Exetools  

Go Back   Exetools > General > Developer Section

Notices

View Poll Results: Would you use this debugger?
Yes (mainly x32) 92 28.66%
Not at all 24 7.48%
Yes, if it gets better (please post feature suggestions) 89 27.73%
Yes (mainly x64) 116 36.14%
Voters: 321. You may not vote on this poll

Reply
 
Thread Tools Display Modes
  #61  
Old 03-28-2014, 16:13
n00b n00b is offline
Friend
 
Join Date: Mar 2009
Posts: 43
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 11
Thanks Rcvd at 59 Times in 20 Posts
n00b Reputation: 26
I read somewhere that you can use commands based on the TitanEngine itself - does this include for instance DumpProcess by any chance?
I tried using Scylla's process dumper, but its no good for me as it keeps creating this messed up dump...

The best would be to have a proper dumper like OllyDumpEx, which produces a very good dumped executable on PE32

Anyways, back to my question; is there any chance I can use TitanEngine's DumpProcess within the x64_Dbg for this purpose?
Reply With Quote
The Following User Says Thank You to n00b For This Useful Post:
Indigo (07-19-2019)
  #62  
Old 03-28-2014, 17:42
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@n00b: currently i didnt implement this command, but take a look at the plugin engine. its easy to add a command.

greetingd
Reply With Quote
The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
n00b (03-28-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #63  
Old 03-28-2014, 19:38
Carbon Carbon is offline
VIP
 
Join Date: Sep 2013
Posts: 113
Rept. Given: 7
Rept. Rcvd 189 Times in 48 Posts
Thanks Given: 0
Thanks Rcvd at 60 Times in 19 Posts
Carbon Reputation: 100-199 Carbon Reputation: 100-199
Quote:
Originally Posted by n00b View Post
I tried using Scylla's process dumper, but its no good for me as it keeps creating this messed up dump...
messed up dump?
Reply With Quote
The Following User Says Thank You to Carbon For This Useful Post:
Indigo (07-19-2019)
  #64  
Old 03-29-2014, 02:18
n00b n00b is offline
Friend
 
Join Date: Mar 2009
Posts: 43
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 11
Thanks Rcvd at 59 Times in 20 Posts
n00b Reputation: 26
Yeah, it simply won't run when dumped - I also tried with another tool, which dumps the process aswell - and it ran, but the size increased exponentially to say the least... Went from 40mb to 70mb...
Reply With Quote
The Following User Says Thank You to n00b For This Useful Post:
Indigo (07-19-2019)
  #65  
Old 03-29-2014, 07:41
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@n00b: I'll create a small plugin for you to see if its working. Will do that after the new release of x64dbg

Greetings
Reply With Quote
The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
n00b (03-29-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #66  
Old 03-29-2014, 15:24
n00b n00b is offline
Friend
 
Join Date: Mar 2009
Posts: 43
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 11
Thanks Rcvd at 59 Times in 20 Posts
n00b Reputation: 26
Thank you so much mate, that would be really helpful indeed
@Carbon: The tool I used which managed to create a working dump, is VSD v1.0 x64
Reply With Quote
The Following User Says Thank You to n00b For This Useful Post:
Indigo (07-19-2019)
  #67  
Old 03-30-2014, 16:14
n00b n00b is offline
Friend
 
Join Date: Mar 2009
Posts: 43
Rept. Given: 18
Rept. Rcvd 25 Times in 14 Posts
Thanks Given: 11
Thanks Rcvd at 59 Times in 20 Posts
n00b Reputation: 26
@mr.exodia: So, I'm trying to create my own plugin here - and I was curious, how do I get the current RIP of any process through a plugin?
I have checked both example plugin, and the TitanHide plugin for clues - even looked quickly at the headers which to include...

I'm not the most experienced coder of plugins, so I apoligize for looking too noobish - hehe

Big regards
Reply With Quote
The Following User Says Thank You to n00b For This Useful Post:
Indigo (07-19-2019)
  #68  
Old 03-31-2014, 04:56
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@n00b: Thanks for the interest. You can either use the Bridge export 'DbgValFromString' or you can use TitanEngine (just call GetContextData).

some example code:
Code:
//Bridge
//you can also use 'CIP' for an architecture-independent IP register
duint rip=DbgValFromString("RIP"); //"RIP" can be anything that's an expression
//TitanEngine
rip=GetContextData(UE_RIP);
Feel free to post here if you have feature requests.

@everyone:
V1.2ALPHA is out!

