drrun.exe segfault
26 views
Skip to first unread message
Holger Unterbrink
Apr 30, 2025, 8:19:29 AMApr 30
to DynamoRIO Users
This code
(compiled with VS2022) segfaults in drrun.exe (even without a client, pls see below):
#include <Windows.h>
#include <stdio.h>
#include <stdint.h>
#include <intrin.h>
int main()
{
CONTEXT* ctx;
SIZE_T debugger_attached = 0;
printf("Starting....\n");
__try {
__writeeflags(__readeflags() | 0x100); // Set TF flag aka set CPU to single step
__nop(); // trigger exception in single step mode
}
__except (ctx = (GetExceptionInformation())->ContextRecord,
debugger_attached = (ctx->ContextFlags & CONTEXT_DEBUG_REGISTERS) ?
ctx->Dr0 | ctx->Dr1 | ctx->Dr2 | ctx->Dr3 : 0,
EXCEPTION_EXECUTE_HANDLER)
{
if (debugger_attached) {
printf("[INTEGRITY CHECK FAIL] Exception test: Hardware breakpoints detected!\n");
}
else {
printf("[SUCCESS] Exception test: No hardware breakpoints detected.\n");
}
}
printf("Done.\n");
}
#include <Windows.h>
#include <stdio.h>
#include <stdint.h>
#include <intrin.h>
int main()
{
CONTEXT* ctx;
SIZE_T debugger_attached = 0;
printf("Starting....\n");
__try {
__writeeflags(__readeflags() | 0x100); // Set TF flag aka set CPU to single step
__nop(); // trigger exception in single step mode
}
__except (ctx = (GetExceptionInformation())->ContextRecord,
debugger_attached = (ctx->ContextFlags & CONTEXT_DEBUG_REGISTERS) ?
ctx->Dr0 | ctx->Dr1 | ctx->Dr2 | ctx->Dr3 : 0,
EXCEPTION_EXECUTE_HANDLER)
{
if (debugger_attached) {
printf("[INTEGRITY CHECK FAIL] Exception test: Hardware breakpoints detected!\n");
}
else {
printf("[SUCCESS] Exception test: No hardware breakpoints detected.\n");
}
}
printf("Done.\n");
}
$ "C:\tools\DynamoRIO-Windows-11.3.0\bin64\drrun.exe" -debug -- "C:\Users\hunte\Documents\code\dr_crash\x64\Release\dr_crash.exe"
<Starting application C:\Users\hunte\Documents\code\dr_crash\x64\Release\dr_crash.exe (14596)>
<Running on newer-than-this-build "Microsoft Windows 10-2009 x64">
<Early threads found>
<Initial options = -no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : instr_get_opcode(instr_new) != instr_get_opcode(instr_old) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2082
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : instr_new == instrlist_first(ilist) || instr_new == instr_get_next(instrlist_first(ilist)) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2085
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<Cleaning hooked Nt wrapper @0x00007ffdb10659b0 sysnum=0x1d3>
Starting....
<curiosity: rex.w on OPSZ_6_irex10_short4!>
<Stopping application C:\Users\hunte\Documents\code\dr_crash\x64\Release\dr_crash.exe (14596)>
Segmentation fault
<Starting application C:\Users\hunte\Documents\code\dr_crash\x64\Release\dr_crash.exe (14596)>
<Running on newer-than-this-build "Microsoft Windows 10-2009 x64">
<Early threads found>
<Initial options = -no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : ((((ptr_uint_t)pe_size) + ((os_page_size())-1)) & (~((ptr_uint_t)(os_page_size())-1))) == view_size || check_filter("win32.partial_map.exe", get_short_name(get_application_name())) in file D:\a\dynamorio\dynamorio\core\win32\module.c line 4054
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
0x000000c5c90fe990 0x0000000000000000
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : instr_get_opcode(instr_new) != instr_get_opcode(instr_old) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2082
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<CURIOSITY : instr_new == instrlist_first(ilist) || instr_new == instr_get_next(instrlist_first(ilist)) in file D:\a\dynamorio\dynamorio\core\win32\callback.c line 2085
version 11.3.0, build 1
-no_dynamic_options -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct
C:\tools\DynamoRIO-Windows-11.3.0/lib64\debug\dynamorio.dll=0x0000000015000000>
<Cleaning hooked Nt wrapper @0x00007ffdb10659b0 sysnum=0x1d3>
Starting....
<curiosity: rex.w on OPSZ_6_irex10_short4!>
<Stopping application C:\Users\hunte\Documents\code\dr_crash\x64\Release\dr_crash.exe (14596)>
Segmentation fault
---
I admit it is a very special case as far as it is setting the CPU into single step and does some SEH tricks. Before I start debugging this in more detail, is it expected behavior or would a detailed analysis be interesting ?
Cheers,
Cheers,
Holger
P.S. Standalone the code works of course:
$ "C:\Users\hunte\Documents\code\dr_crash\x64\Release\dr_crash.exe"
Starting....
[SUCCESS] Exception test: No hardware breakpoints detected.
Done.
$ "C:\Users\hunte\Documents\code\dr_crash\x64\Release\dr_crash.exe"
Starting....
[SUCCESS] Exception test: No hardware breakpoints detected.
Done.
Holger Unterbrink
Apr 30, 2025, 8:24:41 AMApr 30
to DynamoRIO Users
I forgot, OS is: Windows 11 24H2 (OS Build 26100.3915).
Derek Bruening
Apr 30, 2025, 11:46:50 AMApr 30
to Holger Unterbrink, DynamoRIO Users
This line indicates there is some invasive software on your machine injecting itself into every process and hooking system call wrappers:
<Cleaning hooked Nt wrapper @0x00007ffdb10659b0 sysnum=0x1d3>
DR tries to inter-operate with such hooks but it is not always easy. Xref https://github.com/DynamoRIO/dynamorio/issues/3243 and other filed issues.
This is where I would suggest starting: investigate the cause of the hook and make sure it is not messing up DR.
--
You received this message because you are subscribed to the Google Groups "DynamoRIO Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dynamorio-use...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/dynamorio-users/6c99b2f1-1da1-4c84-88c0-9f4fccf7ddb1n%40googlegroups.com.
Holger Unterbrink
May 2, 2025, 1:21:38 AMMay 2
to DynamoRIO Users
thx Derek ! I have an idea what it is, I ll double check.
Reply all
Reply to author
Forward
0 new messages