Host process crashes when unloading hooks


I'm using the 2.7 Alpha 3 binaries to test how smooth things are going, but when using either FileMon.exe or ProcessMonitor.exe to do some testing (note I'm using the precompiled ones), the process I connect to crashes when I unload the hooks (un-tik the box for a specific process in ProcessMonitor.exe).

I tested it on Windows 7 and Windows 2008 R2 (both are 64bit versions). Is this something you are aware of, or shouldn't this happen?
Closed Feb 6, 2014 at 9:52 PM by spazzarama


Sanny78 wrote Oct 22, 2012 at 1:57 PM

I just compiled everything from scratch and tried it again. 32bit is working as expected, but 64bit still kill the process while the hooks are released/removed.

I wonder if other people experienced the same issue and/or if anyone is using this successfully on 64bit?

spazzarama wrote Jan 13, 2013 at 3:08 AM

I believe this is now fixed - please update and retry with source from r70794

wrote Feb 22, 2013 at 12:15 AM

ohana54 wrote Mar 9, 2013 at 11:16 AM

I'm experiencing it as well with 64bit. Haven't tried 32bit.
Running with the latest beta (2.7.4761.0).

Please fix :)

ohana54 wrote Mar 9, 2013 at 11:22 AM

Sorry, I just saw your suggestion to take a new build, I didn't notice it's newer than the beta.
I'll wait for the next release.


spazzarama wrote Mar 10, 2013 at 10:12 AM

Hi ohana54, can you please post some details on how to reproduce the problem? A code sample if possible?

Thanks, Justin

ohana54 wrote Mar 10, 2013 at 11:08 AM

I can post an example, but in your previous comment you said it was fixed in a newer build.
I'm still in the beta build, NOT the newer one, so it makes sense that is reproduces for me.

spazzarama wrote Mar 10, 2013 at 10:50 PM

I couldn't reproduce the problem in that build, however if you are able to then I am not convinced it will be fixed. The problem could be related to exiting a target process too quickly (while IPC messages are pending) or any number of things.

Therefore I would greatly appreciate it if you could post the example so I can have a reproducible case that I can ensure it really is fixed.


wrote May 1, 2013 at 7:52 AM

wrote May 8, 2013 at 10:38 PM

Crazyphilipp wrote May 8, 2013 at 10:49 PM

This problem still exists in revision 71015. As an example, just take the ProcessMonitor example that's shipped with the source code, check any process and uncheck it - voilá, the injected process crashes immediately.

The exception that occurs reads "Unhandled exception at 0x000007F9B15B4CA1 (ntdll.dll) in application.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF."

Here's the stack trace of the crashing instruction:
>   ntdll.dll!RtlpCaptureContext()
    AcLayers.dll!NS_FaultTolerantHeap::FthFreeTrackerLogStack(void *)
    AcLayers.dll!NS_FaultTolerantHeap::FthDelayFreeQueueInsert(void *,unsigned __int64,int)
    AcLayers.dll!NS_FaultTolerantHeap::APIHook_RtlFreeHeap(void *,unsigned long,void *)

alvinhochun wrote May 30, 2013 at 3:09 PM

I'm not sure if a discussion thread that I've posted is actually the same problem. [discussion:442177]

If it is, I've posted a possible fix there and I think you should check.

(Well I guess it doesn't hurt if I post it here again?)
--- a/DriverShared/ASM/HookSpecific_x64.asm Thu May 30 22:55:31 2013
+++ b/DriverShared/ASM/HookSpecific_x64.asm Thu May 30 22:55:45 2013
@@ -379,7 +379,7 @@
    mov rcx, qword ptr [r14 + 32]
    lea rax, qword ptr [rsp + 8]
-   sub rsp, 40
+   sub rsp, 48
    jmp rax
 ; outro signature, to automatically determine code size

VahidN wrote Oct 2, 2013 at 8:45 AM

Thanks for this patch. it works very well on Windows 7-X64 and by applying it the X64 target won't crash after unloading the hooks.

wrote Oct 2, 2013 at 9:21 AM

wrote Oct 17, 2013 at 9:31 PM

wrote Feb 6, 2014 at 9:52 PM

Fixed on changeset 73761

wrote Feb 6, 2014 at 9:52 PM