The corpus is empty, exiting (wtf issue, CLOSED)

Flerov commented on June 29, 2024
The corpus is empty, exiting

from wtf.

Comments (10)

0vercl0k commented on June 29, 2024

Big-Champ commented on June 29, 2024

I also seem to be having this exact issue. For a bit of background, I'm using WHV for the backend and took a snapshot using bdump.js in WinDBG preview on a HyperV VM with 4G ram and 1 core. Earlier I was having an issue where my memory dumps weren't being read in, but after further investigation I discovered it was due to this issue: #101 and I resolved it by adding code from https://github.com/hugsy/kdmp-parser/tree/new_type_support

The output and server exiting described by Flerov is exactly what I am experiencing. I did a virtual read of RIP at Init and InsertTestCase within my harness and they both returned the correct bytes. I should also mention that both of those functions are stripped down to the bare minimum, with Init only setting the end breakpoint and InsertTestCase not actually modifying the state of the program.

Any help would be greatly appreciated.

0vercl0k commented on June 29, 2024

Big-Champ commented on June 29, 2024

Hmmm I see. After copying the HEVD.cov file into my target directory I can see it's trying to apply coverage breakpoints now, so that is most likely the issue. I've tried to run gen_coveragefile_ida.py by loading it as a script in IDA but it's throwing an error at line 6392 "AttributeError: 'NoneType' object has no attribute 'Characteristics'". I couldn't really find any documentation for this script so I'm not sure if my setup is incorrect.

I'm running IDA Pro 7.5 with python3

0vercl0k commented on June 29, 2024

The expected way to run this script is to open HEVD.sys (for example) in IDA and then run the script via the File / run menu. I also can't remember if I tested it out on the 7.5 version (which is getting old).

Cheers

Big-Champ commented on June 29, 2024

Ok, that's the method I've been using to run it (while also having the correct IDB open). I know pretty much nothing about ida python API. Any pointers on what my issue may be? Exact stacktrace + error is:

error: Traceback (most recent call last):
File "", line 6416, in
File "", line 6392, in main
AttributeError: 'NoneType' object has no attribute 'Characteristics'

0vercl0k commented on June 29, 2024

Hmmm, it seems like https://github.com/0vercl0k/wtf/blob/main/scripts/gen_coveragefile_ida.py#L6391 returns None? The loop basically goes through every function that IDA found and then tries to find the PE section in which it belongs, and it isn't finding any, which I don't think I've run into.

Are you looking at some kind of special executable? Is this a user-mode application or kernel-mode?

You can also try to replace:

            discardable = (sect.Characteristics & SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_DISCARDABLE']) != 0

by:

            discardable = (sect is not None) and (sect.Characteristics & SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_DISCARDABLE']) != 0

And see if it does the trick!

Cheers
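
The failure mode discussed in this comment, as an added example that is not part of the original thread and not code from gen_coveragefile_ida.py: a section lookup that returns None for a function outside every section, and the guarded discardable check. The `Section` tuple, the sample layout, the function RVAs and the three-way triage are assumptions made for illustration; only the flag name and the guarded expression come from the thread.

```python
from collections import namedtuple

# Real PE constant (winnt.h); the dict name mirrors the snippet in the thread.
SECTION_CHARACTERISTICS = {'IMAGE_SCN_MEM_DISCARDABLE': 0x02000000}

# Hypothetical stand-in for a PE section header.
Section = namedtuple('Section', 'Name VirtualAddress VirtualSize Characteristics')

# Constructed sample layout, not taken from HEVD.sys or any real driver.
SECTIONS = [
    Section('.text', 0x1000, 0x2000, 0x68000020),
    Section('INIT', 0x5000, 0x0800, 0xE2000020),
]

def section_for_rva(sections, rva):
    """Return the section containing rva, or None when no section covers it."""
    for sect in sections:
        if sect.VirtualAddress <= rva < sect.VirtualAddress + sect.VirtualSize:
            return sect
    return None

def is_discardable(sect):
    """Guarded check from the thread: a missing section counts as not discardable."""
    flag = SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_DISCARDABLE']
    return (sect is not None) and (sect.Characteristics & flag) != 0

def triage_functions(sections, function_rvas):
    """Split function RVAs into kept, discardable and unmapped lists."""
    kept, discardable, unmapped = [], [], []
    for rva in function_rvas:
        sect = section_for_rva(sections, rva)
        if sect is None:
            unmapped.append(rva)  # the unguarded check raises AttributeError here
        if is_discardable(sect):
            discardable.append(rva)
        else:
            kept.append(rva)
    return kept, discardable, unmapped

if __name__ == '__main__':
    # Constructed function RVAs: two in .text, one in INIT, one in a gap.
    kept, discardable, unmapped = triage_functions(SECTIONS, [0x1010, 0x2ff0, 0x5100, 0x4000])
    print('kept:', [hex(r) for r in kept])
    print('discardable:', [hex(r) for r in discardable])
    print('unmapped:', [hex(r) for r in unmapped])
```

With the guard, a function that maps to no section is treated as non-discardable instead of aborting the run, so recording it in a separate list keeps the anomaly visible.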

Big-Champ commented on June 29, 2024

This worked! Coverage breakpoints were added successfully

Unrelated to this issue, is it possible to load coverage to a module that isn't loaded in the dump file used for the state? For example, say you breakpoint on a user-mode process and you know it will send an IOCTL that will later send input to a second user-mode process. If you wanted to track the coverage for both user-mode processes, how would you do this? I've noticed that loading coverage will fail if it can't find the base. I'm guessing this is because when you scope into a process using .Process it won't contain modules of other processes

0vercl0k commented on June 29, 2024

0vercl0k commented on June 29, 2024

Closing this thread as it seems the issues were addressed and there hasn't been any new activity :)

Cheers
