Machine crash

[yguseto]

Hi
I try set some function(ex : NtWriteFile) as breakpoint
After dc, target machine going blue screen
What's the reason?

[Wenzel]

You need to help me here and give me more details

• what VM are you trying to introspect ? (r2vmi has only been tested on WIndows XP and Windows 7)
• what did you see on r2 output ?

the main reason is that the operating system took the software breakpoint itself, and of course it cannot process it.

the breakpoint should removed and singlestepped (depending where you are) when you hit continue.
pay attention to r2's output, i added a lot of debugging messages there, maybe you can find an error, or something went wrong in libvmi.

[yguseto]

R2 output @Wenzel
W7 x64

__breakpoint, set: 1, addr: fffff800029e19a0, hw: 0
__write
__continue, sig: 0
__wait
__wait: Listen to VMI events...
cb_on_int3
cb_on_int3: wrong process svchost.exe (0x9e142000)
__write
__wait: Listen to VMI events...
VMI_ERROR: process_singlestep error: no singlestep handler is registered in LibVMI
__wait: Fail to listen to events
__reg_read, type: 0, size:7168
__select
__system: command: pid 0
__reg_read, type: 0, size:7168
__reg_read, type: 0, size:7168
__reg_read, type: 1, size:7168
__reg_read, type: 2, size:7168
__reg_read, type: 3, size:7168
__reg_read, type: 4, size:7168
__reg_read, type: 5, size:7168
__reg_read, type: 6, size:7168
__reg_read, type: 0, size:7168
__reg_read, type: 1, size:7168
__reg_read, type: 2, size:7168
__reg_read, type: 3, size:7168
__reg_read, type: 4, size:7168
__reg_read, type: 5, size:7168
__reg_read, type: 6, size:7168
__read, offset: fffff8000260ef75
__reg_read, type: 0, size:7168
[0xfffff8000260ef75]> 

[Wenzel]

Well, it looks like something went wrong when trying to singlestep on the breakpoint.
you should investigate into this.
look into the wait implementation of the plugin

[Wenzel]

Hi,

I think #38 will solve your problem.

Can you retry with just 1 vcpu ?