
Instruction attempted to execute from unmapped memory

Open OevreFlataeker opened this issue 6 years ago • 3 comments

I try to use the sk3wldbg plugin with IDA Pro 7.2. I could not get it to compile properly with 7.3 and the IDA SDK 7.3.

I built the 64-bit versions both of the unicorn engine and sk3wldbg and installed it at the proper place in the IDA installation directory.

The code I want to emulate is a small part of a Windows Kernel driver subroutine. Basically the code "mov"s some constants into stack space and then performs some kind of calculation over these values in a loop. I place the cursor on the first of these instructions and run the debugger and choose "Start from here".

IDA gives me the following errors:

```
found input file D:\driver.fffffa8001b0e000.sys
reading file of 28672 bytes
loadPE64
map_mem_zero(000000013FB90000, 000000013FB90400, 0x3)
Allocated at 000000013FB90000 in map_mem_zero
Copying bytes 0x0:0x400 into block
map_mem_zero(000000013FB91000, 000000013FB92000, 0x5)
Allocated at 000000013FB91000 in map_mem_zero
Copying bytes 0x1000:0x2000 into block
map_mem_zero(000000013FB92000, 000000013FB93000, 0x1)
Allocated at 000000013FB92000 in map_mem_zero
Copying bytes 0x2000:0x3000 into block
map_mem_zero(000000013FB93000, 000000013FB94000, 0x3)
Allocated at 000000013FB93000 in map_mem_zero
Copying bytes 0x3000:0x4000 into block
map_mem_zero(000000013FB94000, 000000013FB95000, 0x1)
Allocated at 000000013FB94000 in map_mem_zero
Copying bytes 0x4000:0x5000 into block
map_mem_zero(000000013FB95000, 000000013FB96000, 0x5)
Allocated at 000000013FB95000 in map_mem_zero
Copying bytes 0x5000:0x6000 into block
map_mem_zero(000000013FB96000, 000000013FB97000, 0x1)
Allocated at 000000013FB96000 in map_mem_zero
Copying bytes 0x6000:0x7000 into block
map_mem_zero(0000000000030000, 0000000000130000, 0x7)
Allocated at 0000000000030000 in map_mem_zero
map_mem_zero(000000013FB98000, 000000013FC98000, 0x3)
Allocated at 000000013FB98000 in map_mem_zero
PC was not set previously, going with screen EA
13FB91000: process driver.fffffa8001b0e000.sys has started (pid=33476)
PDBSRC: loading symbols for 'driver.fffffa8001b0e000.sys'...
PDB: using PDBIDA provider
FFFFF80002690000: The instruction at FFFFF80002690000 attempted to execute from unmapped memory -> FFFFF80002690000 (exc.code b, tid 22773)
```

What's wrong? Do I need to prepare something before I can start debugging the code?

The same error occurs when I choose to start from the entrypoint.

OevreFlataeker avatar Sep 16 '19 17:09 OevreFlataeker

I was just playing around and found that if I set RBP to a value well below RSP, resp. RSP further away from the end of the "stack segment", the emu executed properly. So apparently I need to set up all the registers to a sensible state. Is this an expected manual user action?

OevreFlataeker avatar Sep 16 '19 18:09 OevreFlataeker
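The two observations above (a fetch from an address that appears in none of the `map_mem_zero` lines, and emulation succeeding once RSP/RBP point into the mapped stack block) can be checked mechanically from the plugin's own output. The script below is an added example, not part of sk3wldbg or of this thread: it parses the `map_mem_zero` lines quoted in the issue into regions, locates the faulting address, and classifies any address (PC, RSP, RBP) as mapped with suitable protection, mapped with the wrong protection, or unmapped. It assumes the third `map_mem_zero` argument uses Unicorn's `UC_PROT_READ/WRITE/EXEC` bit encoding (1/2/4); the register values fed to it in `main` are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed encoding of the protection argument: Unicorn's UC_PROT_* bits.
PROT_READ, PROT_WRITE, PROT_EXEC = 1, 2, 4

# Lines copied from the sk3wldbg output quoted in the issue.
LOG = """\
map_mem_zero(000000013FB90000, 000000013FB90400, 0x3) Allocated at 000000013FB90000 in map_mem_zero
map_mem_zero(000000013FB91000, 000000013FB92000, 0x5) Allocated at 000000013FB91000 in map_mem_zero
map_mem_zero(000000013FB92000, 000000013FB93000, 0x1) Allocated at 000000013FB92000 in map_mem_zero
map_mem_zero(000000013FB93000, 000000013FB94000, 0x3) Allocated at 000000013FB93000 in map_mem_zero
map_mem_zero(000000013FB94000, 000000013FB95000, 0x1) Allocated at 000000013FB94000 in map_mem_zero
map_mem_zero(000000013FB95000, 000000013FB96000, 0x5) Allocated at 000000013FB95000 in map_mem_zero
map_mem_zero(000000013FB96000, 000000013FB97000, 0x1) Allocated at 000000013FB96000 in map_mem_zero
map_mem_zero(0000000000030000, 0000000000130000, 0x7) Allocated at 0000000000030000 in map_mem_zero
map_mem_zero(000000013FB98000, 000000013FC98000, 0x3) Allocated at 000000013FB98000 in map_mem_zero
PC was not set previously, going with screen EA
13FB91000: process driver.fffffa8001b0e000.sys has started (pid=33476)
FFFFF80002690000: The instruction at FFFFF80002690000 attempted to execute from unmapped memory -> FFFFF80002690000 (exc.code b, tid 22773)
"""

MAP_RE = re.compile(r"map_mem_zero\(([0-9A-Fa-f]+),\s*([0-9A-Fa-f]+),\s*0x([0-9A-Fa-f]+)\)")
FAULT_RE = re.compile(r"attempted to execute from unmapped memory -> ([0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Region:
    start: int  # inclusive
    end: int    # exclusive
    prot: int   # UC_PROT_* bits

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    def perms(self) -> str:
        bits = (("r", PROT_READ), ("w", PROT_WRITE), ("x", PROT_EXEC))
        return "".join(c if self.prot & b else "-" for c, b in bits)


def parse_regions(log: str) -> List[Region]:
    """Every region the emulator mapped, in the order the log reports them."""
    return [Region(int(s, 16), int(e, 16), int(p, 16)) for s, e, p in MAP_RE.findall(log)]


def parse_fault_address(log: str) -> Optional[int]:
    """The target address of the 'unmapped memory' fault, if the log has one."""
    m = FAULT_RE.search(log)
    return int(m.group(1), 16) if m else None


def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    return next((r for r in regions if r.contains(addr)), None)


def nearest_region(regions: List[Region], addr: int) -> Region:
    """Closest mapped region to an unmapped address, useful for spotting rebasing gaps."""
    return min(regions, key=lambda r: min(abs(addr - r.start), abs(addr - (r.end - 1))))


def classify(regions: List[Region], addr: int, need: int) -> str:
    """'ok' if addr is mapped with all bits in `need`, 'wrong-prot' if mapped without them, else 'unmapped'."""
    r = find_region(regions, addr)
    if r is None:
        return "unmapped"
    return "ok" if (r.prot & need) == need else "wrong-prot"


def main() -> None:
    regions = parse_regions(LOG)
    for r in regions:
        print(f"{r.start:#018x}-{r.end:#018x} {r.perms()}")
    fault = parse_fault_address(LOG)
    if fault is not None:
        near = nearest_region(regions, fault)
        print(f"fault PC {fault:#x}: {classify(regions, fault, PROT_EXEC)}; "
              f"nearest mapping {near.start:#x}-{near.end:#x} {near.perms()}")
    # Constructed register values: a stack pointer pair inside the rwx block at 0x30000.
    for name, value in (("RSP", 0x12F000), ("RBP", 0x12FF00)):
        print(f"{name}={value:#x}: {classify(regions, value, PROT_READ | PROT_WRITE)}")


if __name__ == "__main__":
    main()
```

Run it on a pasted sk3wldbg log to see at a glance which block the screen EA landed in, whether that block is executable, and whether the stack registers you intend to set fall inside a writable mapping before you start the emulation.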

@OevreFlataeker How did you manage to set the register values before running the debugger?

joelreymont avatar Apr 12 '23 19:04 joelreymont

Sorry, this has been more than 3 years ago... I honestly don't remember...

OevreFlataeker avatar Apr 13 '23 10:04 OevreFlataeker