x64dbgpylib icon indicating copy to clipboard operation
x64dbgpylib copied to clipboard
verified publisher icon x64dbg

Error in getDebuggedName that prevents mona's find from working

Open ngo opened this issue 6 years ago • 5 comments

When trying to use mona's find feature I get the following error:

mona.mona("find -s '\xff\xe4' -m binary.exe") =>

<b>  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\mona.py", line 18391, in main</b>
<b>    commands[command].parseProc(opts)</b>
<b>  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\mona.py", line 11814, in procFind</b>
<b>    thislog = logfile.reset()</b>
<b>  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\mona.py", line 2454, in reset</b>
<b>    debuggedname = dbg.getDebuggedName()</b>
<b>  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\x64dbgpylib.py", line 900, in getDebuggedName</b>
<b>    print offset</b>
<b>  File "C:\tools\pwn\x64dbg\release\x32\plugins\x64dbgpy\pykd.py", line 262, in loadUnicodeString</b>
<b>    raise DbgException("Corrupted UNICODE_STRING structure")</b>
<b>DbgException: Corrupted UNICODE_STRING structure</b>

The exception happens because of an error on parsing the PEB in x64dbgpylib. In getDebuggedName, x64dbgpylib uses getPEBInfo().ProcessParameters from pykd, which returns an object of type typePtr (a pointer to a struct RTL_USER_PROCESS_PARAMETERS). It then needs to dereference the pointer and get the ImagePathName member. So the code uses the __add__ operation of typePtr, which resolves to __add__ of typeBase, which uses the address of the typePtr itsel, instead of using the address of the struct that it points to. So, python code ProcessParameters + offset results in PEB->process_parameters + offset, but we need *(PEB->process_parameters) + offset.

Demonstration (x32 app):

  1. Get the peb addr:
Command: peb()
002FB000
  1. Get the result of the __add__ (as you can see this is peb + 0x48, which is not what we want)
Command: print hex(x64dbgpylib.getPEBInfo().ProcessParameters + 0x38)
0x2fb048

In order to have the correct pointer we have to cast ProcessParameters to int, because it will cause the __int__ method of class typePrimitive to be used (which dereferences the pointer). Verification:

Command: print hex(x64dbgpylib.getPEBInfo().ProcessParameters) + 0x38)
0x5818e8

So, the line

sImageFile = pykd.loadUnicodeString(ProcessParameters + offset).encode("utf8")

shold be changed as follows:

sImageFile = pykd.loadUnicodeString(int(ProcessParameters) + offset).encode("utf8")

After this fix mona's find command starts to work for me.

https://github.com/x64dbg/x64dbgpylib/blob/d3b67021880f924860437098b05c3d879aae1a2f/x64dbgpylib.py#L900

ngo avatar Jul 29 '19 11:07 ngo

Feel free to open a PR! This project isn’t really being maintained anymore.

mrexodia avatar Jul 29 '19 11:07 mrexodia

See https://github.com/x64dbg/x64dbgpylib/pull/13

ngo avatar Jul 29 '19 11:07 ngo

Great, thanks for quick reply and merge.

ngo avatar Jul 29 '19 11:07 ngo

No worries. Tell me if you’re interested in maintaining this project (for a time).

On Mon, 29 Jul 2019 at 13:32, ngo [email protected] wrote:

Great, thanks for quick reply and merge.

— You are receiving this because you commented.

Reply to this email directly, view it on GitHub https://github.com/x64dbg/x64dbgpylib/issues/12?email_source=notifications&email_token=AASYFGIZXFNVDNYZK2CO64TQB3IMPA5CNFSM4IHRIA22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3ANQNA#issuecomment-515954740, or mute the thread https://github.com/notifications/unsubscribe-auth/AASYFGPAN7NOTOH5PLHIOPDQB3IMPANCNFSM4IHRIA2Q .

mrexodia avatar Jul 29 '19 11:07 mrexodia

I'm not proficient enough in binary exploitation and RE to maintain a project like this, but I might be able to help with some python-related issues. Feel free to ping me if such issues arise.

ngo avatar Jul 29 '19 11:07 ngo