Injecting `large` shellcode into a Windows process - windows
I am trying to determine the amount of executable free space within a process. For example, the chrome.exe process with its loaded DLLs has 236,105 bytes available.
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ---> Free space: 331 bytes
C:\WINDOWS\SYSTEM32\ntdll.dll ---> Free space: 818 bytes
C:\WINDOWS\System32\KERNEL32.DLL ---> Free space: 4067 bytes
C:\WINDOWS\System32\KERNELBASE.dll ---> Free space: 2951 bytes
C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\chrome_elf.dll ---> Free space: 318 bytes
C:\WINDOWS\SYSTEM32\VERSION.dll ---> Free space: 1456 bytes
C:\WINDOWS\System32\msvcrt.dll ---> Free space: 2513 bytes
C:\WINDOWS\System32\ADVAPI32.dll ---> Free space: 153 bytes
C:\WINDOWS\System32\sechost.dll ---> Free space: 979 bytes
C:\WINDOWS\System32\RPCRT4.dll ---> Free space: 1397 bytes
C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL ---> Free space: 1789 bytes
C:\WINDOWS\System32\bcryptPrimitives.dll ---> Free space: 2612 bytes
C:\WINDOWS\system32\ntmarta.dll ---> Free space: 416 bytes
C:\WINDOWS\System32\ucrtbase.dll ---> Free space: 2715 bytes
C:\WINDOWS\System32\SHELL32.dll ---> Free space: 2011 bytes
C:\WINDOWS\System32\msvcp_win.dll ---> Free space: 382 bytes
C:\WINDOWS\System32\USER32.dll ---> Free space: 1754 bytes
C:\WINDOWS\System32\win32u.dll ---> Free space: 1450 bytes
C:\WINDOWS\System32\GDI32.dll ---> Free space: 3799 bytes
C:\WINDOWS\System32\gdi32full.dll ---> Free space: 2442 bytes
C:\WINDOWS\System32\IMM32.DLL ---> Free space: 3066 bytes
C:\WINDOWS\SYSTEM32\windows.storage.dll ---> Free space: 1507 bytes
C:\WINDOWS\System32\combase.dll ---> Free space: 2548 bytes
C:\WINDOWS\SYSTEM32\wintypes.dll ---> Free space: 3462 bytes
C:\WINDOWS\System32\SHCORE.dll ---> Free space: 1390 bytes
C:\WINDOWS\System32\shlwapi.dll ---> Free space: 3171 bytes
C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\chrome.dll ---> Free space: 112 bytes
C:\WINDOWS\System32\OLEAUT32.dll ---> Free space: 2177 bytes
C:\WINDOWS\System32\WS2_32.dll ---> Free space: 1488 bytes
C:\WINDOWS\System32\WINTRUST.dll ---> Free space: 3277 bytes
C:\WINDOWS\System32\CRYPT32.dll ---> Free space: 2225 bytes
C:\WINDOWS\SYSTEM32\WINMM.dll ---> Free space: 345 bytes
C:\WINDOWS\SYSTEM32\dbghelp.dll ---> Free space: 1112 bytes
C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL ---> Free space: 1915 bytes
C:\WINDOWS\SYSTEM32\USERENV.dll ---> Free space: 3232 bytes
C:\WINDOWS\SYSTEM32\Secur32.dll ---> Free space: 3651 bytes
C:\WINDOWS\SYSTEM32\UIAutomationCore.DLL ---> Free space: 1286 bytes
C:\WINDOWS\SYSTEM32\WINHTTP.dll ---> Free space: 2313 bytes
C:\WINDOWS\SYSTEM32\DWrite.dll ---> Free space: 2475 bytes
C:\WINDOWS\SYSTEM32\WINSPOOL.DRV ---> Free space: 982 bytes
C:\WINDOWS\SYSTEM32\dhcpcsvc.DLL ---> Free space: 2241 bytes
C:\WINDOWS\SYSTEM32\SSPICLI.DLL ---> Free space: 3889 bytes
C:\WINDOWS\System32\MSASN1.dll ---> Free space: 1607 bytes
C:\WINDOWS\system32\uxtheme.dll ---> Free space: 2272 bytes
C:\WINDOWS\SYSTEM32\gpapi.dll ---> Free space: 77 bytes
C:\WINDOWS\SYSTEM32\wkscli.dll ---> Free space: 3885 bytes
C:\WINDOWS\SYSTEM32\netutils.dll ---> Free space: 1998 bytes
C:\WINDOWS\System32\profapi.dll ---> Free space: 2005 bytes
C:\WINDOWS\System32\ole32.dll ---> Free space: 3835 bytes
C:\WINDOWS\SYSTEM32\kernel.appcore.dll ---> Free space: 3242 bytes
C:\WINDOWS\System32\MSCTF.dll ---> Free space: 831 bytes
C:\WINDOWS\SYSTEM32\powrprof.dll ---> Free space: 516 bytes
C:\WINDOWS\SYSTEM32\UMPDC.dll ---> Free space: 2732 bytes
C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22621.608_none_a9444ca7c10bb01d\COMCTL32.dll ---> Free space: 906 bytes
C:\WINDOWS\System32\DPAPI.dll ---> Free space: 2906 bytes
C:\WINDOWS\system32\nlansp_c.dll ---> Free space: 3021 bytes
C:\WINDOWS\System32\NSI.dll ---> Free space: 522 bytes
C:\WINDOWS\SYSTEM32\dhcpcsvc6.DLL ---> Free space: 950 bytes
C:\WINDOWS\SYSTEM32\DNSAPI.dll ---> Free space: 4070 bytes
C:\WINDOWS\System32\clbcatq.dll ---> Free space: 2980 bytes
C:\WINDOWS\SYSTEM32\textinputframework.dll ---> Free space: 2081 bytes
C:\Windows\System32\Windows.UI.dll ---> Free space: 2690 bytes
C:\WINDOWS\SYSTEM32\WTSAPI32.dll ---> Free space: 3071 bytes
C:\WINDOWS\SYSTEM32\mscms.dll ---> Free space: 176 bytes
C:\WINDOWS\SYSTEM32\WINSTA.dll ---> Free space: 3879 bytes
C:\WINDOWS\System32\SETUPAPI.dll ---> Free space: 1656 bytes
C:\WINDOWS\SYSTEM32\DEVOBJ.dll ---> Free space: 1043 bytes
C:\WINDOWS\SYSTEM32\cfgmgr32.dll ---> Free space: 2106 bytes
C:\WINDOWS\System32\MMDevApi.dll ---> Free space: 152 bytes
C:\Windows\System32\wpnapps.dll ---> Free space: 1320 bytes
C:\Windows\System32\OneCoreUAPCommonProxyStub.dll ---> Free space: 147 bytes
C:\Windows\System32\FirewallAPI.dll ---> Free space: 3741 bytes
C:\Windows\System32\fwbase.dll ---> Free space: 3686 bytes
C:\WINDOWS\SYSTEM32\PROPSYS.dll ---> Free space: 502 bytes
C:\WINDOWS\SYSTEM32\LINKINFO.dll ---> Free space: 1837 bytes
C:\WINDOWS\system32\twinapi.dll ---> Free space: 406 bytes
C:\WINDOWS\system32\dataexchange.dll ---> Free space: 1487 bytes
C:\WINDOWS\system32\twinapi.appcore.dll ---> Free space: 1915 bytes
C:\WINDOWS\SYSTEM32\dwmapi.dll ---> Free space: 2035 bytes
C:\Windows\System32\Windows.Media.dll ---> Free space: 3790 bytes
C:\WINDOWS\SYSTEM32\atlthunk.dll ---> Free space: 1317 bytes
C:\WINDOWS\SYSTEM32\OLEACC.dll ---> Free space: 1106 bytes
C:\WINDOWS\system32\directmanipulation.dll ---> Free space: 2731 bytes
C:\WINDOWS\SYSTEM32\CoreMessaging.dll ---> Free space: 655 bytes
C:\WINDOWS\SYSTEM32\CoreUIComponents.dll ---> Free space: 125 bytes
C:\WINDOWS\System32\CRYPTSP.dll ---> Free space: 1636 bytes
C:\WINDOWS\system32\rsaenh.dll ---> Free space: 4062 bytes
C:\Windows\System32\Windows.System.Launcher.dll ---> Free space: 786 bytes
C:\Windows\System32\msvcp110_win.dll ---> Free space: 580 bytes
C:\WINDOWS\SYSTEM32\windows.staterepositorycore.dll ---> Free space: 902 bytes
C:\WINDOWS\system32\explorerframe.dll ---> Free space: 74 bytes
C:\WINDOWS\system32\mswsock.dll ---> Free space: 2290 bytes
C:\WINDOWS\SYSTEM32\sxs.dll ---> Free space: 2578 bytes
C:\WINDOWS\SYSTEM32\wlanapi.dll ---> Free space: 405 bytes
C:\WINDOWS\SYSTEM32\MobileNetworking.dll ---> Free space: 3530 bytes
C:\Windows\System32\Windows.Devices.Radios.dll ---> Free space: 1869 bytes
C:\Program Files (x86)\Google\Chrome\Application\109.0.5414.120\optimization_guide_internal.dll ---> Free space: 287 bytes
C:\Windows\System32\DevDispItemProvider.dll ---> Free space: 2760 bytes
C:\WINDOWS\SYSTEM32\ncrypt.dll ---> Free space: 3045 bytes
C:\WINDOWS\SYSTEM32\NTASN1.dll ---> Free space: 3067 bytes
C:\WINDOWS\SYSTEM32\bcrypt.dll ---> Free space: 1319 bytes
C:\WINDOWS\system32\PCPKsp.dll ---> Free space: 951 bytes
C:\WINDOWS\SYSTEM32\tbs.dll ---> Free space: 2259 bytes
C:\WINDOWS\System32\Speech\Common\sapi.dll ---> Free space: 3428 bytes
C:\WINDOWS\System32\WTDSENSOR.dll ---> Free space: 1488 bytes
C:\Windows\System32\Windows.Media.MediaControl.dll ---> Free space: 2711 bytes
C:\WINDOWS\system32\windowscodecs.dll ---> Free space: 1830 bytes
C:\WINDOWS\SYSTEM32\edputil.dll ---> Free space: 3234 bytes
C:\Windows\System32\Windows.Security.Credentials.UI.UserConsentVerifier.dll ---> Free space: 804 bytes
C:\Windows\System32\cryptngc.dll ---> Free space: 1633 bytes
C:\WINDOWS\SYSTEM32\apphelp.dll ---> Free space: 3107 bytes
C:\WINDOWS\system32\NetworkExplorer.dll ---> Free space: 3241 bytes
C:\WINDOWS\SYSTEM32\ntshrui.dll ---> Free space: 1964 bytes
C:\WINDOWS\SYSTEM32\srvcli.dll ---> Free space: 2209 bytes
C:\WINDOWS\SYSTEM32\cscapi.dll ---> Free space: 1654 bytes
C:\WINDOWS\SYSTEM32\policymanager.dll ---> Free space: 1842 bytes
C:\Windows\System32\TaskFlowDataEngine.dll ---> Free space: 112 bytes
C:\Windows\System32\MsSpellCheckingFacility.dll ---> Free space: 1077 bytes
C:\Windows\System32\Bcp47Langs.dll ---> Free space: 1964 bytes
C:\Windows\System32\Windows.Devices.Sensors.dll ---> Free space: 1652 bytes
C:\Windows\System32\BiWinrt.dll ---> Free space: 706 bytes
C:\Windows\System32\BitsProxy.dll ---> Free space: 2131 bytes
C:\WINDOWS\SYSTEM32\webauthn.dll ---> Free space: 2692 bytes
Total Free Space: 236105 bytes
The output was produced by this code:
#include <windows.h>
#include <psapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "psapi.lib")

// Build this with the same bitness as the target: EnumProcessModules cannot
// enumerate a 64-bit process from a 32-bit tool, and PIMAGE_NT_HEADERS resolves
// to the 32- or 64-bit header layout at compile time.

int total_free_space = 0;

// Walks the section table of a PE image mapped as a flat file and reports the
// padding of its .text section. Returns 0 if a .text section was found.
static int ScanTextSection(LPVOID lpFileBase, const char* file_path) {
    PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)lpFileBase;
    if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("Not a PE image: %s\n", file_path);
        return 1;
    }
    PIMAGE_NT_HEADERS nt_headers = (PIMAGE_NT_HEADERS)((LPBYTE)lpFileBase + dos_header->e_lfanew);
    if (nt_headers->Signature != IMAGE_NT_SIGNATURE) {
        printf("Bad NT signature: %s\n", file_path);
        return 1;
    }
    PIMAGE_SECTION_HEADER section_header = IMAGE_FIRST_SECTION(nt_headers);
    for (int i = 0; i < nt_headers->FileHeader.NumberOfSections; i++, section_header++) {
        // Section names are not NUL-terminated when all 8 bytes are used, so
        // compare at most IMAGE_SIZEOF_SHORT_NAME characters.
        if (strncmp((const char*)section_header->Name, ".text", IMAGE_SIZEOF_SHORT_NAME) != 0) {
            continue;
        }
        // VirtualSize is what the linker emitted; SizeOfRawData is that figure
        // rounded up to FileAlignment. The difference is zero padding that is
        // mapped into the process together with the code. abs() covers images
        // where VirtualSize is the larger of the two.
        DWORD section_size = section_header->Misc.VirtualSize;
        DWORD section_used_space = section_header->SizeOfRawData;
        int section_free_space = abs((int)section_size - (int)section_used_space);
        total_free_space += section_free_space;
        printf("Free space: %d bytes\n", section_free_space);
        // This is a flat file view, so file offsets (PointerToRawData), not RVAs,
        // locate the bytes here:
        //LPVOID start_address = (LPVOID)((LPBYTE)lpFileBase + section_header->PointerToRawData + section_size);
        //printf("Start of padding in the file view: %p\n", start_address);
        return 0;
    }
    printf("No .text section\n");
    return 1;
}

int ModuleFreeSpace(const char* file_path) {
    // FILE_SHARE_READ: the loader and other tools may already have the DLL open
    HANDLE hFile = CreateFileA(file_path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Could not open file %s\n", file_path);
        return 1;
    }
    HANDLE hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hFileMapping == NULL) {
        printf("Could not create file mapping for %s\n", file_path);
        CloseHandle(hFile);
        return 1;
    }
    LPVOID lpFileBase = MapViewOfFile(hFileMapping, FILE_MAP_READ, 0, 0, 0);
    if (lpFileBase == NULL) {
        printf("Could not map view of file for %s\n", file_path);
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return 1;
    }
    int rc = ScanTextSection(lpFileBase, file_path);
    UnmapViewOfFile(lpFileBase);
    CloseHandle(hFileMapping);
    CloseHandle(hFile);
    return rc;
}

void ListProcessModules(DWORD dwPID) {
    HMODULE hMods[1024];
    HANDLE hProcess;
    DWORD cbNeeded;
    unsigned int i;
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
    if (NULL == hProcess) {
        printf("\n[ERROR] Could not open process (pid: %lu)\n", (unsigned long)dwPID);
        return;
    }
    if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded)) {
        // cbNeeded reports the full size even when hMods was too small; never
        // index past the array.
        if (cbNeeded > sizeof(hMods)) {
            cbNeeded = sizeof(hMods);
        }
        for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++) {
            CHAR szModName[MAX_PATH];
            if (GetModuleFileNameExA(hProcess, hMods[i], szModName, sizeof(szModName) / sizeof(CHAR))) {
                printf("%s ---> ", szModName);
                ModuleFreeSpace(szModName);
            }
        }
    }
    CloseHandle(hProcess);
}

int main(int argc, char* argv[]) {
    // Get the target PID
    if (argc < 2) {
        printf("Usage: %s <target PID>\n", argv[0]);
        return 1;
    }
    DWORD targetPID = (DWORD)atoi(argv[1]);
    ListProcessModules(targetPID);
    printf("Total Free Space: %d bytes\n", total_free_space);
    return 0;
}
Question
Is it possible to inject large shellcode into a process using some kind of jump/call chaining between these various executable free spaces in memory?
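Two points about the measurement, followed by an added example (my own code, not the asker's and not part of the original post). First, the figures above are the difference between VirtualSize and SizeOfRawData, i.e. padding to FileAlignment. What the loader actually maps is each section rounded up to SectionAlignment (0x1000 by default), so the executable slack a process has at the end of a code section is ALIGN_UP(VirtualSize, SectionAlignment) - VirtualSize: zero-filled, unused, and covered by the section's execute protection, but never more than one page minus a byte per section. Second, those pages belong to the image mapping and are not writable (PAGE_EXECUTE_READ), so filling a cave means a cross-process write into executable image pages, which this example deliberately does not implement; and on 64-bit Windows two modules are not guaranteed to lie within the +/-2 GiB reach of a jmp rel32. The code parses PE headers by offset (no windows.h, so it builds anywhere), inventories the executable slack of a constructed header-only PE32+ image standing in for a loaded DLL, and plans the chain the question asks about: each fragment followed by a 5-byte jmp rel32 to the next, rejecting a plan when the payload does not fit or a jump is out of reach. The image base 0x7FF800000000, the section sizes and the 3700-byte payload are made-up inputs; the planner splits at byte counts, so a real payload would still have to be cut on instruction boundaries and be position-independent.

```c
/* Added example (not the asker's code): inventory executable-section slack
 * ("code caves") in a PE image and plan a jmp-rel32 chain through them.
 * PE headers are parsed by offset so no windows.h is needed; the image is a
 * constructed header-only PE32+ blob standing in for a loaded DLL. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define JMP_REL32_LEN 5                       /* E9 xx xx xx xx */

typedef struct { uint64_t va; uint32_t size; char section[9]; } Cave;
typedef struct { uint64_t va; uint32_t bytes; int has_jmp; int32_t rel32; } Chunk;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* In memory each section occupies VirtualSize rounded up to SectionAlignment; the
 * tail past VirtualSize is zero-filled, unused and, for code sections, executable.
 * Returns the number of caves found, or -1 for a malformed header. */
int find_caves(const uint8_t *img, size_t len, uint64_t image_base, Cave *out, int max)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                              /* "MZ" */
    uint32_t e_lfanew = rd32(img + 0x3C);
    if ((uint64_t)e_lfanew + 24 > len || rd32(img + e_lfanew) != 0x4550) return -1; /* "PE\0\0" */
    const uint8_t *fh = img + e_lfanew + 4;                /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16);
    const uint8_t *opt = fh + 20;                          /* IMAGE_OPTIONAL_HEADER */
    const uint8_t *sh = opt + opt_size;                    /* IMAGE_SECTION_HEADER[] */
    if (opt_size < 36 || (size_t)(sh - img) + (size_t)nsec * 40 > len) return -1;
    uint32_t sect_align = rd32(opt + 32);                  /* same offset in PE32 and PE32+ */
    if (sect_align == 0 || (sect_align & (sect_align - 1)) != 0) return -1;
    int n = 0;
    for (uint16_t i = 0; i < nsec && n < max; i++, sh += 40) {
        uint32_t vsize = rd32(sh + 8), rva = rd32(sh + 12), chars = rd32(sh + 36);
        if (!(chars & IMAGE_SCN_MEM_EXECUTE)) continue;
        uint64_t aligned = ((uint64_t)vsize + sect_align - 1) & ~(uint64_t)(sect_align - 1);
        if (aligned == vsize) continue;                    /* ends exactly on a page */
        out[n].va = image_base + rva + vsize;
        out[n].size = (uint32_t)(aligned - vsize);
        memcpy(out[n].section, sh, 8); out[n].section[8] = '\0';
        n++;
    }
    return n;
}

/* Spread `total` bytes of position-independent code over the caves in order; every
 * fragment but the last ends with a jmp rel32 to the next one. The caller must cut
 * the payload on instruction boundaries at the returned sizes. Returns the chunk
 * count, -1 if the caves are too small, -2 if a jump exceeds rel32's +/-2 GiB reach. */
int plan_chain(const Cave *caves, int ncaves, uint32_t total, Chunk *out, int max)
{
    uint32_t left = total;
    int n = 0;
    for (int i = 0; i < ncaves && left > 0 && n < max; i++) {
        uint32_t take;
        if (left <= caves[i].size) take = left;                       /* last fragment, no jmp */
        else if (caves[i].size > JMP_REL32_LEN) take = caves[i].size - JMP_REL32_LEN;
        else continue;                                                /* no room for code + jmp */
        out[n].va = caves[i].va; out[n].bytes = take; out[n].has_jmp = 0; out[n].rel32 = 0;
        left -= take;
        n++;
    }
    if (left > 0) return -1;
    for (int k = 0; k + 1 < n; k++) {                                 /* back-fill displacements */
        uint64_t jmp_at = out[k].va + out[k].bytes;                   /* where the E9 byte lands */
        int64_t delta = (int64_t)out[k + 1].va - (int64_t)(jmp_at + JMP_REL32_LEN);
        if (delta > INT32_MAX || delta < INT32_MIN) return -2;
        out[k].has_jmp = 1;
        out[k].rel32 = (int32_t)delta;
    }
    return n;
}

/* Encode `jmp rel32` (displacement is relative to the end of the 5-byte instruction). */
void encode_jmp(uint8_t dst[5], int32_t rel32) { dst[0] = 0xE9; wr32(dst + 1, (uint32_t)rel32); }

static void put_section(uint8_t *sh, const char *name, uint32_t vsize, uint32_t rva,
                        uint32_t raw, uint32_t chars)
{
    size_t l = strlen(name);
    memset(sh, 0, 40);
    memcpy(sh, name, l > 8 ? 8 : l);
    wr32(sh + 8, vsize); wr32(sh + 12, rva); wr32(sh + 16, raw); wr32(sh + 36, chars);
}

/* Constructed PE32+ header with no section bodies; all sizes are made up for the demo. */
size_t build_demo_image(uint8_t *buf, size_t cap)
{
    size_t need = 0x80 + 24 + 240 + 3 * 40;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, 0x80);              /* e_lfanew */
    uint8_t *pe = buf + 0x80, *opt = pe + 24;
    memcpy(pe, "PE\0\0", 4);
    wr16(pe + 4, 0x8664); wr16(pe + 6, 3); wr16(pe + 20, 240);       /* x64, 3 sections, PE32+ */
    wr16(opt, 0x20B); wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200); /* magic, SectionAlignment, FileAlignment */
    put_section(opt + 240,      ".text",  0x1234, 0x1000, 0x1400, 0x60000020); /* code: 3532-byte cave */
    put_section(opt + 240 + 40, ".rdata", 0x0800, 0x3000, 0x0800, 0x40000040); /* data: ignored */
    put_section(opt + 240 + 80, "PAGE",   0x5F00, 0x4000, 0x6000, 0x60000020); /* code: 256-byte cave */
    return need;
}

int main(void)
{
    uint8_t img[0x400];
    Cave caves[8];
    Chunk plan[8];
    size_t len = build_demo_image(img, sizeof img);
    int nc = find_caves(img, len, 0x7FF800000000ULL, caves, 8);
    for (int i = 0; i < nc; i++)
        printf("%-8s cave at 0x%llx: %u bytes\n", caves[i].section,
               (unsigned long long)caves[i].va, caves[i].size);
    int np = plan_chain(caves, nc, 3700, plan, 8);                    /* 3700-byte payload, made up */
    for (int i = 0; i < np; i++) {
        uint8_t jmp[5] = {0};
        if (plan[i].has_jmp) encode_jmp(jmp, plan[i].rel32);
        printf("chunk %d: %u bytes at 0x%llx%s %02X %02X %02X %02X %02X\n", i, plan[i].bytes,
               (unsigned long long)plan[i].va, plan[i].has_jmp ? ", then jmp" : ", end",
               jmp[0], jmp[1], jmp[2], jmp[3], jmp[4]);
    }
    return np > 0 ? 0 : 1;
}
```

With the constructed image the .text cave holds 3527 payload bytes plus the jump and the PAGE cave takes the remaining 173, so the chain works out to 3783 usable bytes, five fewer than the raw slack because of the jmp in the first fragment; feeding the same planner the cave list from a real process (one Cave per executable section of every module, with absolute addresses from EnumProcessModules) answers the "does it fit, and where does each piece go" part of the question without touching the target.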