Develop Reference

Injecting `large` shellcode into a Windows process

Trying to determine the amount of executable free space within a process.
For example, the chrome.exe process with its loaded DLL's has 236,105 bytes available.
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ---> Free space: 331 bytes
C:\WINDOWS\SYSTEM32\ntdll.dll ---> Free space: 818 bytes
C:\WINDOWS\System32\KERNEL32.DLL ---> Free space: 4067 bytes
C:\WINDOWS\System32\KERNELBASE.dll ---> Free space: 2951 bytes
C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\chrome_elf.dll ---> Free space: 318 bytes
C:\WINDOWS\SYSTEM32\VERSION.dll ---> Free space: 1456 bytes
C:\WINDOWS\System32\msvcrt.dll ---> Free space: 2513 bytes
C:\WINDOWS\System32\ADVAPI32.dll ---> Free space: 153 bytes
C:\WINDOWS\System32\sechost.dll ---> Free space: 979 bytes
C:\WINDOWS\System32\RPCRT4.dll ---> Free space: 1397 bytes
C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL ---> Free space: 1789 bytes
C:\WINDOWS\System32\bcryptPrimitives.dll ---> Free space: 2612 bytes
C:\WINDOWS\system32\ntmarta.dll ---> Free space: 416 bytes
C:\WINDOWS\System32\ucrtbase.dll ---> Free space: 2715 bytes
C:\WINDOWS\System32\SHELL32.dll ---> Free space: 2011 bytes
C:\WINDOWS\System32\msvcp_win.dll ---> Free space: 382 bytes
C:\WINDOWS\System32\USER32.dll ---> Free space: 1754 bytes
C:\WINDOWS\System32\win32u.dll ---> Free space: 1450 bytes
C:\WINDOWS\System32\GDI32.dll ---> Free space: 3799 bytes
C:\WINDOWS\System32\gdi32full.dll ---> Free space: 2442 bytes
C:\WINDOWS\System32\IMM32.DLL ---> Free space: 3066 bytes
C:\WINDOWS\SYSTEM32\windows.storage.dll ---> Free space: 1507 bytes
C:\WINDOWS\System32\combase.dll ---> Free space: 2548 bytes
C:\WINDOWS\SYSTEM32\wintypes.dll ---> Free space: 3462 bytes
C:\WINDOWS\System32\SHCORE.dll ---> Free space: 1390 bytes
C:\WINDOWS\System32\shlwapi.dll ---> Free space: 3171 bytes
C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\chrome.dll ---> Free space: 112 bytes
C:\WINDOWS\System32\OLEAUT32.dll ---> Free space: 2177 bytes
C:\WINDOWS\System32\WS2_32.dll ---> Free space: 1488 bytes
C:\WINDOWS\System32\WINTRUST.dll ---> Free space: 3277 bytes
C:\WINDOWS\System32\CRYPT32.dll ---> Free space: 2225 bytes
C:\WINDOWS\SYSTEM32\WINMM.dll ---> Free space: 345 bytes
C:\WINDOWS\SYSTEM32\dbghelp.dll ---> Free space: 1112 bytes
C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL ---> Free space: 1915 bytes
C:\WINDOWS\SYSTEM32\USERENV.dll ---> Free space: 3232 bytes
C:\WINDOWS\SYSTEM32\Secur32.dll ---> Free space: 3651 bytes
C:\WINDOWS\SYSTEM32\UIAutomationCore.DLL ---> Free space: 1286 bytes
C:\WINDOWS\SYSTEM32\WINHTTP.dll ---> Free space: 2313 bytes
C:\WINDOWS\SYSTEM32\DWrite.dll ---> Free space: 2475 bytes
C:\WINDOWS\SYSTEM32\WINSPOOL.DRV ---> Free space: 982 bytes
C:\WINDOWS\SYSTEM32\dhcpcsvc.DLL ---> Free space: 2241 bytes
C:\WINDOWS\SYSTEM32\SSPICLI.DLL ---> Free space: 3889 bytes
C:\WINDOWS\System32\MSASN1.dll ---> Free space: 1607 bytes
C:\WINDOWS\system32\uxtheme.dll ---> Free space: 2272 bytes
C:\WINDOWS\SYSTEM32\gpapi.dll ---> Free space: 77 bytes
C:\WINDOWS\SYSTEM32\wkscli.dll ---> Free space: 3885 bytes
C:\WINDOWS\SYSTEM32\netutils.dll ---> Free space: 1998 bytes
C:\WINDOWS\System32\profapi.dll ---> Free space: 2005 bytes
C:\WINDOWS\System32\ole32.dll ---> Free space: 3835 bytes
C:\WINDOWS\SYSTEM32\kernel.appcore.dll ---> Free space: 3242 bytes
C:\WINDOWS\System32\MSCTF.dll ---> Free space: 831 bytes
C:\WINDOWS\SYSTEM32\powrprof.dll ---> Free space: 516 bytes
C:\WINDOWS\SYSTEM32\UMPDC.dll ---> Free space: 2732 bytes
C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22621.608_none_a9444ca7c10bb01d\COMCTL32.dll ---> Free space: 906 bytes
