Yes, I have the same problem. I receive an ACCESS VIOLATION after the breakpoints are loaded. Another thing is that the breakpoint lists for Winword.exe or mso.dll are about 500.000 elements, and Process Stalker spends a lot of time loading them (12 hours). Is it a problem or is it the normal behaviour of Process Stalker?
In situations with so many breakpoints I would go about handling it by first doing a function only trace. Then expanding those hit functions into basic blocks and re-tracing. This combination of filtering and function->bb expansion should do the trick for you.
The reason why it's likely crashing is due to the mislabeling of data as code during the analysis phase. Jump tables for example may be embedded within the function and do not correctly get "ignored" as data during the bb discovery phase. Again, try doing a function only trace and see how that pans out.
The time it takes to analyze and prep large binaries such as Word is definitely stifling. I've had various ideas on how to discover basic blocks "on the fly", but have never coded anything up in that direction. If anyone has any interesting ideas regarding this matter ... I'm all ears.
> I have tried the function only trace, but it reports ACCESS VIOLATION all the time.
Yeah, I'm going to need a little more detail to be of any help there. Drop me a private message with more details if you can't share them here or better yet, wait a week and use the new stuff (which I actually actively maintain).
Apologies for the late response, been busy. The fault is more than likely due to the misrepresentation of data as code, therefore causing the debugger component of Process Stalker to set breakpoints where it shouldn't. This is a generic problem with IDA and a complex problem to solve in general.
Try re-analyzing your target while disabling the "Make final analysis pass" option under "Kernel options 1".
Dealing with large binaries in general is also a bit cumbersome I realize, especially in the new (actually replacement) version of the tool that is coming out later in the week.