Tuesday, October 20, 2020

Dynamic Data Resolver - Version 1.0.1 beta

By Holger Unterbrink.

Cisco Talos is releasing a new beta version of Dynamic Data Resolver (DDR) today. This release comes with a new architecture for samples using multi-threading. The process and thread tracing has been completely reimplemented.

We also fixed a few bugs and memory leaks. Another new feature is that the DDR backend now comes in two flavors: a release version and a debugging version. The latter will improve code quality and bug hunting. It helps to detect memory leaks and minor issues which are silently handled by the underlying DynamoRIO framework in the release version. We also improved the installer and the IDA plugin is now installed to the user plugin directory instead to the IDA installation directory under Program Files. The IDA plugin and all its dependencies are also now automatically installed by a script.  

You can download DDR, version 1.0.1 beta here

Fantastic news! DDR has won the HexRays IDA plugin contest 2020

We would like to thank HexRays for recognizing this plugin and awarding it with the first prize in their IDA plugin contest. We hope HexRays keeps up the fantastic work they are doing with IDA. It makes our reverse-engineering lives a bit easier every day.

 

DDR 1.01 beta version feature details

Improved installer

You still install DDR by executing the DDR_INSTALLER.py on the DDR server side like we have described it in our former DDR blog. The latest version of IDA now supports Python 3.8 so you can go with 3.8 on both sides — the DDR client and the server side. In this version, we have improved the installer, you don’t have to install the IDA plugin side manually anymore. The installation provides a Python script for the IDA plugin side, which is installing the plugin to the user plugin directory and also fixes all dependencies. Administrator rights aren’t necessary anymore for installing the plugin.


Improved tracing architecture of multi-threading samples

This is by far the biggest change in this version of DDR. We moved from the file-based approach to a shared memory object approach. If a sample is launching multiple threads and processes, tracing gets complex. The underlying DynamoRio framework supports multiple threads and processes. Threads are relatively easy to handle via the DynamoRio thread initialization and exit call back functions. Processes are a bit more difficult. Obviously, a separate instance of the DynamoRio client library (DDR32/64.dll) is running in every new process, which the initial sample starts at runtime. This means we can’t easily share data structures like global variables between these processes. We need an inter-process data sharing mechanism to synchronize the different tracing features, for example, which instruction data is written to which trace file. In the former version, we used files to track the processes and threads. Unfortunately, this is very time consuming and has certain other architecture disadvantages. For example, we need to know at certain points in the code, if the thread exit function is the one of the first process — in other words, the sample we are code tracing, or if it is an exit function of a sub process. There are also future features we are working on which will need this architecture change. 


DDR library debugging versions

We heavily improved the debugging capabilities of DDR. There are now two versions: one speed optimised release version and one debugging version of the ddr32.dll and ddr64.dll. The debugging versions can be found in the installer directory ‘ddr_installer\install_data\ddr32/64dbg.dll’. These debugging versions are not recommended for daily use — they are only there for troubleshooting in case DDR is crashing or not behaving as expected. 

They come with a huge overhead on additional output information that’s extremely useful for the developers to track down crashes and bugs in DDR. The debugging versions can also be used to debug the client library (ddr32/64.dll) in WinDbg. If you want to debug an issue you need to set up Windbg as described here.

Despite what the document says, we are using WinDbg, version 10.0.19041.1 on Windows 10, which works fine for the cases we handled so far. You can debug the DynamoRio client library (ddr32/64.dll aka DDR)  without using a DynamoRIO debugging version. This means you can attach the debugger to the client the way we are describing it below, no matter if the DynamoRio framework is a debugging version or a release version. You only have to use the debugging version of the client (ddr32/64dbg.dll). For most issues, it is usually enough to check the command line output of the DDR debugging versions, but if you need more details, the following section describes how to debug DDR with WinDbg. You can find sample debugging sessions in the Appendix.

You can control the verbose level of the output in the debugging version of ddr32/64.dll via the -d switch. At the moment only -d 5 is supported and is adding additional output. It will print additional information for every trace instruction, so use it with care. For most cases, run it without the -d parameter.

How to debug the DDR backend with WinDbg:
 
  • Install WinDbg.

  • Download the latest DynamoRIO github version to get the
    Load_syms, load_syms64 and load_symsWOW64 WinDbg scripts
    (Read the DynamoRio debugging blog for details).

  • Run WinDbg with the architecture-related script e.g.:

    Win10x64 and 32-bit client/sample:
    "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -pt 1 -c "$><C:\tools\dev\git\dynamorio\tools\windbg-scripts\load_symsWOW64"

    Win10x64 and 64-bit client/sample:
    "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -pt 1 -c "$><C:\tools\dev\DynamoRIO-Windows-8.0.0-1\bin64\load_syms64.txt"

  • Start the client library with a test sample. Use the most simple one first (testsample0). You can find them in the DDR installation directory. For example:

    C:\tools\dev\git\dynamorioX64_dbg\build\bin64\drrun.exe -c "C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug\ddr_stable.dll" -d 5 -c "C:\tools\DDRinstall\samples\testsample0_64_dyn.cfg" -- "C:\tools\DDRinstall\samples\testsample0_64_dyn.exe"

    Hint: You can find a sample configuration (.cfg file) in the docs directory of the installation directory (ddr_client_dll_sample_config32/64.txt) or you just automatically generate one by using the IDA plugin (by default it is written to the C:\tools\ddr\samples directory).

  • The debug version waits and shows a popup message box right after the start of the DLL, so you have time to attach the debugger to the sample process (which includes the DDR library). See the hint in the message box.

  • Once the debugger is attached successfully, click ok in the message box and start debugging.

Debugging hint:

Access violations from 'dynamorio!safe_read_asm_xxx' functions are expected and can be ignored in WinDbg.They are caused by the way DynamoRio implements these functions (Try-Except). They are handled by DynamoRio internally if you haven’t attached a debugger. In WinDbg, just proceed (F5) if something like this happens:

WinDbg Console:
(1df0.1a28) : Access violation - code c0000005(first chance)
         First chance exceptions are reported before any exception handling.
         This exception may be expected and handled.
         dynamorio!safe_read_asm_pre


The functions are heavily used in DDR, so you might see a lot of these exceptions. You can filter them by disable Access Violations in WinDbg. Most other serious exceptions will still break into the debugger.


Caveats

Beta version

Keep in mind, this is a beta version which is not yet heavily tested. Bugs are expected.

AMD CPU bug

There is a DDR independent AMD CPU bug that crashes the DynamoRio framework if a 32bit sample is executed on a 64bit machine and the WoW64 architecture is switching between the 32 and 64 bit world. The issue is identified and the root cause found. The DynamoRio team has released a special build here which fixes the issue. The new installer will ask you which version you want to install. Alternatively, you can download it later and replace the original DynamoRio directory with this one. Unzip DynamoRIO-Windows-8.0.18547.zip (latest one) and rename or backup the old directory (for example: C:\tools\DDR\DynamoRIO-Windows-8.0.0-1), then give the downloaded one the same name as the old one and move it to the same place.

You can read more details here. The bug is confirmed on Ryzen CPUs, but may also occur on other AMD CPUs. We haven’t seen any issues on Intel CPUs.

In some cases, a possible workaround, if you don’t want to use the latest DynamoRio built, is to set MaxLoaderThreads to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name of your sample.exe>

Some AVs detecting the test samples as malware

Micorsoft Defender and others detect some of the test samples as malware. No worries, they do not contain any malicious functions, they are just simulating malware behaviour, for example launching another instance of themself. They can be executed without any risk. 

Appendix

Typical debugging session output for ‘testsample0_64_dyn.exe ’:

Cmd Line:
C:\tools\dev>C:\tools\dev\git\dynamorioX64_dbg\build\bin64\drrun.exe -c "C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug\ddr_stable.dll" -c "C:\tools\dev\samples\testsample0_64_dyn_trace.cfg" -- "C:\tools\dev\samples\testsample0_64_dyn.exe"

testsample0_64_dyn_trace.cfg:
L 140001000 140003000 20000 na TRUE "C:\tools\dev\samples\out_testsample0_64_dyn_trace1.json"
L 140001000 140003000 20000 na TRUE "C:\tools\dev\samples\out_testsample0_64_dyn_trace2.json"

Output:
<Starting application C:\tools\dev\samples\testsample0_64_dyn.exe (11956)>
<cannot remove dll from rbtree: at root/min + can't find real tree>
<Running on newer-than-this-build "Microsoft Windows 10-2004 x64">
<Early threads found>
<Initial options = -no_dynamic_options -client_lib 'C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug\ddr_stable.dll;0;"-c" "C:\tools\dev\samples\testsample0_64_dyn_trace.cfg"' -client_lib64 'C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug\ddr_stable.dll;0;"-c" "C:\tools\dev\samples\testsample0_64_dyn_trace.cfg"' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:112:dr_client_main(): dr_client_main started.

