Application Verifier causes hooked application to crash

Apr 15, 2014 at 4:31 PM
Hello,

I'm just wondering: is it OK that an application that uses EasyHook to hook clr.dll crashes when Application Verifier is active?
EasyHook version 2.6.
The error is heap corruption.

Call stack:
ntdll.dll!RtlCaptureContext()  + 0x85 bytes 
ntdll.dll!RtlpWalkFrameChain()  + 0x49 bytes    
ntdll.dll!RtlWalkFrameChain()  + 0x39 bytes 
ntdll.dll!RtlCaptureStackBackTrace()  + 0x4a bytes  
ntdll.dll!RtlStdLogStackTrace()  + 0x24 bytes   
ntdll.dll!RtlLogStackTrace()  + 0x1b bytes  
verifier.dll!AVrfpDphPlaceOnBusyList()  + 0x38 bytes    
verifier.dll!AVrfDebugPageHeapAllocate()  + 0x26f bytes 
ntdll.dll!RtlDebugAllocateHeap()  + 0x31 bytes  
ntdll.dll!string "Enabling heap debug options\n"()  + 0x14bda bytes 
ntdll.dll!RtlAllocateHeap()  + 0x178 bytes  
EasyHook64.dll!LhBarrierIntro(_LOCAL_HOOK_INFO_ * InHandle, void * InRetAddr, void * * InAddrOfRetAddr)  Line 800 + 0x15 bytes  C
Test.exe!SwapMethodBodySample.Main(string[] args) Line 255 C#
mscoreei.dll!_CorExeMain()  + 0x5d bytes    
mscoree.dll!_CorExeMain_Exported()  + 0x69 bytes    
kernel32.dll!BaseThreadInitThunk()  + 0xd bytes 
ntdll.dll!RtlUserThreadStart()  + 0x21 bytes    
May 7, 2014 at 4:07 PM
Edited May 7, 2014 at 4:23 PM
Actually, the simplest x64 program I managed to create also crashes when hooks are used.
I created a native DLL with one exported function.

original.dll: main.cpp

#include <iostream>

// The only export of original.dll; this is the function that gets hooked.
extern "C" __declspec(dllexport) void __stdcall OriginalFunction() {
    std::cout << "Hello world" << std::endl;
}
And the main program contains the following:

#include <iostream>
#include <cstring>
#include <tchar.h>
#include <Windows.h>
#include <release-2.7/Public/easyhook.h>

typedef void (__stdcall *OriginalFunctionFunc)();

OriginalFunctionFunc OriginalFunction;

// Hook handler: runs instead of OriginalFunction's body while the hook is active.
void __stdcall OriginalFunctionHook() {
    std::cout << "No hello world available" << std::endl;
}

int main() {

    HMODULE hModule = LoadLibrary(_T("original.dll"));
    if (hModule == NULL) {
        std::cout << "Can't load original.dll" << std::endl;
        return 1;
    }
    OriginalFunction = (OriginalFunctionFunc)GetProcAddress(hModule, "OriginalFunction");
    if (OriginalFunction == NULL) {
        std::cout << "Can't find OriginalFunction" << std::endl;
        return 1;
    }
    OriginalFunction();   // unhooked call: prints "Hello world"

    HOOK_TRACE_INFO handle;
    memset(&handle, 0, sizeof(handle));
    NTSTATUS status = LhInstallHook((void*)OriginalFunction, (void*)OriginalFunctionHook, NULL, &handle);

    if (NT_ERROR(status)) {
        std::cout << "Can't install hook" << std::endl;
        return 1;
    }
    // An exclusive ACL with zero thread IDs lets every thread run into the hook.
    ULONG p[] = {0};
    LhSetExclusiveACL(p, 0, &handle);

    OriginalFunction();   // hooked call: this is where the crash happens under Application Verifier

    LhUninstallAllHooks();
    LhWaitForPendingRemovals();
    FreeLibrary(hModule);
    return 0;
}
Application Verifier is configured with the default options for the Basics tests.
WinDbg output is:
(19d0.1298): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!RtlCaptureContext+0x86:
00000000`772a08c5 0fae8100010000  fxsave  [rcx+100h]    ds:00000000`001aed68=e9
0:000> kb
RetAddr           : Args to Child                                                           : Call Site
00000000`7725b219 : 000007ff`fffde000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlCaptureContext+0x86
00000000`7725b559 : 00000000`001af208 00000000`00000025 00000000`001afea0 00000000`00000005 : ntdll!RtlpWalkFrameChain+0x49
00000000`7725b4ea : 00000000`001ab000 000007fe`f79e6740 00000000`001afea0 00000000`001afba0 : ntdll!RtlWalkFrameChain+0x2d
00000000`773170e4 : 00000000`001b0000 00000000`099b0000 00000000`00000c00 00000000`0000027f : ntdll!RtlCaptureStackBackTrace+0x4a
00000000`773171ab : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlStdLogStackTrace+0x24
000007fe`f79e6d84 : 00000000`00001000 00000000`099b1000 00000000`00000000 00000000`00000000 : ntdll!RtlLogStackTrace+0x1b
000007fe`f79e8513 : 00000000`00001000 00000000`099b1000 00000000`099b1000 00000000`00000c00 : verifier!AVrfpDphPlaceOnBusyList+0x38
00000000`77327041 : 00000000`00000000 00000000`01001002 00000000`01001002 00000000`03d48548 : verifier!AVrfDebugPageHeapAllocate+0x26f
00000000`772eb5aa : 00000000`099b0000 00000000`001af4e8 00000000`099b0000 00000000`77392dd0 : ntdll!RtlDebugAllocateHeap+0x31
00000000`772a34d8 : 00000000`099b0000 00000000`01001002 00000000`00000c00 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x18b42
000007fe`f7a659fa : 00000000`00000004 00000000`00000000 00000000`00000000 000007fe`f1ae9487 : ntdll!RtlAllocateHeap+0x16c
000007fe`f80efd34 : 000007fe`f811d440 000007fe`f811c440 00000000`00000000 000007fe`f811d440 : vfbasics!AVrfpRtlAllocateHeap+0xee
000007fe`faeb030c : 000007fe`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : EasyHook64!LhBarrierIntro+0x154 [d:\projects\easy_hook\release-2.7\drivershared\localhook\barrier.c @ 787]
000007fe`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7fe`faeb030c
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7fe`00000000
OS: Windows 7 x64
Built with VS 2010
AppVerifier 4.1.1078

If Application Verifier is disabled, everything works, but with Application Verifier enabled the application crashes. And it's rather critical to have Application Verifier working. So are there any ideas on what can be done to have hooks and Application Verifier running together?
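An added triage helper, not part of the post or of EasyHook: it parses the WinDbg `kb` output above into call-site frames, walks past the ntdll and verifier layers to find the frame that issued the instrumented heap call, and checks the faulting FXSAVE operand against the 16-byte alignment that instruction requires. The sample input is abridged from the post's own output (args column cut to one value); `kSampleKb` and the function names are this example's.

```cpp
#include <cctype>
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Sample `kb` output, abridged from the post above (args column cut to one value).
static const char* kSampleKb = R"kb(RetAddr           : Args to Child     : Call Site
00000000`7725b219 : 000007ff`fffde000 : ntdll!RtlCaptureContext+0x86
000007fe`f79e8513 : 00000000`00001000 : verifier!AVrfpDphPlaceOnBusyList+0x38
00000000`77327041 : 00000000`00000000 : verifier!AVrfDebugPageHeapAllocate+0x26f
000007fe`f80efd34 : 000007fe`f811d440 : vfbasics!AVrfpRtlAllocateHeap+0xee
000007fe`faeb030c : 000007fe`00000000 : EasyHook64!LhBarrierIntro+0x154 [d:\projects\easy_hook\release-2.7\drivershared\localhook\barrier.c @ 787]
)kb";

// "Call Site" is the text after the last " : " on a frame line (first char is a hex digit),
// minus any trailing " [source @ line]" annotation. Header and prompt lines yield "".
static std::string callSite(const std::string& line) {
    std::string::size_type sep = line.rfind(" : ");
    if (line.empty() || !std::isxdigit(static_cast<unsigned char>(line[0])) || sep == std::string::npos) return "";
    std::string site = line.substr(sep + 3);
    std::string::size_type br = site.find(" [");
    return br == std::string::npos ? site : site.substr(0, br);
}
// Module is the part before '!'; a bare address with no symbol yields "".
static std::string moduleOf(const std::string& site) {
    std::string::size_type bang = site.find('!');
    return bang == std::string::npos ? "" : site.substr(0, bang);
}
static std::vector<std::string> parseFrames(const std::string& kbOutput) {
    std::vector<std::string> frames;
    std::istringstream in(kbOutput);
    for (std::string line; std::getline(in, line);) {
        std::string site = callSite(line);
        if (!site.empty()) frames.push_back(site);
    }
    return frames;
}
// Walk outward from the faulting frame past ntdll and the verifier layers: the first other
// frame is the code that made the instrumented heap call (here EasyHook64!LhBarrierIntro).
static std::string firstCallerFrame(const std::vector<std::string>& frames) {
    for (const std::string& f : frames) {
        std::string m = moduleOf(f);
        if (!m.empty() && m != "ntdll" && m != "verifier" && m != "vfbasics") return f;
    }
    return "";
}
// FXSAVE (the faulting instruction in the post) needs a 16-byte aligned memory operand;
// the operand shown there, 00000000`001aed68, is not aligned and so faults.
static bool fxsaveOperandAligned(std::uint64_t operand) { return (operand & 0xF) == 0; }
```

Because page heap logs a stack trace on every allocation, any heap call made from a frame whose stack is not 16-byte aligned reaches RtlCaptureContext's FXSAVE, which is why the failure only appears with Application Verifier enabled.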