InitializeMadCHook() crash when debugging

Posted: Tue Feb 27, 2018 3:00 pm
by raners
Hi!

Today, after a long time, we need to debug some new code in our project, and it turns out that when we tried debugging, the program crashed in InitializeMadCHook() - more specifically in the function InitSecurityAttributes() (file ObjectTools.cpp).

We are using MCH 4.0.4 and, when debugging, the program crashes on the following call:

    if (seia(count, ea, NULL, &dacl))

When we last debugged this program, we used MCH version 3.0.x, and today I tried the same with the old MCH (3.0.x) and debugging still works.

When debugging with MCH 3.0.x, the problematic code did not execute because the check:

    if ((limited) && (GetMadCHookOption(SECURE_MEMORY_MAPS)))

returned false.

I have to mention that in both cases no MCH driver was running; we inject our .dll using the Registry value "AppInit_DLLs"...

Building on win7, VS2008...

If you need some more information, please just say what you need to know... :wink:

Re: InitializeMadCHook() crash when debugging

Posted: Tue Feb 27, 2018 4:03 pm
by madshi
Strange stuff. Does the debugger give you any more information than just "crash"?

Re: InitializeMadCHook() crash when debugging

Posted: Wed Feb 28, 2018 7:19 am
by raners
An error popup appears: First-chance exception at 0x778e1d26 (ntdll.dll) in Foxit Reader.exe: 0xC0000005: Access violation writing location 0x00000014.

Disassembly:

{
          if (seia(count, ea, NULL, &dacl))
64A37950 8D 45 B0         lea         eax,[dacl] 
64A37953 50               push        eax  
64A37954 6A 00            push        0    
64A37956 8D 8D 20 FF FF FF lea         ecx,[ea] 
64A3795C 51               push        ecx  
64A3795D 8B 55 A4         mov         edx,dword ptr [count] 
64A37960 52               push        edx  
64A37961 FF 55 FC         call        dword ptr [seia]   ; <-- crash happens here
64A37964 85 C0            test        eax,eax 
64A37966 74 07            je          InitSecurityAttributes+2DFh (64A3796Fh) 
            dacl = NULL;
64A37968 C7 45 B0 00 00 00 00 mov         dword ptr [dacl],0 
        }

It obviously crashes at the marked location (when calling "seia")...

Callstack:

x.dll!InitSecurityAttributes(_SECURITY_ATTRIBUTES * sa=0x64a8b9b8, _SECURITY_DESCRIPTOR * sd=0x64a8b9a4, bool limited=true, bool allowEveryone=true)  Line 408 + 0x14 bytes	C++
x.dll!InitSas()  Line 447 + 0x13 bytes	C++
x.dll!StaticLibHelper_Init(void * __formal=0x64a271f0)  Line 95	C++
x.dll!InitializeMadCHook()  Line 824	C++
x.dll!dllMainFunction()  Line 4277	C++
x.dll!DllMain(HINSTANCE__ * hModule=0x649f0000, unsigned long ul_reason_for_call=1, void * lpReserved=0x00000000)  Line 4494	C++
x.dll!__DllMainCRTStartup(void * hDllHandle=0x649f0000, unsigned long dwReason=1, void * lpreserved=0x00000000)  Line 546 + 0x11 bytes	C
x.dll!_DllMainCRTStartup(void * hDllHandle=0x649f0000, unsigned long dwReason=1, void * lpreserved=0x00000000)  Line 510 + 0x11 bytes	C
ntdll.dll!_LdrpCallInitRoutine@16()  + 0x14 bytes	
ntdll.dll!_LdrpRunInitializeRoutines@4()  + 0x38c1 bytes	
ntdll.dll!_LdrpLoadDll@28()  - 0x83 bytes	
ntdll.dll!_LdrLoadDll@16()  + 0x66 bytes
If you need any more information, please just tell me... :wink:

Re: InitializeMadCHook() crash when debugging

Posted: Wed Feb 28, 2018 7:55 am
by madshi
Foxit Reader.exe is your own process/EXE?

Re: InitializeMadCHook() crash when debugging

Posted: Wed Feb 28, 2018 9:14 am
by raners
Hmmm, strange... I'm surprised... When I changed the debugging program (which is run when debugging starts), everything works well...

No, Foxit Reader is not our program. We were using it in the past because everything worked well...

If you want to try, here is the install file: https://0patch.com/poc/Foxit_Reader_4.1 ... _Setup.exe. If you notice something strange, please let us know.

We can now debug our .dll... :wink: It is however still strange that it works with the older MCH (v3.0.x) in the same environment...

Thanks for helping us... :wink:

Re: InitializeMadCHook() crash when debugging

Posted: Wed Feb 28, 2018 9:40 am
by madshi
So the problem only occurs with one specific process? That is really weird. FWIW, I can't see anything wrong with my code. And it seems the crash occurs somewhere in ntdll.dll. Don't really know why, to be honest...

Re: InitializeMadCHook() crash when debugging

Posted: Thu Mar 01, 2018 12:29 pm
by raners
Hi again...

We have now changed the injection mechanism on the debugging machine... Instead of using the "Appinit_dlls" registry value, we have built a helper app which calls "InstallInjectionDriver()" and then "InjectLibrary()" with the currently debugged "x.dll" (and we inject this debugged dll only into specific exes)...

But when we make some changes in the debugged x.dll and try to build it, VS2008 cannot overwrite x.dll because the driver holds it (the "System" process has "x.dll" loaded)...

How do you debug the injecting .dll?

We would like the following:
* When we click "Build" in VS2008, x.dll should be rebuilt (and replaced on the filesystem)
* When we click "Debug", the desired application starts and "x.dll" should be injected into it

Re: InitializeMadCHook() crash when debugging

Posted: Thu Mar 01, 2018 12:33 pm
by madshi
You need to uninject before changing the DLL, then you can reinject. You don't have to use the injection driver. If you want to debug just one process, you can directly inject into the target process by using the process handle.