Rare 0xc0000018 error on w81 64b apps

c++ / delphi package - dll injection and api hooking
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Rare 0xc0000018 error on w81 64b apps

Post by EaSy »

Hi,
we rarely experience a bug with MCH. All of the injected 64b apps are unable to start because of error "The application was unable to start correctly (0xc0000018)" on w8.1 64b.
I managed to find the source. It is a address collision of MCH data buffer with system dll in app's memory space during its startup.
Verbose loader output says the relocation for kernel32 is needed and then it fails.
MCHbug.png
MCHbug.png (140.37 KiB) Viewed 26948 times
The problem always lasts until the next restart when both kernel32 and MCH data both occupy different addresses. So my guess is, it is really random, but it happens. Thanks for fix.

Sincerely
PP
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by madshi »

Are you using the latest madCodeHook build (madCodeHook 3.1.7, installer 2.7.9.0)? I think there was a bugfix a while ago for a problem which sounded somewhat similar to what you're describing now, but I'm not 100% sure right now.
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by EaSy »

We are using the latest build. AllocMemEx probably wasn't able to find free page after ntdll (NtTestAlert), so it allocated the one before. But it collided with kernel32. You can look at the addresses. Ntdll starts at 0x7fff5cd90000. The buffer is allocated 0x10000 bytes before at the address 0x7fff5cd80000. It collides with kernel32 which ends at 0x7fff5cd8a000, only 0x6000 bytes before.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by madshi »

Sorry for the late reply. Is there an easy way for me to reproduce the issue? In all my tests on win8.1 x64 I've never seen this issue yet... :( Maybe one thing I could do is to delay the patching a bit, until the first dll gets loaded into the newly created process. I'm already using that trick for some hard-to-handle x64 processes for win8.1. Maybe I could use it for all processes. But I'm a bit worried that it might make injection uneffective if some processes are never loading any dlls. But then, probably every process is linked to kernel32.dll, so it's probably not something I'd need to worry about. Thoughts?
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by EaSy »

Hi,
it is very rare. The report is from WM snapshot of w8.1.

The easiest way would be to do "up" search by one 4KB page only, not by 0x10000. There is always some space between dll images in memory.

Sincerely
PP
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by EaSy »

Hi,
any progress?

PP
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by madshi »

Hmmmm... If I made a test build, could you double check whether the problem is gone or not? I don't know any other way because I've trouble reproducing this issue...
wj_Lee
Posts: 7
Joined: Tue Apr 28, 2015 12:29 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by wj_Lee »

Hi,

I got a simple question,

at release note 3.1.8,
...
(2) fixed: hooking ntdll in non-large-address-aware x64 processes crashed
...

that clause means this issue?


Sincerely
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by madshi »

I think that was a different problem. In any case, both problems should be fixed in the latest build.
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by EaSy »

Hi,
i want to reopen this issue. It is happening on W10. Here is the screenshot.
2016-02-08 11_23_10-2.png
2016-02-08 11_23_10-2.png (250.58 KiB) Viewed 25107 times
Any idea how to fix it for good?

PP
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by madshi »

This issue should be fixed in the latest beta build:

http://madshi.net/madCollectionBeta.exe
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by EaSy »

It helped. Thx.

PP
Overnissen
Posts: 31
Joined: Mon Dec 29, 2014 6:22 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by Overnissen »

I believe I have a similar problem, it gives the same error anyway and only on Windows10.

I have the hooking .dlls signed, the kernel mode injection drivers configured and signed and it works fine on Win7.

May I ask what I need to update ?

Would it be enough to retrieve the renameme64.sys and renameme32.sys, configure them and sign them, or do I have to rebuild the .dlls with the beta madCodeHook as well ?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by madshi »

Just renewing the drivers should do the trick.
Overnissen
Posts: 31
Joined: Mon Dec 29, 2014 6:22 pm

Re: Rare 0xc0000018 error on w81 64b apps

Post by Overnissen »

Thanks madshi, I'll give it a go :)
Post Reply