A forum for reverse engineering, OS internals and malware analysis 

Application Verifier Custom Providers

Forum for discussion about user-mode development.

Application Verifier Custom Providers

 #23556  by EP_X0FF
 Fri Aug 08, 2014 5:31 pm
This post isn't innovation or what else. It is renewing of old MSFT blogpost (and some other publication vanished in time and dated back to 2004(?)). Recently have been looking over this method to solve one very specific task, unfortunately it didn't helped me, but I thought it will be interesting to share this (again) with everybody.

Here and below expected target system as x64, however it will be the same for x86-32.

Short Q&A

What is Application Verifier (AVrf)?
You can read it description there -> MSDN: Application Verifier
and inside WinDBG documentation -> !avrf WinDBG command

Where it works?
It is built-in Windows Native debugging mechanism. It is supported everywhere in all actual NT versions (and in Windows XP too).

What is the requirement to use it?
Administrator rights required to write access for the IFEO registry key (IFEO = Image File Execution Options) and write access to the %systemroot%\system32 directory.

How does it works?
It is DLL injection based debugging mechanism build on IAT hooking. Windows will give you free, absolutely stable and easy to use hooking mechanism in addition to dll injection at the earlier stage of process loading. You create special dll, called custom verifier provider dll, writing for it special DllMain where at special fwdReason you are registering your dll as verifier provider (full example provided). Your code will be loaded just after verifier at earlier process startup time when no other dlls are loaded except ntdll, api set schema and verifier dlls. Note that because nothing else loaded at time when your code gets control you should be using Native API at entry code. Later usual dlls will be loaded (depends on appplication imports of course).

AVrf declarations and structures

Some can be found in old DDK files, but take a hint - this staff isn't documented and may change in next version of Windows. However it didn't changed since XP and works perfectly in Windows 8.1, quite doubtful it anyhow will change in future.

You can rip all these structures from WDK8 mfcs42ud.pdb for some unknown reason it have them all. Maybe can be still found somewhere in WDK or in other PDB files.

RTL_VERIFIER_PROVIDER_DESCRIPTOR
Code: Select all
typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR {
	DWORD Length;
	PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
	RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
	RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
	PWSTR VerifierImage;
	DWORD VerifierFlags;
	DWORD VerifierDebug;
	PVOID RtlpGetStackTraceAddress;
	PVOID RtlpDebugPageHeapCreate;
	PVOID RtlpDebugPageHeapDestroy;
	RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
} RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR;
Main custom provider structure.

Significant members:

Length
The size of this data structure, in bytes. Set this member to sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR).

ProviderDlls
Pointer to array of RTL_VERIFIER_DLL_DESCRIPTOR type structures, describing dlls to be hooked.

ProviderDllLoadCallback
Pointer to a dlls loading callback, with the following format
Code: Select all
typedef VOID (NTAPI * RTL_VERIFIER_DLL_LOAD_CALLBACK) (PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
This callback will be called before DLL_PROCESS_ATTACH event of any loading dll.

ProviderDllUnloadCallback
Pointer to dlls unloading callback, with the following format
Code: Select all
typedef VOID (NTAPI * RTL_VERIFIER_DLL_UNLOAD_CALLBACK) (PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
This callback will be called before DLL_PROCESS_DETACH event of any unloading dll.

...
ProviderNtdllHeapFreeCallback
Pointer to callback called before any ntdll heap free, has the following format
Code: Select all
typedef VOID (NTAPI * RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK) (PVOID AllocationBase, SIZE_T AllocationSize);

RTL_VERIFIER_DLL_DESCRIPTOR
Code: Select all
typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR {
	PWCHAR DllName;
	DWORD DllFlags;
	PVOID DllAddress;
	PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;
} RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR;
Members:

PWCHAR DllName
Unicode name of dll which routines you want to filter. E.g. L"kernel32.dll"

DllFlags
Filled by verifier, do not use.

DllAddress
Filled by verifier, do not use.

DllThunks
Pointer to array of RTL_VERIFIER_THUNK_DESCRIPTOR structures, describing each hook.

