cseagle / sk3wldbg

Debugger plugin for IDA Pro backed by the Unicorn Engine

Memory write accesses?

govcert-ch opened this issue

This is not really a bug report, but as I did not find any forum dedicated to sk3wldbg, and I could not find out your direct e-mail address, I'm leaving this here (and yes, a discussion forum about sk3wldbg would be great :-). Let me start by saying that I love sk3wldbg (and Unicorn in general)!

My problem is: how do I allocate memory in a debug session? If a program at some point allocates memory via syscall, I need to emulate it. But in order to call mem_map from Unicorn (in Python), I'd need the relevant Uc object exposed. I assume this is not the case, or is it?

I tried an alternative path by creating a new segment in the idb (before starting the debugger), and filling it with zeroes, plus making it writable. In theory, it should be possible to return blob addresses from this scratch section to alloc calls. Indeed I can see the memory in the debugger, but trying to write into it manually gives a "Failed on uc_mem_write() with error returned 7: Invalid memory write (UC_ERR_WRITE_UNMAPPED)" error, so I guess the new section was not mapped into the unicorn part. Is there a way to create sections so they are mapped?

I finally tried to return an address from the start of the binary itself (marked as writable), and now I can manually write into this from the debugger (via the edit popup, or F2), but code that tries to write into it creates a "405142: The instruction at 0x400080 attempted to write to write protected memory -> 0000000000400080 (exc.code b, tid 23227)" (note there is a small bug in the error message too: the code is at address 405142, not 400080, which is the accessed memory).

Thanks again for the excellent plugin! Andy

Andy, commit e172955 gets two IDC functions working:

     int64 sk3wl_mmap(int64 base, long size, int perms) where perms are a combination of:
         #define SEGPERM_EXEC  1         ///< Execute
         #define SEGPERM_WRITE 2         ///< Write
         #define SEGPERM_READ  4         ///< Read
     void sk3wl_munmap(int64 base, long size)
     sk3wl_mmap may be used to map new regions of memory into an emulated unicorn process

For example, after launching sk3wldbg, to map 2 pages of RWX at 0x5000000, invoke the following at the IDC command line (toggle the Python button at the lower left of IDA):

sk3wl_mmap(0x500000, 0x2000, 7)

In Python, you can do the following:

import idaapi
rv = idaapi.idc_value_t()   # receives the IDC return value of sk3wl_mmap
idaapi.eval_idc_expr(rv, idaapi.BADADDR, 'sk3wl_mmap(0x500000, 0x2000, 7)')

I am working on exposing these through some menus as well.
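The original question was how to hand out scratch memory for emulated allocation syscalls once the region is mapped. As an added example (not sk3wldbg's own code), the bump allocator below maps whole pages on demand through the sk3wl_mmap signature and SEGPERM constants quoted in the reply, using the idaapi.eval_idc_expr glue shown above; the allocator, its page size and the `mapper` callback are assumptions, and pages are mapped read/write only so guest code cannot execute from them.

```python
# Added example, not part of sk3wldbg: back emulated alloc syscalls with
# on-demand sk3wl_mmap pages. Constants and the IDC signature are from the
# reply above; the allocator and PAGE size are assumptions.
SEGPERM_EXEC, SEGPERM_WRITE, SEGPERM_READ = 1, 2, 4
PAGE = 0x1000


def build_mmap_expr(base, size, perms):
    """IDC expression string for sk3wl_mmap(int64 base, long size, int perms)."""
    return "sk3wl_mmap(%#x, %#x, %d)" % (base, size, perms)


def ida_mapper(base, size, perms):
    """Evaluate the IDC call inside IDA (glue as in the reply; needs idaapi)."""
    import idaapi  # only importable when running inside IDA
    rv = idaapi.idc_value_t()
    idaapi.eval_idc_expr(rv, idaapi.BADADDR, build_mmap_expr(base, size, perms))
    return rv


class ScratchAllocator:
    """Bump allocator over a scratch region, mapping RW pages as needed.

    mapper(base, size, perms) performs the mapping: ida_mapper inside IDA,
    a recording stub in tests. No SEGPERM_EXEC, so writes into returned
    chunks succeed while any jump into them still faults in the emulator.
    """

    def __init__(self, base, mapper, perms=SEGPERM_READ | SEGPERM_WRITE, align=16):
        self.base, self.mapper, self.perms, self.align = base, mapper, perms, align
        self.mapped_end = base   # first address not yet mapped
        self.cursor = base       # next free address
        self.mapped = []         # (base, size) pairs, for sk3wl_munmap later

    def alloc(self, n):
        if n <= 0:
            raise ValueError("size must be positive")
        addr = (self.cursor + self.align - 1) & ~(self.align - 1)
        end = addr + n
        if end > self.mapped_end:
            # Round the shortfall up to whole pages and map them in one call.
            need = (end - self.mapped_end + PAGE - 1) // PAGE * PAGE
            self.mapper(self.mapped_end, need, self.perms)
            self.mapped.append((self.mapped_end, need))
            self.mapped_end += need
        self.cursor = end
        return addr
```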