Author Topic: guard32.dll blocking gdb  (Read 5602 times)

Offline Ditma1

  • Newbie
  • *
  • Posts: 2
guard32.dll blocking gdb
« on: May 15, 2011, 08:19:02 AM »
Hi guys,
first thing to say: I already searched the forum, and the old threads related to my problem do not have any working solution.
My problem is that somehow (since the last Comodo update to v5.4) there is a guard32.dll attached to my application that blocks debugging (just tried gdb) with a SIGSEGV segmentation fault.
The runtime stack at this point looks like this:
Code:
0 ?? C:\Windows\SysWOW64\guard32.dll 0 0x100127c3
1 ?? C:\Windows\SysWOW64\guard32.dll 0 0x10012b02
2 guard32!?Exported@@YAXXZ C:\Windows\SysWOW64\guard32.dll 0 0x100270d2
3 guard32!?Exported@@YAXXZ C:\Windows\SysWOW64\guard32.dll 0 0x1002715e
4 ?? C:\Windows\SysWOW64\guard32.dll 0 0x1000a0ce
5 ?? C:\Windows\SysWOW64\guard32.dll 0 0x1000a176
6 ntdll!RtlEnlargedUnsignedMultiply C:\Windows\system32\ntdll.dll 0 0x77209930
7 ?? 0 0x10000000
8 ntdll!RtlIsNameInExpression C:\Windows\system32\ntdll.dll 0 0x7720d8a9
9 ?? C:\Windows\SysWOW64\guard32.dll 0 0x1000a158
10 ntdll!RtlIsCriticalSectionLocked C:\Windows\system32\ntdll.dll 0 0x7720d76c
11 ?? 0
My system is running Windows 7 x64 (Build: 7601 SP1), all updates installed. Using CIS (5.4.189822.1355) (no other AV program or something like that).
What I already tried:
Uninstalling comodo: debugging works.
Reinstalling comodo: debugging blocked
Added all debugger files to my save files and also added them to Defense+ memory interception (dunno how it's called in the English version): debugging blocked.
Disabled sandbox and permanently disable D+: debugging blocked (this worked for me pre 5.4 CIS)
Disabling windows DEP: debugging blocked

I've read something about unloading guard32.dll, but all those posts were related to Windows XP, and as Windows 7 uses a new way to handle memory I couldn't find a way to unload it.

Thanks all in advance.
Greeting Ditma

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19722
Re: guard32.dll blocking gdb
« Reply #1 on: May 15, 2011, 10:16:08 AM »
This is worth a bug report I would say.

Please consider filing a bug report in the Bug Reports - CIS board following the format as described in FORMAT & GUIDE - just COPY/PASTE it!.

Online mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9927
Re: guard32.dll blocking gdb
« Reply #2 on: May 16, 2011, 06:04:23 AM »
As Eric says probably worth a bug report.

Before you make one, please check you have exempted all necessary files from buffer overflow protection under D+ Settings ~ Execution Control Settings ~ Detect shellcode injections (ie buffer overflow exemptions). This is supposed to exempt from all guard32.dll interactions as well as just shellcode protection. If it doesn't it's a bug or the normal behavior of CIS has been changed without telling us mods :)

More on use of debuggers in this FAQ: here.

Best wishes

Mouse

Offline Ditma1

  • Newbie
  • *
  • Posts: 2
Re: guard32.dll blocking gdb
« Reply #3 on: May 18, 2011, 12:16:30 PM »
Well, I double checked all settings and even tried a few other configurations, and also reinstalled and just configured it as described in the debugger tutorial. Still no debugging.
Thanks for your fast response. I think reporting it as a bug would be the best way to go.

Online mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9927
Re: guard32.dll blocking gdb
« Reply #4 on: May 18, 2011, 12:56:02 PM »
Makes sense to me

Best wishes

Mike

Offline forum.Man

  • Newbie
  • *
  • Posts: 15
Re: guard32.dll blocking gdb
« Reply #5 on: May 23, 2011, 09:07:17 AM »
this issue is still not resolved in 5.4.x

what is most annoying is that these dll's (guard32/64) are injected regardless of the fact that i have D+ disabled and do not use the A/V.

also, as pointed out in another thread, these dll's appear to be useless from a malware attack POV.

my answer is simply to stop them from loading at all - problem solved and GDB works as it should, at least in my case.

on another point of utter uselessness, i can only shake my head and wonder what in the heck the devs were thinking as i watch comodo install itself thrice; once in its program directory, once in a sub-directory of its program directory (???), and then as the msi package in the windows installer.  what in the is the logic behind this when (it appears) all 3 are equally compromisable?  


Edit by EricJH: fixed the url
« Last Edit: May 23, 2011, 10:48:42 AM by EricJH »

Offline Puzzleman

  • Newbie
  • *
  • Posts: 8
Re: guard32.dll blocking gdb
« Reply #6 on: April 17, 2012, 04:09:34 PM »
I want to repeat that this problem still exists, version 5.10.x.
Still this is not fixed? I found reports of this error dating back to 2009 or even 2008, and this is not getting fixed? why??

Online mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9927
Re: guard32.dll blocking gdb
« Reply #7 on: April 18, 2012, 06:16:24 AM »
Have you tried the fixes in this thread: https://forums.comodo.com/defense-sandbox-help-cis/gdb-problem-solved-t47299.0.html ?

Best wishes

Mouse

Offline Puzzleman

  • Newbie
  • *
  • Posts: 8
Re: guard32.dll blocking gdb
« Reply #8 on: April 18, 2012, 09:48:53 AM »
great, this solution works! I didn't come across this thread because I looked for stuff about guard32.dll.

thank you!

Online mouse1

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9927
Re: guard32.dll blocking gdb
« Reply #9 on: April 18, 2012, 10:05:06 AM »
No problem. This and other useful info for developers is cross-referenced in this FAQ: Development tool fixes.

 
