
CreateWindowEx Crash


Hi!

Found a crash that may be indirectly caused by these hooks:
HOOK_NOTAIL(user32, CreateWindowExA, 12),
HOOK_NOTAIL(user32, CreateWindowExW, 12),

The crash can be reproduced by opening the Save dialog in Notepad (Windows 7 x64 Enterprise SP1).

Exception Message:

Unhandled exception at 0x000000000018F2F0 in notepad.exe: 0xC000041D: An unhandled exception was encountered during a user callback.

Notepad callstack

000000000018f2f0()  <- not in executable region
user32.dll!UserCallWinProcCheckWow()   
user32.dll!DispatchClientMessage() 
user32.dll!__fnDWORD() 
ntdll.dll!KiUserCallbackDispatcherContinue()   
user32.dll!ZwUserDestroyWindow()   
shell32.dll!CChangeRouterProxy::Release(void)   
shell32.dll!SHChangeNotifyRegisterThread() 
comdlg32.dll!CFileOpenSave::Show(struct HWND__ *)   
notepad.exe!ShowOpenSaveDialog()   
notepad.exe!InvokeSaveDialog() 
notepad.exe!NPCommand()    
notepad.exe!NPWndProc()    
user32.dll!UserCallWinProcCheckWow()   
user32.dll!DispatchClientMessage() 
user32.dll!__fnDWORD() 
ntdll.dll!KiUserCallbackDispatcherContinue()   
user32.dll!NtUserTranslateAccelerator()    
user32.dll!TranslateAcceleratorW() 
notepad.exe!WinMain()  

; Debugger disassembly of user32!UserCallWinProcCheckWow (Intel syntax, Win64 ABI).
; Frame layout used in the comments below: on entry rax = rsp, so [rax+8]/[rax+10h]/[rax+18h]/[rax+20h]
; are the four home slots. After the three pushes and the 0A0h local area the frame is 0B8h bytes,
; so [rsp+0B8h] is the return address, [rsp+0C8h] is the rdx home slot, and [rsp+0E0h], [rsp+0E8h]
; and [rsp+0F8h] are the 5th, 6th and 8th arguments.
UserCallWinProcCheckWow:

0000000077049AF4  mov         rax,rsp                                   ; rax = entry rsp (frame base)
0000000077049AF7  mov         qword ptr [rax+8],rsi                     ; spill rsi/rdi/r12 (callee-saved on Win64) into the home slots
0000000077049AFB  mov         qword ptr [rax+18h],rdi  
0000000077049AFF  mov         qword ptr [rax+20h],r12  
0000000077049B03  mov         qword ptr [rax+10h],rdx                   ; arg2 (rdx) saved to its home slot; read back as the call target at [rsp+0C8h] below
0000000077049B07  push        r13  
0000000077049B09  push        r14  
0000000077049B0B  push        r15  
0000000077049B0D  sub         rsp,0A0h                                  ; locals; frame below entry rsp is now 0B8h bytes
0000000077049B14  mov         r13d,r9d                                  ; r13d = arg4 (dword)
0000000077049B17  mov         r15,r8                                    ; r15 = arg3
0000000077049B1A  mov         r14,rcx                                   ; r14 = arg1
0000000077049B1D  and         qword ptr [rax-80h],0                     ; zero the local that is [rsp+38h] in the new frame (receives the callback's return value later)
0000000077049B22  mov         rax,qword ptr gs:[30h]                    ; rax = TEB (gs:[30h] is the TEB self pointer on x64)
0000000077049B2B  mov         rdx,qword ptr [rax+860h]                  ; pointer stored at TEB+860h
0000000077049B32  test        rdx,rdx  
0000000077049B35  je          UserCallWinProcCheckWow+4Ch (077049B40h)  
0000000077049B37  test        byte ptr [rdx],4                          ; bit 2 of its first byte selects an out-of-line path (presumably the WoW check the name refers to; unverified)
0000000077049B3A  jne         UserCallWinProcCheckWow+0FFFFB9E5h (0770454D9h)  
0000000077049B40  xor         r12d,r12d                                 ; r12d = 0
0000000077049B43  mov         dword ptr [rsp+40h],r12d  
0000000077049B48  lea         edi,[r12+1]                               ; edi = 1
0000000077049B4D  mov         qword ptr [rsp+50h],48h                   ; 48h-byte local structure at [rsp+50h]: first qword = 48h, next dword = 1
0000000077049B56  mov         dword ptr [rsp+58h],edi  
0000000077049B5A  xor         edx,edx  
0000000077049B5C  lea         r8d,[rdx+38h]                             ; memset([rsp+60h], 0, 38h)
0000000077049B60  lea         rcx,[rsp+60h]  
0000000077049B65  call        memset (0770497ECh)  
0000000077049B6A  xor         esi,esi                                   ; esi = 0 (becomes 1 below if the user API hook is active)
0000000077049B6C  mov         dword ptr [rsp+30h],esi  
0000000077049B70  test        r12d,r12d                                 ; r12d is 0 here, so this branch is never taken on this path
0000000077049B73  jne         UserCallWinProcCheckWow+0B7h (077049BABh)  
0000000077049B75  mov         rdx,r14                                   ; rcx = the 48h-byte local above, rdx = arg1
0000000077049B78  lea         rcx,[rsp+50h]  
0000000077049B7D  call        qword ptr [__imp_RtlActivateActivationContextUnsafeFast (0770B2078h)]  
0000000077049B83  lock add    dword ptr [gcCallUserApiHook (0770C2100h)],edi   ; gcCallUserApiHook += 1 (edi is 1)
0000000077049B8A  cmp         qword ptr [ghmodUserApiHook (0770C21F8h)],rsi    ; no user API hook module loaded -> skip the hook path
0000000077049B91  je          UserCallWinProcCheckWow+0FFFEC3E6h (077035EDAh)  
0000000077049B97  cmp         dword ptr [gfUserApiHook (0770C2130h)],esi      ; hook flag clear -> skip the hook path
0000000077049B9D  je          UserCallWinProcCheckWow+0FFFEC3E6h (077035EDAh)  
0000000077049BA3  mov         esi,edi                                   ; esi = 1: user API hook is active
0000000077049BA5  mov         dword ptr [rsp+30h],edi  
0000000077049BA9  jmp         UserCallWinProcCheckWow+0B7h (077049BABh)  
0000000077049BAB  test        esi,esi                                   ; hook dispatch only when esi != 0 and the 8th argument is non-zero
0000000077049BAD  je          UserCallWinProcCheckWow+100h (077049BF4h)  
0000000077049BAF  cmp         dword ptr [rsp+0F8h],0  
0000000077049BB7  je          UserCallWinProcCheckWow+100h (077049BF4h)  
0000000077049BB9  mov         edx,r13d                                  ; edx = arg4 >> 3: byte index into the table at guah+60h
0000000077049BBC  shr         edx,3  
0000000077049BBF  mov         r8,qword ptr [guah+60h (0770C23E0h)]  
0000000077049BC6  test        r8,r8                                     ; table present?
0000000077049BC9  je          UserCallWinProcCheckWow+0FFFFEED1h (0770489C5h)  
0000000077049BCF  cmp         edx,dword ptr [guah+68h (0770C23E8h)]    ; unsigned bounds check against the table length at guah+68h
0000000077049BD5  jae         UserCallWinProcCheckWow+0FFFFEED1h (0770489C5h)  
0000000077049BDB  mov         ecx,r13d                                  ; edi = (1 << (arg4 & 7)) & table[arg4 >> 3]: one bit per arg4 value
0000000077049BDE  and         ecx,7  
0000000077049BE1  shl         edi,cl  
0000000077049BE3  movzx       ecx,byte ptr [rdx+r8]  
0000000077049BE8  and         edi,ecx  
0000000077049BEA  jmp         UserCallWinProcCheckWow+0F8h (077049BECh)  
0000000077049BEC  test        edi,edi                                   ; bit set -> out-of-line hook dispatch
0000000077049BEE  jne         UserCallWinProcCheckWow+0FFFFEE4Ah (07704893Eh)  
0000000077049BF4  mov         r9,qword ptr [rsp+0E8h]                   ; r9 = 6th argument
0000000077049BFC  mov         r8,qword ptr [rsp+0E0h]                   ; r8 = 5th argument
0000000077049C04  mov         edx,r13d                                  ; edx = arg4
0000000077049C07  mov         rcx,r15                                   ; rcx = arg3
0000000077049C0A  call        qword ptr [rsp+0C8h]  <--------------- CALLED from here   ; indirect call through arg2's home slot (the rdx saved at entry); the faulting address 0x18F2F0 reported above is the value it jumped to, outside any executable region, so the bad pointer appears to have been passed in by the caller - confirm with the register state at this call
0000000077049C11  mov         qword ptr [rsp+38h],rax                   ; stash the callback's return value
0000000077049C16  test        r12d,r12d  
0000000077049C19  jne         UserCallWinProcCheckWow+13Bh (077049C2Fh)  
0000000077049C1B  test        esi,esi  
0000000077049C1D  je          UserCallWinProcCheckWow+130h (077049C24h)
...

This couldn't be due to our hooks: those hooks return and restore the registers and stack to their previous state before calling the original function (unlike normal hooks, which wrap the execution of the original function). You can verify this by adding exclude-apis=CreateWindowExA:CreateWindowExW to the options.

-Brad