# Issue Breaking on Win32 DLL Functions (#15953)

## Work environment
| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Windows 10 x64 |
| File format of the file you reverse (mandatory) | PE |
| Architecture/bits of the file (mandatory) | x86-32 bits |
| r2 -v full output, not truncated (mandatory) | radare2 4.3.1 6 @ windows-x86-64 git.4.3.1 commit: 54ac837b5503f10f91e2069ac357791f7a3e635a build: Fri 03/06/2020__15:52:24.93 |
## Expected behavior

To break at VirtualAlloc. If I try this in x64Dbg, it will break on VirtualAlloc.

## Actual behavior

```
(5948) Fatal exception (access violation) in thread 5936
```
## Steps to reproduce the behavior

Hash of file to download from VirusTotal -> 47363b94cee907e2b8926c1be61150c7

```python
import r2pipe

r = r2pipe.open('<path to sample>')  # path of the sample with the hash above; not given in the report
r.cmd('aaaa')
r.cmd('doo')
r.cmd('db main')
r.cmd('doo')
r.cmd('dc')
r.cmd('dc')
r.cmd('dc')
r.cmd('db 0x00402dda')
r.cmd('dc')
r.cmd('ds 2')
r.cmd('dsu 0x0302CA57')  # another bug here: I can't continue execution here, I get some access violation, so I have to single step, which takes FOREVER
```

### Example:

```
[0x0302c940]> db 0x0302CA57
[0x0302c940]> dc
(6864) Fatal exception (access violation) in thread 6092
```

```python
r.cmd('ds 1')
r.cmd('dsu 0x00191446')  # same here: I can continue execution in other debuggers, but with radare2 I'm forced to single step to hit this breakpoint
r.cmd('dr al=0xC0')  # patch a debugger check
r.cmd('ds 2')
r.cmd('? [sym.imp.KERNEL32.dll_VirtualAlloc]')
# > hex: 0x752c66b0
r.cmd('db [sym.imp.KERNEL32.dll_VirtualAlloc]')
r.cmd('db')
# > 0x00401100 - 0x00401101 1 --x sw break enabled valid cmd="" cond="" name="main" module=""
# > 0x00402dda - 0x00402ddb 1 --x sw break enabled valid cmd="" cond="" name="0x00402dda" module=""
# > 0x752c66b0 - 0x752c66b1 1 --x sw break enabled valid cmd="" cond="" name="[sym.imp.KERNEL32.dll_VirtualAlloc]" module=""
r.cmd('dc')  # this is where it breaks
# > (5948) Fatal exception (access violation) in thread 5936
```
Sometimes it will hit the breakpoint at VirtualAlloc, but if I try again to hit the breakpoint (because in the malware you have to hit it twice), I get:

```
[0x001923f2]> dc
(5948) Fatal exception (access violation) in thread 5936
```

Again, if you try all these steps in x64Dbg, you will successfully break at VirtualAlloc twice. Even if you get the access violation in x64Dbg, you can keep on continuing execution until it reaches VirtualAlloc a 2nd time. The ultimate goal is to break on VirtualAlloc twice, then be able to set a breakpoint at WriteProcessMemory and hit that twice. But I have trouble hitting VirtualAlloc at all. If I do hit it once, then it will definitely give me an access violation after trying for the second time.
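A small r2pipe-style helper, added here as an example and not part of this issue or of radare2 itself: it parses the `db` listing and the fatal-exception line shown above, and automates the single-stepping workaround the report describes (`ds` until EIP reaches the target instead of `dc`). The names `step_until`, `parse_breakpoints` and `FakeR2` are chosen here; the fake replays the outputs pasted in the report so the script runs without the sample, and `dr eip` is assumed to answer with one hex value.

```python
import re
# Radare2's message when `dc` ends in an unhandled exception (format from the report above).
FATAL_RE = re.compile(r"\((\d+)\) Fatal exception \((.+?)\) in thread (\d+)")
# One line of the `db` listing as pasted in the report.
BP_RE = re.compile(r'^(0x[0-9a-fA-F]+) - (0x[0-9a-fA-F]+) (\d+) (\S+) (\w+) break '
                   r'(enabled|disabled) .*?name="([^"]*)"')
# `db` output copied from the report, used as offline sample input.
DB_SAMPLE = """0x00401100 - 0x00401101 1 --x sw break enabled valid cmd="" cond="" name="main" module=""
0x00402dda - 0x00402ddb 1 --x sw break enabled valid cmd="" cond="" name="0x00402dda" module=""
0x752c66b0 - 0x752c66b1 1 --x sw break enabled valid cmd="" cond="" name="[sym.imp.KERNEL32.dll_VirtualAlloc]" module=""
"""

def parse_fatal(output):
    """Return (pid, reason, tid) if `output` holds a 'Fatal exception' line, else None."""
    m = FATAL_RE.search(output)
    return (int(m.group(1)), m.group(2), int(m.group(3))) if m else None

def parse_breakpoints(db_output):
    """Turn the `db` listing into dicts so a script can check what is really set."""
    bps = []
    for line in db_output.splitlines():
        m = BP_RE.match(line.strip())
        if m:
            bps.append({"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                        "perm": m.group(4), "kind": m.group(5),
                        "enabled": m.group(6) == "enabled", "name": m.group(7)})
    return bps

def step_until(cmd, target, max_steps=200000):
    """The reporter's workaround: single-step with `ds` until EIP == target instead of `dc`.
    `cmd` is an r2pipe-style callable; `dr eip` is assumed (not verified here) to reply with one hex value."""
    for n in range(1, max_steps + 1):
        fault = parse_fatal(cmd("ds"))
        if fault:                       # the debuggee died while stepping: report it
            return (False, n, fault)
        pc = re.search(r"0x[0-9a-fA-F]+", cmd("dr eip"))
        if pc and int(pc.group(0), 16) == target:
            return (True, n, None)
    return (False, max_steps, None)

class FakeR2:
    """Constructed stand-in for r2pipe so this runs offline; replays the report's outputs."""
    def __init__(self, start_pc=0x0302ca50):
        self.pc = start_pc
    def cmd(self, c):                   # every fake instruction is one byte long
        if c == "ds":
            self.pc += 1
        return {"dr eip": "0x%08x\n" % self.pc, "db": DB_SAMPLE,
                "dc": "(6864) Fatal exception (access violation) in thread 6092\n"}.get(c, "")
```

With a real session, pass `r2pipe.open(path).cmd` in place of `FakeR2().cmd`; `step_until` then reports how many steps it took and whether the debuggee faulted on the way.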
@GustavoLCR I see this is assigned to you. Do you think you'll be able to complete this for next release? I'm asking not to put pressure, just to try cleaning up a bit the issues that are assigned for the next milestone.