c++ / delphi package - dll injection and api hooking
tbrd
Posts: 19 Joined: Thu Dec 15, 2016 8:45 am
by tbrd » Thu Dec 15, 2016 9:51 am
Hello Madshi!
Customers of my MCH applications report that they cannot start some applications when my codehook service is running and Kaspersky AV is installed. On my test system I get the following runtime error when an application starts:
Code:
STACK_TEXT:
00000000`0009e598 00000000`50de6a28 : 00000000`00000000 00000000`00000004 00000000`00000008 00000000`7ff8415f : 0x43eb0
00000000`0009e5a0 00000000`50de69df : 00000000`00000000 00000000`00800000 00000000`00792c50 00000000`00000000 : wow64!Wow64ApcRoutineInternal+0x40
00000000`0009e620 00007ff8`40309b5e : 71b00214`71b00000 00000000`00000000 00000000`00000000 00000000`50de69c0 : wow64!Wow64ApcRoutine+0x1f
00000000`0009e660 00007ff8`403065d4 : 00007ff8`4026ddc5 00000000`00790000 00000000`00000050 00000000`00000006 : ntdll!KiUserApcDispatch+0x2e
00000000`0009eb58 00007ff8`4026ddc5 : 00000000`00790000 00000000`00000050 00000000`00000006 00007ff8`40298097 : ntdll!NtMapViewOfSection+0x14
00000000`0009eb60 00007ff8`4026da52 : 00000000`00000040 00000000`0009ec60 00000000`00000000 00000000`00792ac8 : ntdll!LdrpMapViewOfSection+0xb5
00000000`0009ec00 00007ff8`4026d925 : 00000000`00792a80 00007ff8`4026de00 00000000`00008600 00000000`d02dfd33 : ntdll!LdrpMapImage+0x72
00000000`0009eca0 00007ff8`4026d47e : 00000000`00000000 00000000`c0000135 00000000`00792a80 00000000`00792a80 : ntdll!LdrpMapDllWithSectionHandle+0x2d
00000000`0009ece0 00007ff8`4026d236 : 00000000`00000000 00000000`00000040 00000000`00000000 00000000`0009ee70 : ntdll!LdrpLoadKnownDll+0xe6
00000000`0009ed40 00007ff8`4028701c : 00000000`0009ee64 00000000`0009ef20 00000000`0009ee70 00000000`0009f100 : ntdll!LdrpFindOrPrepareLoadingModule+0xa6
00000000`0009eda0 00007ff8`40286add : 00000000`0009ee70 00000000`0009f000 00000000`00000000 00000000`00000001 : ntdll!LdrpLoadDllInternal+0x110
00000000`0009ee20 00007ff8`40269efc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpLoadDll+0xf1
00000000`0009efc0 00007ff8`40266e2e : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`002f0000 : ntdll!LdrLoadDll+0x8c
00000000`0009f0c0 00007ff8`402f29d7 : 00000000`00400100 00000000`00000000 00000000`00000000 00000000`002f0000 : ntdll!LdrpLoadWow64+0x6e
00000000`0009f350 00007ff8`40328986 : 00000000`00000000 00007ff8`402e9e59 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1517
00000000`0009f750 00007ff8`402d9fae : 00000000`0009f820 00000000`00000000 00000000`00000000 00000000`002f0000 : ntdll!_LdrpInitialize+0x4e982
00000000`0009f7d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
MODULE_NAME: wow64
IMAGE_NAME: wow64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 57899aec
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .ecxr ; kb
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_c0000005_wow64.dll!Wow64ApcRoutineInternal
BUCKET_ID: SOFTWARE_NX_FAULT_BAD_IP_wow64!Wow64ApcRoutineInternal+40
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT_BAD_IP_wow64!Wow64ApcRoutineInternal+40
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: wow64.dll
BUCKET_ID_IMAGE_STR: wow64.dll
FAILURE_MODULE_NAME: wow64
BUCKET_ID_MODULE_STR: wow64
FAILURE_FUNCTION_NAME: Wow64ApcRoutineInternal
BUCKET_ID_FUNCTION_STR: Wow64ApcRoutineInternal
BUCKET_ID_OFFSET: 40
BUCKET_ID_MODTIMEDATESTAMP: 57899aec
BUCKET_ID_MODCHECKSUM: 52b95
BUCKET_ID_MODVER_STR: 6.2.14393.0
BUCKET_ID_PREFIX_STR: SOFTWARE_NX_FAULT_BAD_IP_
FAILURE_PROBLEM_CLASS: SOFTWARE_NX_FAULT
FAILURE_SYMBOL_NAME: wow64.dll!Wow64ApcRoutineInternal
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/iron.exe/1.0.0.0/52eaf40f/unknown/0.0.0.0/bbbbbbb4/c0000005/00043eb0.htm?Retriage=1
TARGET_TIME: 2016-12-15T09:37:36.000Z
OSBUILD: 14393
OSSERVICEPACK: 479
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 161110-2025
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14393.479
ANALYSIS_SESSION_ELAPSED_TIME: 471
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:software_nx_fault_c0000005_wow64.dll!wow64apcroutineinternal
FAILURE_ID_HASH: {329ea9c8-9139-97e8-a383-4689b3177d12}
One interesting thing: the faulting instruction pointer is always 0x43eb0...
MCH 3 does not cause any problems in conjunction with Kaspersky AV.
Any idea?
madshi
Site Admin
Posts: 10765 Joined: Sun Mar 21, 2004 5:25 pm
by madshi » Thu Dec 15, 2016 10:09 am
Can you try the latest beta build 2.8.0.10, which I've just uploaded a couple of minutes ago? Does it fix the issue? It has some changes for exactly this problem you're reporting.
http://madshi.net/madCollectionBeta.exe
tbrd
Posts: 19 Joined: Thu Dec 15, 2016 8:45 am
by tbrd » Thu Dec 15, 2016 10:43 am
No change...
madshi
Site Admin
Posts: 10765 Joined: Sun Mar 21, 2004 5:25 pm
by madshi » Thu Dec 15, 2016 11:25 am
How about this one?
http://madshi.net/madCollectionBeta.exe
Please make sure it's 2.8.0.11.
Your crash callstack suggests it's a wow64 (32bit) process on a 64bit OS. Do 64bit processes start fine, or do they crash also? If they crash also, what's their crash callstack for you?
tbrd
Posts: 19 Joined: Thu Dec 15, 2016 8:45 am
by tbrd » Thu Dec 15, 2016 11:31 am
I only saw 32-bit WOW processes crash...
I will check the new version 2.8.0.11...
tbrd
Posts: 19 Joined: Thu Dec 15, 2016 8:45 am
by tbrd » Thu Dec 15, 2016 11:47 am
It crashes with 2.8.0.11 also...
madshi
Site Admin
Posts: 10765 Joined: Sun Mar 21, 2004 5:25 pm
by madshi » Thu Dec 15, 2016 12:03 pm
Argh. The callstack should be different now, though?
For now you can use the 3.x driver together with the 4.x user mode library, as a workaround. The communication interface is compatible.
tbrd
Posts: 19 Joined: Thu Dec 15, 2016 8:45 am
by tbrd » Thu Dec 15, 2016 12:35 pm
Yes, the callstack with 2.8.0.11 is different:
Code:
PROBLEM_CLASSES:
SOFTWARE_NX_FAULT
Tid [0x1998]
Frame [0x00]: wow64!Wow64NotifyDebugger
AFTER_CALL
Tid [0x1998]
Frame [0x00]: wow64!Wow64NotifyDebugger
Failure Bucketing
BUGCHECK_STR: SOFTWARE_NX_FAULT_AFTER_CALL
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_AFTER_CALL
STACK_TEXT:
00000000`0009ce30 00000000`73f0d4a1 wow64!Wow64NotifyDebugger+0x1d
00000000`0009ce60 00000000`73f0c218 wow64!HandleRaiseException+0x13c
00000000`0009d350 00000000`73f0d643 wow64!Wow64NtRaiseException+0x9b
00000000`0009d3e0 00000000`73f0d744 wow64!whNtRaiseException+0x14
00000000`0009d410 00000000`73f06ea5 wow64!Wow64SystemServiceEx+0x155
00000000`0009dcd0 00000000`73ef1cf7 wow64cpu!ServiceNoTurbo+0xb
00000000`0009dd80 00000000`73f1bfa1 wow64!Wow64KiUserCallbackDispatcher+0x4151
00000000`0009de00 00000000`73f16ae7 wow64!Wow64ApcRoutineInternal+0xff
00000000`0009de80 00000000`73f169df wow64!Wow64ApcRoutine+0x1f
00000000`0009dec0 00007ffb`19669b5e ntdll!KiUserApcDispatch+0x2e
00000000`0009e3b8 00007ffb`196661b4 ntdll!NtDeviceIoControlFile+0x14
00000000`0009e3c0 00000000`7ff81cc5 unknown!unknown+0x0
00000000`0009e480 00000000`7ff83d29 unknown!unknown+0x0
00000000`0009e500 00000000`7ff84ab5 unknown!unknown+0x0
00000000`0009e540 00000000`7ff86cb7 unknown!unknown+0x0
00000000`0009e570 00000000`73f06648 wow64!whNtMapViewOfSection+0x178
00000000`0009e6b0 00000000`73f06ea5 wow64!Wow64SystemServiceEx+0x155
00000000`0009ef70 00000000`73ef1cf7 wow64cpu!ServiceNoTurbo+0xb
00000000`0009f020 00000000`73f1bfa1 wow64!Wow64KiUserCallbackDispatcher+0x4151
00000000`0009f0a0 00000000`73f0cbb0 wow64!Wow64LdrpInitialize+0x120
00000000`0009f350 00007ffb`19652a11 ntdll!LdrpInitializeProcess+0x1551
00000000`0009f750 00007ffb`19688986 ntdll!_LdrpInitialize+0x4e982
00000000`0009f7d0 00007ffb`19639fae ntdll!LdrInitializeThunk+0xe
THREAD_SHA1_HASH_MOD: 27c2ddf6a7eafc96676439108e65df8a88ee28a4
FAULT_INSTR_CODE: 48b4865
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: wow64!Wow64NotifyDebugger+1d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: wow64
IMAGE_NAME: wow64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 57899aec
STACK_COMMAND: .ecxr ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dps 9ce30 ; kb
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_AFTER_CALL_c0000005_wow64.dll!Wow64NotifyDebugger
BUCKET_ID: SOFTWARE_NX_FAULT_AFTER_CALL_BAD_IP_wow64!Wow64NotifyDebugger+1d
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT_AFTER_CALL_BAD_IP_wow64!Wow64NotifyDebugger+1d
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: wow64.dll
BUCKET_ID_IMAGE_STR: wow64.dll
FAILURE_MODULE_NAME: wow64
BUCKET_ID_MODULE_STR: wow64
FAILURE_FUNCTION_NAME: Wow64NotifyDebugger
BUCKET_ID_FUNCTION_STR: Wow64NotifyDebugger
BUCKET_ID_OFFSET: 1d
BUCKET_ID_MODTIMEDATESTAMP: 57899aec
BUCKET_ID_MODCHECKSUM: 52b95
BUCKET_ID_MODVER_STR: 6.2.14393.0
BUCKET_ID_PREFIX_STR: SOFTWARE_NX_FAULT_AFTER_CALL_BAD_IP_
FAILURE_PROBLEM_CLASS: SOFTWARE_NX_FAULT_AFTER_CALL
FAILURE_SYMBOL_NAME: wow64.dll!Wow64NotifyDebugger
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/iron.exe/1.0.0.0/52eaf40f/unknown/0.0.0.0/bbbbbbb4/c0000005/195ea5d0.htm?Retriage=1
TARGET_TIME: 2016-12-15T12:33:48.000Z
OSBUILD: 14393
OSSERVICEPACK: 479
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 161110-2025
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14393.479
ANALYSIS_SESSION_ELAPSED_TIME: 6cc
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:software_nx_fault_after_call_c0000005_wow64.dll!wow64notifydebugger
FAILURE_ID_HASH: {e1ce6a81-8139-068b-301b-cf3b50f46b8f}
Analysis from WinDbg
Dump file from Procdump64
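As an added triage helper (not part of this thread and not madCodeHook code), a small Python parser for the WinDbg "!analyze -v" output posted in both dumps above: it pulls the failure bucket and exception code, walks STACK_TEXT in both frame formats seen here (with and without argument columns), and flags what was read off by hand in the thread: a WoW64 (32-bit) process, an NX fault, and a crash reached through the user-mode APC dispatcher during process initialisation. The sample text is a constructed, abbreviated excerpt of the first dump.

```python
import re

# Constructed excerpt in the shape of the WinDbg "!analyze -v" output posted in
# this thread (first dump, abbreviated); it is sample input, not a full dump.
SAMPLE = """\
STACK_TEXT:
00000000`0009e598 00000000`50de6a28 : 00000000`00000000 00000000`00000004 00000000`00000008 00000000`7ff8415f : 0x43eb0
00000000`0009e5a0 00000000`50de69df : 00000000`00000000 00000000`00800000 00000000`00792c50 00000000`00000000 : wow64!Wow64ApcRoutineInternal+0x40
00000000`0009e660 00007ff8`403065d4 : 00007ff8`4026ddc5 00000000`00790000 00000000`00000050 00000000`00000006 : ntdll!KiUserApcDispatch+0x2e
00000000`0009f350 00007ff8`40328986 : 00000000`00000000 00007ff8`402e9e59 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1517
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_c0000005_wow64.dll!Wow64ApcRoutineInternal
FAILURE_EXCEPTION_CODE: c0000005
"""

# A frame line starts with two 64-bit addresses (child-SP and return address) in
# WinDbg's 8`8 hex notation; what follows is either "args : symbol" or just "symbol".
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s+(.+)$")

def parse_analysis(text):
    """Return (key/value fields, frame symbols top-down) from !analyze -v text."""
    fields, frames, in_stack = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "STACK_TEXT:":
            in_stack = True
            continue
        m = FRAME_RE.match(line)
        if in_stack and m:
            frames.append(m.group(1).split(" : ")[-1].strip())
            continue
        in_stack = False
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields, frames

def triage(text):
    """Summarise the signals the thread reads off the posted callstacks by hand."""
    fields, frames = parse_analysis(text)
    bucket = fields.get("FAILURE_BUCKET_ID", "")
    return {
        "exception": fields.get("FAILURE_EXCEPTION_CODE", ""),
        "nx_fault": bucket.startswith("SOFTWARE_NX_FAULT"),
        # wow64*.dll frames only exist in a 32-bit process on a 64-bit OS
        "wow64_process": any(f.startswith(("wow64!", "wow64cpu!")) for f in frames),
        # crash reached through a user-mode APC, the vehicle used by APC-based injection
        "apc_path": any("KiUserApcDispatch" in f or "Wow64ApcRoutine" in f for f in frames),
        "during_process_init": any("LdrpInitializeProcess" in f for f in frames),
        "fault_frame": frames[0] if frames else "",
    }
```

Run triage() over the full text of each dump to compare them: the first reports a bare address (0x43eb0) as the top frame, the second a symbolised wow64!Wow64NotifyDebugger frame.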
madshi
Site Admin
Posts: 10765 Joined: Sun Mar 21, 2004 5:25 pm
by madshi » Thu Dec 15, 2016 12:40 pm
Thanks. At this point I'm not sure what the cause of the crash could be. It's complicating things a lot that it only occurs in combination with another 3rd party software.
This is definitely at the top of my priority list right now. I'll let you know as soon as I have something new to test. For now, as mentioned, you can use the 3.x driver in combination with the 4.x user mode library.
tbrd
Posts: 19 Joined: Thu Dec 15, 2016 8:45 am
by tbrd » Thu Dec 15, 2016 12:43 pm
OK, thanks
madshi
Site Admin
Posts: 10765 Joined: Sun Mar 21, 2004 5:25 pm
by madshi » Wed Dec 21, 2016 12:08 pm
I've found that the new injection method I'm using is for some reason incompatible with Kaspersky. I'm pretty sure it's Kaspersky's fault, but there's not much I can do about it, and I've been told it also occurs with a couple of other AV products. So I'll have to go back to the old injection method, which I'm very sad about, because the new one was better, simpler and cleaner.
Here's a new beta build which is the 4.x driver with all the new features, but with the 3.x injection method:
http://madshi.net/madCollectionBeta.exe (installer 2.8.0.12)
I'll work on a totally new injection method for a future 4.x build. For now the build above should solve the problem.