Exceptions are arisen and debugger is detached. #14

Open
alexandreborges opened this issue Jan 12, 2018 · 2 comments

@alexandreborges

Chris,

Good morning. How are you?

Almost certainly, it is my mistake because I haven't had enough time for debugging it.

Anyway, here is a little information:

1. Windows 7 x86
2. IDA Pro 6.95
3. I've compiled the plugin by using Visual Studio 2015.
4. The tested files: some executables.

The problem: as soon as the debugging process starts (using Sk3wlDbg, step-by-step instruction), several exceptions (I've tried to pass them back to the application) are raised and the debugger is detached.

I've tested the plugin using several malware samples (including an educational one). Finally, some evidence (related to the educational malware -- the simplest executable that I could find) is attached:

1. Screenshot
2. My compiled plugin version (and its associated PDB file)
3. The idb database of the executable.
4. The executable (educational program).

The last lines of the Output Window are:

found input file C:\Users\AB\Pictures\educational_malware.exe
reading file of 1536 bytes
loadPE32
map_mem_zero(0x401000, 0x402000, 0x7)
Allocated at 0x401000 in map_mem_zero
Copying bytes 0x200:0x400 into block
map_mem_zero(0x402000, 0x403000, 0x3)
Allocated at 0x402000 in map_mem_zero
Copying bytes 0x400:0x600 into block
map_mem_zero(0x30000, 0x130000, 0x7)
Allocated at 0x30000 in map_mem_zero
401000: process Unicorn Process has started (pid=22703)
20AC: The instruction at 0x20ac attempted to execute from unmapped memory -> 000020AC (exc.code b, tid 9130)
20AC: The instruction at 0x20ac attempted to execute from unmapped memory -> 000020AC (exc.code b, tid 9130)
Debugger: detached from process

Unfortunately, the same issue has happened while using its pre-compiled version. Therefore, I must have committed a trivial mistake.

Please, I am sorry for bothering you with it.

Have an amazing day, Chris.

Alexandre.

Evidences.zip

@cseagle
Owner

cseagle commented Mar 14, 2018

Alexandre, for some reason I can't open the zip file. My best guess based on the messages above is that you have stepped into a library function call. sk3wldbg doesn't resolve any imported function addresses, so if you end up stepping into a thunk function, the thunk will load the IAT value rather than the resolved function address. 20AC looks like it's probably an unresolved IAT entry.
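
The failure mode described in the comment above, as an added example that is not part of the thread or of sk3wldbg: until a loader binds it, each IAT slot of a PE32 image holds the RVA of its hint/name entry, so a fault at a small address such as 0x20ac can be checked against the raw IAT values. The image layout, the import directory RVA and the imported symbol below are constructed for illustration, and the function names are hypothetical.

```python
import struct

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at an RVA of the mapped image."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def iat_slots(img, import_dir_rva):
    """Yield (slot_rva, raw_value, dll, symbol) for each IAT slot before binding."""
    desc = import_dir_rva
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name, FirstThunk (five little-endian DWORDs)
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", img, desc)
        if not (oft or name_rva or ft):      # all-zero descriptor ends the table
            return
        dll, slot = cstr(img, name_rva), ft
        while (raw := struct.unpack_from("<I", img, slot)[0]):
            if raw & 0x80000000:             # import by ordinal
                sym = f"#{raw & 0xFFFF}"
            else:                            # RVA of hint/name: 2-byte hint, then name
                sym = cstr(img, raw + 2)
            yield slot, raw, dll, sym
            slot += 4
        desc += 20

def explain_fault(img, import_dir_rva, fault_addr):
    """Return the imports whose unresolved IAT value equals the faulting address."""
    return [(hex(slot), dll, sym)
            for slot, raw, dll, sym in iat_slots(img, import_dir_rva)
            if raw == fault_addr]

def build_sample():
    """Constructed mapped image (not the file from the issue), offsets equal RVAs."""
    img = bytearray(0x3000)
    struct.pack_into("<5I", img, 0x2000, 0x2060, 0, 0, 0x20C0, 0x2080)  # descriptor
    struct.pack_into("<I", img, 0x2060, 0x20AC)   # import lookup table entry
    struct.pack_into("<I", img, 0x2080, 0x20AC)   # IAT slot: same value until bound
    img[0x20AC:0x20AC + 14] = b"\0\0ExitProcess\0"   # hint (0) + symbol name
    img[0x20C0:0x20C0 + 13] = b"kernel32.dll\0"
    return bytes(img)

if __name__ == "__main__":
    # A thunk that jumps through the slot at RVA 0x2080 would land on 0x20ac.
    print(explain_fault(build_sample(), 0x2000, 0x20AC))
```

A non-empty result means the faulting address is an unbound IAT value, so the step went through an import thunk rather than into code belonging to the sample.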

@alexandreborges
Author

Chris,

Good morning. How are you?

Thank you for the reply. Certainly, your answer gave me a clear idea about what's happening.

I hope I can meet you at the next BlackHat conference.

Take care and have an amazing day.

Alexandre.
