Crash on dumping parameters
Closed this issue · 1 comment
hasherezade commented
Test case
Issue
When dumping of the parameters is selected, the produced trace is incomplete.
Using the default params.txt:
kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6
The end of the tracelog:
17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
When LoadLibraryA was removed from params.txt, the tracelog continues. Example:
175f0;msvcrt.fwrite
17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
d480;kernel32.GetProcAddress
13ad8;called: ?? [15440000+5c]
> 15440000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 15440000+70;nim.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [15440000+2e]
[...]
Possible crash on dumping parameters of LoadLibraryA.
hasherezade commented
After the fix, parameters were successfully traced:
17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
LoadLibraryA:
Arg[0] = ptr 0x00000000160d25a0 -> "amsi"
d480;kernel32.GetProcAddress
GetProcAddress:
Arg[0] = ptr 0x00007ffd17580000 -> {MZ\x90\x00\x03\x00\x00\x00}
Arg[1] = ptr 0x00000000160d25d0 -> "AmsiScanBuffer"
13ad8;called: ?? [16970000+5c]
> 16970000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 16970000+70;nim_sample.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [16970000+2e]
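The two log formats in this issue, the `module;function;argcount` lines of params.txt and the `rva;module.function` / `Arg[n] = ptr 0x... -> ...` lines of the tracelog, are easy to check mechanically. The following is an added example, not code from the tracer project or from the issue author: a small parser for both formats plus a check that every traced call of a function listed in params.txt actually got the configured number of arguments dumped. Run against a constructed copy of the pre-fix log it reports exactly the symptom reported above (LoadLibraryA listed with 1 argument, 0 dumped, trace ends); against the post-fix log it reports nothing and lists the strings the pointer arguments resolved to. All sample data is constructed from the excerpts in the issue; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed params.txt in the format used in the issue: module;function;argument count.
PARAMS_TXT = """\
kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6
"""

# Constructed excerpt modelled on the pre-fix log in the issue: the trace ends
# right at the LoadLibraryA call, with no argument lines after it.
PRE_FIX_LOG = """\
17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
"""

# Constructed excerpt modelled on the post-fix log; a raw string so the byte
# preview {MZ\x90...} stays literal instead of being interpreted as escapes.
POST_FIX_LOG = r"""17710;msvcrt.__iob_func
17610;msvcrt.fflush
15492;kernel32.GetCurrentProcess
d479;kernel32.LoadLibraryA
LoadLibraryA:
Arg[0] = ptr 0x00000000160d25a0 -> "amsi"
d480;kernel32.GetProcAddress
GetProcAddress:
Arg[0] = ptr 0x00007ffd17580000 -> {MZ\x90\x00\x03\x00\x00\x00}
Arg[1] = ptr 0x00000000160d25d0 -> "AmsiScanBuffer"
13ad8;called: ?? [16970000+5c]
> 16970000+6e;SYSCALL:0x50(NtProtectVirtualMemory)
> 16970000+70;nim_sample.[unnamedImageEntryPoint+125ee]*
13b09;called: ?? [16970000+2e]
"""


@dataclass
class Arg:
    index: int
    pointer: int
    kind: str            # "string", "bytes", "raw" or "none"
    value: Optional[str]


@dataclass
class Call:
    rva: int
    module: str
    function: str
    args: List[Arg] = field(default_factory=list)


# "d479;kernel32.LoadLibraryA": return-address RVA, module and exported name.
CALL_RE = re.compile(r"^([0-9a-fA-F]+);(\w+)\.([\w@?$]+)$")
# 'Arg[0] = ptr 0x00000000160d25a0 -> "amsi"' with an optional resolved part.
ARG_RE = re.compile(r"^Arg\[(\d+)\]\s*=\s*ptr\s+0x([0-9a-fA-F]+)(?:\s*->\s*(.+))?$")


def parse_params(text: str) -> Dict[Tuple[str, str], int]:
    """Map (module, function) to the number of arguments the tracer should dump."""
    params: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";")
        if len(parts) != 3:
            raise ValueError(f"malformed params.txt line: {line!r}")
        module, function, count = parts
        params[(module.lower(), function)] = int(count)
    return params


def _parse_arg(m) -> Arg:
    index, pointer, resolved = int(m.group(1)), int(m.group(2), 16), m.group(3)
    if resolved is None:
        return Arg(index, pointer, "none", None)
    if len(resolved) >= 2 and resolved[0] == '"' and resolved[-1] == '"':
        return Arg(index, pointer, "string", resolved[1:-1])      # C string at the pointer
    if resolved.startswith("{") and resolved.endswith("}"):
        return Arg(index, pointer, "bytes", resolved[1:-1])       # raw byte preview
    return Arg(index, pointer, "raw", resolved)


def parse_tracelog(text: str) -> List[Call]:
    """Group each traced API call with the Arg[...] lines dumped right after it."""
    calls: List[Call] = []
    current: Optional[Call] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CALL_RE.match(line)
        if m:
            current = Call(int(m.group(1), 16), m.group(2), m.group(3))
            calls.append(current)
            continue
        if current is not None and line == current.function + ":":
            continue  # "LoadLibraryA:" header that announces the dumped arguments
        m = ARG_RE.match(line)
        if m and current is not None:
            current.args.append(_parse_arg(m))
            continue
        # Anything else (nested "> ..." lines, "called: ??" indirect calls) closes
        # the argument section, so stray Arg lines cannot attach to the wrong call.
        current = None
    return calls


def verify_trace(calls: List[Call], params: Dict[Tuple[str, str], int]) -> List[Tuple[str, int, int]]:
    """Return (function, expected, dumped) for every listed API whose dump is short or long."""
    problems = []
    for call in calls:
        expected = params.get((call.module.lower(), call.function))
        if expected is not None and len(call.args) != expected:
            problems.append((call.function, expected, len(call.args)))
    return problems


def resolved_strings(calls: List[Call]) -> List[Tuple[str, int, str]]:
    """The view an analyst wants from a dumped trace: which API got which string."""
    return [(c.function, a.index, a.value) for c in calls for a in c.args if a.kind == "string"]


if __name__ == "__main__":
    params = parse_params(PARAMS_TXT)
    for label, log in (("pre-fix", PRE_FIX_LOG), ("post-fix", POST_FIX_LOG)):
        calls = parse_tracelog(log)
        print(f"{label}: {len(calls)} calls, argument-count problems: {verify_trace(calls, params)}")
    print(resolved_strings(parse_tracelog(POST_FIX_LOG)))
```

A mismatch from `verify_trace` on the last call of a log is the signature of the crash described in this issue: the call line was written, the argument dump never followed, and nothing came after it. Pairing the resolved strings with the calls (LoadLibraryA("amsi"), then GetProcAddress(..., "AmsiScanBuffer"), then the NtProtectVirtualMemory syscall) is what makes the post-fix trace useful to read.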