-------------------------------------- Debugging Hint -------------------------------------------
Access violations from 'dynamorio!safe_read_asm_xxx' are expected and can be ignored in WinDbg.
They are caused by the way DynamoRio has implemented these functions.
They are handled by DynamoRio internally. Just proceed (F5) if something like below happens:

(1df0.1a28) : Access violation - code c0000005(first chance)
         First chance exceptions are reported before any exception handling.
         This exception may be expected and handled.
         dynamorio!safe_read_asm_pre
------------------------------------------------------------------------------------------------

[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:142:dr_client_main(): Start initalizing DynamoRio Client (ddr.dll)
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:294:IncProcCounter(): First instance.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:324:IncProcCounter(): process counter = 1.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:434:getSharedProcessIDs(): Creating ProcessIDs shared memory.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:149:dr_client_main(): Saved PID 11956 in processids + 0
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:490:getSharedProcessNames(): Creating ProcessNames shared memory.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:156:dr_client_main(): Saved Processname testsample0_64_dyn.exe in processnames + 0

[DDR] [INFO] DDR Client DLL x64 version 1.01 beta initializing...
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:548:getSharedLogpath(): Creating Logpath shared memory object.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:580:getSharedLogpath(): [FIRST PROC FIRST THREAD] Using log path C:\tools\dev\samples\.
[DDR] [INFO] DDR Client DLL running from: C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug
[DDR] [INFO] Reading config from file: C:\tools\dev\samples\testsample0_64_dyn_trace.cfg
[DDR] [INFO] Trying to use trace logfile: C:\tools\dev\samples\out_testsample0_64_dyn_trace1.json
[DDR] [INFO] Done creating logfiles.
[DDR] [INFO] Configuration file closed
[DDR] [INFO] Doing a light trace from 0x0000000140001000 to 0x0000000140003000 logging to C:\tools\dev\samples\out_testsample0_64_dyn_trace1.json
[DDR] [INFO] Doing a light trace from 0x0000000140001000 to 0x0000000140003000 logging to C:\tools\dev\samples\out_testsample0_64_dyn_trace2.json

[DDR] [DEBUG] dr_client_main callbacks set.
[DDR] [INFO] Initalization done.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:251:dr_client_main(): dr_client_main end.


[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = testsample0_64_dyn.exe Process ID = 11956 Threat ID = 5184 Thread counter = 1
[DDR] [INFO] New process, first thread started.
[DDR] [DEBUG] [MEMOP] allocated memory for main thread. Memaddr: 0x00007ff638923090 thread_id=5184 process_id=11956
[DDR] [INFO] writing thread info to: C:\tools\dev\samples\\ddr_threads_testsample0_64_dyn.exe_11956.txt
[DDR] [INFO] First thread. Setting main thread id to 5184
[DDR] [INFO] Samplename: C:\tools\dev\samples\testsample0_64_dyn.exe.
[DDR] [INFO] PEB            : 0x00000063d445b000
[DDR] [INFO] PE Imagebase   : 0x00007ff6b88d0000
[DDR] [INFO] PE EP          : 0x00007ff6b88d1724
[DDR] [INFO] File EP        : 0x0000000140001724
[DDR] [INFO] EP diff        : 0x00007ff5788d0000

[DDR] [DEBUG] event_thread_init_trace_instr end.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: dynamorio.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ddr_stable.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: drmgr.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: drwrap.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: testsample0_64_dyn.exe:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: VCRUNTIME140.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ucrtbase.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: KERNELBASE.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: KERNEL32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ntdll.dll:
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
<curiosity: rex.w on OPSZ_6_irex10_short4!>
main: 1. Memory allocated
Main: Buffer 1(@0x00000194B4700000 Size:113): PE12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
main: a is NOT greater 5.
main: a = 0 is NOT greater 5.
myfunc1: a = 2
myfunc2: a = 8
main: 1. a = 8 in main
myfunc1: a = 10
myfunc2: a = 12
myfunc2: a = 18
main: 2. a = 19 in main
main: 2. Memory allocated
main: Buffer 2(@0x00000196B4A30000 Size:116): TEST212345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
main: 1. Release succeeded.
main: 2. Release succeeded.

Main: Good bye...

