Closed (USSCltd closed 7 years ago)

An error occurred in the process of taint execution (IDA 6.8 (Win8.0 x64) -> WinDbg (Win7 SP1 x32)): Instruction at 0x77956c72 not supported by Triton: sysenter. I know Triton is applied to x64 ELF files (Linux only)...
Is it possible to limit the coverage area in the trace (e.g. only the executable, not the libraries)? Do I understand correctly that the trace goes through breakpoints and not through a DBI (Pin)? Thanks.

Hi @USSCltd,
sysenter is not supported, but execution should continue to the next instruction after the sysenter. https://github.com/illera88/Ponce/blob/master/Ponce/src/callbacks.cpp#L76
Does Ponce crash after that sysenter?
About the coverage, it would be possible to limit it and not go inside the library functions. The IDA SDK offers this option:
ST_OVER_LIB_FUNC
https://www.hex-rays.com/products/ida/support/sdkdoc/group___s_t__.html#gac2b1ae7ed8a193891d1dbec3e74c681c But then you would lose the taint tracking, for example after a memcpy. So I am not sure if it is useful to ignore the library code.
And about the tracing, we aren't using any DBI; we use the tracing engine IDA offers: https://www.hex-rays.com/products/ida/support/sdkdoc/group__dbg__funcs__strace.html#gad244471ed51cd387fb9d9d372126c4a7
"To step trace, IDA activates the step-by-step feature of the processor, and generates a dbg_trace notification after each step in the current thread. This mechanism is currently only available for plugins!"
But in the future we want to try the IDA PIN debugger: https://www.hex-rays.com/products/ida/support/idadoc/1652.shtml

I'm sorry, all right. It was the "NtTerminateThread" syscall, which is why everything stopped at sysenter.

Hehe cool!
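Added example, not code from Ponce, Triton or anyone in this thread: a toy byte-level taint tracker fed by a recorded step trace, to make the two points of the maintainer's reply concrete. It shows why dropping the steps inside library functions (what the IDA step-trace option ST_OVER_LIB_FUNC does) loses the taint that memcpy carries from its source to its destination, and how a trace can skip an instruction the engine does not model (sysenter) and carry on with the next one instead of aborting. It goes one step beyond the thread by showing a per-function taint summary for memcpy that recovers the lost taint while still stepping over the library body. All addresses, buffers, the mini instruction set and the trace itself are constructed for the example; 0x77956c72 is reused from the issue text only as a label.

```python
# Toy model (constructed here, not Ponce or Triton code) of taint through memcpy
# under full single-stepping vs. stepping over library code, plus skipping an
# unsupported instruction (sysenter) without stopping the trace.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

LIB_RANGE = range(0x77950000, 0x77A00000)    # constructed: where the "library" is mapped
USER_CODE = 0x00401000                       # constructed: the traced executable
MEMCPY    = 0x77956C00                       # constructed address of memcpy inside LIB_RANGE
SYSENTER  = 0x77956C72                       # address quoted in the issue, used as a label only
SRC, DST, N = 0x00610000, 0x00620000, 8      # constructed buffers; SRC holds "user input"
SUPPORTED = {"mov", "movsb", "call", "ret"}  # what this toy engine can model


@dataclass
class Step:
    ea: int
    mnem: str
    ops: Tuple = ()   # operands decoded ahead of time: registers as str, addresses as int


@dataclass
class Tainter:
    tainted_mem: Set[int] = field(default_factory=set)
    tainted_regs: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def process(self, step: Step) -> None:
        if step.mnem not in SUPPORTED:
            # Same policy the thread describes for Ponce: log it and keep tracing.
            self.log.append(f"Instruction at {step.ea:#x} not supported: {step.mnem}")
            return
        if step.mnem == "mov":                    # mov reg, dword [addr]
            reg, addr = step.ops
            if any(addr + i in self.tainted_mem for i in range(4)):
                self.tainted_regs.add(reg)
            else:
                self.tainted_regs.discard(reg)
        elif step.mnem == "movsb":                # one byte of rep movsb: [edi] <- [esi]
            dst, src = step.ops
            if src in self.tainted_mem:
                self.tainted_mem.add(dst)
            else:
                self.tainted_mem.discard(dst)
        # call/ret move no data in this model


def memcpy_summary(t: Tainter, dst: int, src: int, n: int) -> None:
    """Taint effect of memcpy(dst, src, n), applied without stepping its body."""
    for i in range(n):
        if src + i in t.tainted_mem:
            t.tainted_mem.add(dst + i)
        else:
            t.tainted_mem.discard(dst + i)


def build_trace() -> List[Step]:
    """Constructed trace: memcpy SRC to DST, read DST, hit a sysenter, read DST again."""
    body = [Step(MEMCPY + i, "movsb", (DST + i, SRC + i)) for i in range(N)]
    body.append(Step(MEMCPY + N, "ret"))
    return [
        Step(USER_CODE,      "mov",  ("ecx", SRC)),            # load from the tainted source
        Step(USER_CODE + 5,  "call", (MEMCPY, DST, SRC, N)),   # memcpy(DST, SRC, N)
        *body,                                                 # single-stepped library body
        Step(USER_CODE + 10, "mov",  ("eax", DST)),            # consumer of the copy
        Step(SYSENTER,       "sysenter"),                      # e.g. an NtTerminateThread stub
        Step(USER_CODE + 15, "mov",  ("ebx", DST)),            # tracing must still get here
    ]


def run_trace(steps: List[Step], over_lib: bool = False,
              summaries: Optional[Dict[int, Callable]] = None) -> Tainter:
    """Feed the trace to a Tainter. over_lib mimics ST_OVER_LIB_FUNC: no step inside
    LIB_RANGE is delivered. summaries maps a callee address to its taint effect."""
    t = Tainter(tainted_mem={SRC + i for i in range(N)})
    for step in steps:
        if over_lib and step.ea in LIB_RANGE:
            continue
        if step.mnem == "call" and summaries and step.ops[0] in summaries:
            summaries[step.ops[0]](t, *step.ops[1:])
        t.process(step)
    return t


def demo(over_lib: bool, with_summary: bool) -> Dict:
    t = run_trace(build_trace(), over_lib,
                  {MEMCPY: memcpy_summary} if with_summary else None)
    return {"regs": sorted(t.tainted_regs), "log": t.log}


if __name__ == "__main__":
    print("step into lib  :", demo(False, False))   # eax and ebx tainted, sysenter logged
    print("step over lib  :", demo(True, False))    # eax and ebx clean: taint lost at memcpy
    print("over + summary :", demo(True, True))     # taint recovered by the memcpy summary
```

With the library body single-stepped, the movsb steps carry the taint byte by byte into DST, so both later loads taint their registers and the unsupported sysenter only leaves a log line. With the library steps filtered out, the copy is invisible to the engine and everything read from DST afterwards looks clean, which is the loss the reply warns about; a summary that applies memcpy's known data flow at the call site gives the speed of stepping over while keeping the taint, at the cost of having to write such a summary for every library routine that moves data.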