
syscalls: support multiple symbols for one RVA #1795

Closed

Conversation

drmkeeper

ArbPreprocessEntry, NtFlushInstructionCache, NtCompleteConnectPort and many other symbols are pointing to the same RVA.
It leads to the following scenario:

  1. NtFlushInstructionCache() hook is requested
  2. Drakvuf parses ssdt, finds the first symbol for this shared RVA (ArbPreprocessEntry) and skips this RVA entry
  3. NtFlushInstructionCache() calls are not logged

It will happen in all cases when two or more symbols are pointing to the same RVA.

This PR adds code to find all symbols related to the RVA, store them in a vector and then set traps for all requested syscalls.
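To make the failure mode concrete, here is an added example (written for this page, not DRAKVUF's own code) that contrasts the "first symbol per RVA" resolution described in steps 1-3 with the grouped resolution the PR proposes. The symbol table is constructed; the RVAs are made up for the example, and only the three symbol names sharing one RVA come from the description above.

```cpp
// Added example (not DRAKVUF's code): why resolving an RVA to its first symbol
// loses hooks, and how grouping every symbol that shares the RVA fixes it.
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Symbol { std::string name; uint64_t rva; };

// Constructed sample symbol table in the order a PDB/SSDT walk might emit it.
// The RVAs are invented; the three names at 0x1000 stand in for the shared
// RVA the PR describes.
static const std::vector<Symbol> kSymbols = {
    {"ArbPreprocessEntry",      0x1000},
    {"NtFlushInstructionCache", 0x1000},
    {"NtCompleteConnectPort",   0x1000},
    {"NtCreateFile",            0x2000},
    {"NtOpenProcess",           0x3000},
};

// Behaviour the PR reports: each RVA is resolved to the first symbol seen for
// it. If that name is not on the requested hook list, the RVA is skipped and
// the other names mapping to it are never consulted.
std::set<uint64_t> trapped_rvas_first_symbol_only(const std::vector<Symbol>& syms,
                                                   const std::set<std::string>& requested) {
    std::set<uint64_t> seen, trapped;
    for (const auto& s : syms) {
        if (!seen.insert(s.rva).second) continue;   // later symbols for this RVA are ignored
        if (requested.count(s.name)) trapped.insert(s.rva);
    }
    return trapped;
}

// Proposed behaviour: collect every symbol that maps to an RVA.
std::map<uint64_t, std::vector<std::string>>
group_symbols_by_rva(const std::vector<Symbol>& syms) {
    std::map<uint64_t, std::vector<std::string>> by_rva;
    for (const auto& s : syms) by_rva[s.rva].push_back(s.name);
    return by_rva;
}

// Trap an RVA if any of its symbols was requested, and remember which
// requested names matched so the log can report the name the user asked for.
std::map<uint64_t, std::vector<std::string>>
trapped_rvas_all_symbols(const std::vector<Symbol>& syms,
                         const std::set<std::string>& requested) {
    std::map<uint64_t, std::vector<std::string>> trapped;
    for (const auto& entry : group_symbols_by_rva(syms)) {
        std::vector<std::string> hit;
        for (const auto& n : entry.second)
            if (requested.count(n)) hit.push_back(n);
        if (!hit.empty()) trapped[entry.first] = hit;
    }
    return trapped;
}

int main() {
    const std::set<std::string> hooks = {"NtFlushInstructionCache"};
    std::cout << "first-symbol-only traps: "
              << trapped_rvas_first_symbol_only(kSymbols, hooks).size() << "\n";   // 0
    std::cout << "all-symbols traps:       "
              << trapped_rvas_all_symbols(kSymbols, hooks).size() << "\n";         // 1
    return 0;
}
```

With only NtFlushInstructionCache requested, the first-symbol strategy resolves 0x1000 to ArbPreprocessEntry, finds it unrequested and sets no trap, which is exactly the "calls are not logged" outcome in step 3; the grouped strategy traps 0x1000 and records NtFlushInstructionCache as the matched name.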

@drakvuf-jenkins
Collaborator

Can one of the admins verify this patch?

@tklengyel
Owner

@drakvuf-jenkins Test this please


@tklengyel
Owner

There are regressions with this PR merged and it requires additional testing

@drmkeeper
Author

Can you please say if there is a way to see what exactly is wrong?
I'm looking at https://ci.drakvuf.com/job/DRAKVUF-windows7-sp1-x64/1391/console and it has some errors like "windows7-sp1-x64-jenkins is an invalid domain identifier (rc=-6)" which I do not understand.
Or the problem is "Syscalls: 0"?
Locally I'm running the syscalls plugin with the hooks list from https://github.com/tklengyel/drakvuf/blob/main/ci/syscalls.txt and there are events from this plugin on win7-x64.

Are any other logs available?

@tklengyel
Owner

Yes, it looks like the first run catches no syscalls and when it tries a restart the second drakvuf instance fails to startup. This usually is a sign that the VM crashed.

@drmkeeper drmkeeper closed this Sep 18, 2024
@drmkeeper drmkeeper deleted the fix/multiple_symbols_on_one_rva branch September 18, 2024 18:15