static template class dll will crash #21

Open
luom opened this issue May 20, 2021 · 3 comments

Comments


luom commented May 20, 2021

This is my code.

dllmain.cpp

```cpp
#include <windows.h>
#include "template.h"

void go();

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        go();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

void go()
{
    string sa = "sasas";

    // Function-local static: the storage is zero-initialised and the
    // initialiser runs on the first call. This is the line whose behaviour
    // differs between the two loaders described below.
    static test<string>* t = new test<string>();
    // %p instead of %x: a 64-bit pointer does not fit in an unsigned int
    printf("t ptr: %p\n", (void*)t);
    t->add(&sa);
    printf("count: %d\n", t->count());
}
```

template.h

```cpp
#pragma once
#include <stdio.h>
#include <stdlib.h>   // exit()
#include <map>
#include <string>
#include <windows.h>

using namespace std;

template <class T>
class test
{
public:
    test() = default;

    // Stores ptr under the next free index and returns that index.
    // SEH (__try/__except) turns an access violation into a printed
    // diagnostic instead of a silent crash.
    int add(T *ptr)
    {
        LPEXCEPTION_POINTERS info = NULL;
        DWORD code;
        __try
        {
            m_map[m_count] = ptr;
            return m_count++;
        }
        __except (code = GetExceptionCode(), info = GetExceptionInformation(), EXCEPTION_EXECUTE_HANDLER)
        {
            // For an access violation, ExceptionInformation[1] is the faulting
            // address (a ULONG_PTR, so it must not be printed with %d).
            printf("Exception happened code: 0x%lx, fault address: 0x%zx\n",
                   code, (size_t)info->ExceptionRecord->ExceptionInformation[1]);
            exit(0);
        }
    }

    int count()
    {
        return m_count;
    }

private:
    int m_count = 0;
    map<int, T*> m_map;
};
```


Native Loader.cpp

```cpp
...
    if (VirtualProtect(finalShellcode, sysInfo.dwPageSize, PAGE_EXECUTE_READWRITE, &dwOldProtect1)) {
        RDI rdi = (RDI)(finalShellcode);
        printf("[+] Executing RDI\n");
        HANDLE t = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)finalShellcode, NULL, 0, NULL);
        //WaitForSingleObject(t, INFINITE);
        getchar();
        free(finalShellcode); // Free the RDI blob. We no longer need it.
    }
```

When I remote-inject via ProcessHacker it works OK, but when I use Native.exe to load this DLL it crashes.
When I change `static test<string>* t = new test<string>();` to `test<string>* t = new test<string>();` in dllmain.cpp, both work OK.
The pointer is always NULL when I use `static`.

This is the result.

ProcessHacker:

```
t ptr: 0xad7a0
count: 1
```

Native.exe loader:

```
[+] File is a DLL, attempting to convert
[+] Successfully Converted
[+] Executing RDI
t ptr: 0x0
Exception happene code: 0xc0000005, 8
```
monoxgas (Owner) commented Jun 9, 2021

Thanks for the report on this!

I generally don't have a ton of bandwidth to look into issues like this, but I'll try to find some time to dig in.

injertao commented

Maybe the problem is CRT initialization.

romanholidaypancakes commented

@monoxgas You can check this project, bb107/MemoryModulePP, which supports exception handling.
