1

Topic: Everything crashes after replacing a dll in appinit_dlls

Well, there is a dll, a monitor, which attaches to all processes in the system through appinit_dlls. After replacing this dll with a new version, all newly launched processes start crashing. After a system restart everything works normally. Has anyone run into this problem? What to do? Where to look for clues?

2

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, ksd, you wrote:
ksd> Well, there is a dll, a monitor, which attaches to all processes in the system through appinit_dlls.
ksd> After replacing this dll with a new version, all newly launched processes start crashing.
ksd> After a system restart everything works normally.
ksd> Has anyone run into this problem? What to do? Where to look for clues?

1) What is the error code?
2) Does the DLL by any chance use the C++ Runtime? DLL code can, in principle, start executing before the CRT is initialized in the process it attaches to (or the CRT may not be initialized at all). Could that be the cause of the crash?

3

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, Carc, you wrote:
C> Hello, ksd, you wrote:
ksd>> Well, there is a dll, a monitor, which attaches to all processes in the system through appinit_dlls.
ksd>> After replacing this dll with a new version, all newly launched processes start crashing.
ksd>> After a system restart everything works normally.
ksd>> Has anyone run into this problem? What to do? Where to look for clues?
C> 1) What is the error code?

Applications crash with an Access Violation; I can't figure out where.

C> 2) Does the DLL by any chance use the C++ Runtime? DLL code can, in principle, start executing before the CRT is initialized in the process it attaches to (or the CRT may not be initialized at all). Could that be the cause of the crash?

It is used. And what of it? It's linked statically. I'm aware that only kernel32 can be used, the rest is not loaded yet. And anyway, after a Windows reboot everything works normally, doesn't it?

4

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, ksd, you wrote:
C>> 2) Does the DLL by any chance use the C++ Runtime? DLL code can, in principle, start executing before the CRT is initialized in the process it attaches to (or the CRT may not be initialized at all). Could that be the cause of the crash?
ksd> It is used. And what of it? It's linked statically. I'm aware that only kernel32 can be used, the rest is not loaded yet. And anyway, after a Windows reboot everything works normally, doesn't it?

Yes, it is strange that a reboot has an effect. And there is nothing of that kind in DllMain?

5

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, ksd, you wrote:
ksd> It is used. And what of it? It's linked statically. I'm aware that only kernel32 can be used, the rest is not loaded yet. And anyway, after a Windows reboot everything works normally, doesn't it?

If there are any static variables at class level or in a cpp file, in principle the CRT should initialize them. And at load time, if the CRT is not initialized yet and there are any calls to such variables, then who knows what happens in that case. Could that be the issue?

I saw something similar, though in an exe. But in that one the CRT had been stripped out as much as possible. So after linking in some stray module in whose cpp a static std::string on a class turned up, the exe started crashing right at start with an Access Violation. It was cured by replacing all object-type variables like std::string with scalar data types like char[].

As far as I understood then, the compiler simply allocated such data in the exe's data section and "knew" them in advance as initialized. And the problem disappeared. It seems this static std::string allocated memory during its initialization and wrote something there. Without the CRT, at start in release, it did not work. And when I put in scalar types of a given size, it seems the compiler knew in advance the size and what to initialize with, so it managed without CRT initialization. But I did not investigate it in particular. The module is ancient, who knows where it has been used, and redesigning it properly was not at all desirable. And considering that all these static std::string lay in private sections and the class gave no access to them, it was quite acceptable to rework the innards into scalar types without changing the class interface. I realize that only the project itself remains to be dealt with. Maybe this points you to some thought?

6

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, Carc, you wrote:
C> Hello, ksd, you wrote:
ksd>> It is used. And what of it? It's linked statically. I'm aware that only kernel32 can be used, the rest is not loaded yet. And anyway, after a Windows reboot everything works normally, doesn't it?
C> If there are any static variables at class level or in a cpp file, in principle the CRT should initialize them. And at load time, if the CRT is not initialized yet and there are any calls to such variables, then who knows what happens in that case. Could that be the issue?
C> I saw something similar, though in an exe. But in that one the CRT had been stripped out as much as possible. So after linking in some stray module in whose cpp a static std::string on a class turned up, the exe started crashing right at start with an Access Violation. It was cured by replacing all object-type variables like std::string with scalar data types like char[].
C> As far as I understood then, the compiler simply allocated such data in the exe's data section and "knew" them in advance as initialized. And the problem disappeared. It seems this static std::string allocated memory during its initialization and wrote something there. Without the CRT, at start in release, it did not work. And when I put in scalar types of a given size, it seems the compiler knew in advance the size and what to initialize with, so it managed without CRT initialization. But I did not investigate it in particular. The module is ancient, who knows where it has been used, and redesigning it properly was not at all desirable. And considering that all these static std::string lay in private sections and the class gave no access to them, it was quite acceptable to rework the innards into scalar types without changing the class interface. I realize that only the project itself remains to be dealt with. Maybe this points you to some thought?

7

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, ksd, you wrote:
ksd>>> Well, there is a dll, a monitor, which attaches to all processes in the system through appinit_dlls.
ksd>>> After replacing this dll with a new version, all newly launched processes start crashing.
ksd>>> After a system restart everything works normally.
ksd>>> Has anyone run into this problem? What to do? Where to look for clues?
C>> 1) What is the error code?
ksd> Applications crash with an Access Violation; I can't figure out where.

And what do you mean by "replacing"? My suspicion is that the old dll is still somewhere in the processes' memory. After the replacement, the processes somehow go to the old addresses in the new dll and crash. With an explicit LoadLibrary such nonsense should not happen... And which Windows do you have, by the way?

8

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, CEMb, you wrote:
CEM> Hello, ksd, you wrote:
ksd>>>> Well, there is a dll, a monitor, which attaches to all processes in the system through appinit_dlls.
ksd>>>> After replacing this dll with a new version, all newly launched processes start crashing.
ksd>>>> After a system restart everything works normally.
ksd>>>> Has anyone run into this problem? What to do? Where to look for clues?
C>>> 1) What is the error code?
ksd>> Applications crash with an Access Violation; I can't figure out where.
CEM> And what do you mean by "replacing"? My suspicion is that the old dll is still somewhere in the processes' memory. After the replacement, the processes somehow go to the old addresses in the new dll and crash. With an explicit LoadLibrary such nonsense should not happen... And which Windows do you have, by the way?

By replacing I mean: rename the existing one, write the new one into system32, launch something, say cmd.exe. And it does look very much like a situation with jumps to old addresses. As if the system needs to be told that the dll has changed and the mapping has to be redone? It shows up on different versions of Windows; right now we are fighting with it specifically on win7.

9

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, ksd, you wrote:
ksd> By replacing I mean: rename the existing one, write the new one into system32, launch something, say cmd.exe. And it does look very much like a situation with jumps to old addresses. As if the system needs to be told that the dll has changed and the mapping has to be redone?

It should be unloaded from all processes. As one option, call FreeLibrary in the processes until the reference counts drop to zero. But all the same, first I'd like to understand what really happens inside. It turns out that when a new process starts, it takes the old export table of your dll from somewhere (if that is so, unloading the dll from all processes most likely won't help, unless Windows makes a copy keyed by the path to the library, yes). I haven't seen such a thing, but then I wouldn't remember it either; I haven't done global hooks in recent years. But here is what I do remember exactly: when re-registering COM objects on Win7 you have to reboot, because 7 caches something somewhere (I don't remember what, either the GUID or the path to the executable, more likely the second) and it is cured only by a reboot. A strange situation, and this one is strange too. Well, maybe someone else will write in; let's wait.

10

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, ksd, you wrote:
ksd> Applications crash with an Access Violation; I can't figure out where.

That doesn't happen. Things cannot crash "I can't figure out where": there is always some point from which the exception was thrown. As an option, configure the system to collect dumps automatically: Collecting User-Mode Dumps https://msdn.microsoft.com/en-us/librar … p/bb787181 (v=vs.85).aspx Then catch the dumps, open them in WinDBG and look at where it crashed and why.

ksd> There is a dll, a monitor, which attaches to all processes in the system through appinit_dlls.

I advise forgetting about AppInit_DLLs as soon as possible in favor of something else. First, it does not work on Win8+ with Secure Boot enabled. Second, no exclusion mechanism is provided. For example, in my case winlogon.exe crashed just because the loaded dll called some function from shell32.dll. And if I don't want to be loaded into winlogon.exe, what then? Third, the moment the dll gets loaded is undefined, and that can become a source of additional problems (some other system dlls may not be initialized yet).

ksd> By replacing I mean: rename the existing one, write the new one into system32, launch something, say cmd.exe. And it does look very much like

I propose an experiment: build the most primitive dll possible with no functional payload, just a DllMain and nothing else. And check whether it reproduces with that one. If yes, the problem is in Windows. If not, the problem is in the dll (99% that this is the case).

11

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, ksd, you wrote:

Another option for analysis: write a second dll which will be loaded too and will collect the necessary information about what happens to the first dll. And all the same, try to unload the 1st dll from memory before physically replacing it with another.

12

Re: Everything crashes after replacing a dll in appinit_dlls

ksd> Well, there is a dll, a monitor, which attaches to all processes in the system through appinit_dlls.
ksd> After replacing this dll with a new version, all newly launched processes start crashing.
ksd> After a system restart everything works normally.
ksd> Has anyone run into this problem? What to do? Where to look for clues?

1) Is CreateRemoteThread/ReadVirtualMemory/WriteVirtualMemory present in the code?
2) Is there IPC that passes pointers to code (functions)?
3) Is there a #pragma comment(linker, "/SECTION:BLABLABLA,RWS")? Or /SECTION:BLABLABLA,RWS in the linker parameters?
4) And attaching a debugger and looking at what exactly crashes, with what stack, then thinking over the information obtained: have you tried that?
5) Is SetWindowsHookEx used with a function from this dll?

13

Re: Everything crashes after replacing a dll in appinit_dlls

I had the same rubbish; I barely managed to recover the system. In my opinion, static is what saves it.

14

Re: Everything crashes after replacing a dll in appinit_dlls

Hello, ononim, you wrote:
ksd>> Well, there is a dll, a monitor, which attaches to all processes in the system through appinit_dlls.
ksd>> After replacing this dll with a new version, all newly launched processes start crashing.
ksd>> After a system restart everything works normally.
ksd>> Has anyone run into this problem? What to do? Where to look for clues?
O> 1) Is CreateRemoteThread/ReadVirtualMemory/WriteVirtualMemory present in the code?
O> 2) Is there IPC that passes pointers to code (functions)?
O> 3) Is there a #pragma comment(linker, "/SECTION:BLABLABLA,RWS")? Or /SECTION:BLABLABLA,RWS in the linker parameters?

Not present.

O> 4) And attaching a debugger and looking at what exactly crashes, with what stack, then thinking over the information obtained: have you tried that?

It crashes at the start of a new process; how do I attach a debugger at start?

O> 5) Is SetWindowsHookEx used with a function from this dll?

It is used.

15

Re: Everything crashes after replacing a dll in appinit_dlls

O>> 1) Is CreateRemoteThread/ReadVirtualMemory/WriteVirtualMemory present in the code?
O>> 2) Is there IPC that passes pointers to code (functions)?
O>> 3) Is there a #pragma comment(linker, "/SECTION:BLABLABLA,RWS")? Or /SECTION:BLABLABLA,RWS in the linker parameters?
ksd> Not present.
O>> 4) And attaching a debugger and looking at what exactly crashes, with what stack, then thinking over the information obtained: have you tried that?
ksd> It crashes at the start of a new process; how do I attach a debugger at start?

1) Launch it under a debugger.
2) Launch some other process under a debugger with the "debug child processes" checkbox set, cmd.exe for example, removing the dll for the duration of cmd.exe's start. Then put the dll back and launch from cmd.exe the thing that crashes.

O>> 5) Is SetWindowsHookEx used with a function from this dll?
ksd> It is used.

Now look. If you use it to install a global hook, you pass the system the HINSTANCE of the dll and a pointer to the function, the hook procedure. The system works no miracles. From the HINSTANCE it gets the path to the dll, and it converts the function pointer into an offset relative to the dll's base. In each new process it will load the dll by that path and add the offset it knows to the base it gets. If a different dll is at that path, then at that offset there will most likely be something quite different from what was there in the initiating dll.
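Added example, not code from this thread or from the original poster's dll: a small Python script that performs the check the previous post implies. It parses the export table of two builds of the dll and compares the RVA (offset from the module base) of the hook procedure, and it models the (path, offset) record the system keeps for a global hook against each image: the offset taken from the old build lands on a different function in the new build. The two PE images are constructed inline as synthetic, minimal PE32 files containing only an export table (not loadable, enough for the parser); the names monitor.dll, HookProc and Initialize, the RVAs and the module path are assumptions for illustration. Against real files, pass open(path, "rb").read() to parse_exports. A hook procedure need not be exported; comparing exported RVAs is a convenient proxy, and the same offset arithmetic applies to a non-exported one.

```python
"""Compare export RVAs across two builds of a hook DLL.

Added example, not code from the thread. Models the (path, offset) record a
global SetWindowsHookEx hook leaves behind, as described in the post above,
and shows why a replaced DLL image makes that offset point at the wrong code.
"""
import struct

MODULE_PATH = r"C:\Windows\System32\monitor.dll"   # assumed path, for illustration


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(image):
    """Return {export_name: rva} from raw PE file bytes (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                              # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)           # DataDirectory[0] = exports
    exp_rva = struct.unpack_from("<II", image, dd_off)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return {}
    exp = _rva_to_offset(sections, exp_rva)
    (_, _, _, _, _name, _base, nfunc, nnames,
     func_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", image, exp)
    funcs = struct.unpack_from(f"<{nfunc}I", image, _rva_to_offset(sections, func_rva))
    names = struct.unpack_from(f"<{nnames}I", image, _rva_to_offset(sections, names_rva))
    ords = struct.unpack_from(f"<{nnames}H", image, _rva_to_offset(sections, ords_rva))
    return {_cstr(image, _rva_to_offset(sections, n)): funcs[o] for n, o in zip(names, ords)}


def build_stub_dll(exports):
    """Construct a synthetic, minimal PE32 image with only an export table.

    Constructed test input: not loadable, just enough structure for parse_exports.
    """
    names = list(exports)
    n = len(names)
    sec_va, sec_raw = 0x1000, 0x200
    funcs_rva = sec_va + 40                 # export directory is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strings, name_ptrs = b"", []
    for nm in names:
        name_ptrs.append(strings_rva + len(strings))
        strings += nm.encode("ascii") + b"\0"
    dll_name_rva = strings_rva + len(strings)
    strings += b"monitor.dll\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                       funcs_rva, names_rva, ords_rva)
    body += struct.pack(f"<{n}I", *(exports[nm] for nm in names))   # AddressOfFunctions
    body += struct.pack(f"<{n}I", *name_ptrs)                       # AddressOfNames
    body += struct.pack(f"<{n}H", *range(n))                        # AddressOfNameOrdinals
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 96, sec_va, len(body))              # export data directory
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body),
                                      sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + body


def hook_record(image, proc_name):
    """What the system keeps for a global hook: module path plus the proc's offset from the base."""
    return (MODULE_PATH, parse_exports(image)[proc_name])


def resolve_in_new_process(image, record):
    """A new process maps the file found at record[0] and adds record[1] to its base.
    Returns the export now living at that offset, or None if no export is there."""
    _path, offset = record
    return {rva: name for name, rva in parse_exports(image).items()}.get(offset)


def export_rva_changed(old_image, new_image, name):
    """The pre-replacement check: did this export move between builds?"""
    return parse_exports(old_image).get(name) != parse_exports(new_image).get(name)


if __name__ == "__main__":
    # Constructed images: the new build lays code out differently, so HookProc moves.
    old = build_stub_dll({"HookProc": 0x1230, "Initialize": 0x1400})
    new = build_stub_dll({"Initialize": 0x1230, "HookProc": 0x1580})
    rec = hook_record(old, "HookProc")
    print("hook record:", rec)
    print("resolves in old image to:", resolve_in_new_process(old, rec))
    print("resolves in new image to:", resolve_in_new_process(new, rec))
    print("HookProc moved between builds:", export_rva_changed(old, new, "HookProc"))
```

Run against the real old and new files, export_rva_changed tells you before the swap whether any process that still holds the hook will be sent to a wrong address in the replacement image; if it does, the hook has to be uninstalled (and the old image unloaded everywhere) before the file is replaced, which is the same conclusion the thread reaches.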