Sudo tries to leverage the kernel DLLs before loading them
mobilejon opened this issue · 5 comments
Sudo for Windows version
1.0.0
Windows build number
10.0.26100.1742
Other Software
N/A
Steps to reproduce
Using Sudo in CMD or w/e.
I found that prior to loading ntdll.dll, Sudo is trying to use it, as I found in the stack trace:
Expected Behavior
N/A
Actual Behavior
I don't think it's a behavioral issue, but upon debugging and looking at how Sudo works for an upcoming blog I noticed that this is probably not the right behavior. The issue goes away once ntdll.dll is loaded.
What tool is that?
> What tool is that?
I can't tell what software this is but it's likely a debugging or crash analysis tool.
That is procmon
> That is procmon
I knew the interface looked so familiar.
This is a bug caused by recent security hardening changes to the Process Monitor kernel driver. Try viewing the process start event of any other third party program and they all have the exact same issue.
You'll need to downgrade to an older version or wait for Procmon to include support for virtual handles with SymInitialize.