search

illera88 / Ponce

IDA 2016 plugin contest winner! Symbolic Execution just one-click away!
https://docs.idaponce.com
Other
1.48k stars 72 forks source link

Access violation exception causing crash in IDA Pro 7.5 #120

Closed nikhilh-20 closed 3 years ago

nikhilh-20 commented 3 years ago

I'm running Python 2.7.18 on IDA 7.5.200619 and Ponce v0.3 causes a crash when exiting IDA. I don't know how to debug dump files but here's a WinDbg analysis:

...
...
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(eb4.1328): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
ntdll!NtGetContextThread+0x14:
00007ffa`ec57e484 c3              ret
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for Ponce.dll
*** WARNING: Unable to verify checksum for ida.dll
*** WARNING: Unable to verify checksum for ida.exe
*** WARNING: Unable to verify checksum for Qt5Widgets.dll
*** WARNING: Unable to verify checksum for Qt5Core.dll
*** WARNING: Unable to verify checksum for Qt5Gui.dll
*** WARNING: Unable to verify checksum for qwindows.dll

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Execute

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-EUFQHRN

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 3

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 97

    Key  : Analysis.System
    Value: CreateObject

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 53890

    Key  : Timeline.Process.Start.DeltaSec
    Value: 153

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=0000000000000000 rbx=000002aebd6333b0 rcx=0000000000000201
rdx=00007ffab0bb3480 rsi=00007ffab1b7f930 rdi=000002aebd3f7ec0
rip=0000000000000000 rsp=000000fe277fa8b8 rbp=0000000000000000
 r8=0000000000000000  r9=000000000000005d r10=0000000000000007
r11=000000fe277fa3c0 r12=0000000000000000 r13=0000000000000000
r14=000002aeba75c340 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
00000000`00000000 ??              ???
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000000000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000008
   Parameter[1]: 0000000000000000
Attempt to execute non-executable address 0000000000000000

PROCESS_NAME:  ida.exe

EXECUTE_ADDRESS: 0

FAILED_INSTRUCTION_ADDRESS: 
+0
00000000`00000000 ??              ???

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000008

EXCEPTION_PARAMETER2:  0000000000000000

SYMBOL_NAME:  ponce!triton::arch::OperandWrapper::getConstImmediate+70fa

MODULE_NAME: Ponce

IMAGE_NAME:  Ponce.dll

STACK_COMMAND:  ~0s ; .ecxr ; kb

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_c0000005_Ponce.dll!triton::arch::OperandWrapper::getConstImmediate

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {e0e2c56d-e79d-370b-001c-5f101705e71e}

Followup:     MachineOwner
---------

I haven't used any features of Ponce yet. I have just installed it, so I don't know if this exception is caused while using any Ponce feature as well. Let me know if you need anything else from me.

illera88 commented 3 years ago

Does it only crash when exiting IDA? The stack trace is not helpful in this case. What we can do is adding an option in the config so it can save debug info to a file and you can send that so we can figure out what is going on.

nikhilh-20 commented 3 years ago

That's what I've observed so far. I tried the following steps to see if it crashes

This did not crash Ponce. Snippets like the following were seen in the console:

...
...
[+] Triton asking IDA for already syncronized register: edx. IDA returns value: 0x50 (P)
[+] Triton at 0x701019 : test edx, edx (Thread id: 3260)
[+] Triton asking IDA for already syncronized register: zf. IDA returns value: 0x0 
[+] Triton at 0x70101b : je 0x70103c (Thread id: 3260)
[+] Triton asking IDA for already syncronized register: ebp. IDA returns value: 0xaffa4c ()
[+] Triton asking IDA for already syncronized memory address: 0xaffa48 Size: 4. Value: 0xaffc5f ()
...
...

Is there an existing option to save the debug info to a file? I see there are two options for verbosity, Show Ponce debug info and Show EXTRA Ponce debug info but there's no option to save it to a user-defined file. It seems to print to IDA's console. Below is what prints to the console when I startup IDA and choose Show EXTRA Ponce debug info

[i] Config file Ponce.cfg not found

limitTime: 60
limitInstructionsTracingMode: 10000
use_symbolic_engine: symbolic engine enabled
showDebugInfo: true
showExtraDebugInfo: true
CONCRETIZE_UNDEFINED_REGISTERS: false
CONSTANT_FOLDING: false
SYMBOLIZE_INDEX_ROTATION: false
AST_OPTIMIZATIONS: false
TAINT_THROUGH_POINTERS: false
addCommentsControlledOperands: true
RenameTaintedFunctionNames: true
addCommentssymbolizexpresions: false
color_tainted: 99ffce
color_tainted_execution: e6e6e6
color_tainted_condition: b377
[+] Ponce plugin running!

Also, if it's relevant I don't see a Tainting options in the config file like I see in the Negate and inject a condition section in the README. Maybe, it's related to some features not loading or faulty loading which causes a crash later.

no_tainting_options

nikhilh-20 commented 3 years ago

I noticed there's the Optimizations section in my config file but not in the README illustrations. Is the README updated?

0ca commented 3 years ago

Hi @nikhilh-20 some images are not updated. We removed some configuration to simplify the usage. But that shouldn't be related with your issue.

I bet this issue is related with the function term executed when IDA closes: https://github.com/illera88/Ponce/blob/02116585118b647d3bd56404e00f81141a2b6864/src/main.cpp#L177

We will try to replicate it.

illera88 commented 3 years ago

Hi @nikhilh-20 ,

Sorry for the delay.

Can you try something? Can you delete the config file created by Ponce and try to run it again? It will create a new config file.

Let me know if it crashes.

nikhilh-20 commented 3 years ago

Interesting, I tried that. Ponce v0.3 doesn't seem to crash on 32-bit IDA Pro 7.5 (decompiler included) but it still crashes on 64-bit IDA Pro 7.5.

illera88 commented 3 years ago

Hi @nikhilh-20, There is a couple new versions of Ponce that hopefully address the issue you were facing. I'm closing this issue but feel free to reopen if problem persist in the last version.

Cheers