Jump to content

Deep Behavioral Inspection blocks threads of .NET process after loading a golang DLL


Recommended Posts

Hello,
 
We are building software in .NET that will have to load a DLL written in golang (with cgo).
While doing compatibility testing we discovered that the Deep Behavioral Inspection of
ESET Smart Security Premium will lead to some DLLs being injected into our process and eventually
blocking several threads. This is reproducible with a minimal C# console application that loads an
almost empty DLL written in go. Loading the DLL from the main process thread works in some cases.
Disabling Deep Behavioral Inspection or adding an exclusion for the binary prevents this,
but it's not an option in production.
 
Any help is appreciated! On request, I can provide .NET and golang code, with instructions.
 
Product name: ESET Smart Security Premium
Product version: 14.1.20.0
Operating system: Windows 10 Pro(64-bit)Version 10.0 (Build 19041)
Machine: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz, 65233 MB RAM
 
Main process thread stuck when trying to create other threads:
 
Current frame: ntdll!NtWaitForSingleObject+0x14
Child-SP RetAddr Caller, Callee
0000009a487fdd00 00007ff984906941 ebehmoni+0x16941
0000009a487fdd50 00007ff9848ff30b ebehmoni+0xf30b, calling ebehmoni+0x20c10
0000009a487fdd90 00007ff9848f7a3b ebehmoni+0x7a3b, calling ntdll!NtQueryInformationThread
0000009a487fddc0 00007ff9849060d1 ebehmoni+0x160d1, calling ebehmoni+0xf2d0
0000009a487fde20 00007ff9848f2604 ebehmoni+0x2604, calling ebehmoni+0x9890
0000009a487fdec0 00007ff98492b7b0 ebehmoni+0x3b7b0, calling ebehmoni+0x2540
0000009a487fdf50 00007ff9a6c3516f KERNELBASE!CreateRemoteThreadEx+0x29f, calling ebehmoni+0x3b6d8
0000009a487fe210 00007ff9851672e3 clr!ETW::SamplingLog::SendStackTrace+0x138, calling clr!_security_check_cookie
0000009a487fe230 00007ff9a949e3a9 ntdll!RtlpExtendHeap+0x61, calling ntdll!RtlpInsertFreeBlock
0000009a487fe270 00007ff9848f3c6d ebehmoni+0x3c6d, calling ebehmoni+0x3a10
0000009a487fe2a0 00007ff98490292e ebehmoni+0x1292e, calling ebehmoni+0x207e0
0000009a487fe2c0 00007ff9a94bdf4c ntdll!RtlpAllocateHeap+0xdec, calling ntdll!RtlLeaveCriticalSection
0000009a487fe2e0 00007ff984902823 ebehmoni+0x12823, calling ebehmoni+0x12880
0000009a487fe300 00007ff9a94bb86b ntdll!RtlpLowFragHeapAllocFromContext+0x21b, calling ntdll!RtlpLfhFindClearBitAndSet
0000009a487fe320 00007ff984929b29 ebehmoni+0x39b29, calling ebehmoni+0x127a0
0000009a487fe330 00007ff9848f3478 ebehmoni+0x3478, calling ebehmoni+0x3c20
0000009a487fe390 00007ff9a94e07b0 ntdll!RtlSetLastWin32Error+0x40, calling ntdll!_security_check_cookie
0000009a487fe3e0 00007ff9a6c6234c KERNELBASE!CreateEventW+0x8c, calling ntdll!RtlSetLastWin32Error
0000009a487fe470 00007ff984e27dea clr!CLREventBase::CreateManualEvent+0x3a, calling KERNEL32!CreateEventW
0000009a487fe4a0 00007ff984e280bd clr!Thread::AllocHandles+0x86, calling clr!CLRException::HandlerState::CleanupTry
0000009a487fe4f0 00007ff9a916b5dd KERNEL32!CreateThreadStub+0x3d, calling KERNELBASE!CreateRemoteThreadEx
0000009a487fe500 00007ff984ccf9c7 clr!operator new+0x2f
0000009a487fe540 00007ff984e29370 clr!Thread::CreateNewOSThread+0xb2, calling KERNEL32!CreateThreadStub
0000009a487fe5c0 00007ff984e2925f clr!Thread::CreateNewThread+0x91, calling clr!Thread::CreateNewOSThread
0000009a487fe5e0 00007ff984e17b73 clr!Thread::IncExternalCount+0x77, calling clr!StoreObjectInHandle
0000009a487fe630 00007ff984e17fcc clr!ThreadNative::StartInner+0x2f1, calling clr!Thread::CreateNewThread
0000009a487fe668 00007ff984cc6b53 clr!SafeHandle::DangerousRelease+0x63, calling clr!LazyMachStateCaptureState
0000009a487fe6d0 00007ff98117ca51 (MethodDesc 00007ff980d368c0 +0x151 DomainNeutralILStubClass.IL_STUB_PInvoke(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr)), calling (MethodDesc 00007ff980d13ab8 +0 System.StubHelpers.StubHelpers.SafeHandleRelease(System.Runtime.InteropServices.SafeHandle))
0000009a487fe7b8 00007ff98117c9c8 (MethodDesc 00007ff980d368c0 +0xc8 DomainNeutralILStubClass.IL_STUB_PInvoke(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr))
0000009a487fe800 00007ff984e184f9 clr!ThreadNotStarted+0x19, calling clr!Thread::HasValidThreadHandle
0000009a487fe8a0 00007ff984e17d54 clr!ThreadNative::Start+0x94, calling clr!ThreadNative::StartInner
0000009a487fe8e0 00007ff9810b71fa (MethodDesc 00007ff980d13840 +0x8a System.IO.StreamWriter.Flush(Boolean, Boolean))
0000009a487fe920 00007ff9810bb22b (MethodDesc 00007ff980d0eb60 +0xb System.Threading.Thread.GetDomain()), calling 00007ff984ccadd0 (stub for System.Threading.Thread.GetFastDomainInternal())
0000009a487fe990 00007ff9810a4125 (MethodDesc 00007ff980d03b08 +0x25 System.Runtime.Remoting.Messaging.CallContext.get_Principal()), calling (MethodDesc 00007ff980e4ff00 +0 System.Threading.ExecutionContext+Reader.get_LogicalCallContext())
0000009a487fe9c0 00007ff9810a3e7a (MethodDesc 00007ff980d0e7e8 +0x6a System.Threading.Thread.Start(System.Threading.StackCrawlMark ByRef)), calling (MethodDesc 00007ff980d03b08 +0 System.Runtime.Remoting.Messaging.CallContext.get_Principal())
0000009a487fe9d8 00007ff984e17d23 clr!ThreadNative::Start+0x63, calling clr!LazyMachStateCaptureState
0000009a487fea00 00007ff9810a3dfe (MethodDesc 00007ff980d0e7c8 +0x1e System.Threading.Thread.Start()), calling (MethodDesc 00007ff980d0e7e8 +0 System.Threading.Thread.Start(System.Threading.StackCrawlMark ByRef))

