App running +rwx code at DR injection time crashes
Created by: eranzim
Describe the bug
I tried running my code with winafl and DynamoRIO in several ways (including both drrun.exe and afl-fuzz.exe), all failed with c0000005 (access violation). I saw it recommended somewhere to run with drrun.exe but without winafl, to see if that works, and that also gives an access violation, even when I removed everything from my test exe and left just "return 0":
C:\Code\MyResearch\DynamoRIO-Windows-8.0.18936\bin64\drrun.exe -- C:\Code\Test\TestExe\x64\Release\TestExe.exe
I can see the crash in Windows' event log, shown below. I also tried to check where that offset in ntdll is, and got to LdrGetDllHandleByName - the exception is when it tries to write to its out param.
To Reproduce
C:\Code\MyResearch\DynamoRIO-Windows-8.0.18936\bin64\drrun.exe -- C:\Code\Test\TestExe\x64\Release\TestExe.exe
TestExe.exe is a 64-bit exe compiled in Release with Visual Studio 2019 16.11.5, which contains a _tmain function that only returns 0.
Running TestExe.exe directly doesn't crash. Running with -debug still crashes, see output below.
Expected behavior
Don't crash.
Screenshots or Pasted Text
In eventvwr (Windows Logs > Application), I can see:
Faulting application name: TestExe.exe, version: 0.0.0.0, time stamp: 0x618a6e15
Faulting module name: ntdll.dll, version: 10.0.19041.1288, time stamp: 0xa280d1d6
Exception code: 0xc0000005
Fault offset: 0x0000000000076ffb
Faulting process id: 0x7764
Faulting application start time: 0x01d7d568252e029e
Faulting application path: C:\Code\Test\TestExe\x64\Release\TestExe.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 5cd5b69b-1c62-473d-aea0-da04415907ab
Faulting package full name:
Faulting package-relative application ID:
And also:
Fault bucket 2193024489411161897, type 4
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: TestExe.exe
P2: 0.0.0.0
P3: 618a6e15
P4: ntdll.dll
P5: 10.0.19041.1288
P6: a280d1d6
P7: c0000005
P8: 0000000000076ffb
P9:
P10:
Attached files:
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8848.tmp.dmp
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8888.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8898.tmp.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER88A6.tmp.csv
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER88D6.tmp.txt
These files may be available here:
\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_TestExe.exe_765ed3d798174e1ba1abff5141a4da78ab5fa1_8fc52057_1b47e7a3-ee3c-4f7b-8675-84bf386b4201
Analysis symbol:
Rechecking for solution: 0
Report Id: 5cd5b69b-1c62-473d-aea0-da04415907ab
Report Status: 268435456
Hashed bucket: 318aba5cafebc57efe6f30276b15af29
Cab Guid: 0
Output of running with debug:
# C:\Code\MyResearch\DynamoRIO-Windows-8.0.18936\bin64\drrun.exe -debug -- C:\Code\Test\TestExe\x64\Release\TestExe.exe
<Starting application C:\Code\Test\TestExe\x64\Release\TestExe.exe (29100)>
<Running on newer-than-this-build "Microsoft Windows 10-2009 x64">
<Early threads found>
<Initial options = -no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<intercept_syscall_wrapper: not hooking NtCreateUserProcess due to conflict @0x00007ffec8bee655>
<intercept_syscall_wrapper: not hooking NtTerminateProcess due to conflict @0x00007ffec8bed2e5>
<intercept_syscall_wrapper: not hooking NtTerminateThread due to conflict @0x00007ffec8bed7c5>
<intercept_syscall_wrapper: not hooking NtMapViewOfSection due to conflict @0x00007ffec8bed265>
<intercept_syscall_wrapper: not hooking NtOpenFile due to conflict @0x00007ffec8bed3c5>
<Stopping application C:\Code\Test\TestExe\x64\Release\TestExe.exe (29100)>
<CURIOSITY : reached_image_entry_yet() || standalone_library || ( (((void)(((dynamo_options.checklevel >= (1)) && !(!((OPTION_IS_STRING_thin_client)) || (((&options_lock)->num_readers > 0) || self_owns_write_lock(&options_lock)))) ? (d_r_internal_error("D:\\a\\dynamorio\\dynamorio\\core\\win32\\os.c", 1231, "!((OPTION_IS_STRING_thin_client)) || READWRITE_LOCK_HELD(&options_lock)"), 0) : 0)), dynamo_options.thin_client)) || dr_api_entry || (!((dynamo_options.client_lib)[0] == '\0')) in file D:\a\dynamorio\dynamorio\core\win32\os.c line 1231
version 8.0.18936, custom build
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000001634dde4288 0x000001634ddc4800
0x00000000153928ed 0xccccccccccccc300
C:\Code\MyResearch\DynamoRIO-Windows-8.0.18936\lib64\debug\dynamorio.dll=0x0000000015000000>
Versions
Using latest DynamoRIO release (DynamoRIO-Windows-8.0.18936.zip), Windows 10 21H1 (OS build 19043.1320). 64-bit versions for everything.
Additional context
I have SEP, but even when I disabled it, the crash still happened.