vmi_read_addr_va returns VMI_FAILURE


Junya Gao

Mar 14, 2018, 11:15:43 AM3/14/18
to vmitools
In Windows 7, I want to get a DLL's version via LibVMI. I can use windbg to get the true address of the version section to verify my program's accuracy.
First I can get notepad.exe's ntdll.dll base address using LibVMI, and then I can get the true value of "e_lfanew" in the DOS header in the virtual address space. Following that, I can locate the offset address of .rsrc, which is 0xe0000.
So I use "vmi_read_addr_va(vmi,dllBase+rsrc_virtAddress+0x010+0x008+0x008,pid,&entryFirstMember)" to read the value of the version's root node.
I print the summed address of the second parameter; it is 0x777c0020, and pid is notepad.exe's pid.
I use the command "dt _IMAGE_RESOURCE_DIRECTORY_ENTRY 0x777c0020" in windbg and find that the value of the first 4 bytes is 0x10, which stands for its version node. Its output is as follows:

+0x000 NameOffset: 0y00000000000000000000000000010000(0x10)
+0x000 NameIsString: 0y0
+0x000 Name: 0x10
+0x000 Id: 0x10
+0x004 OffsetToData: 0x80000058
+0x004 OffsetToDirectory:0y0000000000000000000000001011000(0x58)
+0x004 DataIsDirectory:0y1

but vmi_read_addr_va returns VMI_FAILURE. The return information is not very definite, and the command's debug output is as follows:

--PID cache hit 1920 -- 0x000000007dc03160
--PAE PTLookup: lookup vaddr = 0x00000000777c0020 dtb = 0x000000007dc03160
--MEMORY cache hit 0x7dc03000
--PAE PTLookup: pdpi_entry = 0x000000007dc03168, pdpi_value = 0x000000007628a801
--PAE PTLookup: pdpe = 0x7628a801
--MEMORY cache hit 0x7628a000
--PAE PTLookup: pgd_entry = 0x7628add8, pgd_value = 0x14a65867
--PAE PTLookup: pte_entry = 0x14a65e00
--MEMORY cache hit 0x14a65000
--PAE PTLookup: pte_entry = 0x14a65e00, pte_value = 0x00000000
--PAE PTLookup: paddr = 0x0000000000000000

Any help would be appreciated! Thanks in advance.

Tamas K Lengyel

Mar 14, 2018, 11:18:16 AM3/14/18
to vmit...@googlegroups.com
My first thought was that the section might simply not be loaded into
memory when you are doing the introspection. Using an in-guest tool
will always fetch it for you from disk when it is not available in
memory. So my question is, did you try reading it with VMI right after
you had been able to read it with windbg?
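Added example, not code from this thread or from LibVMI itself: a Python model of the walk the question describes (DOS header -> e_lfanew -> optional header DataDirectory[2] -> root IMAGE_RESOURCE_DIRECTORY entries), run against a constructed PE32 image whose third root entry lands at 0x777c0020 with the same Id 0x10 / OffsetToData 0x80000058 values as the windbg dump above. The GuestMemory class, NTDLL_BASE, RSRC_RVA and the image contents are all constructed for the example; a read that touches a page marked absent returns None, which plays the role of vmi_read_*_va() returning VMI_FAILURE when the page table walk ends at pte_value = 0x00000000, as in the PTLookup trace. The point is that every step of the chain must check for that outcome rather than treat the result as data, and that the failure is a property of the guest's page tables at that instant, not of the address arithmetic.

```python
import struct

PAGE_SIZE = 0x1000
PAGE_MASK = ~(PAGE_SIZE - 1)
RT_VERSION = 16  # resource type id of the VS_VERSIONINFO tree

# Constructed for this example: a base chosen so that the third root resource
# entry lands at 0x777c0020, as in the thread. Not real ntdll.dll numbers.
NTDLL_BASE = 0x776E0000
RSRC_RVA = 0xE0000


class GuestMemory:
    """Stand-in for a guest virtual address space as a VMI read sees it.
    Reads touching a page marked absent return None, the analogue of
    vmi_read_*_va() returning VMI_FAILURE when the walk ends at pte_value 0."""

    def __init__(self, base, image, absent_pages=()):
        self.base, self.image = base, image
        self.absent = {p & PAGE_MASK for p in absent_pages}

    def read(self, vaddr, size):
        first, last = vaddr & PAGE_MASK, (vaddr + size - 1) & PAGE_MASK
        if any(p in self.absent for p in range(first, last + 1, PAGE_SIZE)):
            return None  # page table walk would fail here
        off = vaddr - self.base
        if off < 0 or off + size > len(self.image):
            return None  # outside the mapped image
        return self.image[off:off + size]

    def read_int(self, vaddr, fmt="<I"):
        raw = self.read(vaddr, struct.calcsize(fmt))
        return None if raw is None else struct.unpack(fmt, raw)[0]


def build_image():
    """Construct a minimal PE32 image whose resource directory sits at RSRC_RVA."""
    img = bytearray(RSRC_RVA + PAGE_SIZE)
    nt = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, nt)                 # e_lfanew
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, nt + 4, 0x14C, 1)         # Machine=i386, 1 section
    struct.pack_into("<H", img, nt + 20, 0xE0)             # SizeOfOptionalHeader
    opt = nt + 0x18
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    # DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE] is entry 2, 96 bytes into a PE32 optional header
    struct.pack_into("<II", img, opt + 96 + 2 * 8, RSRC_RVA, 0x1000)
    # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, #named, #id
    struct.pack_into("<IIHHHH", img, RSRC_RVA, 0, 0, 0, 0, 0, 3)
    for i, (name, off) in enumerate([(3, 0x80000028), (5, 0x80000040),
                                     (RT_VERSION, 0x80000058)]):
        struct.pack_into("<II", img, RSRC_RVA + 16 + 8 * i, name, off)
    return bytes(img)


def resource_directory_rva(mem, base):
    """DOS header -> e_lfanew -> optional header -> DataDirectory[2].VirtualAddress."""
    if mem.read(base, 2) != b"MZ":
        return None
    e_lfanew = mem.read_int(base + 0x3C)
    if e_lfanew is None or mem.read(base + e_lfanew, 4) != b"PE\0\0":
        return None
    opt = base + e_lfanew + 0x18
    magic = mem.read_int(opt, "<H")
    datadir = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+
    return None if datadir is None else mem.read_int(datadir + 2 * 8)


def decode_entry(name, offset_to_data):
    """Split IMAGE_RESOURCE_DIRECTORY_ENTRY into the bit fields windbg displays."""
    return {"name_is_string": bool(name & 0x80000000), "id": name & 0xFFFF,
            "data_is_directory": bool(offset_to_data & 0x80000000),
            "offset": offset_to_data & 0x7FFFFFFF}


def find_version_entry(mem, base):
    """Return the decoded RT_VERSION root entry plus its vaddr, or None when
    the headers or the directory page cannot be read."""
    dir_rva = resource_directory_rva(mem, base)
    hdr = None if dir_rva is None else mem.read(base + dir_rva, 16)
    if hdr is None:
        return None
    n_named, n_id = struct.unpack("<HH", hdr[12:16])
    for i in range(n_named + n_id):
        vaddr = base + dir_rva + 16 + 8 * i
        raw = mem.read(vaddr, 8)
        if raw is None:
            return None  # the read that returned VMI_FAILURE in the thread
        entry = decode_entry(*struct.unpack("<II", raw))
        if not entry["name_is_string"] and entry["id"] == RT_VERSION:
            return dict(entry, vaddr=vaddr)
    return None


if __name__ == "__main__":
    image = build_image()
    print("resident: ", find_version_entry(GuestMemory(NTDLL_BASE, image), NTDLL_BASE))
    # Same image with the .rsrc root page absent, as the PTLookup trace shows.
    paged_out = GuestMemory(NTDLL_BASE, image, absent_pages=[NTDLL_BASE + RSRC_RVA])
    print("paged out:", find_version_entry(paged_out, NTDLL_BASE))
```

Two practical notes when moving this to real LibVMI calls. First, each directory entry is two 32-bit fields; vmi_read_addr_va happens to read 4 bytes on a 32-bit guest, but a fixed-width read such as vmi_read_32_va states the intent and does not change meaning if the same code is later pointed at a 64-bit guest. Second, a non-present PTE for a section that the guest has never touched is the normal state for rarely used parts of an image, so a VMI_FAILURE here is an expected condition to retry after the guest has faulted the page in, not a bug in the address computation.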