I'm trying to identify a bug in a program (32bit) which could probably lead to code execution. So far I debugged the application with ollydbg and ran my exploit code. Then ollydbg gives me an exception.
If I press "Ctrl+F9" nothing seems to be executed of my shellcode
In contrast when the exception occures and I step through the next instructions with "F8" I finally reach my shellcode and it gets executet
If I run the application without ollydbg, my shellcode also doesn't get executed
Why does my shellcode get executed when I step to the next instructions an otherwise not? What's then the normal case when I run my application without a debugger?
Thanks a lot!
When an exception is raised in a thread the system will first check if a debugger is attached.
If a debugger is attached the exception is reported to the debugger (and not to the faulting process or thread). In ollydbg (and most debuggers) you then have the choice to do something with that exception.
The 1st one is to pass that exception to the faulting thread (CTRL+F9) in ollydbg.
The system will look at the EXCEPTION_REGISTRATION_RECORD for the current thread and walks the list of EXCEPTION_REGISTRATION structures (each of these structures has an exception handler) and check if a handler can handle the exception.
If a handler can handle the exception, the stack is unwind (to a certain point) and the thread might continue its life.
If no handler can handle the exception, the final handler is called and the program crashes (the system will then usually display a dialog box informing the user that the process crashed).
This is exactly the same behavior in the case no debugger is attached.
Thus, in your case, passing the exception to the debugger will probably unwind the stack, and the thread will continue its execution after the location of the exception (or simply crash the whole application if the exception couldn't be handled).
The second option - when a debugger is attached - is to not pass the exception to the faulting thread (using one of the step [into | over] / run button). In this case the system will not search for any handler and the thread will either simply rethrow the exception (if it can't pass over it) or continue execution like nothing happened (if the debugger knows how to handle it).
You should check which type (most probably one of: Access violation in read / write ; breakpoint exception) of exception is raised and correct the problem (see at the bottom of the ollydbg window, it will tell you which kind of exception has been raised) if you want to execute your shellcode without problem.
Related
I am using the JetBrains Self Profiling API. For the most part it works great, but I have hit a problem that sometimes when I call DotTrace.SaveData it does not return. DotTrace.SaveData just keeps executing and thus everything after it does not get executed.
What I have tried:
Put it in a try catch block.
Ensure that the target folder is not locked. (It can write the intermediate files just fine.)
Ensure that there are not other instances or threads calling DotTrace profiling methods.
Ensure that the profiler has been initialized and attached.
It is frustrating because it does not throw an exception or give any details. It just hangs.
How can I debug more what is causing this issue?
I am developing an UEFI application for ARM64 (ARMv8-A) and I have come across the issue: "Synchronous Exceptions at 0xFF1BB0B8."
This value (0x0FF1BB0B8) is exception link register (ELR). ELR holds the exception return address.
There are a number of sources of Synchronous exceptions (https://developer.arm.com/documentation/den0024/a/AArch64-Exception-Handling/Synchronous-and-asynchronous-exceptions):
Instruction aborts from the MMU. For example, by reading an
instruction from a memory location marked as Execute Never.
Data Aborts from the MMU. For example, Permission failure or alignment checking.
SP and PC alignment checking.
Synchronous external aborts. For example, an abort when reading translation table.
Unallocated instructions.
Debug exceptions.
I can't update BIOS firmware to output more debug information. Is there any way to detect more precisely what causes Synchronous Exception?
Can I use the value of ELR (0x0FF1BB0B8) to locate the issue? I compile with -fno-pic -fno-pie options.
I've been studying assembly lately and i can't seem to understand how the exceptions work exactly. More specific, i get the message Exception 6 occurred and ignored. Can someone please explain what exactly does this mean? I am using qtspim.
Exceptions may be caused by hardware or software. An exception is like an unscheduled function call that jumps to a new address.
The program may encounter an error condition such as
an undefined instruction. The program then jumps to code in the operating system (OS), which may choose to terminate the program. Other causes of exceptions are division by zero, attempts to read some nonexistent memory, hardware malfunctions, debugger breakpoints, and arithmetic overflow.
