x64dbg crash on attaching to specific exe, no plugins, no db #2163

Open
MoonDoggie42 opened this issue May 4, 2019 · 2 comments

@MoonDoggie42
commented May 4, 2019

Duncan,
I'm getting a strange crash and minidump on startup on a file that doesn't even have a .db entry and all plugins disabled.

x64dbg version - April 17, 2019.

I've uploaded several minidumps here:
https://drive.google.com/drive/folders/1hu97HUTtBA_f52vQEqD7mkGgiHgYbPGh?usp=sharing

Can you spot the issue?

Here's the !analyze -v output:

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(7f18.3c8c): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=00000000 ebx=06db3278 ecx=00950000 edx=00950000 esi=06db3230 edi=06db3240
eip=7789b78c esp=06c3bb4c ebp=06c3bb58 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtGetContextThread+0xc:
7789b78c c20800 ret 8
0:015> !analyze -v
ERROR: FindPlugIns 8007007b


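*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************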

KEY_VALUES_STRING: 1

Key  : AV.Dereference
Value: String

Key  : AV.Fault
Value: Read

Key  : Analysis.CPU.Sec
Value: 1

Key  : Analysis.Elapsed.Sec
Value: 5

Key  : Analysis.Memory.CommitPeak.Mb
Value: 161

Key  : Timeline.Process.Start.DeltaSec
Value: 16

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
Name:
Time: 2019-05-04T17:29:55.51Z
Diff: 28051 mSec

Timeline: Dump.Current
Name:
Time: 2019-05-04T17:29:27.0Z
Diff: 0 mSec

Timeline: Process.Start
Name:
Time: 2019-05-04T17:29:11.0Z
Diff: 16000 mSec

DUMP_CLASS: 2

DUMP_QUALIFIER: 400

MODLIST_WITH_TSCHKSUM_HASH: a225f3439677b40fba71cb81d88a83d430b3d124

MODLIST_SHA1_HASH: e4dcb7ecb7e81d6d3368856fe699c8903ce307fd

DUMP_FLAGS: 0

DUMP_TYPE: 2

CONTEXT: (.ecxr)
eax=06c3da38 ebx=6173d6dc ecx=00950000 edx=00950000 esi=06c3e11c edi=72617453
eip=617e28e9 esp=06c3da08 ebp=06c3da44 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
x32dbg!DllMain+0x1fd29:
617e28e9 66833f00 cmp word ptr [edi],0 ds:002b:72617453=????
Resetting default scope

FAULTING_IP:
x32dbg!DllMain+1fd29
617e28e9 66833f00 cmp word ptr [edi],0

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 617e28e9 (x32dbg!DllMain+0x0001fd29)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 72617453
Attempt to read from address 72617453

DEFAULT_BUCKET_ID: INVALID_POINTER_READ

PROCESS_NAME: x32dbg.exe

FOLLOWUP_IP:
x32dbg!DllMain+1fd29
617e28e9 66833f00 cmp word ptr [edi],0

READ_ADDRESS: 72617453

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 72617453

WATSON_BKT_PROCSTAMP: 5cb76474

WATSON_BKT_PROCVER: 0.0.2.5

PROCESS_VER_PRODUCT: x64dbg

WATSON_BKT_MODULE: x32dbg.dll

WATSON_BKT_MODSTAMP: 5cb764aa

WATSON_BKT_MODOFFSET: 828e9

BUILD_VERSION_STRING: 10.0.17134.376 (WinBuild.160101.0800)

ANALYSIS_SESSION_HOST: COLIN-PC

ANALYSIS_SESSION_TIME: 05-04-2019 10:29:55.0051

ANALYSIS_VERSION: 10.0.18869.1002 x86fre

THREAD_ATTRIBUTES:
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_STRING_DEREFERENCE

PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT

PROBLEM_CLASSES:

ID:     [0n313]
Type:   [@ACCESS_VIOLATION]
Class:  Addendum
Scope:  BUCKET_ID
Name:   Omit
Data:   Omit
PID:    [Unspecified]
TID:    [0x3c8c]
Frame:  [0] : x32dbg!DllMain

ID:     [0n285]
Type:   [INVALID_POINTER_READ]
Class:  Primary
Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
        BUCKET_ID
Name:   Add
Data:   Omit
PID:    [Unspecified]
TID:    [0x3c8c]
Frame:  [0] : x32dbg!DllMain

ID:     [0n184]
Type:   [STRING_DEREFERENCE]
Class:  Primary
Scope:  BUCKET_ID
Name:   Add
Data:   Omit
PID:    [Unspecified]
TID:    [0x3c8c]
Frame:  [0] : x32dbg!DllMain

LAST_CONTROL_TRANSFER: from 617a4594 to 617e28e9

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
06c3da44 617a4594 06c3e11c 72617453 3c1a00ce x32dbg!DllMain+0x1fd29
06c3ea5c 616dd711 6173d6dc 0000730c 7725f570 x32dbg+0x44594
06c3f7c8 616ee7b4 0000730c 7725f5d0 0000730c TitanEngine!DebugLoop+0x321
06c3f7e0 617ab0c1 0000730c 00000001 618b27e0 TitanEngine!AttachDebugger+0xc4
06c3f880 617abead 0000730c 00000001 06c3f8a4 x32dbg+0x4b0c1
06c3f890 77208494 0000730c 77208470 4e8712e6 x32dbg+0x4bead
06c3f8a4 778941c8 0000730c 69d46b06 00000000 kernel32!BaseThreadInitThunk+0x24
06c3f8ec 77894198 ffffffff 778af351 00000000 ntdll!__RtlUserThreadStart+0x2f
06c3f8fc 00000000 617abea0 0000730c 00000000 ntdll!_RtlUserThreadStart+0x1b

THREAD_SHA1_HASH_MOD_FUNC: 969cbaa32c16d874b7b47792ea0ad4ccc5e3e6cd

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 1d753e3f3aa19a568912118ec2b5ee7f25477f56

THREAD_SHA1_HASH_MOD: a47b952a7309382d288678a37e950e10e2fadb04

FAULT_INSTR_CODE: 3f8366

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: x32dbg!DllMain+1fd29

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: x32dbg

IMAGE_NAME: x32dbg.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 5cb764aa

STACK_COMMAND: ~15s ; .ecxr ; kb

FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_x32dbg.dll!DllMain

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_STRING_DEREFERENCE_x32dbg!DllMain+1fd29

FAILURE_EXCEPTION_CODE: c0000005

FAILURE_IMAGE_NAME: x32dbg.dll

BUCKET_ID_IMAGE_STR: x32dbg.dll

FAILURE_MODULE_NAME: x32dbg

BUCKET_ID_MODULE_STR: x32dbg

FAILURE_FUNCTION_NAME: DllMain

BUCKET_ID_FUNCTION_STR: DllMain

BUCKET_ID_OFFSET: 1fd29

BUCKET_ID_MODTIMEDATESTAMP: 5cb764aa

BUCKET_ID_MODCHECKSUM: 153523

BUCKET_ID_MODVER_STR: 0.0.0.0

BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_READ_STRING_DEREFERENCE_

FAILURE_PROBLEM_CLASS: APPLICATION_FAULT

FAILURE_SYMBOL_NAME: x32dbg.dll!DllMain

TARGET_TIME: 2019-05-04T17:29:27.000Z

OSBUILD: 17134

OSSERVICEPACK: 706

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 256

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2022-11-13 06:35:21

BUILDDATESTAMP_STR: 160101.0800

BUILDLAB_STR: WinBuild

BUILDOSVER_STR: 10.0.17134.376

ANALYSIS_SESSION_ELAPSED_TIME: 15c8

ANALYSIS_SOURCE: UM

FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_x32dbg.dll!dllmain

FAILURE_ID_HASH: {51c75edc-fe8e-e271-d5ef-cf49d5b06b3d}

Followup: MachineOwner

0:015> .exr -1
ExceptionAddress: 617e28e9 (x32dbg!DllMain+0x0001fd29)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000

@mrfearless

Contributor

commented May 4, 2019

The crashdumps show a few plugins still enabled:

Highlightfish.dp32	D:\RE\Debuggers\x64dbg\release\x32\plugins\Highlightfish.dp32	0.0.0.0
Rtti.dp32	D:\RE\Debuggers\x64dbg\release\x32\plugins\Rtti.dp32	0.0.0.0
ScyllaHideX64DBGPlugin.dp32	D:\RE\Debuggers\x64dbg\release\x32\plugins\ScyllaHideX64DBGPlugin.dp32	0.0.0.0
SwissArmyKnife.dp32	D:\RE\Debuggers\x64dbg\release\x32\plugins\SwissArmyKnife.dp32	0.0.0.0

I would disable those to check it's not one of them first.

@MoonDoggie42

Author

commented May 4, 2019
