frida-gum
Incorrect Symbol Resolution (v12.9.4)
This behaviour was observed on Windows; I have not tested it on other supported platforms. There are two issues here.
(1) DebugSymbol.fromAddress: Incorrect symbol address resolution
If you call fromAddress like this:

```js
var modObject = DebugSymbol.fromAddress(someFunction.add(0xaa));
```

Expected result:

```js
modObject.address.equals(someFunction)
```

Observed result: the `address` property of `modObject` contains the address passed as the argument, not the address of the start of that symbol:

```js
modObject.address.equals(someFunction.add(0xaa))
```
(2) DebugSymbol.fromAddress: Incorrect symbol name resolution
To solve this issue I tried to call DebugSymbol.fromAddress and then use modObject.name in a call to DebugSymbol.fromName to get the pointer to the start of the symbol. However, I found that fromAddress incorrectly resolved the symbol name.
Repro
Below you have my test callback for stalker events to illustrate both issues.
```js
function neo4jEventList(events, modules, hFile) {
    for (var i = 0; i < events.length; i++) {
        var execEvent = events[i];
        //var modFrom = modules.find(execEvent[1]);
        //var modTo = modules.find(execEvent[2]);
        //var symFrom = DebugSymbol.fromAddress(execEvent[1]);
        //var symTo = DebugSymbol.fromAddress(execEvent[2]);
        //
        //var execObject = {
        //    nodetype: execEvent[0],
        //    callDepth: execEvent[3],
        //    moduleFrom: modFrom.name,
        //    symbolFrom: symFrom.name + "+" + execEvent[1].sub(symFrom.address),
        //    moduleTo: modTo.name,
        //    symbolTo: symTo.name + "+" + execEvent[2].sub(symTo.address)
        //};
        //send(JSON.stringify(execObject));

        // Resolve the source address to a symbol, then look the symbol's name
        // back up to get the pointer to its start.
        var symFrom = DebugSymbol.fromAddress(execEvent[1]);
        var pSym = DebugSymbol.fromName(symFrom.name);
        send("Pointer: " + execEvent[1] + "; SymFromAddress: " + symFrom.address + "; Name: " + symFrom.name + "; SymFromName: " + pSym.address);
    }
}
```
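As an added example (not from the issue, and not Frida's own code), a fallback symbolizer that locates the nearest preceding symbol in an enumerated symbol table, so the start address and offset come out right even when fromAddress hands back the queried address. The Frida-side names Process.findModuleByAddress and Module#enumerateSymbols are assumed, and the sample table is constructed.

```javascript
// Added example, not code from the issue or Frida: find the nearest preceding
// symbol in a sorted table, giving the symbol start and offset regardless of
// what DebugSymbol.fromAddress returns. Pure BigInt logic runs under Node; the
// Frida glue at the end assumes Process.findModuleByAddress/Module#enumerateSymbols.

// Sort {name, address} records by address; address is anything BigInt() accepts.
function buildSymbolTable(symbols) {
  return symbols
    .map(function (s) { return { name: s.name, address: BigInt(s.address) }; })
    .sort(function (a, b) { return a.address < b.address ? -1 : a.address > b.address ? 1 : 0; });
}

// Binary search for the last symbol whose start is <= target.
// Returns {name, address, offset} or null if target precedes every symbol.
function resolveNearest(table, target) {
  var t = BigInt(target);
  var lo = 0, hi = table.length - 1, best = -1;
  while (lo <= hi) {
    var mid = (lo + hi) >> 1;
    if (table[mid].address <= t) { best = mid; lo = mid + 1; } else { hi = mid - 1; }
  }
  if (best < 0) return null;
  var s = table[best];
  return { name: s.name, address: s.address, offset: t - s.address };
}

// Render as "module!symbol+0xoffset", the form the thread expects to see.
function formatSymbol(moduleName, resolved) {
  return moduleName + '!' + resolved.name + '+0x' + resolved.offset.toString(16);
}
// Constructed sample table and query (addresses made up for this example).
var SAMPLE_SYMBOLS = [{ name: 'bar', address: '0x7ff600001000' },
                      { name: 'foo', address: '0x7ff600000400' },
                      { name: 'baz', address: '0x7ff600002000' }];
function sampleResolution() {
  var r = resolveNearest(buildSymbolTable(SAMPLE_SYMBOLS), '0x7ff6000004aa');
  return formatSymbol('demo.dll', r); // "demo.dll!foo+0xaa"
}

// Frida glue (assumed API; only meaningful inside a Frida agent):
// NativePointer#toString() yields a "0x..." string that BigInt() parses.
function symbolizeWithFrida(ptr) {
  var mod = Process.findModuleByAddress(ptr);
  if (mod === null) return null;
  var table = buildSymbolTable(mod.enumerateSymbols().map(function (s) {
    return { name: s.name, address: s.address.toString() };
  }));
  var r = resolveNearest(table, ptr.toString());
  return r === null ? null : formatSymbol(mod.name, r);
}
```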
Yes, in this version it always returns `xxx.so!xxsxfun+xxxxx`. It is an inconvenience to me (and maybe others) to get the offset. In 12.8.20 it works fine, but in 12.9.4 it is broken.
This is still an issue in v12.10.4
@FuzzySecurity Can you confirm that this was not an issue in 12.8.20 as reported by @rozbo? If it's a regression, I suspect it was introduced when we upgraded the bundled DbgHelp.dll.