Description
Work environment
| Questions | Answers |
|---|---|
| System PANDA runs on OS/arch/bits | panda-system-i386 |
| PANDA module affected | wintrospection |
| Source of PANDA | git clone |
| Version/git commit | 6f3a1c8 |
Expected behavior
Calling the get_current_process_handle OSI API function when the current process is 0 returns some kind of dummy value, like maybe 0.
Actual behavior
Segmentation fault, because the process object's vmem field is null, so it can't be used to get the asid.
Steps to reproduce the behavior
Write a little plugin that calls get_current_process_handle and run it on a recording that occasionally has a process 0.
When wintrospection notices a task change (via callback or the asid heuristic), it resets the WindowsProcessManager and then, if the current process is not 0, initializes it. But if the current process is 0, the new WindowsProcessManager will not be initialized, so the vmem field in its process object will be 0.
This has been noticed with a Windows 2000 recording (using asid change heuristic) and a Windows XP SP3 recording (using task change callback).
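As an added illustration (not PANDA's code), a small C model of the sequence described above: the manager is reset on every task change but only initialised for a non-zero process, so a handle lookup has to check vmem before reading the ASID. The struct shapes, field names and the handle layout are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the wintrospection state the issue describes; not PANDA's code. */
typedef struct { uint32_t dtb; } VirtualMemory;          /* page-directory base = ASID */
typedef struct { VirtualMemory *vmem; uint32_t pid; } WindowsProcess;
typedef struct { WindowsProcess process; } WindowsProcessManager;

/* Assumed handle shape: task descriptor plus ASID, in the spirit of an OSI process handle. */
typedef struct { uint32_t taskd; uint32_t asid; } ProcHandle;

static VirtualMemory g_vmem;   /* constructed backing store for the running process */

/* Task change: reset the manager, then initialise it only for a non-zero process. */
void on_task_change(WindowsProcessManager *mgr, uint32_t current_process, uint32_t dtb) {
    mgr->process.vmem = NULL;            /* reset: vmem stays 0 from here on ... */
    mgr->process.pid = 0;
    if (current_process != 0) {          /* ... unless a real process gets initialised */
        g_vmem.dtb = dtb;
        mgr->process.vmem = &g_vmem;
        mgr->process.pid = current_process;
    }
}

/* Guarded lookup: returns an all-zero dummy handle for process 0 instead of faulting. */
ProcHandle get_current_process_handle_guarded(const WindowsProcessManager *mgr) {
    ProcHandle h = { 0, 0 };
    if (mgr->process.vmem == NULL)       /* process 0: nothing was initialised */
        return h;
    h.taskd = mgr->process.pid;
    h.asid = mgr->process.vmem->dtb;     /* without the check above, this is the segfault */
    return h;
}

/* Convenience for callers and tests: simulate one task switch and fetch the handle. */
ProcHandle handle_after_switch(uint32_t current_process, uint32_t dtb) {
    WindowsProcessManager mgr;
    on_task_change(&mgr, current_process, dtb);
    return get_current_process_handle_guarded(&mgr);
}
```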