PROGRAM ABORT : Process exited before reaching the target method - due to partial memory read from process #57

Closed
piotrbania opened this issue Jun 4, 2024 · 3 comments

@piotrbania

Hey Ivan,

I've been trying to use Jackalope on some PE binary. Jackalope kinda refused to work with it due to the:
"[-] PROGRAM ABORT : Process exited before reaching the target method"

Which was odd since the target method was exported and available in the PE export section and the debugger itself catches the exported function execution without any problems.

Anyway long story short the culprit was in the Debugger::GetProcOffset function:

```cpp
DWORD Debugger::GetProcOffset(HMODULE module, const char *name) {
  char* base_of_dll = (char*)module;
  DWORD size_of_image = GetImageSize(base_of_dll);

  // try the exported symbols next
  char* modulebuf = (char*)malloc(size_of_image);
  SIZE_T num_read;
  if (!ReadProcessMemory(child_handle, base_of_dll, modulebuf, size_of_image, &num_read) ||
    (num_read != size_of_image))
  {
    FATAL("Error reading target memory\n"); // -> HERE
  }
```

The cause was that ReadProcessMemory returned an error (ERROR_PARTIAL_COPY - 299 (0x12B) - Only part of a ReadProcessMemory or WriteProcessMemory request was completed).

In my case it was due to the .retplne section (retpoline) which had PAGE_NOACCESS rights set.

Long story short, simply changing the FATAL("Error reading target memory\n"); to WARN appears to solve the problem (when GetLastError() == ERROR_PARTIAL_COPY).

Obviously this is far from being a "proper fix" but just leaving the information here in case anyone else encounters this issue. Peace.

@ifratric
Collaborator

ifratric commented Jun 4, 2024

Hey Piotr,

Thanks for reporting! Looks like the approach of reading the entire module in one go isn't working well in this case and needs to be rewritten somewhat.

Just to understand the issue better, do you know how come Jackalope wasn't erroring out with "Error reading target memory" instead of erroring out with "Process exited before reaching the target method"? I'd expect getting the former error if there was an issue with memory read. Or did you change the reading code already at this point?

For anyone reading, the alternative to -target_method is specifying the offset directly via -target_offset which doesn't do the symbol lookup.

@piotrbania
Author

AFAIR I had to change some variable in debugger.cpp to verbose debug events, otherwise I only got:
[!] WARNING: Target function not reached, retrying with a clean process
...
[-] PROGRAM ABORT : Process exited before reaching the target method

Maybe there was some verbose flag in the command line that I forgot about :)

@ifratric
Collaborator

Hi, the GetProcOffset issue should be fixed in googleprojectzero/TinyInst@338dde5.
It now reads only PE headers and the export table, so unusual permissions on other pages shouldn't matter.

I'm tentatively closing the issue, but I'd appreciate it if you could give it a spin against your target again and check if it works correctly.
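
The header-and-export-table lookup described in the last comment, as an added example that is not TinyInst's code. `read_mem`, the constructed image and every name in it are assumptions: `read_mem` stands in for ReadProcessMemory and fails on any range touching the no-access page, and the name, ordinal and function tables are assumed to lie inside the export data directory range (forwarded exports are not handled).

```c
#include <stdint.h>
#include <string.h>

static uint8_t img[0x4000], ex[0x1000]; /* constructed image; local copy of export data */
static uint32_t ex_rva, ex_size;
/* Stand-in for ReadProcessMemory: RVAs 0x2000-0x2FFF play the PAGE_NOACCESS section. */
static int read_mem(uint32_t rva, void *dst, uint32_t len) {
  if (rva > sizeof img || len > sizeof img - rva) return 0;
  if (rva < 0x3000 && rva + len > 0x2000) return 0;
  memcpy(dst, img + rva, len);
  return 1;
}
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint32_t o, uint32_t v) { for (int i = 0; i < 4; i++) img[o + i] = (uint8_t)(v >> 8 * i); }
static const uint8_t *at(uint32_t rva, uint32_t len) { /* view into ex, NULL if out of range */
  int ok = rva >= ex_rva && len <= ex_size && rva - ex_rva <= ex_size - len;
  return ok ? ex + (rva - ex_rva) : NULL;
}
void build_sample(void) { /* constructed PE32+ image exporting fuzz_target at 0x1234 */
  memset(img, 0, sizeof img);
  memcpy(img, "MZ", 2); put32(0x3C, 0x80); memcpy(img + 0x80, "PE\0\0", 4);
  put32(0x80 + 24, 0x20B);                             /* optional header magic */
  put32(0x80 + 136, 0x3000); put32(0x80 + 140, 0x60);  /* export directory RVA, size */
  put32(0x3014, 1); put32(0x3018, 1);                  /* NumberOfFunctions, NumberOfNames */
  put32(0x301C, 0x3028); put32(0x3020, 0x302C); put32(0x3024, 0x3030); /* table RVAs */
  put32(0x3028, 0x1234); put32(0x302C, 0x3034);        /* function RVA, name RVA */
  memcpy(img + 0x3034, "fuzz_target", 12);
}
int whole_image_read_ok(void) { static uint8_t b[sizeof img]; return read_mem(0, b, sizeof b); } /* one read of the whole module */
/* RVA of the named export, or 0. Reads only the header page and the export data. */
uint32_t get_proc_offset(const char *name) {
  uint8_t hdr[0x400];
  uint32_t n = (uint32_t)strlen(name) + 1;
  if (!read_mem(0, hdr, sizeof hdr) || memcmp(hdr, "MZ", 2)) return 0;
  uint32_t pe = rd32(hdr + 0x3C);
  if (pe > sizeof hdr - 144 || memcmp(hdr + pe, "PE\0\0", 4)) return 0;
  uint32_t magic = rd32(hdr + pe + 24) & 0xFFFF, dd = pe + (magic == 0x20B ? 136 : 120);
  if (magic != 0x10B && magic != 0x20B) return 0;
  ex_rva = rd32(hdr + dd); ex_size = rd32(hdr + dd + 4);   /* data directory entry 0 */
  if (ex_size < 40 || ex_size > sizeof ex || !read_mem(ex_rva, ex, ex_size)) return 0;
  for (uint32_t i = 0; i < rd32(ex + 24); i++) {           /* NumberOfNames */
    const uint8_t *np = at(rd32(ex + 32) + 4 * i, 4), *op = at(rd32(ex + 36) + 2 * i, 2);
    if (!np || !op) return 0;
    const uint8_t *s = at(rd32(np), n);
    if (!s || memcmp(s, name, n)) continue;
    const uint8_t *fp = at(rd32(ex + 28) + 4 * (uint32_t)(op[0] | op[1] << 8), 4);
    return fp ? rd32(fp) : 0;
  }
  return 0;
}
```

Every RVA taken from the target is bounds-checked against the local export copy before it is dereferenced, so a malformed export table yields 0 rather than an out-of-bounds read in the debugger process.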
