weixin_39617702
2020-12-30 18:06

AV in Process Hacker v3.0.8110.3583 Git-cc0ab078 Plugins-Extra Git-717d8e160 after adding GraphExplorerPlugin

If you add GraphExplorerPlugin to the plug-in kit, then after calling it through the Tools - Graph Explorer menu, even if the plug-in is completed by ESC or its window is closed by the Close command, after a while in Process Hacker Access Violation occurs due to reading at the address 0x00000000. I have this phenomenon observed in 100% of cases within the first minute after closing the plugin and minimizing Process Hacker to the system tray. I attach screenshots of the dump decryption:


This question comes from the open-source project: processhacker/plugins-extra


13 replies

  • weixin_39843093 3 months ago

    If you add GraphExplorerPlugin

    This thing didn't exist until a few hours ago and is WIP.

  • weixin_39617702 3 months ago

    I checked the reproducibility of the phenomenon on several more machines - it exists. I can send a dump of the moment of failure - maybe I missed something?

    ProcessHacker.7z included PH v3.0.8111.3584 Git-1de60a7d, .pdb files, crashdump, config, launch script.

  • weixin_39843093 3 months ago

    I can send a dump of the moment of failure

    The plugin is missing locks for process provider events when adding/removing items.

    I checked the reproducibility of the phenomenon on several more machines - it exists.

    I haven't added the support because the process provider events will probably be removed. This repository is for unstable plugin development and stuff is missing which is intentional since it was just added yesterday.

    You should wait for an official release.

  • weixin_39617702 3 months ago

    So far I have only looked at it in the test set - I did not include it in the working one, and what I saw I said to help in testing.

  • weixin_39843093 3 months ago

    what I saw I said to help in testing.

    It's appreciated. I would normally fix crashes but this is a rare occasion where it's something new. The crash is missing support for something that probably won't remain... It's a WIP.

  • weixin_39617702 3 months ago

    I have corrected the toolkit by excluding the GraphExplorerPlugin and ReparseEnumPlugin from the assembly - this one is not going to be assembled because the Reparse flags of the tags have not been described yet. And as soon as I saw it, I immediately looked at what to expect from it - great! Far Manager has a plug-in, NTFS File Information, which, among other features, reads the MFT, works with streams, defragments files, calculates hashes, and also parses symlinks into parts, and naturally the appearance of a similar tool in PH made me happy. I really want to be able to see where this or that symlink leads and whether the file has streams. Such an opportunity will greatly help out, especially when repairing damage, when any information that allows you to determine a repair plan is worth its weight in gold.

  • weixin_39843093 3 months ago

    excluding ReparseEnumPlugin

    ReparseEnumPlugin is fine and was completed.

    Far Manager has a plug-in NTFS File Information which, among other features, is reading MFT, working with streams, defragmenting files, calculating hashes, and also parses symlinks for parts

    No. The ReparseEnum plugin is showing the ntfs volume reparse cache and only contains a few entries. It's not a file browser and will never be similar to Far Manager since they're completely unrelated.

  • weixin_39843093 3 months ago

    You need the latest SDK installed.

  • weixin_39673947 3 months ago

    You need the latest SDK installed.

    IO_REPARSE_TAG_DATALESS_CIM is not present in latest stable Windows SDK 10.0.19041.0. It's in insider WinSDK in winnt.h file. Maybe it is needed to add conditionally with WINVER.

    ```c
    #define IO_REPARSE_TAG_DATALESS_CIM (0xA0000028L)
    ```

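An added example, not code from the plugins-extra project or from this reply's author: a portable C decoder for the reparse-tag bit layout that winnt.h documents, with the DATALESS_CIM value quoted above supplied under an #ifndef guard so the same file builds against SDK 10.0.19041.0 and against an Insider SDK that already defines it. The other tag values are standard winnt.h definitions; the function names are my own.

```c
/* Added example (not Process Hacker / plugins-extra code): decode an NTFS reparse
 * tag the way winnt.h lays it out. Builds without windows.h; each #ifndef guard
 * lets a newer SDK's definition win when one is present. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Tag values as defined in winnt.h, guarded so an SDK definition takes precedence. */
#ifndef IO_REPARSE_TAG_MOUNT_POINT
#define IO_REPARSE_TAG_MOUNT_POINT (0xA0000003L)
#endif
#ifndef IO_REPARSE_TAG_SYMLINK
#define IO_REPARSE_TAG_SYMLINK (0xA000000CL)
#endif
#ifndef IO_REPARSE_TAG_WOF
#define IO_REPARSE_TAG_WOF (0x80000017L)
#endif
/* Missing from SDK 10.0.19041.0 (see the thread); value from the Insider winnt.h. */
#ifndef IO_REPARSE_TAG_DATALESS_CIM
#define IO_REPARSE_TAG_DATALESS_CIM (0xA0000028L)
#endif

/* Bit layout documented in winnt.h: bit 31 = Microsoft tag, bit 29 = name
 * surrogate (symlink-like), bit 28 = directory, low 16 bits = tag number. */
int reparse_tag_is_microsoft(uint32_t tag)      { return (tag & 0x80000000u) != 0; }
int reparse_tag_is_name_surrogate(uint32_t tag) { return (tag & 0x20000000u) != 0; }
int reparse_tag_is_directory(uint32_t tag)      { return (tag & 0x10000000u) != 0; }
uint32_t reparse_tag_value(uint32_t tag)        { return tag & 0x0000FFFFu; }

/* Human-readable name for the tags this example knows about. */
const char *reparse_tag_name(uint32_t tag)
{
    switch (tag) {
    case IO_REPARSE_TAG_MOUNT_POINT:  return "MOUNT_POINT";
    case IO_REPARSE_TAG_SYMLINK:      return "SYMLINK";
    case IO_REPARSE_TAG_WOF:          return "WOF";
    case IO_REPARSE_TAG_DATALESS_CIM: return "DATALESS_CIM";
    default:                          return "UNKNOWN";
    }
}

int main(void)
{
    uint32_t t = IO_REPARSE_TAG_DATALESS_CIM;
    printf("0x%08X %s microsoft=%d surrogate=%d dir=%d value=%u\n", (unsigned)t,
           reparse_tag_name(t), reparse_tag_is_microsoft(t), reparse_tag_is_name_surrogate(t),
           reparse_tag_is_directory(t), (unsigned)reparse_tag_value(t));
    return 0;
}
```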
  • weixin_39617702 3 months ago

    Big thanks! I don't know this flag.

  • weixin_39673947 3 months ago

    Just use grep -r "C:\Program Files (x86)\Windows Kits\10\Include".

  • weixin_39617702 3 months ago

    Yes, I have SDK 19041, and according to MS, there will be no newer one:

    At https://developer.microsoft.com/ru-ru/windows/downloads/sdk-archive/ it says:

    Windows 10 version 20H2 is a limited set of features for specific performance and quality improvements. Developers should be aware of this release, but no action is required yet.

    There will be no new Windows SDK for this version of Windows because no new APIs are introduced in this release. This means there is no need to make changes to the project files or set a new target Windows version. Continue using the Windows 10 SDK for Windows 10 (version 2004). When you specify a target version for a Windows app, Windows 10 (Build 19041) is still the latest target version.

    grep ... also thanks! I did not find these records. And I think it's better: add a line to the SDK or just commit it to the PH sources? I added it to the plugin's main.h and everything was assembled, looked at it in action - great! Everything has a list of Reparse Points, and the ability to copy. I just did not delete it - this is on occasion on a test symbol, which is not a pity. :)

  • weixin_39617702 3 months ago

    ABOUT! The perfect solution! Thank you so much! And I already thought from GCC in a loop to brute force the GNU patch tree, only my hands did not reach the implementation of this disgrace. :)