Changelog:
- many small crash fixes (stack overflows etc)
- many fixes regarding the Dump window
- different dump views
- bugs with valfromstring fixed (now much faster)
- latest development version of TitanEngine Community Edition (many, many, many fixes)
- simple thread view
- project design overview (x64_dbg_sceme.vsd), useful for plugin developers
- TLS callback support
- informative window title
- user preferences (eg on which events to break)
- bug with the recent file list fixed
- ignore exception ranges
- debug strings are now displayed (escaped)
- added 'xor' command
- many fixes in the script engine
- simple stack display

Download:
https://bitbucket.org/mrexodia/x64_dbg/downloads

Greetings,

Mr. eXoDia
Reply With Quote
The Following 4 Users Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (03-31-2014), MarcElBichon (03-31-2014), n00b (03-31-2014), winndy (03-31-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #69  
Old 03-31-2014, 06:21
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Sorry, I could not edit my previous post anymore..

Attached an example plugin (DumpProcess), I tested it for a simple DLL + EXE and it appears to work fine. Feel free to (ab)use it however you like.

EDIT: @n00b, seems like I've misread your question. To get the RIP of any process, you should use the function GetThreadContext, enum the threads in a process using CreateToolhelp32Snapshot & Thread32Next and then get the RIP of the thread you're interested in...

Greetings,

Mr. eXoDia
Attached Files
File Type: rar testplugin_002.rar (249.7 KB, 32 views)
Reply With Quote
The Following 2 Users Gave Reputation+1 to mr.exodia For This Useful Post:
ali56s (04-02-2014), n00b (03-31-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #70  
Old 04-05-2014, 06:36
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
V1.3ALPHA is out!

Changelog:
- added reference searching 'ref value[,page]'
- added string reference searching (little button in the upper-right or the command 'strref [page]'
- fixed a bug when you removed all ignored exception ranges.

Download:
https://bitbucket.org/mrexodia/x64_dbg/downloads

Greetings,

Mr. eXoDia
Reply With Quote
The Following 4 Users Gave Reputation+1 to mr.exodia For This Useful Post:
ahmadmansoor (04-06-2014), chessgod101 (04-06-2014), Wannabe (04-05-2014), winndy (04-05-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #71  
Old 04-08-2014, 06:27
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
V1.5ALPHA is out (lol, kinda spamming)

Changelog:
- fixed some bugs with references
- added the 'Previous (-)' and 'Next (+)' function (to get back to your previous address of interest). This has a maximum depth of 1024, but it's easy to change this to any other value, since I use dynamic arrays

Download:
https://bitbucket.org/mrexodia/x64_dbg/downloads

Greetings,

Mr. eXoDia
Reply With Quote
The Following 5 Users Gave Reputation+1 to mr.exodia For This Useful Post:
ahmadmansoor (04-09-2014), chessgod101 (04-11-2014), cjack (04-08-2014), Sir.V65j (04-17-2014), uranus64 (04-09-2014)
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #72  
Old 04-09-2014, 20:22
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@stev: ... ok thats the download link I provided.
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
  #73  
Old 04-12-2014, 02:08
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
Hi mr.exodia,

I have a machine who has a hard disk more than one tera, partitioned into multiple disk drive (disk drive letter: c, d, e, f ... p)

x64_dbg display "error starting process (invalid pe?)!" when I try to debug something in disk drive (letter: M, N, O or P)

it works fine on (disk drive letter: C,D,E.......L)
__________________
Computer Forensics
Reply With Quote
The Following User Says Thank You to Insid3Code For This Useful Post:
Indigo (07-19-2019)
  #74  
Old 04-16-2014, 16:57
s0me0n3 s0me0n3 is offline
Family
 
Join Date: Mar 2012
Posts: 134
Rept. Given: 42
Rept. Rcvd 95 Times in 33 Posts
Thanks Given: 16
Thanks Rcvd at 43 Times in 28 Posts
s0me0n3 Reputation: 95
I have mutliple HDDs, too, all splitted into seperated partitions.

I have my x64_dbg on th C drive, so please explain what you do:
Where lays the debugger? Where do you try to debug? Did you tried running the debugger as admin to ensure you have the right to read and write on every path? Does it happens with ANY file you try to debug? Do you tried it over a network path or do you simply tried debugging a file from your normal windows from another partition?

Some more info will help finding and fixing the problem.
Reply With Quote
The Following User Says Thank You to s0me0n3 For This Useful Post:
Indigo (07-19-2019)
  #75  
Old 04-16-2014, 21:29
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 490
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 89
Thanks Rcvd at 714 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Hi,

I have also noticed this problem, I think there is some bug with both TitanEngine (DLLLoader) and x64_dbg. Unfortunately I cannot reproduce the bug very well.

Greetings
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Indigo (07-19-2019)
Reply

Tags
bit, debugger, x32, x64, x64_dbg

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
AdvancedScript x64dbg Plugin ahmadmansoor Developer Section 14 10-15-2019 00:35
DBG2AP - x64dbg plugin Agmcz Community Tools 1 06-15-2019 07:14
nfd - x64dbg plugin hors Community Tools 2 04-01-2018 08:18
CopyToAsm - x64dbg plugin mrfearless Community Tools 0 03-04-2018 08:36
x64dbg python Storm Shadow Developer Section 6 08-04-2017 15:29


All times are GMT +8. The time now is 04:51.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )