Failed to allocate the clone RAM buffer about sigmakerex HOT 13 CLOSED

The RAM error is strange, appears to get a signed number.
SigMakerEx: * Failed to find a base or reference signature for selected function. * this one is normal though. It's saying that the function is not unique and it can't find a unique referencing function.

Taking a look..
I don't have your IDB so complicates troubleshooting this.
The error is at Search.cpp#L38.

Okay not thinking this was even possible, but put in that msg to catch it, it first fails in the copy so yea the match operation will fail as well. Ignore the match result. Focus on the clone error.

Is this in a live IDB debugging session?
Is the IDB rebased? It shouldn't matter but apparently somehow the the inf.min_ea is larger than the inf.max_ea hence the resulting signed size.

Go to options and turn on the verbose output mode.
Let's see what the above #L16 .."min_ea: 0x%llX, max_ea: 0x%llX, size: 0x%llX".. line outputs.

from sigmakerex.

The RAM error is strange, appears to get a signed number. SigMakerEx: * Failed to find a base or reference signature for selected function. * this one is normal though. It's saying that the function is not unique and it can't find a unique referencing function.

Taking a look.. I don't have your IDB so complicates troubleshooting this. The error is at Search.cpp#L38.

Okay not thinking this was even possible, but put in that msg to catch it, it first fails in the copy so yea the match operation will fail as well. Ignore the match result. Focus on the clone error.

Is this in a live IDB debugging session? Is the IDB rebased? It shouldn't matter but apparently somehow the the inf.min_ea is larger than the inf.max_ea hence the resulting signed size.

Go to options and turn on the verbose output mode. Let's see what the above #L16 .."min_ea: 0x%llX, max_ea: 0x%llX, size: 0x%llX".. line outputs.

Hello, sorry for the late reply. I reanalyzed the IDB and the problem was solved.

from sigmakerex.

Mo problem glad it was resolved. Sounds like the DB was broken.

from sigmakerex.

Just so you know, I tried the above solution. I'm still getting the RAM error:

SearchData::CloneIdb: min_ea: 0x7FFE0000, max_ea: 0xFFFFF78000001000, size: 0xFFFFF77F80021000

SigMakerEx: ** Failed to allocate the clone RAM buffer of size: 0xFFFFF77F80021000 ! **

Function is not unique, looking for a reference function sig.
[0] Function ref @ 0x000001403EA0A7, Func: 0x000001403E9FB0
SearchData::CloneIdb: min_ea: 0x7FFE0000, max_ea: 0xFFFFF78000001000, size: 0xFFFFF77F80021000

SigMakerEx: ** Failed to allocate the clone RAM buffer of size: 0xFFFFF77F80021000 ! **
 Ref not unique or error occurred, skipped.
[1] Function ref @ 0x0000014079F63E, Func: 0x0000014079F5D8
SearchData::CloneIdb: min_ea: 0x7FFE0000, max_ea: 0xFFFFF78000001000, size: 0xFFFFF77F80021000

SigMakerEx: ** Failed to allocate the clone RAM buffer of size: 0xFFFFF77F80021000 ! **
 Ref not unique or error occurred, skipped.
[2] Function ref @ 0x000001409A14FB, Func: 0x000001409A14B0
SearchData::CloneIdb: min_ea: 0x7FFE0000, max_ea: 0xFFFFF78000001000, size: 0xFFFFF77F80021000

SigMakerEx: ** Failed to allocate the clone RAM buffer of size: 0xFFFFF77F80021000 ! **
 Ref not unique or error occurred, skipped.
[3] Function ref @ 0x000001409A8755, Func: 0x000001409A14B0
 Ref not unique or error occurred, skipped.
[4] Function ref @ 0x000001409A8774, Func: 0x000001409A14B0
 Ref not unique or error occurred, skipped.
[5] Function ref @ 0x00000140A371F3, Func: 0x00000140A1EEE4
SearchData::CloneIdb: min_ea: 0x7FFE0000, max_ea: 0xFFFFF78000001000, size: 0xFFFFF77F80021000

SigMakerEx: ** Failed to allocate the clone RAM buffer of size: 0xFFFFF77F80021000 ! **
 Ref not unique or error occurred, skipped.
[6] Function ref @ 0x00000140A918A2, Func: 0x00000140A917C8
SearchData::CloneIdb: min_ea: 0x7FFE0000, max_ea: 0xFFFFF78000001000, size: 0xFFFFF77F80021000

SigMakerEx: ** Failed to allocate the clone RAM buffer of size: 0xFFFFF77F80021000 ! **
 Ref not unique or error occurred, skipped.
SigMakerEx: * Failed to find a base or reference signature for selected function. *

from sigmakerex.

You should have opened a new issue since this one was closed. If you're a different person, the OP will probably get an email about it too.

