metro app hook error...

c++ / delphi package - dll injection and api hooking

metro app hook error...

Postby kimjw0820 » Mon Nov 07, 2016 5:21 am

hello!!
I found the following problems during testing.
MicrosoftEdgeCP.exe hook crash
crash to "d3d11.dll", "D3D11CreateDevice"

pc : windows 10 64bit

dump call stack

--

0:010> kvn
# Child-SP RetAddr : Args to Child : Call Site
00 00000043`13af8a68 00007ffd`7206c2cf : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtWaitForMultipleObjects+0x14
01 00000043`13af8a70 00007ffd`7206c1ce : 00000000`00000003 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0xef
02 00000043`13af8d70 00007ffd`5261bbc3 : 00000000`f00019ff ffffffff`ffffff00 00000157`c1590000 00000000`00000372 : KERNELBASE!WaitForMultipleObjects+0xe
03 00000043`13af8db0 00007ffd`5261bea9 : 00000000`00000000 00000000`00000000 00000000`00000003 00000043`13af9408 : Faultrep!WerpReportFaultInternal+0x65f
04 00000043`13af9360 00007ffd`68f6eaa8 : 00000000`00000008 00000043`13af94a0 00000000`00002000 00000000`00000001 : Faultrep!WerpReportFault+0xb1
05 00000043`13af93a0 00007ffd`68f62e06 : 00000043`13af9a20 00000000`00000040 00000000`00000040 00000000`00000000 : eShims!ReportNonFatalWerTelemetry+0x2f8
06 00000043`13af99c0 00007ffd`68f62fd7 : 0000375d`ffffffff 00007ffd`00000001 00007ffd`616bfb38 00007ffd`61671139 : eShims!CACGLockdown::Enable+0xc2
07 00000043`13af99f0 00007ffd`6160b966 : 00000000`00000000 00000043`13afa5b8 00000000`00000000 00000000`00000000 : eShims!NS_ACGLockdownTelemetry::APIHook_VirtualAllocEx+0x47
08 00000043`13af9a50 00007ffd`6160242e : 00000000`00000800 ffffffff`ffffffff 00007ffd`6ece5080 00000000`00000000 : jsfnhk64!AllocMemEx+0xe6
09 00000043`13af9ae0 00007ffd`6160646c : 00000000`00000800 00007ffd`6ece5080 00000000`00000000 00000000`00000000 : jsfnhk64!VirtualAlloc2+0x3e
0a 00000043`13af9b10 00007ffd`616018df : 00000157`bf393490 00007ffd`6ec80000 00000157`bf3b91c4 00007ffd`6ece5080 : jsfnhk64!CCodeHook::CCodeHook+0xdc
0b 00000043`13af9e00 00007ffd`61602919 : 00007ffd`61600000 00007ffd`6ec80000 00000157`bf3b90c0 00000157`bf3b91c4 : jsfnhk64!AutoUnhookUninject+0x18f
0c 00000043`13afa3e0 00007ffd`616036a4 : 00007ffd`5f1d0000 00000043`00000040 00000000`00000000 00000000`00000000 : jsfnhk64!CheckHooks+0x4d9
0d 00000043`13afa520 00007ffd`729a0052 : 00000000`00000001 00000043`13afa5d0 00000043`13afa5a0 00000043`13afa5e8 : jsfnhk64!HookLoadLibrary+0xb24
0e 00000043`13afa560 00000000`00000001 : 00000043`13afa5d0 00000043`13afa5a0 00000043`13afa5e8 00000000`00000000 : 0x00007ffd`729a0052
0f 00000043`13afa568 00000043`13afa5d0 : 00000043`13afa5a0 00000043`13afa5e8 00000000`00000000 00007ffd`7460e977 : 0x1
10 00000043`13afa570 00000043`13afa5a0 : 00000043`13afa5e8 00000000`00000000 00007ffd`7460e977 00000000`00000000 : 0x00000043`13afa5d0
11 00000043`13afa578 00000043`13afa5e8 : 00000000`00000000 00007ffd`7460e977 00000000`00000000 00000043`13afa8c8 : 0x00000043`13afa5a0
12 00000043`13afa580 00000000`00000000 : 00007ffd`7460e977 00000000`00000000 00000043`13afa8c8 00000043`004a0048 : 0x00000043`13afa5e8