RTL_VERIFIER_THUNK_DESCRIPTOR
Code: Select all
typedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR {
	PCHAR ThunkName;
	PVOID ThunkOldAddress;
	PVOID ThunkNewAddress;
} RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR;
Members:

ThunkName
ANSI name of routine to intercept. E.g. "CloseHandle"

ThunkOldAddress
Filled by verifier, do not change. There will be stored original address of hooked by IAT patching routine.

ThunkNewAddress
Pointer to hook handler. E.g. CloseHandleHook

InitRoutine (DllMain)
Code: Select all
BOOL WINAPI InitRoutine(
	PVOID DllHandle, 
	DWORD fdwReason, 
	PRTL_VERIFIER_PROVIDER_DESCRIPTOR* pVPD
	)
{
	switch(fdwReason)
	{
	case DLL_PROCESS_ATTACH:
		LdrDisableThreadCalloutsForDll(DllHandle);
		break;
	case DLL_PROCESS_VERIFIER:
		RegisterProvider();
		*pVPD = &g_avrfProvider;
		Payload();
		break;
	default:
		break;
	}
	return TRUE;
}
The same DllMain but with usage of 3rd parameter and custom provider registration at new undocumented fdwReason.

AVrf reason code for dll entry point
Code: Select all
#define DLL_PROCESS_VERIFIER 4
This event will occur before any other events.


AVrf custom provider installation

Copy your provider dll to the %systemroot%\system32 (note for WOW64 you should use appreciate folder syswow64 and registry keys). Administrator rights required.

Install your provider for specific application you want to debug, use IFEO key for this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppName

In the same key set your dll to the verifier dlls (can be multiple), only name required

"VerifierDlls"="mydll.dll"

Enable Application Verifier for this application, in the same key set

"GlobalFlag"=dword:00000100

where 0x00000100 is FLG_APPLICATION_VERIFIER -> Enable application verifier

Example
Code: Select all
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mytest.exe]
"VerifierDlls"="mydll.dll"
"GlobalFlag"=dword:00000100
AVrf Custom provider example

This custom provider implements hooking of NtQuerySystemInformation with debug output of it result and Avrf dynamic-link libraries load callback example.
Code: Select all
#include "ntdll\ntdll.h"
#include "ntdll\ntstatus.h"

#define DLL_PROCESS_VERIFIER 4

typedef VOID (NTAPI * RTL_VERIFIER_DLL_LOAD_CALLBACK) (PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
typedef VOID (NTAPI * RTL_VERIFIER_DLL_UNLOAD_CALLBACK) (PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
typedef VOID (NTAPI * RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK) (PVOID AllocationBase, SIZE_T AllocationSize);

typedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR {
	PCHAR ThunkName;
	PVOID ThunkOldAddress;
	PVOID ThunkNewAddress;
} RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR;

typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR {
	PWCHAR DllName;
	DWORD DllFlags;
	PVOID DllAddress;
	PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;
} RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR;

typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR {
	DWORD Length;
	PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
	RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
	RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
	PWSTR VerifierImage;
	DWORD VerifierFlags;
	DWORD VerifierDebug;
	PVOID RtlpGetStackTraceAddress;
	PVOID RtlpDebugPageHeapCreate;
	PVOID RtlpDebugPageHeapDestroy;
	RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
} RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR;

static RTL_VERIFIER_THUNK_DESCRIPTOR avrfThunks[2];
static RTL_VERIFIER_DLL_DESCRIPTOR avrfDlls[2]; 
static RTL_VERIFIER_PROVIDER_DESCRIPTOR g_avrfProvider;

typedef NTSTATUS (NTAPI *pfnNtQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT OPTIONAL PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT OPTIONAL PULONG ReturnLength
    );

pfnNtQuerySystemInformation pNtQuerySystemInformation;

VOID NTAPI avrfLoadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
{
	DbgPrint("VerifierLoadCallback - dll load %ws, DllBase = %p\n\r", DllName, DllBase);
}

NTSTATUS NTAPI NtQuerySystemInformationHook(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT OPTIONAL PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT OPTIONAL PULONG ReturnLength
    )
{
	NTSTATUS status;

	status = ((pfnNtQuerySystemInformation)(avrfThunks[0].ThunkOldAddress))(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);

