x64dbgbot
@x64dbgbot
<Malware Utkonos> I tried adding a switch -h inside the quotation marks, and it returns an error “Could not set command line!”
<mrexodia> Not really, works fine for me (re @x64dbg_bot: <Malware Utkonos> Is there a trick to using the “Change Command Line” feature in the File menu?)
<mrexodia> Yeah jesus (re @x64dbg_bot: <Nukem> i see that we are still getting the stop emails lol)
<c0rt3x0> @mrexodia how can we add https://github.com/corelan/mona/blob/master/mona.py to x64dbg ?
<c0rt3x0> with a separated window ?
<billy-jon> is there a way to make a list of patches reapply automatically when i restart the process?
<mrfearless> File->Patch File->Import. browse for .1337 file to import. Then Patch File button
<billy-jon> right. but if i do restart process it seems i need to do that again?
<mrfearless> yes
<billy-jon> so im asking if there is a way to have it re-apply automatically the way breakpoints do
<mrfearless> I think maybe the script or the commands could be extended to include a patchload or patchsave perhaps
<mrfearless> there are a few patch related functions in the DbgFunctions: PatchGet, PatchInRange, MemPatch, PatchRestoreRange, PatchEnum, PatchRestore, PatchFile, PatchGetEx
<mrfearless> just would need to register a command and tie in the logic to call the appropriate function
<mrfearless> and do error checking, make sure target debuggee is loaded etc
<billy-jon> that's a good point. there may not be a universally acceptable time to install them. but i guess whenever the bps are applied should work for this too?
<billy-jon> i assume that bps are stored in the .ini file? maybe another entry to reference a patch file for a given binary?
<mrexodia> There is a plugin (re @x64dbg_bot: <billy-jon> so im asking if there is a way to have it re-apply automatically the way breakpoints do)
<mrfearless> yes in the .dd32 or .dd64 file (re @x64dbg_bot: <billy-jon> i assume that bps are stored in the .ini file? maybe another entry to reference a patch file for a given binary?)
<billy-jon> oh cool
<Tornikepa> Hello, how to read code utf8 unicode?
<Tornikepa> Now i see blank space
<Malware Utkonos> i see some odd behavior trying to copy the text of a command in x64dbg or to paste something into the command entry box.
<Malware Utkonos> it doesn’t work and appears to do a lot of work before failing
<Malware Utkonos> i should say it doesn’t do anything, but it takes a long time
<Ab> does it always happen?
<Ab> I'm not at my desk atm
<billy-jon> i wonder if i may have discovered a bug in x64dbg. while analysing a malware sample, a call to VirtualProtect() which attempts to set PAGE_EXECUTE_READWRITE for the whole module [base, base+PEHeader->SizeOfImage] causes the .text segment to vanish from the memory map and be considered invalid by x64dbg. however if i step through i can see RIP proceeding as expected through those addresses. there is also a rep movsb instruction shortly after the
<billy-jon> VirtualProtect() call which successfully copies data from the now-vanished .text segment. i looked for some kind of a hook on VirtualProtect() and found none.
<billy-jon> i tried reproducing it in a hello-world cpp file, but there it behaves normally
<billy-jon> and regardless of what is going on, x64dbg should never forget about this memory i think?
<billy-jon> my next step was to try and build my own x64dbg and debug it, find where the code is that forgets about the .text segment, and try to learn why it is deciding to do that
<mrfearless> it probably sets up an exception handler and when the protected memory is hit it checks for type of exception - single step etc = debugger, otherwise unprotect the memory and continue - think i read about this recently with some post on twitter or somewhere relating to malware or ransomware
<mrfearless> this was the reference i was thinking of: https://secrary.com/Random/anti_re_simple/
<billy-jon> it does indeed add a single VEH with first=1 beforehand, but im not sure what you mean by "when the protected memory is hit"
<billy-jon> i have a bp on the indirect call to VirtualProtect(), which i have stepped through one instruction at a time. the .text segment disappears only following the syscall instruction with id 0x50 (which is the correct id)
<billy-jon> the indirect call is within the .text segment and there is nothing special about it at this point afaik
<billy-jon> i guess they might be using an instrumentation callback to hook the return to usermode following the syscall? o.O
<billy-jon> ive never tried it but im assuming that x64dbg would pick up an instrumentation callback since RIP would be different than the value following the syscall instruction
<billy-jon> hrm nope cant be that either i dont think because im not seeing a call to NtSetInformationProcess() which afaik would be required?
<billy-jon> if anyone replied my client got messed up during that net split
<n> I want break before call a func, which command should I do
<n> bpx is not working
<mrexodia> Maybe. The problem is that x64dbg has a different idea of reality with regards to memory per default, but yeah probably the header shouldn’t disappear (re @x64dbg_bot: <billy-jon> and regardless of what is going on, x64dbg should never forget about this memory i think?)
<shaddycls> are there any known issues setting command line in x64?
<mrexodia> No
<shaddycls> yep, nevermind
<shaddycls> found out that the syntax is:
init "binary.exe","arg1 arg2 ..."
<billy-jon> mrexodia, is there any kind of under-the-hood commands i can issue and show you the output of to troubleshoot this? or at this point am i needing to try and do my own build and debug?