The processor records the cause of an exception and the value of the PC
at the time the exception occurs. It then jumps to the exception handler function. The exception handler is code (usually in the OS) that examines the
cause of the exception and responds appropriately, It then returns to the program that
was executing before the exception took place.
In MIPS, the exception handler is always located at 0x80000180. When an exception occurs, the processor always jumps to this instruction address, regardless of the cause.
The MIPS architecture uses a special-purpose register, called the Cause
register, to record the cause of the exception.
MIPS uses another special-purpose register called the Exception
Program Counter (EPC) to store the value of the PC at the time an
exception takes place. The processor returns to the address in EPC after
handling the exception. This is analogous to using $ra to store the old
value of the PC during a jal instruction.
I'm reading about HW\SW interrupts and something isn't clear to me:
When the normal flow is interrupted by an exception ("software interrupt"), the address of the instruction which caused the interrupt is saved, and then the OS gives the exception handler a chance to handle it.
The point I'm not sure about is which instruction is processed after the handler finishes:
If the same "faulty" instruction in run again, it might cause the same exception.
If the next instruction is run, aren't we losing the affect of the previous instruction (which might cause a "normal" exception, such as page fault)?
The instruction that caused the fault is executed again. The idea is that the handler should make appropriate changes so that the instruction will be able to execute properly.
For instance, if an instruction causes a page fault because it tries to access virtual memory that's paged out, the OS will load the page from backing store, update the page table, and then restart the instruction. This time it will succeed because the page is in RAM.
If the handler doesn't fix things, you'll get another interrupt when it's restarted, and the process will repeat.
what will the program behave when they have two exceptions.
And none of them have been caught yet.
what type of handler will be called .
lets say both the exceptions were of different type.
i apologize if i am not clear but i feel i have made myself clear enough.
thank you!!!
what if the try block throws an exception and try block is exited which destroyes all the automatic variables.Lets say one was an automatic object and its destructor again threw an exception.Now we have two uncaught exception.My question is based on this fact.
thank you!!
It depends entirely on the language. However, in all the languages I know there can't ever be multiple exceptions at the same time (in the same thread). If an exception has been thrown, it travels up the call stack until it's caught, with no code executing during this time. If the exception is not caught, the program crashes before another can be thrown. If it is caught, the exception is no longer "active" and if the handler throws a new exception, the old one is forgotten.
At the CPU level (on x86), there is a situation called a double fault:
On the x86 architecture, a double fault exception occurs if the processor encounters a problem while trying to service a pending interrupt or exception.
However, this kind of "double fault" is a very low level situation and is only of concern to the operating system kernel.
Few languages or frameworks can do a good job of handling an exception that occurs while cleaning up from an earlier exception. Effective handling of such situations would require the cleanup code to know what exception, if any, occurred on the "main line". Conceptually it would not be at all difficult for such information to be provided to cleanup code, but frameworks generally don't provide it.
Otherwise, normal behavior in C++ is to hard-crash the system when an exception occurs during the cleanup from another exception; Java and .NET languages generally abandon any pending exception if a cleanup exception occurs. Newer versions of Java, however, include a feature which (if used) will handles such things much better. In a try-with-resources block, an exception which occurs while cleaning up resources when no other exceptions are pending will be treated normally; if, however, an exception was pending, the pending exception will remain pending but have the new exception added to its list of "suppressed exceptions". It would be nice if there were a way of specifying that a particular finally block should behave the same way, but I don't know of any feature for that.
When Exception is occurred then complier unwind stack(closing current functions and going to back, caller function). If no exception is caught in main than complier called abort function. By this program terminate abnormally.
But during unwinding stack if another exception is occurred(for your case in destructor) than at this time/point without reaching main function, compiler called abort function which terminate program abnormally.
If you know that exception could be occurred in destructor than you must handled in destructor .Means in destructor you should have catch block to catch that exception. By this way second exception generated is to be handled within a destructor and this exception is not out from the destructor and program is to saved from crash due to two exception generated at a time
Complier handle only one exception at a time. If compiler find more than one exception call abort function by which program terminate abnormally.