googleprojectzero/Jackalope

PROGRAM ABORT : Process exited before reaching the target method - due to partial memory read from process

piotrbania opened this issue · 3 comments

Hey Ivan,

I've been trying to use Jackalope on some PE binary. Jackalope kinda refused to work with it due to the:
"[-] PROGRAM ABORT : Process exited before reaching the target method"

Which was odd since the target method was exported and available in the PE export section and the debugger itself catches the exported function execution without any problems.

Anyway long story short the culprit was in the Debugger::GetProcOffset function:

```cpp
DWORD Debugger::GetProcOffset(HMODULE module, const char *name) {
  char* base_of_dll = (char*)module;
  DWORD size_of_image = GetImageSize(base_of_dll);

  // try the exported symbols next
  char* modulebuf = (char*)malloc(size_of_image);
  SIZE_T num_read;
  if (!ReadProcessMemory(child_handle, base_of_dll, modulebuf, size_of_image, &num_read) ||
    (num_read != size_of_image))
  {
    FATAL("Error reading target memory\n"); // -> HERE
  }
```

The cause was that ReadProcessMemory returned an error (ERROR_PARTIAL_COPY - 299 (0x12B) - Only part of a ReadProcessMemory or WriteProcessMemory request was completed).

In my case it was due to the .retplne section (retpoline) which had PAGE_NOACCESS rights set.

Long story short, simply changing the FATAL("Error reading target memory\n"); to WARN appears to solve the problem (when GetLastError() == ERROR_PARTIAL_COPY).

Obviously this is far from being a "proper fix" but just leaving the information here in case anyone else encounters this issue. Peace.

Hey Piotr,

Thanks for reporting! Looks like the approach of reading the entire module in one go isn't working well in this case and needs to be rewritten somewhat.

Just to understand the issue better, do you know how come Jackalope wasn't erroring out with "Error reading target memory" instead of erroring out with "Process exited before reaching the target method"? I'd expect to get the former error if there was an issue with the memory read. Or did you change the reading code already at this point?

For anyone reading, the alternative to -target_method is specifying the offset directly via -target_offset which doesn't do the symbol lookup.

AFAIR I had to change some variable in debugger.cpp to verbose debug events, otherwise I only got:
[!] WARNING: Target function not reached, retrying with a clean process
...
[-] PROGRAM ABORT : Process exited before reaching the target method

maybe there was some verbose flag in the command line that I forgot about :)

Hi, the GetProcOffset issue should be fixed in googleprojectzero/TinyInst@338dde5
It now reads only PE headers and the export table, so unusual permissions on other pages shouldn't matter.

I'm tentatively closing the issue, but I'd appreciate it if you could give it a spin against your target again and check if it works correctly.
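To make the difference between the two strategies concrete, here is an added example (my own, not Jackalope's or TinyInst's code) that models them against a constructed PE32+ image in which one page stands in for the PAGE_NOACCESS .retplne section: a whole-SizeOfImage read fails the way the report describes, while a lookup that touches only the headers and the export table resolves the symbol. `build_image`, `make_reader`, `get_proc_offset` and `PartialCopy` are names chosen for this example, and the simulated reader fails a read outright whenever it touches an inaccessible page, mirroring the ERROR_PARTIAL_COPY behaviour.

```python
import struct

PAGE = 0x1000
EXPORT_DIR = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes
class PartialCopy(Exception):
    """Stand-in for ReadProcessMemory failing with ERROR_PARTIAL_COPY."""

def make_reader(image, noaccess_pages):
    """Simulated ReadProcessMemory: a read touching a no-access page fails as a whole."""
    def read(off, n):
        if set(range(off // PAGE, (off + n - 1) // PAGE + 1)) & set(noaccess_pages):
            raise PartialCopy(f"read at {off:#x} len {n:#x} touches an inaccessible page")
        return bytes(image[off:off + n])
    return read

def build_image():
    """Constructed minimal PE32+ image: headers in page 0, exports in page 1, page 2 unused."""
    img = bytearray(4 * PAGE)
    img[0:2], lfanew = b"MZ", 0x40
    struct.pack_into("<I", img, 0x3C, lfanew)
    img[lfanew:lfanew + 4] = b"PE\0\0"
    oh = lfanew + 24                                   # OptionalHeader follows the 20-byte FileHeader
    struct.pack_into("<H", img, oh, 0x20B)             # PE32+
    struct.pack_into("<I", img, oh + 56, len(img))     # SizeOfImage: what the old code read in one go
    exp = PAGE
    struct.pack_into("<II", img, oh + 112, exp, 0x80)  # export DataDirectory entry (RVA, size)
    funcs, names, ords, strs = exp + 40, exp + 48, exp + 56, exp + 60
    struct.pack_into(EXPORT_DIR, img, exp, 0, 0, 0, 0, 0, 1, 2, 2, funcs, names, ords)
    struct.pack_into("<II", img, funcs, 0x1100, 0x1240)  # RVAs of the two exported functions
    struct.pack_into("<II", img, names, strs, strs + 11)
    struct.pack_into("<HH", img, ords, 0, 1)
    img[strs:strs + 18] = b"fuzz_entry\0helper\0"
    return img

def get_proc_offset(read, name):
    """Resolve an export by reading only PE headers and the export table, not SizeOfImage bytes."""
    lfanew = struct.unpack_from("<I", read(0x3C, 4))[0]
    magic = struct.unpack_from("<H", read(lfanew + 24, 2))[0]
    dd = lfanew + 24 + (112 if magic == 0x20B else 96)  # DataDirectory offset differs for PE32/PE32+
    exp, exp_size = struct.unpack_from("<II", read(dd, 8))
    d = struct.unpack_from(EXPORT_DIR, read(exp, 40))
    nnames, funcs, names, ords = d[7:11]
    name_rvas = struct.unpack_from(f"<{nnames}I", read(names, 4 * nnames))
    ordinals = struct.unpack_from(f"<{nnames}H", read(ords, 2 * nnames))
    for rva, ordinal in zip(name_rvas, ordinals):
        s = read(rva, min(64, exp + exp_size - rva)).split(b"\0", 1)[0]  # names lie inside the export span
        if s == name.encode():
            return struct.unpack_from("<I", read(funcs + 4 * ordinal, 4))[0]
    return None
```

With `read = make_reader(build_image(), {2})`, `read(0, 4 * PAGE)` raises `PartialCopy` while `get_proc_offset(read, "fuzz_entry")` returns `0x1100`.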