
Dirty exception hook #1 (Open)

oopsmishap wants to merge 3 commits into main from dirty-exception-hook

Conversation

@oopsmishap (Owner)

Putting it as a PR to allow an easy code change view.

Output of ramen_noodle.py:

`quiet=True`

```
interrupt 3 (#BP, Breakpoint), cip = 6ce353, cs = 23
we hit a bp! info: entrypoint bp address: 6ce352 original: bytearray(b'\xe8')
commit(0x6ea000[0x1d000], PAGE_READWRITE)
found rwx commit
commit(0x1180000[0x1d000], PAGE_EXECUTE_READWRITE)
found rwx commit
initial unsupported access UC_MEM_FETCH_PROT of 118607f[1] = 0, cip = 118607f
final unsupported access UC_MEM_FETCH_PROT of 1186080[1] = 0, cip = 118607f
catching ExecuteProtection 0x118607f
potential stage3 buffer 0x1180000[0x1d000] (rwx)
first bytes of region: bytearray(b'RSL\x01\x05\x00d\x00\x7f`\x00\x00\x80\xcd\x01\x00\x18\x01\x00\x00\x00\xad\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00')
Saved dump to "E:/tmp/ramen_1180000.bin"
```
`quiet=False`

```
emu_start(6ce320, deadbeef, 0)
interrupt 3 (#BP, Breakpoint), cip = 6ce353, cs = 23
handling exception...
we hit a bp! info: entrypoint bp address: 6ce352 original: bytearray(b'\xe8')
restoring breakpoint: 6ce352
emu_start(6ce352, deadbeef, 0)
syscall: ZwAllocateVirtualMemory(
    HANDLE ProcessHandle = 0xffffffff /* NtCurrentProcess() */,
    PVOID* BaseAddress = 0x19f96c,
    ULONG_PTR ZeroBits = 0x0,
    SIZE_T* RegionSize = 0x19f99c,
    ULONG AllocationType = 0x1000,
    ULONG Protect = 0x4
)
commit(0x6ea000[0x1d000], PAGE_READWRITE)
status = 0
syscall: ZwAllocateVirtualMemory(
    HANDLE ProcessHandle = 0xffffffff /* NtCurrentProcess() */,
    PVOID* BaseAddress = 0x19fec4,
    ULONG_PTR ZeroBits = 0x0,
    SIZE_T* RegionSize = 0x19fec0,
    ULONG AllocationType = 0x1000,
    ULONG Protect = 0x40
)
found rwx commit
commit(0x1180000[0x1d000], PAGE_EXECUTE_READWRITE)
found rwx commit
status = 0
syscall: ZwAccessCheck(
    SECURITY_DESCRIPTOR* SecurityDescriptor = 0xffffffff,
    HANDLE ClientToken = 0x19fec4,
    ACCESS_MASK DesiredAccess = 0x0,
    GENERIC_MAPPING* GenericMapping = 0x19fec0,
    PRIVILEGE_SET* PrivilegeSet = 0x1000,
    ULONG* PrivilegeSetLength = 0x40,
    ACCESS_MASK* GrantedAccess = 0x6e8368,
    NTSTATUS* AccessStatus = 0x1d000
)
status = 0
initial unsupported access UC_MEM_FETCH_PROT of 118607f[1] = 0, cip = 118607f
final unsupported access UC_MEM_FETCH_PROT of 1186080[1] = 0, cip = 118607f
fetch from 0x1186081[1] already reported
fetch from 0x1186082[1] already reported
fetch from 0x1186083[1] already reported
...
(continues for a long time, it's a bug)
...
fetch from 0x11862b9[1] already reported
fetch from 0x11862ba[1] already reported
handling exception...
catching ExecuteProtection 0x118607f
potential stage3 buffer 0x1180000[0x1d000] (rwx)
first bytes of region: bytearray(b'RSL\x01\x05\x00d\x00\x7f`\x00\x00\x80\xcd\x01\x00\x18\x01\x00\x00\x00\xad\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00')
Saved dump to "E:/tmp/ramen_1180000.bin"
emu_start(deadbeef, deadbeef, 0)
emulation finished, cip = deadbeef

Process finished with exit code 0
```
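As an added example (not code from this PR or from ramen_noodle.py), the following Python replays the correlation step the log above shows: it collects every `commit(...)` line with its protection, then maps the `catching ExecuteProtection` fault address back to the RWX region that contains it, which is the region the script reports as the "potential stage3 buffer". The sample log lines are a subset copied from the `quiet=True` output; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the quiet=True run shown above.
SAMPLE_LOG = """\
interrupt 3 (#BP, Breakpoint), cip = 6ce353, cs = 23
commit(0x6ea000[0x1d000], PAGE_READWRITE)
found rwx commit
commit(0x1180000[0x1d000], PAGE_EXECUTE_READWRITE)
found rwx commit
catching ExecuteProtection 0x118607f
"""

# commit(<base>[<size>], <protection>) as printed by the emulator log
COMMIT_RE = re.compile(r"^commit\(0x([0-9a-f]+)\[0x([0-9a-f]+)\], (PAGE_\w+)\)$")
# the fault address at which the fetch-from-RWX exception was caught
FAULT_RE = re.compile(r"^catching ExecuteProtection 0x([0-9a-f]+)$")

@dataclass
class Region:
    base: int
    size: int
    protect: str

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

    def is_rwx(self) -> bool:
        return self.protect == "PAGE_EXECUTE_READWRITE"

def parse_regions(log: str) -> List[Region]:
    """Collect every committed region (base, size, protection) from the log."""
    regions = []
    for line in log.splitlines():
        m = COMMIT_RE.match(line.strip())
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3]))
    return regions

def find_stage3_candidate(log: str) -> Optional[Region]:
    """Return the RWX region that holds the ExecuteProtection fault address."""
    regions = parse_regions(log)
    for line in log.splitlines():
        m = FAULT_RE.match(line.strip())
        if m:
            addr = int(m[1], 16)
            for r in regions:
                if r.is_rwx() and r.contains(addr):
                    return r
    return None
```

On the sample above this yields the 0x1180000[0x1d000] region, matching the `potential stage3 buffer` line in the log; a fault inside the PAGE_READWRITE region at 0x6ea000 would return nothing, since only RWX commits are candidates.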

oopsmishap force-pushed the dirty-exception-hook branch from cb30977 to db1e7ac on January 25, 2023 22:17
oopsmishap force-pushed the dirty-exception-hook branch from db1e7ac to 042eef6 on January 25, 2023 22:19