C:\WINDOWS\System32\DPAPI.dll ---> Free space: 2906 bytes
C:\WINDOWS\system32\nlansp_c.dll ---> Free space: 3021 bytes
C:\WINDOWS\System32\NSI.dll ---> Free space: 522 bytes
C:\WINDOWS\SYSTEM32\dhcpcsvc6.DLL ---> Free space: 950 bytes
C:\WINDOWS\SYSTEM32\DNSAPI.dll ---> Free space: 4070 bytes
C:\WINDOWS\System32\clbcatq.dll ---> Free space: 2980 bytes
C:\WINDOWS\SYSTEM32\textinputframework.dll ---> Free space: 2081 bytes
C:\Windows\System32\Windows.UI.dll ---> Free space: 2690 bytes
C:\WINDOWS\SYSTEM32\WTSAPI32.dll ---> Free space: 3071 bytes
C:\WINDOWS\SYSTEM32\mscms.dll ---> Free space: 176 bytes
C:\WINDOWS\SYSTEM32\WINSTA.dll ---> Free space: 3879 bytes
C:\WINDOWS\System32\SETUPAPI.dll ---> Free space: 1656 bytes
C:\WINDOWS\SYSTEM32\DEVOBJ.dll ---> Free space: 1043 bytes
C:\WINDOWS\SYSTEM32\cfgmgr32.dll ---> Free space: 2106 bytes
C:\WINDOWS\System32\MMDevApi.dll ---> Free space: 152 bytes
C:\Windows\System32\wpnapps.dll ---> Free space: 1320 bytes
C:\Windows\System32\OneCoreUAPCommonProxyStub.dll ---> Free space: 147 bytes
C:\Windows\System32\FirewallAPI.dll ---> Free space: 3741 bytes
C:\Windows\System32\fwbase.dll ---> Free space: 3686 bytes
C:\WINDOWS\SYSTEM32\PROPSYS.dll ---> Free space: 502 bytes
C:\WINDOWS\SYSTEM32\LINKINFO.dll ---> Free space: 1837 bytes
C:\WINDOWS\system32\twinapi.dll ---> Free space: 406 bytes
C:\WINDOWS\system32\dataexchange.dll ---> Free space: 1487 bytes
C:\WINDOWS\system32\twinapi.appcore.dll ---> Free space: 1915 bytes
C:\WINDOWS\SYSTEM32\dwmapi.dll ---> Free space: 2035 bytes
C:\Windows\System32\Windows.Media.dll ---> Free space: 3790 bytes
C:\WINDOWS\SYSTEM32\atlthunk.dll ---> Free space: 1317 bytes
C:\WINDOWS\SYSTEM32\OLEACC.dll ---> Free space: 1106 bytes
C:\WINDOWS\system32\directmanipulation.dll ---> Free space: 2731 bytes
C:\WINDOWS\SYSTEM32\CoreMessaging.dll ---> Free space: 655 bytes
C:\WINDOWS\SYSTEM32\CoreUIComponents.dll ---> Free space: 125 bytes
C:\WINDOWS\System32\CRYPTSP.dll ---> Free space: 1636 bytes
C:\WINDOWS\system32\rsaenh.dll ---> Free space: 4062 bytes
C:\Windows\System32\Windows.System.Launcher.dll ---> Free space: 786 bytes
C:\Windows\System32\msvcp110_win.dll ---> Free space: 580 bytes
C:\WINDOWS\SYSTEM32\windows.staterepositorycore.dll ---> Free space: 902 bytes
C:\WINDOWS\system32\explorerframe.dll ---> Free space: 74 bytes
C:\WINDOWS\system32\mswsock.dll ---> Free space: 2290 bytes
C:\WINDOWS\SYSTEM32\sxs.dll ---> Free space: 2578 bytes
C:\WINDOWS\SYSTEM32\wlanapi.dll ---> Free space: 405 bytes
C:\WINDOWS\SYSTEM32\MobileNetworking.dll ---> Free space: 3530 bytes
C:\Windows\System32\Windows.Devices.Radios.dll ---> Free space: 1869 bytes
C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\optimization_guide_internal.dll ---> Free space: 287 bytes
C:\Windows\System32\DevDispItemProvider.dll ---> Free space: 2760 bytes
C:\WINDOWS\SYSTEM32\ncrypt.dll ---> Free space: 3045 bytes
C:\WINDOWS\SYSTEM32\NTASN1.dll ---> Free space: 3067 bytes
C:\WINDOWS\SYSTEM32\bcrypt.dll ---> Free space: 1319 bytes
C:\WINDOWS\system32\PCPKsp.dll ---> Free space: 951 bytes
C:\WINDOWS\SYSTEM32\tbs.dll ---> Free space: 2259 bytes
C:\WINDOWS\System32\Speech\Common\sapi.dll ---> Free space: 3428 bytes
C:\WINDOWS\System32\WTDSENSOR.dll ---> Free space: 1488 bytes
C:\Windows\System32\Windows.Media.MediaControl.dll ---> Free space: 2711 bytes
C:\WINDOWS\system32\windowscodecs.dll ---> Free space: 1830 bytes
C:\WINDOWS\SYSTEM32\edputil.dll ---> Free space: 3234 bytes
C:\Windows\System32\Windows.Security.Credentials.UI.UserConsentVerifier.dll ---> Free space: 804 bytes
