Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Crash] Unknown/Strange crash in Chrome.dll (AccessViolation). while calling win32 CreateWindowExW #355

Closed
IDA-RE-things opened this issue Mar 9, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@IDA-RE-things
Copy link

IDA-RE-things commented Mar 9, 2024

Unknown crash in Chrome.dll after starting and clicking on GUI interface with mouse.
AccessViolation at some location.
Its happened with latest v122."Hotfix2"
But earler versions -- v121, v122 -- same situation.
AccessViolation_1

As I mentioned here #338, its need to provide stripped-down pdb file while linking. Or with postrprocess pdbcopy tool.
To debug crashes on XP x86 machines. (and elsewhere).
We just cant use this huge pdb file to debug. And to view Callstack at least.
But there are no reaction.

The issue described here #323 was "fixed", But some wrong way. Because now it dont creates CrashDump's at all. And creates no logs at all. :) :)

This is CallStack from VisualStudio, where we can't see Function names, without adequate PDB :

Callstack_1

@IDA-RE-things
Copy link
Author

IDA-RE-things commented Mar 9, 2024

UPD: I got now some callstack of the crash, but for old ver v.121-dbg, for which I have created stripped pdb, as I described early.

No linenumbers info, But looks better

Callstack_2

@IDA-RE-things
Copy link
Author

UPD: @win32ss, I have seen additional pdb's you have uploaded here
https://github.com/win32ss/supermium/releases/tag/v122-hf
It contains only information about object modules. And no other info, including function names. Its only 5 Mb. And useless.

Can you upload this #338 ?, as we discussed at the bottom, so I will ty.

@IDA-RE-things
Copy link
Author

IDA-RE-things commented Mar 10, 2024

UPD: got the SallStack using new updated PDB. Pdb is ok for now.

Callstack is near some as I got before for v121-dbg
So what about the bug ?
@win32ss, What do you think about this Call Stack of functions?

Callstack_4

I see some garbage, called from function. at 0x0211e200 :

Callstack_3

Why the code crashes, while calling Win32 API CreateWindowExW() ??
@win32ss, What is inside win32 here ?

@IDA-RE-things IDA-RE-things changed the title [Crash] Unknown crash in Chrome.dll (AccessViolation). Provide "strippeddown" pdb file to debug crashes on XP x86 machines. [Crash] Unknown/Strange crash in Chrome.dll (AccessViolation). while calling win32 CreateWindowExW Mar 10, 2024
@IDA-RE-things
Copy link
Author

I'm got more precise results:

  1. Its a CallStack:

Callstack_5

  1. Its a function mixed code, where problem occured: register edi has garbage :

Code_1

  1. Its a function source code:

Code_4

  1. Its a function, which called in normal situation (OnWndProc) :

Code_3

But instead called some garbage from 0x0211e200...

So "window" pointer or its fields have garbage. I can't see fields contents, because VS2010 dont show it. (Dont know about other VS versions (later), they are not compatible w/remote debug on XP)

@win32ss
Copy link
Owner

win32ss commented Mar 11, 2024

Any idea if these failed calls came from WM_NCCREATE or not?

I wonder if the WindowUserData got overwritten with garbage after the window was created, as the WindowImpl is inherited by HWNDMessageHandler, and the pointer to that instance of WindowImpl is passed to CreateWindowExW as the lParam value, which is then set as WindowUserData on the WM_NCCREATE message. Is there anything that could be hooking the windows and potentially overwriting the WindowUserData?

@IDA-RE-things
Copy link
Author

IDA-RE-things commented Mar 12, 2024

The bug was found by me and fixed.

The bug was in my own (and very old) application layer compatibility dll from 2009 year for DWMAPI.dll for XP.
The function DwmExtendFrameIntoClientArea()
Bug was with missing __stdcall specifier, so default __cdecl was applied by compiler.
As result, the returned ESP was wrong.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants