dshikashio / Pybag

Python module for Windbg's dbgeng plus additional wrappers.
MIT License

Windows ARM64 is detected as "unknown" #20

Open mscottford opened 1 month ago

mscottford commented 1 month ago

When importing pybag.win32.kernel32 a warning message is displayed that the processor architecture could not be detected. This appears to be because 12 is not in the _arch_map that's used by _get_arch. What's the best way to add it in? I'm happy to help with this one.
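An added example (not pybag's own code, and not the reporter's) of how the detection could work from Python with ctypes: it calls GetNativeSystemInfo, so an x64 Python running under emulation still sees the real ARM64 host, and maps wProcessorArchitecture through the winnt.h values, including 12 (PROCESSOR_ARCHITECTURE_ARM64). The names in the map and the helper names are assumptions, not what pybag's _arch_map actually contains.

```python
"""Detect the native Windows processor architecture, including ARM64 (code 12)."""
import ctypes
import sys

# wProcessorArchitecture values from winnt.h (subset; names are this example's own).
PROCESSOR_ARCHITECTURE = {
    0: "x86",           # PROCESSOR_ARCHITECTURE_INTEL
    5: "ARM",           # PROCESSOR_ARCHITECTURE_ARM
    6: "IA64",          # PROCESSOR_ARCHITECTURE_IA64
    9: "AMD64",         # PROCESSOR_ARCHITECTURE_AMD64
    12: "ARM64",        # PROCESSOR_ARCHITECTURE_ARM64 (the value missing in the report)
    0xFFFF: "unknown",  # PROCESSOR_ARCHITECTURE_UNKNOWN
}


class SYSTEM_INFO(ctypes.Structure):
    # Layout of SYSTEM_INFO from sysinfoapi.h; the leading union is flattened
    # into wProcessorArchitecture + wReserved, which is how current SDKs define it.
    _fields_ = [
        ("wProcessorArchitecture", ctypes.c_uint16),
        ("wReserved", ctypes.c_uint16),
        ("dwPageSize", ctypes.c_uint32),
        ("lpMinimumApplicationAddress", ctypes.c_void_p),
        ("lpMaximumApplicationAddress", ctypes.c_void_p),
        ("dwActiveProcessorMask", ctypes.c_void_p),  # DWORD_PTR
        ("dwNumberOfProcessors", ctypes.c_uint32),
        ("dwProcessorType", ctypes.c_uint32),
        ("dwAllocationGranularity", ctypes.c_uint32),
        ("wProcessorLevel", ctypes.c_uint16),
        ("wProcessorRevision", ctypes.c_uint16),
    ]


def arch_name(code: int) -> str:
    """Map a wProcessorArchitecture value to a name; unlisted codes are 'unknown'."""
    return PROCESSOR_ARCHITECTURE.get(code, "unknown")


def native_arch_code() -> int:
    """Return the host's native wProcessorArchitecture (0xFFFF off Windows)."""
    if sys.platform != "win32":
        return 0xFFFF
    info = SYSTEM_INFO()
    # GetNativeSystemInfo reports the real CPU even for an emulated x86/x64 process.
    ctypes.windll.kernel32.GetNativeSystemInfo(ctypes.byref(info))
    return info.wProcessorArchitecture


if __name__ == "__main__":
    code = native_arch_code()
    print(f"wProcessorArchitecture={code} -> {arch_name(code)}")
```

Getting this right matters for a debugger: a wrong architecture guess means the wrong CONTEXT layout, so register and fault-type reads come back silently misinterpreted rather than failing loudly.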

J-Rigs commented 1 month ago

@mscottford does this Pull Request solve the issue? https://github.com/dshikashio/Pybag/pull/21

mscottford commented 1 month ago

That fixes the specific thing that I reported. I don't get that exact warning anymore.

I was hoping that the problem that I was running into would be fixed so simply. I'm trying to use Ghidra to debug an executable on Windows arm64. From looking through the source for Pybag, it looks like ultimately a context needs to be added for arm64 (and maybe just arm, too) for that to work correctly.

I'm getting the following stack trace when running against the branch for #21.

  File "C:\Users\ScottFord\Downloads\ghidra_11.1.1_PUBLIC_20240614\ghidra_11.1.1_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg\src\ghidradbg\util.py", line 33, in <module>
    from pybag import pydbg, userdbg, kerneldbg, crashdbg
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\__init__.py", line 57, in <module>
    from .pydbg      import DbgEng
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\pydbg.py", line 11, in <module>
    from .dbgeng.idebugclient    import DebugClient
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\dbgeng\idebugclient.py", line 7, in <module>
    from .idebugadvanced        import DebugAdvanced
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\dbgeng\idebugadvanced.py", line 6, in <module>
    from . import win32
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\dbgeng\win32\__init__.py", line 183, in <module>
    from . import kernel32
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\dbgeng\win32\kernel32.py", line 483, in <module>
    ACCESS_VIOLATION_TYPE_READ      = EXCEPTION_READ_FAULT
                                      ^^^^^^^^^^^^^^^^^^^^
NameError: name 'EXCEPTION_READ_FAULT' is not defined

I tried digging into winnt.h to see if I could pull together a context quickly, but I think it might be beyond my experience right now. At least in the time that I have to try and debug this executable. 🤷🏼

Anyway. Awesome project! I look forward to watching it continue to develop. I know that Windows arm/arm64 isn't super common at the moment. I'm running within a VM from macOS.

dshikashio commented 1 month ago

This requires adding a new context_XXX.py file for each missing architecture (in this case ARM64). This should only matter if you are using GetThreadContext from IDebugAdvanced.