	DbgPrint("NtQuerySystemInformation(%d) = %lx\n\r", SystemInformationClass, status);
	return status;
}

VOID Payload()
{
	DbgPrint("DLL!Payload()\n\r");
}

VOID RegisterProvider(
	VOID
	)
{
	DbgPrint("DLL!RegisterProvider\n\r");

	avrfThunks[0].ThunkName = "RtlQueryElevationFlags"; 
	avrfThunks[0].ThunkOldAddress = NULL;
	avrfThunks[0].ThunkNewAddress = &RtlQueryElevationFlagsHook;

	avrfDlls[0].DllName = L"ntdll.dll";
	avrfDlls[0].DllFlags = 0;
	avrfDlls[0].DllAddress = NULL;
	avrfDlls[0].DllThunks = avrfThunks; 

	RtlSecureZeroMemory(&g_avrfProvider, sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR));
	g_avrfProvider.Length = sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR);
	g_avrfProvider.ProviderDlls = avrfDlls;
	g_avrfProvider.ProviderDllLoadCallback = (RTL_VERIFIER_DLL_LOAD_CALLBACK)&avrfLoadCallback;
}

BOOL WINAPI InitRoutine(
	PVOID DllHandle, 
	DWORD fdwReason, 
	PRTL_VERIFIER_PROVIDER_DESCRIPTOR* pVPD
	)
{
	switch(fdwReason)
	{
	case DLL_PROCESS_ATTACH:
		DbgPrint("DLL!DLL_PROCESS_ATTACH\n\r");
		LdrDisableThreadCalloutsForDll(DllHandle);
		break;
	case DLL_PROCESS_DETACH:
		DbgPrint("DLL!DLL_PROCESS_DETACH\n\r");
		break;
	case DLL_PROCESS_VERIFIER:
		DbgPrint("DLL!DLL_PROCESS_VERIFIER\n\r");
		RegisterProvider();
		*pVPD = &g_avrfProvider;
		Payload();
		break;
	default:
		break;
	}
	return TRUE;
}
Execution trace result (Dependency Walker), custom provider name - "dll.dll"
Code: Select all
Options Selected:
     Simulate ShellExecute by inserting any App Paths directories into the PATH environment variable.
     Log thread information.
     Use simple thread numbers instead of actual thread IDs.
     Log first chance exceptions.
     Log debug output messages.
     Use full paths when logging file names.
     Log a time stamp with each line of log.
     Automatically open and profile child processes.
--------------------------------------------------------------------------------

