r2vmi Machine crash

Hi I try set some function(ex : NtWriteFile) as breakpoint After dc, target machine going blue screen What's the reason?

Jan 06 '19 00:01 yguseto

You need to help me here and give me more details

what VM are you trying to introspect ? (r2vmi has only been tested on WIndows XP and Windows 7)
what did you see on r2 output ?

the main reason is that the operating system took the software breakpoint itself, and of course it cannot process it.

the breakpoint should removed and singlestepped (depending where you are) when you hit continue. pay attention to r2's output, i added a lot of debugging messages there, maybe you can find an error, or something went wrong in libvmi.

Jan 06 '19 00:01 Wenzel

R2 output @Wenzel W7 x64

__breakpoint, set: 1, addr: fffff800029e19a0, hw: 0
__write
__continue, sig: 0
__wait
__wait: Listen to VMI events...
cb_on_int3
cb_on_int3: wrong process svchost.exe (0x9e142000)
__write
__wait: Listen to VMI events...
VMI_ERROR: process_singlestep error: no singlestep handler is registered in LibVMI
__wait: Fail to listen to events
__reg_read, type: 0, size:7168
__select
__system: command: pid 0
__reg_read, type: 0, size:7168
__reg_read, type: 0, size:7168
__reg_read, type: 1, size:7168
__reg_read, type: 2, size:7168
__reg_read, type: 3, size:7168
__reg_read, type: 4, size:7168
__reg_read, type: 5, size:7168
__reg_read, type: 6, size:7168
__reg_read, type: 0, size:7168
__reg_read, type: 1, size:7168
__reg_read, type: 2, size:7168
__reg_read, type: 3, size:7168
__reg_read, type: 4, size:7168
__reg_read, type: 5, size:7168
__reg_read, type: 6, size:7168
__read, offset: fffff8000260ef75
__reg_read, type: 0, size:7168
[0xfffff8000260ef75]>

Jan 06 '19 00:01 yguseto

Well, it looks like something went wrong when trying to singlestep on the breakpoint. you should investigate into this. look into the wait implementation of the plugin

Jan 06 '19 01:01 Wenzel

Hi,

I think #38 will solve your problem.

Can you retry with just 1 vcpu ?

Apr 12 '19 12:04 Wenzel