CoCreateInstance explorer.exe crash...

kimjw0820
Posts: 35
Joined: Fri Sep 11, 2015 1:54 am

CoCreateInstance explorer.exe crash...

Post by kimjw0820 »

Hello madshi,
Is this an issue you know of?

CoCreateInstance hook.
It does not modify the parameter values.

Right-click process_explorer.exe or any process -> Run as administrator (to run consent.exe).
Occasionally explorer.exe crashed when I pressed the OK button.

If you want, I will email the PDB.

Thank you.

Code:

0:062> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for sppc.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for dofsMntNtf6.dll - 
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 400

CONTEXT:  (.ecxr)
rax=000000000000ffff rbx=0000000000000000 rcx=000000000000ffff
rdx=0000000000000000 rsi=00007ffc708b0290 rdi=00000000ffffffff
rip=00007ffc70665e36 rsp=00000000103ee680 rbp=00000000103ee6d0
 r8=000000000000ffff  r9=00000000000036b7 r10=0000000000000588
r11=00000000103ee670 r12=00000000ffffffff r13=00007ffc7083fd10
r14=00000000103ef1f0 r15=0000000000000004
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010244
combase!CCache::GetElement+0x1b [inlined in combase!CComCatalog::GetClassInfoInternal+0x2c6]:
00007ffc`70665e36 4839bccd00090000 cmp     qword ptr [rbp+rcx*8+900h],rdi ss:00000000`1046efc8=????????????????
Resetting default scope

FAULTING_IP: 
combase!CComCatalog::GetClassInfoInternal+2c6 [onecore\com\combase\catalog\catalog.cxx @ 3929]
00007ffc`70665e36 4839bccd00090000 cmp     qword ptr [rbp+rcx*8+900h],rdi

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffc70665e36 (combase!CCache::GetElement+0x000000000000001b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 000000001046efc8
Attempt to read from address 000000001046efc8

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%p

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  000000001046efc8

FOLLOWUP_IP: 
jsfnhk64!hook_co_create_instance::new_function+4b [d:\project_docuone\ecm-win\trunk\src\jsfnhk\dll\common\hook_co_create_instance.cpp @ 59]
00007ffc`5ca7f1bb 8bf8            mov     edi,eax

READ_ADDRESS:  000000001046efc8 

BUGCHECK_STR:  INVALID_POINTER_READ

WATSON_BKT_PROCSTAMP:  951324bb

WATSON_BKT_PROCVER:  10.0.15063.447

WATSON_BKT_MODULE:  combase.dll

WATSON_BKT_MODSTAMP:  91412db8

WATSON_BKT_MODOFFSET:  65e36

WATSON_BKT_MODVER:  10.0.15063.296

BUILD_VERSION_STRING:  10.0.15063.296 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  0a616d6105b13b8cf748ae980da3734e7ae2cf2d

MODLIST_SHA1_HASH:  7cd0f0a18f3e316742f57626d8876c613ad63d4e

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_FLAGS:  8000c07

DUMP_TYPE:  0

ANALYSIS_SESSION_HOST:  DESKTOP-3DKN04D

ANALYSIS_SESSION_TIME:  07-24-2017 21:38:26.0849

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  KOR

PROBLEM_CLASSES: 



INVALID_POINTER_READ
    Tid    [0xc48]
    Frame  [0x00]: combase!CComCatalog::GetClassInfoInternal


LAST_CONTROL_TRANSFER:  from 00007ffc7066cb41 to 00007ffc70665e36

STACK_TEXT:  
00000000`103ee680 00007ffc`7066cb41 : 00000000`00000003 00000000`00000001 00000000`00000001 00000000`011e9ff0 : combase!CComCatalog::GetClassInfoInternal+0x2c6
00000000`103ef050 00007ffc`7066dc3b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : combase!ICoCreateInstanceEx+0x2a1
00000000`103ef360 00007ffc`706a51d3 : 00000000`00000000 00007ffc`6de84691 00000000`087c7cf0 00000000`0eb79cf0 : combase!CComActivator::DoCreateInstance+0x14b
00000000`103ef480 00007ffc`5ca7f1bb : 00000000`00000403 00000000`0003a013 00000000`103ef588 00000000`00000000 : combase!CoCreateInstance+0xc3
00000000`103ef520 00007ffc`5ca80945 : 00000000`103ef638 00007ffc`706d1073 00000000`00000000 00000000`103ef630 : jsfnhk64!hook_co_create_instance::new_function+0x4b
00000000`103ef5c0 00007ffc`70a21000 : 00000000`00000000 00000000`103ef660 00000000`103ef6d8 00000000`00000000 : jsfnhk64!hook_co_create_instance::proxy_function+0x45
00000000`103ef600 00000000`00000000 : 00000000`103ef660 00000000`103ef6d8 00000000`00000000 00000000`103ef630 : 0x00007ffc`70a21000


THREAD_SHA1_HASH_MOD_FUNC:  84f174c11349de19917243f8b3f9092a09e79693

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  a9c014fe5295a94ce4d5f6a0af7cb92d8db62207

THREAD_SHA1_HASH_MOD:  fd5295ec0344997e3e4c6d957c61da0c80f705e0

FAULT_INSTR_CODE:  c085f88b

FAULTING_SOURCE_LINE:  d:\project_docuone\ecm-win\trunk\src\jsfnhk\dll\common\hook_co_create_instance.cpp

FAULTING_SOURCE_FILE:  d:\project_docuone\ecm-win\trunk\src\jsfnhk\dll\common\hook_co_create_instance.cpp

FAULTING_SOURCE_LINE_NUMBER:  59

FAULTING_SOURCE_CODE:  
    55:     //
    56:     // call the original function.
    57:     //
    58: 
>   59:     HRESULT result = _madchook.original_function()(
    60:                         rclsid,
    61:                         pUnkOuter,
    62:                         dwClsContext,
    63:                         riid,
    64:                         ppv


SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  jsfnhk64!hook_co_create_instance::new_function+4b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: jsfnhk64

IMAGE_NAME:  jsfnhk64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5975e7d0

STACK_COMMAND:  .ecxr ; kb

BUCKET_ID:  INVALID_POINTER_READ_jsfnhk64!hook_co_create_instance::new_function+4b

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_jsfnhk64!hook_co_create_instance::new_function+4b

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  jsfnhk64.dll

BUCKET_ID_IMAGE_STR:  jsfnhk64.dll

FAILURE_MODULE_NAME:  jsfnhk64

BUCKET_ID_MODULE_STR:  jsfnhk64

FAILURE_FUNCTION_NAME:  hook_co_create_instance::new_function

BUCKET_ID_FUNCTION_STR:  hook_co_create_instance::new_function

BUCKET_ID_OFFSET:  4b

BUCKET_ID_MODTIMEDATESTAMP:  5975e7d0

BUCKET_ID_MODCHECKSUM:  f4640

BUCKET_ID_MODVER_STR:  1.0.116.0

BUCKET_ID_PREFIX_STR:  INVALID_POINTER_READ_

FAILURE_PROBLEM_CLASS:  INVALID_POINTER_READ

FAILURE_SYMBOL_NAME:  jsfnhk64.dll!hook_co_create_instance::new_function

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_jsfnhk64.dll!hook_co_create_instance::new_function

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/explorer.exe/10.0.15063.447/951324bb/combase.dll/10.0.15063.296/91412db8/c0000005/00065e36.htm?Retriage=1

TARGET_TIME:  2017-07-24T12:37:02.000Z

OSBUILD:  15063

OSSERVICEPACK:  296

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.15063.296

ANALYSIS_SESSION_ELAPSED_TIME: ac98

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_jsfnhk64.dll!hook_co_create_instance::new_function

FAILURE_ID_HASH:  {eec8cb62-c819-1440-076a-e04109156014}

Followup:     MachineOwner
---------
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CoCreateInstance explorer.exe crash...

Post by madshi »

I'm not aware of a problem specific to CoCreateInstance or Explorer.exe.

What is "hook_co_create::proxy_function" and "::new_function"? Do you have your hook callback functions somehow modified into class methods?
kimjw0820
Posts: 35
Joined: Fri Sep 11, 2015 1:54 am

Re: CoCreateInstance explorer.exe crash...

Post by kimjw0820 »

This call is a function pointer.

HookCode params:
pNextHook() == _madchook.original_function()
pCallbackFunc == proxy_function (static) -> singleton member function call (new_function)
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: CoCreateInstance explorer.exe crash...

Post by madshi »

I'm not sure how the compiler handles singleton member functions exactly. Well, I suppose it's likely to be as we need it, otherwise you'd get crashes all the time? Still, just to be safe, it might make sense to double check with simple functions, similar to how the madCodeHook demos perform hooking. Do you get the same crashes then, too? Furthermore, it's always useful to test with a simple "passthrough" callback function which does nothing but "return original_function(original_parameters)", so we can find out whether it's the madCodeHook framework which might be causing the issue, or maybe any manipulation you do in your hook callback code.
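A portable model of the passthrough callback madshi asks for, added here as an example (it is not madCodeHook code and not the poster's jsfnhk64 code): the Win32/COM types are stand-ins so it builds without <windows.h>, fake_co_create_instance is a constructed stand-in for the real original, and HookCode/HookAPI are not called. It keeps the thread's static-proxy-to-singleton-member shape, logs the requested CLSID, and forwards every argument untouched so the captured call can be checked against what went in.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Stand-ins for the Win32/COM types so this model builds without <windows.h>.
typedef long HRESULT;
typedef unsigned long DWORD;
typedef void* LPUNKNOWN;
typedef void* LPVOID;
struct GUID { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; };
typedef const GUID& REFCLSID;
typedef const GUID& REFIID;
// Exact signature of CoCreateInstance; pNextHook / original_function() has this type.
typedef HRESULT (*CoCreateInstance_t)(REFCLSID, LPUNKNOWN, DWORD, REFIID, LPVOID*);

// Formats a GUID as {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} for the diagnostic log line.
std::string guid_to_string(const GUID& g) {
    char buf[40];
    std::snprintf(buf, sizeof buf, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
                  g.Data1, g.Data2, g.Data3, g.Data4[0], g.Data4[1], g.Data4[2],
                  g.Data4[3], g.Data4[4], g.Data4[5], g.Data4[6], g.Data4[7]);
    return buf;
}

// What the stand-in original last received, so a test can confirm the chain altered nothing.
struct LastCall { GUID clsid; LPUNKNOWN outer; DWORD ctx; GUID iid; LPVOID* ppv; int count; };
LastCall g_last{};
// Constructed stand-in for the real CoCreateInstance (returns S_OK == 0).
HRESULT fake_co_create_instance(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext,
                                REFIID riid, LPVOID* ppv) {
    g_last = LastCall{rclsid, pUnkOuter, dwClsContext, riid, ppv, g_last.count + 1};
    return 0;
}

// Same shape as the thread's hook: static proxy (pCallbackFunc) -> singleton member (new_function).
class hook_co_create_instance {
public:
    static hook_co_create_instance& instance() { static hook_co_create_instance s; return s; }
    CoCreateInstance_t original_function = nullptr;  // HookCode/HookAPI would fill this via pNextHook
    static HRESULT proxy_function(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext,
                                  REFIID riid, LPVOID* ppv) {
        return instance().new_function(rclsid, pUnkOuter, dwClsContext, riid, ppv);
    }
    // Passthrough: log the request, then forward every argument untouched and return the original's HRESULT.
    HRESULT new_function(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext,
                         REFIID riid, LPVOID* ppv) {
        std::fprintf(stderr, "CoCreateInstance %s ctx=0x%lx\n", guid_to_string(rclsid).c_str(), dwClsContext);
        return original_function(rclsid, pUnkOuter, dwClsContext, riid, ppv);
    }
};
```

If the real hook still crashes with a callback this shape, the fault lies in hook installation or signature mismatch rather than in any parameter manipulation in the callback body.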