Recon x64 #56
SysVAmd64Call vs sysvamd64call
vdb/recon/__init__.py
index (skipping the saved instruction pointer). | ||
''' | ||
cc = trace.getEmulator().getCallingConvention("stdcall") | ||
if "64" in trace.getMeta("Architecture"): |
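Review bot: the `stdcall` default on the `cc = trace.getEmulator().getCallingConvention("stdcall")` line is only right for 32-bit Windows (i386 Linux is cdecl), and the `if "64" in trace.getMeta("Architecture"):` test on the next line accepts any architecture string that contains "64" rather than amd64 specifically. Replace both with one lookup keyed on the (Architecture, Platform) pair from `trace.getMeta()`, and make a pair that is not in the table an explicit error instead of falling through to stdcall.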
Love the overall idea, however for future proofing, we cannot assume that any arch with the chars "64" in the name (such as commodore64) is amd64. This probably needs to become something more like a dict lookup of
(arch,plat):cc
Follow the @invisig0th recommendation
Do you need something else here man before merge?
@cmaruti does this PR still function as expected on current Viv/Vdb?
I don't know atm; gonna check it
@atlas0fd00m seems the whole breakpoint stuff on win32 (32/64) does not work anymore :( BEFORE merging master branch into
AFTER merging master branch
```python
import sys

# Local vivisect checkout; adjust to where it lives on your box
VDB_ROOT = "C:\\vivisect"
sys.path.append(VDB_ROOT)

import vtrace
import vtrace.breakpoints as v_bp
import vdb.recon as v_rec
import vdb.recon.sniper as v_snip


def hookfunc(event, trace, retaddr, args, cc):
    # Callback for v_bp.addHook: print the return address and the decoded arguments
    print('ret: 0x%.8x: %r' % (retaddr, args))


trace = vtrace.getTrace()

# Alternatives tried against the same API (left commented out, as originally posted):
#v_snip.snipeDynArg(trace, 'user32.CreateWindowExW', 3)
#v_snip.snipeArgValue(trace, 'user32.CreateWindowExW', 1, 0x100)
#v_bp.addHook( trace, 'user32.CreateWindowExW', hookfunc )

# Recon breakpoint on CreateWindowExW; 'IUUI' is the argument format string
# handed to reprargs() in vdb/recon/__init__.py
v_rec.addReconBreak(trace, 'user32.CreateWindowExW', 'IUUI')

# Launch calc.exe under the debugger and keep running after each breakpoint hit
trace.execute(r'c:\windows\system32\calc.exe')
trace.setMode('RunForever', True)
trace.run()
```
Windows has added significant changes to the debugging security model, requiring more permissions to write to a debugged process, since breakpoints actually overwrite bytes in the target process (for Intel, Viv writes the int3 instruction, or 0xCC, at the breakpoint location). But wait, you're suggesting that this change has to do with an update to Viv? I apologize for the delay in responding, @cmaruti. I didn't realize you had (bad notification mechanisms for me apparently). Can you give me more information about what version you were using before breakpoints stopped working? A date?
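The int3 mechanics described in the comment above, as an added example that is not part of this thread or of vivisect's code: a constructed stand-in for a debuggee's memory and a software breakpoint table that saves the original byte, writes 0xCC, reads it back to confirm the write actually landed (the failure mode when the OS refuses the write), and masks armed breakpoints out of memory reads so the debugger's own view of the code stays clean. `FakeProcessMemory`, its `writable` flag and the sample code bytes are constructed for illustration; vtrace's real API is not modelled.

```python
INT3 = 0xCC  # x86 single-byte software breakpoint (int3), as the comment notes


class BreakpointWriteError(RuntimeError):
    """Raised when the 0xCC byte could not be written to (or read back from) the target."""


class FakeProcessMemory:
    """Constructed stand-in for a debuggee's address space: a bytearray at a base address.

    writable=False models a target the debugger is not allowed to patch (the permission
    problem raised in the thread): writes are silently dropped, which is exactly why the
    breakpoint code below verifies every write by reading it back.
    """

    def __init__(self, base, code, writable=True):
        self.base = base
        self.mem = bytearray(code)
        self.writable = writable

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.mem):
            raise ValueError("read outside mapped range: 0x%x" % addr)
        return bytes(self.mem[off:off + size])

    def write(self, addr, data):
        if not self.writable:
            return  # dropped, like a failed WriteProcessMemory
        off = addr - self.base
        if off < 0 or off + len(data) > len(self.mem):
            raise ValueError("write outside mapped range: 0x%x" % addr)
        self.mem[off:off + len(data)] = data


class SoftBreakpointTable:
    """Arm/disarm int3 breakpoints over a FakeProcessMemory and read memory with them masked."""

    def __init__(self, memory):
        self.memory = memory
        self.saved = {}  # addr -> original byte (bytes of length 1)

    def arm(self, addr):
        if addr in self.saved:
            return
        orig = self.memory.read(addr, 1)
        self.memory.write(addr, bytes([INT3]))
        # Never trust the write: on an unpatchable target the old byte is still there.
        if self.memory.read(addr, 1) != bytes([INT3]):
            raise BreakpointWriteError("could not write int3 at 0x%x" % addr)
        self.saved[addr] = orig

    def disarm(self, addr):
        orig = self.saved.pop(addr)
        self.memory.write(addr, orig)

    def read_clean(self, addr, size):
        """Read memory as the program itself would see it, with armed breakpoints masked out."""
        buf = bytearray(self.memory.read(addr, size))
        for bp_addr, orig in self.saved.items():
            off = bp_addr - addr
            if 0 <= off < size:
                buf[off:off + 1] = orig
        return bytes(buf)


# Constructed sample code (x86-64): push rbp; mov rbp,rsp; sub rsp,0x10; leave; ret
SAMPLE_CODE = bytes.fromhex("554889e54883ec10c9c3")
SAMPLE_BASE = 0x401000


def demo():
    """Arm one breakpoint at SAMPLE_BASE; return (raw byte, masked view, bytes after disarm)."""
    mem = FakeProcessMemory(SAMPLE_BASE, SAMPLE_CODE)
    bps = SoftBreakpointTable(mem)
    bps.arm(SAMPLE_BASE)
    raw = mem.read(SAMPLE_BASE, 1)                     # what is really in memory: 0xCC
    clean = bps.read_clean(SAMPLE_BASE, len(SAMPLE_CODE))  # masked view: original bytes
    bps.disarm(SAMPLE_BASE)
    return raw, clean, mem.read(SAMPLE_BASE, len(SAMPLE_CODE))


def arm_fails_on_unwritable_target():
    """True if arming on a non-writable target is reported instead of silently 'succeeding'."""
    mem = FakeProcessMemory(SAMPLE_BASE, SAMPLE_CODE, writable=False)
    try:
        SoftBreakpointTable(mem).arm(SAMPLE_BASE)
    except BreakpointWriteError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("unwritable target detected:", arm_fails_on_unwritable_target())
```

The read-back check is the part that matters for the failure discussed here: a debugger that only issues the write and trusts it will report the breakpoint as set while the target runs straight through the original instruction.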
Since a long time has passed, I can't be very helpful. Probably the best approximation is the date around the post before my last one.
my apologies, @cmaruti, apparently github stopped sending me email notifications and i only now realized it. i'm working out why this stopped working for you and will have a PR done soon.
Np sir! I'll be more than happy to check it out later when done |
hey @cmaruti i'm not sure if this is a necessary change, since i think i've been running into issues where the user account simply lacks the permissions overall. but that doesn't answer your problem. https://github.com/atlas0fd00m/vivisect/tree/win_vdb_privs thanks!
Hi @atlas0fd00m nothing changed from my side. Now I got the following trace and it seems the problem is elsewhere...
thanks for checking. can you give me any more specifics about what you think is causing this? i don't recognize that issue so it's hard to track it down on my side. also, did you install pywin32?
can you share what's in
Yep was totally unexpected also for me...
thanks, @cmaruti. i'll look into it. just to level-set on your environment, could you try using VDB on your machine, both mainline and this branch, and let me know if you are able to set breakpoints on both (just standard VDB). thanks!
Hi @atlas0fd00m and sorry for the late reply; I have been away from the PC for a while. I made a silly mistake in my script, tracked down thanks to your input :D! I can confirm both of the branches (main and priv) work well with the recon commit on my Win10 box; I have also updated the posted script for your convenience.
d82f1c2 to 6c131c1
vdb/recon/__init__.py
@@ -68,18 +68,28 @@ def reprargs(trace, fmt, args): | |||
r.append(rstr) | |||
return r | |||
|
|||
def detect_cc(trace): |
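Review bot: `def detect_cc(trace):` is the only one of the ten lines this hunk adds after `return r` that is visible, and it carries no docstring; document what the function returns (or raises) when the (arch, plat) pair it looks up is not in the table, and keep that table at module level rather than inside the function so it is not rebuilt on every breakpoint hit.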
i like this approach (calling detect_cc) much better than inline hand-jamming...
please define the dictionary outside the function, so it doesn't get recreated every call.
also, these are the defaults (although i386/linux should be cdecl), but not necessarily the reality. what happens when the code gets it wrong? what's worst-case scenario?
thanks!
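The (arch, plat) -> cc table that @invisig0th asked for above, and the "what happens when the code gets it wrong" question in this comment, as an added example that is not the PR's or vivisect's code. It does an exact-key lookup (so "commodore64" or "aarch64" can never match amd64), refuses to guess for unknown pairs, and then decodes one constructed register/stack frame under both amd64 conventions to show that a wrong default silently returns wrong argument values rather than failing. The convention name `msx64call`, the lower-case platform strings and `FakeTrace` are the example's assumptions about what `trace.getMeta()` returns; `sysvamd64call`, `cdecl` and `stdcall` are the names used on this page.

```python
# Default calling convention per (Architecture, Platform) pair, using vivisect's
# convention names. i386/linux is cdecl, as the comment above notes; the stdcall
# default in the original diff is only right for 32-bit Windows. 'msx64call' and
# the lower-case platform strings are assumptions about trace.getMeta() values.
CC_BY_ARCH_PLAT = {
    ("i386", "windows"): "stdcall",
    ("i386", "linux"): "cdecl",
    ("i386", "freebsd"): "cdecl",
    ("amd64", "windows"): "msx64call",
    ("amd64", "linux"): "sysvamd64call",
    ("amd64", "freebsd"): "sysvamd64call",
    ("amd64", "darwin"): "sysvamd64call",
}


class UnknownCallingConvention(LookupError):
    """No default is known for this (arch, plat); refuse to guess."""


def normalize(arch, plat):
    return (str(arch).lower(), str(plat).lower())


def is_supported(arch, plat):
    return normalize(arch, plat) in CC_BY_ARCH_PLAT


def detect_cc_name(arch, plat):
    """Exact-key lookup: no substring tests, so 'commodore64' never becomes amd64."""
    key = normalize(arch, plat)
    try:
        return CC_BY_ARCH_PLAT[key]
    except KeyError:
        raise UnknownCallingConvention("no default calling convention for %r" % (key,)) from None


def detect_cc(trace):
    """Same idea as the PR's detect_cc, against anything exposing a vtrace-style getMeta()."""
    return detect_cc_name(trace.getMeta("Architecture"), trace.getMeta("Platform"))


class FakeTrace:
    """Constructed stand-in for a vtrace trace; only getMeta() is modelled."""

    def __init__(self, arch, plat):
        self._meta = {"Architecture": arch, "Platform": plat}

    def getMeta(self, name):
        return self._meta[name]


# What a wrong guess costs: where each convention takes its integer arguments from.
# (register list in argument order, stack words to skip after the return address)
CC_MODEL = {
    "sysvamd64call": (("rdi", "rsi", "rdx", "rcx", "r8", "r9"), 0),
    "msx64call": (("rcx", "rdx", "r8", "r9"), 4),  # 32-byte shadow space comes first
    "cdecl": ((), 0),
    "stdcall": ((), 0),
}


def read_int_args(cc_name, regs, stack_words, count):
    """Return the first `count` integer arguments as cc_name would read them.

    regs: register name -> value; stack_words: values starting at the word just
    above the saved return address ([esp+4] / [rsp+8]).
    """
    reg_names, skip = CC_MODEL[cc_name]
    args = [regs[r] for r in reg_names[:count]]
    remaining = count - len(args)
    if remaining > 0:
        args.extend(stack_words[skip:skip + remaining])
    return args


# Constructed frame for a SysV call with arguments 1..6 in rdi..r9 and junk on the stack.
SAMPLE_REGS = {"rdi": 1, "rsi": 2, "rdx": 3, "rcx": 4, "r8": 5, "r9": 6}
SAMPLE_STACK = [0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6]


def wrong_cc_demo():
    """Decode the same frame with the right (linux) and the wrong (windows) amd64 default."""
    right = read_int_args(detect_cc(FakeTrace("amd64", "linux")), SAMPLE_REGS, SAMPLE_STACK, 3)
    wrong = read_int_args(detect_cc(FakeTrace("amd64", "windows")), SAMPLE_REGS, SAMPLE_STACK, 3)
    return right, wrong  # the wrong convention yields plausible-looking but wrong values


if __name__ == "__main__":
    print(wrong_cc_demo())
    print(is_supported("commodore64", "linux"))
```

The worst case this models is the silent one: with the wrong convention every recon breakpoint still fires and prints three integers, they are just the wrong registers, so an explicit error on an unknown (arch, plat) pair is preferable to any fallback.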
hey @cmaruti, could you please merge in master and resolve conflicts? i'm happy to help (DM me on Vertex Slack) for things that have dramatically changed over the past few years.
hey @cmaruti, looking good, thanks for the improvements. let me know if you want to chat about some good unittests (and how to wrap them into our testing framework). that's all that's keeping us from merging this in. well, that and merging in the base branch. @rakuy0 and i just want to be sure we know if we break something moving forward. keeps us honest and improves the overall quality of vivisect. if you look back through our merged PR's, he and i are pretty frequently saying "hey, looks good! where's the tests?" lol. thanks, man,
Sorry guys, but unfortunately I had no time to put together a unit test atm, but I will do so in the upcoming weeks. I'm not good at that but I'll try to get by... saw a lot of examples in the code repo.
unit test file
@atlas0fd00m let me know if the testrecon.py unit test file is fine... |
sorry for the delay in response. i've been sitting on this review, trying to get the libc.exit hook fixed. i now have a fix in, and ready for moving forward.
currently your unittest fails. let's figure out why and then we can get this merged in.
unfortunately i believe part of this failure could be waiting on #550
Co-authored-by: atlas0fd00m <atlas@r4780y.com>
@cmaruti, could you pull in the latest master branch? @invisig0th just merged in a fix allowing Linux systems to pick up library loads as they occur (which would affect your unittests). thanks!
@atlas0fd00m CI tests failed once again :( |
so the other error went away tho. recon is working on AMD64. i'm guessing it is failing on i386 because of a test issue rather than a recon/vdb issue. we're getting close! |
@cmaruti , would you like any help on this? thanks again! |
Hi @atlas0fd00m and sorry for the late response... So I dunno what is the best way to handle this: do you usually put a switch in your unit test file to run specific tests based on the box architecture and OS you are running on? Let me know what you want me to do :D
awesome. well done, @cmaruti and thank you!
Improved support for x64 systems