MCH 4 (2.8.0.2 and 2.8.0.9)

c++ / delphi package - dll injection and api hooking
tbrd
Posts: 19
Joined: Thu Dec 15, 2016 8:45 am

MCH 4 (2.8.0.2 and 2.8.0.9)

Post by tbrd »

Hello Madshi!

Customers of my MCH applications report that they cannot start some applications when my codehook service is running and Kaspersky AV is installed. On my test system I get the following runtime error when an application starts:


STACK_TEXT:  
00000000`0009e598 00000000`50de6a28 : 00000000`00000000 00000000`00000004 00000000`00000008 00000000`7ff8415f : 0x43eb0
00000000`0009e5a0 00000000`50de69df : 00000000`00000000 00000000`00800000 00000000`00792c50 00000000`00000000 : wow64!Wow64ApcRoutineInternal+0x40
00000000`0009e620 00007ff8`40309b5e : 71b00214`71b00000 00000000`00000000 00000000`00000000 00000000`50de69c0 : wow64!Wow64ApcRoutine+0x1f
00000000`0009e660 00007ff8`403065d4 : 00007ff8`4026ddc5 00000000`00790000 00000000`00000050 00000000`00000006 : ntdll!KiUserApcDispatch+0x2e
00000000`0009eb58 00007ff8`4026ddc5 : 00000000`00790000 00000000`00000050 00000000`00000006 00007ff8`40298097 : ntdll!NtMapViewOfSection+0x14
00000000`0009eb60 00007ff8`4026da52 : 00000000`00000040 00000000`0009ec60 00000000`00000000 00000000`00792ac8 : ntdll!LdrpMapViewOfSection+0xb5
00000000`0009ec00 00007ff8`4026d925 : 00000000`00792a80 00007ff8`4026de00 00000000`00008600 00000000`d02dfd33 : ntdll!LdrpMapImage+0x72
00000000`0009eca0 00007ff8`4026d47e : 00000000`00000000 00000000`c0000135 00000000`00792a80 00000000`00792a80 : ntdll!LdrpMapDllWithSectionHandle+0x2d
00000000`0009ece0 00007ff8`4026d236 : 00000000`00000000 00000000`00000040 00000000`00000000 00000000`0009ee70 : ntdll!LdrpLoadKnownDll+0xe6
00000000`0009ed40 00007ff8`4028701c : 00000000`0009ee64 00000000`0009ef20 00000000`0009ee70 00000000`0009f100 : ntdll!LdrpFindOrPrepareLoadingModule+0xa6
00000000`0009eda0 00007ff8`40286add : 00000000`0009ee70 00000000`0009f000 00000000`00000000 00000000`00000001 : ntdll!LdrpLoadDllInternal+0x110
00000000`0009ee20 00007ff8`40269efc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpLoadDll+0xf1
00000000`0009efc0 00007ff8`40266e2e : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`002f0000 : ntdll!LdrLoadDll+0x8c
00000000`0009f0c0 00007ff8`402f29d7 : 00000000`00400100 00000000`00000000 00000000`00000000 00000000`002f0000 : ntdll!LdrpLoadWow64+0x6e
00000000`0009f350 00007ff8`40328986 : 00000000`00000000 00007ff8`402e9e59 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1517
00000000`0009f750 00007ff8`402d9fae : 00000000`0009f820 00000000`00000000 00000000`00000000 00000000`002f0000 : ntdll!_LdrpInitialize+0x4e982
00000000`0009f7d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

MODULE_NAME: wow64

IMAGE_NAME:  wow64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  57899aec

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .ecxr ; kb

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_c0000005_wow64.dll!Wow64ApcRoutineInternal

BUCKET_ID:  SOFTWARE_NX_FAULT_BAD_IP_wow64!Wow64ApcRoutineInternal+40

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_BAD_IP_wow64!Wow64ApcRoutineInternal+40

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  wow64.dll

BUCKET_ID_IMAGE_STR:  wow64.dll

FAILURE_MODULE_NAME:  wow64

BUCKET_ID_MODULE_STR:  wow64

FAILURE_FUNCTION_NAME:  Wow64ApcRoutineInternal

BUCKET_ID_FUNCTION_STR:  Wow64ApcRoutineInternal

BUCKET_ID_OFFSET:  40

BUCKET_ID_MODTIMEDATESTAMP:  57899aec

BUCKET_ID_MODCHECKSUM:  52b95

BUCKET_ID_MODVER_STR:  6.2.14393.0

BUCKET_ID_PREFIX_STR:  SOFTWARE_NX_FAULT_BAD_IP_

FAILURE_PROBLEM_CLASS:  SOFTWARE_NX_FAULT

FAILURE_SYMBOL_NAME:  wow64.dll!Wow64ApcRoutineInternal

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/iron.exe/1.0.0.0/52eaf40f/unknown/0.0.0.0/bbbbbbb4/c0000005/00043eb0.htm?Retriage=1

TARGET_TIME:  2016-12-15T09:37:36.000Z

OSBUILD:  14393

OSSERVICEPACK:  479

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  161110-2025

BUILDLAB_STR:  rs1_release

BUILDOSVER_STR:  10.0.14393.479

ANALYSIS_SESSION_ELAPSED_TIME: 471

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:software_nx_fault_c0000005_wow64.dll!wow64apcroutineinternal

FAILURE_ID_HASH:  {329ea9c8-9139-97e8-a383-4689b3177d12}
One interesting thing: the faulting instruction pointer is always 0x43eb0...
MCH 3 does not make any problems in conjunction with Kaspersky AV.
Any idea?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by madshi »

Can you try the latest beta build 2.8.0.10, which I've just uploaded a couple of minutes ago? Does it fix the issue? It has some changes for exactly this problem you're reporting.

http://madshi.net/madCollectionBeta.exe
tbrd
Posts: 19
Joined: Thu Dec 15, 2016 8:45 am

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by tbrd »

No change...
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by madshi »

How about this one?

http://madshi.net/madCollectionBeta.exe

Please make sure it's 2.8.0.11.

Your crash callstack suggests it's a wow64 (32bit) process on a 64bit OS. Do 64bit processes start fine, or do they crash also? If they crash also, what's their crash callstack for you?
tbrd
Posts: 19
Joined: Thu Dec 15, 2016 8:45 am

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by tbrd »

I only saw 32-bit WOW processes crash...
I will check the new version 2.8.0.11...
tbrd
Posts: 19
Joined: Thu Dec 15, 2016 8:45 am

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by tbrd »

It crashes with 2.8.0.11 also...
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by madshi »

Argh. The callstack should be different now, though?

For now you can use the 3.x driver together with the 4.x user mode library, as a workaround. The communication interface is compatible.
tbrd
Posts: 19
Joined: Thu Dec 15, 2016 8:45 am

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by tbrd »

Yes, the callstack with 2.8.0.11 is different:


PROBLEM_CLASSES: 



SOFTWARE_NX_FAULT
    Tid    [0x1998]
    Frame  [0x00]: wow64!Wow64NotifyDebugger



AFTER_CALL
    Tid    [0x1998]
    Frame  [0x00]: wow64!Wow64NotifyDebugger
    Failure Bucketing


BUGCHECK_STR:  SOFTWARE_NX_FAULT_AFTER_CALL

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_AFTER_CALL

STACK_TEXT:  
00000000`0009ce30 00000000`73f0d4a1 wow64!Wow64NotifyDebugger+0x1d
00000000`0009ce60 00000000`73f0c218 wow64!HandleRaiseException+0x13c
00000000`0009d350 00000000`73f0d643 wow64!Wow64NtRaiseException+0x9b
00000000`0009d3e0 00000000`73f0d744 wow64!whNtRaiseException+0x14
00000000`0009d410 00000000`73f06ea5 wow64!Wow64SystemServiceEx+0x155
00000000`0009dcd0 00000000`73ef1cf7 wow64cpu!ServiceNoTurbo+0xb
00000000`0009dd80 00000000`73f1bfa1 wow64!Wow64KiUserCallbackDispatcher+0x4151
00000000`0009de00 00000000`73f16ae7 wow64!Wow64ApcRoutineInternal+0xff
00000000`0009de80 00000000`73f169df wow64!Wow64ApcRoutine+0x1f
00000000`0009dec0 00007ffb`19669b5e ntdll!KiUserApcDispatch+0x2e
00000000`0009e3b8 00007ffb`196661b4 ntdll!NtDeviceIoControlFile+0x14
00000000`0009e3c0 00000000`7ff81cc5 unknown!unknown+0x0
00000000`0009e480 00000000`7ff83d29 unknown!unknown+0x0
00000000`0009e500 00000000`7ff84ab5 unknown!unknown+0x0
00000000`0009e540 00000000`7ff86cb7 unknown!unknown+0x0
00000000`0009e570 00000000`73f06648 wow64!whNtMapViewOfSection+0x178
00000000`0009e6b0 00000000`73f06ea5 wow64!Wow64SystemServiceEx+0x155
00000000`0009ef70 00000000`73ef1cf7 wow64cpu!ServiceNoTurbo+0xb
00000000`0009f020 00000000`73f1bfa1 wow64!Wow64KiUserCallbackDispatcher+0x4151
00000000`0009f0a0 00000000`73f0cbb0 wow64!Wow64LdrpInitialize+0x120
00000000`0009f350 00007ffb`19652a11 ntdll!LdrpInitializeProcess+0x1551
00000000`0009f750 00007ffb`19688986 ntdll!_LdrpInitialize+0x4e982
00000000`0009f7d0 00007ffb`19639fae ntdll!LdrInitializeThunk+0xe


THREAD_SHA1_HASH_MOD:  27c2ddf6a7eafc96676439108e65df8a88ee28a4

FAULT_INSTR_CODE:  48b4865

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  wow64!Wow64NotifyDebugger+1d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: wow64

IMAGE_NAME:  wow64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  57899aec

STACK_COMMAND:  .ecxr ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dps 9ce30 ; kb

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_AFTER_CALL_c0000005_wow64.dll!Wow64NotifyDebugger

BUCKET_ID:  SOFTWARE_NX_FAULT_AFTER_CALL_BAD_IP_wow64!Wow64NotifyDebugger+1d

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_AFTER_CALL_BAD_IP_wow64!Wow64NotifyDebugger+1d

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  wow64.dll

BUCKET_ID_IMAGE_STR:  wow64.dll

FAILURE_MODULE_NAME:  wow64

BUCKET_ID_MODULE_STR:  wow64

FAILURE_FUNCTION_NAME:  Wow64NotifyDebugger

BUCKET_ID_FUNCTION_STR:  Wow64NotifyDebugger

BUCKET_ID_OFFSET:  1d

BUCKET_ID_MODTIMEDATESTAMP:  57899aec

BUCKET_ID_MODCHECKSUM:  52b95

BUCKET_ID_MODVER_STR:  6.2.14393.0

BUCKET_ID_PREFIX_STR:  SOFTWARE_NX_FAULT_AFTER_CALL_BAD_IP_

FAILURE_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_AFTER_CALL

FAILURE_SYMBOL_NAME:  wow64.dll!Wow64NotifyDebugger

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/iron.exe/1.0.0.0/52eaf40f/unknown/0.0.0.0/bbbbbbb4/c0000005/195ea5d0.htm?Retriage=1

TARGET_TIME:  2016-12-15T12:33:48.000Z

OSBUILD:  14393

OSSERVICEPACK:  479

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  161110-2025

BUILDLAB_STR:  rs1_release

BUILDOSVER_STR:  10.0.14393.479

ANALYSIS_SESSION_ELAPSED_TIME: 6cc

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:software_nx_fault_after_call_c0000005_wow64.dll!wow64notifydebugger

FAILURE_ID_HASH:  {e1ce6a81-8139-068b-301b-cf3b50f46b8f}
Analysis from WinDBG
DumpFile from Procdump64
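Both analyses above show the same shape: an access violation classified as SOFTWARE_NX_FAULT (DEP rejecting execution from a non-executable page), reached through ntdll!KiUserApcDispatch while ntdll is still running LdrpInitializeProcess for a WOW64 process, with the faulting frame (0x43eb0 in the first dump, the unknown!unknown frames in the second) outside every loaded image. The following triage helper is an added example and is not code from madshi.net or madCodeHook; it is a small Python parser for the "!analyze -v" text format that extracts the KEY: value fields and the STACK_TEXT frames and flags exactly that pattern. The two embedded sample texts are abbreviated excerpts of the two dumps posted in this thread, and the field names it looks up (FAILURE_EXCEPTION_CODE, FAILURE_PROBLEM_CLASS, BUGCHECK_STR, FAILURE_MODULE_NAME, BUILDOSVER_STR) are the ones that appear in them.

```python
"""Triage of WinDBG "!analyze -v" output for the APC/NX crash pattern in this thread.

Added example, not madCodeHook code. Parses "KEY: value" fields and STACK_TEXT
frames, then flags an NX (DEP) fault that is reached via ntdll!KiUserApcDispatch
with the faulting frame outside every loaded image.
"""
import re
from dataclasses import dataclass, field

# "KEY:  value" lines, e.g. FAILURE_EXCEPTION_CODE:  c0000005
_KV_RE = re.compile(r"^([A-Z][A-Z0-9_]+):\s*(.*)$")
# 64-bit frame: child SP, return address, then ": args : symbol" (kb) or "symbol" (k)
_FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s+(.*)$")

# Abbreviated excerpt of the first dump posted in the thread (build 2.8.0.9).
SAMPLE_2_8_0_9 = """\
STACK_TEXT:
00000000`0009e598 00000000`50de6a28 : 00000000`00000000 00000000`00000004 00000000`00000008 00000000`7ff8415f : 0x43eb0
00000000`0009e5a0 00000000`50de69df : 00000000`00000000 00000000`00800000 00000000`00792c50 00000000`00000000 : wow64!Wow64ApcRoutineInternal+0x40
00000000`0009e660 00007ff8`403065d4 : 00007ff8`4026ddc5 00000000`00790000 00000000`00000050 00000000`00000006 : ntdll!KiUserApcDispatch+0x2e
00000000`0009eb58 00007ff8`4026ddc5 : 00000000`00790000 00000000`00000050 00000000`00000006 00007ff8`40298097 : ntdll!NtMapViewOfSection+0x14
00000000`0009f350 00007ff8`40328986 : 00000000`00000000 00007ff8`402e9e59 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1517

FAILURE_EXCEPTION_CODE:  c0000005
FAILURE_MODULE_NAME:  wow64
FAILURE_PROBLEM_CLASS:  SOFTWARE_NX_FAULT
BUILDOSVER_STR:  10.0.14393.479
"""

# Abbreviated excerpt of the second dump (build 2.8.0.11).
SAMPLE_2_8_0_11 = """\
BUGCHECK_STR:  SOFTWARE_NX_FAULT_AFTER_CALL
STACK_TEXT:
00000000`0009ce30 00000000`73f0d4a1 wow64!Wow64NotifyDebugger+0x1d
00000000`0009de00 00000000`73f16ae7 wow64!Wow64ApcRoutineInternal+0xff
00000000`0009dec0 00007ffb`19669b5e ntdll!KiUserApcDispatch+0x2e
00000000`0009e3b8 00007ffb`196661b4 ntdll!NtDeviceIoControlFile+0x14
00000000`0009e3c0 00000000`7ff81cc5 unknown!unknown+0x0
00000000`0009e480 00000000`7ff83d29 unknown!unknown+0x0
00000000`0009e500 00000000`7ff84ab5 unknown!unknown+0x0
00000000`0009e540 00000000`7ff86cb7 unknown!unknown+0x0
00000000`0009e570 00000000`73f06648 wow64!whNtMapViewOfSection+0x178
00000000`0009f350 00007ffb`19652a11 ntdll!LdrpInitializeProcess+0x1551

FAILURE_EXCEPTION_CODE:  c0000005
FAILURE_MODULE_NAME:  wow64
FAILURE_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_AFTER_CALL
BUILDOSVER_STR:  10.0.14393.479
"""


@dataclass
class CrashReport:
    fields: dict = field(default_factory=dict)
    frames: list = field(default_factory=list)  # frame symbols, innermost first


def parse_analysis(text: str) -> CrashReport:
    """Collect KEY: value fields and the symbol of every STACK_TEXT frame."""
    report = CrashReport()
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _FRAME_RE.match(line)
        if m:
            # With args the tail is ": a1 a2 a3 a4 : symbol"; without, just "symbol"
            report.frames.append(m.group(1).rsplit(" : ", 1)[-1].strip())
            continue
        m = _KV_RE.match(line)
        if m:
            report.fields[m.group(1)] = m.group(2).strip()
    return report


def _is_unresolved(symbol: str) -> bool:
    """True for a frame that the debugger could not map to any loaded image."""
    return symbol.startswith("unknown!") or re.fullmatch(r"0x[0-9a-f]+", symbol) is not None


def triage(report: CrashReport) -> dict:
    """Classify the dump; the verdict is a defender-side triage hint, not a root cause."""
    f, frames = report.fields, report.frames
    problem_class = f.get("FAILURE_PROBLEM_CLASS") or f.get("BUGCHECK_STR", "")
    result = {
        "exception_code": f.get("FAILURE_EXCEPTION_CODE", ""),
        "faulting_module": f.get("FAILURE_MODULE_NAME", ""),
        "os_build": f.get("BUILDOSVER_STR", ""),
        "nx_fault": problem_class.startswith("SOFTWARE_NX_FAULT"),
        "wow64_process": any(s.startswith(("wow64!", "wow64cpu!")) for s in frames),
        "via_apc": any(s.startswith("ntdll!KiUserApcDispatch") for s in frames),
        "during_process_init": any("LdrpInitializeProcess" in s for s in frames),
        "unresolved_frames": [s for s in frames if _is_unresolved(s)],
    }
    if result["nx_fault"] and result["via_apc"] and result["unresolved_frames"]:
        result["verdict"] = (
            "DEP violation at an address outside every loaded image, reached via a user-mode APC"
            + (" during process initialisation" if result["during_process_init"] else "")
            + ": consistent with code placed by a third-party injector; review the drivers and "
              "AV/hooking products that inject into this process")
    else:
        result["verdict"] = "not the APC/NX injection pattern; inspect the top frames manually"
    return result


if __name__ == "__main__":
    for name, text in (("2.8.0.9", SAMPLE_2_8_0_9), ("2.8.0.11", SAMPLE_2_8_0_11)):
        print(name, triage(parse_analysis(text)))
```

Run it on the full "!analyze -v" text of any user-mode dump; the frame regex accepts both the "kb" layout with arguments (first dump) and the plain "k" layout (second dump). The unresolved-frame check is the part worth keeping: a return address with no module behind it, combined with an NX fault, says the CPU was sent into memory that no loader mapped, which is the thing to explain before blaming either the hooking library or the AV product.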
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by madshi »

Thanks. At this point I'm not sure what the cause of the crash could be. It's complicating things a lot that it only occurs in combination with another 3rd party software.

This is definitely at the top of my priority list right now. I'll let you know as soon as I have something new to test. For now, as mentioned, you can use the 3.x driver in combination with the 4.x user mode library.
tbrd
Posts: 19
Joined: Thu Dec 15, 2016 8:45 am

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by tbrd »

OK, thanks.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 4 (2.8.0.2 and 2.8.0.9)

Post by madshi »

I've found that the new injection method I'm using is for some reason incompatible with Kaspersky. I'm pretty sure it's Kaspersky's fault, but there's not much I can do about it, and I've been told it also occurs with a couple other AV products. So I'll have to go back to the old injection method, which I'm very sad about, because the new one was better, simpler and cleaner.

Here's a new beta build which is the 4.x driver with all the new features, but with the 3.x injection method:

http://madshi.net/madCollectionBeta.exe (installer 2.8.0.12)

I'll work on a totally new injection method for a future 4.x build. For now the build above should solve the problem.