loadlib bug #1449

0ffffffffh opened this Issue Feb 2, 2017 · 4 comments



0ffffffffh commented Feb 2, 2017 edited

The debugger randomly causes an access violation when the loadlib command is called.

I think the origin of this bug is TitanEngine's SetBPX function. The loadlib command uses a remote code injection technique to load the library. It writes the loader payload and sets a breakpoint at the end of the payload. OK. But sometimes SetBPX does not set the breakpoint, and naturally it doesn't handle cbDebugLoadBPX. As a result, the debugger tries to continue the payload code and it crashes.


mrexodia commented Feb 2, 2017

Please be sure to check if this happens without plugins also.

0ffffffffh commented Feb 3, 2017 edited

Actually, this issue is not related to the user perspective, because I used this command to get a feature of a plugin I develop working. Why did I use that? I was looking for something to load a library into the process being debugged, but I realized that the SDK does not provide a function for this directly. TitanEngine provides RemoteLoadLibrary but it does not work at all.

So I thought that if I can use DbgCmdExec, I can send commands to the debugger programmatically. So I did. It runs without problems for less frequent calls. When this command is called frequently it runs unstably. So I put some Sleep after the DbgCmdExec call to clear the suspicion, and it runs again without any problem.

I dug into it a little more.

When it crashes, it seems the main thread is trying to free an invalid memory block.
x64dbg.exe: 0xC0000374: A heap has been corrupted (parameters: 0x00007FFDF494F6B0).


Meanwhile, when I take a look at my worker thread it seems to run as expected.

If the loadlib usage is invalid behavior, it would be great to have some support API for that task.

mrexodia commented Feb 3, 2017
0ffffffffh commented Feb 3, 2017 edited

I created a sample plugin which generates the bug that we discussed. I experienced the same problems with a fresh plugin. Here is my sample plugin repo


PS: Platform X64
