Closed fish3rman closed 1 month ago
Thanks for the detailed report
There were some issues recently around Wow64 that might / might not be related:

- `snapshot` / `dbgeng-rs` (https://github.com/0vercl0k/snapshot/issues/8), fixed by https://github.com/0vercl0k/dbgeng-rs/commit/0b13186ad3ee89994692389cdb9465c18461e8f1
- `symbolizer-rs` didn't extract the Wow64 modules off the kernel dump (https://github.com/0vercl0k/addr-symbolizer-rs/issues/1); fix is up in https://github.com/0vercl0k/addr-symbolizer-rs/commit/a1c2887996406c0d5ba8926d3844719b24778d07 but not merged yet

So basically, you should make sure you updated `snapshot` to the latest version to grab your dump file, and if you want to use `symbolizer-rs` you should checkout the `fbl_libify` branch and build it yourself (`cargo build --release`).
I'll check the code / your results more closely this week though.
Cheers
Okay, I looked closer at your `regs.json` and I can see that the segment limit is `0xfffff` instead of `0xffffffff`, so I think updating `snapshot` to >= 0.2.2 will resolve your issue; I believe you are hitting https://github.com/0vercl0k/snapshot/issues/8.
Cheers
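A quick sanity check for the symptom diagnosed above, added here as an example (not code from `wtf`, `snapshot` or the reporter): it loads a `regs.json`, and flags any of the flat 32-bit user segments (cs/ss/ds/es) whose limit is `0xfffff` instead of `0xffffffff`, or otherwise not a flat 4 GiB segment. The per-segment object layout (hex-string `selector`/`base`/`limit` fields) is an assumption about the file format, and the sample input is constructed to mirror the report.

```python
import json

# Assumed regs.json layout (not verified against the snapshot tool): each segment
# register is an object with hex-string "selector", "base" and "limit" fields.
FLAT_SEGMENTS = ("cs", "ss", "ds", "es")
FLAT_LIMIT = 0xFFFFFFFF   # expected for a flat 32-bit user-mode segment
SYMPTOM_LIMIT = 0xFFFFF   # the value seen in this thread's regs.json

REASON_SYMPTOM = "limit is 0xfffff instead of 0xffffffff (update snapshot to >= 0.2.2)"
REASON_OTHER = "limit does not describe a flat 4 GiB segment"
REASON_MISSING = "segment register missing from regs.json"


def _hex(value):
    """Accept either hex strings ("0xffff") or plain ints."""
    return int(value, 16) if isinstance(value, str) else int(value)


def check_segment_limits(regs):
    """Return [(segment, limit, reason)] for cs/ss/ds/es entries that do not
    describe a flat 4 GiB segment. An empty list means the state looks sane."""
    findings = []
    for name in FLAT_SEGMENTS:
        seg = regs.get(name)
        if seg is None:
            findings.append((name, None, REASON_MISSING))
            continue
        limit = _hex(seg["limit"])
        if limit == SYMPTOM_LIMIT:
            findings.append((name, limit, REASON_SYMPTOM))
        elif limit != FLAT_LIMIT:
            findings.append((name, limit, REASON_OTHER))
    return findings


def check_regs_json(text):
    """Parse a regs.json document and run the segment-limit check on it."""
    return check_segment_limits(json.loads(text))


# Constructed sample mimicking the bad state from the report (cs/ss limits 0xfffff;
# 0x23/0x2b are the Wow64 user code/data selectors on x64 Windows).
BAD_REGS_JSON = """{
  "rip": "0x8e11d9",
  "cs": {"selector": "0x23", "base": "0x0", "limit": "0xfffff"},
  "ss": {"selector": "0x2b", "base": "0x0", "limit": "0xfffff"},
  "ds": {"selector": "0x2b", "base": "0x0", "limit": "0xffffffff"},
  "es": {"selector": "0x2b", "base": "0x0", "limit": "0xffffffff"}
}"""

if __name__ == "__main__":
    for name, limit, reason in check_regs_json(BAD_REGS_JSON):
        print(name, hex(limit) if limit is not None else "n/a", reason)
```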
Yes, the problem was the old version of `snapshot`.
Thanks
Awesome, sorry for the bug!
Cheers
Hi! I made a test binary referenced by #106. It works properly as a 64-bit binary, but something is wrong with 32-bit. The strange thing is that when tracing, the address of `reader.exe` is not recorded. Instead of this, the start function in `input.trace` is `nt!KiGeneralProtectionFault`.
Code

```c++
#define _CRT_SECURE_NO_WARNINGS
#include
```

harness

```c++
// Disable pagefiles https://www.tomshardware.com/reviews/ssd-performance-tweak,2911-4.html
#include "backend.h"
#include "crash_detection_umode.h"
#include "fshandle_table.h"
#include "fshooks.h"
#include "targets.h"
#include
```

```
kd> .process /i /p ffffd88a3219f080
You need to continue execution (press 'g') for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff804`53bff050 cc              int     3
kd> .reload /user
Loading User Symbols
.....
kd> lmsmu
start             end                 module name
00007ff9`b0ff0000 00007ff9`b11e5000   ntdll      (deferred)
00000000`008e0000 00000000`008e7000   reader     (deferred)
00007ff9`b0e00000 00007ff9`b0e59000   wow64      (deferred)
00000000`77d70000 00000000`77d7a000   wow64cpu   (deferred)
00007ff9`af900000 00007ff9`af983000   wow64win   (deferred)
kd> u 00000000`008e0000 + 11d9
** WARNING: Unable to verify checksum for reader.exe
reader!wmain+0x79 [C:\wtf\targets\reader\harness\reader\main.cpp @ 50]:
00000000`008e11d9 83c408          add     esp,8
00000000`008e11dc 6a00            push    0
00000000`008e11de 6880000040      push    40000080h
00000000`008e11e3 6a03            push    3
00000000`008e11e5 6a00            push    0
00000000`008e11e7 6a01            push    1
00000000`008e11e9 6800000080      push    0FFFFFFFF80000000h
00000000`008e11ee ff7604          push    qword ptr [rsi+4]
kd> bp 00000000`008e0000 + 11d9
kd> g
The context is partially valid. Only x86 user-mode context is available.
Breakpoint 0 hit
reader!wmain+0x79:
00000000`008e11d9 83c408          add     esp,8
32.kd:x86> bc
32.kd:x86> !wow64exts.sw
Switched to Host mode
32.kd> !snapshot c:\dump
[dbgeng-rs] Dumping the CPU state into c:\dump\state.19041.1.amd64fre.vb_release.191206-1406.20240807_0540\regs.json..
[dbgeng-rs] Dumping the memory state into c:\dump\state.19041.1.amd64fre.vb_release.191206-1406.20240807_0540\mem.dmp..
Creating c:\dump\state.19041.1.amd64fre.vb_release.191206-1406.20240807_0540\mem.dmp - Full memory range dump
0% written.
5% written. 40 sec remaining.
ValidateSequenceNumber: Sequence number too far ahead for validation.
10% written. 35 sec remaining.
15% written. 30 sec remaining.
20% written. 30 sec remaining.
25% written. 27 sec remaining.
30% written. 26 sec remaining.
35% written. 24 sec remaining.
40% written. 19 sec remaining.
45% written. 17 sec remaining.
50% written. 16 sec remaining.
55% written. 14 sec remaining.
60% written. 12 sec remaining.
65% written. 11 sec remaining.
70% written. 9 sec remaining.
75% written. 8 sec remaining.
80% written. 7 sec remaining.
85% written. 5 sec remaining.
90% written. 3 sec remaining.
95% written. 1 sec remaining.
Wrote 4.0 GB in 35 sec.
The average transfer rate was 117.0 MB/s.
Dump successfully written
[dbgeng-rs] Done!
```

Symbolizer
Environment
Windows 10 21H2 (OS Build 19044.1288), Hyper-V with 4GB, 1 core
Disabled pagefile + lockmem + disabled KVA shadow via disable-kva.cmd
Attachment https://drive.google.com/file/d/1yVPfTyjE-bWZktyoZ1OFxg9ZmWwjBJ60/view?usp=sharing