
Exceptions are raised and the debugger is detached.

Open alexandreborges opened this issue 7 years ago • 2 comments

Chris,

Good morning. How are you?

Almost certainly, it is my mistake because I haven't had enough time for debugging it.

Anyway, it follows a little information:

1. Windows 7 x86
2. IDA Pro 6.95
3. I've compiled the plugin using Visual Studio 2015.
4. The tested files: some executables.

The problem: as soon as the debugging process starts (using sk3wldbg, stepping instruction by instruction), several exceptions are raised (I've tried to pass them back to the application) and the debugger is detached.

I've tested the plugin using several malware samples (including an educational one). Finally, a few pieces of evidence (related to the educational malware -- the simplest executable that I could find) are attached:

1. Screenshot
2. My compiled plugin version (and its associated PDB file)
3. The idb database of the executable.
4. The executable (educational program).

Last lines of Output Window are:

found input file C:\Users\AB\Pictures\educational_malware.exe
reading file of 1536 bytes
loadPE32
map_mem_zero(0x401000, 0x402000, 0x7)
Allocated at 0x401000 in map_mem_zero
Copying bytes 0x200:0x400 into block
map_mem_zero(0x402000, 0x403000, 0x3)
Allocated at 0x402000 in map_mem_zero
Copying bytes 0x400:0x600 into block
map_mem_zero(0x30000, 0x130000, 0x7)
Allocated at 0x30000 in map_mem_zero
401000: process Unicorn Process has started (pid=22703)
20AC: The instruction at 0x20ac attempted to execute from unmapped memory -> 000020AC (exc.code b, tid 9130)
20AC: The instruction at 0x20ac attempted to execute from unmapped memory -> 000020AC (exc.code b, tid 9130)
Debugger: detached from process

Unfortunately, the same issue has happened while using its pre-compiled version. Therefore, I must have committed a trivial mistake.

Please, I am sorry for bothering you with it.

Have an amazing day, Chris.

Alexandre.

Evidences.zip

alexandreborges avatar Jan 12 '18 03:01 alexandreborges

Alexandre, for some reason I can't open the zip file, my best guess based on the messages above is that you have stepped into a library function call. sk3wldbg doesn't resolve any imported function address, so if you end up stepping into a thunk function, the thunk will load the IAT value rather than the resolved function address. 20AC looks like it's probably an unresolved IAT entry.

cseagle avatar Mar 14 '18 04:03 cseagle
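The diagnosis above (an unbound IAT slot holding a hint/name RVA, so a `jmp dword ptr [IAT]` thunk transfers control to a small, unmapped address such as 0x20AC) can be checked mechanically. The following is an added example, not part of this issue or of sk3wldbg: it builds a constructed, flat PE32-style image fragment (RVA == offset, no headers) with one import descriptor, walks the descriptor and thunk arrays, flags IAT slots that still equal their INT entry, maps a fault address back to the import it belongs to, and then binds the slots to synthetic stub addresses so the thunk would no longer fault. The image base (0x400000), the RVAs, the DLL and function names and the stub region (0x7F000000) are all constructed for the example.

```python
import struct

IMAGE_BASE = 0x400000  # constructed; typical for a PE32 executable


def build_image():
    """Constructed flat image: RVA == offset. Not a real PE (no headers)."""
    img = bytearray(0x3000)
    # .text thunk at RVA 0x1000: jmp dword ptr [0x402060]  (FF 25 <abs32>)
    img[0x1000:0x1006] = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + 0x2060)
    # IMAGE_IMPORT_BY_NAME entries (u16 hint + NUL-terminated name) and the DLL name
    img[0x20AC:0x20AC + 14] = struct.pack("<H", 0) + b"ExitProcess\0"
    img[0x20BC:0x20BC + 15] = struct.pack("<H", 0) + b"GetStdHandle\0"
    img[0x20D0:0x20D0 + 13] = b"KERNEL32.dll\0"
    # INT (OriginalFirstThunk) at 0x2040 and IAT (FirstThunk) at 0x2060.
    # On disk, and in a loader that does no import resolution, both hold name RVAs.
    for arr in (0x2040, 0x2060):
        img[arr:arr + 12] = struct.pack("<III", 0x20AC, 0x20BC, 0)
    # IMAGE_IMPORT_DESCRIPTOR at 0x2000; the all-zero descriptor after it terminates the array
    img[0x2000:0x2014] = struct.pack("<IIIII", 0x2040, 0, 0, 0x20D0, 0x2060)
    return img


def cstr(img, rva):
    return bytes(img[rva:img.index(b"\0", rva)]).decode("ascii")


def parse_imports(img, desc_rva):
    """Walk PE32 import descriptors; return (dll, iat_rva, int_value, iat_value, name) per slot."""
    out, off = [], desc_rva
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, off)
        if oft == 0 and ft == 0 and name_rva == 0:
            break
        dll = cstr(img, name_rva)
        i = 0
        while True:
            int_val = struct.unpack_from("<I", img, oft + 4 * i)[0]
            if int_val == 0:
                break
            iat_val = struct.unpack_from("<I", img, ft + 4 * i)[0]
            if int_val & 0x80000000:          # import by ordinal
                name = "#%d" % (int_val & 0xFFFF)
            else:                              # skip the 2-byte hint
                name = cstr(img, int_val + 2)
            out.append((dll, ft + 4 * i, int_val, iat_val, name))
            i += 1
        off += 20
    return out


def unresolved_slots(img, desc_rva):
    """IAT slots whose value still equals the INT entry were never bound to code addresses."""
    return [(dll, rva, name) for dll, rva, iv, av, name in parse_imports(img, desc_rva) if av == iv]


def explain_fault(img, desc_rva, fault_addr):
    """Map an 'execute from unmapped memory' address back to the unbound import it came from."""
    for dll, rva, iv, av, name in parse_imports(img, desc_rva):
        if av == iv and fault_addr == av:
            return "0x%X is the unbound IAT value at VA 0x%X (%s!%s)" % (
                fault_addr, IMAGE_BASE + rva, dll, name)
    return None


def thunk_target(img, thunk_rva):
    """Follow a `jmp dword ptr [abs32]` thunk and return where control would go."""
    assert img[thunk_rva:thunk_rva + 2] == b"\xff\x25", "not an FF 25 thunk"
    slot_va = struct.unpack_from("<I", img, thunk_rva + 2)[0]
    return struct.unpack_from("<I", img, slot_va - IMAGE_BASE)[0]


def bind_iat(img, desc_rva, stub_base=0x7F000000):
    """Patch each IAT slot with a distinct synthetic stub address (constructed region)."""
    stubs = {}
    for n, (dll, rva, iv, av, name) in enumerate(parse_imports(img, desc_rva)):
        addr = stub_base + 0x10 * n
        struct.pack_into("<I", img, rva, addr)
        stubs[addr] = (dll, name)
    return stubs


if __name__ == "__main__":
    image = build_image()
    target = thunk_target(image, 0x1000)
    print("thunk jumps to 0x%X" % target)            # 0x20AC, an RVA, not mapped code
    print(explain_fault(image, 0x2000, target))
    bind_iat(image, 0x2000)
    print("after binding: 0x%X" % thunk_target(image, 0x1000))
```

Run stand-alone, the script shows the same symptom as the log in this issue (control transferred to 0x20AC) and names the import responsible; the stub addresses returned by `bind_iat` are what an emulator front-end would map and hook to service the call instead of faulting.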

Chris,

Good morning. How are you?

Thank you for the reply. Certainly, your answer gave me a clear idea about what's happening.

I hope I can meet you in the next BlackHat conference.

Take care and have an amazing day.

Alexandre.

alexandreborges avatar Mar 14 '18 05:03 alexandreborges