search

bb107 / MemoryModulePP

MemoryModule which compatible with Win32 API and support exception handling
MIT License
359 stars 96 forks source link

Crash Crash Crash Crash Crash Crash #35

Open wPood909mv opened 1 year ago

wPood909mv commented 1 year ago

Service process crash with system permissions. X86 process running on win11 [10.0.22621.2361] 100% probability of crashing during startup

RtlInitUnicodeString(&us, buffer);
InitializeObjectAttributes(&oa, &us, 0, nullptr, nullptr);

li.QuadPart = 0x1000;
ServiceMessageBox("MmpAllocateGlobalData", "MmpAllocateGlobalData   2222222222222222222", MB_ICONERROR, TRUE);
status = NtCreateSection(         //fail
    &hSection,
    SECTION_ALL_ACCESS,
    &oa,
    &li,
    PAGE_READWRITE,
    SEC_COMMIT,
    nullptr
);

Causing the following code to crash.....

// Allocate memory for image headers
if (MmpGlobalDataPtr== 0)  //null   pointer
    ServiceMessageBox("MemoryLoadLibrary", "MemoryLoadLibrary   fffffffffffffffffffffffffffff MmpGlobalDataPtr == 0)", MB_ICONERROR, TRUE);

size_t alignedHeadersSize = (DWORD)AlignValueUp(old_header->OptionalHeader.SizeOfHeaders + sizeof(MEMORYMODULE), MmpGlobalDataPtr->SystemInfo.dwPageSize);          //Crash
if (alignedHeadersSize == 0)
bb107 commented 1 year ago

Hi, the problem of initialization failure has been solved.

wPood909mv commented 1 year ago

The service program crashes once after starting the computer 5 times. The above configuration still caused the following issues:

FAULTING_IP: ntdll!RtlIsZeroMemory+ff 7798d42f eb33 jmp ntdll!RtlIsZeroMemory+0x134 (7798d464)

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 7798d42f (ntdll!RtlIsZeroMemory+0x000000ff) ExceptionCode: c0000374 ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 779cb918

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information. If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 778a0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 65230521

ERROR_CODE: (NTSTATUS) 0xc0000374 -

EXCEPTION_CODE: (NTSTATUS) 0xc0000374 -

EXCEPTION_PARAMETER1: 779cb918

MOD_LIST:

FAULTING_THREAD: 000010bc

PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS

BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER: from 7798d401 to 7798d42f

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong. 0513f458 7798d401 7fe51e91 00000000 00000002 ntdll!RtlIsZeroMemory+0xff 0513f4ec 77996663 00000001 779cb948 7799449e ntdll!RtlIsZeroMemory+0xd1 0513f528 7799cfdb 00000011 02f20100 03655d88 ntdll!RtlpNtSetValueKey+0x28a3 0513f540 7799e64d 03655d88 03655000 0000008d ntdll!RtlpNtSetValueKey+0x921b 0513f588 779a2d21 03655d88 00000000 02f20000 ntdll!RtlpNtSetValueKey+0xa88d 0513f5ac 7799f8b0 00000000 03655d88 02f20000 ntdll!RtlpNtSetValueKey+0xef61 0513f5cc 7792fd62 00000000 0513f644 0513f648 ntdll!RtlpNtSetValueKey+0xbaf0 0513f62c 77996d58 00000000 0513f644 0513f648 ntdll!RtlRemovePropertyStore+0x162 0513f64c 77973555 00000000 7fe51ce1 03655d88 ntdll!RtlpNtSetValueKey+0x2f98 0513f69c 77939792 00000000 00000011 03670448 ntdll!RtlImageRvaToVa+0x105 0513f6b0 7790a3ff 02f20000 00000000 03655d88 ntdll!RtlCaptureStackContext+0x2f2 0513f6d4 778e688d 7fe51d01 00000000 036556b0 ntdll!RtlFindUnicodeSubstring+0x12f 0513f77c 74e2a13b 036555d8 03691530 036556b0 ntdll!LdrShutdownThread+0x26d 0513f790 7790e4fc 036555d8 036555d8 72ce0000 stacktimesupport!HookLdrShutdownThread+0x10b 0513f868 75aba565 00000000 036555d8 0513f901 ntdll!RtlExitUserThread+0x4c 0513f87c 7752d1c1 72ce0000 00000000 0513f8a0 KERNELBASE!FreeLibraryAndExitThread+0x35 0513f88c 72f49c99 72ce0000 00000000 72e88880 kernel32!FreeLibraryAndExitThread+0x11 0513f8a0 72f49d83 00000000 0513f8e4 72f49bf5 ComMaskDec!common_end_thread+0x4d [minkernel\crts\ucrt\src\appcrt\startup\thread.cpp @ 266] 0513f8ac 72f49bf4 00000000 31f3cf92 00000018 ComMaskDec!_endthreadex+0xd [minkernel\crts\ucrt\src\appcrt\startup\thread.cpp @ 277] 0513f8e4 74e2ade7 036555d8 f4a72008 74e2ab70 ComMaskDec!thread_start<unsigned int (__stdcall)(void ),1>+0x5d [minkernel\crts\ucrt\src\appcrt\startup\thread.cpp @ 97] 0513f928 77527ba9 03691530 77527b90 0513f990 stacktimesupport!MmpUserThreadStart+0x277 0513f938 7790bc5b 0513f9b0 7fe513ed 00000000 kernel32!BaseThreadInitThunk+0x19 0513f990 7790bbdf ffffffff 77939277 00000000 ntdll!RtlInitializeExceptionChain+0x6b 0513f9a0 74e2a3e6 74e2ab70 0513f9b0 72f49b97 ntdll!RtlClearBits+0xbf 00000000 00000000 00000000 00000000 00000000 stacktimesupport!HookRtlUserThreadStart+0x26

STACK_COMMAND: ~9s; .ecxr ; kb

FOLLOWUP_IP: stacktimesupport!HookLdrShutdownThread+10b 74e2a13b 5e pop esi

SYMBOL_STACK_INDEX: d

SYMBOL_NAME: stacktimesupport!HookLdrShutdownThread+10b

FOLLOWUP_NAME: MachineOwner

bb107 commented 1 year ago

C0000374 means heap corruption. You can load it with kernel32!LoadLibraryA to rule out whether it is a problem with the DLL itself.

0513f77c 74e2a13b 036555d8 03691530 036556b0 ntdll!LdrShutdownThread+0x26d

This line is the return address of calling ntdll!_LdrpFreeTls. This means that the heap is corrupted when tls is being released, and the MmpTlsFiber branch may be able to mitigate this. If the problem persists, please provide a code snippet that causes the problem.

wPood909mv commented 1 year ago

The reason has been found, it's my own problem.