I'm finally getting 'round to writing about a nasty bug that I had to spend a bunch of time with in Q4 2015. It's one of the more challenging problems that I've had to break and I've been asked a lot of questions about it.

In bug 1213567 I had landed a patch to intercept calls to CreateWindowEx. This was necessary because it was apparent in that bug that window subclassing was occurring while a window was neutered ("neutering" is terminology that is [...]). While I'll save a discussion on the specifics of window neutering for another day, for our purposes it is sufficient for me to point out that subclassing a neutered window is bad because it creates an infinite recursion scenario with window procedures that will eventually overflow the stack.

Neutering is triggered during certain types of IPC calls as soon as a message is sent to an unneutered window on the thread making the IPC call. In the case of bug 1213567, the message triggering the neutering was WM_CREATE. Shortly after creating that window, the code responsible would subclass it. Since WM_CREATE had already triggered neutering, this would result in the pathological case that triggers the stack overflow.

For a fix, what I wanted to do is to prevent messages that were sent immediately during the execution of CreateWindow (such as WM_CREATE) from triggering neutering. By intercepting calls to CreateWindowEx, I could wrap those calls with a RAII object that temporarily suppresses the neutering. Since the subclassing occurs immediately after window creation, this meant that [...].

Unfortunately, shortly after landing bug 1213567, bug 1218473 was filed. It wasn't obvious where to start debugging this. [...] I looked at was js::CreateRegExpMatchResult! While a crash spike was clearly correlated with the landing of bug 1213567, the crashes were occurring in code that had nothing to do with IPC or Win32.

When it is just not clear where to begin, I like to start by looking at our correlation data in Socorro - you'd be surprised how often they can bring [...]. In this case, the correlation data didn't disappoint: there [...] presence of both NVIDIA video drivers and Intel video drivers. [...] was a concern only when NVIDIA Optimus technology was enabled.

I also had a pretty strong hypothesis about what _etoured.dll was: for many years, Microsoft Research has shipped a package called Detours, a library that is used for intercepting Win32 API calls. While the changelog for Detours 3.0 points out that it has "Removed requirement for including detoured.dll in processes," in previous versions of the package, this library was required to be injected into the target process. I concluded that _etoured.dll was most likely a renamed version of detoured.dll from Detours 2.x.

During a November trip to the Mozilla Toronto office, I spent some time debugging a test laptop that was configured with Optimus. Now that I knew the likely culprit, I needed to know how it was getting there. Knowing that the presence of Detours was somehow interfering with our own API interception, I decided to find out whether it was also trying to intercept CreateWindowExW.

I launched windbg, started Firefox with it, and then told it to break as soon as user32.dll was loaded. I wanted the debugger to break as soon as [...]. Then the debugger broke on the memory access and [...]:

mozglue!`anonymous namespace'::patched_LdrLoadDll+0x1b0

This stack is a gold mine of information. The offending DLLs are being injected by AppInit_DLLs (and in fact, Raymond [...]). nvinit.dll is the name of the DLL that is injected by step 1. nvinit.dll loads nvd3d9wrap.dll which then uses Detours to patch [...].

I then became curious as to which other functions they were patching. Since Detours is patching executable code, we know that at some point it is going to need to call VirtualProtect to make the target code writable. Worst case, VirtualProtect's caller is going to pass the address of the page [...]. In the best case, the caller will pass in the address of the target function itself. I restarted windbg, but this time I set a breakpoint on VirtualProtect. I then resumed the debugger and examined the call stack every time it broke. While not every single VirtualProtect call would correspond to a detour, it would be obvious when it was, as the NVIDIA DLLs would be on the call stack. The first time I caught a detour, I examined the address being passed to VirtualProtect: I ended up with the best possible case: the address was pointing to the actual target function! From there I was able to distill a list of the functions being hooked by the injected NVIDIA DLLs.

Putting it all Together

By this point I knew who was hooking our code and knew how it was getting there.
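As an added example (not code from this post, Mozilla or the Detours package), the check that follows naturally from the VirtualProtect observations above: once you have the address of a target function, a few bytes at its entry tell you whether it has been inline-patched the way Detours does, and where the patch diverts control to. The byte patterns and the address 0x7FF812340000 are constructed sample values; on Windows the bytes would be read from the function entry obtained via GetProcAddress, which is not done here so that the code runs anywhere.

```c
/* Added example: classify a function prologue as clean or inline-hooked and
 * recover the jump target. Assumes x86/x64 code bytes and a little-endian host.
 * All sample bytes and addresses below are constructed, not captured. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_INDIRECT, HOOK_HOTPATCH_SHORT };

/* Read a little-endian 32-bit value without relying on alignment. */
static int32_t rd32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Inspect `len` bytes located at `entry_va` (the function's virtual address).
 * On a hit, *target receives the address control is diverted to: the detour
 * trampoline for E9, the RIP-relative pointer slot for FF 25 (x64 reading),
 * or the hot-patch pad just before the function for the EB F9 form. */
enum hook_kind classify_prologue(uint64_t entry_va, const uint8_t *code,
                                 size_t len, uint64_t *target) {
    if (len >= 5 && code[0] == 0xE9) {                     /* jmp rel32: classic detour */
        *target = entry_va + 5 + (int64_t)rd32(code + 1);
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {  /* jmp [rip+disp32] */
        *target = entry_va + 6 + (int64_t)rd32(code + 2);
        return HOOK_JMP_INDIRECT;
    }
    if (len >= 2 && code[0] == 0xEB) {                     /* jmp short: hot-patch pad in use */
        *target = entry_va + 2 + (int8_t)code[1];
        return HOOK_HOTPATCH_SHORT;
    }
    *target = 0;
    return HOOK_NONE;
}

/* Convenience wrapper returning only the diverted-to address (0 when clean). */
uint64_t hook_target(uint64_t entry_va, const uint8_t *code, size_t len) {
    uint64_t t;
    classify_prologue(entry_va, code, len, &t);
    return t;
}

/* Constructed sample prologues: a clean x64 entry, a Detours-style jmp rel32,
 * and an x86 hot-patched `mov edi,edi` (EB F9 jumps 5 bytes before the entry). */
static const uint8_t kClean[]    = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57 }; /* mov [rsp+8],rbx ; push rdi */
static const uint8_t kDetoured[] = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x90 }; /* jmp +0x1000 ; nop */
static const uint8_t kHotpatch[] = { 0xEB, 0xF9, 0x55, 0x8B, 0xEC };       /* jmp short -7 ; push ebp */

int main(void) {
    const uint64_t va = 0x7FF812340000ULL;   /* assumed function address */
    uint64_t t;
    enum hook_kind k = classify_prologue(va, kDetoured, sizeof kDetoured, &t);
    printf("kind=%d target=0x%llx\n", (int)k, (unsigned long long)t);
    return 0;
}
```

Fed the entry bytes of each import a process resolves, the same classification flags which functions carry a jump into a module that is not the one exporting them.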