<Application changing protections of system memory at least once (0x00007fffe8def000-0x00007fffe8df3000)>
[DDR] [DEBUG] event_module_load_trace_instr module loaded: msvcrt.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: RPCRT4.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: AppCore.dll:
<Stopping application C:\tools\dev\samples\testsample0_64_dyn.exe (11956)>

[DDR] [DEBUG] event_thread_exit_trace_instr start.
[DDR] [DEBUG] Thread counter: 1
[DDR] [INFO] Main thread (id = 5184) was terminated.
[DDR] [INFO] Fixing trace file: C:\tools\dev\samples\out_testsample0_64_dyn_trace1.json
[DDR] [INFO] Fixing file: C:\tools\dev\samples\out_testsample0_64_dyn_trace1.json
[DDR] [INFO] Fixed comma at the end of JSON file.
[DDR] [INFO] Opening file: C:\tools\dev\samples\out_testsample0_64_dyn_trace1.json for writing
[DDR] [INFO] Writing fixed buffer to file: C:\tools\dev\samples\out_testsample0_64_dyn_trace1.json
[DDR] [INFO] Done. Final logfile C:\tools\dev\samples\out_testsample0_64_dyn_trace1.json written. Length: 2025692 bytes.
[DDR] [INFO] Trace file fixed.
[DDR] [INFO] Fixing API trace file: C:\tools\dev\samples\out_testsample0_64_dyn_trace1_apicalls.json
[DDR] [INFO] Fixing file: C:\tools\dev\samples\out_testsample0_64_dyn_trace1_apicalls.json
[DDR] [INFO] JSON file is ok, no comma at the end found.
[DDR] [INFO] Opening file: C:\tools\dev\samples\out_testsample0_64_dyn_trace1_apicalls.json for writing
[DDR] [INFO] Writing fixed buffer to file: C:\tools\dev\samples\out_testsample0_64_dyn_trace1_apicalls.json
[DDR] [INFO] Done. Final logfile C:\tools\dev\samples\out_testsample0_64_dyn_trace1_apicalls.json written. Length: 1172678 bytes.
[DDR] [INFO] API trace file fixed.
[DDR] [INFO] Time : 10:01:38:422
[DDR] [DEBUG] [MEMOP] Last living thread (thread_id = 5184 proccess = 11956) reached. Free'ing memory.
[DDR] [DEBUG] [MEMOP] free'ing memory: 0x00007ff638923090 thread_id = 5184
[DDR] [DEBUG] [MEMOP] process memory free'ed.

[DDR] [DEBUG] event_thread_exit_trace_instr end.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:492:event_exit(): event_exit start.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:462:getSharedProcessIDs(): Not the first process.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:518:getSharedProcessNames(): ProcessNames: Not the first process.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:383:DecProcCounter(): Decreased process counter = 0.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:533:event_exit(): This is the last process running. No need to kill anything.
<Failed to suspend attached-but-never-scheduled thread 5832>
<Failed to suspend attached-but-never-scheduled thread 12256>
<Failed to suspend attached-but-never-scheduled thread 9792>

C:\tools\dev>pause
Press any key to continue . . .


Typical debugging session output for ‘testsample1_64.exe’ (multi-threading / multi-process):

CMD line:
C:\tools\dev>C:\tools\dev\git\dynamorioX64_dbg\build\bin64\drrun.exe -c "C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug\ddr_stable.dll" -c "C:\tools\dev\samples\testsample1_64.cfg" -- "C:\tools\dev\samples\testsample1_64.exe"

testsample1_64.cfg:
L 140001000 140003000 20000 na TRUE "C:\tools\dev\samples\out_testsample1_64_trace.json"

Output:
<Starting application C:\tools\dev\samples\testsample1_64.exe (12996)>
<cannot remove dll from rbtree: at root/min + can't find real tree>
<Running on newer-than-this-build "Microsoft Windows 10-2004 x64">
<Early threads found>
<Initial options = -no_dynamic_options -client_lib 'C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug\ddr_stable.dll;0;"-c" "C:\tools\dev\samples\testsample1_64.cfg"' -client_lib64 'C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug\ddr_stable.dll;0;"-c" "C:\tools\dev\samples\testsample1_64.cfg"' -code_api -probe_api -stack_size 56K -max_elide_jmp 0 -max_elide_call 0 -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:112:dr_client_main(): dr_client_main started.

