Closed Bug 1696571 Opened 4 years ago Closed 3 years ago

Crash in [@ am64-34121.dll | PR_MD_CONNECT | SocketConnect | mozilla::net::NewTCPSocketPair] (Ad Muncher + FortiClient)

Categories

(External Software Affecting Firefox :: Other, defect)

Unspecified
Windows 10
defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/6ce4901a-d76a-4e91-8d1a-f1da70210301

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 am64-34121.dll am64-34121.dll@0x75d0 
1 nss3.dll PR_MD_CONNECT nsprpub/pr/src/md/windows/w95sock.c:163
2 nss3.dll SocketConnect nsprpub/pr/src/io/prsocket.c:273
3 xul.dll mozilla::net::NewTCPSocketPair netwerk/base/PollableEvent.cpp:101
4 xul.dll mozilla::net::PollableEvent::PollableEvent netwerk/base/PollableEvent.cpp:173
5 xul.dll mozilla::net::nsSocketTransportService::Run netwerk/base/nsSocketTransportService2.cpp:1088
6 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1148
7 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:302
8 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:328
9 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:310

This is a weird stack. According to a quick web search, this DLL is for "Ad Muncher 64-bit Hook DLL", so it sounds like this is some ad blocker that tries to hook into the process?

I confirmed the current version of Ad Muncher, downloadable at https://www.admuncher.com/download, has the same version (= 4.73.0.30530) of am64-34121.dll, and I see the hooking behavior. It simply hooks ws2_32!connect, but it works without any crash.

In the crash dumps, interestingly, Ad Muncher's hook function AM64_34121+0x75d0 was also hooked, which caused the read AV.

AM64_34121+0x75d0: (original)
00000001`800075d0 48895c2408      mov     qword ptr [rsp+8],rbx
00000001`800075d5 48896c2418      mov     qword ptr [rsp+18h],rbp
00000001`800075da 56              push    rsi

AM64_34121+0x75d0: (in the crash dumps)
00000001`800075d0 ff25728a5a4e    jmp     qword ptr [00000001`ce5b0048] <<<< crash here due to read AV
00000001`800075d6 896c2418        mov     dword ptr [rsp+18h],ebp
00000001`800075da 56              push    rsi

It seems that Ad Muncher was hooked by another third party. Actually, all dumps with this signature contain AntiExploitCore64.dll, which is part of another third-party application, FortiClient (https://www.forticlient.com/). So having both FortiClient and Ad Muncher at the same time may cause this crash, but I could not confirm that because the latest downloadable FortiClient did not have AntiExploitCore64.dll.
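
Added example, not part of the bug comments or of any Mozilla tooling: a small Python triage check that compares the two byte listings above, reports which prologue bytes were overwritten, and decodes the `FF 25` RIP-relative jump to the pointer slot the crashing read targeted. The function names are hypothetical; the byte strings and the address are copied from the listings.

```python
import struct

# Bytes and address copied from the two disassembly listings in the bug.
BASE = 0x1800075D0
ORIGINAL = bytes.fromhex("48895c2408" "48896c2418" "56")
CRASHED = bytes.fromhex("ff25728a5a4e" "896c2418" "56")


def patched_range(original: bytes, observed: bytes):
    """Return (offset, length) of the span where the bytes differ, or None."""
    diffs = [i for i, (a, b) in enumerate(zip(original, observed)) if a != b]
    if not diffs:
        return None
    return diffs[0], diffs[-1] - diffs[0] + 1


def decode_rip_jmp(code: bytes, address: int):
    """Decode `FF 25 disp32` (jmp qword ptr [rip+disp32]).

    Returns the address of the 8-byte slot that holds the jump target,
    or None when the bytes are not this instruction.
    """
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    (disp,) = struct.unpack_from("<i", code, 2)  # signed 32-bit displacement
    # RIP-relative operands are measured from the end of the 6-byte instruction.
    return (address + 6 + disp) & 0xFFFFFFFFFFFFFFFF


def describe(original: bytes, observed: bytes, address: int) -> dict:
    """Summarise whether the prologue carries an inline jmp hook."""
    span = patched_range(original, observed)
    slot = decode_rip_jmp(observed, address)
    return {
        "hooked": span is not None and slot is not None,
        "patched_bytes": span,   # (offset, length) relative to the function start
        "pointer_slot": slot,    # memory the jmp dereferences
    }


if __name__ == "__main__":
    result = describe(ORIGINAL, CRASHED, BASE)
    print("hooked:", result["hooked"])
    print("patched bytes (offset, length):", result["patched_bytes"])
    print("pointer slot: 0x%x" % result["pointer_slot"])
```

The six patched bytes cover the whole first `mov` (5 bytes) plus the `48` REX.W prefix of the second one, which is why the dump shows `mov dword ptr [rsp+18h],ebp` at +6 instead of the original 64-bit store.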

Crash Signature: [@ am64-34121.dll | PR_MD_CONNECT | SocketConnect | mozilla::net::NewTCPSocketPair] → [@ am64-34121.dll | PR_MD_CONNECT | SocketConnect | mozilla::net::NewTCPSocketPair] [@ am64-34121.dll | PR_MD_CONNECT | SocketConnect | ssl_SecureConnect | ssl_Connect | nsSSLIOLayerConnect] [@ am64-34121.dll | PR_MD_CONNECT | SocketConnect | mozilla::n…
Summary: Crash in [@ am64-34121.dll | PR_MD_CONNECT | SocketConnect | mozilla::net::NewTCPSocketPair] → Crash in [@ am64-34121.dll | PR_MD_CONNECT | SocketConnect | mozilla::net::NewTCPSocketPair] (Ad Muncher + FortiClient)

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME