
Crash Crash Crash Crash Crash Crash #35

Open
wPood909mv opened this issue Oct 8, 2023 · 4 comments

Comments

@wPood909mv

Service process crashes when running with system permissions.
X86 process running on win11 [10.0.22621.2361]
100% probability of crashing during startup

RtlInitUnicodeString(&us, buffer);
InitializeObjectAttributes(&oa, &us, 0, nullptr, nullptr);

li.QuadPart = 0x1000;
ServiceMessageBox("MmpAllocateGlobalData", "MmpAllocateGlobalData   2222222222222222222", MB_ICONERROR, TRUE);
status = NtCreateSection(         // fails
	&hSection,
	SECTION_ALL_ACCESS,
	&oa,
	&li,
	PAGE_READWRITE,
	SEC_COMMIT,
	nullptr
);

This causes the following code to crash:

// Allocate memory for image headers
if (MmpGlobalDataPtr == 0)  // null pointer
	ServiceMessageBox("MemoryLoadLibrary", "MemoryLoadLibrary   fffffffffffffffffffffffffffff MmpGlobalDataPtr == 0)", MB_ICONERROR, TRUE);

size_t alignedHeadersSize = (DWORD)AlignValueUp(old_header->OptionalHeader.SizeOfHeaders + sizeof(MEMORYMODULE), MmpGlobalDataPtr->SystemInfo.dwPageSize);  // crash
if (alignedHeadersSize == 0)
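The failure mode in this report is a dependent null dereference: NtCreateSection fails in session 0, the global data pointer is left null, and the header-alignment line reads through it. As an added illustration (not code from the project or from the reporter), the following stand-alone C sketch shows the fail-closed shape a loader wants here: validate the global data pointer and page size before computing the aligned header size, and return 0 on any failure so a caller's `== 0` check fires instead of a crash. The names LoaderGlobalData, the mmp_* functions and the MMP_* codes are hypothetical, and the sample structs are constructed for the demo.

```c
/* Added example, not the project's own code. Fail-closed computation of the
 * aligned PE header size when loader global data may not be initialized.
 * LoaderGlobalData, mmp_* and MMP_* are hypothetical names for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MMP_OK                  0
#define MMP_ERR_NOT_INITIALIZED 1   /* global data pointer is NULL */
#define MMP_ERR_BAD_PAGE_SIZE   2   /* page size zero or not a power of two */
#define MMP_ERR_OVERFLOW        3   /* size arithmetic would wrap */

/* Minimal stand-in for the loader's global data block. */
typedef struct {
    struct { uint32_t dwPageSize; } SystemInfo;
} LoaderGlobalData;

/* Constructed sample globals: one sane (4 KiB pages), one corrupt. */
static const LoaderGlobalData kSampleGlobals  = { { 0x1000 } };
static const LoaderGlobalData kBadPageGlobals = { { 0x1001 } };

/* Round value up to a multiple of alignment (alignment must be a power of two). */
static size_t align_value_up(size_t value, size_t alignment) {
    return (value + alignment - 1) & ~(alignment - 1);
}

static int is_power_of_two(size_t x) {
    return x != 0 && (x & (x - 1)) == 0;
}

/* Returns an MMP_* status; writes the aligned size to *out only on MMP_OK. */
int mmp_compute_aligned_headers_size(const LoaderGlobalData *g,
                                     size_t size_of_headers,
                                     size_t module_struct_size,
                                     size_t *out)
{
    /* The reported crash is exactly this dereference happening unchecked. */
    if (g == NULL)
        return MMP_ERR_NOT_INITIALIZED;

    size_t page = g->SystemInfo.dwPageSize;
    if (!is_power_of_two(page))
        return MMP_ERR_BAD_PAGE_SIZE;

    /* Guard both additions inside align_value_up against wraparound. */
    if (size_of_headers > SIZE_MAX - module_struct_size)
        return MMP_ERR_OVERFLOW;
    size_t total = size_of_headers + module_struct_size;
    if (total > SIZE_MAX - (page - 1))
        return MMP_ERR_OVERFLOW;

    *out = align_value_up(total, page);
    return MMP_OK;
}

/* Convenience wrapper matching the original's "== 0 means failure" check. */
size_t mmp_aligned_headers_size_or_zero(const LoaderGlobalData *g,
                                        size_t size_of_headers,
                                        size_t module_struct_size)
{
    size_t out = 0;
    if (mmp_compute_aligned_headers_size(g, size_of_headers,
                                         module_struct_size, &out) != MMP_OK)
        return 0;
    return out;
}

int main(void) {
    /* Startup path where section creation succeeded. */
    printf("initialized: 0x%zx\n",
           mmp_aligned_headers_size_or_zero(&kSampleGlobals, 0x400, 0x58));
    /* Startup path where section creation failed and the pointer is NULL. */
    printf("uninitialized: 0x%zx (0 = refuse to load)\n",
           mmp_aligned_headers_size_or_zero(NULL, 0x400, 0x58));
    return 0;
}
```

With the globals pointer null the wrapper returns 0 and the existing `if (alignedHeadersSize == 0)` branch handles it as a load failure, which is the behaviour the report wants instead of an access violation inside the service.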
bb107 added a commit that referenced this issue Oct 8, 2023
#35 Fix initialization failure in session 0
@bb107
Owner

bb107 commented Oct 8, 2023

Hi, the problem of initialization failure has been solved.

@wPood909mv
Author

wPood909mv commented Oct 8, 2023

The service program crashes once after starting the computer 5 times.
The above configuration still caused the following issues:

FAULTING_IP:
ntdll!RtlIsZeroMemory+ff
7798d42f eb33 jmp ntdll!RtlIsZeroMemory+0x134 (7798d464)

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7798d42f (ntdll!RtlIsZeroMemory+0x000000ff)
ExceptionCode: c0000374
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 779cb918

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 778a0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 65230521

ERROR_CODE: (NTSTATUS) 0xc0000374 -

EXCEPTION_CODE: (NTSTATUS) 0xc0000374 -

EXCEPTION_PARAMETER1: 779cb918

MOD_LIST:

FAULTING_THREAD: 000010bc

PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS

BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER: from 7798d401 to 7798d42f

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0513f458 7798d401 7fe51e91 00000000 00000002 ntdll!RtlIsZeroMemory+0xff
0513f4ec 77996663 00000001 779cb948 7799449e ntdll!RtlIsZeroMemory+0xd1
0513f528 7799cfdb 00000011 02f20100 03655d88 ntdll!RtlpNtSetValueKey+0x28a3
0513f540 7799e64d 03655d88 03655000 0000008d ntdll!RtlpNtSetValueKey+0x921b
0513f588 779a2d21 03655d88 00000000 02f20000 ntdll!RtlpNtSetValueKey+0xa88d
0513f5ac 7799f8b0 00000000 03655d88 02f20000 ntdll!RtlpNtSetValueKey+0xef61
0513f5cc 7792fd62 00000000 0513f644 0513f648 ntdll!RtlpNtSetValueKey+0xbaf0
0513f62c 77996d58 00000000 0513f644 0513f648 ntdll!RtlRemovePropertyStore+0x162
0513f64c 77973555 00000000 7fe51ce1 03655d88 ntdll!RtlpNtSetValueKey+0x2f98
0513f69c 77939792 00000000 00000011 03670448 ntdll!RtlImageRvaToVa+0x105
0513f6b0 7790a3ff 02f20000 00000000 03655d88 ntdll!RtlCaptureStackContext+0x2f2
0513f6d4 778e688d 7fe51d01 00000000 036556b0 ntdll!RtlFindUnicodeSubstring+0x12f
0513f77c 74e2a13b 036555d8 03691530 036556b0 ntdll!LdrShutdownThread+0x26d
0513f790 7790e4fc 036555d8 036555d8 72ce0000 stacktimesupport!HookLdrShutdownThread+0x10b
0513f868 75aba565 00000000 036555d8 0513f901 ntdll!RtlExitUserThread+0x4c
0513f87c 7752d1c1 72ce0000 00000000 0513f8a0 KERNELBASE!FreeLibraryAndExitThread+0x35
0513f88c 72f49c99 72ce0000 00000000 72e88880 kernel32!FreeLibraryAndExitThread+0x11
0513f8a0 72f49d83 00000000 0513f8e4 72f49bf5 ComMaskDec!common_end_thread+0x4d [minkernel\crts\ucrt\src\appcrt\startup\thread.cpp @ 266]
0513f8ac 72f49bf4 00000000 31f3cf92 00000018 ComMaskDec!_endthreadex+0xd [minkernel\crts\ucrt\src\appcrt\startup\thread.cpp @ 277]
0513f8e4 74e2ade7 036555d8 f4a72008 74e2ab70 ComMaskDec!thread_start<unsigned int (__stdcall*)(void *),1>+0x5d [minkernel\crts\ucrt\src\appcrt\startup\thread.cpp @ 97]
0513f928 77527ba9 03691530 77527b90 0513f990 stacktimesupport!MmpUserThreadStart+0x277
0513f938 7790bc5b 0513f9b0 7fe513ed 00000000 kernel32!BaseThreadInitThunk+0x19
0513f990 7790bbdf ffffffff 77939277 00000000 ntdll!RtlInitializeExceptionChain+0x6b
0513f9a0 74e2a3e6 74e2ab70 0513f9b0 72f49b97 ntdll!RtlClearBits+0xbf
00000000 00000000 00000000 00000000 00000000 stacktimesupport!HookRtlUserThreadStart+0x26

STACK_COMMAND: ~9s; .ecxr ; kb

FOLLOWUP_IP:
stacktimesupport!HookLdrShutdownThread+10b
74e2a13b 5e pop esi

SYMBOL_STACK_INDEX: d

SYMBOL_NAME: stacktimesupport!HookLdrShutdownThread+10b

FOLLOWUP_NAME: MachineOwner

@bb107
Owner

bb107 commented Oct 9, 2023

C0000374 means heap corruption. You can load it with kernel32!LoadLibraryA to rule out whether it is a problem with the DLL itself.

0513f77c 74e2a13b 036555d8 03691530 036556b0 ntdll!LdrShutdownThread+0x26d

This line is the return address of calling ntdll!_LdrpFreeTls. This means that the heap is corrupted when TLS is being released, and the MmpTlsFiber branch may be able to mitigate this.
If the problem persists, please provide a code snippet that causes the problem.

@wPood909mv
Author

The reason has been found, it's my own problem.
