Flag: Tornado! Hurricane!

 Forums >>  Debuggers  >>  immunity debugger last exception (in range)

Topic created on: September 9, 2011 02:47 CDT by blowcheck .

Hi all,
i'm running immunity debugger V. 1.73, during a debugging of an executable i face each time the same exception: (E06D7363 - use shift+/F7/F8/F9 to pass exception to program), i added it under options->exceptions--Ignore also following custom exceptions or ranges as E06D7363, but checking also the log file the exception raise each seconds.
Someone have some advices on how to bypass it?
Is it a weird behaviour?
thanks in advance
LUC

  blowcheck     September 12, 2011 03:18.11 CDT
I have investigated in deep, no way to pass the exception.
Below what i did:
1)retn---> right-click follow in dump

below the registers status:
EAX 0018301C ASCII "Client"
ECX 00C326B0 Client.00C326B0
EDX 00000000
EBX 00000000
ESP 0012F698
EBP 0012F700
ESI 00000000
EDI 000000F4
EIP 7C90E514 ntdll.KiFastSystemCallRet
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty %#.19L
ST1 empty %#.19L
ST2 empty -UNORM 9726 00000000 00000003
ST3 empty -UNORM FE21 00000000 39487331
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


So EIP point to ntdll.KiFastSsytemCallRet, so seems something related to trap frame, sysenter doesn't save the return address, now what is the next step for find the solution and bypass the exception?
thanks in advance

  HiPPiEkiLLeR     September 18, 2011 18:44.45 CDT
First maybe update Immunity Debugger to less buggy version?
https://immunityinc.com/products-immdbg.shtml

  blowcheck     September 20, 2011 09:06.25 CDT
Ok hippiekiller thanks, i just asked because i would keep paimei up and running, if I install the latest immunity version also python change, i'm not sure if i will be able to install paimei with python 2.7

  blowcheck     April 20, 2012 06:10.27 CDT
I solved, i used !hidedebug.
Regards

Note: Registration is required to post to the forums.

There are 30,784 total registered users.


Recently Created Topics
Question about memor...
Dec/12
How can i find conne...
Nov/27
How can I write olly...
Oct/05
Career: Malware Reve...
Sep/30
How to produce separ...
Sep/20
How to decompile a f...
Sep/16
How to trap mouse cl...
Sep/03
Intel pin in loaded ...
Jun/27
Going to do today wi...
Jun/27
how to create delphi...
Jun/27


Recent Forum Posts
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack
looking for a softwa...
raxen
Documenting reversed...
raxen
.orpc section what's...
mbin


Recent Blog Entries
oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

oleavr
Apr/17
frida.re 1.2.0 is out, with...

More ...


Recent Blog Comments
djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

newlulu on:
Jun/10
Branch tracing and LBR acce...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit