UWP app crashes when we try to detect DLL injection

Question

UWP app crashes when we try to detect DLL injection

Rahul K 51

As of now we are not doing any injection but we do have some detection code,
not sure if windows defender is causing any issue.

So, we are getting exception when we run the detection code:
below is the exception:

Faulting module name: ntdll.dll, version: 10.0.19041.928, time stamp: 0x9bed63d6
Exception code: 0x060c201e
Fault offset: 0x00000000000cb3f0
Faulting process id: 0x3e28
Faulting application start time: 0x01d7b654e8bc5eaa

reference:
https://social.msdn.microsoft.com/Forums/vstudio/en-US/44233770-4575-438c-8c40-8489cd7e388f/dll-injection-into-uwp-app-causes-it-to-crash?forum=vcgeneral

Nico Zhu (Shanghai Wicresoft Co,.Ltd.) 12,866 Reputation points

2021-10-08T08:27:46.4+00:00

We have not detection code to reproduce your problem, could you mind share the code that cause the problem?

Rahul K 51

not sure aboubt the erroneous code but we are suspecting the below one.

hModule = GetModuleHandleA(("ntdll.dll"));
    if (hModule != NULL)
    {
        if ((NtQueryInformationThread =
            (NTQUERYINFOMATIONTHREAD)GetProcAddress(hModule, ("NtQueryInformationThread"))))
    .......
    ........

Nico 126 Reputation points

2021-10-11T01:54:38.44+00:00

Could you tell what feature you want to implement with ntdll.dll?
Rahul K 51 Reputation points

2021-10-11T05:42:52.06+00:00

We have a c++ library which is integated to the UWP App.
The c++ library has some detection code with uses APIs from ntdll.
We are suspecting that while loading the ntdll APIs there might be some issue.(This is only our guess)
Currently we are getting "This app cant open" message while trying to open the UWP app.
Nico 126 Reputation points

2021-10-11T07:01:47.607+00:00

Have ntdll.dll worked before?

1 answer

Your answer

Nico Zhu (Shanghai Wicresoft Co,.Ltd.) 12,866 Reputation points

2021-10-08T08:27:46.4+00:00

We have not detection code to reproduce your problem, could you mind share the code that cause the problem?
Rahul K 51 Reputation points

2021-10-08T11:50:49.78+00:00

not sure aboubt the erroneous code but we are suspecting the below one.

hModule = GetModuleHandleA(("ntdll.dll")); if (hModule != NULL) { if ((NtQueryInformationThread = (NTQUERYINFOMATIONTHREAD)GetProcAddress(hModule, ("NtQueryInformationThread")))) ....... ........
Nico 126 Reputation points

2021-10-11T01:54:38.44+00:00

Could you tell what feature you want to implement with ntdll.dll?
Rahul K 51 Reputation points

2021-10-11T05:42:52.06+00:00

We have a c++ library which is integated to the UWP App.
The c++ library has some detection code with uses APIs from ntdll.
We are suspecting that while loading the ntdll APIs there might be some issue.(This is only our guess)
Currently we are getting "This app cant open" message while trying to open the UWP app.
Nico 126 Reputation points

2021-10-11T07:01:47.607+00:00

Have ntdll.dll worked before?

Answer 1

Hello anonymous user-5396

That is a likely explanation, I have experienced same Exception codes when running some specific security softwares, in my case from FSecure, but since the DLL is from Microsoft the statement in your reference link makes complete sense:

"This is done intentionally to prevent DLL injection by malware. I don't think there's a reasonable workaround though. To work your injected DLL must be a part of the UWP package. And if so, the app may not be approved for inclusion into the Windows Store. The last one is just a guess. I'm not a Microsoft employee. Additionally I don't know if it would work cross-UWP-apps either."

I would try to sandbox into a clean and isolated VM (just in case) with all security disabled to see if it can make any change.

Hope this helps with your query,

--If the reply is helpful, please Upvote and Accept as answer--

Share via

UWP app crashes when we try to detect DLL injection

1 answer

Your answer