Air14 / HyperHide

Hypervisor based anti anti debug plugin for x64dbg
MIT License
1.23k stars, 279 forks

BSOD hv::vmread(GUEST_LDTR_SELECTOR); #13

Closed gamegrd closed 3 years ago

gamegrd commented 3 years ago


Microsoft (R) Windows Debugger Version 10.0.22000.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff806`72800000 PsLoadedModuleList = 0xfffff806`7342a190
Debug session time: Fri Aug 27 16:09:05.529 2021 (UTC + 8:00)
System Uptime: 0 days 0:05:00.392
Loading Kernel Symbols
...............................................................
.........Page 403808 not present in the dump file. Type ".hh dbgerr004" for details
.......................................................
................................................................
............
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`01291018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.........
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000014ffd0a, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8067d13d64c, address which referenced memory

Debugging Details:
------------------

Unable to load image \??\D:\Debugger\xgDebuger\airhv.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2187

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 9408

    Key  : Analysis.Init.CPU.mSec
    Value: 2312

    Key  : Analysis.Init.Elapsed.mSec
    Value: 15751

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 105

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

BUGCHECK_CODE:  d1

BUGCHECK_P1: 14ffd0a

BUGCHECK_P2: ff

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8067d13d64c

READ_ADDRESS:  00000000014ffd0a 

ADDITIONAL_DEBUG_TEXT:  The trap occurred when interrupts are disabled on the target.

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  xcoronahost.xem

TRAP_FRAME:  ffffe30835072cc0 -- (.trap 0xffffe30835072cc0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00000000014ffd0a
rdx=0000000000005658 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8067d13d64c rsp=ffffe30835072e50 rbp=00000000f344c014
 r8=0000000000e8b86f  r9=0000000000000000 r10=0000000000000000
r11=000000000111e250 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di ng nz na po nc
airhv!vmexit_ldtr_access_handler+0xbc:
fffff806`7d13d64c 488901          mov     qword ptr [rcx],rax ds:00000000`014ffd0a=????????????????
Resetting default scope

BAD_STACK_POINTER:  ffffe30835072b78

STACK_TEXT:  
ffffe308`35072b78 fffff806`72c09169     : 00000000`0000000a 00000000`014ffd0a 00000000`000000ff 00000000`00000000 : nt!KeBugCheckEx
ffffe308`35072b80 fffff806`72c05469     : 1336d8ff`fff8067d ae6000ff`fff8067d 000040ff`fff80672 ae584a00`00000000 : nt!KiBugCheckDispatch+0x69
ffffe308`35072cc0 fffff806`7d13d64c     : 00000000`0000080c fffff806`7d13ce77 ffffe308`35072ff8 fffff806`7d13d331 : nt!KiPageFault+0x469
ffffe308`35072e50 fffff806`7d13dac8     : ffffe308`28913a70 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_ldtr_access_handler+0xbc [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 228] 
ffffe308`35072ec0 fffff806`7d13139c     : ffffe308`35072f20 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_handler+0xe8 [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 1439] 
ffffe308`35072f00 ffffe308`35072f20     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmm_entrypoint+0x4c [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\asm\vm_context.asm @ 60] 
ffffe308`35072f08 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffe308`35072f20

FAULTING_SOURCE_LINE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp

FAULTING_SOURCE_FILE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp

FAULTING_SOURCE_LINE_NUMBER:  228

FAULTING_SOURCE_CODE:  
   224:     {
   225:         // SLDT
   226:         case 0:
   227:         {
>  228:             *linear_address = hv::vmread(GUEST_LDTR_SELECTOR);
   229: 
   230:             break;
   231:         }
   232: 
   233:         // STR

SYMBOL_NAME:  airhv!vmexit_ldtr_access_handler+bc

MODULE_NAME: airhv

IMAGE_NAME:  airhv.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  bc

FAILURE_BUCKET_ID:  DISABLED_INTERRUPT_FAULT_STACKPTR_ERROR_airhv!vmexit_ldtr_access_handler

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {d9cba956-7904-06a1-f790-6a47973b5789}

Followup:     MachineOwner
---------

Air14 commented 3 years ago

Hi, did you use the precompiled binaries or did you compile it yourself?

gamegrd commented 3 years ago

I compiled it, and the precompiled binaries BSOD too: DRIVER_IRQL_NOT_LESS_OR_EQUAL

gamegrd commented 3 years ago

I have tested several times and it BSODs 100% of the time.

The Crash dump file: https://github.com/gamegrd/BOSD_DUMPS


FAULTING_SOURCE_CODE:  
   224:     {
   225:         // SLDT
   226:         case 0:
   227:         {
>  228:             *linear_address = hv::vmread(GUEST_LDTR_SELECTOR);
   229: 
   230:             break;
   231:         }
   232: 
   233:         // STR
Air14 commented 3 years ago

It's impossible that this crash occurred with the precompiled binaries, because precompiled airhv doesn't have the descriptor-table exiting feature turned on. And if you want to compile airhv yourself, select the "release_minimal" or "debug_minimal" configuration profile in Visual Studio.
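
The crash above is a descriptor-table exit (SLDT, instruction identity 0) whose handler stored the LDTR selector straight to the guest's operand address, 0x14ffd0a, from VMX root; that is a user-mode address of the exiting process, which the host page tables need not map, so the store faulted with interrupts disabled. The following is an added example, not airhv's code and not part of this thread: it decodes the VM-exit instruction-information field for LLDT/LTR/SLDT/STR exits as laid out in the Intel SDM (Vol. 3, "Format of the VM-Exit Instruction-Information Field as Used for LLDT, LTR, SLDT, and STR"), recovers the operand linear address from the guest registers plus the displacement carried in the exit qualification, and applies the classification check a root-mode handler should run before dereferencing. The guest register values, the 0x028D8101 and 0x10000400 field encodings and the zero segment base are constructed for the example; `guest_regs`, `dt_exit_info` and the function names are this example's own, and the user/kernel split assumed is the Windows x64 48-bit canonical layout.

```c
/*
 * Added example (not airhv's code): decode a descriptor-table VM exit's
 * instruction-information field, recover the operand linear address, and
 * classify whether a VMX-root handler may store to it directly.
 * Bit layout per Intel SDM Vol. 3 for LLDT/LTR/SLDT/STR exits; the exit
 * qualification of these exits holds the sign-extended displacement.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Guest GPR file in SDM register-encoding order:
 * 0=RAX 1=RCX 2=RDX 3=RBX 4=RSP 5=RBP 6=RSI 7=RDI 8..15=R8..R15 */
typedef struct { uint64_t gpr[16]; } guest_regs;

enum dt_insn { DT_SLDT = 0, DT_STR = 1, DT_LLDT = 2, DT_LTR = 3 };

typedef struct {
    enum dt_insn insn;   /* bits 29:28 instruction identity */
    bool is_register;    /* bit 10: 1 = register operand, no memory access */
    unsigned reg1;       /* bits 6:3: operand register when is_register */
    unsigned scaling;    /* bits 1:0: index scaled by 1 << scaling */
    unsigned addr_size;  /* bits 9:7: 0 = 16-bit, 1 = 32-bit, 2 = 64-bit */
    unsigned seg;        /* bits 17:15: 0=ES 1=CS 2=SS 3=DS 4=FS 5=GS */
    bool has_index;      /* bit 22 clear */
    unsigned index_reg;  /* bits 21:18 */
    bool has_base;       /* bit 27 clear */
    unsigned base_reg;   /* bits 26:23 */
} dt_exit_info;

static dt_exit_info decode_dt_exit_info(uint32_t info)
{
    dt_exit_info d;
    d.scaling     = info & 0x3;
    d.reg1        = (info >> 3) & 0xF;
    d.addr_size   = (info >> 7) & 0x7;
    d.is_register = (info >> 10) & 0x1;
    d.seg         = (info >> 15) & 0x7;
    d.index_reg   = (info >> 18) & 0xF;
    d.has_index   = !((info >> 22) & 0x1);
    d.base_reg    = (info >> 23) & 0xF;
    d.has_base    = !((info >> 27) & 0x1);
    d.insn        = (enum dt_insn)((info >> 28) & 0x3);
    return d;
}

/* Only the memory forms of SLDT/STR store into guest memory; LLDT/LTR read
 * their operand, and register forms touch no memory at all. */
static bool dt_exit_writes_guest_memory(dt_exit_info d)
{
    return !d.is_register && (d.insn == DT_SLDT || d.insn == DT_STR);
}

/* linear = seg_base + (base + index*scale + displacement), with the effective
 * address truncated to the address size. In 64-bit mode only FS/GS carry a
 * nonzero base (VMCS guest FS/GS base fields); the caller passes it in. */
static uint64_t dt_operand_linear_address(const dt_exit_info *d, const guest_regs *r,
                                          uint64_t displacement, uint64_t seg_base)
{
    uint64_t ea = displacement;
    if (d->has_base)  ea += r->gpr[d->base_reg];
    if (d->has_index) ea += r->gpr[d->index_reg] << d->scaling;
    if (d->addr_size == 0)      ea &= 0xFFFFULL;
    else if (d->addr_size == 1) ea &= 0xFFFFFFFFULL;
    return seg_base + ea;
}

/* 48-bit canonical check and the Windows x64 user/kernel split (assumed). */
static bool is_canonical48(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1FFFF;
}
static bool is_user_address(uint64_t va) { return va < 0x0000800000000000ULL; }

/* The check the crashing handler skipped: from VMX root, a direct store is
 * defensible only for a canonical kernel-mode address (and even that may be
 * paged out). Anything else must be translated through the guest page tables
 * and written via a host mapping, or the instruction retried with an injected
 * #PF, never dereferenced with interrupts disabled. */
static bool safe_to_store_directly(uint64_t la)
{
    return is_canonical48(la) && !is_user_address(la);
}

/* Constructed case: sldt word ptr [rbp+rbx*2+0x10], 64-bit, DS. rbp and rbx
 * are chosen so the operand lands on the address from the dump (0x14ffd0a). */
static uint64_t constructed_sldt_linear_address(void)
{
    guest_regs regs = {{0}};
    regs.gpr[5] = 0x14FFCF0;   /* rbp (constructed) */
    regs.gpr[3] = 0x5;         /* rbx (constructed) */
    dt_exit_info d = decode_dt_exit_info(0x028D8101u);
    return dt_operand_linear_address(&d, &regs, 0x10, 0);
}

int main(void)
{
    uint64_t la = constructed_sldt_linear_address();
    printf("SLDT mem form: writes=%d linear=0x%llx direct-store-ok=%d\n",
           dt_exit_writes_guest_memory(decode_dt_exit_info(0x028D8101u)),
           (unsigned long long)la, safe_to_store_directly(la));
    /* Constructed case: str rax (register form, instruction identity 1). */
    dt_exit_info r = decode_dt_exit_info(0x10000400u);
    printf("STR reg form: writes=%d reg1=%u\n", dt_exit_writes_guest_memory(r), r.reg1);
    return 0;
}
```

Run as-is to see the constructed SLDT exit resolve to a user-mode operand that `safe_to_store_directly` rejects, which is exactly the case the dump shows faulting; a handler that only sees register forms or kernel-mode operands never reaches the problematic path, which is consistent with the minimal configurations avoiding the crash by not enabling descriptor-table exiting at all.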

gamegrd commented 3 years ago

It's impossible that this crash occurred with the precompiled binaries, because precompiled airhv doesn't have the descriptor-table exiting feature turned on. And if you want to compile airhv yourself, select the "release_minimal" or "debug_minimal" configuration profile in Visual Studio.

Thanks, I chose debug_minimal and compiled airhv; everything is OK now.