InitializeMadCHook() crash when debugging
Posted: Tue Feb 27, 2018 3:00 pm
by raners
Hi!
Today, after a long time, we needed to debug some new code in our project, and it turned out that when we tried debugging, the program crashed in InitializeMadCHook(), more specifically in the function InitSecurityAttributes() (file ObjectTools.cpp).
We are using MCH 4.0.4 and, when debugging, the program crashes on the following call:
When we last debugged this program, we used MCH version 3.0.x, and today I tried the same with the old MCH (3.0.x) and debugging still works.
When debugging with MCH 3.0.x, the problematic code did not execute because the check:
Code:
if ((limited) && (GetMadCHookOption(SECURE_MEMORY_MAPS)))
returned false.
I have to mention that in both cases no MCH driver was running; we inject our .dll using the Registry value "AppInit_DLLs"...
Building on Win7, VS2008...
If you need some more information, please just say what you need to know...
Re: InitializeMadCHook() crash when debugging
Posted: Tue Feb 27, 2018 4:03 pm
by madshi
Strange stuff. Does the debugger give you any more information than just "crash"?
Re: InitializeMadCHook() crash when debugging
Posted: Wed Feb 28, 2018 7:19 am
by raners
An error popup appears: First-chance exception at 0x778e1d26 (ntdll.dll) in Foxit Reader.exe: 0xC0000005: Access violation writing location 0x00000014.
Disassembly:
Code:
{
if (seia(count, ea, NULL, &dacl))
64A37950 8D 45 B0 lea eax,[dacl]
64A37953 50 push eax
64A37954 6A 00 push 0
64A37956 8D 8D 20 FF FF FF lea ecx,[ea]
64A3795C 51 push ecx
64A3795D 8B 55 A4 mov edx,dword ptr [count]
64A37960 52 push edx
64A37961 FF 55 FC call dword ptr [seia]   ; <-- crash here
64A37964 85 C0 test eax,eax
64A37966 74 07 je InitSecurityAttributes+2DFh (64A3796Fh)
dacl = NULL;
64A37968 C7 45 B0 00 00 00 00 mov dword ptr [dacl],0
}
It obviously crashes at the marked location (when calling "seia")...
Callstack:
Code:
x.dll!InitSecurityAttributes(_SECURITY_ATTRIBUTES * sa=0x64a8b9b8, _SECURITY_DESCRIPTOR * sd=0x64a8b9a4, bool limited=true, bool allowEveryone=true) Line 408 + 0x14 bytes C++
x.dll!InitSas() Line 447 + 0x13 bytes C++
x.dll!StaticLibHelper_Init(void * __formal=0x64a271f0) Line 95 C++
x.dll!InitializeMadCHook() Line 824 C++
x.dll!dllMainFunction() Line 4277 C++
x.dll!DllMain(HINSTANCE__ * hModule=0x649f0000, unsigned long ul_reason_for_call=1, void * lpReserved=0x00000000) Line 4494 C++
x.dll!__DllMainCRTStartup(void * hDllHandle=0x649f0000, unsigned long dwReason=1, void * lpreserved=0x00000000) Line 546 + 0x11 bytes C
x.dll!_DllMainCRTStartup(void * hDllHandle=0x649f0000, unsigned long dwReason=1, void * lpreserved=0x00000000) Line 510 + 0x11 bytes C
ntdll.dll!_LdrpCallInitRoutine@16() + 0x14 bytes
ntdll.dll!_LdrpRunInitializeRoutines@4() + 0x38c1 bytes
ntdll.dll!_LdrpLoadDll@28() - 0x83 bytes
ntdll.dll!_LdrLoadDll@16() + 0x66 bytes
If you need any more information, please just tell me...
Re: InitializeMadCHook() crash when debugging
Posted: Wed Feb 28, 2018 7:55 am
by madshi
Foxit Reader.exe is your own process/EXE?
Re: InitializeMadCHook() crash when debugging
Posted: Wed Feb 28, 2018 9:14 am
by raners
Hmmm, strange... I'm surprised... When I changed the debugging program (which is run when debugging starts), everything works well...
No, Foxit Reader is not our program. We have been using it in the past because everything worked well...
If you want to try, here is the install file:
https://0patch.com/poc/Foxit_Reader_4.1 ... _Setup.exe. If you notice something strange, please let us know.
We can now debug our .dll...
It is, however, still strange that it works with the older MCH (v3.0.x) in the same environment...
Thanks for helping us...
Re: InitializeMadCHook() crash when debugging
Posted: Wed Feb 28, 2018 9:40 am
by madshi
So the problem only occurs with one specific process? That is really weird. FWIW, I can't see anything wrong with my code. And it seems the crash occurs somewhere in ntdll.dll. Don't really know why, to be honest...
Re: InitializeMadCHook() crash when debugging
Posted: Thu Mar 01, 2018 12:29 pm
by raners
Hi again...
We have now changed the injection mechanism on the debugging machine... Instead of using the "Appinit_dlls" registry value, we built a helper app which calls "InstallInjectionDriver()" and then "InjectLibrary()" with the currently debugged "x.dll" (and we inject this debugged dll only into specific exes)...
But when we make some changes in the debugged x.dll and try to build it, VS2008 cannot overwrite x.dll because the driver holds it (the "System" process has "x.dll" loaded)...
How do you debug the injecting .dll?
We would like the following:
* When we click "Build" in VS2008, x.dll should be rebuilt (and changed on the filesystem)
* When we click "Debug", the desired application starts and "x.dll" should be injected into it
Re: InitializeMadCHook() crash when debugging
Posted: Thu Mar 01, 2018 12:33 pm
by madshi
You need to uninject before changing the DLL, then you can reinject. You don't have to use the injection driver. If you want to debug just one process, you can directly inject into the target process by using the process handle.