C:\Windows\System32\cryptngc.dll ---> Free space: 1633 bytes
C:\WINDOWS\SYSTEM32\apphelp.dll ---> Free space: 3107 bytes
C:\WINDOWS\system32\NetworkExplorer.dll ---> Free space: 3241 bytes
C:\WINDOWS\SYSTEM32\ntshrui.dll ---> Free space: 1964 bytes
C:\WINDOWS\SYSTEM32\srvcli.dll ---> Free space: 2209 bytes
C:\WINDOWS\SYSTEM32\cscapi.dll ---> Free space: 1654 bytes
C:\WINDOWS\SYSTEM32\policymanager.dll ---> Free space: 1842 bytes
C:\Windows\System32\TaskFlowDataEngine.dll ---> Free space: 112 bytes
C:\Windows\System32\MsSpellCheckingFacility.dll ---> Free space: 1077 bytes
C:\Windows\System32\Bcp47Langs.dll ---> Free space: 1964 bytes
C:\Windows\System32\Windows.Devices.Sensors.dll ---> Free space: 1652 bytes
C:\Windows\System32\BiWinrt.dll ---> Free space: 706 bytes
C:\Windows\System32\BitsProxy.dll ---> Free space: 2131 bytes
C:\WINDOWS\SYSTEM32\webauthn.dll ---> Free space: 2692 bytes
Total Free Space: 236105 bytes
The output was produced by this code
#include <windows.h>
#include <psapi.h>
#include <tchar.h>
#include <stdio.h>
#include <intrin.h>
#include <math.h>
int total_free_space = 0;
int ModuleFreeSpace(const char* file_path) {
HANDLE hFile = CreateFileA(file_path, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("Could not open file %s\n", file_path);
return 1;
}
HANDLE hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (hFileMapping == NULL) {
printf("Could not create file mapping for %s\n", file_path);
CloseHandle(hFile);
return 1;
}
LPVOID lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
if (lpFileBase == NULL) {
printf("Could not map view of file for %s\n", file_path);
CloseHandle(hFileMapping);
CloseHandle(hFile);
return 1;
}
PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)lpFileBase;
PIMAGE_NT_HEADERS nt_headers = (PIMAGE_NT_HEADERS)((LPBYTE)lpFileBase + dos_header->e_lfanew);
PIMAGE_SECTION_HEADER section_header = IMAGE_FIRST_SECTION(nt_headers);
for (int i = 0; i < nt_headers->FileHeader.NumberOfSections; i++, section_header++) {
if (strcmp((char*)section_header->Name, ".text") == 0) {
DWORD section_size = section_header->Misc.VirtualSize;
DWORD section_used_space = section_header->SizeOfRawData;
DWORD section_free_space = section_size - section_used_space;
total_free_space += abs((int)section_free_space);
printf("Free space: %d bytes\n", abs((int)section_free_space));
//LPVOID start_address = (LPVOID)((LPBYTE)lpFileBase + section_header->VirtualAddress + section_used_space);
//printf("Start address of free space: %p\n", start_address);
break;
}
}
UnmapViewOfFile(lpFileBase);
CloseHandle(hFileMapping);
CloseHandle(hFile);
}
void ListProcessModules(DWORD dwPID) {
HMODULE hMods[1024];
HANDLE hProcess;
DWORD cbNeeded;
unsigned int i;
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, dwPID);
if (NULL == hProcess) {
_tprintf(TEXT("\n[ERROR] Could not open process (pid: %d)\n"), dwPID);
return;
}
if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded)) {
for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++) {
CHAR szModName[MAX_PATH];
if (GetModuleFileNameExA(hProcess, hMods[i], szModName,
sizeof(szModName) / sizeof(CHAR))) {
printf("%s ---> ", szModName);
ModuleFreeSpace(szModName);
}
}
}
CloseHandle(hProcess);
}
int main(int argc, char* argv[]) {
// Get the target PID
if (argc < 2) {
printf("Usage: %s <target PID>\n", argv[0]);
return 1;
}
DWORD targetPID = atoi(argv[1]);
ListProcessModules(targetPID);
printf("Total Free Space: %d bytes\n", total_free_space);
return 0;
}
Question
Is it possible to inject large shellcode into a process using some kind of jump/call chaining between these various executable free spaces in memory?

How to extract USB device type and its drive letter from ETW

So I'm writing a simple ETW logger to provide a trigger-event state machine to wake up whenever a new USB device is connected. Using microsoft's Messages analyzer I managed to trace and receive USB "new usb device information" traces using the following filter Microsoft_Windows_USB_USBHUB3.Summary == "New USB Device Information"
However, after examining the packet, there is no way for me to differentiate between USB mass storage devices and other USB devices(camera?)
Available values from the trace:
Name Value Bit Offset Bit Length Type
pointerValue 132972247379928 64 64 UInt64
Fid_HubDevice 0x000078F011FC3CC8 0 64 Etw.EtwPointer
pointerValue 132972489227464 0 64 UInt64
Fid_UsbDevice 0x000078F00391EFD8 64 64 Etw.EtwPointer
Fid_PortNumber 1 128 32 UInt32
Fid_DeviceDescription USB Mass Storage Device 160 384 String
Fid_DeviceInterfacePath \??\USB#VID_0781&PID_5567#200602669107DD62F0E0#{a5dcbf10-6530-11d2-901f-00c04fb951ed} 544 1376 String
Fid_DeviceDescriptor fid_DeviceDescriptor{Fid_bLength=18,Fid_bDescriptorType=1,Fid_bcdUSB=512,Fid_bDeviceClass=0,Fid_bDeviceSubClass=0,Fid_bDeviceProtocol=0,Fid_bMaxPacketSize0=64,Fid_idVendor=1921,Fid_idProduct=21863,Fid_bcdDevice=295,Fid_iManufacturer=1,Fid_iProduct=2,Fid_iSerialNumber=3,Fid_bNumConfigurations=1} 1920 144 Microsoft_Windows_USB_USBHUB3.fid_DeviceDescriptor
Fid_bLength 18 1920 8 Byte
Fid_bDescriptorType 1 1928 8 Byte
Fid_bcdUSB 0x0200 1936 16 UInt16
Fid_bDeviceClass 0 1952 8 Byte
Fid_bDeviceSubClass 0 1960 8 Byte
Fid_bDeviceProtocol 0 1968 8 Byte
Fid_bMaxPacketSize0 64 1976 8 Byte
Fid_idVendor 0x0781 1984 16 UInt16
Fid_idProduct 0x5567 2000 16 UInt16
Fid_bcdDevice 0x0127 2016 16 UInt16
Fid_iManufacturer 1 2032 8 Byte
Fid_iProduct 2 2040 8 Byte
Fid_iSerialNumber 3 2048 8 Byte
Fid_bNumConfigurations 1 2056 8 Byte
Fid_ConfigurationDescriptorLength 0x0020 2064 16 UInt16
Fid_ConfigurationDescriptor [9,2,32,0,1,1,0,128,100,9,4,0,0,2,8,6,80,0,7,5,129,2,0,2,0,7,5,2,2,0,2,1] 2080 256 ArrayValue`1
Fid_PdoName \Device\USBPDO-13 2336 288 String
Fid_Suspended 1 2624 8 Byte
Fid_PortPathDepth 1 2632 32 UInt32
Fid_PortPath [1,0,0,0,0,0] 2664 192 ArrayValue`1
Fid_PciBus 0x00000000 2856 32 UInt32
Fid_PciDevice 0x00000014 2888 32 UInt32
Fid_PciFunction 0x00000000 2920 32 UInt32
Fid_PciVendorId 0x00008086 2952 32 UInt32
Fid_PciDeviceId 0x0000A12F 2984 32 UInt32
Fid_PciRevisionId 0x00000031 3016 32 UInt32
Fid_CurrentWdfPowerDeviceState 0x00000005 3048 32 UInt32
Fid_Usb20LpmStatus 0x00000006 3080 32 UInt32
Fid_ControllerParentBusType ControllerParentBusTypePci 3112 32 MapControllerParentBusType
Fid_AcpiVendorId NULL 3144 40 String
Fid_AcpiDeviceId NULL 3184 40 String
Fid_AcpiRevisionId NULL 3224 40 String
Fid_PortFlagAcpiUpcValid 1 3264 8 Byte
Fid_PortConnectorType 255 3272 8 Byte
Fid_UcmConnectorId 0x0000000000000001 3280 64 UInt64
EtwKeywords Keywords{StandardKeywords=WindowsEtwKeywords{EventlogClassic=False,CorrelationHint=False,AuditSuccess=False,AuditFailure=False,SQM=False,WDIDiag=False,WDIContext=False,Reserved=False},Default=True,USBError=False,IRP=False,Power=False,PnP=True,Performance=False,HeadersBusTrace=False,PartialDataBusTrace=False,FullDataBusTrace=False,StateMachine=False,Enumeration=False,VerifyDriver=False,HWVerifyHost=False,HWVerifyHub=False,HWVerifyDevice=False,Rundown=False,Device=False,Hub=False,Compat=False,ControllerCommand=False,MsMeasures=True} Microsoft_Windows_USB_USBHUB3.Keywords
Limitations:
No strings comparisons
Must use ETW mechanism

Slow booting process after adding mem=16M in boot parameters

My linux-3.0 kernel was panicking saying ERROR: Failed to allocate 0x1000 bytes below 0x0. while booting. So I changed the bootargs and added a boot parameter mem = 16M. Now it boots fine but it takes a lot of time to boot. I have tried with higher mem value also but it does not work. Below are the logs:
`Machine: KZM9D
arm_add_memory: 0 0x40000000 0x1000000
Memory policy: ECC disabled, Data cache writealloc
bootmem_init: max_low=0x266240, max_high=0x266240
<6>Section 8256 and 8250 (node 0)<c> have a circular dependency on usemap and pgdat allocations
<7>On node 0 totalpages: 0
<7>On node 1 totalpages: 0
<7>On node 2 totalpages: 0
<7>On node 3 totalpages: 0
<7>On node 4 totalpages: 0
<7>On node 5 totalpages: 0
<7>On node 6 totalpages: 0
<7>On node 7 totalpages: 0
high_memory: e0000000
Zone PFN ranges:
Normal 0x00040000 -> 0x00041000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00040000 -> 0x00041000
<7>On node 0 totalpages: 4096
<7> Normal zone: 36 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 4060 pages, LIFO batch:0
<6>boottime: reserved memory at 0x40002000 size 0x2000
mm_init_owner
<6>PERCPU: Embedded 8 pages/cpu #c087f000 s9824 r8192 d14752 u32768
<7>pcpu-alloc: s9824 r8192 d14752 u32768 alloc=8*4096
<7>pcpu-alloc: [0] 0 [0] 1
build_all_zonelists
Built 1 zonelists in Node order, mobility grouping on. Total pages: 4060
Policy zone: Normal
page_alloc_init
<5>Kernel command line: console=ttyS1,115200n8 root=/dev/nfs ip=9.8.7.6 nfsroot=1.2.3.7:/tftpboot/arm/ rootwait rw mem=16M
parse_early_param
<6>PID hash table entries: 64 (order: -4, 256 bytes)
<6>Dentry cache hash table entries: 2048 (order: 2, 24576 bytes)
<6>Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
<6>Memory: 16MB = 16MB total
<5>Memory: 7824k/7824k available, 8560k reserved, 0K highmem
<5>Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xffc00000 - 0xffe00000 ( 2 MB)
vmalloc : 0xe0800000 - 0xf0000000 ( 248 MB)
lowmem : 0xc0000000 - 0xe0000000 ( 512 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.text : 0xc0008000 - 0xc0704024 (7153 kB)
.init : 0xc0705000 - 0xc0740660 ( 238 kB)
.data : 0xc0742000 - 0xc078dc18 ( 304 kB)
.bss : 0xc078dc18 - 0xc07f2950 ( 404 kB)
<6>Preemptible hierarchical RCU implementation.
<6>NR_IRQS:374`

Deadlocked in windows filter graph

this is a hard to reproduce bug, but I finally managed to reproduce it. However, I do not have a clear understanding of what might have caused it. I am currently trying to push myself through this bug and figure out the source of error.
Wondering if someone can give me some directions or hints.
My program is deadlocked in the stop function in Directshow Filter graph.
here is the call stack:
ntdll.dll!_ZwDeviceIoControlFile#40() + 0x15 bytes
ntdll.dll!_ZwDeviceIoControlFile#40() + 0x15 bytes
KernelBase.dll!_CreateEventExW#16() + 0x6e bytes
ksproxy.ax!SetState() + 0x3e bytes
ksproxy.ax!Inactive() + 0x3d bytes
ksproxy.ax!CKsOutputPin::Inactive() + 0x1d bytes
ksproxy.ax!CKsProxy::Stop() + 0x59 bytes
quartz.dll!CFilterGraph::Stop() + 0x123f3 bytes
quartz.dll!CFGControl::CImplMediaControl::Stop() + 0x12dba bytes <--- Called into direct show
*cam.dll!UVCCamera::Shutdown() Line 140 + 0x1b bytes C++
cam.dll!anonymous namespace'::closeCamera(unsigned int hCamera) Line 297 C++
cam.dll!anonymous namespace'::CoreThreadFunc(void * data) Line 916 + 0xb bytes C++
kernel32.dll!#BaseThreadInitThunk#12() + 0x12 bytes
ntdll.dll!__RtlUserThreadStart#8() + 0x27 bytes
ntdll.dll!_RtlUserThreadStart#8() + 0x1b bytes*

I may have solved this problem by using the method described at the end of the link below:
http://social.msdn.microsoft.com/Forums/en-US/windowsdirectshowdevelopment/thread/53563921-6398-491c-999c-3bfaa2f218ca/
Now I am getting a different error!

msctf/d3d11 crash on exit()

I have an application using DX11.
The debug build works well. But the release build crash on exit().
The stack:
000007fef697d630()
user32.dll!DispatchHookA() + 0x72 bytes
user32.dll!CallHookWithSEH() + 0x27 bytes
user32.dll!__fnHkINLPMSG() + 0x59 bytes
ntdll.dll!KiUserCallbackDispatcherContinue()
user32.dll!NtUserPeekMessage() + 0xa bytes
user32.dll!PeekMessageW() + 0x89 bytes
msctf.dll!RemovePrivateMessage() + 0x52 bytes
msctf.dll!SYSTHREAD::DestroyMarshalWindow() - 0x1b7a bytes
msctf.dll!TF_UninitThreadSystem() + 0xc4 bytes
msctf.dll!CicFlsCallback() + 0x40 bytes
ntdll.dll!RtlProcessFlsData() + 0x84 bytes
ntdll.dll!LdrShutdownProcess() + 0xa9 bytes
ntdll.dll!RtlExitUserProcess() + 0x90 bytes
msvcr100.dll!doexit(int code=0, int quick=0, int retcaller=0) Line 621 + 0x11 bytes
If I call LoadLibrary("d3d11.dll") before calling exit(), there is no crash.