00:00:00.000: Started "c:\verifier_test\VRTEST.EXE" (process 0x1580) at address 0x00000000FFC20000 by thread 1.
00:00:00.000: Loaded "c:\windows\system32\NTDLL.DLL" at address 0x0000000076F40000 by thread 1.
00:00:00.015: Loaded "c:\windows\system32\VERIFIER.DLL" at address 0x000007FEF93B0000 by thread 1.
00:00:00.015: Page heap: pid 0x1580: page heap enabled with flags 0x2.
00:00:00.015: AVRF: VRTEST.EXE: pid 0x1580: flags 0x48004: application verifier enabled
00:00:00.031: Loaded "c:\windows\system32\DLL.DLL" at address 0x000007FEF9D50000 by thread 1.
00:00:00.031: DLL!DLL_PROCESS_VERIFIER
00:00:00.031: DLL!RegisterProvider
00:00:00.031: DLL!Payload()
00:00:00.031: DLL!DLL_PROCESS_ATTACH
00:00:00.031: Loaded "c:\windows\system32\KERNEL32.DLL" at address 0x0000000076E20000 by thread 1.
00:00:00.046: Loaded "c:\windows\system32\KERNELBASE.DLL" at address 0x000007FEFCDD0000 by thread 1.
00:00:00.046: VerifierLoadCallback - dll load KERNELBASE.dll, DllBase = 000007FEFCDD0000
00:00:00.046: VerifierLoadCallback - dll load kernel32.dll, DllBase = 0000000076E20000
00:00:00.046: DLL!DLL_PROCESS_ATTACH
00:00:00.046: NtQuerySystemInformation(50) = 0
00:00:00.046: NtQuerySystemInformation(0) = 0
00:00:00.046: NtQuerySystemInformation(1) = 0
00:00:00.046: NtQuerySystemInformation(0) = 0
00:00:00.046: NtQuerySystemInformation(1) = 0
00:00:00.046: Loaded "c:\windows\system32\USER32.DLL" at address 0x0000000076D20000 by thread 1.
00:00:00.046: Loaded "c:\windows\system32\GDI32.DLL" at address 0x000007FEFEBD0000 by thread 1.
00:00:00.046: Loaded "c:\windows\system32\LPK.DLL" at address 0x000007FEFF240000 by thread 1.
00:00:00.046: Loaded "c:\windows\system32\USP10.DLL" at address 0x000007FEFDAE0000 by thread 1.
00:00:00.046: Loaded "c:\windows\system32\MSVCRT.DLL" at address 0x000007FEFEF70000 by thread 1.
00:00:00.062: VerifierLoadCallback - dll load msvcrt.dll, DllBase = 000007FEFEF70000
00:00:00.062: VerifierLoadCallback - dll load USP10.dll, DllBase = 000007FEFDAE0000
00:00:00.062: VerifierLoadCallback - dll load LPK.dll, DllBase = 000007FEFF240000
00:00:00.062: VerifierLoadCallback - dll load GDI32.dll, DllBase = 000007FEFEBD0000
00:00:00.062: VerifierLoadCallback - dll load USER32.dll, DllBase = 0000000076D20000
00:00:00.062: Loaded "c:\windows\system32\SHELL32.DLL" at address 0x000007FEFDD90000 by thread 1.
00:00:00.062: Loaded "c:\windows\system32\SHLWAPI.DLL" at address 0x000007FEFDD10000 by thread 1.
00:00:00.062: VerifierLoadCallback - dll load SHLWAPI.dll, DllBase = 000007FEFDD10000
00:00:00.062: VerifierLoadCallback - dll load SHELL32.dll, DllBase = 000007FEFDD90000
00:00:00.062: VerifierLoadCallback - dll load VRTEST.EXE, DllBase = 00000000FFC20000
00:00:00.062: Entrypoint reached. All implicit modules have been loaded.
00:00:00.062: Loaded "c:\windows\system32\APPHELP.DLL" at address 0x000007FEFCB70000 by thread 1.
00:00:00.078: VerifierLoadCallback - dll load apphelp.dll, DllBase = 000007FEFCB70000
00:00:00.078: NtQuerySystemInformation(1) = 0
