Crash on dumping parameters #38

Closed
hasherezade opened this issue Aug 10, 2023 · 1 comment
Assignees
Labels
bug Something isn't working

Comments

@hasherezade (Owner):

Test case

Issue

When dumping of the parameters is selected, the produced trace is incomplete.

Using the default params.txt:

kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6

The end of the tracelog:

17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA

When LoadLibraryA is removed from params.txt, the tracelog continues. Example:

175f0;msvcrt.fwrite
17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
d480;kernel32.GetProcAddress
13ad8;called: ?? [15440000+5c]
> 15440000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 15440000+70;nim.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [15440000+2e]
[...]

Possible crash on dumping parameters of LoadLibraryA.

@hasherezade hasherezade added the bug Something isn't working label Aug 10, 2023
@hasherezade hasherezade self-assigned this Aug 10, 2023
@hasherezade (Owner, Author):

After the fix, parameters were successfully traced:

17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
LoadLibraryA:
	Arg[0] = ptr 0x00000000160d25a0 -> "amsi"

d480;kernel32.GetProcAddress
GetProcAddress:
	Arg[0] = ptr 0x00007ffd17580000 -> {MZ\x90\x00\x03\x00\x00\x00}
	Arg[1] = ptr 0x00000000160d25d0 -> "AmsiScanBuffer"

13ad8;called: ?? [16970000+5c]
> 16970000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 16970000+70;nim_sample.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [16970000+2e]
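The following is an added example, not code from this issue or from the tracer's own project. It parses the two text formats quoted above (params.txt entries of the form module;function;argcount, and tracelog lines of the form offset;module.function followed by indented Arg[n] = ... dumps) and checks the exact symptom reported here: a traced call that params.txt asked to dump but that is not followed by a complete parameter dump. It also pairs each GetProcAddress string argument with the most recent LoadLibraryA/W string argument; that pairing is a heuristic of this example, since the trace prints the module handle only as a pointer. The sample inputs are the excerpts from this issue; the regular expressions are inferred from those excerpts rather than taken from a format specification.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample inputs: the default params.txt and the two tracelog
# excerpts quoted in the issue (before and after the fix).
PARAMS = """\
kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6
"""

BROKEN_TRACE = """\
17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
"""

FIXED_TRACE = r"""17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
LoadLibraryA:
    Arg[0] = ptr 0x00000000160d25a0 -> "amsi"

d480;kernel32.GetProcAddress
GetProcAddress:
    Arg[0] = ptr 0x00007ffd17580000 -> {MZ\x90\x00\x03\x00\x00\x00}
    Arg[1] = ptr 0x00000000160d25d0 -> "AmsiScanBuffer"

13ad8;called: ?? [16970000+5c]
> 16970000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 16970000+70;nim_sample.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [16970000+2e]
"""


def parse_params(text: str) -> dict[str, int]:
    """params.txt: 'module;function;argcount' -> {'module.function': argcount}
    (keys lower-cased so lookups do not depend on how the trace prints case)."""
    params: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        module, func, count = (p.strip() for p in line.split(";"))
        params[f"{module}.{func}".lower()] = int(count)
    return params


@dataclass
class Call:
    offset: str                                   # call-site RVA as printed (hex, no 0x)
    name: str                                     # "module.function" as printed
    args: list[str] = field(default_factory=list)  # raw text after "Arg[n] = "


# Only 'offset;module.function' lines are API calls; 'offset;called: ??' and
# '> ...;SYSCALL:...' lines are other trace events and deliberately do not match.
CALL_RE = re.compile(r"^([0-9a-fA-F]+);(\w+\.[\w@]+)$")
ARG_RE = re.compile(r"^\s*Arg\[(\d+)\] = (.*)$")
STR_RE = re.compile(r'-> "(.*)"$')


def parse_trace(text: str) -> list[Call]:
    """Attach each Arg[n] line to the most recent API call line."""
    calls: list[Call] = []
    for raw in text.splitlines():
        m = CALL_RE.match(raw)
        if m:
            calls.append(Call(offset=m.group(1), name=m.group(2)))
            continue
        m = ARG_RE.match(raw)
        if m and calls:
            calls[-1].args.append(m.group(2))
    return calls


def missing_dumps(params: dict[str, int], calls: list[Call]) -> list[Call]:
    """Calls listed in params.txt that lack the expected number of Arg lines:
    the incomplete-trace symptom described in the issue."""
    return [c for c in calls
            if c.name.lower() in params and len(c.args) < params[c.name.lower()]]


def string_value(arg: str) -> Optional[str]:
    """'ptr 0x... -> "amsi"' -> 'amsi'; a non-string pointee such as {MZ...} -> None."""
    m = STR_RE.search(arg)
    return m.group(1) if m else None


def resolved_imports(calls: list[Call]) -> list[tuple[Optional[str], str]]:
    """(library, symbol) pairs resolved via GetProcAddress. Heuristic of this
    example: the library is the most recent LoadLibraryA/W string argument."""
    resolved: list[tuple[Optional[str], str]] = []
    last_lib: Optional[str] = None
    for c in calls:
        fn = c.name.split(".", 1)[1].lower()
        if fn in ("loadlibrarya", "loadlibraryw") and c.args:
            last_lib = string_value(c.args[0])
        elif fn == "getprocaddress" and len(c.args) >= 2:
            sym = string_value(c.args[1])
            if sym is not None:
                resolved.append((last_lib, sym))
    return resolved


if __name__ == "__main__":
    params = parse_params(PARAMS)
    for label, trace in (("before fix", BROKEN_TRACE), ("after fix", FIXED_TRACE)):
        calls = parse_trace(trace)
        gaps = missing_dumps(params, calls)
        print(f"{label}: {len(calls)} API calls, {len(gaps)} without a parameter dump")
        for c in gaps:
            print(f"  {c.offset};{c.name} (expected {params[c.name.lower()]} args)")
        for lib, sym in resolved_imports(calls):
            print(f"  resolved {sym} from {lib}")
```

Run on the issue's excerpts, the pre-fix trace reports d479;kernel32.LoadLibraryA as a listed call with no dump, and the post-fix trace reports none and resolves AmsiScanBuffer from amsi.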
