This repository has been archived by the owner on Nov 17, 2021. It is now read-only.

Break on a new process entrypoint address #13

Open
Wenzel opened this issue May 17, 2018 · 6 comments
Labels
Goal Next objective on the project Priority: High

Comments

@Wenzel
Owner

Wenzel commented May 17, 2018

To be really useful, we need to be able to attach to a new process being created, and break on the entrypoint.

This address should be in the Win32StartAddress field of the ETHREAD.

With the latest progress on the symbols branch:

At KiStartUserThread: mspaint.exe, CR3: 0x655eb000
EPROCESS 0xfffffa80044a4060
ETHREAD 0xfffffa800410e160
Win32StartAddress 0xffcc2eb8

The Win32StartAddress field contains an incomplete/invalid address. Is this an offset?

Next steps:

  • check the value of Win32StartAddress with WinDBG
  • check the value of StartAddress
@Wenzel Wenzel added Priority: High Goal Next objective on the project labels May 17, 2018
@Wenzel
Owner Author

Wenzel commented May 17, 2018

The value of Win32StartAddress is correct.
The problem is that it's a userland address that is just not mapped yet;
therefore, there is no physical frame.

@Wenzel
Owner Author

Wenzel commented May 27, 2018

Solution 1: watch the page tables until the missing page is inserted:

  • translate Win32StartAddress to paddr
  • look what entry is missing
  • watch this entry for modifications

Solution 2:

  • add breakpoint on MmAccessFault
  • step over the call
  • test if our target address is mapped now

Solution 3:

  • find an API in ntdll to break on
  • ntdll!RtlUserThreadStart or ntdll!LdrpInitializeThread
  • break
  • check if our address is mapped now
  • I don't know the address of any ntdll APIs
  • break on NtContinue

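Solution 1 as an added worked example (this is not code from the issue or from the project, and libvmi is not used). It models guest physical memory as a Python dict, walks the four-level x86-64 page tables from CR3 for a virtual address and, when an entry has P=0, returns the physical address and guest frame number of that entry, which is where a write-watch would be placed. The CR3 and Win32StartAddress values are taken from the trace above and used as constructed sample input; the page-table contents and the frame 0x3A7C1000 that is paged in are made up. It also handles 2 MiB and 1 GiB large pages, which the list above does not mention.

```python
# Added example (not code from the issue or the project): a 4-level x86-64
# page-table walk over a constructed in-memory model. It implements the three
# steps of Solution 1: translate the virtual address, report which level's
# entry is missing, and hand back the physical address (and guest frame
# number) of that entry so a write-watch can be placed on it.
from dataclasses import dataclass
from typing import Dict, Optional

PAGE_SHIFT = 12
PTE_PRESENT = 1 << 0
PTE_PS = 1 << 7                     # page-size bit: 1 GiB at PDPT, 2 MiB at PD
PHYS_MASK = 0x000F_FFFF_FFFF_F000   # bits 51:12 of an entry hold the next frame

LEVELS = ("PML4", "PDPT", "PD", "PT")
SHIFTS = (39, 30, 21, 12)

# Values taken from the issue's KiStartUserThread trace, used as sample input.
CR3 = 0x655EB000
WIN32_START_ADDRESS = 0xFFCC2EB8


@dataclass
class WalkResult:
    paddr: Optional[int]           # translated physical address, if mapped
    missing_level: Optional[str]   # level whose entry has P=0, if unmapped
    watch_paddr: Optional[int]     # physical address of that missing entry

    @property
    def watch_gfn(self) -> Optional[int]:
        """Guest frame number containing the missing entry (the page to watch)."""
        return None if self.watch_paddr is None else self.watch_paddr >> PAGE_SHIFT


def read_qword(mem: Dict[int, int], paddr: int) -> int:
    """Read one 8-byte entry; unwritten memory reads as zero (not present)."""
    return mem.get(paddr, 0)


def translate(mem: Dict[int, int], cr3: int, vaddr: int) -> WalkResult:
    """Walk PML4 -> PDPT -> PD -> PT for vaddr in the address space of cr3."""
    table = cr3 & PHYS_MASK
    for level, shift in zip(LEVELS, SHIFTS):
        index = (vaddr >> shift) & 0x1FF
        entry_paddr = table + index * 8
        entry = read_qword(mem, entry_paddr)
        if not entry & PTE_PRESENT:
            # This is the entry the kernel must fill in before the page is usable.
            return WalkResult(None, level, entry_paddr)
        if level in ("PDPT", "PD") and entry & PTE_PS:
            # Large page: the remaining low bits of vaddr are the page offset.
            low_mask = (1 << shift) - 1
            return WalkResult((entry & PHYS_MASK & ~low_mask) | (vaddr & low_mask), None, None)
        table = entry & PHYS_MASK
    return WalkResult(table | (vaddr & 0xFFF), None, None)


def page_in(mem: Dict[int, int], entry_paddr: int, frame: int) -> None:
    """Simulate the kernel inserting a 4 KiB mapping (what the watch would observe)."""
    mem[entry_paddr] = (frame & PHYS_MASK) | PTE_PRESENT


def build_sample_memory() -> Dict[int, int]:
    """Constructed page tables: PML4/PDPT/PD present, the final PT entry missing."""
    pml4, pdpt, pd, pt = CR3, 0x655EC000, 0x655ED000, 0x655EE000  # made-up table frames
    mem: Dict[int, int] = {}
    mem[pml4 + ((WIN32_START_ADDRESS >> 39) & 0x1FF) * 8] = pdpt | PTE_PRESENT
    mem[pdpt + ((WIN32_START_ADDRESS >> 30) & 0x1FF) * 8] = pd | PTE_PRESENT
    mem[pd + ((WIN32_START_ADDRESS >> 21) & 0x1FF) * 8] = pt | PTE_PRESENT
    # A 2 MiB large page at PD index 0 (vaddr 0xC0000000..0xC01FFFFF) for contrast.
    mem[pd + 0 * 8] = 0x40000000 | PTE_PS | PTE_PRESENT
    return mem


if __name__ == "__main__":
    mem = build_sample_memory()
    before = translate(mem, CR3, WIN32_START_ADDRESS)
    print(f"missing at {before.missing_level}, watch entry 0x{before.watch_paddr:x} "
          f"(gfn 0x{before.watch_gfn:x})")
    page_in(mem, before.watch_paddr, 0x3A7C1000)  # constructed frame
    after = translate(mem, CR3, WIN32_START_ADDRESS)
    print(f"mapped: 0x{WIN32_START_ADDRESS:x} -> 0x{after.paddr:x}")
```

Run stand-alone, the walk first stops at the PT level and names the entry at 0x655ee610 (gfn 0x655ee) as the one to watch; after the simulated page-in, the same address translates to 0x3a7c1eb8. In a real VMI setup the watch would be a write mem_event on that gfn, and the translation would be re-run from the callback.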
@Wenzel
Owner Author

Wenzel commented May 27, 2018

The safe_breakpoint callbacks are not safe yet.
There is a moment where the guest is paused, and no event is being reported.

Waiting for events
{'data': {'mem_event': <libvmi.event.MemEvent object at 0x7fb6eab24f98>,
          'symbol': 'MmAccessFault',
          'target_gfn': 10449,
          'target_vaddr': 18446735277659332128},
 'slat_id': 0,
 'type': 'SINGLESTEP',
 'vcpu_id': 0,
 'version': 5,
 'x86_regs': {'rax': '0xfffffa80010d64f0',
              'rip': '0xfffff800028d1c0f',
              'rsp': '0xfffff88002f84420'}}
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events

We need to debug this.

@Wenzel
Owner Author

Wenzel commented May 27, 2018

Another solution would be to find the Windows kernel API responsible for mapping a defined page, and break on it.

@Wenzel
Owner Author

Wenzel commented Jun 5, 2018

New solution: single-step until ring 3.

The problem is that I'm not receiving single-step events at some point...

@Wenzel
Owner Author

Wenzel commented Jun 5, 2018

Blocked by libvmi/libvmi#636
