Another problem with unpacking


Bugi

Jun 2, 2012, 7:22:59 AM
to ether-devel
When using unpack-execution detection (userspace) I have the following
strange problem.
The first few ether controller invocations work fine and I can use the
unpacking feature of Ether.
After that I always get the following error message:

./ether 1 unpack_userspace calc_upx.exe
After init:
shared_page_ptr: 0xffff830000fdb000
shared_page_mfn: 0xfdb
domid_source: 0
event_channel_port: 29
Shared Page va: 0x7f9f02615000
Shared Page test:
Page-Sharing is A-OK!

Trying to bind to local port...
Success, bound to local port: 30
Trying to get first pending notification...
Taking off suprious pending notification...
Setting filter by name to: calc_upx.exe
Execution of Target detected:
Image Base: 0x1000000
Image Size: 0x28000
Entry Point: 0x1020250
destroying memhash
done destroying table
Possible OEP 01012475
Segmentation fault

I'm not completely sure, but it seems that the "point of no
return" is after a crash of the host system (caused by "instrtrace" or
"unpack_hypervisor"). Does anyone have an idea what unintended changes
in the host system could be responsible for my problem?

Tracing system calls and memory writes work without any problems.

Would be great if someone could help me. Thank you!

Greetings

Artem Dinaburg

Jun 2, 2012, 4:57:10 PM
to ether...@googlegroups.com
Have you tried using gdb to see where the segmentation fault occurs? Is it always repeatable on the same exe?

Artem

Danny Quist

Jun 2, 2012, 9:12:57 PM
to ether...@googlegroups.com
Type:

ulimit -c unlimited

Run the ether command like you have before with userspace unpacking again, which should create a core file. Email that and I'll look into it.

Danny


Bugi

Jun 4, 2012, 3:55:13 PM
to ether-devel
Sorry for my late response.

Yes, the segmentation fault is always repeatable on the same exe. I
was able to narrow the problem to the arguments of fwrite() in
unpack_dump_memory() (file unpack.c). I'm not quite sure what is going
wrong.

@Danny: I have sent you an email with the core files.

Thanks to you both!

PJ

Apr 10, 2014, 12:30:15 AM
to ether...@googlegroups.com
Have you and Danny found a fix for this issue? I'm curious since I am having the same issue.

PJ

Danny Quist

Apr 11, 2014, 11:38:38 AM
to ether...@googlegroups.com
Hi,

Ether is no longer under active development. I know of a few places that are doing development work on it, but aren't able to share their changes.

Danny



PJ

Apr 11, 2014, 11:51:15 AM
to ether...@googlegroups.com
Thank you Danny,

Right now I am conducting research into extending Ether and eventually VERA at Concordia University. If ever I have any questions, may I contact you to pick your brain?

Thank you,

Perry

PJ

Apr 11, 2014, 11:54:13 AM
to ether...@googlegroups.com
On a side note, would you happen to have info on the places that are doing development work on it? Maybe my research team might be able to come up with some kind of compromise to share information.

Perry


Danny Quist

Apr 11, 2014, 12:43:26 PM
to ether...@googlegroups.com
Sure.

Danny