00:00:00.078: Loaded "c:\windows\apppatch\apppatch64\ACGENRAL.DLL" at address 0x000007FEF2BA0000 by thread 1.
00:00:00.078: Loaded "c:\windows\system32\SSPICLI.DLL" at address 0x000007FEFCB40000 by thread 1.
00:00:00.078: Loaded "c:\windows\system32\RPCRT4.DLL" at address 0x000007FEFF010000 by thread 1.
00:00:00.078: VerifierLoadCallback - dll load RPCRT4.dll, DllBase = 000007FEFF010000
00:00:00.078: VerifierLoadCallback - dll load SspiCli.dll, DllBase = 000007FEFCB40000
00:00:00.078: Loaded "c:\windows\system32\OLE32.DLL" at address 0x000007FEFD470000 by thread 1.
00:00:00.093: VerifierLoadCallback - dll load ole32.dll, DllBase = 000007FEFD470000
00:00:00.093: Loaded "c:\windows\system32\SFC.DLL" at address 0x0000000072F00000 by thread 1.
00:00:00.093: VerifierLoadCallback - dll load sfc.dll, DllBase = 0000000072F00000
00:00:00.093: Loaded "c:\windows\system32\SFC_OS.DLL" at address 0x000007FEF84B0000 by thread 1.
00:00:00.093: VerifierLoadCallback - dll load sfc_os.DLL, DllBase = 000007FEF84B0000
00:00:00.093: Loaded "c:\windows\system32\USERENV.DLL" at address 0x000007FEFCF60000 by thread 1.
00:00:00.109: Loaded "c:\windows\system32\PROFAPI.DLL" at address 0x000007FEFCD70000 by thread 1.
00:00:00.109: VerifierLoadCallback - dll load profapi.dll, DllBase = 000007FEFCD70000
00:00:00.109: VerifierLoadCallback - dll load USERENV.dll, DllBase = 000007FEFCF60000
00:00:00.109: Loaded "c:\windows\system32\DWMAPI.DLL" at address 0x000007FEFB0A0000 by thread 1.
00:00:00.109: VerifierLoadCallback - dll load dwmapi.dll, DllBase = 000007FEFB0A0000
00:00:00.109: Loaded "c:\windows\system32\ADVAPI32.DLL" at address 0x000007FEFDC30000 by thread 1.
00:00:00.109: Loaded "c:\windows\system32\SECHOST.DLL" at address 0x000007FEFEF50000 by thread 1.
00:00:00.124: VerifierLoadCallback - dll load sechost.dll, DllBase = 000007FEFEF50000
00:00:00.124: VerifierLoadCallback - dll load ADVAPI32.dll, DllBase = 000007FEFDC30000
00:00:00.124: Loaded "c:\windows\system32\MPR.DLL" at address 0x000007FEF80F0000 by thread 1.
00:00:00.124: VerifierLoadCallback - dll load MPR.dll, DllBase = 000007FEF80F0000
00:00:00.124: VerifierLoadCallback - dll load AcGenral.DLL, DllBase = 000007FEF2BA0000
00:00:00.124: NtQuerySystemInformation(0) = 0
00:00:00.124: Loaded "c:\windows\system32\IMM32.DLL" at address 0x000007FEFDA90000 by thread 1.
00:00:00.140: Loaded "c:\windows\system32\MSCTF.DLL" at address 0x000007FEFD680000 by thread 1.
00:00:00.140: VerifierLoadCallback - dll load MSCTF.dll, DllBase = 000007FEFD680000
00:00:00.140: VerifierLoadCallback - dll load IMM32.DLL, DllBase = 000007FEFDA90000
00:00:00.140: NtQuerySystemInformation(0) = 0
00:00:00.140: NtQuerySystemInformation(0) = 0
00:00:00.140: NtQuerySystemInformation(1) = 0
00:00:00.140: NtQuerySystemInformation(0) = 0
00:00:00.140: NtQuerySystemInformation(1) = 0
00:00:00.156: DLL!DLL_PROCESS_DETACH
00:00:00.156: Exited "c:\verifier_test\VRTEST.EXE" (process 0x1580) with code 0 (0x0) by thread 1.

Links

1) MSFT: Reiley Yang - A Debugging Approach to IFEO
http://blogs.msdn.com/b/reiley/archive/ ... -ifeo.aspx

2) MSFT: Reiley Yang - A Debugging Approach to Application Verifier
http://blogs.msdn.com/b/reiley/archive/ ... ifier.aspx

3) Unknown source vanished in time (c) 2004.

NOTE: The content of this list is originally from: http://www.kernelmode.info/forum/viewto ... =15&t=3418. If you are reading it elsewhere, please visit the original location.
Last edited by EP_X0FF on Wed Nov 04, 2015 6:43 pm, edited 2 times in total. Reason: edit, see http://www.kernelmode.info/forum/viewtopic.php?p=27145#p27145 and below for more info

Re: Application Verifier Custom Providers

 #25458  by IChooseYou
 Fri Mar 13, 2015 1:27 am
This works on Windows 8 & Server 2012 but fails on Windows 7 x64 with this error:

Image
Image

It's so early in the loading process that I'm having a hard time debugging this. The stack in olly shows this:
Code: Select all
.text:1002C185 ; START OF FUNCTION CHUNK FOR ___crtIsPackagedApp
.text:1002C185
.text:1002C185 loc_1002C185:                           ; CODE XREF: ___crtIsPackagedApp+Dj
.text:1002C185                 mov     eax, dword_100DFA74
.text:1002C18A                 xor     esi, esi
.text:1002C18C                 xor     eax, ___security_cookie
.text:1002C192                 mov     [ebp+var_4], esi
.text:1002C195                 jz      short loc_1002C1A7
.text:1002C197                 push    esi
.text:1002C198                 lea     ecx, [ebp+var_4]
.text:1002C19B                 push    ecx
.text:1002C19C                 call    eax                          ; <-------------------- crash here
.text:1002C19E                 cmp     eax, 7Ah        
.text:1002C1A1                 jz      loc_1005F1A8
.text:1002C1A7
.text:1002C1A7 loc_1002C1A7:                           ; CODE XREF: ___crtIsPackagedApp+175C4j
.text:1002C1A7                                         ; ___crtIsPackagedApp+4A5D8j
.text:1002C1A7                 mov     isPackaged, esi
.text:1002C1AD                 jmp     loc_10014BE4
.text:1002C1AD ; END OF FUNCTION CHUNK FOR ___crtIsPackagedApp
This happens:
eax = dword_100DFA74 (which is NULL) XOR 0xBB40E64E
eax = 0xBB40E64E
call eax;

Why am I having CRT issues?
Any advice?

Re: Application Verifier Custom Providers

 #25459  by EP_X0FF
 Fri Mar 13, 2015 3:55 am
Download Application Verifier and test this application with it.

Re: Application Verifier Custom Providers

 #25462  by IChooseYou
 Sat Mar 14, 2015 1:52 am
EP_X0FF wrote:Download Application Verifier and test this application with it.
I tried it. Application verifier works.

My problems seems to be initializing CRT on Windows 7. I skipped _DllMainCRTStartup by setting /ENTRY to DllMain. Surprisingly that worked on Windows 7 (and crashed on Windows 8).

Win7 x86 build:
Image

Any ideas?

Re: Application Verifier Custom Providers

 #25464  by IChooseYou
 Sat Mar 14, 2015 5:51 am
EP_X0FF wrote:Get rid of CRT.
The post limitation is extremely annoying.

Getting rid of the c run times sounds like a pretty shitty fix.
I just don't understand why Microsoft's verifier _CRT_INIT and my _CRT_INIT are so different from each other.

Re: Application Verifier Custom Providers

 #25465  by EP_X0FF
 Sat Mar 14, 2015 6:54 am
Are you using CRT in your verifier dll? If so, get rid of it. Verifier dll loaded in the moment where nothing except native subsystem is initialized this may be the root of problem. Or you have to debug ms verifier dlls to figure out how they loaded.

Post approval is only for your first 10 posts and added to protect against spam, after you made 10 posts this limitation will be automatically removed.

Re: Application Verifier Custom Providers

 #25467  by Brock
 Mon Mar 16, 2015 6:26 am
He's using CRT in his verifier DLL which is statically linked and causing his problem. You're loading extremely early as mentioned so you need to account for this @IChooseYou. This worked by redirecting DLLMain on Win 7 and below because the LDR_MODULE structure was the same, on Windows 8 it's extended which uses a very different mechanism involving reference and dependency count of a DLL on a "node" basis, it's a different way of loading/unloading entirely and this directly corresponds to initializing a DLL's dependencies.

Re: Application Verifier Custom Providers

 #26121  by Microwave89
 Thu Jun 18, 2015 10:18 pm
Despite the fact that this one is fairly old, I have a small question:
Is it possible that solely dlls, which exist in the system32 folder can be used for a custom provider?
Since if I placed my dll into \ root directory the Avrf found and mapped the dll, however its dllmain was not called. (According to dbgprint).

As soon as I placed the dll in the system32 folder its dllmain got called as expected.

If the dll is not residing in system32 folder the verifier prints the following message:
Xyz could not be found in the initialization list.
Google spit out about 5 results regarding this error, mainly of static analyzes of verifier.dll.
Doesn't initialization list refer to the inmemoryorderlist or inloadorderlist?

If the dll was in fact not found I received 0xC0000135 which makes sense.


Best Regards

Microwave89
 Return to “User-Mode Development”