Sergey Kovalev

Results: 13 issues of Sergey Kovalev

In #1450 several `Failed to read address` messages from the `syscalls` plug-in have been noticed. This started to occur after making `libusermode` inject `MmCopyVirtualMemory` instead of page faults. I...

On "Windows 10 build 1803 x64" I have noticed that for 32-bit executables the first page becomes inaccessible:
```
1648814892.301051 [USERHOOK] Found DLL which is worth processing 74f60000 (0x74f60000, \Windows\SysWOW64\kernel32.dll)...
```

Discovered during work on #1280:
* If the "procdump" plugin was not stopped, the termination of the injected process would lead to a process dump.
* Though it would not wait for...

`drakvuf_trap_info_t.event_uid` is set only in two cases:
* [pre_mem_cb](https://github.com/tklengyel/drakvuf/blob/a0c962a0268bcd486e1726b51cd0d8d385a68177/src/libdrakvuf/vmi.c#L505)
* [int3_cb](https://github.com/tklengyel/drakvuf/blob/a0c962a0268bcd486e1726b51cd0d8d385a68177/src/libdrakvuf/vmi.c#L687)

In all other event handlers (e.g. `cr3_cb`) it remains unset (just 0). Is this by design? If so we...

It has been noticed that some return hooks are not triggered. E.g. for the `apimon` and `procmon` plug-ins there was a lack of return callbacks for `CreateWindowExW` and `NtCreateUserProcess` in some cases....

# Abstract

There are no `apimon` messages for `SysWOW64\*.dll` hooks.

# How to reproduce

* Provide `--dll-hooks-list` like this: `SysWOW64\ntdll.dll,NtGetContextThread,log,handle,pcontext`
* Provide `--json-wow /path/to/wow/ntdll.json` (thanks to @icedevml for noticing that)...

This is a proposal. From [Inside NT's Asynchronous Procedure Call](https://www.drdobbs.com/inside-nts-asynchronous-procedure-call/184416590):
```
Asynchronous Procedure Calls (APCs) are a fundamental building block in NT's asynchronous processing architecture. Basically, APCs allow user programs...
```

I have noticed a comment: https://github.com/tklengyel/drakvuf/blob/bd35d25f1cd95270588417d99d05220775451c17/src/libdrakvuf/vmi.c#L1611 What is the error? Is there a fix? Can I help to debug it?


For some reason scanning with a dll-hooks.txt like this:
```
kernel32.dll,GetModuleFileNameA,log,hModule:hmodule,lpFilename:lpstr,nSize:dword
kernel32.dll,GetModuleFileNameW,log,hModule:hmodule,lpFilename:lpstr,nSize:dword
```
slows down Windows several times. This can be clearly seen with injection of _EXCEL.EXE_.

As the code [states](https://github.com/tklengyel/drakvuf/blob/0cdb2f4e11c29e515b987e8c289da93c569c2ee1/src/libusermode/userhook.cpp#L793) for non-x64: "[USERHOOK] Usermode hooking is not yet supported on this architecture/bitness.\n" @icedevml could you please clarify why. I have read #669 and #675 but there...