
Break on a new process entrypoint address

Open Wenzel opened this issue 7 years ago • 6 comments

To be really useful, we need to be able to attach to a new process being created, and break on the entrypoint.

This address should be in the Win32StartAddress field of the ETHREAD.

With the latest progress on the symbols branch:

At KiStartUserThread: mspaint.exe, CR3: 0x655eb000
EPROCESS 0xfffffa80044a4060
ETHREAD 0xfffffa800410e160
Win32StartAddress 0xffcc2eb8

The Win32StartAddress field contains an incomplete/invalid address. Is this an offset?

Next steps:

  • check the value of Win32StartAddress with WinDBG
  • check the value of StartAddress

Wenzel avatar May 17 '18 08:05 Wenzel

The value of Win32StartAddress is correct. The problem is that it's a userland address that is just not mapped yet; therefore, there is no physical frame.

Wenzel avatar May 17 '18 18:05 Wenzel

Solution 1: watch the page tables until the missing page is inserted:

  • translate Win32StartAddress to paddr
  • look what entry is missing
  • watch this entry for modifications

Solution 2:

  • add breakpoint on MmAccessFault
  • step over the call
  • test if our target address is mapped now

Solution 3:

  • find an API in ntdll to break on
  • ntdll!RtlUserThreadStart or ntdll!LdrpInitializeThread
  • break
  • check if our address is mapped now
  • I don't know the address of any ntdll APIs
  • break on NtContinue

Wenzel avatar May 27 '18 15:05 Wenzel
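Solution 1 above amounts to a manual 4-level page-table walk that stops at the first non-present entry and remembers where that entry lives, since that is the physical location a page-table watchpoint has to cover. The following is an added example illustrating that walk; it is not r2vmi code and does not use libvmi's own translation calls. Physical memory is a constructed in-memory image: the CR3 and Win32StartAddress values are copied from the log in the first comment, while every table frame number and the final data frame are made up. On a real guest the `read_qword` method would be replaced by a physical-memory read from the introspection library.

```python
"""
Hand-rolled x86-64 4-level page-table walk that reports which level is not
present for a virtual address, and the physical address of that entry.

Added example for this issue thread, not r2vmi code. The "physical memory"
is a constructed image; only CR3 (0x655eb000) and Win32StartAddress
(0xffcc2eb8) are taken from the log above, all frame numbers are invented.
"""
import struct

PAGE_SIZE = 0x1000
ENTRY_PRESENT = 1 << 0
ENTRY_USER = 1 << 2
ENTRY_LARGE = 1 << 7                 # PS bit: 1 GiB page in PDPT, 2 MiB page in PD
ENTRY_FRAME_MASK = 0x000F_FFFF_FFFF_F000

LEVELS = ("PML4", "PDPT", "PD", "PT")
SHIFTS = (39, 30, 21, 12)


class PhysMem:
    """Sparse physical memory: page frame number -> 4 KiB bytearray."""

    def __init__(self):
        self.frames = {}

    def _frame(self, paddr):
        return self.frames.setdefault(paddr >> 12, bytearray(PAGE_SIZE))

    def read_qword(self, paddr):
        return struct.unpack_from("<Q", self._frame(paddr), paddr & 0xFFF)[0]

    def write_qword(self, paddr, value):
        struct.pack_into("<Q", self._frame(paddr), paddr & 0xFFF, value)


def walk(mem, cr3, vaddr):
    """Translate vaddr under cr3.

    On success returns {"paddr": ..., "level": <level that mapped it>}.
    If an entry is not present, returns {"missing_level": name,
    "entry_paddr": ..., "entry": raw}; entry_paddr is the physical address
    of the non-present entry, i.e. what to watch for a write.
    """
    table = cr3 & ENTRY_FRAME_MASK
    for name, shift in zip(LEVELS, SHIFTS):
        index = (vaddr >> shift) & 0x1FF
        entry_paddr = table + index * 8
        entry = mem.read_qword(entry_paddr)
        if not entry & ENTRY_PRESENT:
            return {"missing_level": name, "entry_paddr": entry_paddr, "entry": entry}
        if name in ("PDPT", "PD") and entry & ENTRY_LARGE:
            # Large page: the remaining low bits of vaddr are the offset.
            mask = (1 << shift) - 1
            base = entry & ENTRY_FRAME_MASK & ~mask
            return {"paddr": base | (vaddr & mask), "level": name}
        table = entry & ENTRY_FRAME_MASK
    return {"paddr": table | (vaddr & 0xFFF), "level": "PT"}


def build_scenario():
    """Constructed image mirroring the issue: PML4, PDPT and PD entries are
    present, the PT entry for Win32StartAddress is still zero (no frame)."""
    mem = PhysMem()
    cr3 = 0x655EB000            # from the log above
    vaddr = 0xFFCC2EB8          # Win32StartAddress from the log above
    pdpt, pd, pt = 0x1000_0000, 0x1000_1000, 0x1000_2000   # invented table frames
    mem.write_qword(cr3 + ((vaddr >> 39) & 0x1FF) * 8, pdpt | ENTRY_PRESENT | ENTRY_USER)
    mem.write_qword(pdpt + ((vaddr >> 30) & 0x1FF) * 8, pd | ENTRY_PRESENT | ENTRY_USER)
    mem.write_qword(pd + ((vaddr >> 21) & 0x1FF) * 8, pt | ENTRY_PRESENT | ENTRY_USER)
    return mem, cr3, vaddr


def demo():
    """Walk before and after the missing PTE gets filled in.

    The second write stands in for the kernel's page-fault path installing
    the frame; a watchpoint on before["entry_paddr"] would fire on it.
    """
    mem, cr3, vaddr = build_scenario()
    before = walk(mem, cr3, vaddr)
    data_frame = 0x2000_5000                                 # invented
    mem.write_qword(before["entry_paddr"], data_frame | ENTRY_PRESENT | ENTRY_USER)
    after = walk(mem, cr3, vaddr)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("missing at %s, entry @ 0x%x" % (before["missing_level"], before["entry_paddr"]))
    print("after fault: paddr 0x%x via %s" % (after["paddr"], after["level"]))
```

Two caveats for the real thing: the non-present entry on a Windows guest is usually not zero but a software PTE (transition, prototype or pagefile-backed), so only the present bit should be tested; and a watch on `entry_paddr` must be re-established if the page directory itself gets swapped out, because the entry's physical address then changes.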

The safe_breakpoint callbacks are not safe yet. There is a moment where the guest is paused, and no event is being reported.

Waiting for events
{'data': {'mem_event': <libvmi.event.MemEvent object at 0x7fb6eab24f98>,
          'symbol': 'MmAccessFault',
          'target_gfn': 10449,
          'target_vaddr': 18446735277659332128},
 'slat_id': 0,
 'type': 'SINGLESTEP',
 'vcpu_id': 0,
 'version': 5,
 'x86_regs': {'rax': '0xfffffa80010d64f0',
              'rip': '0xfffff800028d1c0f',
              'rsp': '0xfffff88002f84420'}}
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events

We need to debug this.

Wenzel avatar May 27 '18 18:05 Wenzel

Another solution would be to find the Windows kernel API responsible for mapping a defined page, and break on it.

Wenzel avatar May 27 '18 18:05 Wenzel

New solution: single-step until ring 3.

The problem is that I'm not receiving single-step events at some point...

Wenzel avatar Jun 05 '18 13:06 Wenzel

Blocked by https://github.com/libvmi/libvmi/issues/636

Wenzel avatar Jun 05 '18 13:06 Wenzel