microsoft / Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
MIT License

Sample trcapi is causing an exception on a .NET (64 bit COR) executable #273

Open albertlab0 opened 1 year ago

albertlab0 commented 1 year ago

Describe the bug

I am using trcapi to trace a malware sample. The malware sample executes normally without trcapi. However, with trcapi (withdll.exe 64-bit, since it is a 64-bit COR executable), it raises an exception.

The malware sample doesn't seem to have any anti-debug or anti-hooking checks.

Command-line test case

```
withdll.exe /d:trcapi64.dll Installer.exe
```

Expected behavior

Installer.exe creates a suspended process, InstallUtil.exe, so we are expecting to see a CreateProcess event.

But it crashed halfway:

```
20230124111232276 3532 50.60: trcapi64: 001 -RaiseException(,,,) -> 20230124111232276 ---- --.00: Error 1810889600 in (null).
```

```
Version 4.0.1 of Detours
```

Additional context

I am still trying to debug it and narrow down the issue a bit.

albertlab0 commented 1 year ago

```
Faulting module name: KERNELBASE.dll, version: 10.0.16299.15, time stamp: 0x4736733c
Exception code: 0xe0434352
Fault offset: 0x0000000000013fb8
Faulting process id: 0x1bbc
```

This might be related to https://github.com/microsoft/Detours/issues/54