Weekly digest 15
11 Dec 2016, by mrexodia
This is number fifteen of the weekly digests. This time it will highlight the things that happened in the last two weeks, since last week wasn’t so busy.
Log redirection encoding
Previously the default log redirect option was UTF-16 with BOM, but this has been changed to support UTF-8 Everywhere. You can get the old behaviour back in the settings dialog if you favor UTF-16.
Properly enforce size limits for comments and labels
The sizes of labels and comments are limited to ~256 characters and this is now properly enforced in the GUI to avoid nasty surprises. You will now also be warned if you set a duplicate label.
Large address awareness
The 32 bit version of x64dbg previously wasn’t ‘Large address aware’. It now is, which means that you can consume more than 2GB of memory if you feel like it.
Optimized logging speed
The logging should be somewhat faster now, especially when redirecting it to a file and disabling the GUI log. You can find more details here, but the numbers might be off since additional changes were not made and no benchmarks were done.
Fixed a crash when clicking out of range in the side bar
Issue #1299 described a crash and a dump was provided but I did not have debug symbols for that particular build. To figure out what was happening I used x64dbg to debug x64dbg and then some pattern searching to find the crash location in a build for which I did have symbols. The person who opened the issue and a video is available here.
Recently a tool called pe_unmapper by malware analyst hasherezade was released and I thought it would be a nice thing to have in x64dbg so I added it to Scylla since it already had a framework to do exactly that. You can find a simple video demonstration here.
Plugin API to get useful information about the current debuggee
There are some new functions available for plugins that help with querying the PROCESS_INFORMATION of the debuggee. These functions are:
BRIDGE_IMPEXP HANDLE DbgGetProcessHandle();
BRIDGE_IMPEXP HANDLE DbgGetThreadHandle();
BRIDGE_IMPEXP DWORD DbgGetProcessId();
BRIDGE_IMPEXP DWORD DbgGetThreadId();
Various improvements to the type system
Issue #1305 highlights some issues with the type system. Several of them have been addressed and hopefully everything is a bit more stable now…
Various additional styles have been added on the wiki. Check them out below!
Case-insensitive regex search in symbol view
It is now possible to use both case sensitive and insensitive regex searching in the symbol view.
GUI speed improvements
A bad locking mechanism has been replaced by Event Objects, resulting in a noticeable performance improvement, mostly when visiting types.
Intercept more functions for crashdumps
Some crash dumps were missing information and Nukem addressed this in pull request #1338. This might help on some Windows 10 installations.
Don’t change selection when the search text changes
Thanks to lynnux’ pull request #1340 the last cursor position will now be remembered when removing the search string in the search list view. This is very useful if you want to for example find string references in close proximity to one you are looking for. Below is a GIF demonstrating this new feature.
Make x64dbg run on Wine again
There is a branch called wine that runs under Wine. The reason x64dbg does not run under Wine is that Concurrency::unbounded_buffer is not implemented there. The branch is not very well-tested, but feedback is appreciated!
Added more advanced plugin callbacks
In pull request #1314 torusrxxx added automatic detection of PEB fields as labels. This functionality has instead been moved to the LabelPEB plugin, and the plugin callbacks CB_VALTOSTRING have been added to allow plugins to add additional behavior to the expression resolver.
Print additional information on access violations
The first element of the exception record's ExceptionInformation array contains a read-write flag that indicates the type of operation that caused the access violation. If this value is 0, the thread attempted to read the inaccessible data. If this value is 1, the thread attempted to write to an inaccessible address. If this value is 8, the thread caused a user-mode data execution prevention (DEP) violation.
The second array element specifies the virtual address of the inaccessible data.
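The decoding described above, as an added example that is not x64dbg's own logging code: a small C routine that turns the two ExceptionInformation values into the kind of line a debugger would print. The av_info_t struct is a constructed mirror of the two array entries (so the code builds without windows.h), and the sample records in main are made up, not taken from a real crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mirror of ExceptionInformation[0] and [1] for
   EXCEPTION_ACCESS_VIOLATION; the real values live in
   EXCEPTION_RECORD.ExceptionInformation[] on Windows. */
typedef struct {
    uint64_t operation;   /* [0]: 0 = read, 1 = write, 8 = DEP violation */
    uint64_t address;     /* [1]: the inaccessible virtual address */
} av_info_t;

enum av_kind { AV_UNKNOWN = -1, AV_READ = 0, AV_WRITE = 1, AV_DEP = 8 };

/* Classify the operation flag. Anything other than the three documented
   values is reported as unknown rather than guessed at. */
enum av_kind av_classify(uint64_t operation) {
    switch (operation) {
    case 0:  return AV_READ;
    case 1:  return AV_WRITE;
    case 8:  return AV_DEP;
    default: return AV_UNKNOWN;
    }
}

/* Format a one-line description of the access violation into buf.
   Returns the number of characters written, or -1 if buf is too small. */
int av_describe(const av_info_t *info, char *buf, size_t buflen) {
    const char *verb;
    switch (av_classify(info->operation)) {
    case AV_READ:  verb = "read from";                   break;
    case AV_WRITE: verb = "write to";                    break;
    case AV_DEP:   verb = "execute (DEP violation) at";  break;
    default:       verb = "access (unknown operation) at"; break;
    }
    int n = snprintf(buf, buflen,
                     "EXCEPTION_ACCESS_VIOLATION: attempted to %s 0x%016llX",
                     verb, (unsigned long long)info->address);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void) {
    /* Constructed sample records: a NULL-ish read, a write, a DEP hit,
       and an undocumented flag value. */
    av_info_t samples[] = {
        { 0, 0x0000000000000010ULL },
        { 1, 0x00007FF6DEADBEEFULL },
        { 8, 0x000000000012F000ULL },
        { 3, 0x0000000000000000ULL },
    };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (av_describe(&samples[i], line, sizeof line) > 0)
            puts(line);
    }
    return 0;
}
```

The unknown branch matters in practice: treating an undocumented flag as "read" hides information, so the decoder says so explicitly instead.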
Fixed incorrect detection of unary operators
(1<<5)+4 would be interpreted as incorrect because the + was treated as a unary operator. This has now been fixed!
Remove breakpoints when clearing the database
The dbclear command didn’t remove breakpoints from the process, causing some weird behavior if you hit a breakpoint anyway. This should now be fixed.
Fixed bug with searching in the memory map
A bug has been fixed in the findallmem command where the size argument was interpreted incorrectly, which caused searches over the entire process memory to fail.
Improvements to the breakpoint view
Pull requests #1359 by ThunderCls and #1346 by ner0x652 have added some improvements to the breakpoint view. You can now see if CIP is on the current breakpoint and the edit dialog will show the full symbolic address in the title.
Find window in the attach dialog
You can now find a window by title in the attach dialog to attach to a process without knowing the PID. There is also a new config command that can be used by scripts to get/set configuration values. More details in pull request #1355.
Thanks a lot to all the contributors!
Finally, if someone is interested in hiring me to work on x64dbg more, please contact me!