I tried running my code with WinAFL and DynamoRIO in several ways (including both drrun.exe and afl-fuzz.exe); all failed with c0000005 (access violation). I saw it recommended somewhere to run with drrun.exe but without WinAFL to see whether that works, and that also gives an access violation, even after I removed everything from my test exe and left just "return 0":
C:\Code\MyResearch\DynamoRIO-Windows-8.0.18936\bin64\drrun.exe -- C:\Code\Test\TestExe\x64\Release\TestExe.exe
I can see the crash in the Windows event log, shown below.
I also tried to check where that offset in ntdll is, and got to LdrGetDllHandleByName: the exception occurs when it tries to write to its out parameter.
I'm using the latest DynamoRIO release (DynamoRIO-Windows-8.0.18936.zip) on Windows 10 21H1 (OS build 19043.1320).
Faulting application name: TestExe.exe, version: 0.0.0.0, time stamp: 0x618a6e15
Faulting module name: ntdll.dll, version: 10.0.19041.1288, time stamp: 0xa280d1d6
Exception code: 0xc0000005
Fault offset: 0x0000000000076ffb
Faulting process id: 0x7764
Faulting application start time: 0x01d7d568252e029e
Faulting application path: C:\Code\Test\TestExe\x64\Release\TestExe.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 5cd5b69b-1c62-473d-aea0-da04415907ab
Faulting package full name:
Faulting package-relative application ID:
And also:
Fault bucket 2193024489411161897, type 4
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: TestExe.exe
P2: 0.0.0.0
P3: 618a6e15
P4: ntdll.dll
P5: 10.0.19041.1288
P6: a280d1d6
P7: c0000005
P8: 0000000000076ffb
P9:
P10:
Attached files:
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8848.tmp.dmp
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8888.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8898.tmp.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER88A6.tmp.csv
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER88D6.tmp.txt
These files may be available here:
\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_TestExe.exe_765ed3d798174e1ba1abff5141a4da78ab5fa1_8fc52057_1b47e7a3-ee3c-4f7b-8675-84bf386b4201
Analysis symbol:
Rechecking for solution: 0
Report Id: 5cd5b69b-1c62-473d-aea0-da04415907ab
Report Status: 268435456
Hashed bucket: 318aba5cafebc57efe6f30276b15af29
Cab Guid: 0
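A small triage helper, added here as an example and not part of the issue report or of DynamoRIO/WinAFL: it parses the two Windows crash records quoted above (the Application Error event body and the WER APPCRASH problem signature) into one normalized signature, names the NTSTATUS exception code, builds the module+offset expression you would hand to a debugger's nearest-symbol lookup (WinDbg's `ln`), and checks whether two records describe the same fault regardless of which executable crashed. The sample records are copied from the report; the NTSTATUS table is a small subset of the documented Windows constants.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two records quoted in the report above.
EVENT_LOG_TEXT = r"""Faulting application name: TestExe.exe, version: 0.0.0.0, time stamp: 0x618a6e15
Faulting module name: ntdll.dll, version: 10.0.19041.1288, time stamp: 0xa280d1d6
Exception code: 0xc0000005
Fault offset: 0x0000000000076ffb
Faulting process id: 0x7764
Faulting application path: C:\Code\Test\TestExe\x64\Release\TestExe.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
"""

APPCRASH_TEXT = """Event Name: APPCRASH
Problem signature:
P1: TestExe.exe
P2: 0.0.0.0
P3: 618a6e15
P4: ntdll.dll
P5: 10.0.19041.1288
P6: a280d1d6
P7: c0000005
P8: 0000000000076ffb
P9:
P10:
"""

# Documented Windows NTSTATUS values that commonly show up as exception codes.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0x80000003: "STATUS_BREAKPOINT",
}


@dataclass(frozen=True)
class CrashSignature:
    """Fields shared by the event-log record and the APPCRASH P1..P8 signature."""
    app_name: str
    app_version: str
    app_timestamp: int
    module_name: str
    module_version: str
    module_timestamp: int
    exception_code: int
    fault_offset: int


_NAME_RE = re.compile(
    r"^Faulting (?P<kind>application|module) name: (?P<name>[^,]+), "
    r"version: (?P<version>\S+), time stamp: 0x(?P<ts>[0-9A-Fa-f]+)$"
)
_HEX_RE = re.compile(r"^(?P<key>Exception code|Fault offset): 0x(?P<val>[0-9A-Fa-f]+)$")
_P_RE = re.compile(r"^P(?P<n>\d+):\s*(?P<val>.*)$")


def parse_event_log(text: str) -> CrashSignature:
    """Parse the body of an 'Application Error' event (Event ID 1000)."""
    parts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _NAME_RE.match(line)
        if m:
            k = "app" if m["kind"] == "application" else "module"
            parts[f"{k}_name"] = m["name"]
            parts[f"{k}_version"] = m["version"]
            parts[f"{k}_timestamp"] = int(m["ts"], 16)
            continue
        m = _HEX_RE.match(line)
        if m:
            key = "exception_code" if m["key"] == "Exception code" else "fault_offset"
            parts[key] = int(m["val"], 16)
    return CrashSignature(**parts)  # raises TypeError if a field is missing


def parse_appcrash(text: str) -> CrashSignature:
    """Parse the WER APPCRASH problem signature; P1..P8 carry the same data as the event."""
    p = {}
    for line in text.splitlines():
        m = _P_RE.match(line.strip())
        if m:
            p[int(m["n"])] = m["val"].strip()
    missing = [n for n in range(1, 9) if not p.get(n)]
    if missing:
        raise ValueError(f"APPCRASH signature incomplete, missing P{missing}")
    return CrashSignature(
        app_name=p[1], app_version=p[2], app_timestamp=int(p[3], 16),
        module_name=p[4], module_version=p[5], module_timestamp=int(p[6], 16),
        exception_code=int(p[7], 16), fault_offset=int(p[8], 16),
    )


def describe(sig: CrashSignature) -> dict:
    """Turn a signature into the facts a triage note needs."""
    module = sig.module_name.rsplit(".", 1)[0]  # "ntdll.dll" -> "ntdll"
    return {
        "status": NTSTATUS_NAMES.get(sig.exception_code, "unknown NTSTATUS"),
        "in_ntdll": sig.module_name.lower() == "ntdll.dll",
        # module+offset form accepted by WinDbg's `ln` to find the nearest symbol
        "symbol_expr": f"{module}+0x{sig.fault_offset:x}",
        "module_build": f"{sig.module_name} {sig.module_version} (ts 0x{sig.module_timestamp:08x})",
    }


def same_crash(a: CrashSignature, b: CrashSignature) -> bool:
    """True when both records fault at the same place in the same module build,
    which is how to confirm that swapping the target exe did not change the crash."""
    return (a.module_name.lower(), a.module_timestamp, a.exception_code, a.fault_offset) == \
           (b.module_name.lower(), b.module_timestamp, b.exception_code, b.fault_offset)


if __name__ == "__main__":
    sig = parse_event_log(EVENT_LOG_TEXT)
    print(describe(sig), same_crash(sig, parse_appcrash(APPCRASH_TEXT)))
```

Run against the two records above it reports STATUS_ACCESS_VIOLATION at `ntdll+0x76ffb` in ntdll.dll 10.0.19041.1288, and `same_crash` confirms the event-log and APPCRASH records agree; feeding it records from two different target executables is a quick way to check that the fault is independent of the program under DynamoRIO before filing or triaging the report.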