a1ext / labeless

Labeless is a multipurpose IDA Pro plugin system for labels/comments synchronization with a debugger backend, with complex memory dumping and interactive Python scripting capabilities.

IDADump randomly fail to read memory regions #51

Closed tim-le closed 4 years ago

tim-le commented 5 years ago

IDADump issue

Environment

labeless v1.1.4.0, 64 bit x64dbg, python2,

IDA-side information

In the PyOlly stderr logs, sometimes VirtualQueryEx failed with error 998; however, the memory region was surely accessible in x64dbg.

Problem Description

Describe the problem/bug as clearly as possible.

Steps to Reproduce

1. Try IDADump by regions, then check the stderr log, then compare the dumped result in the IDA hex view to the x64dbg memory view.

Possible Solutions

I think the problem could be a bug in python2 ctypes (python3 seems to have no such issues); however, we could handle it carefully. I found two APIs were referred to, VirtualProtectEx and VirtualQueryEx, and both have SIZE_T in their prototype. See https://github.com/a1ext/labeless/blob/2f6c867deba6c414b8ed83d911c7b86dc9dd2d73/deploy/labeless/backend/x64dbg/utils.py#L208 and https://github.com/a1ext/labeless/blob/2f6c867deba6c414b8ed83d911c7b86dc9dd2d73/deploy/labeless/backend/x64dbg/utils.py#L213

For example, look at C.sizeof(mbi): it gives a 32-bit int 0x30, but it should be a SIZE_T in the prototype, which is 64 bits on x64,
or ctypes will finally call VirtualQueryEx with an undefined high 32-bit value like 0x????????00000030. After changing to C.c_size_t(C.sizeof(mbi)) and C.c_size_t(GRANULARITY), IDADump works perfectly.
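An added example, not labeless's code, showing both ways to keep dwLength at SIZE_T width when calling VirtualQueryEx through ctypes: declaring argtypes on the prototype, and wrapping the length in C.c_size_t as described above. The kernel32 stand-in used off Windows, the handle value and the region contents are constructed for this example.

```python
import ctypes as C
import sys

class MEMORY_BASIC_INFORMATION(C.Structure):
    # Win32 layout; ctypes pads it to 0x30 bytes on x64 (0x1C on x86).
    _fields_ = [("BaseAddress", C.c_void_p), ("AllocationBase", C.c_void_p),
                ("AllocationProtect", C.c_uint32), ("RegionSize", C.c_size_t),
                ("State", C.c_uint32), ("Protect", C.c_uint32), ("Type", C.c_uint32)]

def marshalled_width(arg):
    """Bytes ctypes hands the callee for one argument when the function has
    no argtypes: a bare Python int becomes a C int (4 bytes), so a SIZE_T
    parameter only receives its low half; a ctypes instance keeps its own size."""
    return C.sizeof(C.c_int) if isinstance(arg, int) else C.sizeof(arg)

def dwlength_widths(mbi_size):
    """Compare how the two spellings from the issue reach VirtualQueryEx."""
    return {"bare int": marshalled_width(mbi_size),
            "c_size_t": marshalled_width(C.c_size_t(mbi_size))}

def fake_virtual_query_ex(hprocess, address, pmbi, length):
    """Constructed stand-in for kernel32.VirtualQueryEx so this runs off Windows.
    It refuses a bare int dwLength (the hazard from the issue) and fills in
    one committed read/write page starting at the queried address."""
    if not isinstance(length, C.c_size_t):
        raise TypeError("dwLength marshalled as int, not SIZE_T")
    mbi = pmbi.contents
    mbi.BaseAddress, mbi.AllocationBase = address.value, address.value
    mbi.RegionSize, mbi.State, mbi.Protect = 0x1000, 0x1000, 0x04  # MEM_COMMIT, PAGE_READWRITE
    return length.value

def bind_virtual_query_ex():
    """First fix: declare argtypes so ctypes itself widens bare ints to SIZE_T
    and interprets the SIZE_T return value correctly."""
    if sys.platform != "win32":
        return fake_virtual_query_ex
    fn = C.windll.kernel32.VirtualQueryEx
    fn.argtypes = [C.c_void_p, C.c_void_p, C.POINTER(MEMORY_BASIC_INFORMATION), C.c_size_t]
    fn.restype = C.c_size_t
    return fn

def query_region(virtual_query_ex, hprocess, address):
    """Second fix: wrap dwLength in c_size_t explicitly, as the issue suggests,
    so the call is correct even where argtypes were never set."""
    mbi = MEMORY_BASIC_INFORMATION()
    length = C.c_size_t(C.sizeof(mbi))
    if virtual_query_ex(hprocess, C.c_void_p(address), C.pointer(mbi), length) == 0:
        return None  # caller should read GetLastError() here (e.g. 998)
    return {"base": mbi.BaseAddress, "size": mbi.RegionSize, "state": mbi.State,
            "protect": mbi.Protect, "dwLength": length.value}

if __name__ == "__main__":
    print(query_region(bind_virtual_query_ex(), -1, 0x400000))  # -1: current-process pseudo-handle
```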

a1ext commented 4 years ago

Hi @tim-le, thanks for the contribution. There is a build of the fix, could you install the .whl and check if it solves your issue?