CoCreateInstance explorer.exe crash...
Posted: Mon Jul 24, 2017 1:04 pm
Hello madshi,
Is this an issue you know of?
CoCreateInstance hook.
It does not modify the parameter values.
Right-click process_explorer.exe or any process -> Run as admin (to run consent.exe).
Occasionally explorer.exe crashed when I pressed the OK button.
If you want, I will email the PDB.
Thank you.
0:062> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for sppc.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for dofsMntNtf6.dll -
GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 400
CONTEXT: (.ecxr)
rax=000000000000ffff rbx=0000000000000000 rcx=000000000000ffff
rdx=0000000000000000 rsi=00007ffc708b0290 rdi=00000000ffffffff
rip=00007ffc70665e36 rsp=00000000103ee680 rbp=00000000103ee6d0
r8=000000000000ffff r9=00000000000036b7 r10=0000000000000588
r11=00000000103ee670 r12=00000000ffffffff r13=00007ffc7083fd10
r14=00000000103ef1f0 r15=0000000000000004
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010244
combase!CCache::GetElement+0x1b [inlined in combase!CComCatalog::GetClassInfoInternal+0x2c6]:
00007ffc`70665e36 4839bccd00090000 cmp qword ptr [rbp+rcx*8+900h],rdi ss:00000000`1046efc8=????????????????
Resetting default scope
FAULTING_IP:
combase!CComCatalog::GetClassInfoInternal+2c6 [onecore\com\combase\catalog\catalog.cxx @ 3929]
00007ffc`70665e36 4839bccd00090000 cmp qword ptr [rbp+rcx*8+900h],rdi
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffc70665e36 (combase!CCache::GetElement+0x000000000000001b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000001046efc8
Attempt to read from address 000000001046efc8
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%p
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000000001046efc8
FOLLOWUP_IP:
jsfnhk64!hook_co_create_instance::new_function+4b [d:\project_docuone\ecm-win\trunk\src\jsfnhk\dll\common\hook_co_create_instance.cpp @ 59]
00007ffc`5ca7f1bb 8bf8 mov edi,eax
READ_ADDRESS: 000000001046efc8
BUGCHECK_STR: INVALID_POINTER_READ
WATSON_BKT_PROCSTAMP: 951324bb
WATSON_BKT_PROCVER: 10.0.15063.447
WATSON_BKT_MODULE: combase.dll
WATSON_BKT_MODSTAMP: 91412db8
WATSON_BKT_MODOFFSET: 65e36
WATSON_BKT_MODVER: 10.0.15063.296
BUILD_VERSION_STRING: 10.0.15063.296 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: 0a616d6105b13b8cf748ae980da3734e7ae2cf2d
MODLIST_SHA1_HASH: 7cd0f0a18f3e316742f57626d8876c613ad63d4e
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_FLAGS: 8000c07
DUMP_TYPE: 0
ANALYSIS_SESSION_HOST: DESKTOP-3DKN04D
ANALYSIS_SESSION_TIME: 07-24-2017 21:38:26.0849
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: KOR
PROBLEM_CLASSES:
INVALID_POINTER_READ
Tid [0xc48]
Frame [0x00]: combase!CComCatalog::GetClassInfoInternal
LAST_CONTROL_TRANSFER: from 00007ffc7066cb41 to 00007ffc70665e36
STACK_TEXT:
00000000`103ee680 00007ffc`7066cb41 : 00000000`00000003 00000000`00000001 00000000`00000001 00000000`011e9ff0 : combase!CComCatalog::GetClassInfoInternal+0x2c6
00000000`103ef050 00007ffc`7066dc3b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : combase!ICoCreateInstanceEx+0x2a1
00000000`103ef360 00007ffc`706a51d3 : 00000000`00000000 00007ffc`6de84691 00000000`087c7cf0 00000000`0eb79cf0 : combase!CComActivator::DoCreateInstance+0x14b
00000000`103ef480 00007ffc`5ca7f1bb : 00000000`00000403 00000000`0003a013 00000000`103ef588 00000000`00000000 : combase!CoCreateInstance+0xc3
00000000`103ef520 00007ffc`5ca80945 : 00000000`103ef638 00007ffc`706d1073 00000000`00000000 00000000`103ef630 : jsfnhk64!hook_co_create_instance::new_function+0x4b
00000000`103ef5c0 00007ffc`70a21000 : 00000000`00000000 00000000`103ef660 00000000`103ef6d8 00000000`00000000 : jsfnhk64!hook_co_create_instance::proxy_function+0x45
00000000`103ef600 00000000`00000000 : 00000000`103ef660 00000000`103ef6d8 00000000`00000000 00000000`103ef630 : 0x00007ffc`70a21000
THREAD_SHA1_HASH_MOD_FUNC: 84f174c11349de19917243f8b3f9092a09e79693
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: a9c014fe5295a94ce4d5f6a0af7cb92d8db62207
THREAD_SHA1_HASH_MOD: fd5295ec0344997e3e4c6d957c61da0c80f705e0
FAULT_INSTR_CODE: c085f88b
FAULTING_SOURCE_LINE: d:\project_docuone\ecm-win\trunk\src\jsfnhk\dll\common\hook_co_create_instance.cpp
FAULTING_SOURCE_FILE: d:\project_docuone\ecm-win\trunk\src\jsfnhk\dll\common\hook_co_create_instance.cpp
FAULTING_SOURCE_LINE_NUMBER: 59
FAULTING_SOURCE_CODE:
55: //
56: // call the original function.
57: //
58:
> 59: HRESULT result = _madchook.original_function()(
60: rclsid,
61: pUnkOuter,
62: dwClsContext,
63: riid,
64: ppv
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: jsfnhk64!hook_co_create_instance::new_function+4b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: jsfnhk64
IMAGE_NAME: jsfnhk64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5975e7d0
STACK_COMMAND: .ecxr ; kb
BUCKET_ID: INVALID_POINTER_READ_jsfnhk64!hook_co_create_instance::new_function+4b
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_jsfnhk64!hook_co_create_instance::new_function+4b
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: jsfnhk64.dll
BUCKET_ID_IMAGE_STR: jsfnhk64.dll
FAILURE_MODULE_NAME: jsfnhk64
BUCKET_ID_MODULE_STR: jsfnhk64
FAILURE_FUNCTION_NAME: hook_co_create_instance::new_function
BUCKET_ID_FUNCTION_STR: hook_co_create_instance::new_function
BUCKET_ID_OFFSET: 4b
BUCKET_ID_MODTIMEDATESTAMP: 5975e7d0
BUCKET_ID_MODCHECKSUM: f4640
BUCKET_ID_MODVER_STR: 1.0.116.0
BUCKET_ID_PREFIX_STR: INVALID_POINTER_READ_
FAILURE_PROBLEM_CLASS: INVALID_POINTER_READ
FAILURE_SYMBOL_NAME: jsfnhk64.dll!hook_co_create_instance::new_function
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_jsfnhk64.dll!hook_co_create_instance::new_function
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/explorer.exe/10.0.15063.447/951324bb/combase.dll/10.0.15063.296/91412db8/c0000005/00065e36.htm?Retriage=1
TARGET_TIME: 2017-07-24T12:37:02.000Z
OSBUILD: 15063
OSSERVICEPACK: 296
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.15063.296
ANALYSIS_SESSION_ELAPSED_TIME: ac98
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_jsfnhk64.dll!hook_co_create_instance::new_function
FAILURE_ID_HASH: {eec8cb62-c819-1440-076a-e04109156014}
Followup: MachineOwner
---------