Comments (5)
What is happening at the crash site? Try these commands: `x/i $pc` and `i r`. The call to `GetModuleFileNameA()` seems sane; it's possible it didn't like the result. Maybe it was trying to find path separators in there? I think by default it will just be `fakename.exe`.
It looks like you're just a few instructions into the routine at `loc_1000D552`, can you show the disassembly? e.g.: `x/20i loc_1000D552`
from loadlibrary.
Thanks for the quick response.
I've increased the verbosity of the winapi calls and the segfault occurs after a `LeaveCriticalSection`.
```
GetModuleFileNameA(): (nil), 0xf7d8a62c, 260 => 12
EnterCriticalSection(): : 0xf7d8a5e8
LeaveCriticalSection(): : 0xf7d8a5e8
Program received signal SIGSEGV, Segmentation fault.
0xf7d8055a in loc_1000D552 () at {standard input}:3208
3208 {standard input}: No such file or directory.
```
The output of the requested commands:
```
(gdb) x/i $pc
=> 0xf7d8055a <loc_1000D552>: mov (%esi),%al
(gdb) i r
eax            0x4        4
ecx            0xffffcf1c -12516
edx            0x0        0
ebx            0x0        0
esp            0xffffcf1c 0xffffcf1c <RtlUnwind+136806056>
ebp            0xffffcf48 0xffffcf48 <RtlUnwind+136806100>
esi            0x0        0
edi            0x0        0
eip            0xf7d8055a 0xf7d8055a <loc_1000D552>
eflags         0x10246    [ PF ZF IF RF ]
cs             0x23       35
ss             0x2b       43
ds             0x2b       43
es             0x2b       43
fs             0x73       115
gs             0x63       99
(gdb) x/20i loc_1000D552
=> 0xf7d8055a <loc_1000D552>:     mov    (%esi),%al
   0xf7d8055c <loc_1000D552+2>:   cmp    %bl,%al
   0xf7d8055e <loc_1000D552+4>:   je     0xf7d80572 <loc_1000D56A>
   0xf7d80560 <loc_1000D552+6>:   cmp    $0x3d,%al
   0xf7d80562 <loc_1000D552+8>:   je     0xf7d80565 <loc_1000D55D>
   0xf7d80564 <loc_1000D552+10>:  inc    %edi
   0xf7d80565 <loc_1000D55D>:     push   %esi
   0xf7d80566 <loc_1000D55D+1>:   call   0xf7d81828 <_strlen>
   0xf7d8056b <loc_1000D55D+6>:   pop    %ecx
   0xf7d8056c <loc_1000D55D+7>:   lea    0x1(%esi,%eax,1),%esi
   0xf7d80570 <loc_1000D55D+11>:  jmp    0xf7d8055a <loc_1000D552>
   0xf7d80572 <loc_1000D56A>:     lea    0x4(,%edi,4),%eax
   0xf7d80579 <loc_1000D56A+7>:   push   %eax
   0xf7d8057a <loc_1000D56A+8>:   call   0xf7d7c600 <_malloc>
   0xf7d8057f <loc_1000D56A+13>:  mov    %eax,%esi
   0xf7d80581 <loc_1000D56A+15>:  pop    %ecx
   0xf7d80582 <loc_1000D56A+16>:  cmp    %ebx,%esi
   0xf7d80584 <loc_1000D56A+18>:  mov    %esi,0xf7d8a57c
   0xf7d8058a <loc_1000D56A+24>:  jne    0xf7d80594 <loc_1000D58C>
   0xf7d8058c <loc_1000D56A+26>:  push   $0x9
(gdb)
```
So it's a NULL dereference: it was expecting the value in `%esi` to be an ANSI string (because it then passes it to `strlen()`), but it's NULL. It's tough to guess what went wrong from this, but the critical section stuff is probably not related.
Because it's so close to a call to `GetModuleFileNameA`, and it was clearly expecting an ANSI string here... I think it must be related to that. A shot in the dark: try changing `GetModuleFileNameA` to return something like `C:\foo\whatever.exe`, and see if it works (remember to double slashes, like `\\`).
It's hard to guess any further without seeing what the dll is trying to do. If you also have a Windows machine, you could put a breakpoint there and see what the string is (`da @esi` in windbg commands); that might help you guess what went wrong.
Oh, but this line is interesting:
`0xf7d80560 <loc_1000D552+6>: cmp $0x3d,%al`
It looks like it was expecting an `=` character in there. Hmm. It would be surprising if that was a pathname; maybe it's trying to parse the environment, as it would be normal for those to contain equals.
It does call `GetEnvironmentStringsW` earlier on, so maybe it was expecting an environment variable to be set and didn't find it. There's no way to guess which variable it wanted from that debugging output; you will need to poke around in the code (or maybe you will just get really lucky and can guess from the `strings` output!).
Thanks for the pointers! I've taken a quick look at the API calls made in Windows.
The first call to `WideCharToMultiByte` takes in the environment string (just looking for where `=` is passed around); it also passes `NULL` for `lpMultiByteStr`, so your stub function returns 0 here, while it returns a positive value in Windows.
The documentation of the return value is a little confusing:
> If successful, returns the number of bytes written to the buffer pointed to by lpMultiByteStr. If the function succeeds and cbMultiByte is 0, the return value is the required size, in bytes, for the buffer indicated by lpMultiByteStr. Also see dwFlags for info about how the WC_ERR_INVALID_CHARS flag affects the return value when invalid sequences are input.
I think the stub needs to account for the second condition, where `cbMultiByte` is `0`, so the return value indicates how big `lpMultiByteStr` needs to be.
Simply patching your `WideCharToMultiByte` function to return `cchWideChar` instead of `0` eliminated the segfault.
I'll tidy up my changes and make a pull request.
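The two-call contract the last comment describes (a size query with `cbMultiByte == 0`, then the real conversion into the allocated buffer) and the `=`-counting loop visible in the `x/20i` disassembly earlier in the thread, as an added C example. This is not code from the loadlibrary project or from any commenter: the stub, the loop model, the `env_entries_from_wide` caller and the sample environment block are all hypothetical stand-ins, and the stub converts ASCII only, whereas the real `WideCharToMultiByte` handles code pages and flags.

```c
/* Added example, not code from the loadlibrary project or the issue thread.
 * Models (a) a WideCharToMultiByte()-style stub that honours the
 * cbMultiByte == 0 size query and (b) the loop at loc_1000D552, which walks
 * a double-NUL-terminated "NAME=VALUE" block and counts the entries whose
 * first byte is not '='. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* UTF-16 code unit, like the Windows WCHAR */

/* Minimal stand-in for WideCharToMultiByte(): ASCII-only conversion.
 * cchWideChar == -1 means "lpWideCharStr is NUL-terminated, include the NUL".
 * Returns the number of bytes written, or, when cbMultiByte == 0, the number
 * of bytes the caller must allocate. Returns 0 on failure, like the real API;
 * a stub that always returned 0 is what the thread diagnosed. */
static int stub_WideCharToMultiByte(const WCHAR16 *wide, int cchWideChar,
                                    char *out, int cbMultiByte)
{
    if (wide == NULL || cchWideChar == 0)
        return 0;
    int n = cchWideChar;
    if (n < 0) {
        n = 0;
        while (wide[n] != 0)
            n++;
        n++;                              /* count the terminating NUL too */
    }
    if (cbMultiByte == 0)
        return n;                         /* size query: report required bytes */
    if (out == NULL || cbMultiByte < n)
        return 0;                         /* buffer too small: fail, write nothing */
    for (int i = 0; i < n; i++)
        out[i] = (wide[i] < 0x80) ? (char)wide[i] : '?';
    return n;
}

/* Model of the disassembled loop: `mov (%esi),%al` reads the first byte of
 * each string, a 0 byte ends the block, `cmp $0x3d,%al` skips entries that
 * start with '=' (Windows keeps hidden drive entries such as "=C:=C:\" in the
 * environment block), and `inc %edi` counts the rest. A NULL block here is
 * the exact fault from the issue, so refuse it instead of dereferencing. */
static long count_env_entries(const char *block)
{
    long count = 0;
    if (block == NULL)
        return -1;
    for (const char *p = block; *p != '\0'; p += strlen(p) + 1) {
        if (*p != '=')
            count++;
    }
    return count;
}

/* The two-call pattern the DLL appears to use: query the size, allocate,
 * convert, then count. With a stub that always returns 0 the `need == 0`
 * branch is taken; a caller that skipped that check would hand NULL to the
 * counting loop, which is the crash in the thread. */
static long env_entries_from_wide(const WCHAR16 *wide_block, int cch)
{
    int need = stub_WideCharToMultiByte(wide_block, cch, NULL, 0);
    if (need == 0)
        return -1;
    char *ansi = malloc((size_t)need);
    if (ansi == NULL)
        return -1;
    if (stub_WideCharToMultiByte(wide_block, cch, ansi, need) != need) {
        free(ansi);
        return -1;
    }
    long n = count_env_entries(ansi);
    free(ansi);
    return n;
}

/* Constructed sample environment block (not a real capture): one hidden
 * "=C:=C:\" entry followed by two ordinary variables and the final NUL. */
static const WCHAR16 sample_env_w[] = {
    '=', 'C', ':', '=', 'C', ':', '\\', '\0',
    'P', 'A', 'T', 'H', '=', '/', 'u', 's', 'r', '\0',
    'H', 'O', 'M', 'E', '=', '/', 'r', 'o', 'o', 't', '\0',
    '\0'
};
#define SAMPLE_ENV_LEN ((int)(sizeof(sample_env_w) / sizeof(sample_env_w[0])))

int main(void)
{
    printf("size query: %d bytes\n",
           stub_WideCharToMultiByte(sample_env_w, SAMPLE_ENV_LEN, NULL, 0));
    printf("entries counted: %ld\n",
           env_entries_from_wide(sample_env_w, SAMPLE_ENV_LEN));
    return 0;
}
```

Note that the environment block has to be converted with an explicit `cchWideChar` (the block's full length, as `GetEnvironmentStringsW` callers compute it), because `-1` stops at the first NUL and would convert only the hidden `=C:=C:\` entry.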