Summary
After enabling SR71's Process Instrumentation Callback, some target processes exit shortly after launch (ACCESS_VIOLATION). The failure appears tied to how the callback restores execution state and how much work is done while already inside the instrumentation path.
The callback path assumed one PIC return convention, where the previous PC/SP state was available through the expected TEB-backed fields. On this system, the observed callback behavior used a stack-return ABI instead.
Because SR71 restored state using the wrong technique, the callback would return incorrectly. On top of that, logging/IPC or other instrumented operations performed from inside the callback path could trigger recursive instrumentation.
Summary
After enabling SR71's Process Instrumentation Callback, some target processes exit shortly after launch (ACCESS_VIOLATION). The failure appears tied to how the callback restores execution state and how much work is done while already inside the instrumentation path.
The callback path assumed one PIC return convention, where the previous PC/SP state was available through the expected TEB-backed fields. On this system, the observed callback behavior used a stack-return ABI instead.
Because SR71 restored state using the wrong technique, the callback would return incorrectly. On top of that, logging/IPC or other instrumented operations performed from inside the callback path could trigger recursive instrumentation.