Instruction attempted to execute from unmapped memory

Question

Instruction attempted to execute from unmapped memory

OevreFlataeker opened this issue 5 years ago · comments

I try to use the sk3wldbg plugin with IDA Pro 7.2 I could not get it to compile properly with 7.3 and the IDA SDK 7.3

I built the 64bit versions both of the unicorn engine and sk3wldbg and installed it at the proper place in the IDA installation directory.

The code I want to emulate is a small part of a Windows Kernel driver subroutine.
Basically it the code "mov"s some constants into stackspace and then performs some kind of calculation over these values in a loop.
I place the cursor on the first of these instructions and run the debugger and choose "Start from here".

IDA gives me the following errors:

found input file D:\driver.fffffa8001b0e000.sys
reading file of 28672 bytes
loadPE64
map_mem_zero(000000013FB90000, 000000013FB90400, 0x3)
Allocated at 000000013FB90000 in map_mem_zero
Copying bytes 0x0:0x400 into block
map_mem_zero(000000013FB91000, 000000013FB92000, 0x5)
Allocated at 000000013FB91000 in map_mem_zero
Copying bytes 0x1000:0x2000 into block
map_mem_zero(000000013FB92000, 000000013FB93000, 0x1)
Allocated at 000000013FB92000 in map_mem_zero
Copying bytes 0x2000:0x3000 into block
map_mem_zero(000000013FB93000, 000000013FB94000, 0x3)
Allocated at 000000013FB93000 in map_mem_zero
Copying bytes 0x3000:0x4000 into block
map_mem_zero(000000013FB94000, 000000013FB95000, 0x1)
Allocated at 000000013FB94000 in map_mem_zero
Copying bytes 0x4000:0x5000 into block
map_mem_zero(000000013FB95000, 000000013FB96000, 0x5)
Allocated at 000000013FB95000 in map_mem_zero
Copying bytes 0x5000:0x6000 into block
map_mem_zero(000000013FB96000, 000000013FB97000, 0x1)
Allocated at 000000013FB96000 in map_mem_zero
Copying bytes 0x6000:0x7000 into block
map_mem_zero(0000000000030000, 0000000000130000, 0x7)
Allocated at 0000000000030000 in map_mem_zero
map_mem_zero(000000013FB98000, 000000013FC98000, 0x3)
Allocated at 000000013FB98000 in map_mem_zero
PC was not set previously, going with screen EA13FB91000: process driver.fffffa8001b0e000.sys has started (pid=33476)
PDBSRC: loading symbols for 'driver.fffffa8001b0e000.sys'...
PDB: using PDBIDA provider
FFFFF80002690000: The instruction at FFFFF80002690000 attempted to execute from unmapped memory -> FFFFF80002690000 (exc.code b, tid 22773)

Whats wrong? Do I need to prepare something before I can start debugging the code?

The same error occurs when I choose to start from the entrypoint.

daubsi · Answer 1 · Tue Sep 17 2019 02:27:04 GMT+0800 (China Standard Time)

I was just playing around and found that if I set RBP to a value well below RSP, resp RSP further away from the end of the "stack segment" the emu executed properly. So apparently I need to setup all the registers to a sensible state. Is this an expected manual user action?

Joel Reymont · Answer 2 · Thu Apr 13 2023 03:01:51 GMT+0800 (China Standard Time)

@OevreFlataeker How did you manage to set the register values before running the debugger?

daubsi · Answer 3 · Thu Apr 13 2023 18:24:13 GMT+0800 (China Standard Time)

Sorry, this has been more than 3 years ago... I honestly don't remember...