
A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

v3.0.5772.1245 - Process Hacker crashes with an access violation (AV) in ./phlib/ref.c::171 when a file is sent to hybrid-analysis.com via Tools - Online Checks #231

Closed VictorVG closed 6 years ago

VictorVG commented 6 years ago

When I try to submit a file for a virus check via Tools - Online Checks - hybrid-analysis.com, Process Hacker crashes with an access violation (AV) at `_InterlockedIncrement(&objectHeader->RefCount)` in ./phlib/ref.c::171. The faulting instruction is `lock inc dword ptr [rcx-8]`: the reference count lives in the object header immediately before the object, so an AV here means the `Object` pointer handed to PhReferenceObject was most likely NULL or already freed/unmapped. The debugger shows this listing:

--- \phlib\ref.c -----------------
   167:     PPH_OBJECT_HEADER objectHeader;
   168:
   169:     objectHeader = PhObjectToObjectHeader(Object);
   170:     // Increment the reference count.
--->   171:     _InterlockedIncrement(&objectHeader->RefCount);
000000013FAC4A40 F0 FF 41 F8          lock inc    dword ptr [rcx-8]
   172:
   173:     return Object;
000000013FAC4A44 48 8B C1             mov         rax,rcx
   174: }
000000013FAC4A47 C3                   ret
--- not source code --------------------------------------------------------
000000013FAC4A48 CC                   int         3
000000013FAC4A49 CC                   int         3
000000013FAC4A4A CC                   int         3
000000013FAC4A4B CC                   int         3
000000013FAC4A4C CC                   int         3
000000013FAC4A4D CC                   int         3
000000013FAC4A4E CC                   int         3
000000013FAC4A4F CC                   int         3
--- \phlib\ref.c -----------------
   189:     PPH_OBJECT_HEADER objectHeader;
   190:     LONG oldRefCount;
   191:
   192:     assert(!(RefCount < 0));
   193:
   194:     objectHeader = PhObjectToObjectHeader(Object);
   195:     // Increase the reference count.
   196:     oldRefCount = _InterlockedExchangeAdd(&objectHeader->RefCount, RefCount);
000000013FAC4A50 F0 0F C1 51 F8       lock xadd   dword ptr [rcx-8],edx
   197:
   198:     return Object;
000000013FAC4A55 48 8B C1             mov         rax,rcx
   199: }
000000013FAC4A58 C3                   ret
--- not source code --------------------------------------------------------

Possible source of the problem (unconfirmed - this is the change I tried, shown as a diff):

--- plugins/OnlineChecks/main.c    Thu Jan 25 15:58:49 2018
+++ plugins/OnlineChecks/main.c    Fri Jan 26 15:03:21 2018
@@ -291,7 +291,7 @@
     sendToMenu = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"Sen&d to", NULL);
     PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_HYBRIDANALYSIS_UPLOAD, L"&hybrid-analysis.com", FileName), -1);
     PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_VIRUSTOTAL_UPLOAD, L"&virustotal.com", FileName), -1);
-    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_JOTTI_UPLOAD, L"virusscan.&jotti.org", FileName), -1);
+//    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_JOTTI_UPLOAD, L"virusscan.&jotti.org", FileName), -1);

     if (ProcessesMenu && (menuItem = PhFindEMenuItem(Parent, PH_EMENU_FIND_STARTSWITH, L"Search online", 0)))
     {
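Review bot: The jotti item is commented out rather than deleted (`//    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_JOTTI_UPLOAD, ...)`), which leaves dead code for the next reader to wonder about; if the entry is meant to go, remove the line outright. This hunk also does not touch the hybrid-analysis item that the report says crashes, so it is unlikely to address the AV on its own. The fault at `[rcx-8]` in PhReferenceObject is consistent with a NULL or already-released object reaching the menu handler, so the `FileName` passed as the context of the hybrid-analysis item on the line above is the value I would inspect first; that is an inference from the crash listing, not something this hunk proves. The enclosing function begins before the hunk.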
@@ -370,7 +370,7 @@
     sendToMenu = PhPluginCreateEMenuItem(PluginInstance, 0, 0, L"Sen&d to", NULL);
     PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_HYBRIDANALYSIS_UPLOAD_SERVICE, L"&hybrid-analysis.com", serviceItem ? serviceItem : NULL), -1);
     PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_VIRUSTOTAL_UPLOAD_SERVICE, L"&virustotal.com", serviceItem ? serviceItem : NULL), -1);
-    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_JOTTI_UPLOAD_SERVICE, L"virusscan.&jotti.org", serviceItem ? serviceItem : NULL), -1);
+//    PhInsertEMenuItem(sendToMenu, PhPluginCreateEMenuItem(PluginInstance, 0, MENUITEM_JOTTI_UPLOAD_SERVICE, L"virusscan.&jotti.org", serviceItem ? serviceItem : NULL), -1);
     PhInsertEMenuItem(menuInfo->Menu, PhCreateEMenuSeparator(), -1);
     PhInsertEMenuItem(menuInfo->Menu, sendToMenu, -1);

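Review bot: The context argument `serviceItem ? serviceItem : NULL` on the hybrid-analysis and virustotal lines is the same value as plain `serviceItem` (a NULL pointer yields NULL either way), so the conditional only obscures the intent; `serviceItem` alone reads better. As in the previous hunk, the jotti line is commented out instead of removed and should simply be deleted. The enclosing function begins before the hunk.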
--- plugins/OnlineChecks/upload.c    Thu Jan 25 15:58:49 2018
+++ plugins/OnlineChecks/upload.c    Fri Jan 26 15:01:30 2018
@@ -30,8 +30,8 @@
     { MENUITEM_HYBRIDANALYSIS_UPLOAD_SERVICE, L"www.hybrid-analysis.com", L"/api/submit", L"file" },
     { MENUITEM_VIRUSTOTAL_UPLOAD, L"www.virustotal.com", L"???", L"file" },
     { MENUITEM_VIRUSTOTAL_UPLOAD_SERVICE, L"www.virustotal.com", L"???", L"file" },
-    { MENUITEM_JOTTI_UPLOAD, L"virusscan.jotti.org", L"/en-US/submit-file?isAjax=true", L"sample-file[]" },
-    { MENUITEM_JOTTI_UPLOAD_SERVICE, L"virusscan.jotti.org", L"/en-US/submit-file?isAjax=true", L"sample-file[]" },
+//    { MENUITEM_JOTTI_UPLOAD, L"virusscan.jotti.org", L"/en-US/submit-file?isAjax=true", L"sample-file[]" },
+//    { MENUITEM_JOTTI_UPLOAD_SERVICE, L"virusscan.jotti.org", L"/en-US/submit-file?isAjax=true", L"sample-file[]" },
 };

 VOID RaiseUploadError(
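Review bot: Commenting out the two jotti rows leaves `MENUITEM_JOTTI_UPLOAD` and `MENUITEM_JOTTI_UPLOAD_SERVICE` defined but absent from this table; any code that looks up a menu id in this table must then cope with a miss, which this patch does not show, so either delete the rows and the ids together or confirm that the lookup path handles a missing entry. Separately, the VirusTotal rows carry `L"???"` as the object path; if that is the shipped value rather than a redaction in the paste, a VirusTotal upload would be posted to a literal `???` path, which would explain an upload failure independent of the crash. The table definition starts before the hunk.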

However, the OnlineChecks plug-in still uploads files to virusscan.jotti.org successfully, and that service itself works: I submitted a file and shortly afterwards could see the callback report in the browser.

Other users have also reported errors associated with this menu. I am still checking those reports, because I cannot yet rule out a stray problem in those users' local settings.

VictorVG commented 6 years ago

Other users have also reported errors associated with this menu. I am still checking those reports, because I cannot yet rule out a stray problem in those users' local settings.

The second report (the one I mentioned yesterday), from ItsJustMe on forum.ru-board.com:

By the way, here is another interesting bug for the collection: choose the second item there (Upload file to VirusTotal ...) and click Cancel in the file-selection dialog (if you actually try to upload something it gets even worse, so upload nothing, just click Cancel). Then watch the Process Hacker instances multiply.

Not confirmed: I could not reproduce this on thirty independent machines.

VictorVG commented 6 years ago

I built and tested Git 593e938 and it works. The hybrid-analysis.com service itself is another matter: it is extremely slow (after waiting over 2.5 hours I still had no result) and it only accepts PE32/PE64 files; anything else is rejected with an error message blaming the submitter. :)

screen-2018-01-28_20-51-06

His colleagues at least first think, and after they swear, and these first swear, and then look at whose address the volley was given. :)