0mWindyBug / KernelInjector

PoC kernel to usermode injection

- BSOD upon inject #1

Open evo15 opened 4 months ago

evo15 commented 4 months ago

Hi, i was having issues using this injection method. I tried to implement this into my own driver, when i map the driver (MY OWN DRIVER) with your GhostMapperUM i get a bsod when i call the inject function ERROR CODE: kmode_exception_not_handled (dump_stornvme.sys). Hooking.dll is located at C:\ to make sure... I tried mapping it into mdl memory with standard kdmapper and just normal mapping with kdmapper and i get the bsod error : KERNEL_MODE_HEAP_CORRUPTION I also tried to do it with your driver but your driver instant bsods me upon mapping it. the only value i pass from usermode to the driver is just the args->processID nothing else, maybe a wrong pid value gets passed to it? I don't think so, but you might smell the problem. Thanks in advance mate...

Btw, i lost access to my old discord so i cannot contact you; i have sent a friend request. this is how i just implemented it (pasted) ->

case Request::Inject2: {

        printf("[*] trying to inject dll to target process\n");
        PEPROCESS Process;
        NTSTATUS status;
        void* shellcode_address{ };
        size_t shellcode_size = sizeof(load_dll_shellcode);
        ULONG   TargetPid = args->processID;

        ProcAttach attach(TargetPid);

        if (!attach.IsAttached())
        {
            printf("[*] failed to attach to %d\n", TargetPid);
            //  return STATUS_INVALID_PARAMETER;
        }
        // allocate memory for  apc func
        status = ZwAllocateVirtualMemory(NtCurrentProcess(), &shellcode_address, 0, &shellcode_size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READ);
        if (!NT_SUCCESS(status))
        {
            printf("[*] faild to allocate memory for apc function\n");
            //  return status;
        }
        // map another mapping with RW protection so we can write the function to the allocation 
        auto mdl = IoAllocateMdl(
            shellcode_address,
            shellcode_size,
            false,
            false,
            nullptr
        );
        if (!mdl)
        {
            printf("[*] failed to allocate mdl\n");
            ZwFreeVirtualMemory(NtCurrentProcess(), &shellcode_address, &shellcode_size, MEM_RELEASE);
            //  return STATUS_INSUFFICIENT_RESOURCES;
        }
        MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
        auto mapped_address = MmMapLockedPagesSpecifyCache(
            mdl,
            KernelMode,
            MmNonCached,
            nullptr,
            false,
            NormalPagePriority
        );
        if (!mapped_address) {
            printf("[*] failed to create another mapping for address\n");
            MmUnlockPages(mdl);
            IoFreeMdl(mdl);
            ZwFreeVirtualMemory(NtCurrentProcess(), &shellcode_address, &shellcode_size, MEM_RELEASE);
            //  return STATUS_INSUFFICIENT_RESOURCES;
        }
        status = MmProtectMdlSystemAddress(
            mdl,
            PAGE_READWRITE
        );

        if (!NT_SUCCESS(status)) {
            printf("[*] failed to set mdl protection\n");
            MmUnmapLockedPages(mapped_address, mdl);
            MmUnlockPages(mdl);
            IoFreeMdl(mdl);
            ZwFreeVirtualMemory(NtCurrentProcess(), &shellcode_address, &shellcode_size, MEM_RELEASE);
            //  return UNSU;
        }

        // copy shellcode to target process  

        memcpy_s(mapped_address, sizeof(load_dll_shellcode), load_dll_shellcode, sizeof(load_dll_shellcode));
        MmUnmapLockedPages(mapped_address, mdl);
        MmUnlockPages(mdl);
        IoFreeMdl(mdl);

        // find target thread 
        ProcessInfo process_info;
        PKTHREAD target_thread;
        status = get_process_info_by_pid(TargetPid, &process_info);
        if (!NT_SUCCESS(status))
        {
            printf("[*] failed getting process information\n");
            ZwFreeVirtualMemory(NtCurrentProcess(), &shellcode_address, &shellcode_size, MEM_RELEASE);
            //return STATUS_UNSUCCESSFUL;
        }
        for (size_t i = 0; i < process_info.number_of_threads; i++) {
            if (!NT_SUCCESS(PsLookupThreadByThreadId((HANDLE)process_info.threads_id[i], &target_thread))) {
                printf("[*] failed looking up thread\n");
                ExFreePool(process_info.threads_id);
                //  return STATUS_UNSUCCESSFUL;
            }

            // check alertable flag in kthread
            PULONG KthreadFlags = reinterpret_cast<PULONG>(reinterpret_cast<ULONG_PTR>(target_thread) + KTHREAD_FLAGS_OFFSET);
            bool Alertable = ((*KthreadFlags >> ALERTABLE_BIT) & 1) != 0;
            if (Alertable)
            {
                printf("[*] found alertable thread\n");

                // queue apc to the first thread we find 
                if (QueueUserApc(target_thread, shellcode_address))
                    DbgPrint("[*] successfully queued apc to target thread\n");

                ObDereferenceObject(target_thread);
                break;
            }
            ObDereferenceObject(target_thread);
        }

        ExFreePool(process_info.threads_id);
        return STATUS_SUCCESS;
        break;

    }


0mWindyBug commented 4 months ago

do you do anything outside your driver entry in your mapped driver ? it seems like you are using an IOCTL? did you make sure to comment out the RestoreOriginalDriver call in GhostMapperUM? read the readme again if you haven’t

evo15 commented 4 months ago

do you do anything outside your driver entry in your mapped driver ? it seems like you are using an IOCTL? did you make sure to comment out the RestoreOriginalDriver call in GhostMapperUM? read the readme again if you haven’t

No your mapper works perfect, and actually it's a data pointer driver, so every function besides the injection works perfect, i just wanted to try out this injection method. i'm on 22h2 windows 10, probably one of the latest versions

evo15 commented 4 months ago

Just to make sure i also mapped it with kdmapper normally and i also wrote down the bsod error code, btw thanks for trying to help 🙏