https://bugs.winehq.org/show_bug.cgi?id=50194
Bug ID: 50194
Summary: x64dbg snapshots >= 2020-11-12_05-12 crashes on unimplemented function ntdll.dll.NtCreateDebugObject when attaching to process
Product: Wine
Version: 5.22
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says. I've reported it to x64dbg project as well since they switched the debug engine implementation to use native API for attaching to processes.
https://github.com/x64dbg/x64dbg/issues/2525
Copy/pasta from there:
...
Symptom: attaching to any 32-bit or 64-bit process results in x32dbg/x64dbg crash. If x32dbg/x64dbg is registered as default crash handler you get a nice debugger crash "fork" bomb ;-)
It crashes on unimplemented NtCreateDebugObject() which is native API.
https://source.winehq.org/git/wine.git/blob/40d4fbe45997a1820296e7909ba22125...
--- snip ---
# @ stub NtCreateDebugObject
--- snip ---
Even with a small stub it wouldn't work because NtDebugActiveProcess is a stub as well.
https://source.winehq.org/git/wine.git/blob/40d4fbe45997a1820296e7909ba22125...
The native API used to implement remote breakin:
https://github.com/x64dbg/TitanEngine/blob/91f57815c886d6bef94f1b512d60c5e2d...
--- snip ---
static NTSTATUS NTAPI DbgUiConnectToDbg_()
{
    if(NtCurrentTeb()->DbgSsReserved[1] != NULL)
        return STATUS_SUCCESS;

    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    return NtCreateDebugObject(&NtCurrentTeb()->DbgSsReserved[1], DEBUG_ALL_ACCESS, &ObjectAttributes, 0);
}

// Source: https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329...
BOOL WINAPI DebugActiveProcess_(IN DWORD dwProcessId)
{
    /* Connect to the debugger */
    NTSTATUS Status = DbgUiConnectToDbg_();
    if(!NT_SUCCESS(Status))
    {
        BaseSetLastNTError(Status);
        return FALSE;
    }

    /* Get the process handle */
    HANDLE Handle = ProcessIdToHandle(dwProcessId);
    if(!Handle)
    {
        return FALSE;
    }

    /* Now debug the process */
    Status = DbgUiDebugActiveProcess_(Handle);

    /* Close the handle since we're done */
    NtClose(Handle);

    /* Check if debugging worked */
    if(!NT_SUCCESS(Status))
    {
        /* Fail */
        BaseSetLastNTError(Status);
        return FALSE;
    }

    /* Success */
    return TRUE;
}
--- snip ---
Apparently this debugging functionality which makes use of native API was switched to being a debug engine default here:
https://github.com/x64dbg/TitanEngine/commit/0a1c3236b84ab1e6022116e38df1cc5... ("Make SafeAttach the default")
Previously it could be controlled by *SafeAttach* config setting which is still there but now no longer usable:
https://github.com/x64dbg/x64dbg/blob/dad16543c320640fe681b8d897235bf8d6c301...
--- snip ---
SetEngineVariable(UE_ENGINE_SAFE_ATTACH, settingboolget("Engine", "SafeAttach"));
--- snip ---
A workaround exists: use the last snapshot before the breaking change:
https://sourceforge.net/projects/x64dbg/files/snapshots/snapshot_2020-11-05_...
As already mentioned a simple stub prevents the crash but doesn't make debugging work.
--- snip ---
$ wine ./x32dbg.exe
...
0144:fixme:process:NtCreateDebugObject (0x7ff72f24 1f000f 0x614fe78 0), stub!
0144:fixme:process:NtDebugActiveProcess (0x214 (nil)), stub!
--- snip ---
I will create follow-up bug(s) to cover the missing functionality.
$ sha1sum snapshot_2020-11-12_05-12.zip
6e88d4ce8fb967d08b381084f9ab805e5bcc4f18  snapshot_2020-11-12_05-12.zip

$ du -sh snapshot_2020-11-12_05-12.zip
32M     snapshot_2020-11-12_05-12.zip

$ wine --version
wine-5.22-96-g4957599bbf5
Regards
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
---------|--------|------
Keywords |        |download
Summary  |x64dbg snapshots >= 2020-11-12_05-12 crashes on unimplemented function ntdll.dll.NtCreateDebugObject when attaching to process |x64dbg snapshots >= 2020-11-12_05-12 crash on unimplemented function ntdll.dll.NtCreateDebugObject when attaching to process
URL      |        |https://sourceforge.net/projects/x64dbg/files/snapshots/snapshot_2020-11-12_05-12.zip/download
David Torok dt@zeroitlab.com changed:
What |Removed |Added
-----|--------|------
CC   |        |dt@zeroitlab.com
Anastasius Focht focht@gmx.net changed:
What          |Removed  |Added
--------------|---------|------
Status        |NEW      |RESOLVED
Resolution    |---      |FIXED
Fixed by SHA1 |         |5ebc20c65609cc1b8643b427104ed386094a65c1
URL           |https://sourceforge.net/projects/x64dbg/files/snapshots/snapshot_2020-11-12_05-12.zip/download |https://web.archive.org/web/20210127234740/https://github.com/x64dbg/x64dbg/releases/download/snapshot/snapshot_2021-01-14_13-25.zip
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/5ebc20c65609cc1b8643b42710... ("ntdll: Implement NtCreateDebugObject().").
Thanks Alexandre
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntdll,+sync,+server wine ./x32dbg.exe >>log.txt 2>&1
...
0144:Call ntdll.NtCreateDebugObject(7ff52f24,001f000f,0636fe44,00000000) ret=034f22e4
0144: create_debug_obj( access=001f000f, objattr={rootdir=0000,attributes=00000000,sd={},name=L""} )
0144: create_debug_obj() = 0 { handle=0218 }
0144:Ret ntdll.NtCreateDebugObject() retval=00000000 ret=034f22e4
0144:Call ntdll.NtOpenProcess(0636fe78,00000c3a,0636fe5c,0636fe3c) ret=034f2355
0144: open_process( pid=0130, access=00000c3a, attributes=00000000 )
0144: open_process() = 0 { handle=021c }
0144:Ret ntdll.NtOpenProcess() retval=00000000 ret=034f2355
0144:Call ntdll.NtDebugActiveProcess(0000021c,00000218) ret=034f2377
0144:fixme:process:NtDebugActiveProcess (0x21c 0x218), stub!
0144:Ret ntdll.NtDebugActiveProcess() retval=00000000 ret=034f2377
...
--- snip ---
https://web.archive.org/web/20210127234740/https://github.com/x64dbg/x64dbg/...
Next is bug 50195 ("x64dbg snapshots >= 2020-11-12_05-12 need ntdll.dll.NtDebugActiveProcess implementation to debug process via attach").
$ sha1sum snapshot_2021-01-14_13-25.zip
e39756243f419db6f4d2213227ab266ae0618163  snapshot_2021-01-14_13-25.zip

$ du -sh snapshot_2021-01-14_13-25.zip
32M     snapshot_2021-01-14_13-25.zip

$ wine --version
wine-6.0-271-g24b9203d354
Regards
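The two traces quoted in this bug (the plain `fixme:` stubs in the first report and the `+relay` trace in Comment #1) are the evidence that tells apart a call that crashes on a missing export from a stub that quietly returns STATUS_SUCCESS, as NtDebugActiveProcess does above. The following parser is an added example, not part of the bug report or of Wine; it reads WINEDEBUG relay/fixme lines, pairs each `Call` with its `Ret`, attaches `fixme:` messages to the call they occur inside, and reports which functions are stubs and which of those stubs reported success to the caller. The sample log is a constructed copy of the lines quoted in Comment #1.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the relay lines quoted in Comment #1 of this bug.
SAMPLE_LOG = """\
0144:Call ntdll.NtCreateDebugObject(7ff52f24,001f000f,0636fe44,00000000) ret=034f22e4
0144: create_debug_obj( access=001f000f, objattr={rootdir=0000,attributes=00000000,sd={},name=L""} )
0144: create_debug_obj() = 0 { handle=0218 }
0144:Ret  ntdll.NtCreateDebugObject() retval=00000000 ret=034f22e4
0144:Call ntdll.NtOpenProcess(0636fe78,00000c3a,0636fe5c,0636fe3c) ret=034f2355
0144: open_process( pid=0130, access=00000c3a, attributes=00000000 )
0144: open_process() = 0 { handle=021c }
0144:Ret  ntdll.NtOpenProcess() retval=00000000 ret=034f2355
0144:Call ntdll.NtDebugActiveProcess(0000021c,00000218) ret=034f2377
0144:fixme:process:NtDebugActiveProcess (0x21c 0x218), stub!
0144:Ret  ntdll.NtDebugActiveProcess() retval=00000000 ret=034f2377
"""

# Wine relay output: "<tid>:Call dll.Func(args) ret=<addr>" / "<tid>:Ret  dll.Func() retval=<v> ret=<addr>".
# Wine prints "Ret" followed by two spaces; \s+ also accepts the single space seen in pasted logs.
CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Call\s+(?P<func>[\w.]+)\((?P<args>[^)]*)\)\s+ret=(?P<ret>[0-9a-f]+)")
RET_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):Ret\s+(?P<func>[\w.]+)\(\)\s+retval=(?P<retval>[0-9a-f]+)\s+ret=(?P<ret>[0-9a-f]+)")
# Debug channel output: "<tid>:fixme:<channel>:<function> <message>"
FIXME_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):fixme:(?P<channel>\w+):(?P<func>\w+)\s+(?P<msg>.*)$")


@dataclass
class RelayCall:
    tid: str
    func: str                      # e.g. "ntdll.NtDebugActiveProcess", or bare name for a fixme without relay context
    args: List[str]
    return_addr: str
    retval: Optional[int] = None   # NTSTATUS the caller saw; None if no Ret line was seen
    fixmes: List[str] = field(default_factory=list)

    @property
    def short_name(self) -> str:
        return self.func.rsplit(".", 1)[-1]

    @property
    def stubbed(self) -> bool:
        # Wine's unimplemented functions report themselves with a trailing "stub!".
        return any(m.endswith("stub!") for m in self.fixmes)


def parse_relay_log(text: str) -> List[RelayCall]:
    calls: List[RelayCall] = []
    open_calls: Dict[str, List[RelayCall]] = {}   # per-thread stack of calls awaiting their Ret line
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            call = RelayCall(m["tid"], m["func"], [a for a in m["args"].split(",") if a], m["ret"])
            calls.append(call)
            open_calls.setdefault(m["tid"], []).append(call)
            continue
        m = RET_RE.match(line)
        if m:
            stack = open_calls.get(m["tid"], [])
            # Relay output is properly nested per thread, so unwind to the matching Call.
            while stack:
                call = stack.pop()
                if call.func == m["func"]:
                    call.retval = int(m["retval"], 16)
                    break
            continue
        m = FIXME_RE.match(line)
        if m:
            stack = open_calls.get(m["tid"], [])
            if stack and stack[-1].short_name == m["func"]:
                stack[-1].fixmes.append(m["msg"])          # fixme raised inside the innermost open call
            else:
                # No relay context (plain run without +relay): record the fixme as a call of its own.
                calls.append(RelayCall(m["tid"], m["func"], [], "", None, [m["msg"]]))
    return calls


def unimplemented(calls: List[RelayCall]) -> List[str]:
    """Names of functions that announced themselves as stubs."""
    return sorted({c.short_name for c in calls if c.stubbed})


def silent_stubs(calls: List[RelayCall]) -> List[str]:
    """Stubs that returned STATUS_SUCCESS (0): the application believes the operation worked."""
    return [c.short_name for c in calls if c.stubbed and c.retval == 0]


if __name__ == "__main__":
    parsed = parse_relay_log(SAMPLE_LOG)
    for c in parsed:
        print(f"{c.func}({', '.join(c.args)}) -> retval={c.retval!r} stub={c.stubbed}")
    print("unimplemented:", unimplemented(parsed))
    print("stubs reporting success:", silent_stubs(parsed))
```

On the Comment #1 trace this lists NtDebugActiveProcess as the one stub, and as a stub that returned 0, which is exactly why x32dbg no longer crashes after the NtCreateDebugObject commit yet still cannot debug the attached process. Fed the first report's plain `fixme:` lines (no `+relay`), it lists both NtCreateDebugObject and NtDebugActiveProcess as unimplemented and, lacking Ret lines, flags neither as silently succeeding.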
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
-------|---------|------
Status |RESOLVED |CLOSED
--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 6.1.