Hi everyone, we've encountered a problem while performing some tests with the drakvuf-sandbox. In our case, injector seems to be randomly hanging for an undefined amount of time. We use the drakvuf + sandbox compiled directly from the source code, tag 1.0 and 0.18.2 respectively.
We've added some temporary log points in the source to avoid the overhead of PRINT_DEBUG and we have this situation:
The logs were added along the injector path (64 bit) that creates the remote process and waits for its termination. As is clearly visible, from the termination to the explorer user-mode breakpoint being hit, 5 minutes pass, but depending on the situation, the bp might never be hit again.
We noticed that the "injection" user-mode breakpoint is placed on a "casual" address from the trap-frame, so after the injector STEP3 (return of the ResumeThread call) it seems that, by our understanding, there is no guarantee that this code will be touched again by explorer.exe. Could this be the reason for the hang?
Is there any reason why the "STEP4" code cannot be directly called from the wait_for_termination_cb function instead of relying on the explorer breakpoint?
We also noticed that in the related sandbox issue (CERT-Polska/drakvuf-sandbox#749), timeouts were fixed, but in our case killing the injector process in the middle of the drakvuf loop prevents any other instances from being launched with this error
If you kill any drakvuf/injector process with SIGTERM you should not get that error when you try to launch again. If you kill -9 then you would get that error. You can also specify a timeout for injector after which it would exit cleanly in case the injection didn't go through in time.