Debugger crashed on command 'yara' #2015

Open
cozil opened this Issue Aug 31, 2018 · 3 comments

cozil commented Aug 31, 2018

Debugger crashed while running command 'yara' with only one argument.

I looked into the source code, and found an issue:

    if(IsArgumentsLessThan(argc, 2))
        return false;
    duint addr = 0;
    SELECTIONDATA sel;
    GuiSelectionGet(GUI_DISASSEMBLY, &sel);
    addr = sel.start;

    duint base = 0;
    duint size = 0;
    duint mod = ModBaseFromName(argv[2]);

argv[2] is not available while running command 'yara' with only one argument.
Should check if argc > 2 before using it.

@mrexodia mrexodia added the bug label Sep 1, 2018

mrexodia (Member) commented Sep 1, 2018

To solve this issue: remove yara from x64dbg.

torusrxxx (Member) commented Sep 8, 2018

To make it clear: if(IsArgumentsLessThan(argc, 2)) already checks the number of arguments. The real cause is Yara.

balintf (Contributor) commented Oct 31, 2018

> To make it clear: if(IsArgumentsLessThan(argc, 2)) already checks the number of arguments. The real cause is Yara.

This only checks that the yara command was given at least one argument, but the cause of the crash is that x64dbg uses the second argument at argv[2], which is only valid if argc > 2. By adding checks before argv[2] usages and some default values for the argc == 2 case, I was able to get the yara command working with only one argument.

> To solve this issue: remove yara from x64dbg.

Do you mean remove it from the 64-bit version, or remove it entirely from x64dbg? Could you elaborate on why you think yara should be removed? (I don't use it personally, but some might find it useful.)
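
An added example, not part of the thread and not x64dbg's code: a C++ sketch of the handling described in the last comment, where the count check guarantees only `argv[1]` and the optional `argv[2]` is read through a bounds-checked accessor with a default for the `argc == 2` case. `isArgumentsLessThan`, `optionalArg`, `ScanRequest`, `parseScanCommand` and the sample inputs are assumptions made for illustration.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-in for the helper named in the issue: true when fewer
// than `minimum` entries were supplied (argv[0] is the command name).
static bool isArgumentsLessThan(int argc, int minimum) { return argc < minimum; }

// Bounds-checked access to an optional argument: nullptr when absent.
static const char* optionalArg(int argc, const char* const* argv, int index) {
    return (index >= 0 && index < argc) ? argv[index] : nullptr;
}

struct ScanRequest {
    bool ok = false;            // false: the required argument is missing
    std::string rulesFile;      // argv[1], required
    bool useSelection = false;  // true: no target given, caller uses a default
    std::string target;         // argv[2], optional
};

// Parses "<cmd> <rules> [target]" without ever indexing past argc - 1.
ScanRequest parseScanCommand(int argc, const char* const* argv) {
    ScanRequest req;
    if (isArgumentsLessThan(argc, 2))  // guarantees argv[1] only, not argv[2]
        return req;
    req.rulesFile = argv[1];
    if (const char* target = optionalArg(argc, argv, 2))
        req.target = target;
    else
        req.useSelection = true;  // the argc == 2 case from the thread
    req.ok = true;
    return req;
}

int main() {
    const char* oneArg[] = {"yara", "rules.yar"};             // constructed input
    const char* twoArgs[] = {"yara", "rules.yar", "module"};  // constructed input
    ScanRequest a = parseScanCommand(2, oneArg);
    ScanRequest b = parseScanCommand(3, twoArgs);
    std::printf("one arg:  ok=%d useSelection=%d\n", a.ok, a.useSelection);
    std::printf("two args: ok=%d target=%s\n", b.ok, b.target.c_str());
    return 0;
}
```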
