1

I am trying to hook a function to Notepad.exe, so that it will encrypt a file when saving. I have dis-assembled it with IDA. I want to place breakpoints on the saving subroutine which I have identified. When starting a Notepad process inside the IDA debugger, I can use notepad fine but when try to "Save As" from inside the Notepad the process crashes with the following error:

7FFE28C9565C: unknown exception code 6BA (exc.code 6ba, tid 10436)

What can I do to solve this?

A problem that might be related is that when I first dis-assemble notepad.exe I get a popup asking me to place the path of api-ms-win-shcore-path-l1-1-0.dll, which I can't find.

Improve this question

1 Answer 1

Reset to default
2

Value 6BA is 1722 in decimal so most likely corresponds to the following Win32 error code:

// // MessageId: RPC_S_SERVER_UNAVAILABLE // // MessageText: // // The RPC server is unavailable. // #define RPC_S_SERVER_UNAVAILABLE 1722L

At a guess, the system function used for the save dialog tries to communicate with some RPC service but it's not available (e.g. it's used only in some Windows versions or configurations). Since standalone Notepad works, most likely the code is prepared to handle this exception so you can try to continue execution and select "pass exception to the program".

Improve this answer
2
  • Thank you for the response! Where can I pass an exception to the program in the IDA interface? Commented Dec 28, 2023 at 16:16
  • @YizharAmir the choice is shown when you try to continue execution (step or run) Commented Dec 30, 2023 at 22:19

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.