
VisualStudio debugging with AppVerifier enabled impossible due to hmpalert.dll crashing application immediately

Hi,

our company uses Sophos Intercept X Exploit Prevention Systems (Hitman Engine version as of 16th January is 3.6.14.616). My desktop system is Windows 10 Enterprise 1703 (x64).

We are developing software with VisualStudio 2013-2017 in C++ and C#. After getting some "strange" crashes in one of my C++ solutions during debugging I've tried to debug with Microsoft's App Verifier enabled.

The problems got even worse. As soon as even something simple like a "hello world" program is loaded into the debugger it crashes. The call stack does not even contain a single line of my program but references hmpalert.dll, which is part of Hitman Pro.

This is a typical example:

    vrfcore.dll!_VerifierStopMessageEx()    Unknown    Symbols loaded.
    vfbasics.dll!_AVrfpSanityCheckAddressRange@12()    Unknown    Symbols loaded.
    vfbasics.dll!_AVrfpRtlEnterCriticalSection@4()    Unknown    Symbols loaded.
    hmpalert.dll!738e2288()    Unknown    No symbols loaded.
    [Frames below may be incorrect and/or missing, no symbols loaded for hmpalert.dll]        Annotated Frame
    hmpalert.dll!738def70()    Unknown    No symbols loaded.
    ntdll.dll!LdrpPrepareImportAddressTableForSnap()    Unknown    Symbols loaded.

The console output contains just:

Invalid parameter passed to C runtime function.

It's impossible to continue from this point on.

Getting back to the "strange" crashes in my real world application. The program I develop is rather mature. It's been in use for many years and runs perfectly fine outside of the debugger. When the VS debugger is attached to it, it crashes sooner or later with read or write access violations. These exceptions happen typically at trivial lines like "int i = 1;". Sometimes the crashes happen within minutes, sometimes they did not happen for hours. My system was checked without finding any problems. A colleague ran into the same kind of problems debugging a totally different program.

Anyone here having the same kind of problems?

How can an essential tool like App Verifier and the VisualStudio debugger be used together with Sophos/Hitman Pro?

Cheers,
Kai



  • Hi Kai Hüttemann,

    Please open a support ticket with the below logs so that our engineers can investigate it further.

    1. SDU logs from the reported client machine.

    2. A copy of the applications and the debugging tools.

    3. Full Memory dump of the process:

    • Create the directory C:\dumps\
    • Download Procdump from here and save it to C:\dumps\
    • Run in an admin prompt:
    • procdump -ma -i C:\dumps
    • Recreate the issue and you should have a dump file created in C:\dumps\
    • Run: procdump -u to unregister Procdump.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • +1 on original post. The existence of hmpalert.dll causes Application Verifier to fail immediately. Easy repro steps:

    Open Application Verifier

    Add "notepad.exe"

    Save settings

    Browse to WinDbg in your commandline (there's many flavors so we'll just use the x86 one) 
    location: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86
    command: > windbg -xd av -xd ch -xd sov notepad.exe

    You are presented with a list of sadness:


    Microsoft (R) Windows Debugger Version 10.0.16299.91 X86
    Copyright (c) Microsoft Corporation. All rights reserved.

    CommandLine: notepad.exe
    Symbol search path is: srv*
    Executable search path is:
    ModLoad: 01050000 0108e000 notepad.exe
    ModLoad: 77ca0000 77e30000 ntdll.dll
    Page heap: pid 0x4CD8: page heap enabled with flags 0x3.
    AVRF: notepad.exe: pid 0x4CD8: flags 0x81643027: application verifier enabled
    ModLoad: 0fc40000 0fca4000 C:\WINDOWS\SysWOW64\verifier.dll
    Page heap: pid 0x4CD8: page heap enabled with flags 0x3.
    AVRF: notepad.exe: pid 0x4CD8: flags 0x81643027: application verifier enabled
    ModLoad: 74470000 74550000 C:\Windows\SysWOW64\hmpalert.dll
    ModLoad: 74ac0000 74ba0000 C:\WINDOWS\SysWOW64\KERNEL32.dll
    ModLoad: 748d0000 74ab4000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
    ModLoad: 768f0000 76968000 C:\WINDOWS\SysWOW64\ADVAPI32.dll
    ModLoad: 74bf0000 74caf000 C:\WINDOWS\SysWOW64\msvcrt.dll
    ModLoad: 74ba0000 74be4000 C:\WINDOWS\SysWOW64\sechost.dll
    ModLoad: 76a50000 76b10000 C:\WINDOWS\SysWOW64\RPCRT4.dll
    ModLoad: 74560000 74580000 C:\WINDOWS\SysWOW64\SspiCli.dll
    ModLoad: 74550000 7455a000 C:\WINDOWS\SysWOW64\CRYPTBASE.dll
    ModLoad: 779b0000 77a08000 C:\WINDOWS\SysWOW64\bcryptPrimitives.dll
    ModLoad: 0fd90000 0fdc3000 C:\WINDOWS\SysWOW64\vrfcore.dll
    ModLoad: 0f750000 0f7b1000 C:\WINDOWS\SysWOW64\vfbasics.dll
    Invalid parameter passed to C runtime function.
    (4cd8.4970): Break instruction exception - code 80000003 (first chance)
    eax=0fda0314 ebx=00000000 ecx=000001a1 edx=0016f051 esi=0f7740c0 edi=7452108c
    eip=0fd93859 esp=0016f1c0 ebp=0016f3d4 iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
    vrfcore!VerifierStopMessageEx+0x599:
    0fd93859 cc int 3


    This doesn't give you any particular proof, but if you type 'k' into the command window in WinDbg, it will give you a crash stack.

    0:000> k
    # ChildEBP RetAddr
    00 0016f3d4 0f758c21 vrfcore!VerifierStopMessageEx+0x599
    01 0016f420 0f75b235 vfbasics!AVrfpSanityCheckAddressRange+0x57
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\hmpalert.dll -
    02 0016f42c 74485868 vfbasics!AVrfpRtlEnterCriticalSection+0x15
    WARNING: Stack unwind information not available. Following frames may be wrong.
    03 0016f480 74481b37 hmpalert!CVCCP+0x76b8
    04 0016f784 77d4f72e hmpalert!CVCCP+0x3987
    05 0016f848 77d4ecf0 ntdll!AVrfpSnapDllImports+0x166
    06 0016f868 77d4f5a6 ntdll!AVrfpDllLoadNotificationInternal+0xb4
    07 0016f878 77d4e6a5 ntdll!AVrfpSnapAlreadyLoadedDlls+0x41
    08 0016f8a8 77d425dc ntdll!AVrfInitializeVerifier+0x19f
    09 0016fb14 77d01e92 ntdll!LdrpInitializeProcess+0x150d
    0a 0016fb70 77d01d5c ntdll!_LdrpInitialize+0xe0
    0b 0016fb80 00000000 ntdll!LdrInitializeThunk+0x1c


    People that have hmpalert.dll cannot use Application Verifier. People that don't have it, can run it without problems.
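As an added example (not code from the thread or from Sophos), a small Python triage helper for sessions like the one above: it parses the WinDbg ModLoad lines and the output of 'k', skips the verifier's own provider frames and the ntdll loader frames, and reports the first remaining module, i.e. the one whose call tripped the verifier check, together with its image path and whether WinDbg flagged the frame as unreliable. The sample input is a constructed excerpt of the session quoted above, and the list of verifier provider DLLs is an assumption based on the modules seen in the thread.

```python
import re

# Constructed excerpt of the WinDbg session quoted above (ModLoad lines and
# the output of the 'k' command), embedded so the example runs offline.
SAMPLE = r"""
ModLoad: 0fc40000 0fca4000 C:\WINDOWS\SysWOW64\verifier.dll
ModLoad: 74470000 74550000 C:\Windows\SysWOW64\hmpalert.dll
ModLoad: 0fd90000 0fdc3000 C:\WINDOWS\SysWOW64\vrfcore.dll
ModLoad: 0f750000 0f7b1000 C:\WINDOWS\SysWOW64\vfbasics.dll
0:000> k
00 0016f3d4 0f758c21 vrfcore!VerifierStopMessageEx+0x599
01 0016f420 0f75b235 vfbasics!AVrfpSanityCheckAddressRange+0x57
02 0016f42c 74485868 vfbasics!AVrfpRtlEnterCriticalSection+0x15
WARNING: Stack unwind information not available. Following frames may be wrong.
03 0016f480 74481b37 hmpalert!CVCCP+0x76b8
04 0016f784 77d4f72e hmpalert!CVCCP+0x3987
05 0016f848 77d4ecf0 ntdll!AVrfpSnapDllImports+0x166
"""

# Frames from these modules are the verifier itself or the loader calling
# into it; assumed list built from the modules visible in the thread.
SKIP_MODULES = {"verifier", "vrfcore", "vfbasics", "ntdll"}

MODLOAD_RE = re.compile(r"^ModLoad:\s+[0-9a-f]+\s+[0-9a-f]+\s+(\S.*)$")
FRAME_RE = re.compile(r"^([0-9a-f]{2})\s+[0-9a-f]+\s+[0-9a-f]+\s+(\w+)!(\S+)$")


def triage_verifier_stop(text):
    """Return the first non-verifier, non-loader frame under a verifier stop
    (module, symbol, frame index, image path, reliability), or None."""
    paths, frames, unreliable = {}, [], False
    for line in text.splitlines():
        m = MODLOAD_RE.match(line)
        if m:  # remember image path per module name, e.g. 'hmpalert'
            path = m.group(1).strip()
            name = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            paths[name] = path
            continue
        if line.startswith("WARNING: Stack unwind"):
            unreliable = True  # frames after this are export-symbol guesses
            continue
        f = FRAME_RE.match(line)
        if f:
            frames.append((int(f.group(1), 16), f.group(2).lower(), f.group(3), unreliable))
    for index, module, symbol, flagged in frames:
        if module in SKIP_MODULES:
            continue
        return {"frame": index, "module": module, "symbol": symbol,
                "path": paths.get(module), "unreliable": flagged}
    return None
```

On the sample the result names hmpalert at frame 03 with its SysWOW64 path and unreliable=True, which matches the thread's reading of the stack: the verifier stop is raised inside the injected DLL's import-snap hook, before any frame of the debugged program exists.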