darfink / detour-rs

A cross-platform detour library written in Rust

Process stopped with exit code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN) #36

Open simonsan opened 1 year ago

simonsan commented 1 year ago

When hooking a function call within a binary the process stops with this exit code:

Process stopped with exit code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN)

I read up on this issue here: https://devblogs.microsoft.com/oldnewthing/20190108-00/?p=100655

On functions that the compiler recognizes as subject to buffer overrun problems, the compiler allocates space on the stack before the return address. On function entry, the allocated space is loaded with a security cookie that is computed once at module load. On function exit, and during frame unwinding on 64-bit operating systems, a helper function is called to make sure that the value of the cookie is still the same. A different value indicates that an overwrite of the stack may have occurred. If a different value is detected, the process is terminated.

Can I do something about this with this library or do I need to approach it differently?

e-codes-stuff commented 1 year ago

This is most likely a problem with how you are hooking the function; the stack shouldn't get corrupted unless your function signature is wrong or you are manually breaking something in the hook code. Can you post more details on what you are hooking and what the code looks like?

simonsan commented 1 year ago

@e-codes-stuff Currently the repository is private, can I invite you? Posting code is currently not possible, unfortunately.

e-codes-stuff commented 1 year ago

I would be willing to take a look if invited, but most likely I would say your problem is that you don't have a correct function signature; that will often result in stack corruption.

simonsan commented 1 year ago

Reverse engineered:

```c
// Reverse-engineered declaration; SOCKET and UCHAR are Windows types.
#include <winsock2.h>

void CANDIDATE_6(void *ssl_struct, SOCKET socket, UCHAR *plaintext_buffer, int plaintext_buffer_length,
                 int *sent_size);
```

```rust
// detour
use std::os::raw::{c_char, c_int, c_void};

use detour::static_detour;

// SOCKET comes from the Windows bindings in use (UINT_PTR on Windows).
static_detour! {
    // The declared type must match the target's ABI exactly: `extern "system"`
    // for the calling convention, no return type for a C `void` function
    // (not `-> c_void`), and `*mut c_int` for the `int *sent_size` out-parameter.
    pub(crate) static SendHook: unsafe extern "system" fn(
        *const c_void,
        SOCKET,
        *const c_char,
        c_int,
        *mut c_int
    );
}
```