
Sudo tries to leverage the kernel DLLs before loading them

Open mobilejon opened this issue 1 year ago • 5 comments

Sudo for Windows version

1.0.0

Windows build number

10.0.26100.1742

Other Software

N/A

Steps to reproduce

Using Sudo in CMD or w/e.

I found that, prior to loading ntdll.dll, Sudo is trying to use it, as I found in the stack trace:

image graphic

Expected Behavior

N/A

Actual Behavior

I don't think it's a behavioral issue, but upon debugging and looking at how Sudo works for an upcoming blog, I noticed that it is probably not the right behavior. The issue goes away once ntdll.dll is loaded.

mobilejon avatar Oct 08 '24 17:10 mobilejon

What tool is that?

DHowett avatar Dec 04 '24 20:12 DHowett

What tool is that?

I can't tell what software this is but it's likely a debugging or crash analysis tool.

AvogatoWizardWhisker avatar Dec 05 '24 18:12 AvogatoWizardWhisker

That is procmon

mobilejon avatar Dec 05 '24 18:12 mobilejon

That is procmon

I knew the interface looks so familiar.

AvogatoWizardWhisker avatar Dec 05 '24 19:12 AvogatoWizardWhisker

This is a bug caused by recent security hardening changes to the Process Monitor kernel driver. Try viewing the process start event of any other third party program and they all have the exact same issue.

You'll need to downgrade to an older version or wait for Procmon to include support for virtual handles with SymInitialize.

dmex avatar Jan 16 '25 02:01 dmex