winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Unloaded AppDomain is still shown in System Informer `.NET assemblies` tab. #2048

Open Cracked5pider opened 5 months ago

Cracked5pider commented 5 months ago

Brief description of your issue

I was writing a small function to host the CLR in the current process and to load and invoke an assembly. After invoking the assembly, the app domain is unloaded but is still shown in System Informer (just with the loaded assembly name missing). More is shown below. When interacting with the CLR API to query all app domains and assemblies, the app domain that has been unloaded is no longer visible (the APIs used are: `ICorRuntimeHost::EnumDomains`, `ICorRuntimeHost::NextDomain`, `mscorlib::_AppDomain::GetAssemblies`).

Code that unloads the App domain: image

Steps to reproduce (optional)

No response

Expected behavior (optional)

I downloaded ProcessHacker to see if the same behavior occurs, which wasn't the case. (stomper.x64.exe is the process that I wrote to host the CLR and execute my .NET assembly.) image

Actual behavior (optional)

Under SystemInformer the AppDomain is still shown after calling ICorRuntimeHost::UnloadDomain. image

Environment (optional)

My environment is Windows 11 (Build: 22631.3447) 64-bit and running a 64-bit process. If more information is required to understand the issue, I am willing to help and show more.

dmex commented 5 months ago

What does windbg show?

Copy the value from the address column and, from windbg, try executing:

```
!FindAppDomain ADDR
!DumpDomain ADDR
```

`!DumpDomain` should also list all the appdomains.

```
dt coreclr!appdomain ADDR
```

TheoTurletti commented 1 day ago

I have the same issue when patching ETW in a PowerShell process:

Process Hacker:

image

System Informer:

image