-------------------------------------- Debugging Hint -------------------------------------------
Access violations from 'dynamorio!safe_read_asm_xxx' are expected and can be ignored in WinDbg.
They are caused by the way DynamoRio has implemented these functions.
They are handled by DynamoRio internally. Just proceed (F5) if something like below happens:

(1df0.1a28) : Access violation - code c0000005(first chance)
         First chance exceptions are reported before any exception handling.
         This exception may be expected and handled.
         dynamorio!safe_read_asm_pre
------------------------------------------------------------------------------------------------

[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:142:dr_client_main(): Start initializing DynamoRio Client (ddr.dll)
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:294:IncProcCounter(): First instance.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:324:IncProcCounter(): process counter = 1.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:434:getSharedProcessIDs(): Creating ProcessIDs shared memory.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:149:dr_client_main(): Saved PID 12996 in processids + 0
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:490:getSharedProcessNames(): Creating ProcessNames shared memory.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:156:dr_client_main(): Saved Processname testsample1_64.exe in processnames + 0

[DDR] [INFO] DDR Client DLL x64 version 1.01 beta initializing...
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:548:getSharedLogpath(): Creating Logpath shared memory object.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:580:getSharedLogpath(): [FIRST PROC FIRST THREAD] Using log path C:\tools\dev\samples\.
[DDR] [INFO] DDR Client DLL running from: C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug
[DDR] [INFO] Reading config from file: C:\tools\dev\samples\testsample1_64.cfg
[DDR] [INFO] Trying to use trace logfile: C:\tools\dev\samples\out_testsample1_64_trace.json
[DDR] [INFO] Logfile exists
[DDR] [INFO] Using new trace logfile: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996.json
[DDR] [INFO] Done creating logfiles.
[DDR] [INFO] Configuration file closed
[DDR] [INFO] Doing a light trace from 0x0000000140001000 to 0x0000000140003000 logging to C:\tools\dev\samples\out_testsample1_64_trace.json

[DDR] [DEBUG] dr_client_main callbacks set.
[DDR] [INFO] Initalization done.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:251:dr_client_main(): dr_client_main end.


[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = testsample1_64.exe Process ID = 12996 Threat ID = 4820 Thread counter = 1
[DDR] [INFO] New process, first thread started.
[DDR] [DEBUG] [MEMOP] allocated memory for main thread. Memaddr: 0x00007ff699b22e48 thread_id=4820 process_id=12996
[DDR] [INFO] writing thread info to: C:\tools\dev\samples\\ddr_threads_testsample1_64.exe_12996.txt
[DDR] [INFO] First thread. Setting main thread id to 4820
[DDR] [INFO] Samplename: C:\tools\dev\samples\testsample1_64.exe.
[DDR] [INFO] PEB            : 0x0000006332792000
[DDR] [INFO] PE Imagebase   : 0x00007ff719ad0000
[DDR] [INFO] PE EP          : 0x00007ff719ad1f94
[DDR] [INFO] File EP        : 0x0000000140001f94
[DDR] [INFO] EP diff        : 0x00007ff5d9ad0000

[DDR] [DEBUG] event_thread_init_trace_instr end.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: dynamorio.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ddr_stable.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: drmgr.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: drwrap.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: testsample1_64.exe:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: VCRUNTIME140.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: win32u.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ucrtbase.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: KERNELBASE.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: msvcp_win.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: gdi32full.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: KERNEL32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: GDI32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: USER32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: IMM32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ntdll.dll:
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
<curiosity: rex.w on OPSZ_6_irex10_short4!>
main: 1. Memory allocated
Main: Buffer 1(@0x00000179F0190000 Size:113): PE12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
main: a is NOT greater 5.
<Application changing protections of system memory at least once (0x00007fffe8def000-0x00007fffe8df3000)>
[DDR] [DEBUG] event_module_load_trace_instr module loaded: msvcrt.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: RPCRT4.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: combase.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: UxTheme.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: OLEAUT32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: SECHOST.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: MSCTF.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: AppCore.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: bcryptPrimitives.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: NTMARTA.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: WS2_32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: CoreMessaging.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: WinTypes.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: SHCORE.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ADVAPI32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: CoreUIComponents.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: TextInputFramework.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: TextShaping.dll:

[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = testsample1_64.exe Process ID = 12996 Threat ID = 11068 Thread counter = 2
[DDR] [INFO] Existing process. New thread started.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\trace_instr.c:119:event_thread_init_trace_instr(): Using log path C:\tools\dev\samples\
[DDR] [DEBUG] [MEMOP] allocated memory for sub thread. Memaddr: 0x00007ff699b22fd8 thread_id=11068 process_id=12996
[DDR] [WARNING] This is not the first thread. Multithreaded is not supported, but works in many cases.

