guard32.dll blocking gdb

Hi guys,
first thing to say i already searched the forum and the old theads related to my problem do not have any working solution.
My problem is that somehow (since the last comodo update to v5.4) there is a guard32.dll attached to my applikation that blocks debugging (just tried gdb) with a SIGSEGV segmentation fault.
The runntimestack at this point looks like this:


0	??				C:\Windows\SysWOW64\guard32.dll	0	0x100127c3	
1	?? 				C:\Windows\SysWOW64\guard32.dll	0	0x10012b02	
2	guard32!?Exported@@YAXXZ	C:\Windows\SysWOW64\guard32.dll	0	0x100270d2	
3	guard32!?Exported@@YAXXZ	C:\Windows\SysWOW64\guard32.dll	0	0x1002715e	
4	?? 				C:\Windows\SysWOW64\guard32.dll	0	0x1000a0ce	
5	?? 				C:\Windows\SysWOW64\guard32.dll	0	0x1000a176	
6	ntdll!RtlEnlargedUnsignedMultiply C:\Windows\system32\ntdll.dll	0	0x77209930	
7	??		0	0x10000000	
8	ntdll!RtlIsNameInExpression	C:\Windows\system32\ntdll.dll	0	0x7720d8a9	
9	?? 				C:\Windows\SysWOW64\guard32.dll	0	0x1000a158	
10	ntdll!RtlIsCriticalSectionLocked C:\Windows\system32\ntdll.dll	0	0x7720d76c	
11	??		0		

My system is running windows 7 x64 (Build: 7601 sp1) all updates installed. Using CIS (5.4.189822.1355) (no other av programm or something like)
What i already tried.
Uninstalling comodo: debugging works.
Reinstalling comodo: debugging blocked
added all debugger files to my save files and also added them to defense+ memory interception(dunno how its called in the english version).: debugging blocked.
Disabled sandbox and permanently disable D+: debugging blocked (this worked for me pre 5.4 CIS)
Disabling windows DEP: debugging blocked

I’ve read something about unloading guard32.dll but all those posts were related to windows xp and as windows 7 uses a new way to handle memory i couldnt find some way to unload it.

Thanks all in advance.
Greeting Ditma

This is worth a bug report I would say.

Please consider filing a bug report in the Bug Reports - CIS board following the format as described in FORMAT & GUIDE - just COPY/PASTE it!.

As Eric says probably worth a bug report.

Before you make one, please check you have exempted all necessary files from buffer overflow protection under D+ Settings ~ Execution Control Settings ~ Detect shellcode injections (ie buffer overflow exemptions). This is supposed to exempt from all guard32.dll interactions as well as just shellcode protection. If it doesn’t it’s a bug or the normal behavior of CIS has been changed without telling us mods :slight_smile:

More on use of debuggers in this FAQ: here.

Best wishes

Mouse

Well i double checked all settings and even tried a few other configurations and also reinstalled and just configured it like in the debugger tutorial described. Still no debugging.
Thanks for your fast respone i think reporting it as a bug would be the best way to go.

Makes sense to me

Best wishes

Mike

this issue is still not resolved in 5.4.x

what is most annoying is that these dll’s (guard32/64) are injected regardless of the fact that i have D+ disabled and do not use the A/V.

also, as pointed out in another thread, these dll’s appear to be useless from a malware attack POV.

my answer is simply to stop them from loading at all - problem solved and GDB works as it should, at least in my case.

on another point of utter uselessness, i can only shake my head and wonder what in the heck the devs were thinking as i watch comodo install itself thrice; once in its program directory, once in a sub-directory of its program directory (???), and then as the msi package in the windows installer. what in the is the logic behind this when (it appears) all 3 are equally compromisable?

Edit by EricJH: fixed the url

I want to repeat that this problem still exists, version 5.10.x.
Still this is not fixed? I found reports of this error dating back to 2009 or even 2008, and this is not getting fixed? why??

Have you tried the fixes in this trace: Comodo Forum

Best wishes

Mouse

great, this solution works! I didn’t come across this thread because I looked for stuff about guard32.dll.

thank you!

No problem. This and other useful info for developer is cross referenced in this FAQ: Development tool fixes.