
Application Crashes without a Trace / No Dumpfile

7 Sep 2022 | MIT | 1 min read
Symantec can cause valid applications to crash and be gone without a trace
When hunting down unexpected application termination, I found Symantec to be the unlikely cause of all the grief. I'll explain how. Should you ever have an unexplainable application close, this may be happening.

Introduction

I was running a test for performing SID translation in a parallel_for loop. Everything worked fine, but about 1 time in 7, my application disappeared without a trace. I looked at possible race conditions but didn't find anything obviously wrong. After an evening of trimming down the code, I reduced the reproduction to this:

C++
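#include <windows.h>
#include <sddl.h>      // ConvertSidToStringSid
#include <ppl.h>       // concurrency::parallel_for
#include <iostream>

using namespace std;

int main()
{
    // Build the well-known BUILTIN\Administrators SID.
    PSID pSID = NULL;
    SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
    if (!AllocateAndInitializeSid(&SIDAuth, 2,
        SECURITY_BUILTIN_DOMAIN_RID,
        DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0,
        &pSID)) {
        return 1;
    }

    // Convert the same SID to its string form from many threads at once.
    concurrency::parallel_for(size_t(0), (size_t)1000, [&](size_t i) {
        LPTSTR sidString = NULL;
        if (!ConvertSidToStringSid(pSID, &sidString)) {
            return;
        }
        LocalFree(sidString);
    });

    cout << "test" << endl;
    Sleep(1000);
    FreeSid(pSID);
    return 0;
}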

I tried catching C++ exceptions, but there weren't any. I tried catching a structured exception, but there wasn't one either. There was absolutely nothing going on except that my application just ceased to exist. I checked the event logs, but there was nothing there either.

Then I started running my test program via the shell without a debugger present, and then this started to show up in the application log every time it disappeared.

Image 1

That's when I remembered a blog post from Raymond Chen where he explains how applications mysteriously died after an anti-malware service detoured RPC calls (which Microsoft does not support) and messed up, leading to the application no longer following any expected execution path and just dying. In my case, I already know that exception 0xc0000005 is an access violation, and RPCRT4.dll is the RPC library, and I do have an invasive anti-malware program installed so...

Image 2

Image 3

Which explains everything. The code isn't doing anything wrong. There is no C++ or structured exception to catch. It's just Symantec, which has wormed its way inside the RPC chain (possibly because it screws up the multithreading itself when it hooks into RPC) and decides that something nefarious is going on and, as a result, just rips the application from existence.
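The triage described above can be scripted. This is an added example, not code from the original article: it pulls the crash records for one executable from the Application log and then lists the non-Microsoft modules loaded into a running instance. `SidTest.exe` is a hypothetical name for the test program, and the property indexes assume the standard "Application Error" event (ID 1000) layout.

```powershell
# Added example. 'SidTest.exe' is a hypothetical name for the test program.
$exe = 'SidTest.exe'

# 1. Crash records: "Application Error" events (ID 1000) in the Application log.
#    Assumed standard layout: [0] application name, [3] faulting module,
#    [6] exception code (hex, no 0x prefix), [7] fault offset.
$crashes = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $exe } |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            FaultModule   = $_.Properties[3].Value
            ExceptionCode = $_.Properties[6].Value
            FaultOffset   = $_.Properties[7].Value
        }
    }

# How often does each module/exception pair occur?
$crashes | Group-Object FaultModule, ExceptionCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# The pattern from the article: access violation (0xc0000005) inside RPCRT4.dll.
$crashes |
    Where-Object { $_.ExceptionCode -eq 'c0000005' -and $_.FaultModule -eq 'RPCRT4.dll' } |
    Format-Table Time, FaultModule, ExceptionCode, FaultOffset

# 2. Modules loaded into a running instance whose version resource does not
#    name Microsoft. DLLs injected by a security product show up here; so does
#    the program's own executable, which normally has no company name.
$name = [IO.Path]::GetFileNameWithoutExtension($exe)
Get-Process -Name $name -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileVersionInfo.CompanyName -notmatch 'Microsoft' } |
    Select-Object ModuleName, FileName,
        @{ Name = 'Company'; Expression = { $_.FileVersionInfo.CompanyName } }
```

The second part only returns results while the process is alive, so run it while the program is still in its final `Sleep` or is held by some other means.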

History

  • 7th September, 2022: Initial version

License

This article, along with any associated source code and files, is licensed under The MIT License


Written By
Software Developer
Belgium
I am a former professional software developer (now a system admin) with an interest in everything that is about making hardware work. In the course of my work, I have programmed device drivers and services on Windows and Linux.

I have written firmware for embedded devices in C and assembly language, and have designed and implemented real-time applications for testing of satellite payload equipment.

Generally, finding out how to interface hardware with software is my hobby and job.
