I have problems with a regression introduced by this commit: d50675c. I'm not sure which edge cases were fixed there, but surely there are cases that got broken by this change. Everything works well when the program is started under x64dbg, but the problem arises if you attach to a process which remapped certain modules in a specific way. Under those circumstances an integer underflow will occur and regions with negative sizes will appear in the Memory Map.
I've prepared a small repro for this problem. Reproduction steps:
I managed to fix that with one simple check. Assumptions of existing logic are now enforced.
However I found something interesting. I compared 2 scenarios:
There are still discrepancies between those cases, and it seems that Windows itself is at fault here. When unmapping a view of a section via NtUnmapViewOfSection, a debug event is fired to notify the debugger that a module got unloaded. Usually that's fine because the loader will also remove the module from the PEB. When unmapping manually that obviously won't occur, so detaching the debugger and reattaching it will result in a "dll loaded" event for a dll that isn't loaded or got remapped, as in this case.
Easiest fix for this would be to add extra validation logic in
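The underflow described in this issue can be modelled without Windows APIs. The following is an added, hypothetical example (not x64dbg's code and not the reporter's repro): a module range as recorded in the loader's module list, a region as a VirtualQuery-style call would return it, and the size computation "end of module minus start of region". When the module has been unmapped and remapped elsewhere, the region handed back for the stale base starts past the recorded end, the unsigned subtraction wraps, and the result reads as a negative size. The checked variant enforces the assumption (region starts inside the recorded module) before subtracting, and reports a stale entry otherwise. All addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model (not x64dbg's data structures): a module as the
 * loader's list records it, and a region as a VirtualQuery-style call
 * returns it.  Both are [base, base + size). */
typedef struct {
    uint64_t base;
    uint64_t size;
} range_t;

/* Unchecked computation: silently assumes the queried region starts inside
 * the recorded module.  If the module was unmapped and remapped somewhere
 * else, region.base lies beyond module end and the unsigned subtraction
 * wraps around to a huge value (negative when viewed as int64_t). */
uint64_t remaining_unchecked(range_t module, range_t region)
{
    return module.base + module.size - region.base;
}

/* Checked computation: make the assumption explicit.  Returns false when the
 * region does not start inside the module's recorded range (or the recorded
 * size itself is unusable), so the caller can treat the loader entry as stale
 * instead of emitting a region with a bogus size. */
bool remaining_checked(range_t module, range_t region, uint64_t *out)
{
    if (module.size == 0 || module.base > UINT64_MAX - module.size)
        return false;                       /* corrupt size: end would overflow */
    uint64_t module_end = module.base + module.size;
    if (region.base < module.base || region.base >= module_end)
        return false;                       /* region outside module: stale entry */
    *out = module_end - region.base;
    return true;
}

/* Sanity filter for an already-computed size: nothing inside a module can
 * be larger than the module itself, so anything bigger is a wrapped value. */
bool looks_underflowed(range_t module, uint64_t size)
{
    return size > module.size;
}

int main(void)
{
    /* Constructed sample: a 128 KiB module recorded at 0x7ff000000000. */
    range_t module = { 0x7ff000000000ULL, 0x20000ULL };

    /* Case 1: consistent view, a region inside the module. */
    range_t inside = { 0x7ff000010000ULL, 0x10000ULL };
    uint64_t rem = 0;
    printf("inside:   unchecked=0x%llx checked_ok=%d rem=0x%llx\n",
           (unsigned long long)remaining_unchecked(module, inside),
           remaining_checked(module, inside, &rem), (unsigned long long)rem);

    /* Case 2: module was remapped; the region returned for the stale base
     * now starts far beyond the recorded end. */
    range_t remapped = { 0x7ff100000000ULL, 0x20000ULL };
    uint64_t u = remaining_unchecked(module, remapped);
    printf("remapped: unchecked=0x%llx (as int64: %lld) underflow=%d checked_ok=%d\n",
           (unsigned long long)u, (long long)(int64_t)u,
           looks_underflowed(module, u), remaining_checked(module, remapped, &rem));
    return 0;
}
```

The unchecked path is the behaviour the issue describes; the checked path is the shape of "one simple check" that rejects a region whose start no longer lies inside the module it was attributed to, rather than propagating a wrapped size into the map.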