Anyhow, it looks like the same problem too. Being a corrupt IDB.
So some of the same questions. Is in a live debugger session?
What version of IDA is this?

Looks like this is from some sort of memory dump too (vs loading a functional PE file like an ".exe" from disk).
If it's a memory dump, you probably need to fix the PE header.

Just think for a minute. Does SearchData::CloneIdb: min_ea: 0x7FFE0000, max_ea: 0xFFFFF78000001000, size: 0xFFFFF77F80021000 look valid to you? IDA is telling you, the size of the IDB is 18,446,734,997,852,647,424.

It would take at least 16,777,208 terabytes (1,073,741,824 gigabytes) to just store this image on disk or load it into RAM.
Must have taken IDA ages to load..

from sigmakerex.

You should have opened a new issue since this one was closed. If you're a different person, the OP will probably get an email about it too.

Anyhow, it looks like the same problem too. Being a corrupt IDB.

So some of the same questions. Is in a live debugger session?

What version of IDA is this?

Looks like this is from some sort of memory dump too (vs loading a functional PE file like an ".exe" from disk).

If it's a memory dump, you probably need to fix the PE header.

Just think for a minute. Does SearchData::CloneIdb: min_ea: 0x7FFE0000, max_ea: 0xFFFFF78000001000, size: 0xFFFFF77F80021000 look valid to you? IDA is telling you, the size of the IDB is 18,446,734,997,852,647,424.

It would take at least 16,777,208 terabytes (1,073,741,824 gigabytes) to just store this image on disk or load it into RAM.

Must have taken IDA ages to load..

Hi, thank you for replying.

1. No this is not in a debugger session.

2. This is not a memory dump it's just ntoskrnl loaded from disk not memory.

3. Yes I can see the size is terabytes lol.

This plugin worked great before, it just randomly started doing this. Which is why I commented on this post. And it only took IDA 5-10min to load

I was posting this comment to report a bug, not shitting on your work. This project is great and I wish it worked for me lol

from sigmakerex.

Works for me! (old developer joke):

Np, took no offense. Was being funny about it.

But then an older version of Windows 10 64bit.
I don't doubt you're having a problem, just trying to figure out why.

What version of the one you are looking at?

What version of IDA?
Any other plugins active?
I wonder, the assumption is for any PE file is that they load in one contagious chunk. For any Windows module there is a base address and length basically. The process is built from a series of segments with virtual addresses.
I wouldn't think it was possible to have segments that jump around over different memory spaces.

Copy a screen shot of the segments.
Like this one, which is for this particular dump:

from sigmakerex.

Works for me! (old developer joke):

Np, took no offense. Was being funny about it.

But then an older version of Windows 10 64bit. I don't doubt you're having a problem, just trying to figure out why.

What version of the one you are looking at?

What version of IDA? Any other plugins active? I wonder, the assumption is for any PE file is that they load in one contagious chunk. For any Windows module there is a base address and length basically. The process is built from a series of segments with virtual addresses. I wouldn't think it was possible to have segments that jump around over different memory spaces.

Copy a screen shot of the segments. Like this one, which is for this particular dump:

Thanks for replying and helping.

My Ntos version:

IDA Version: IDA Pro 7.7

Active Plugins: ClassInformer & SigMakerEx (Plus all the other default shit in the plugins folder)

PE Segments:

from sigmakerex.

Okay, there it is. Didn't even know this was even possible with the PE format.

Windows 10 right? And looks like a most recent update. Update to 22H2?
I'm trying to find the same exact version.

Maybe it's a thing, but don't recall seeing a PE file with broken up different address blocks in 20 plus years.
Maybe shared memory segments with a specified address.
Again trying to get the same version, but is there any data in those segments or just uninitialized filter bytes?
Anything has references in or out of those two extreme segments?
Notice they are both only a page in size.

Will have to get a copy and think about how to handle these. I would imagine it will break any other tool that uses the min/max address range including a lot of IDA's own sample scripts and plugins.

For now, you can probably just go to Edit -> Segments -> "Delete segment.." on those two. If just uninitialized data, it will make no difference.

from sigmakerex.

Yea its windows 10 22H2, I did upgrade to windows pro, maybe that could be why?

I'll have to check if there is data in these segments. I'll post a new comment when I do so.

from sigmakerex.

Yes this actually worked deleting the segments, and a signature is created again with ease. Such an easy fix lol, thanks alot.

Just so you know this bug does not just happen with ntoskrnl.exe it happens with any file thats dropped inside of IDA.

from sigmakerex.

I forgot to mention yeah a temp fix was just deleting those segments because I saw they were there, but magically after reanalysing the idb they were gone.

from sigmakerex.

Good to know. Deleting those odd segments at the end shouldn't affect anything.
I'm sure I'll run into that version of ntoskrnl.exe soon and try it in IDA 8.x

from sigmakerex.