Alex C 0 Posted May 7, 2021 Share Posted May 7, 2021 Hello, We are building software in .NET that will have to load a DLL written in golang (with cgo). While doing compatibility testing we discovered that the Deep Behavioral Inspection of ESET Smart Security Premium will lead to some DLLs being injected into our process and eventually blocking several threads. This is reproducible with a minimal C# console application that loads an almost empty DLL written in go. Loading the DLL from the main process thread works in some cases. Disabling Deep Behavioral Inspection or adding an exclusion for the binary prevents this, but it's not an option in production. Any help is appreciated! On request, I can provide .NET and golang code, with instructions. Product name: ESET Smart Security Premium Product version: 14.1.20.0 Operating system: Windows 10 Pro(64-bit)Version 10.0 (Build 19041) Machine: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz, 65233 MB RAM Main process thread stuck when trying to create other threads: Current frame: ntdll!NtWaitForSingleObject+0x14 Child-SP RetAddr Caller, Callee 0000009a487fdd00 00007ff984906941 ebehmoni+0x16941 0000009a487fdd50 00007ff9848ff30b ebehmoni+0xf30b, calling ebehmoni+0x20c10 0000009a487fdd90 00007ff9848f7a3b ebehmoni+0x7a3b, calling ntdll!NtQueryInformationThread 0000009a487fddc0 00007ff9849060d1 ebehmoni+0x160d1, calling ebehmoni+0xf2d0 0000009a487fde20 00007ff9848f2604 ebehmoni+0x2604, calling ebehmoni+0x9890 0000009a487fdec0 00007ff98492b7b0 ebehmoni+0x3b7b0, calling ebehmoni+0x2540 0000009a487fdf50 00007ff9a6c3516f KERNELBASE!CreateRemoteThreadEx+0x29f, calling ebehmoni+0x3b6d8 0000009a487fe210 00007ff9851672e3 clr!ETW::SamplingLog::SendStackTrace+0x138, calling clr!_security_check_cookie 0000009a487fe230 00007ff9a949e3a9 ntdll!RtlpExtendHeap+0x61, calling ntdll!RtlpInsertFreeBlock 0000009a487fe270 00007ff9848f3c6d ebehmoni+0x3c6d, calling ebehmoni+0x3a10 0000009a487fe2a0 00007ff98490292e ebehmoni+0x1292e, calling ebehmoni+0x207e0 0000009a487fe2c0 00007ff9a94bdf4c ntdll!RtlpAllocateHeap+0xdec, calling ntdll!RtlLeaveCriticalSection 0000009a487fe2e0 00007ff984902823 ebehmoni+0x12823, calling ebehmoni+0x12880 0000009a487fe300 00007ff9a94bb86b ntdll!RtlpLowFragHeapAllocFromContext+0x21b, calling ntdll!RtlpLfhFindClearBitAndSet 0000009a487fe320 00007ff984929b29 ebehmoni+0x39b29, calling ebehmoni+0x127a0 0000009a487fe330 00007ff9848f3478 ebehmoni+0x3478, calling ebehmoni+0x3c20 0000009a487fe390 00007ff9a94e07b0 ntdll!RtlSetLastWin32Error+0x40, calling ntdll!_security_check_cookie 0000009a487fe3e0 00007ff9a6c6234c KERNELBASE!CreateEventW+0x8c, calling ntdll!RtlSetLastWin32Error 0000009a487fe470 00007ff984e27dea clr!CLREventBase::CreateManualEvent+0x3a, calling KERNEL32!CreateEventW 0000009a487fe4a0 00007ff984e280bd clr!Thread::AllocHandles+0x86, calling clr!CLRException::HandlerState::CleanupTry 0000009a487fe4f0 00007ff9a916b5dd KERNEL32!CreateThreadStub+0x3d, calling KERNELBASE!CreateRemoteThreadEx 0000009a487fe500 00007ff984ccf9c7 clr!operator new+0x2f 0000009a487fe540 00007ff984e29370 clr!Thread::CreateNewOSThread+0xb2, calling KERNEL32!CreateThreadStub 0000009a487fe5c0 00007ff984e2925f clr!Thread::CreateNewThread+0x91, calling clr!Thread::CreateNewOSThread 0000009a487fe5e0 00007ff984e17b73 clr!Thread::IncExternalCount+0x77, calling clr!StoreObjectInHandle 0000009a487fe630 00007ff984e17fcc clr!ThreadNative::StartInner+0x2f1, calling clr!Thread::CreateNewThread 0000009a487fe668 00007ff984cc6b53 clr!SafeHandle::DangerousRelease+0x63, calling clr!LazyMachStateCaptureState 0000009a487fe6d0 00007ff98117ca51 (MethodDesc 00007ff980d368c0 +0x151 DomainNeutralILStubClass.IL_STUB_PInvoke(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr)), calling (MethodDesc 00007ff980d13ab8 +0 System.StubHelpers.StubHelpers.SafeHandleRelease(System.Runtime.InteropServices.SafeHandle)) 0000009a487fe7b8 00007ff98117c9c8 (MethodDesc 00007ff980d368c0 +0xc8 