--

memory

00000157`bf3b91c4

00000157`bf3b91c4 44 33 44 31 31 43 72 65 61 74 65 44 65 76 69 63 65 00 00 00 70 ef 5f 12 43 00 00 00 00 00 00 00 00 00 00 00 00 3b 68 61 fd 7f D3D11CreateDevice...p._.C............;ha..
00000157`bf3b91ee 00 00 20 00 00 00 fd 7f 00 00 00 00 00 00 00 00 00 00 20 00 00 00 57 01 00 00 80 62 31 bf 57 01 00 00 12 00 00 01 43 00 00 00 .. ............... ...W....b1.W.......C...
00000157`bf3b9218 c0 ee 5f 12 43 00 00 00 64 00 33 00 64 00 31 00 31 00 2e 00 64 00 6c 00 6c 00 00 00 57 01 00 00 39 01 00 c0 00 00 00 00 c0 10 .._.C...d.3.d.1.1...d.l.l...W...9.........
00000157`bf3b9242 33 bf 57 01 00 00 c4 f7 60 61 fd 7f 00 00 20 00 00 00 20 00 60 00 48 00 33 bf 57 01 00 00 00 00 00 00 00 00 00 00 30 00 33 bf 3.W.....`a.... ... .`.H.3.W...........0.3.
00000157`bf3b926c 57 01 00 00 00 00 33 bf 57 01 00 00 00 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 c0 0b 00 00 43 00 W.....3.W...............................C.
00000157`bf3b9296 00 00 30 f3 0b 00 57 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd 7f 00 00 90 07 2a bf 57 01 00 00 14 00 00 00 00 00 00 00 ..0...W.....................*.W...........
00000157`bf3b92c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 14 33 bf 57 01 00 00 50 7f 62 61 fd 7f 00 00 00 00 ..........................3.W...P.ba......
00000157`bf3b92ea 00 00 00 00 00 00 00 00 60 61 fd 7f 00 00 00 00 00 00 00 00 00 00 77 69 6e 73 70 6f 6f 6c 2e 64 72 76 00 00 00 00 01 ee 5f 12 ........`a............winspool.drv......_.
00000157`bf3b9314 43 00 00 00 50 f1 5f 12 43 00 00 00 c0 ed 5f 12 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C...P._.C....._.C.........................
00000157`bf3b933e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..........................................
00000157`bf3b9368 13 69 4b 75 fd 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .iKu......................................
00000157`bf3b9392 00 00 00 00 00 00 c4 6d 4b 75 fd 7f 00 00 00 00 00 00 00 00 00 00 50 f1 5f 12 43 00 00 00 a0 ee 5f 12 43 00 00 00 b0 ee 5f 12 .......mKu............P._.C....._.C....._.
00000157`bf3b93bc 43 00 00 00 7b e5 f4 9e 5d 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 06 00 00 00 00 C...{...]7................................
00000157`bf3b93e6 00 00 30 f0 5f 12 43 00 00 00 40 f0 5f 12 43 00 00 00 00 00 00 00 00 00 00 00 70 ef 5f 12 4f 70 65 6e 50 72 69 6e 74 65 72 32 ..0._.C...@._.C...........p._.OpenPrinter2
00000157`bf3b9410 57 00 5f 12 43 00 00 00 70 ef 5f 12 43 00 00 00 00 10 38 12 43 00 00 00 00 00 00 00 43 00 00 00 20 00 00 00 43 00 00 00 bf 6f W._.C...p._.C.....8.C.......C... ...C....o
00000157`bf3b943a 4b 75 fd 7f 00 00 20 00 00 00 00 00 00 00 01 ef 5f 12 43 00 00 00 18 00 00 01 43 00 00 00 c0 ee 5f 12 43 00 00 00 77 00 69 00 Ku.... ........._.C.......C....._.C...w.i.
00000157`bf3b9464 6e 00 73 00 70 00 6f 00 6f 00 6c 00 2e 00 64 00 72 00 76 00 00 00 10 00 00 00 00 00 20 3b 68 61 fd 7f 00 00 b0 ee 5f 12 43 00 n.s.p.o.o.l...d.r.v......... ;ha......_.C.
00000157`bf3b948e 00 00 20 00 00 00 20 00 60 00 48 00 33 bf 57 01 00 00 00 00 00 00 00 00 00 00 30 00 33 bf 57 01 00 00 00 00 33 bf 57 01 00 00 .. ... .`.H.3.W...........0.3.W.....3.W...
00000157`bf3b94b8 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 80 08 00 00 00 00 00 00 30 f3 0b 00 57 01 00 00 00 00 ................................0...W.....
00000157`bf3b94e2 00 00 00 00 00 00 00 00 00 00 43 00 00 00 90 07 2a bf 57 01 00 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..........C.....*.W.......................
00000157`bf3b950c 00 00 00 00 00 00 00 00 00 00 00 00 60 15 33 bf 57 01 00 00 10 6e 62 61 fd 7f 00 00 00 00 00 00 00 00 00 00 00 00 60 61 fd 7f ............`.3.W....nba..............`a..
00000157`bf3b9536 00 00 00 00 db 72 fd 7f 00 00 53 68 65 6c 6c 33 32 2e 64 6c 6c 00 fd 7f 00 00 b0 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 .....r....Shell32.dll.......@.............
00000157`bf3b9560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 ..........................................

thank you!
Attachments
test.png
test.png (82.88 KiB) Viewed 506 times
kimjw0820
 
Posts: 20
Joined: Fri Sep 11, 2015 1:54 am

Re: metro app hook error...

Postby madshi » Mon Nov 21, 2016 10:52 am

I see "eShims!NS_ACGLockdownTelemetry::APIHook_VirtualAllocEx" in the callstack. So it seems somebody hooked VirtualAllocEx. Is that your own API hook? Or is it another hook dll running in the same process? It seems that this "eShims!NS_ACGLockdownTelemetry::APIHook_VirtualAllocEx" API hook callback function is causing the issue.
madshi
Site Admin
 
Posts: 9340
Joined: Sun Mar 21, 2004 5:25 pm


Return to madCodeHook

Who is online

Users browsing this forum: No registered users and 3 guests