
interceptor "STATUS_STACK_BUFFER_OVERRUN"

Open nblog opened this issue 2 years ago • 2 comments

Chrome version: 90.0.4430.93 or the latest version

Injected code:

/* chrome ver: 90.0.4430.93 */

/*
 * Build the lookup table of chrome.dll symbols used by this script.
 *
 * chromium_core: a Frida Module object for chrome.dll; only its `base` is read.
 * Returns an object keyed by class name, then by method name, whose values are
 * NativePointers computed as module base + a fixed offset.
 *
 * NOTE(review): the offset is hard-coded for the build named in the header
 * comment; on any other chrome.dll it resolves to an unrelated address, so the
 * build should be confirmed before the hook is installed.
 */
function chromium_symbol(chromium_core) {
    const CREATE_REQUEST_OFFSET = 0x1AE600;
    const moduleBase = new NativePointer(chromium_core.base);
    const createRequest = moduleBase.add(CREATE_REQUEST_OFFSET);

    const table = {};
    table["net::URLRequestContext"] = {
        "URLRequestContext::CreateRequest": createRequest,
    };
    return table;
}

// Resolve chrome.dll once at script load and derive the symbol table from it.
// Process.getModuleByName throws when the module is not loaded yet
// (Process.findModuleByName is the null-returning variant).
var chromiumCore = Process.getModuleByName("chrome.dll");
var symbol = chromium_symbol(chromiumCore);


/*
 * Hook URLRequestContext::CreateRequest in chrome.dll with empty callbacks.
 * The callbacks do nothing on purpose: this is the minimal repro from the
 * issue, where merely having the hook installed triggers the reported
 * STATUS_STACK_BUFFER_OVERRUN. Reads the module-level `symbol` table.
 *
 * NOTE(review): per the discussion below, the crash is attributed to
 * user-mode shadow stacks (CET) being enforced for the process, which the
 * x86_64 interceptor's return-address redirection is expected to violate.
 */
function trace_chromium_URLRequest() {
    const target = symbol["net::URLRequestContext"]["URLRequestContext::CreateRequest"];
    const callbacks = {
        onEnter: function (args) {
            // intentionally empty
        },
        onLeave: function (retval) {
            // intentionally empty
        }
    };
    Interceptor.attach(target, callbacks);
}


// Install the hook immediately on script load; the exception record below is
// what the reporter observed after this call in a CET-enabled chrome.exe.
trace_chromium_URLRequest();


EXCEPTION_DEBUG_INFO:
           dwFirstChance: 0
           ExceptionCode: C0000409 (STATUS_STACK_BUFFER_OVERRUN)
          ExceptionFlags: 00000001
        ExceptionAddress: 00007FFAE478E666 chrome.00007FFAE478E666
        NumberParameters: 1
ExceptionInformation[00]: 0000000000000039

I have also tried using the "frida-gum" library directly, which causes the same problem.

nblog avatar May 12 '22 08:05 nblog

Windows 10 supports "CET-enforced CFI/shadow stacks"; this causes the x86_64 interceptor scheme to trigger "STATUS_STACK_BUFFER_OVERRUN".

nblog avatar May 24 '22 02:05 nblog

Temporary workaround (PowerShell): `Set-ProcessMitigation -Name chrome.exe -Disable UserShadowStack` — this turns off the user-mode shadow-stack mitigation for chrome.exe, so it is only suitable for a test environment.

nblog avatar May 30 '22 07:05 nblog