DynamoRIO / dynamorio

Dynamic Instrumentation Tool Platform

CRASH : On cmake builds - "Could not read process memory" on trying to inject x86-64 process from WOW64 (32bits) using any tool/client since PRi#803 #4927

Open N0fix opened 3 years ago

N0fix commented 3 years ago

Describe the bug

Upon using any given tool (drcov/drstrace) or an empty client to trace a 32-bit PE executable spawning a 64-bit PE executable, DynamoRIO throws an error stating that it cannot read memory (twice), then informs that it cannot inject into the target process due to "Failed to follow into child process : Option propagation failed to find ProcessParameters." Reading the loaded modules of the spawned target process using Process Hacker 2 shows that DynamoRIO.dll is injected into the process at the time of the assert popup stating "Failed to follow into child process : Option propagation failed to find ProcessParameters.".

Using the old injection (adding the -late option to drrun.exe) shows a different error (and no memory read error): "Failed to follow into child process: Failed to get context of child thread".

Additional information: the process is spawned and stays in a suspended state in both cases (-late or not). This might indicate that dr_inject_process_create is working fine but the later injection fails (I guess that those are the APIs used by drrun, but I did not check that).

This behavior has happened since PRi#803. Any version prior to this PR just does not try to follow the child process.

To Reproduce

Steps to reproduce the behavior:

Create an empty client

#include "dr_api.h"

/* Empty client: registers no events, so DynamoRIO only has to load it and
   follow the process (and, since PRi#803, its children). */
DR_EXPORT void
dr_client_main(client_id_t id, int argc, const char *argv[])
{
}

Compile it as both 32-bit and 64-bit.

Create the following application

Application is named "ConsoleApplication1.exe".

#include "stdafx.h"
#include <windows.h>

int main()
{
    STARTUPINFOW si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    /* CreateProcess requires cb to be set; everything else may stay zeroed. */
    si.cb = sizeof(si);
    /* Site-specific path to the x64 build of the copied executable;
       CreateProcessW needs a writable buffer, hence the array. */
    wchar_t cmd[] = L"C:\\fullprojectpath\\x64\\Release\\ConsoleApplication2.exe";
    PVOID oldvalue = nullptr;
    /* _WIN64 is defined by the compiler for x64 targets, unlike WIN32, which
       depends on the project's preprocessor settings. */
#ifdef _WIN64
    MessageBoxA(nullptr, "ConsoleApp", "x64", MB_OK);
#else
    MessageBoxA(nullptr, "ConsoleApp", "x86", MB_OK);
#endif
    /* Copy ourselves to ConsoleApplication2.exe. bFailIfExists=TRUE means the
       copy (and therefore the spawn) only happens in the first process: the
       64-bit child finds the file already present and simply returns. */
    if (CopyFileA("ConsoleApplication1.exe", "ConsoleApplication2.exe", TRUE)) {
        DWORD flags = 0;
        /* Disable WOW64 file-system redirection so the 32-bit parent can
           reach the 64-bit image, then spawn it. */
        if (!Wow64DisableWow64FsRedirection(&oldvalue) ||
            !CreateProcessW(nullptr, cmd, nullptr, nullptr, FALSE, flags,
                            nullptr, nullptr, &si, &pi)) {
            MessageBoxA(nullptr, "ConsoleApp", "Err spawning 64bits proc", MB_OK);
        } else {
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
        ExitProcess(0);
    }
    return 0;
}

Build it as both an x64 and a Win32 app.

Instrument with drrun

Instrumenting the 32-bit ConsoleApplication1.exe:

bin32\drrun.exe -debug -c32 .\dummy32.dll -- -c64 .\dummy64.dll -- .\ConsoleApplication1.exe

Versions

derekbruening commented 3 years ago

The win32.xarch test has been passing all this time. I think the first step is to figure out what is different in your test and win32.xarch on the GA CI. win32.xarch runs create_process to launch common.eflags.exe, with the large_options client -- so at first glance it seems comparable to this test. Does win32.xarch pass on your machine? Maybe it is something specific to your machine.

N0fix commented 3 years ago

The win32.xarch test has been passing all this time. I think the first step is to figure out what is different in your test and win32.xarch on the GA CI. win32.xarch runs create_process to launch common.eflags.exe, with the large_options client -- so at first glance it seems comparable to this test. Does win32.xarch pass on your machine? Maybe it is something specific to your machine.

I am not familiar with those procedures, can you provide me a link that would help me run those tests?

derekbruening commented 3 years ago

The win32.xarch test has been passing all this time. I think the first step is to figure out what is different in your test and win32.xarch on the GA CI. win32.xarch runs create_process to launch common.eflags.exe, with the large_options client -- so at first glance it seems comparable to this test. Does win32.xarch pass on your machine? Maybe it is something specific to your machine.

I am not familiar with those procedures, can you provide me a link that would help me run those tests?

https://dynamorio.org/page_test_suite.html#autotoc_md263

Something like, in a 64-bit Visual Studio shell:

$ cmake -GNinja -DBUILD_TESTS=ON -DDEBUG=ON ../src
$ ninja
$ ctest -V -R win32.xarch

N0fix commented 3 years ago

Something like, in a 64-bit Visual Studio shell:

$ cmake -GNinja -DBUILD_TESTS=ON -DDEBUG=ON ../src
$ ninja
$ ctest -V -R win32.xarch

I have been running the tests with:

$ cmake -GNinja -DBUILD_TESTS=ON -DDEBUG=ON ..
$ ninja
$ ctest -V -R win32.xarch

Please note that I have added the environment variable ASM=ml64 as I was building an x64 build.

The test is not passing. The only error I can see is a regex one (maybe that is how the test is done, I am no expert in unit testing). Do you have an idea about what went wrong?

Here is the complete output of the test that I ran in a 64-bit Visual Studio shell:

UpdateCTestConfiguration  from :C:/Users/IEUser/Documents/DynamoRIO/build/DartConfiguration.tcl
Parse Config file:C:/Users/IEUser/Documents/DynamoRIO/build/DartConfiguration.tcl
UpdateCTestConfiguration  from :C:/Users/IEUser/Documents/DynamoRIO/build/DartConfiguration.tcl
Parse Config file:C:/Users/IEUser/Documents/DynamoRIO/build/DartConfiguration.tcl
Test project C:/Users/IEUser/Documents/DynamoRIO/build
Constructing a list of tests
Done constructing a list of tests
Updating test list for fixtures
Added 0 tests to meet fixture requirements
Checking test dependency graph...
Checking test dependency graph end
test 8
    Start 8: win32.xarch

8: Test command: "C:\Program Files\CMake\bin\ctest.exe" "-V" "--build-and-test" "C:/Users/IEUser/Documents/DynamoRIO" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch" "--build-generator" "Ninja" "--build-target" "dynamorio" "--build-target" "common.eflags" "--build-target" "client.large_options.dll" "--build-noclean" "--build-makeprogram" "C:/PROGRA~2/MIB055~1/2017/COMMUN~1/Common7/IDE/COMMON~1/MICROS~1/CMake/Ninja/ninja.exe" "--build-options" "-DDEBUG=ON" "-DBUILD_TESTS=ON" "-DBUILD_DOCS=OFF" "-DBUILD_SAMPLES=OFF" "-DBUILD_EXT=OFF" "-DBUILD_CLIENTS=OFF" "--test-command" "C:/Users/IEUser/Documents/DynamoRIO/build/bin64/drrun.exe" "-dr_home" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch" "-stderr_mask" "0xC" "-msgbox_mask" "0" "-dumpcore_mask" "0x7d" "-staged" "-c32" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/client.large_options.dll.dll" "-paramA" "foo" "-paramB" "bar" "--" "-c64" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/bin/client.large_options.dll.dll" "-paramA" "foo" "-paramB" "bar" "--" "C:/Users/IEUser/Documents/DynamoRIO/build/bin64/create_process.exe" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/common.eflags.exe"
8: Environment variables: 
8:  ASM=ml
8:  PATH=C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\bin\HostX86\x86;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\VC\VCPackages;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\bin\Roslyn;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Team Tools\Performance Tools\x64;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Team Tools\Performance Tools;C:\Program Files (x86)\Microsoft Visual Studio\Shared\Common\VSPerfCollectionTools\\x64;C:\Program Files (x86)\Microsoft Visual Studio\Shared\Common\VSPerfCollectionTools\;C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6.1 Tools\x64\;C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64;C:\Program Files (x86)\Windows Kits\10\bin\x64;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\\MSBuild\15.0\bin;C:\Windows\Microsoft.NET\Framework64\v4.0.30319;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\Tools\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\OpenSSH\bin;C:\Program Files\CMake\bin;C:\Strawberry\c\bin;C:\Strawberry\perl\site\bin;C:\Strawberry\perl\bin;;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\CommonExtensions\Microsoft\CMake\Ninja
8:  LIB=C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\x86;C:\Program Files (x86)\Windows Kits\NETFXSDK\4.6.1\lib\um\x86;C:\Program Files (x86)\Windows Kits\10\lib\10.0.17763.0\ucrt\x86;C:\Program Files (x86)\Windows Kits\10\lib\10.0.17763.0\um\x86;
8:  LIBPATH=C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\x86;C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\lib\x86\store\references;C:\Program Files (x86)\Windows Kits\10\UnionMetadata\10.0.17763.0;C:\Program Files (x86)\Windows Kits\10\References\10.0.17763.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319;
8: Test timeout computed to be: 1500
8: Internal cmake changing into directory: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch
8: ======== CMake output     ======
8: Building for x86
8: Version number: 8.0.0
8: Found assembler: C:/Program Files (x86)/Microsoft Visual Studio/2017/Community/VC/Tools/MSVC/14.16.27023/bin/Hostx86/x86/ml.exe
8: Found message compiler: C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x64/mc.exe
8: Targeting subsystem 5.01
8: MFC not found: disabling DRstats
8: Could NOT find ZLIB (missing: ZLIB_LIBRARY) (found version "1.2.11")
8: WARNING: vera++ not found: disabling code style checks
8: Using Visual Studio 12 generators
8: Processing tests and generating expected output patterns
8: Found C:/Strawberry/c/bin/libstdc++-6.dll, enabling api.symtest
8: Configuring done
8: Generating done
8: Build files have been written to: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch
8: ======== End CMake output ======
8: Change Dir: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch
8: 
8: Run Build Command(s):C:/PROGRA~2/MIB055~1/2017/COMMUN~1/Common7/IDE/COMMON~1/MICROS~1/CMake/Ninja/ninja.exe dynamorio && ninja: no work to do.
8: 
8: Change Dir: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch
8: 
8: Run Build Command(s):C:/PROGRA~2/MIB055~1/2017/COMMUN~1/Common7/IDE/COMMON~1/MICROS~1/CMake/Ninja/ninja.exe common.eflags && ninja: no work to do.
8: 
8: Change Dir: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch
8: 
8: Run Build Command(s):C:/PROGRA~2/MIB055~1/2017/COMMUN~1/Common7/IDE/COMMON~1/MICROS~1/CMake/Ninja/ninja.exe client.large_options.dll && ninja: no work to do.
8: 
8: Running test command: "C:/Users/IEUser/Documents/DynamoRIO/build/bin64/drrun.exe" "-dr_home" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch" "-stderr_mask" "0xC" "-msgbox_mask" "0" "-dumpcore_mask" "0x7d" "-staged" "-c32" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/client.large_options.dll.dll" "-paramA" "foo" "-paramB" "bar" "--" "-c64" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/bin/client.large_options.dll.dll" "-paramA" "foo" "-paramB" "bar" "--" "C:/Users/IEUser/Documents/DynamoRIO/build/bin64/create_process.exe" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/common.eflags.exe"
8: large_options passed: -paramA foo -paramB bar
8: creating subprocess "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/common.eflags.exe"
8: OK 1 CF
8: OK 0 CF
8: OK 1 PF
8: OK 0 PF
8: OK 1 AF
8: OK 0 AF
8: OK 1 ZF
8: OK 0 ZF
8: OK 1 SF
8: OK 0 SF
8: OK 1 DF
8: OK 0 DF
8: OK 1 OF
8: OK 0 OF
8: parent done
8: large_options exiting
8: 
1/1 Test #8: win32.xarch ......................***Failed  Required regular expression not found. Regex=[.*large_options passed: -paramA foo -paramB bar
creating subprocess ".*xarch/suite/tests/bin/common.eflags.exe"
large_options passed: -paramA foo -paramB bar
OK 1 CF
OK 0 CF
OK 1 PF
OK 0 PF
OK 1 AF
OK 0 AF
OK 1 ZF
OK 0 ZF
OK 1 SF
OK 0 SF
OK 1 DF
OK 0 DF
OK 1 OF
OK 0 OF
large_options exiting
parent done
large_options exiting
[ 
]*$
] 11.73 sec
Internal cmake changing into directory: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch
======== CMake output     ======
Building for x86
Version number: 8.0.0
Found assembler: C:/Program Files (x86)/Microsoft Visual Studio/2017/Community/VC/Tools/MSVC/14.16.27023/bin/Hostx86/x86/ml.exe
Found message compiler: C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x64/mc.exe
Targeting subsystem 5.01
MFC not found: disabling DRstats
Could NOT find ZLIB (missing: ZLIB_LIBRARY) (found version "1.2.11")
WARNING: vera++ not found: disabling code style checks
Using Visual Studio 12 generators
Processing tests and generating expected output patterns
Found C:/Strawberry/c/bin/libstdc++-6.dll, enabling api.symtest
Configuring done
Generating done
Build files have been written to: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch
======== End CMake output ======
Change Dir: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch

Run Build Command(s):C:/PROGRA~2/MIB055~1/2017/COMMUN~1/Common7/IDE/COMMON~1/MICROS~1/CMake/Ninja/ninja.exe dynamorio && ninja: no work to do.

Change Dir: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch

Run Build Command(s):C:/PROGRA~2/MIB055~1/2017/COMMUN~1/Common7/IDE/COMMON~1/MICROS~1/CMake/Ninja/ninja.exe common.eflags && ninja: no work to do.

Change Dir: C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch

Run Build Command(s):C:/PROGRA~2/MIB055~1/2017/COMMUN~1/Common7/IDE/COMMON~1/MICROS~1/CMake/Ninja/ninja.exe client.large_options.dll && ninja: no work to do.

Running test command: "C:/Users/IEUser/Documents/DynamoRIO/build/bin64/drrun.exe" "-dr_home" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch" "-stderr_mask" "0xC" "-msgbox_mask" "0" "-dumpcore_mask" "0x7d" "-staged" "-c32" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/client.large_options.dll.dll" "-paramA" "foo" "-paramB" "bar" "--" "-c64" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/bin/client.large_options.dll.dll" "-paramA" "foo" "-paramB" "bar" "--" "C:/Users/IEUser/Documents/DynamoRIO/build/bin64/create_process.exe" "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/common.eflags.exe"
large_options passed: -paramA foo -paramB bar
creating subprocess "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/common.eflags.exe"
OK 1 CF
OK 0 CF
OK 1 PF
OK 0 PF
OK 1 AF
OK 0 AF
OK 1 ZF
OK 0 ZF
OK 1 SF
OK 0 SF
OK 1 DF
OK 0 DF
OK 1 OF
OK 0 OF
parent done
large_options exiting

0% tests passed, 1 tests failed out of 1

Total Test time (real) =  11.88 sec

The following tests FAILED:
      8 - win32.xarch (Failed)
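
The expected regex above requires two "large_options passed" and two "large_options exiting" lines (one pair from create_process.exe, one from the spawned common.eflags.exe), while the actual output contains only one of each: the client is loaded in the parent but never in the child. Note also, from the quoted test command, that win32.xarch runs a 64-bit parent (bin64/create_process.exe) spawning a 32-bit child (the xarch build is "Building for x86"), the reverse direction of the reported 32-to-64 case. As an added example that is not part of the issue or of the DynamoRIO test suite, the following Python script applies that reading mechanically: it counts client load/exit lines against "creating subprocess" lines and reports whether every spawned child was instrumented. The two log samples are constructed from the output quoted above (trimmed to the lines that matter), and the message patterns are assumptions taken from those lines rather than from the large_options client's source.

```python
import re
from collections import Counter

# Constructed sample: the actual drrun output quoted in the failing ctest run,
# trimmed to the lines the win32.xarch expected-output regex keys on.
ACTUAL_OUTPUT = """\
large_options passed: -paramA foo -paramB bar
creating subprocess "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/common.eflags.exe"
OK 1 CF
OK 0 CF
parent done
large_options exiting
"""

# Constructed sample: the sequence the expected-output regex requires, i.e. the
# child common.eflags.exe also loading and unloading the client.
EXPECTED_OUTPUT = """\
large_options passed: -paramA foo -paramB bar
creating subprocess "C:/Users/IEUser/Documents/DynamoRIO/build/suite/tests/xarch/suite/tests/bin/common.eflags.exe"
large_options passed: -paramA foo -paramB bar
OK 1 CF
OK 0 CF
large_options exiting
parent done
large_options exiting
"""

# Assumed message formats, taken from the quoted log lines.
CLIENT_LOAD = re.compile(r"^large_options passed: (?P<opts>.*)$")
CLIENT_EXIT = re.compile(r"^large_options exiting$")
SPAWN = re.compile(r'^creating subprocess "(?P<path>[^"]+)"$')


def analyze(output):
    """Count client load/exit lines against spawned subprocesses.

    Every instrumented process prints one 'large_options passed' line when the
    client initialises and one 'large_options exiting' line at exit, so with
    follow-children working both counts must equal 1 + number of spawns.
    """
    counts = Counter()
    spawned = []
    option_sets = set()
    for line in output.splitlines():
        m = CLIENT_LOAD.match(line)
        if m:
            counts["load"] += 1
            option_sets.add(m.group("opts"))
            continue
        if CLIENT_EXIT.match(line):
            counts["exit"] += 1
            continue
        m = SPAWN.match(line)
        if m:
            spawned.append(m.group("path"))
    want = 1 + len(spawned)
    return {
        "spawned": spawned,
        "client_loads": counts["load"],
        "client_exits": counts["exit"],
        "option_sets": option_sets,
        "children_instrumented": counts["load"] == want and counts["exit"] == want,
    }


def diagnose(output):
    """One-line verdict distinguishing 'child not spawned' from 'child spawned
    but the client never ran in it', which is what the failing regex hides."""
    r = analyze(output)
    if not r["spawned"]:
        return "no subprocess was created"
    if r["children_instrumented"]:
        return "ok: client loaded in parent and all %d child process(es)" % len(r["spawned"])
    short = 1 + len(r["spawned"]) - r["client_loads"]
    return "child not instrumented: %d spawned, %d client load(s) missing" % (len(r["spawned"]), short)


if __name__ == "__main__":
    print("actual  :", diagnose(ACTUAL_OUTPUT))
    print("expected:", diagnose(EXPECTED_OUTPUT))
```

Run against the quoted output it reports one spawn and one missing client load, which separates this failure (injection into the child did not complete) from the other two possibilities a bare regex mismatch could mean: the child never being created, or the client running with different options in the child.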

N0fix commented 3 years ago

Apart from the build from sources, the same incorrect behavior occurs using the prebuilt cronbuild binaries. EDIT: managed to pass the tests on another Windows 10. I'm investigating whether the issue is still occurring.

N0fix commented 3 years ago

Some updates. I have been building DynamoRIO from source on different Windows OSes (10/7), and cmake builds fail the win32.xarch test, while ninja ones pass the test. No idea why my first build in my above messages using ninja failed. Maybe I was mixing up cmake and ninja builds at the time.

derekbruening commented 3 years ago

cmake builds fail the win32.xarch test, while ninja ones pass the test.

All builds use cmake to configure. Do you mean building with a Visual Studio (2017?) generator fails, while a ninja generator passes? The GA CI uses ninja: https://github.com/DynamoRIO/dynamorio/runs/2718908036?check_suite_focus=true

N0fix commented 3 years ago

All builds use cmake to configure. Do you mean building with a Visual Studio (2017?) generator fails, while a ninja generator passes? The GA CI uses ninja: https://github.com/DynamoRIO/dynamorio/runs/2718908036?check_suite_focus=true

Yes, building with Visual Studio 2017 fails while Ninja passes, e.g. from an x86 Visual Studio prompt:

cmake -G"Visual Studio 15 2017" -DBUILD_TESTS=on ..
cmake --build . --config RelWithDebInfo
ctest -V -R win32.xarch # fails
cmake -G"Ninja" -DBUILD_TESTS=on ..
ninja
ctest -V -R win32.xarch # pass

(The same behavior happens in x64, no matter whether it is a debug build or not.)