InitializeMadCHook() crash when debugging


Postby raners » Tue Feb 27, 2018 3:00 pm

Hi!

Today, after a long time, we needed to debug some new code in our project, and it turns out that when we tried debugging, the program crashed in InitializeMadCHook(), more specifically in the function InitSecurityAttributes() (file ObjectTools.cpp).

We are using MCH 4.0.4, and when debugging, the program crashes on the following call:
if (seia(count, ea, NULL, &dacl))


When we last debugged this program we used MCH version 3.0.x, and today I tried the same with the old MCH (3.0.x) and debugging still works.

When debugging with MCH 3.0.x, the problematic code did not execute because the check:
if ((limited) && (GetMadCHookOption(SECURE_MEMORY_MAPS)))

returned false.

I have to mention that in both cases no MCH driver was running; we inject our .dll using the Registry value "AppInit_DLLs"...

Building on Win7, VS2008...

If you need some more information, please just say what you need to know... :wink:
raners

Re: InitializeMadCHook() crash when debugging

Postby madshi » Tue Feb 27, 2018 4:03 pm

Strange stuff. Does the debugger give you any more information than just "crash"?
madshi
Site Admin

Re: InitializeMadCHook() crash when debugging

Postby raners » Wed Feb 28, 2018 7:19 am

An error popup appears: First-chance exception at 0x778e1d26 (ntdll.dll) in Foxit Reader.exe: 0xC0000005: Access violation writing location 0x00000014.

Disassembly:
{
          if (seia(count, ea, NULL, &dacl))
64A37950 8D 45 B0         lea         eax,[dacl]
64A37953 50               push        eax 
64A37954 6A 00            push        0   
64A37956 8D 8D 20 FF FF FF lea         ecx,[ea]
64A3795C 51               push        ecx 
64A3795D 8B 55 A4         mov         edx,dword ptr [count]
64A37960 52               push        edx 
64A37961 FF 55 FC         call        dword ptr [seia]        <-- crash
64A37964 85 C0            test        eax,eax
64A37966 74 07            je          InitSecurityAttributes+2DFh (64A3796Fh)
            dacl = NULL;
64A37968 C7 45 B0 00 00 00 00 mov         dword ptr [dacl],0
        }


It obviously crashes at the marked location (when calling "seia")...

Callstack:
x.dll!InitSecurityAttributes(_SECURITY_ATTRIBUTES * sa=0x64a8b9b8, _SECURITY_DESCRIPTOR * sd=0x64a8b9a4, bool limited=true, bool allowEveryone=true)  Line 408 + 0x14 bytes   C++
x.dll!InitSas()  Line 447 + 0x13 bytes   C++
x.dll!StaticLibHelper_Init(void * __formal=0x64a271f0)  Line 95   C++
x.dll!InitializeMadCHook()  Line 824   C++
x.dll!dllMainFunction()  Line 4277   C++
x.dll!DllMain(HINSTANCE__ * hModule=0x649f0000, unsigned long ul_reason_for_call=1, void * lpReserved=0x00000000)  Line 4494   C++
x.dll!__DllMainCRTStartup(void * hDllHandle=0x649f0000, unsigned long dwReason=1, void * lpreserved=0x00000000)  Line 546 + 0x11 bytes   C
x.dll!_DllMainCRTStartup(void * hDllHandle=0x649f0000, unsigned long dwReason=1, void * lpreserved=0x00000000)  Line 510 + 0x11 bytes   C
ntdll.dll!_LdrpCallInitRoutine@16()  + 0x14 bytes   
ntdll.dll!_LdrpRunInitializeRoutines@4()  + 0x38c1 bytes   
ntdll.dll!_LdrpLoadDll@28()  - 0x83 bytes   
ntdll.dll!_LdrLoadDll@16()  + 0x66 bytes


If you need any more information, please just tell me... :wink:
raners

Re: InitializeMadCHook() crash when debugging

Postby madshi » Wed Feb 28, 2018 7:55 am

Foxit Reader.exe is your own process/EXE?
madshi
Site Admin

Re: InitializeMadCHook() crash when debugging

Postby raners » Wed Feb 28, 2018 9:14 am

Hmmm, strange... I'm surprised... When I changed the debugging program (which is run when debugging starts), everything works well...

No, Foxit Reader is not our program. We were using it in the past because everything worked well...

If you want to try, here is the install file: https://0patch.com/poc/Foxit_Reader_4.1 ... _Setup.exe. If you notice something strange, please let us know.

We can now debug our .dll... :wink: It is however still strange that it works with the older MCH (v3.0.x) in the same environment...

Thanks for helping us... :wink:
raners

Re: InitializeMadCHook() crash when debugging

Postby madshi » Wed Feb 28, 2018 9:40 am

So the problem only occurs with one specific process? That is really weird. FWIW, I can't see anything wrong with my code. And it seems the crash occurs somewhere in ntdll.dll. Don't really know why, to be honest...
madshi
Site Admin

Re: InitializeMadCHook() crash when debugging

Postby raners » Thu Mar 01, 2018 12:29 pm

Hi again...

We have now changed the injection mechanism on the debugging machine... Instead of using the "AppInit_DLLs" registry value, we built a helper app which calls "InstallInjectionDriver()" and then "InjectLibrary()" with the currently debugged "x.dll" (and we inject this debugged DLL only into specific exes)...

But when we make some changes in the debugged x.dll and try to build it, VS2008 cannot overwrite x.dll because the driver holds it (the "System" process has "x.dll" loaded)...

How do you debug the injected .dll?

We would like the following:
* When we click "Build" in VS2008, the x.dll should be rebuilt (and changed on the filesystem)
* When we click "Debug", the desired application starts and "x.dll" should be injected into it
raners

Re: InitializeMadCHook() crash when debugging

Postby madshi » Thu Mar 01, 2018 12:33 pm

You need to uninject before changing the DLL, then you can reinject. You don't have to use the injection driver. If you want to debug just one process, you can directly inject into the target process by using the process handle.
madshi
Site Admin
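The single-process workflow madshi describes, as an added example that is not part of the thread and not madCodeHook's own code: a small helper that launches (or attaches to) one target, gets the DLL in through the process handle instead of the injection driver, and uninjects before it exits so the next build can overwrite the file. It assumes the madCodeHook C++ API as documented in madCHook.h (InitializeMadCHook, CreateProcessExA with its trailing lpLoadLibrary parameter, InjectLibraryA/UninjectLibraryA taking a process handle and a timeout, FinalizeMadCHook); the command-line layout, the Plan struct, the helper function names and the PROCESS_ALL_ACCESS choice are this example's own, and the non-Windows branch in main exists only so the argument parser can be checked off Windows.

```cpp
// Debug helper (example code, not madCodeHook's): inject one DLL into one
// process via its handle, then uninject on request so the DLL file is free.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// What the helper should do, derived from its command line.
struct Plan {
    enum Mode { Invalid, Launch, Attach };
    Mode mode;
    std::string target;  // exe path (Launch) or decimal PID (Attach)
    std::string dll;     // full path of the DLL under debug, e.g. x.dll
};

// Drive-letter or UNC path. The DLL path must be absolute because the target
// process, not this helper, is the one that resolves it.
static bool IsAbsoluteWindowsPath(const std::string& s) {
    if (s.size() >= 2 && s[0] == '\\' && s[1] == '\\') return true;
    return s.size() >= 3 && std::isalpha((unsigned char)s[0]) && s[1] == ':'
        && (s[2] == '\\' || s[2] == '/');
}

// Parses "launch <exe> <dll>" or "attach <pid> <dll>"; anything else is Invalid.
// Kept free of Win32 calls so it can be checked on any platform.
Plan ParseArgs(int argc, const char* const* argv) {
    Plan p;
    p.mode = Plan::Invalid;
    if (argc != 4) return p;
    Plan::Mode mode = Plan::Invalid;
    if (std::strcmp(argv[1], "launch") == 0) mode = Plan::Launch;
    else if (std::strcmp(argv[1], "attach") == 0) mode = Plan::Attach;
    else return p;
    p.target = argv[2];
    p.dll = argv[3];
    bool pidOk = !p.target.empty()
        && p.target.find_first_not_of("0123456789") == std::string::npos;
    if (mode == Plan::Attach && !pidOk) return p;
    if (!IsAbsoluteWindowsPath(p.dll)) return p;
    p.mode = mode;
    return p;
}

#ifdef _WIN32
#include <windows.h>
#include "madCHook.h"   // assumed: madCodeHook C++ header, link with its import/static lib

// Start the target with the DLL loaded before its first instruction runs.
static HANDLE LaunchWithDll(const Plan& p) {
    STARTUPINFOA si = {0}; si.cb = sizeof(si);
    PROCESS_INFORMATION pi = {0};
    std::string cmd = "\"" + p.target + "\"";   // CreateProcess may write to this buffer
    if (!CreateProcessExA(NULL, &cmd[0], NULL, NULL, FALSE, 0, NULL, NULL,
                          &si, &pi, p.dll.c_str())) {
        std::fprintf(stderr, "CreateProcessEx failed: %lu\n", GetLastError());
        return NULL;
    }
    CloseHandle(pi.hThread);
    return pi.hProcess;
}

// Inject into an already running process through its handle; no driver involved.
static HANDLE AttachWithDll(const Plan& p) {
    DWORD pid = (DWORD)std::strtoul(p.target.c_str(), NULL, 10);
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); // assumption: full rights for a debug tool
    if (!hProcess) {
        std::fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError());
        return NULL;
    }
    if (!InjectLibraryA(hProcess, p.dll.c_str(), 7000)) {  // 7000 ms is the documented default timeout
        std::fprintf(stderr, "InjectLibrary failed: %lu\n", GetLastError());
        CloseHandle(hProcess);
        return NULL;
    }
    return hProcess;
}
#endif

int main(int argc, char** argv) {
    Plan p = ParseArgs(argc, argv);
    if (p.mode == Plan::Invalid) {
        std::fprintf(stderr, "usage: helper launch <exe> <full dll path> | attach <pid> <full dll path>\n");
        return 2;
    }
#ifdef _WIN32
    InitializeMadCHook();
    HANDLE hProcess = (p.mode == Plan::Launch) ? LaunchWithDll(p) : AttachWithDll(p);
    int rc = 1;
    if (hProcess) {
        std::printf("%s injected; attach the debugger now, press Enter to uninject and quit\n", p.dll.c_str());
        std::getchar();
        // Uninject before rebuilding: while any process still maps the DLL,
        // the build cannot overwrite the file.
        if (WaitForSingleObject(hProcess, 0) == WAIT_TIMEOUT
            && !UninjectLibraryA(hProcess, p.dll.c_str(), 7000))
            std::fprintf(stderr, "UninjectLibrary failed: %lu\n", GetLastError());
        else
            rc = 0;
        CloseHandle(hProcess);
    }
    FinalizeMadCHook();
    return rc;
#else
    std::puts("This helper only does real work on Windows (madCodeHook).");
    return 0;
#endif
}
```

In VS2008 the helper can be set as the project's debug command with arguments such as launch "C:\path\to\target.exe" "C:\path\to\x.dll"; attach the debugger to the target once it is running, and press Enter in the helper before the next Build so x.dll is no longer mapped anywhere.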