DomainNeutralILStubClass.IL_STUB_PInvoke(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr)) 0000009a487fe800 00007ff984e184f9 clr!ThreadNotStarted+0x19, calling clr!Thread::HasValidThreadHandle 0000009a487fe8a0 00007ff984e17d54 clr!ThreadNative::Start+0x94, calling clr!ThreadNative::StartInner 0000009a487fe8e0 00007ff9810b71fa (MethodDesc 00007ff980d13840 +0x8a System.IO.StreamWriter.Flush(Boolean, Boolean)) 0000009a487fe920 00007ff9810bb22b (MethodDesc 00007ff980d0eb60 +0xb System.Threading.Thread.GetDomain()), calling 00007ff984ccadd0 (stub for System.Threading.Thread.GetFastDomainInternal()) 0000009a487fe990 00007ff9810a4125 (MethodDesc 00007ff980d03b08 +0x25 System.Runtime.Remoting.Messaging.CallContext.get_Principal()), calling (MethodDesc 00007ff980e4ff00 +0 System.Threading.ExecutionContext+Reader.get_LogicalCallContext()) 0000009a487fe9c0 00007ff9810a3e7a (MethodDesc 00007ff980d0e7e8 +0x6a System.Threading.Thread.Start(System.Threading.StackCrawlMark ByRef)), calling (MethodDesc 00007ff980d03b08 +0 System.Runtime.Remoting.Messaging.CallContext.get_Principal()) 0000009a487fe9d8 00007ff984e17d23 clr!ThreadNative::Start+0x63, calling clr!LazyMachStateCaptureState 0000009a487fea00 00007ff9810a3dfe (MethodDesc 00007ff980d0e7c8 +0x1e System.Threading.Thread.Start()), calling (MethodDesc 00007ff980d0e7e8 +0 System.Threading.Thread.Start(System.Threading.StackCrawlMark ByRef)) 0000009a487fea30 00007ff925760a52 (MethodDesc 00007ff925655a48 +0x1c2 ConsoleWithDll.Program.Main(System.String[])), calling (MethodDesc 00007ff980d0e7c8 +0 System.Threading.Thread.Start()) Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted May 7, 2021 Administrators Share Posted May 7, 2021 We have raiesed a ticket for developers. If more data is needed, we'll let you know. Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted May 7, 2021 ESET Moderators Share Posted May 7, 2021 1 hour ago, Alex C said: Any help is appreciated! On request, I can provide .NET and golang code, with instructions. Hello @Alex C, please provide us with the code and instructions, we will attempt to reproduce the issue and debug it in-house. Send me and @Marcos a private message with it and reference to this forum topic. Thank you, Peter P_ESSW-12997 Link to comment Share on other sites More sharing options...
itman 1,659 Posted May 7, 2021 Share Posted May 7, 2021 The Go programming language is the "current rage" among malware developers. Glad to see Eset DBI injecting the hell out of those apps. Link to comment Share on other sites More sharing options...
Alex C 0 Posted May 26, 2021 Author Share Posted May 26, 2021 Hello, any progress on this? Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted May 26, 2021 ESET Moderators Share Posted May 26, 2021 Hello @Alex C, the development team looked into it and opened a bug report for it so I guess an in-depth analysis of it will be required... Peter P_ESSW-13088 Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted June 18, 2021 ESET Moderators Share Posted June 18, 2021 Hello @Alex C, the issue should be resolved in new Deep behavioral inspection support module 1115 btw. the issue seems to be on the Go side https://github.com/golang/go/issues/41075 , but will be fixed by the module update on our side. Peter on behalf of he team responsible Link to comment Share on other sites More sharing options...
Alex C 0 Posted June 18, 2021 Author Share Posted June 18, 2021 Thank you for the fix and for mentioning the root cause! Seems like we'll need to update our compiler just to be sure it won't cause other issues. Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted June 23, 2021 ESET Moderators Share Posted June 23, 2021 Hello @Alex C, you are welcome, credit does to our dev team as the whole analysis was done by them. Keeping thing up to date is for sure recommended... Peter Nightowl 1 Link to comment Share on other sites More sharing options...
Recommended Posts