
QEMU with GDB: Stepping Instruction causes Windows VM BSOD

Reverse Engineering Asked by Coburn64 on July 13, 2021

I’m currently analyzing a piece of software inside a Windows 10 QEMU virtual machine which is connected to a remote GDB debugger. I have set breakpoints to audit what the application is doing.

I have set breakpoints in GDB on the application's OEP and some of the RIP addresses (is that even the correct term?) of its functions. However, this is where I'm tripping over.

When these functions fire, GDB pauses QEMU and I can see that the breakpoint was hit. QEMU's virtual machine is paused and I can do things like save a memory dump and whatnot via the QEMU Monitor. However, I wanted to see, for example, what the next address is that the function calls. So I use `si` to step to the next instruction. This is literally Russian roulette: it will sometimes step onto the next instruction, or cause the Win10 VM to freeze and then crash to a BSOD with either KERNEL_EXCEPTION_NOT_HANDLED or SERVICE_EXCEPTION_NOT_HANDLED, etc.

I was reading somewhere that I need to tell Windows to relax its internal stack protection by enabling "Debugging Mode" so it doesn't BSOD when I use step instruction. Is this correct, or am I using the wrong GDB command that's causing Windows to BSOD?

Cheers.