0000009a487fea30 00007ff925760a52 (MethodDesc 00007ff925655a48 +0x1c2 ConsoleWithDll.Program.Main(System.String[])), calling (MethodDesc 00007ff980d0e7c8 +0 System.Threading.Thread.Start())

 

 

Link to comment
Share on other sites

  • Administrators

We have raiesed a ticket for developers. If more data is needed, we'll let you know.

Link to comment
Share on other sites

  • ESET Moderators
1 hour ago, Alex C said:
Any help is appreciated! On request, I can provide .NET and golang code, with instructions.

Hello @Alex C,

please provide us with the code and instructions, we will attempt to reproduce the issue and debug it in-house.

Send me and @Marcos a private message with it and reference to this forum topic.

Thank you, Peter

P_ESSW-12997

Link to comment
Share on other sites

The Go programming language is the "current rage" among malware developers. Glad to see Eset DBI injecting the hell out of those apps.

Link to comment
Share on other sites

  • 3 weeks later...
  • ESET Moderators

Hello @Alex C,

the development team looked into it and opened a bug report for it so I guess an in-depth analysis of it will be required...

Peter

P_ESSW-13088

Link to comment
Share on other sites

  • 4 weeks later...
  • ESET Moderators

Hello @Alex C,

 

the issue should be resolved in new Deep behavioral inspection support module 1115

btw. the issue seems to be on the Go side https://github.com/golang/go/issues/41075 , but will be fixed by the module update on our side.

 

Peter on behalf of he team responsible

Link to comment
Share on other sites

Thank you for the fix and for mentioning the root cause! Seems like we'll need to update our compiler just to be sure it won't cause other issues.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...