Instruction attempted to execute from unmapped memory #26

Open
OevreFlataeker opened this issue Sep 16, 2019 · 3 comments

@OevreFlataeker

I am trying to use the sk3wldbg plugin with IDA Pro 7.2. I could not get it to compile properly with 7.3 and the IDA SDK 7.3.

I built the 64-bit versions of both the unicorn engine and sk3wldbg and installed them in the proper place in the IDA installation directory.

The code I want to emulate is a small part of a Windows Kernel driver subroutine.
Basically the code "mov"s some constants into stack space and then performs some kind of calculation over these values in a loop.
I place the cursor on the first of these instructions and run the debugger and choose "Start from here".

IDA gives me the following errors:

found input file D:\driver.fffffa8001b0e000.sys
reading file of 28672 bytes
loadPE64
map_mem_zero(000000013FB90000, 000000013FB90400, 0x3)
Allocated at 000000013FB90000 in map_mem_zero
Copying bytes 0x0:0x400 into block
map_mem_zero(000000013FB91000, 000000013FB92000, 0x5)
Allocated at 000000013FB91000 in map_mem_zero
Copying bytes 0x1000:0x2000 into block
map_mem_zero(000000013FB92000, 000000013FB93000, 0x1)
Allocated at 000000013FB92000 in map_mem_zero
Copying bytes 0x2000:0x3000 into block
map_mem_zero(000000013FB93000, 000000013FB94000, 0x3)
Allocated at 000000013FB93000 in map_mem_zero
Copying bytes 0x3000:0x4000 into block
map_mem_zero(000000013FB94000, 000000013FB95000, 0x1)
Allocated at 000000013FB94000 in map_mem_zero
Copying bytes 0x4000:0x5000 into block
map_mem_zero(000000013FB95000, 000000013FB96000, 0x5)
Allocated at 000000013FB95000 in map_mem_zero
Copying bytes 0x5000:0x6000 into block
map_mem_zero(000000013FB96000, 000000013FB97000, 0x1)
Allocated at 000000013FB96000 in map_mem_zero
Copying bytes 0x6000:0x7000 into block
map_mem_zero(0000000000030000, 0000000000130000, 0x7)
Allocated at 0000000000030000 in map_mem_zero
map_mem_zero(000000013FB98000, 000000013FC98000, 0x3)
Allocated at 000000013FB98000 in map_mem_zero
PC was not set previously, going with screen EA13FB91000: process driver.fffffa8001b0e000.sys has started (pid=33476)
PDBSRC: loading symbols for 'driver.fffffa8001b0e000.sys'...
PDB: using PDBIDA provider
FFFFF80002690000: The instruction at FFFFF80002690000 attempted to execute from unmapped memory -> FFFFF80002690000 (exc.code b, tid 22773)

What's wrong? Do I need to prepare something before I can start debugging the code?

The same error occurs when I choose to start from the entrypoint.
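A small triage helper for a log like the one above, added here as an example (it is not part of the issue or of sk3wldbg): it lists the regions the loader mapped and checks whether the faulting address lies inside any of them. The sample log is a constructed subset of the quoted lines, and decoding the third `map_mem_zero` argument as Unicorn `UC_PROT_*` bits is an assumption.

```python
import re

# Constructed sample: a subset of the log lines quoted in the issue above.
SAMPLE_LOG = """\
map_mem_zero(000000013FB90000, 000000013FB90400, 0x3)
map_mem_zero(000000013FB91000, 000000013FB92000, 0x5)
map_mem_zero(0000000000030000, 0000000000130000, 0x7)
map_mem_zero(000000013FB98000, 000000013FC98000, 0x3)
FFFFF80002690000: The instruction at FFFFF80002690000 attempted to execute from unmapped memory -> FFFFF80002690000 (exc.code b, tid 22773)
"""

MAP_RE = re.compile(r"map_mem_zero\(([0-9A-Fa-f]+), ([0-9A-Fa-f]+), (0x[0-9A-Fa-f]+)\)")
FAULT_RE = re.compile(r"attempted to execute from unmapped memory -> ([0-9A-Fa-f]+)")


def perms(bits):
    # Assumption: the bits follow Unicorn's UC_PROT_READ=1, WRITE=2, EXEC=4.
    return "".join(ch if bits & flag else "-" for ch, flag in (("r", 1), ("w", 2), ("x", 4)))


def parse_regions(log):
    """Return sorted (start, end, perm_string) tuples; end is exclusive."""
    return sorted((int(s, 16), int(e, 16), perms(int(p, 16)))
                  for s, e, p in MAP_RE.findall(log))


def parse_fault(log):
    """Return the faulting fetch address, or None if the log has no such line."""
    m = FAULT_RE.search(log)
    return int(m.group(1), 16) if m else None


def triage(log):
    """Report whether the faulting address is mapped, executable, and what is nearest."""
    regions, addr = parse_regions(log), parse_fault(log)
    if addr is None or not regions:
        return {"fault": addr, "mapped": False, "executable": False, "nearest": None}
    hit = next((r for r in regions if r[0] <= addr < r[1]), None)
    # Nearest region by distance from the address to either edge of the region.
    nearest = min(regions, key=lambda r: min(abs(addr - r[0]), abs(addr - (r[1] - 1))))
    return {"fault": addr, "mapped": hit is not None,
            "executable": bool(hit and "x" in hit[2]), "nearest": nearest}


if __name__ == "__main__":
    for start, end, p in parse_regions(SAMPLE_LOG):
        print(f"{start:016X}-{end:016X} {p}")
    print(triage(SAMPLE_LOG))
```

On the sample, the fetch address is outside every mapped region, so the emulator was asked to execute at an address the loader never created.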

@OevreFlataeker
Author

I was just playing around and found that if I set RBP to a value well below RSP, or RSP further away from the end of the "stack segment", the emu executed properly. So apparently I need to set up all the registers to a sensible state. Is this an expected manual user action?

@joelreymont

@OevreFlataeker How did you manage to set the register values before running the debugger?

@OevreFlataeker
Author

Sorry, this was more than 3 years ago... I honestly don't remember...
