If you're running malware in IDA and get a error such as
8A1EE: The instruction at 0x8A1EE referenced memory at 0x0. The memory could not be written -> 0000000000000000 (exc.code c0000006, tid 2268)
Per the OALabs youtube video
This might be caused by the Debugger holding a handle to malware sample and the malware itself wanting its own exclusive handle to the file.
Thus the malware errors out because it cannot collect an exclusive handle to the malware sample since the debugger already has a handle.
To remediate, one potential fix is to try ...
- Set a breakpoint in IDA on startup
- In the debugger "Modules" window, find "ntdll.dll" and the "NtCreateFile" function, set a breakpoint
- Continue the debugger, it will eventually hit NtCreateFile
- Then "Continue until Return" multiple times until you return to the malware code
- In my case it was a call to "kernel32.dll" "CreateFileA" that triggered this call
- If you look at the parameters to "CreateFileA", the 3rd parameter was set to 0 which means an exclusive handle
- If you look in the return result of CreateFileA it returned FFFFFFFF which means an "invalid file handle" which is what's causing the error
- So, add a breakpoint to this CreateFileA call
- Kill the debugging process
- Re-launch the program until it hits your new breakpoint
- Change that 3rd parameter from 0x0 to 0x7 to give yourself full access
- Now allow it to run, and notice the return value is no longer FFFFFFFF , it's a valid file handle now, and thus you've gotten past that error caused by the exclusive handle!