
Application Crashes without a Trace / No Dumpfile

7 Sep 2022 · MIT license · 1 min read
Symantec can cause valid applications to crash and be gone without a trace
When hunting down unexpected application termination, I found Symantec to be the unlikely cause of all the grief. I'll explain how. Should you ever have an unexplainable application close, this may be happening.

Introduction

I was running a test for performing SID translation in a parallel_for loop. Everything worked fine, but about 1 time in 7, my application disappeared without a trace. I looked at possible race conditions but didn't find anything obviously wrong. After an evening of trimming down the code, I reproduced it with this:

C++
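#include <windows.h>
#include <sddl.h>      // ConvertSidToStringSid
#include <ppl.h>       // concurrency::parallel_for
#include <iostream>

using namespace std;

int main()
{
    // Build the well-known SID for BUILTIN\Administrators (S-1-5-32-544).
    PSID pSID = NULL;
    SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
    if (!AllocateAndInitializeSid(&SIDAuth, 2,
        SECURITY_BUILTIN_DOMAIN_RID,
        DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0,
        &pSID)) {
        return 1;
    }

    // Convert the same SID to a string 1000 times across worker threads.
    concurrency::parallel_for(size_t(0), (size_t)1000, [&](size_t i) {
        LPTSTR sidString = NULL;
        if (!ConvertSidToStringSid(pSID, &sidString)) {
            return;
        }
        LocalFree(sidString);
    });

    cout << "test" << endl;
    Sleep(1000);

    FreeSid(pSID);
    return 0;
}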

I tried catching C++ exceptions, but there weren't any; I tried catching a structured exception, but there wasn't one either. There was absolutely nothing going on except my application just ceased to exist. I checked the event logs, but nothing there either.

Then I started running my test program via the shell without a debugger present, and then this started to show up in the application log every time it disappeared.

Image 1

That's when I remembered a blog post from Raymond Chen where he explains how applications mysteriously died after an anti-malware service detoured RPC calls (which Microsoft does not support) and messed up, leading to the application no longer following any expected execution path and just dying. In my case, I already know that exception 0xc0000005 is an access violation, and RPCRT4.dll is the RPC library, and I do have an invasive anti-malware program installed so...

Image 2

Image 3

Which explains everything. The code isn't doing anything wrong. There is no C++ or structured exception to be caught. It's just Symantec, which has wormed its way inside the RPC chain (possibly because it screws up the multithreading itself when it hooks into RPC) and decides that something nefarious is going on and, as a result, just rips the application from existence.
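One way to repeat the triage described above from PowerShell, as an added example that is not part of the original article: it summarises the crash records for one executable by faulting module and exception code, then lists modules in a still-running instance whose version resource does not name Microsoft. It assumes the log entry is the standard "Application Error" record (event ID 1000) with its usual property order, and `SidTest.exe` is a hypothetical name for the test program.

```powershell
param(
    [string]$ExeName = 'SidTest.exe'   # hypothetical name of the test program
)

# Crash records in the Application log: provider "Application Error", event ID 1000.
# Assumed property order: 0 = application name, 3 = faulting module name,
# 6 = exception code, 7 = fault offset, 11 = faulting module path.
$crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties.Count -ge 12 -and $_.Properties[0].Value -ieq $ExeName } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            FaultingModule = $_.Properties[3].Value
            ExceptionCode  = $_.Properties[6].Value
            FaultOffset    = $_.Properties[7].Value
            ModulePath     = $_.Properties[11].Value
        }
    }

# A crash that always lands in the same system DLL with the same code
# (here RPCRT4.dll and c0000005) shows up as one dominant group.
$crashes |
    Group-Object FaultingModule, ExceptionCode |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Modules loaded into a running instance whose version resource does not name
# Microsoft. This reads self-declared metadata; it is not a signature check.
$procName = [IO.Path]::GetFileNameWithoutExtension($ExeName)
Get-Process -Name $procName -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileVersionInfo.CompanyName -notmatch 'Microsoft' } |
    Sort-Object FileName -Unique |
    Format-Table ModuleName,
        @{ Name = 'Company'; Expression = { $_.FileVersionInfo.CompanyName } },
        FileName -AutoSize
```

The module listing needs a live process, so run it while the test program is still inside its final `Sleep` or paused at startup.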

History

  • 7th September, 2022: Initial version

License

This article, along with any associated source code and files, is licensed under The MIT License