• Access violation on Snapshot

    From Udo Steinbach@21:1/5 to All on Thu May 30 16:46:12 2024
    Do we have readers here?

    PssCaptureSnapshot() with (PSS_CAPTURE_HANDLES | PSS_CAPTURE_THREADS) or PSS_CAPTURE_HANDLES alone on the calling process, GetCurrentProcess().
    https://learn.microsoft.com/en-us/windows/win32/api/processsnapshot/nf-processsnapshot-psscapturesnapshot
    On average, every second call results in EXCEPTION_ACCESS_VIOLATION at
    #0 0x7FFA2A590F8D: <KiUserExceptionDispatcher()>+45
    #1 0x7FFA2A593F25: <memcpy()>+37
    #2 0x7FFA2A606120: <PssNtWalkSnapshot()>+6160
    #3 0x7FFA2A606441: <PssNtWalkSnapshot()>+6961
    #4 0x7FFA2A605CAB: <PssNtWalkSnapshot()>+5019
    #5 0x7FFA2A603F22: <PssNtCaptureSnapshot()>+882
    #6 0x7FFA280F00DD: <PssCaptureSnapshot()>+29
    (my own inexact backtrace)
    Within the debugger it runs 99.9% as wanted. Same results as Admin and OpenProcess() on self.
    Does someone have a pointer? I suspect not an access violation but a read or write out of allocated memory.

    Ah, GDB says SIGSEGV:
    #0 0x00007ffa2a593f92 in ntdll!memmove () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #1 0x00007ffa2a606121 in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #2 0x00007ffa2a606442 in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #3 0x00007ffa2a605cac in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #4 0x00007ffa2a603f23 in ntdll!PssNtCaptureSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #5 0x00007ffa280f00de in PssCaptureSnapshot () from C:\WINDOWS\System32\KernelBase.dll

    0x00007ffa2a593f89 <+137>: cmp %rcx,%r11
    0x00007ffa2a593f8c <+140>: ja 0x7ffa2a594100 <ntdll!memmove+512>
    0x00007ffa2a593f92 <+146>: movups (%rcx,%rdx,1),%xmm0
    0x00007ffa2a593f96 <+150>: add $0x10,%rcx
    0x00007ffa2a593f9a <+154>: test $0xf,%cl
    0x00007ffa2a593f9d <+157>: je 0x7ffa2a593fb1 <ntdll!memmove+177>

    --
    Fahrradverkehr in Deutschland: http://radwege.udoline.de/
    GPG: A245 F153 0636 6E34 E2F3 E1EB 817A B14D 3E7E 482E

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From JJ@21:1/5 to Udo Steinbach on Fri May 31 03:41:31 2024
    On Thu, 30 May 2024 16:46:12 +0200, Udo Steinbach wrote:
    Do we have readers here?

    PssCaptureSnapshot() with (PSS_CAPTURE_HANDLES | PSS_CAPTURE_THREADS) or PSS_CAPTURE_HANDLES alone on the calling process, GetCurrentProcess().
    https://learn.microsoft.com/en-us/windows/win32/api/processsnapshot/nf-processsnapshot-psscapturesnapshot
    On average, every second call results in EXCEPTION_ACCESS_VIOLATION at
    #0 0x7FFA2A590F8D: <KiUserExceptionDispatcher()>+45
    #1 0x7FFA2A593F25: <memcpy()>+37
    #2 0x7FFA2A606120: <PssNtWalkSnapshot()>+6160
    #3 0x7FFA2A606441: <PssNtWalkSnapshot()>+6961
    #4 0x7FFA2A605CAB: <PssNtWalkSnapshot()>+5019
    #5 0x7FFA2A603F22: <PssNtCaptureSnapshot()>+882
    #6 0x7FFA280F00DD: <PssCaptureSnapshot()>+29
    (my own inexact backtrace)
    Within the debugger it runs 99.9% as wanted. Same results as Admin and OpenProcess() on self.
    Does someone have a pointer? I suspect not an access violation but a read or write out of allocated memory.

    Ah, GDB says SIGSEGV:
    #0 0x00007ffa2a593f92 in ntdll!memmove () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #1 0x00007ffa2a606121 in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #2 0x00007ffa2a606442 in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #3 0x00007ffa2a605cac in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #4 0x00007ffa2a603f23 in ntdll!PssNtCaptureSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
    #5 0x00007ffa280f00de in PssCaptureSnapshot () from C:\WINDOWS\System32\KernelBase.dll

    0x00007ffa2a593f89 <+137>: cmp %rcx,%r11
    0x00007ffa2a593f8c <+140>: ja 0x7ffa2a594100 <ntdll!memmove+512>
    0x00007ffa2a593f92 <+146>: movups (%rcx,%rdx,1),%xmm0
    0x00007ffa2a593f96 <+150>: add $0x10,%rcx
    0x00007ffa2a593f9a <+154>: test $0xf,%cl
    0x00007ffa2a593f9d <+157>: je 0x7ffa2a593fb1 <ntdll!memmove+177>

    A common mistake is miscalculation of the data size or the address of the data, or both, due to assumptions (i.e. without any data validation). It doesn't matter if the data source is corrupted: if the code has data validation, there shouldn't be any exception.

  • From Udo Steinbach@21:1/5 to All on Thu May 30 22:33:23 2024
    Same on another process.
    PSS_CAPTURE_NONE works, PSS_CAPTURE_VA_CLONE too, every other,
    only PSS_CAPTURE_HANDLES crashes.
  • From Udo Steinbach@21:1/5 to All on Fri May 31 17:16:56 2024
    After a reboot, the code that ran yesterday crashed today at the first attempt. Hmmm. Inspired by an example I combined all capture flags, and it ran. Shortened to
    (::PSS_CAPTURE_HANDLES | ::PSS_CAPTURE_HANDLE_NAME_INFORMATION | ::PSS_CAPTURE_THREADS)
    it runs and lets me get the wanted values, but
    (::PSS_CAPTURE_HANDLES | ::PSS_CAPTURE_THREADS)
    crashes. Nice.
  • From Udo Steinbach@21:1/5 to All on Sun Jun 2 20:25:56 2024
    On 2024-05-30 at 22:41 JJ wrote:
    Common mistake is miscalculation of data size or address of data

    Sure sure, but this time it's not me. With an extra flag it works.