n4r1b / ferrisetw

Basically a KrabsETW rip-off written in Rust

Panic on Kernel Trace close #85

Closed pathtofile closed 1 year ago

pathtofile commented 1 year ago

Hi there,

I get a panic when I try to call .stop() on a Kernel Trace. Basic code:

```rust
// Import paths below are assumed for ferrisetw 0.1.x; adjust to the version in use.
use ferrisetw::provider::{kernel_providers, Provider};
use ferrisetw::trace::KernelTrace;
use std::time::Duration;

let provider_io = Provider::kernel(&kernel_providers::FILE_IO_PROVIDER)
    .build()
    .unwrap();

let mut trace = KernelTrace::new()
    .named(String::from("HijackWatcher"))
    .enable(provider_io)
    .start()
    .unwrap();

// Let the trace run briefly, then stop it; the panic occurs in stop().
std::thread::sleep(Duration::new(3, 0));
trace.stop();
```

Stack trace:

```text
thread '<unnamed>' panicked at 'called `Option::unwrap()` on a `None` value', C:\Users\xxx\.cargo\registry\src\github.com-1ecc6299db9ec823\ferrisetw-0.1.1\src\trace.rs:112:30
stack backtrace:
   0:     0x7ff6de00a782 - std::backtrace_rs::backtrace::dbghelp::trace
                               at /rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\..\..\backtrace\src\backtrace\dbghelp.rs:98
   1:     0x7ff6de00a782 - std::backtrace_rs::backtrace::trace_unsynchronized
                               at /rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\..\..\backtrace\src\backtrace\mod.rs:66
   2:     0x7ff6de00a782 - std::sys_common::backtrace::_print_fmt
                               at /rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\sys_common\backtrace.rs:66
   3:     0x7ff6de00a782 - std::sys_common::backtrace::_print::impl$0::fmt
                               at /rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src\sys_common\backtrace.rs:45
```

Windows version:

```text
OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22621 N/A Build 22621
```

pathtofile commented 1 year ago

(note in my code I do use .add_callback(), but omitted it here as I still got the same error)

pathtofile commented 1 year ago

Some more information: I get the same panic on the kernel trace example in the source code, but not on the user trace example.

daladim commented 1 year ago

Hello. I suppose you're using ferrisetw 0.1.

This bug looks very much like #45, which has been fixed in ferrisetw 1.0... which is not released yet (I'm waiting for @n4r1b to release it after #82 is merged).

I suggest you try this crate from its GitHub repo instead of from crates.io, using the next_major_version branch (the API has slightly changed, but you can generate the doc using cargo doc to read more). Please tell me whether you still run into this issue :)

pathtofile commented 1 year ago

Thanks for all the hard work! I'll close this issue and re-open it if I encounter the same issue :-)