microsoft/Detours

Sample trcapi is causing an exception on a .NET (64 bit COR) executable

albertlab0 opened this issue · 1 comments

Describe the bug
I am using trcapi to trace a malware sample. The malware sample executes normally without trcapi. However,
with trcapi (withdll.exe 64 bit, since it is 64 bit COR), it is raising an exception.

The malware sample doesn't seem to have any anti-debug or anti-hooking check.

Command-line test case
```
withdll.exe /d:trcapi64.dll Installer.exe
```

Expected behavior

Installer.exe creates a suspended process InstallUtil.exe, so we are expecting to see a CreateProcess event.

But it crashed halfway:

```
20230124111232276 3532 50.60: trcapi64: 001 -RaiseException(,,,) ->
20230124111232276 ---- --.00: Error 1810889600 in (null).
```

```
Version 4.0.1 of Detours
```

Additional context
I am still trying to debug it and narrow down the issue a bit.

```
Faulting module name: KERNELBASE.dll, version: 10.0.16299.15, time stamp: 0x4736733c
Exception code: 0xe0434352
Fault offset: 0x0000000000013fb8
Faulting process id: 0x1bbc
```

This might be related to #54