crash on Windows 7 (32b)

[dred3]

hello

see attach with minidump please

http://www.sendspace.com/file/ux5gd2

[dred3]

0:001> kb

ChildEBP RetAddr Args to Child

0286f6a8 006450fb 006a5f20 00767288 0286f6f0 ntdll!RtlEnterCriticalSection+0x12

WARNING: Stack unwind information not available. Following frames may be wrong.

0286f6b8 00643f0c 0000000d ee073b95 00000000 wl_hook+0x450fb

0286f6f0 0063e01b 00767288 00000000 00000000 wl_hook+0x43f0c

0286f708 0063e0a5 00600000 00000002 00000000 wl_hook+0x3e01b

0286f748 0063e160 00600000 0286f774 77d0afc4 wl_hook+0x3e0a5

0286f754 77d0afc4 00600000 00000002 00000000 wl_hook+0x3e160

0286f774 77d0b5b1 0063e142 00600000 00000002 ntdll!LdrpCallInitRoutine+0x14

0286f814 77d0b338 0286f884 7512c0c8 00000000 ntdll!LdrpInitializeThread+0x15b

0286f860 77d0b365 0286f884 77cb0000 00000000 ntdll!_LdrpInitialize+0x1ad

0286f870 00000000 0286f884 77cb0000 00000000 ntdll!LdrInitializeThunk+0x10

 

now I undestand that is a problem mumble + outpost_firewall(wl_hook)

is any solution for this bug?

[kissaki]

wl_hook is of the outpost firewall?

I will blame it for the crash then …

When does it crash?

What’s the state of Mumble?

I don’t see mumble in your quoted stack at all.

[dred3]

yes, wl_hook - its Outpost

looks like its their bug

 

FAULTING_IP:

ntdll!RtlEnterCriticalSection+12

77cf6bf0 f00fba3000 lock btr dword ptr [eax],0

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)

ExceptionAddress: 77cf6bf0 (ntdll!RtlEnterCriticalSection+0x00000012)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 00000001

Parameter[1]: 006a5f24

Attempt to write to address 006a5f24

DEFAULT_BUCKET_ID: INVALID_POINTER_READ

PROCESS_NAME: mumble.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 -

WRITE_ADDRESS: 006a5f24

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

ADDITIONAL_DEBUG_TEXT: Followup set via attribute from Frame 0 on thread ffffffff

LAST_CONTROL_TRANSFER: from 006450fb to 77cf6bf0

FAULTING_THREAD: 00001734

PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ

STACK_TEXT:

006a3b40 wl_hook

77870000 kernel32!_imp__DebugBreak (kernel32+0x0)

006450fb wl_hook

006a5f20 wl_hook

00643f0c wl_hook

00600000 wl_hook

0063db80 wl_hook

0063e01b wl_hook

0063e0a5 wl_hook

0063e160 wl_hook

77d0afc4 ntdll!LdrpCallInitRoutine

77d0b5b1 ntdll!LdrpInitializeThread

0063e142 wl_hook

77d8714c ntdll!LdrpProcessInitialized

77d0b58b ntdll!LdrpInitializeThread

77ccd75d ntdll!_except_handler4

77d0b338 ntdll!_LdrpInitialize

77cb0000 ntdll!`string' (ntdll+0x0)

77d0b365 ntdll!LdrInitializeThunk

77cdd662 ntdll!TppWorkerThread

77cf64d8 ntdll!RtlUserThreadStart

FOLLOWUP_IP:

wl_hook+a3b40

006a3b40 205f6a and byte ptr [edi+6Ah],bl

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: wl_hook+a3b40

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: wl_hook

IMAGE_NAME: wl_hook.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4ca48649

STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dds 286f698 ; kb

FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_wl_hook.dll!Unknown

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_wl_hook+a3b40

Followup: MachineOwner

 

PROCESS_NAME: mumble.exe

 

it crashed on startup, the mumble main window doesnt painted even

is mumble have some antirootkits or antidebug methods?

I do not saw the sources yet

some idea I have to compile it with debug info and then test it

[dred3]

and I see now some debugger logs from mumble before crash

and some hook methods in sources (void HardHook::setup(voidFunc func, voidFunc replacement))

that is a reason of the crash I think

HardHook: Asked to replace 7E379766 with 00464E60

HardHook: Unknown opcode at 0: b8 50 12 0 0 ba 0 3 fe 7f ff 12

HardHook: Asked to replace 7E3742ED with 00464E10

HardHook: Chaining from 7E3742ED to 01165574

HardHook: Unknown opcode at 0: 90 58 68 74 55 16 1 50 50 e9 9e 61

which functions hooks the mumble?

outpost protects own memory and modules

near this......

[kissaki]

Mumble hooks into OpenGL and Direct3D applications.

I guess Outlook doesn’t use Direct3D to draw!?

You can disable the Mumble overlay so no hooking on Mumbles side will happen, and see if that helps.

[HKEY_CURRENT_USER\Software\Mumble\Mumble\overlay]
"enable"="false"