CreateWindowEx Crash
vasporig commented
Hi!
Found a crash that appears to be triggered indirectly, possibly by these two hooks:
HOOK_NOTAIL(user32, CreateWindowExA, 12),
HOOK_NOTAIL(user32, CreateWindowExW, 12),
The crash can be reproduced by opening the Save dialog in notepad.exe on Windows 7 x64 Enterprise SP1.
Exception Message:
Unhandled exception at 0x000000000018F2F0 in notepad.exe: 0xC000041D (STATUS_FATAL_USER_CALLBACK_EXCEPTION): An unhandled exception was encountered during a user callback.
Notepad call stack (innermost frame first):
000000000018f2f0() <- not in an executable region; this is the target of the indirect call at 0x77049C0A below, so the window-procedure pointer read from [rsp+0C8h] appears to have been corrupted (0x18F2F0 looks like a stack address, so DEP most likely raised the fault)
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchClientMessage()
user32.dll!__fnDWORD()
ntdll.dll!KiUserCallbackDispatcherContinue()
user32.dll!ZwUserDestroyWindow()
shell32.dll!CChangeRouterProxy::Release(void)
shell32.dll!SHChangeNotifyRegisterThread()
comdlg32.dll!CFileOpenSave::Show(struct HWND__ *)
notepad.exe!ShowOpenSaveDialog()
notepad.exe!InvokeSaveDialog()
notepad.exe!NPCommand()
notepad.exe!NPWndProc()
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchClientMessage()
user32.dll!__fnDWORD()
ntdll.dll!KiUserCallbackDispatcherContinue()
user32.dll!NtUserTranslateAccelerator()
user32.dll!TranslateAcceleratorW()
notepad.exe!WinMain()
UserCallWinProcCheckWow:
0000000077049AF4 mov rax,rsp
0000000077049AF7 mov qword ptr [rax+8],rsi
0000000077049AFB mov qword ptr [rax+18h],rdi
0000000077049AFF mov qword ptr [rax+20h],r12
0000000077049B03 mov qword ptr [rax+10h],rdx
0000000077049B07 push r13
0000000077049B09 push r14
0000000077049B0B push r15
0000000077049B0D sub rsp,0A0h
0000000077049B14 mov r13d,r9d
0000000077049B17 mov r15,r8
0000000077049B1A mov r14,rcx
0000000077049B1D and qword ptr [rax-80h],0
0000000077049B22 mov rax,qword ptr gs:[30h]
0000000077049B2B mov rdx,qword ptr [rax+860h]
0000000077049B32 test rdx,rdx
0000000077049B35 je UserCallWinProcCheckWow+4Ch (077049B40h)
0000000077049B37 test byte ptr [rdx],4
0000000077049B3A jne UserCallWinProcCheckWow+0FFFFB9E5h (0770454D9h)
0000000077049B40 xor r12d,r12d
0000000077049B43 mov dword ptr [rsp+40h],r12d
0000000077049B48 lea edi,[r12+1]
0000000077049B4D mov qword ptr [rsp+50h],48h
0000000077049B56 mov dword ptr [rsp+58h],edi
0000000077049B5A xor edx,edx
0000000077049B5C lea r8d,[rdx+38h]
0000000077049B60 lea rcx,[rsp+60h]
0000000077049B65 call memset (0770497ECh)
0000000077049B6A xor esi,esi
0000000077049B6C mov dword ptr [rsp+30h],esi
0000000077049B70 test r12d,r12d
0000000077049B73 jne UserCallWinProcCheckWow+0B7h (077049BABh)
0000000077049B75 mov rdx,r14
0000000077049B78 lea rcx,[rsp+50h]
0000000077049B7D call qword ptr [__imp_RtlActivateActivationContextUnsafeFast (0770B2078h)]
0000000077049B83 lock add dword ptr [gcCallUserApiHook (0770C2100h)],edi
0000000077049B8A cmp qword ptr [ghmodUserApiHook (0770C21F8h)],rsi
0000000077049B91 je UserCallWinProcCheckWow+0FFFEC3E6h (077035EDAh)
0000000077049B97 cmp dword ptr [gfUserApiHook (0770C2130h)],esi
0000000077049B9D je UserCallWinProcCheckWow+0FFFEC3E6h (077035EDAh)
0000000077049BA3 mov esi,edi
0000000077049BA5 mov dword ptr [rsp+30h],edi
0000000077049BA9 jmp UserCallWinProcCheckWow+0B7h (077049BABh)
0000000077049BAB test esi,esi
0000000077049BAD je UserCallWinProcCheckWow+100h (077049BF4h)
0000000077049BAF cmp dword ptr [rsp+0F8h],0
0000000077049BB7 je UserCallWinProcCheckWow+100h (077049BF4h)
0000000077049BB9 mov edx,r13d
0000000077049BBC shr edx,3
0000000077049BBF mov r8,qword ptr [guah+60h (0770C23E0h)]
0000000077049BC6 test r8,r8
0000000077049BC9 je UserCallWinProcCheckWow+0FFFFEED1h (0770489C5h)
0000000077049BCF cmp edx,dword ptr [guah+68h (0770C23E8h)]
0000000077049BD5 jae UserCallWinProcCheckWow+0FFFFEED1h (0770489C5h)
0000000077049BDB mov ecx,r13d
0000000077049BDE and ecx,7
0000000077049BE1 shl edi,cl
0000000077049BE3 movzx ecx,byte ptr [rdx+r8]
0000000077049BE8 and edi,ecx
0000000077049BEA jmp UserCallWinProcCheckWow+0F8h (077049BECh)
0000000077049BEC test edi,edi
0000000077049BEE jne UserCallWinProcCheckWow+0FFFFEE4Ah (07704893Eh)
0000000077049BF4 mov r9,qword ptr [rsp+0E8h]
0000000077049BFC mov r8,qword ptr [rsp+0E0h]
0000000077049C04 mov edx,r13d
0000000077049C07 mov rcx,r15
0000000077049C0A call qword ptr [rsp+0C8h] <--------------- the indirect call to the window procedure; rcx = hwnd (r15), edx = message (r13d), r8/r9 = wParam/lParam; the pointer loaded here is the non-executable 0x18F2F0 that faulted
0000000077049C11 mov qword ptr [rsp+38h],rax
0000000077049C16 test r12d,r12d
0000000077049C19 jne UserCallWinProcCheckWow+13Bh (077049C2Fh)
0000000077049C1B test esi,esi
0000000077049C1D je UserCallWinProcCheckWow+130h (077049C24h)
...
spender-sandbox commented
This can't be caused by our hooks: HOOK_NOTAIL hooks return and restore the registers and the stack to their previous state before calling the original function (unlike normal hooks, which wrap the execution of the original function). You can verify this by adding `exclude-apis=CreateWindowExA:CreateWindowExW` to the options and checking whether the crash still reproduces; if it does, the corrupted window-procedure pointer is coming from somewhere else.
-Brad