cseagle / sk3wldbg

Debugger plugin for IDA Pro backed by the Unicorn Engine


Exceptions are raised and the debugger is detached.

alexandreborges opened this issue · comments

Chris,

Good morning. How are you?

Almost certainly, it is my mistake because I haven't had enough time for debugging it.

Anyway, it follows a little information:

1. Windows 7 x86
2. IDA Pro 6.95
3. I've compiled the plugin by using Visual Studio 2015.
4. The tested files: some executables.

The problem: as soon as the debugging process starts (using sk3wldbg, stepping instruction by instruction), several exceptions (I've tried to pass them back to the application) are raised and the debugger is detached.

I've tested the plugin using several malware samples (including an educational one). Finally, a few pieces of evidence (related to the educational malware, the simplest executable that I could find) are attached:

1. Screenshot
2. My compiled plugin version (and its associated PDB file)
3. The idb database of the executable.
4. The executable (educational program).

Last lines of Output Window are:

found input file C:\Users\AB\Pictures\educational_malware.exe
reading file of 1536 bytes
loadPE32
map_mem_zero(0x401000, 0x402000, 0x7)
Allocated at 0x401000 in map_mem_zero
Copying bytes 0x200:0x400 into block
map_mem_zero(0x402000, 0x403000, 0x3)
Allocated at 0x402000 in map_mem_zero
Copying bytes 0x400:0x600 into block
map_mem_zero(0x30000, 0x130000, 0x7)
Allocated at 0x30000 in map_mem_zero
401000: process Unicorn Process has started (pid=22703)
20AC: The instruction at 0x20ac attempted to execute from unmapped memory -> 000020AC (exc.code b, tid 9130)
20AC: The instruction at 0x20ac attempted to execute from unmapped memory -> 000020AC (exc.code b, tid 9130)
Debugger: detached from process

Unfortunately, the same issue has happened while using its pre-compiled version. Therefore, I must have committed a trivial mistake.

I am sorry for bothering you with it.

Have an amazing day, Chris.

Alexandre.

Evidences.zip

Alexandre, for some reason I can't open the zip file. My best guess, based on the messages above, is that you have stepped into a library function call. sk3wldbg doesn't resolve any imported function address, so if you end up stepping into a thunk function, the thunk will load the IAT value rather than the resolved function address. 20AC looks like it's probably an unresolved IAT entry.
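The diagnosis above can be checked statically before stepping. As an added example (not part of sk3wldbg or this thread), the Python below builds a constructed minimal PE32 image whose IAT slot still holds the hint/name RVA 0x20AC, exactly as the on-disk file does, then walks the import directory and flags every slot that a thunk would jump through while it is still unresolved; MAPPED is the set of ranges reported by the map_mem_zero lines in the log. The header layout (e_lfanew 0x80, import directory at RVA 0x2000, flat RVA == offset image) is an assumption made for the sample.

```python
import struct

MAPPED = [(0x401000, 0x402000), (0x402000, 0x403000), (0x30000, 0x130000)]

def build_image():
    """Constructed flat PE32 image (RVA == offset) importing one KERNEL32 function;
    the IAT slot still holds the hint/name RVA 0x20AC, as on disk, since no loader ran."""
    img = bytearray(0x3000)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF hdr
    struct.pack_into("<H", img, 0x98, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, 0x400000)              # ImageBase
    struct.pack_into("<II", img, 0x98 + 104, 0x2000, 40)          # DataDirectory[1]: imports
    # IMAGE_IMPORT_DESCRIPTOR: INT, TimeDateStamp, ForwarderChain, Name, IAT; null one follows
    struct.pack_into("<IIIII", img, 0x2000, 0x2040, 0, 0, 0x2080, 0x2050)
    struct.pack_into("<II", img, 0x2040, 0x20AC, 0)               # INT entry -> hint/name
    struct.pack_into("<II", img, 0x2050, 0x20AC, 0)               # IAT entry, never patched
    img[0x2080:0x208D] = b"KERNEL32.dll\0"
    img[0x20AC:0x20BA] = b"\0\0ExitProcess\0"                     # hint (2 bytes) + name
    return bytes(img)

cstr = lambda img, off: img[off:img.index(b"\0", off)].decode("ascii")

def audit_iat(img, mapped):
    """Classify each IAT slot as 'unresolved' (still an RVA into the image, so a thunk through
    it lands at a low unmapped address such as 0x20AC), 'resolved' (in a mapped range) or 'unmapped'."""
    opt = struct.unpack_from("<I", img, 0x3C)[0] + 24             # optional header offset
    base = struct.unpack_from("<I", img, opt + 28)[0]
    findings, desc = [], struct.unpack_from("<I", img, opt + 104)[0]
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", img, desc)
        if iat_rva == 0:
            break
        dll, lookup, i = cstr(img, name_rva), int_rva or iat_rva, 0
        while True:
            entry = struct.unpack_from("<I", img, lookup + 4 * i)[0]
            if entry == 0:
                break
            slot = struct.unpack_from("<I", img, iat_rva + 4 * i)[0]
            name = "#%d" % (entry & 0xFFFF) if entry >> 31 else cstr(img, entry + 2)
            if slot < len(img):                                    # an RVA, not an absolute VA
                status = "unresolved"
            else:
                status = "resolved" if any(s <= slot < e for s, e in mapped) else "unmapped"
            findings.append((dll, name, base + iat_rva + 4 * i, slot, status))
            i += 1
        desc += 20
    return findings
```

Running audit_iat(build_image(), MAPPED) reports the KERNEL32.dll!ExitProcess slot at 0x402050 as unresolved with value 0x20AC, which is the address the faulting thunk jumped to in the log.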

Chris,

Good morning. How are you?

Thank you for the reply. Certainly, your answer gave me a clear idea about what's happening.

I hope I can meet you in the next BlackHat conference.

Take care and have an amazing day.

Alexandre.