
Strange BSOD with multiple shadowed pages #23

Open
celtic1990 opened this issue Dec 22, 2018 · 5 comments

Comments

celtic1990 commented Dec 22, 2018

Hi guys. I am having a weird issue and I wonder if anyone else has experienced it. Sorry for my poor English.

I am making multiple hooks on kernel functions. The hooks work OK. I make multiple shadow pages and all of them work OK. But when I try to hide a certain combination of pages, I get a BSOD with KERNEL_SECURITY_CHECK_FAILURE and have no idea why.

From my debug output:
[screenshot of the debug output; image not reproduced]

The combination of the last 2 causes the BSOD. Other combinations are OK. But 3 and 4 in the picture together make a BSOD. But all the debug addresses look normal to me? I do not understand why they cannot work together.

@wbenny Can you advise me, master? 👍 🥇

wbenny (Owner) commented Dec 22, 2018

Hi, can you share a dump/pdb or at least a crash stack trace?

celtic1990 (Author) commented:

Hello, sorry for being slow... holiday with family :) This is my crash dump. I don't understand why it is crashing sometimes with some combinations and is OK other times. So weird. I'm just using a basic array for multiple pages and checking the address to return the correct page. I crash even without making a hook. I create the ReadAligned and ExecuteAligned pages the same way as you do. Then I do mp::ipi_call to initialize the same way as you do. That is all I do to make this BSOD.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack
	extents for the thread.
Arg2: ffffde0b94ea4870, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffde0b94ea47c8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1


STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804

SYSTEM_MANUFACTURER:  HP

SYSTEM_PRODUCT_NAME:  860-010

SYSTEM_SKU:  M9Z94AA#ABA

SYSTEM_VERSION:  1.04

BIOS_VENDOR:  AMI

BIOS_VERSION:  A0.07

BIOS_DATE:  10/26/2015

BASEBOARD_MANUFACTURER:  HP

BASEBOARD_PRODUCT:  2B4B

BASEBOARD_VERSION:  1.04

DUMP_TYPE:  1

BUGCHECK_P1: 4

BUGCHECK_P2: ffffde0b94ea4870

BUGCHECK_P3: ffffde0b94ea47c8

BUGCHECK_P4: 0

TRAP_FRAME:  cccccccccccccccc -- (.trap 0xcccccccccccccccc)
Unable to read trap frame at cccccccc`cccccccc

EXCEPTION_RECORD:  cccccccccccccccc -- (.exr 0xcccccccccccccccc)
Cannot read Exception record @ cccccccccccccccc

CPU_COUNT: 8

CPU_MHZ: d50

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: C2'00000000 (cache) C2'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


BUGCHECK_STR:  0x139

PROCESS_NAME:  taskhostw.exe

CURRENT_IRQL:  e

DEFAULT_BUCKET_ID:  FAIL_FAST_INCORRECT_STACK

WATSON_BKT_EVENT:  BEX

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000004

ANALYSIS_SESSION_HOST:  ADMIN

ANALYSIS_SESSION_TIME:  12-23-2018 11:37:55.0907

ANALYSIS_VERSION: 10.0.17763.1 amd64fre

BAD_STACK_POINTER:  ffffde0b94ea4548

LAST_CONTROL_TRANSFER:  from fffff803f224ac69 to fffff803f223a0a0

STACK_TEXT:  
ffffde0b`94ea4548 fffff803`f224ac69 : 00000000`00000139 00000000`00000004 ffffde0b`94ea4870 ffffde0b`94ea47c8 : nt!KeBugCheckEx
ffffde0b`94ea4550 fffff803`f224b010 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : nt!KiBugCheckDispatch+0x69
ffffde0b`94ea4690 fffff803`f224961f : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : nt!KiFastFailDispatch+0xd0
ffffde0b`94ea4870 fffff803`f227c077 : ffffde0b`94ea5150 ffffde0b`94ea5150 cccccccc`cccccccc cccccccc`cccccccc : nt!KiRaiseSecurityCheckFailure+0x2df
ffffde0b`94ea4a00 fffff803`f214e770 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`00000003 cccccccc`cccccccc : nt!RtlpGetStackLimits+0x12c017
ffffde0b`94ea4a30 fffff803`f2150613 : ffffde0b`94ea5908 ffffde0b`94ea5650 ffffde0b`94ea5908 ffffde0b`94ea5ee9 : nt!RtlDispatchException+0x70
ffffde0b`94ea5120 fffff803`f224ad42 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : nt!KiDispatchException+0x1f3
ffffde0b`94ea57d0 fffff803`f22453d2 : fffff803`9a706de0 ffffde0b`94ea59d8 ffffde0b`94ea5ee9 fffff803`9a706de0 : nt!KiExceptionDispatch+0xc2
ffffde0b`94ea59b0 fffff803`9a6f18a3 : fffff803`9a6f15f9 00000000`00000000 00000000`02a009e3 ffffde0b`94ecf64a : nt!KiBreakpointTrap+0x2d2
ffffde0b`94ea5b40 fffff803`9a6f15f9 : 00000000`00000000 00000000`02a009e3 ffffde0b`94ecf64a ffffde0b`94ea5c49 : hvppdrv+0x18a3
ffffde0b`94ea5b48 fffff803`9a700dbd : ffffde0b`94ead000 00000000`02a00000 ffffde0b`94ea5e01 fffff803`f20ae733 : hvppdrv+0x15f9
ffffde0b`94ea5b78 fffff803`9a701a87 : ffffde0b`94ead000 00000000`02a00000 00000000`02a00000 00000001`fc560000 : hvppdrv+0x10dbd
ffffde0b`94ea5c08 fffff803`9a6f3556 : ffffde0b`94ead000 00000000`02a00000 00000000`02a00000 00000000`02b4f000 : hvppdrv+0x11a87
ffffde0b`94ea5c38 fffff803`9a6f7bc6 : ffffde0b`94eaf210 ffffde0b`94e9e000 cccccccc`cccccccc cccccccc`cccccccc : hvppdrv+0x3556
ffffde0b`94ea5de8 fffff803`9a6f19b6 : ffffde0b`94eaf210 ffffde0b`94e9e000 cccccccc`cccccccc cccccccc`cccccccc : hvppdrv+0x7bc6
ffffde0b`94ea5e38 fffff803`9a6f1b8e : ffffde0b`94ea5f28 ffffde0b`94eaf210 cccccccc`00000002 cccccccc`cccccccc : hvppdrv+0x19b6
ffffde0b`94ea5e78 fffff803`9a6f1ea5 : ffffde0b`94eaf210 ffffde0b`94ea5f28 00000000`00006800 00000000`00000246 : hvppdrv+0x1b8e
ffffde0b`94ea5ec8 fffff803`9a6f2881 : ffffde0b`94eaf210 ffffde0b`94ea5f28 cccccccc`00006820 00000000`00000246 : hvppdrv+0x1ea5
ffffde0b`94ea5f08 fffff803`9a702978 : ffffde0b`94eaf000 ffffde0b`94e9e000 cccccccc`cccccccc cccccccc`cccccccc : hvppdrv+0x2881
ffffde0b`94ea5f48 fffff803`9a705f32 : ffffde0b`94e9e000 00000000`00000002 ffffde0b`94ea6000 fffff803`9a704e59 : hvppdrv+0x12978
ffffde0b`94ea5fb8 fffff803`9a701fef : fffff803`9a6f8027 ffffde0b`94eaf000 bfebfbff`7ffafbff 00000000`00000007 : hvppdrv+0x15f32
ffff8180`5bbd5d58 fffff803`9a6f8027 : ffffde0b`94eaf000 bfebfbff`7ffafbff 00000000`00000007 ffffde0b`94e9e000 : hvppdrv+0x11fef
ffff8180`5bbd5d60 fffff803`9a6f7dad : ffffde0b`94e26000 00000000`00000000 00000000`00000000 00000000`00000000 : hvppdrv+0x8027
ffff8180`5bbd5d90 fffff803`9a6f7c85 : 00000000`00000000 fffff084`e97725d8 00000000`00000246 fffff803`f2005fc2 : hvppdrv+0x7dad
ffff8180`5bbd5de0 fffff803`9a705067 : fffff084`e97725d8 00000000`00000091 ffff8180`00000002 ffff8180`5bbd5e80 : hvppdrv+0x7c85
ffff8180`5bbd5e10 fffff803`9a704ff5 : 00000000`00000000 fffff084`e9772558 00000000`00000000 00000000`00000000 : hvppdrv+0x15067
ffff8180`5bbd5e70 fffff803`f21fbdee : fffff084`e9772558 00000000`00000000 00000000`00000000 00000000`00000000 : hvppdrv+0x14ff5
ffff8180`5bbd5ea0 fffff803`f21983b5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIpiGenericCallTarget+0x1e
ffff8180`5bbd5ed0 fffff803`f2240cb0 : 80000002`cb961867 00000000`00000001 fffff401`11acba18 00000000`ffffffff : nt!KiIpiProcessRequests+0x2e5
ffff8180`5bbd5fb0 fffff803`f2240a18 : fffff084`ec976eb0 00000000`00000000 00000000`00000000 00000000`c0000503 : nt!KiIpiInterruptSubDispatch+0x80
fffff084`ec976c40 fffff803`f20db56a : ffffde0b`8ea0d580 ffffde0b`8ea0d640 fffff47a`0088d658 0a000001`fedef867 : nt!KiIpiInterrupt+0x2d8
fffff084`ec976dd0 fffff803`f255888b : 00000000`00000000 ffffde0b`00000000 ffffde0b`8eaf0440 fffff803`f258b942 : nt!MiDecommitPages+0x7fa
fffff084`ec977800 fffff803`f2557ec9 : 00000000`00000000 ffffde0b`8eb7a9c0 00000000`00014000 ffffde0b`8eaf0440 : nt!MiDecommitRegion+0x6b
fffff084`ec977870 fffff803`f2557bdb : fffff084`ec9779a8 00000000`00003a98 00000223`4f5a3010 00000000`7ffe0386 : nt!MmFreeVirtualMemory+0x2b9
fffff084`ec9779a0 fffff803`f224a743 : ffffde0b`8eaf0440 ffffde0b`8a2e2e00 000000d1`8c6ffb48 fffff084`ec977a80 : nt!NtFreeVirtualMemory+0x8b
fffff084`ec977a00 00007ffb`85dfad64 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000d1`8c6ff858 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`85dfad64


THREAD_SHA1_HASH_MOD_FUNC:  d9e6bd216827dbd9b81dc0cf3f5e9b41e9d60c89

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  40d318a4b8897ea1c245269f5c869830f0a39350

THREAD_SHA1_HASH_MOD:  85c614d6cc2e66c6e3f56d530daa7e2e8df77bae

FOLLOWUP_IP: 
hvppdrv+18a3
fffff803`9a6f18a3 c3              ret

FAULT_INSTR_CODE:  ccccccc3

SYMBOL_STACK_INDEX:  9

SYMBOL_NAME:  hvppdrv+18a3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hvppdrv

IMAGE_NAME:  hvppdrv.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5c1f7228

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  18a3

FAILURE_BUCKET_ID:  0x139_MISSING_GSFRAME_STACKPTR_ERROR_hvppdrv!unknown_function

BUCKET_ID:  0x139_MISSING_GSFRAME_STACKPTR_ERROR_hvppdrv!unknown_function

PRIMARY_PROBLEM_CLASS:  0x139_MISSING_GSFRAME_STACKPTR_ERROR_hvppdrv!unknown_function

TARGET_TIME:  2018-12-23T11:31:58.000Z

OSBUILD:  17134

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  784

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2018-12-13 22:53:05

BUILDDATESTAMP_STR:  180410-1804

BUILDLAB_STR:  rs4_release

BUILDOSVER_STR:  10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME:  15c9

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_missing_gsframe_stackptr_error_hvppdrv!unknown_function

FAILURE_ID_HASH:  {8b137560-657b-d427-f4ef-878942e298a1}
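A small triage helper for the STACK_TEXT quoted above, added here as an example (it is not part of the issue or of hvpp): it parses the WinDbg frame lines, picks the first frame outside nt roughly the way the debugger chooses SYMBOL_NAME, flags argument slots that still hold MSVC's 0xCC debug fill, and marks where consecutive frames' stack pointers jump to a different stack, the condition that bugcheck 0x139 with Arg1 4 reports. The sample frames are a constructed subset of the dump; the 1 MiB jump threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample: six frames taken in shape from the STACK_TEXT in the
# bugcheck analysis above (thread stack first, then the IPI interrupt stack).
SAMPLE_STACK_TEXT = """\
ffffde0b`94ea4548 fffff803`f224ac69 : 00000000`00000139 00000000`00000004 ffffde0b`94ea4870 ffffde0b`94ea47c8 : nt!KeBugCheckEx
ffffde0b`94ea4550 fffff803`f224b010 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : nt!KiBugCheckDispatch+0x69
ffffde0b`94ea5b40 fffff803`9a6f15f9 : 00000000`00000000 00000000`02a009e3 ffffde0b`94ecf64a ffffde0b`94ea5c49 : hvppdrv+0x18a3
ffffde0b`94ea5fb8 fffff803`9a701fef : fffff803`9a6f8027 ffffde0b`94eaf000 bfebfbff`7ffafbff 00000000`00000007 : hvppdrv+0x15f32
ffff8180`5bbd5d58 fffff803`9a6f8027 : ffffde0b`94eaf000 bfebfbff`7ffafbff 00000000`00000007 ffffde0b`94e9e000 : hvppdrv+0x11fef
ffff8180`5bbd5ea0 fffff803`f21983b5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIpiGenericCallTarget+0x1e
"""

# One 64-bit frame: child SP, return address, four argument slots, symbol.
FRAME_RE = re.compile(r"^(?P<sp>[0-9a-f`]{17}) [0-9a-f`]{17} : "
                      r"(?P<args>(?:[0-9a-f`]{17} ){4}): (?P<sym>\S+)$")
POISON = 0xCCCCCCCCCCCCCCCC  # MSVC debug-build fill for uninitialized stack memory
STACK_JUMP = 0x100000        # assumed: SP gap between frames larger than any kernel stack

def parse_frames(stack_text):
    """Parse STACK_TEXT lines into dicts with sp, module, symbol and args."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # header, label or truncated line
        sym = m.group("sym")
        frames.append({"sp": int(m["sp"].replace("`", ""), 16),
                       "module": re.split(r"[!+]", sym, maxsplit=1)[0],
                       "symbol": sym,
                       "args": [int(a.replace("`", ""), 16) for a in m["args"].split()]})
    return frames

def triage(stack_text, trusted=("nt",)):
    frames = parse_frames(stack_text)
    # First frame outside the trusted modules: the heuristic behind SYMBOL_NAME (hvppdrv+18a3 above).
    culprit = next((f["symbol"] for f in frames if f["module"] not in trusted), None)
    # Frames whose argument slots still hold the 0xCC fill pattern.
    poisoned = [f["symbol"] for f in frames if POISON in f["args"]]
    # Adjacent frames whose SPs lie on different stacks (0x139 Arg1 4: SP outside legal extents).
    switches = [(a["symbol"], b["symbol"]) for a, b in zip(frames, frames[1:])
                if abs(a["sp"] - b["sp"]) > STACK_JUMP]
    return {"frames": len(frames), "first_untrusted": culprit, "poisoned": poisoned,
            "stack_switches": switches,
            "modules": dict(Counter(f["module"] for f in frames))}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STACK_TEXT).items():
        print(f"{key}: {value}")
```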

celtic1990 (Author) commented Dec 24, 2018

@wbenny If you would like to re-create this on Windows 10, you can shadow NtCreateFile and NtQueryValueKey in the kernel at the same time and it should make a BSOD. NtQueryValueKey is not exported; it is index 0x17 of the SSDT in Windows 10. I can upload the project with my changes if you wish. Sorry for the annoyance, I just wish to learn why. =)

ddkwork commented Mar 5, 2019

You can try gbhv.

seeker25 commented Aug 31, 2019

gbhv doesn't even seem to run for me, it just immediately bluescreens.

Not trying to be smug, but I honestly tried it out. HyperPlatform / DdiMon seemed to work pretty well though.
