Open FuzzySecurity opened 1 year ago
Hi @FuzzySecurity, thx for the bug report!
Do you have any anti-virus that could have injected the dbgeng.dll or dbghelp.dll into binaryninja.exe?
The issue is we must load a particular dbgeng.dll/dbghelp.dll that comes with the binary ninja installation, rather than the one that comes with the system. However, when anti-virus injects dbgeng.dll, they typically inject the system one.
Can you use some tool, e.g., ProcessExplorer to check the list of loaded DLLs in the binaryninja.exe?
I am transferring this issue to our debugger repo.
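The loaded-module check requested above can also be scripted instead of read from Process Explorer. The following PowerShell is an added example, not part of the original thread or of Binary Ninja's own tooling; it assumes the bundled copies of the two DLLs live somewhere under the directory that contains binaryninja.exe.

```powershell
# Added example: report where a running binaryninja.exe loaded dbgeng.dll and
# dbghelp.dll from. Run it from a 64-bit PowerShell at the same or higher
# privilege level as the target process, otherwise the module list is not readable.
# Assumption: the bundled DLLs live under the directory that holds binaryninja.exe.
$watched = 'dbgeng.dll', 'dbghelp.dll'

$procs = Get-Process -Name binaryninja -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning 'binaryninja.exe is not running'
    return
}

foreach ($proc in $procs) {
    # Directory of the main executable, with a trailing separator so that a
    # sibling directory sharing the same prefix does not match by accident.
    $installDir = (Split-Path -Parent $proc.MainModule.FileName).TrimEnd('\') + '\'

    $proc.Modules |
        Where-Object { $watched -contains $_.ModuleName.ToLower() } |
        ForEach-Object {
            $fromInstall = $_.FileName.StartsWith(
                $installDir, [StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                PID         = $proc.Id
                Module      = $_.ModuleName
                Path        = $_.FileName
                FileVersion = $_.FileVersionInfo.FileVersion
                Origin      = if ($fromInstall) { 'install dir' } else { 'OUTSIDE install dir' }
            }
        }
}
```

A row marked `OUTSIDE install dir` (for example a path under System32) means that copy was mapped into the process first; it does not by itself say which component triggered the load.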
Hey @xusheng6, I wouldn't expect AV/EDR to inject the dbg libraries into a process they inspect. But I checked for you: dbgeng is loaded from the binja folder. dbghelp is not, it is loaded from System32 (I think this must be a path issue, it's not AV).
It is very likely caused by AV or some other products. In fact, I have helped another customer troubleshoot this issue and found out it is his AV injecting the dbghelp.dll. To figure out who actually causes the system dbghelp.dll to be loaded in binaryninja.exe, you can take the following steps:
That really shouldn't be the case. The dbg libraries are not used by AV or EDR, they aren't meant to be. In any case, I completely disabled AV and you can see binja tries to look in a number of different places for the library before loading it from System32. Then later it tries to load again from the correct folder but I guess it doesn't because the same library is already present in the module memory space (it will be registered at that point in PEB_LDR_DATA).
I think the logic when the module is initially loaded by binja needs a patch, probably to look in the correct directory. Stack trace is fine.
Btw, have you joined our slack https://slack.binary.ninja?
heh. it's irrelevant nowadays, since everybody explicitly loads it by path instead of strongname, but you can do some things with SxS to ensure that you link with the exact versions of dbghelp/dbgeng that you require (https://github.com/arizvisa/dbgeng.msi/tree/master/Makefile). really, tho, m$ should've resolved this for all of us python-dbgeng-library users a long time ago.
For me the WinDbg integration is not working. I tried this on the mainline version and in dev as well. I also tried to Reinstall DbgEng Redistributable, which didn't make any difference. Sample output below of spawning a process to debug:
It looks ok on the filesystem.
Binary Ninja Version: 3.4.4080-dev Personal, 842d9298
Platform: Windows 11 Version 21H2