[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = testsample1_64.exe Process ID = 12996 Threat ID = 2492 Thread counter = 3
[DDR] [INFO] Existing process. New thread started.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\trace_instr.c:119:event_thread_init_trace_instr(): Using log path C:\tools\dev\samples\
[DDR] [DEBUG] [MEMOP] allocated memory for sub thread. Memaddr: 0x00007ff699b22f90 thread_id=2492 process_id=12996
[DDR] [WARNING] This is not the first thread. Multithreaded is not supported, but works in many cases.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ole32.dll:
main: Dialogbox: 0
main: a = 0 is NOT greater 5.
myfunc1: a = 2
myfunc2: a = 8
main: 1. a = 8 in main
myfunc1: a = 10
myfunc2: a = 12
myfunc2: a = 18
main: 2. a = 19 in main
main: 2. Memory allocated
main: Buffer 2(@0x0000017BF1FA0000 Size:116): TEST212345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
main: 1. Release succeeded.
main: 2. Release succeeded.
Main: starting thread 1 ....

[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = testsample1_64.exe Process ID = 12996 Threat ID = 11056 Thread counter = 4
[DDR] [INFO] Existing process. New thread started.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\trace_instr.c:119:event_thread_init_trace_instr(): Using log path C:\tools\dev\samples\
Main: Thread 1 started. Waiting for it ...
[DDR] [DEBUG] [MEMOP] allocated memory for sub thread. Memaddr: 0x00007ff699b23068 thread_id=11056 process_id=12996
[DDR] [WARNING] This is not the first thread. Multithreaded is not supported, but works in many case.
Threadfunc1: Start of thread function.
T1
T1
T1

Threadfunc1: End of thread function.

[DDR] [DEBUG] event_thread_exit_trace_instr start.
[DDR] [DEBUG] Thread counter: 4
[DDR] [INFO] Thread with id 11056 was terminated

[DDR] [DEBUG] event_thread_exit_trace_instr end.
Main: starting thread 2....
Main: Thread 2 started. Not waiting for it ...

[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = testsample1_64.exe Process ID = 12996 Threat ID = 708 Thread counter = 4
[DDR] [INFO] Existing process. New thread started.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\trace_instr.c:119:event_thread_init_trace_instr(): Using log path C:\tools\dev\samples\
[DDR] [DEBUG] [MEMOP] allocated memory for sub thread. Memaddr: 0x00007ff699b23020 thread_id=708 process_id=12996
[DDR] [WARNING] This is not the first thread. Multithreaded is not supported, but works in many case.
Threadfunc2: Start of thread function.
T2
Main: Process started.Main: starting thread 3....

[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = testsample1_64.exe Process ID = 12996 Threat ID = 13228 Thread counter = 5
[DDR] [INFO] Existing process. New thread started.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\trace_instr.c:119:event_thread_init_trace_instr(): Using log path C:\tools\dev\samples\
Main: Thread 3 started.
[DDR] [DEBUG] [MEMOP] allocated memory for sub thread. Memaddr: 0x00007ff699b230b0 thread_id=13228 process_id=12996
[DDR] [WARNING] This is not the first thread. Multithreaded is not supported, but works in many case.
M
Threadfunc3: Start of thread function.
T3
T2
M
T2
T3
M
T2

Main: Good bye...


[DDR] [DEBUG] event_thread_exit_trace_instr start.
[DDR] [DEBUG] Thread counter: 5
[DDR] [INFO] Thread with id 708 was terminated

[DDR] [DEBUG] event_thread_exit_trace_instr end.

[DDR] [DEBUG] event_thread_exit_trace_instr start.
[DDR] [DEBUG] Thread counter: 4
[DDR] [INFO] Thread with id 13228 was terminated

[DDR] [DEBUG] event_thread_exit_trace_instr end.

[DDR] [DEBUG] event_thread_exit_trace_instr start.
[DDR] [DEBUG] Thread counter: 3
[DDR] [INFO] Thread with id 2492 was terminated

[DDR] [DEBUG] event_thread_exit_trace_instr end.

[DDR] [DEBUG] event_thread_exit_trace_instr start.
[DDR] [DEBUG] Thread counter: 2
[DDR] [INFO] Thread with id 11068 was terminated

[DDR] [DEBUG] event_thread_exit_trace_instr end.
<Stopping application C:\tools\dev\samples\testsample1_64.exe (12996)>

[DDR] [DEBUG] event_thread_exit_trace_instr start.
[DDR] [DEBUG] Thread counter: 1
[DDR] [INFO] Main thread (id = 4820) was terminated.
[DDR] [INFO] Fixing trace file: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996.json
[DDR] [INFO] Fixing file: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996.json
[DDR] [INFO] Fixed comma at the end of JSON file.
[DDR] [INFO] Opening file: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996.json for writing
[DDR] [INFO] Writing fixed buffer to file: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996.json
[DDR] [INFO] Done. Final logfile C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996.json written. Length: 2319302 bytes.
[DDR] [INFO] Trace file fixed.
[DDR] [INFO] Fixing API trace file: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996_apicalls.json
[DDR] [INFO] Fixing file: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996_apicalls.json
[DDR] [INFO] JSON file is ok, no comma at the end found.
[DDR] [INFO] Opening file: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996_apicalls.json for writing
[DDR] [INFO] Writing fixed buffer to file: C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996_apicalls.json
[DDR] [INFO] Done. Final logfile C:\tools\dev\samples\out_testsample1_64_trace_testsample1_64.exe_12996_apicalls.json written. Length: 2218660 bytes.
[DDR] [INFO] API trace file fixed.
[DDR] [INFO] Time : 09:57:19:741
[DDR] [DEBUG] [MEMOP] Last living thread (thread_id = 4820 proccess = 12996) reached. Free'ing memory.
[DDR] [DEBUG] [MEMOP] free'ing memory: 0x00007ff699b22e48 thread_id = 4820
[DDR] [DEBUG] [MEMOP] free'ing memory: 0x00007ff699b22fd8 thread_id = 11068
[DDR] [DEBUG] [MEMOP] free'ing memory: 0x00007ff699b22f90 thread_id = 2492
[DDR] [DEBUG] [MEMOP] free'ing memory: 0x00007ff699b23068 thread_id = 11056
[DDR] [DEBUG] [MEMOP] free'ing memory: 0x00007ff699b23020 thread_id = 708
[DDR] [DEBUG] [MEMOP] free'ing memory: 0x00007ff699b230b0 thread_id = 13228
[DDR] [DEBUG] [MEMOP] process memory free'ed.

[DDR] [DEBUG] event_thread_exit_trace_instr end.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:492:event_exit(): event_exit start.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:462:getSharedProcessIDs(): Not the first process.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:518:getSharedProcessNames(): ProcessNames: Not the first process.

[DDR] [INFO] DDR Client DLL x64 version 1.01 beta initializing...
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:585:getSharedLogpath(): Not the first process.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:600:getSharedLogpath(): [SUB THREAD] Using log path C:\tools\dev\samples\
.[DDR] [INFO] DDR Client DLL running from: C:\tools\dev\git\DynDataResolver\ddr_client\x64\Debug
[DDR] [INFO] Reading config from file: C:\tools\dev\samples\testsample1_64.cfg
[DDR] [INFO] Trying to use trace logfile: C:\tools\dev\samples\out_testsample1_64_trace.json
[DDR] [INFO] Logfile exists
[DDR] [INFO] Using new trace logfile: C:\tools\dev\samples\out_testsample1_64_trace_notepad.exe_1472.json
[DDR] [INFO] Done creating logfiles.
[DDR] [INFO] Configuration file closed
[DDR] [INFO] Doing a light trace from 0x0000000140001000 to 0x0000000140003000 logging to C:\tools\dev\samples\out_testsample1_64_trace.json

[DDR] [DEBUG] dr_client_main callbacks set.
[DDR] [INFO] Initalization done.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:251:dr_client_main(): dr_client_main end.


[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = notepad.exe Process ID = 1472 Threat ID = 9416 Thread counter = 1
[DDR] [INFO] New process, first thread started.
[DDR] [DEBUG] [MEMOP] allocated memory for main thread. Memaddr: 0x00007ff670b12e48 thread_id=9416 process_id=1472
[DDR] [INFO] writing thread info to: C:\tools\dev\samples\\ddr_threads_notepad.exe_1472.txt
[DDR] [INFO] First thread. Setting main thread id to 9416
[DDR] [INFO] Samplename: C:\windows\notepad.exe.
[DDR] [INFO] PEB            : 0x0000006f477c6000
[DDR] [INFO] PE Imagebase   : 0x00007ff6f0a90000
[DDR] [INFO] PE EP          : 0x00007ff6f0ab3c00
[DDR] [INFO] File EP        : 0x0000000140023c00
[DDR] [INFO] EP diff        : 0x00007ff5b0a90000

