Comments (8)
Seems okay to me, although I don't remember why I wrote it like that :)
I think I need to add more error checking and debug output when things go wrong, which hopefully will help track down the cause. I'll update this issue when I've added better error handling, thanks so much for your help debugging it!
from loadlibrary.
There's an expert-level kernel config option to disable the modify_ldt syscall (CONFIG_MODIFY_LDT_SYSCALL, "Processor type and features" -> "Enable the LDT (local descriptor table)"), you might want to check if it is disabled on your machine. Example from a box where it does work:
$ zgrep MODIFY_LDT /proc/config.gz
CONFIG_MODIFY_LDT_SYSCALL=y
from loadlibrary.
That means it's probably crashing inside the DLL somewhere, these are painful to debug. Can you do x/i $pc and i r and then switch to the frame with main, and do p image and paste the output and I'll try to think what the problem might be.
(To switch to the right frame, type bt and look at the number of the frame with main in it (e.g. #12 0xwhatever main would be frame 12), then type frame <number>.)
from loadlibrary.
Program received signal SIGSEGV, Segmentation fault.
0xf6da4f3d in ?? ()
(gdb) bt
#0 0xf6da4f3d in ?? ()
#1 0x0804c534 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at mpclient.c:187
(gdb) x/i $pc
=> 0xf6da4f3d: pushl %fs:0x0
(gdb) i r
eax 0xffffbc4c -17332
ecx 0x43a3 17315
edx 0x0 0
ebx 0xf6912110 -158260976
esp 0xffffbc38 0xffffbc38
ebp 0xffffbc58 0xffffbc58
esi 0xf7eb1000 -135589888
edi 0xffffbd0c -17140
eip 0xf6da4f3d 0xf6da4f3d
eflags 0x10286 [ PF SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) frame 1
#1 0x0804c534 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at mpclient.c:187
187 image.entry((PVOID) 'MPEN', DLL_PROCESS_ATTACH, NULL);
(gdb) p image
$1 = {name = "engine/mpengine.dll", '\000' <repeats 108 times>, entry = 0xf6da48c8, image = 0xf6912008,
size = 10395648, type = 2, nt_hdr = 0xf6912110, opt_hdr = 0xf6912128}
from loadlibrary.
Hmm, thanks, that's unexpected - %fs is 0, which means syscall(__NR_modify_ldt) failed. I don't know what might have caused that... everything else seems normal.
Can you paste the output of disassemble /m setup_nt_threadinfo, maybe that will have some clues.
from loadlibrary.
Dump of assembler code for function setup_nt_threadinfo:
626 {
0x08057330 <+0>: sub $0x1c,%esp
0x08057338 <+8>: mov 0x20(%esp),%edx
627 static EXCEPTION_FRAME ExceptionFrame;
628 static NT_TIB ThreadInfo;
629 struct user_desc pebdescriptor = {
0x08057333 <+3>: movzbl 0xc(%esp),%eax
0x0805733c <+12>: movl $0x0,(%esp)
0x08057343 <+19>: movl $0x8096628,0x4(%esp)
0x0805734b <+27>: and $0xffffff80,%eax
0x0805734e <+30>: movl $0x1c,0x8(%esp)
0x08057356 <+38>: or $0x41,%eax
0x08057359 <+41>: mov %al,0xc(%esp)
630 .entry_number = 0,
631 .base_addr = (uintptr_t) &ThreadInfo,
632 .limit = sizeof ThreadInfo,
633 .seg_32bit = 1,
634 .contents = 0,
635 .read_exec_only = 0,
636 .limit_in_pages = 0,
637 .seg_not_present = 0,
638 .useable = 1,
639 };
640
641 if (ExceptionHandler) {
0x0805735d <+45>: test %edx,%edx
0x0805735f <+47>: je 0x805737b <setup_nt_threadinfo+75>
642 if (ThreadInfo.ExceptionList) {
643 DebugLog("Resetting ThreadInfo.ExceptionList");
644 }
645 ExceptionFrame.handler = ExceptionHandler;
0x08057361 <+49>: mov %edx,0x8096624
646 ExceptionFrame.prev = NULL;
0x08057367 <+55>: movl $0x0,0x8096620
647 ThreadInfo.ExceptionList = &ExceptionFrame;
0x08057371 <+65>: movl $0x8096620,0x8096628
648 }
649
650 if (syscall(__NR_modify_ldt, LDT_WRITE, &pebdescriptor, sizeof pebdescriptor) != 0) {
0x0805737b <+75>: push $0x10
0x0805737d <+77>: lea 0x4(%esp),%eax
0x08057381 <+81>: push %eax
0x08057382 <+82>: push $0x1
0x08057384 <+84>: push $0x7b
0x08057386 <+86>: call 0x8048fd0 <syscall@plt>
0x0805738b <+91>: add $0x10,%esp
0x08057390 <+96>: test %eax,%eax
0x08057392 <+98>: jne 0x80573a0 <setup_nt_threadinfo+112>
651 return false;
0x0805738e <+94>: xor %edx,%edx
652 }
653
654 // Install descriptor
655 asm("mov %[segment], %%fs" :: [segment] "r"(7));
0x08057394 <+100>: mov $0x7,%eax
0x08057399 <+105>: mov %eax,%fs
656
657 return true;
0x0805739b <+107>: mov $0x1,%edx
658 }
0x080573a0 <+112>: mov %edx,%eax
0x080573a2 <+114>: add $0x1c,%esp
0x080573a5 <+117>: ret
End of assembler dump.
from loadlibrary.
Doh, of course. Does that explain the problem you see @Ristovski?
If not, can you try strace -femodify_ldt ./mpclient?
from loadlibrary.
# CONFIG_MODIFY_LDT_SYSCALL is not set
modify_ldt(1, {entry_number:0, base_addr:0x8096628, limit:28, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:0, seg_not_present:0, useable:1}, 16) = -1 ENOSYS (Function not implemented)
Thanks everyone!
goes off to recompile kernel
from loadlibrary.
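As an added stand-alone check (example code, not part of the loadlibrary project), the program below performs the probe the thread ends with: it writes LDT entry 0 the way setup_nt_threadinfo does, reads the table back, and reports ENOSYS separately, so a kernel built without CONFIG_MODIFY_LDT_SYSCALL is reported as a clear status instead of a crash at the first %fs access. The status names, the descriptor-decoding helpers and the reuse of the 0x08096628 base from the strace line are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__))
#include <asm/ldt.h>            /* struct user_desc, the layout strace printed above */
#define HAVE_X86_LDT 1
#endif
enum ldt_status { LDT_OK, LDT_MISSING, LDT_BLOCKED, LDT_NOT_X86 };

/* Map the errno of a failed modify_ldt call to a diagnosis: ENOSYS means the kernel
 * was built without CONFIG_MODIFY_LDT_SYSCALL; anything else (e.g. EPERM) is a filter. */
enum ldt_status classify_ldt_errno(int err) { return err == ENOSYS ? LDT_MISSING : LDT_BLOCKED; }
/* Unpack the 32-bit base and 20-bit limit from a raw 8-byte x86 descriptor. */
uint32_t ldt_descriptor_base(const unsigned char d[8])
{ return (uint32_t)d[2] | (uint32_t)d[3] << 8 | (uint32_t)d[4] << 16 | (uint32_t)d[7] << 24; }
uint32_t ldt_descriptor_limit(const unsigned char d[8])
{ return (uint32_t)d[0] | (uint32_t)d[1] << 8 | ((uint32_t)d[6] & 0xfu) << 16; }

/* Write LDT entry 0 as setup_nt_threadinfo does, read the table back and decode it.
 * The selector is never loaded into %fs, so glibc's own TLS segment is left alone. */
enum ldt_status ldt_self_test(uint32_t base, uint32_t *base_out)
{
#ifdef HAVE_X86_LDT
    struct user_desc desc = {0};
    unsigned char raw[8];
    desc.base_addr = base;
    desc.limit = 28;                  /* sizeof(NT_TIB) on 32-bit, as in the strace line */
    desc.seg_32bit = 1; desc.useable = 1;
    if (syscall(SYS_modify_ldt, 1, &desc, sizeof desc) != 0)   /* func 1 = write entry */
        return classify_ldt_errno(errno);
    if (syscall(SYS_modify_ldt, 0, raw, sizeof raw) != 8)      /* func 0 = read table */
        return LDT_BLOCKED;
    *base_out = ldt_descriptor_base(raw);
    return LDT_OK;
#else
    (void)base; (void)base_out;
    return LDT_NOT_X86;
#endif
}

int main(void)
{
    uint32_t got = 0;
    enum ldt_status st = ldt_self_test(0x08096628u, &got);   /* base value from the strace line */
    printf("modify_ldt: status=%d (0=ok 1=missing 2=blocked 3=not-x86) base=0x%08x\n", st, got);
    return st == LDT_OK ? 0 : 1;
}
```

A status of 1 is exactly the "# CONFIG_MODIFY_LDT_SYSCALL is not set" case above; a status of 2 points at a seccomp or sandbox policy rather than the kernel build.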