Udo Steinbach
2024-05-30 14:46:12 UTC
Do we have readers here?
PssCaptureSnapshot() with (PSS_CAPTURE_HANDLES | PSS_CAPTURE_THREADS) or PSS_CAPTURE_HANDLES alone on the calling process, GetCurrentProcess().
https://learn.microsoft.com/en-us/windows/win32/api/processsnapshot/nf-processsnapshot-psscapturesnapshot
On average, every second call results in EXCEPTION_ACCESS_VIOLATION at
#0 0x7FFA2A590F8D: <KiUserExceptionDispatcher()>+45
#1 0x7FFA2A593F25: <memcpy()>+37
#2 0x7FFA2A606120: <PssNtWalkSnapshot()>+6160
#3 0x7FFA2A606441: <PssNtWalkSnapshot()>+6961
#4 0x7FFA2A605CAB: <PssNtWalkSnapshot()>+5019
#5 0x7FFA2A603F22: <PssNtCaptureSnapshot()>+882
#6 0x7FFA280F00DD: <PssCaptureSnapshot()>+29
(my own inexact backtrace)
Within the debugger it runs 99.9% as wanted. Same results as Admin and with OpenProcess() on self.
Does someone have a pointer? I suspect not an access violation but a read or write out of allocated memory.
Ah, GDB says SIGSEGV:
#0 0x00007ffa2a593f92 in ntdll!memmove () from C:\WINDOWS\SYSTEM32\ntdll.dll
#1 0x00007ffa2a606121 in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
#2 0x00007ffa2a606442 in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
#3 0x00007ffa2a605cac in ntdll!PssNtWalkSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
#4 0x00007ffa2a603f23 in ntdll!PssNtCaptureSnapshot () from C:\WINDOWS\SYSTEM32\ntdll.dll
#5 0x00007ffa280f00de in PssCaptureSnapshot () from C:\WINDOWS\System32\KernelBase.dll
0x00007ffa2a593f89 <+137>: cmp %rcx,%r11
0x00007ffa2a593f8c <+140>: ja 0x7ffa2a594100 <ntdll!memmove+512>
=> 0x00007ffa2a593f92 <+146>: movups (%rcx,%rdx,1),%xmm0
0x00007ffa2a593f96 <+150>: add $0x10,%rcx
0x00007ffa2a593f9a <+154>: test $0xf,%cl
0x00007ffa2a593f9d <+157>: je 0x7ffa2a593fb1 <ntdll!memmove+177>
--
Fahrradverkehr in Deutschland: http://radwege.udoline.de/
GPG: A245 F153 0636 6E34 E2F3 E1EB 817A B14D 3E7E 482E