delorie.com/archives/browse.cgi   search  
Mail Archives: cygwin/2012/03/01/17:45:07

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.2 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED,DKIM_VALID,RCVD_IN_DNSWL_LOW,TW_BJ,TW_YG
X-Spam-Check-By: sourceware.org
Message-ID: <4F4FFBD8.1080803@cwilson.fastmail.fm>
Date: Thu, 01 Mar 2012 17:44:40 -0500
From: Charles Wilson <cygwin AT cwilson DOT fastmail DOT fm>
Reply-To: Charles Wilson <cygwin AT cwilson DOT fastmail DOT fm>
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: cygheap base mismatch detected
References: <4F4E7CC8 DOT 9090804 AT cwilson DOT fastmail DOT fm> <20120301105139 DOT GF2257 AT calimero DOT vinschen DOT de> <CAB8Xom9nR9g=R_uzzZM5D+OHZ3wQhkJ+F5tAKBL0xL60iTc9rA AT mail DOT gmail DOT com> <20120301121442 DOT GG2257 AT calimero DOT vinschen DOT de>
In-Reply-To: <20120301121442.GG2257@calimero.vinschen.de>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 3/1/2012 7:14 AM, Corinna Vinschen wrote:
> Hmm.  cygcheck loads the Cygwin DLL dynamically.  It does not depend on
> any other Cygwin distro DLL.  But it's started from a Cygwin parent.  So
> the loaded CYgwin DLL checks the layout just like it had been linked
> against.  And apparently it gets rebased at load time.  Which means to
> me, there's another DLL already loaded into the process at an address
> which overlaps with the address space the Cygwin DLL should have been
> loaded to.
> 
> So I guess you just have to find out what is the cause for rebasing
> the Cygwin DLL.  Try VMMap from sysinternals with a cygcheck -svr piped
> into less, so that you can easily observe the process in vmmap.

It appears to be C:\WINDOWS\SysWOW64\PGHook.dll which is part of Avecto
Privilege Guard (which could certainly be classed as a BLODA IMO; thank
you paranoid corporate IT policies...).

For cygcheck, PGHook.dll gets loaded at its desired image base:

$ objdump -p /c/Windows/syswow64/pghook.dll |grep ImageBase
ImageBase               61100000

So, it appears that for normal cygwin processes, PGHook gets rebased
elsewhere, and cygwin "wins."  For instance, /bin/top.exe -> PGHook gets
loaded at 01FD000, b/c cygwin1.dll is already at 0x61000000.  OTOH,
there's nothing in the cygcheck.exe process that prevents PGHook from
getting its desired base addr -- which then conflicts with cygwin's
desired base addr when it is (later) dynloaded.

Is there some workaround that could be used? It's not as if cygcheck is
really trying to initialize and *use* cygwin1.dll facilities, is it? So,
perhaps cygwin1.dll/dcrt0 could ignore the fact that it has been
rebased, when dynamically loaded? (or perhaps, only when dynloaded by
some app named 'cygcheck.exe').

--
Chuck

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019