An alternative hypothesis is that the memory is seen as executable,
but the contents of the memory is still seen as 00 00 00 00 by the
executing CPU, which decodes as `add [eax], ax`, and would segfault
given that rax contained 0xC. That said, rapidly flipping page
protection causing confusion seems a more likely hypothesis.

You mean a fresh trace? I highly doubt that. In my studies, the failing
On Fri, Nov 18, 2016 at 1:43 PM, Igor Ehrlich <igor.a.ehrlich@xxxxxxxxx>
wrote:
Please note, you are most probably not experiencing the issue with code
reading/writing. You are experiencing an issue with __executing__ the code
that's right under your RIP (first instruction of the compiled trace).
Region mapping will show CODE attribute for it, but I believe it is not that
way at the moment of execution within the hardware.
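To make the "executing a still-zeroed page" hypothesis concrete, here is an added illustration that is not part of this thread or of the JIT being discussed. It is a deliberately tiny, constructed decoder for the ADD r/m,reg opcode family (00-03) in 64-bit mode with a simplified ModRM (no REX, SIB or displacement handling), plus a helper that checks whether the decoded memory operand lands outside a constructed set of mapped ranges. Register values and mapped ranges are assumptions chosen to mirror the scenario above (rax holding 0xC, the low page unmapped).

```python
"""Decode the first bytes of a code page the way the CPU would.

Added illustration for the hypothesis discussed above: if a freshly mapped
page that is still full of 00 bytes is executed, the CPU decodes those bytes
as a memory-touching ADD whose address comes from RAX. This decoder covers
only opcodes 00-03 with a simplified ModRM; it is not a general disassembler.
"""
from dataclasses import dataclass
from typing import Optional

# Register names for the 3-bit ModRM fields (REX prefixes are not modelled).
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


@dataclass
class Insn:
    text: str
    mem_base: Optional[str]   # register supplying the memory address, if any
    mem_write: bool           # does the instruction store to memory?


def decode_add(code: bytes) -> Insn:
    """Decode opcodes 00-03 (ADD between r/m and reg) in 64-bit mode.

    Only mod=00 with a plain base register and mod=11 (register-register)
    are handled; SIB, displacement, RIP-relative and REX forms raise.
    """
    if len(code) < 2:
        raise ValueError("need at least opcode + ModRM")
    opcode, modrm = code[0], code[1]
    if opcode > 0x03:
        raise ValueError(f"opcode {opcode:#04x} not in the ADD r/m,reg family")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    byte_op = opcode in (0x00, 0x02)          # bit 0 clear => 8-bit operands
    reg_is_dest = opcode in (0x02, 0x03)      # bit 1 set => reg <- r/m
    regnames = REGS8 if byte_op else REGS32
    reg_name = regnames[reg]

    if mod == 3:
        rm_text, base = regnames[rm], None
    elif mod == 0 and rm not in (4, 5):       # rm=4 needs SIB, rm=5 is RIP-relative
        base = REGS64[rm]
        rm_text = f"{'byte' if byte_op else 'dword'} ptr [{base}]"
    else:
        raise NotImplementedError("SIB/displacement forms not modelled")

    if reg_is_dest:
        text, write = f"add {reg_name}, {rm_text}", False
    else:
        text, write = f"add {rm_text}, {reg_name}", base is not None
    return Insn(text, base, write)


def would_fault(code: bytes, regs: dict, mapped: list) -> bool:
    """True if executing `code` touches an address outside `mapped`.

    `mapped` is a list of (start, end) half-open byte ranges and `regs` maps
    register names to values; both are constructed inputs, not real state.
    A memory operand is read even for the reg-destination forms, so any
    unmapped address faults regardless of direction.
    """
    insn = decode_add(code)
    if insn.mem_base is None:
        return False
    addr = regs[insn.mem_base]
    return not any(lo <= addr < hi for lo, hi in mapped)


if __name__ == "__main__":
    zero_page = bytes(16)          # constructed: a page still full of 00 bytes
    insn = decode_add(zero_page)
    print(insn.text)               # add byte ptr [rax], al
    # Constructed machine state mirroring the thread: rax holds a small
    # non-pointer value and the low page is not mapped.
    print(would_fault(zero_page, {"rax": 0xC}, [(0x400000, 0x401000)]))
```

The practical point for anyone debugging a JIT crash like this one: when RIP sits on memory that decodes to an ADD through RAX, the fault address reported by the kernel (here 0xC) is the value RAX happened to hold, not the code address, which is why a zero-filled page looks like a wild store rather than a "bad instruction" fault.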