
jmp in memory allocation : "Could not get module base" #64

Closed
tonybounty opened this issue Feb 12, 2021 · 3 comments

@tonybounty

I am debugging a program (with x64dbg) that creates a new memory allocation (VirtualAlloc), drops executable code inside it and then jmps to this memory.
Before the jump I dump this allocation to a file and load it as a new segment in IDA Pro, set to the same address as in x64dbg.
However, ret-sync won't jump inside because it isn't in the module:

[sync] UpdateState(00540585): could not get module base...

(00540585 exists in IDA after manually creating the seg/loading the bin)

So, before reading all the plugin's Python code, is there any solution to follow code in an allocation?

@bootleg (Owner) commented Feb 13, 2021

Hi @tonybounty,

Indeed, dynamically allocated code is complex to handle and basically breaks ret-sync dispatching, which is based on module names. WinDbg offers a powerful API, IDebugSymbols3::AddSyntheticModule, to handle these situations. To the best of my knowledge there is nothing similar in the x64dbg API.

However with the x64dbg plugin you can try the following workaround:

  • syncmodauto off
  • idblist
  • idbn xx

I've just added the syncmodauto command to x64dbg in commit b1b7be1. It tells ret-sync to stop automatically resolving and switching modules/idb.

With idblist you get the list of all the idbs attached to the dispatcher (if you have more than one).

With idbn you force syncing with the idb you selected in the previous step; for example idbn 0 to select the first one.

It should do the trick.
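To make the failure and the workaround concrete, here is an added model of the dispatch logic in Python. It is illustrative code written for this page, not ret-sync's own implementation: the Module/Dispatcher/update_state names, the module list, the image bases and the IDB names are all constructed for the example. In automatic mode the PC is resolved to the module whose range contains it, so a PC inside a VirtualAlloc'd region has no owner and dispatch fails; pinning an IDB that was loaded at the allocation's runtime address (syncmodauto off, idblist, idbn N) bypasses the module lookup.

```python
"""Model of how a ret-sync-style dispatcher maps a debugger address to an
IDB. Added, illustrative example, not ret-sync's code: the Module/Dispatcher
names, the module list and the IDB names are invented here."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str  # module name as the debugger reports it
    base: int  # load address in the debuggee
    size: int  # size of the mapped image


class Dispatcher:
    def __init__(self, modules: List[Module]):
        self.modules = list(modules)
        self.idbs: Dict[str, int] = {}      # idb name -> image base that IDB uses
        self.automod = True                 # equivalent of "syncmodauto on"
        self.pinned: Optional[str] = None   # idb selected with "idbn"

    def find_module(self, addr: int) -> Optional[Module]:
        """Module containing addr, or None for code outside any loaded image."""
        for m in self.modules:
            if m.base <= addr < m.base + m.size:
                return m
        return None

    def register_idb(self, name: str, base: int) -> None:
        self.idbs[name] = base

    def syncmodauto(self, on: bool) -> None:
        self.automod = on

    def idblist(self) -> List[str]:
        return sorted(self.idbs)

    def idbn(self, n: int) -> str:
        self.pinned = self.idblist()[n]
        return self.pinned

    def update_state(self, addr: int) -> Tuple[str, int]:
        """Return (idb name, offset from that IDB's base) for the debugger PC."""
        if self.automod:
            m = self.find_module(addr)
            if m is None:
                # the situation in the issue: PC inside a VirtualAlloc'd region
                raise LookupError(f"UpdateState({addr:08X}): could not get module base")
            return m.name, addr - m.base
        if self.pinned is None:
            raise LookupError("syncmodauto is off but no idb selected (run idblist, then idbn N)")
        return self.pinned, addr - self.idbs[self.pinned]


def build_session() -> Dispatcher:
    """Constructed scenario: victim.exe plus a region at 0x540000 dumped to a
    file and loaded in IDA at its runtime address. Bases/sizes are assumptions."""
    d = Dispatcher([
        Module("victim.exe", 0x400000, 0x20000),
        Module("ntdll.dll", 0x7FFB12340000, 0x200000),
    ])
    d.register_idb("alloc_00540000.bin", 0x540000)
    d.register_idb("victim.exe", 0x400000)
    return d


def demo() -> Tuple[Optional[str], Tuple[str, int], Tuple[str, int]]:
    d = build_session()
    pc = 0x00540585                      # address from the issue, inside the allocation
    # 1. automatic mode: no module owns pc, so dispatch fails
    try:
        d.update_state(pc)
        auto = None
    except LookupError as e:
        auto = str(e)
    # 2. workaround: pin the IDB that was loaded at the allocation's address
    d.syncmodauto(False)
    idx = d.idblist().index("alloc_00540000.bin")
    d.idbn(idx)
    pinned = d.update_state(pc)          # ('alloc_00540000.bin', 0x585)
    # caveat: while pinned, addresses inside victim.exe are also sent to the pinned idb
    misrouted = d.update_state(0x401000)
    return auto, pinned, misrouted


if __name__ == "__main__":
    print(demo())
```

The caveat shown in the last step is the practical cost of the workaround: with automatic resolution off, every PC update is routed to the pinned IDB, including addresses that do belong to the main module, so the IDB needs to be switched (idbn again, or syncmodauto on) when execution returns from the allocation.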

@bootleg (Owner) commented Mar 5, 2021

Closing this one as it seems OK with the workaround. Please reopen if necessary.

@bootleg bootleg closed this as completed Mar 5, 2021
@Kojuda commented Jun 23, 2022

I have tried several things:

  • Loading the injected PE as a segment at the same loading offset inside an IDB of the victim process
  • Creating an IDB from the extracted injected PE with the same base address and the same name as the debugged process in x64dbg
  • Loading the injected PE as an external binary inside the extracted process

I extracted all of them with PE-sieve, which gives the best results. The commands mentioned above don't prevent the error message "Could not get module base...".

I don't know how to handle this, since I need to debug the running victim process.
