Do not query process cookie when attaching #2164

Mattiwatti opened this issue May 5, 2019 · 0 comments

commented May 5, 2019

Steps to reproduce:

  • Enable process cookie querying.
  • Attach to a running process (e.g. another instance of x64dbg) and do some stuff in the debuggee.
  • Whenever NtQueryInformationProcess is called, a "breakpoint reached not in list!" message is generated.

IMO it would be fine to only call HandleNtdllLoad (which is responsible for setting the initial bp on NtQueryInformationProcess) if the process was created and not attached to. The cookie is only guaranteed to be queried in LdrpInitializeProcess -> RtlSetUnhandledExceptionFilter -> RtlEncodePointer. All other ways of reaching RtlEncodePointer/RtlDecodePointer happen only under specific circumstances, like the debuggee adding a VEH, or when ntdll calls the exception handlers, so they are not reliable anyway.

Another thing about HandleNtdllLoad is that it could be changed to return without setting a breakpoint if the OS is >= Windows 8, because in that case the cookie can just be queried by the debugger. Both of these changes would reduce conflicts with other code that reads NtQueryInformationProcess and finds an unexpected breakpoint byte (e.g. ScyllaHide).

Related: #1747

Edit: I see that this was already mentioned in #1964, but no fix was given other than to disable the cookie setting.
