Wenzel
commented
6 years ago The value of Win32StartAddress is correct. The problem is that it's a userland address that is just not mapped yet therefore, there is no physical frame.
Open Wenzel opened 6 years ago
Wenzel
commented
6 years ago The value of Win32StartAddress is correct. The problem is that it's a userland address that is just not mapped yet therefore, there is no physical frame.
Wenzel
commented
6 years ago Solution 1: watch the page tables until the missing page is inserted:
Solution 2:
MmAccessFaultSolution 3:
ntdll!RtlUserThreadStart or ntdll!LdrpInitializeThreadWenzel
commented
6 years ago The safe_breakpoint callbacks are not safe yet.
There is a moment where the guest is paused, and no event is being reported.
Waiting for events
{'data': {'mem_event': <libvmi.event.MemEvent object at 0x7fb6eab24f98>,
'symbol': 'MmAccessFault',
'target_gfn': 10449,
'target_vaddr': 18446735277659332128},
'slat_id': 0,
'type': 'SINGLESTEP',
'vcpu_id': 0,
'version': 5,
'x86_regs': {'rax': '0xfffffa80010d64f0',
'rip': '0xfffff800028d1c0f',
'rsp': '0xfffff88002f84420'}}
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for events
Waiting for eventsWe need to debug this.
Wenzel
commented
6 years ago Another solution would be to find the Windows kernel API responsible for mapping a defined page, and break on it.
Wenzel
commented
6 years ago new solution: singlestep until ring 3
problem is that i'm not receiving single step event at some point...
Wenzel
commented
6 years ago Blocked by https://github.com/libvmi/libvmi/issues/636
To be really useful, we need to be able to attach to a new process being created, and break on the entrypoint.
This address should be in the
Win32StartAddressfield of theETHREAD.with the latest progress on
symbolsbranch:the
Win32StartAddressfield contains an uncomplete/invalid address. is this an offset ???Next steps: