Pybag icon indicating copy to clipboard operation
Pybag copied to clipboard
verified publisher icon dshikashio

Windows ARM64 is detected as "unknown"

Open mscottford opened this issue 1 year ago • 3 comments

When importing pybag.win32.kernel32 a warning message is displayed that the processor architecture could not be detected. This appears to be because 12 is not in the _arch_map that's used by _get_arch. What's the best way to add it in? I'm happy to help with this one.

mscottford avatar Jul 09 '24 22:07 mscottford

@mscottford does this Pull Request solve the issue? https://github.com/dshikashio/Pybag/pull/21

J-Rigs avatar Jul 10 '24 00:07 J-Rigs

That fixes the specific thing that I reported. I don't get that exact warning anymore.

I was hoping that the problem that I was running into would be fixed so simply. I'm trying to use Ghidra to debug an executable on Windows arm64. From looking through the source for Pybag, it looks like ultimately a context needs to be added for arm64 (and maybe just arm, too) for that to work correctly.

I'm getting the following stack trace when running against the branch for #21.

  File "C:\Users\ScottFord\Downloads\ghidra_11.1.1_PUBLIC_20240614\ghidra_11.1.1_PUBLIC\Ghidra\Debug\Debugger-agent-dbgeng\pypkg
\src\ghidradbg\util.py", line 33, in <module>
    from pybag import pydbg, userdbg, kerneldbg, crashdbg
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\__init__.py", line 57, in <modu
le>
    from .pydbg      import DbgEng
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\pydbg.py", line 11, in <module>
    from .dbgeng.idebugclient    import DebugClient
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\dbgeng\idebugclient.py", line 7
, in <module>
    from .idebugadvanced        import DebugAdvanced
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\dbgeng\idebugadvanced.py", line
 6, in <module>
    from . import win32
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\dbgeng\win32\__init__.py", line
 183, in <module>
    from . import kernel32
  File "C:\Users\ScottFord\AppData\Local\Programs\Python\Python312-arm64\Lib\site-packages\pybag\dbgeng\win32\kernel32.py", line
 483, in <module>
    ACCESS_VIOLATION_TYPE_READ      = EXCEPTION_READ_FAULT
                                      ^^^^^^^^^^^^^^^^^^^^
NameError: name 'EXCEPTION_READ_FAULT' is not defined

I tried digging into winnt.h to see I could pull together a context quickly, but I think it might be beyond my experience right now. At least in the time that I have to try and debug this executable. 🤷🏼

Anyway. Awesome project! I look forward to watching it continue to develop. I know that Windows arm/arm64 isn't super common at the moment. I'm running within a VM from macOS.

mscottford avatar Jul 10 '24 14:07 mscottford

This requires adding a new context_XXX.py file for each missing architecture (in this case ARM64). This should only matter if you are using GetThreadContext from IDebugAdvanced.

dshikashio avatar Jul 10 '24 23:07 dshikashio

Switched to using py-win32more which has a definition for ARM. Untested change (for ARM) since I don't have an ARM test environment. Get thread context works fine on amd64. Adding to version 2.2.14

dshikashio avatar Jan 21 '25 04:01 dshikashio