[DDR] [DEBUG] event_thread_init_trace_instr end.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: dynamorio.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ddr_stable.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: drmgr.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: drwrap.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: notepad.exe:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: COMCTL32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: win32u.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ucrtbase.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: KERNELBASE.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: msvcp_win.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: gdi32full.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: KERNEL32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: msvcrt.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: GDI32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: combase.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: SHCORE.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: RPCRT4.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: USER32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: IMM32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ntdll.dll:
<curiosity: rex.w on OPSZ_6_irex10_short4!>
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
<Application changing protections of system memory at least once (0x00007fffe8def000-0x00007fffe8df3000)>
[DDR] [DEBUG] event_module_load_trace_instr module loaded: bcryptPrimitives.dll:
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] Operant is XMM Register this is not supported in the moment
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:383:DecProcCounter(): Decreased process counter = 1.
[DDR] [INFO] Main process PID 12996 (testsample1_64.exe) process exit function reached. Waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:546:event_exit(): Using log path C:\tools\dev\samples\
.[DDR] [INFO] Writing process info to: C:\tools\dev\samples\ddr_processtrace.txt
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:560:event_exit(): writing processes to processfile: PID: 12996 (testsample1_64.exe)
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\main.c:560:event_exit(): writing processes to processfile: PID: 1472 (notepad.exe)
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: SECHOST.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: ADVAPI32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: AppCore.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: UxTheme.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: CLBCatQ.DLL:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: MrmCoreR.dll:
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: SHELL32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: Wldp.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: Windows.Storage.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: SHLWAPI.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: OLEAUT32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: MSCTF.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: TextShaping.dll:
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: MPR.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: WinTypes.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: efswrt.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: twinapi.appcore.dll:

[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = notepad.exe Process ID = 1472 Threat ID = 13188 Thread counter = 2
[DDR] [INFO] Existing process. New thread started.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\trace_instr.c:119:event_thread_init_trace_instr(): Using log path C:\tools\dev\samples\
[DDR] [DEBUG] [MEMOP] allocated memory for sub thread. Memaddr: 0x00007ff670b12fd8 thread_id=13188 process_id=1472
[DDR] [WARNING] This is not the first thread. Multithreaded is not supported, but works in many case.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.

[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = notepad.exe Process ID = 1472 Threat ID = 3256 Thread counter = 3
[DDR] [INFO] Existing process. New thread started.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\trace_instr.c:119:event_thread_init_trace_instr(): Using log path C:\tools\dev\samples\
[DDR] [DEBUG] [MEMOP] allocated memory for sub thread. Memaddr: 0x00007ff670b12f90 thread_id=3256 process_id=1472
[DDR] [WARNING] This is not the first thread. Multithreaded is not supported, but works in many case.

[DDR] [DEBUG] event_thread_init_trace_instr start.
[DDR] [INFO] New thread initialization started. Appname = notepad.exe Process ID = 1472 Threat ID = 6644 Thread counter = 4
[DDR] [INFO] Existing process. New thread started.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\trace_instr.c:119:event_thread_init_trace_instr(): Using log path C:\tools\dev\samples\
[DDR] [DEBUG] [MEMOP] allocated memory for sub thread. Memaddr: 0x00007ff670b13020 thread_id=6644 process_id=1472
[DDR] [WARNING] This is not the first thread. Multithreaded is not supported, but works in many case.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: OLEACC.dll:
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] event_module_load_trace_instr module loaded: NTMARTA.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: WS2_32.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: CoreMessaging.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: CoreUIComponents.dll:
[DDR] [DEBUG] event_module_load_trace_instr module loaded: TextInputFramework.dll:
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [DEBUG] C:\tools\dev\git\DynDataResolver\ddr_client\ddr_stable\ddr_helper_functions.c:418:GetProcCounter(): process counter = 1.
[DDR] [INFO] waiting for other processes to exit.
[DDR] [INFO] Time out reached. Some processes launched by the main process are still running. Trying to terminate them...
[DDR] [INFO] Trying to kill PID: 1472 (notepad.exe)
[DDR] [INFO] PID: 1472 (notepad.exe) successfully terminated
<Failed to suspend attached-but-never-scheduled thread 12652>
<Failed to suspend attached-but-never-scheduled thread 14136>
<Failed to suspend attached-but-never-scheduled thread 12028>

C:\tools\dev>pause
Press any key to continue . . .



No comments:

Post a Comment

Note: Only a member of this blog may post a comment.