Air14 / HyperHide

Hypervisor based anti anti debug plugin for x64dbg
MIT License
1.27k stars 293 forks source link

Crash when selecting KUserSharedData or Clear KUserSharedData #3

Closed baby0o01999 closed 3 years ago

baby0o01999 commented 3 years ago

Loading Dump File [F:\061221-52203-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available

***** Path validation summary ** Response Time (ms) Location Deferred srv Symbol search path is: srv Executable search path is: Windows 10 Kernel Version 18362 MP (16 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 18362.1.amd64fre.19h1_release.190318-1202 Machine Name: Kernel base = 0xfffff8056cc00000 PsLoadedModuleList = 0xfffff8056d0432b0 Debug session time: Sat Jun 12 13:51:05.767 2021 (UTC + 11:00) System Uptime: 0 days 16:38:38.687 Loading Kernel Symbols ............................................................... ................................................................ ................................... Loading User Symbols Loading unloaded module list .................................................. For analysis of this file, run !analyze -v nt!KeBugCheckEx: fffff8056cdbc8a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa2824a02f2d0=0000000000000050 4: kd> !analyze -v


PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffba8c0b649900, memory referenced. Arg2: 0000000000000011, value 0 = read operation, 1 = write operation. Arg3: ffffba8c0b649900, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000002, (reserved)

Debugging Details:

*** WARNING: Unable to verify timestamp for HyperHideDrv.sys

Could not read faulting driver name

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 8

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on E5_1

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 34

Key  : Analysis.Memory.CommitPeak.Mb
Value: 70

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 50

BUGCHECK_P1: ffffba8c0b649900

BUGCHECK_P2: 11

BUGCHECK_P3: ffffba8c0b649900

BUGCHECK_P4: 2

WRITE_ADDRESS: fffff8056d16e3b0: Unable to get MiVisibleState Unable to get NonPagedPoolStart Unable to get NonPagedPoolEnd Unable to get PagedPoolStart Unable to get PagedPoolEnd fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock unable to get nt!MmSpecialPagesInUse ffffba8c0b649900

MM_INTERNAL_CODE: 2

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: procexp64.exe

TRAP_FRAME: ffffa2824a02f570 -- (.trap 0xffffa2824a02f570) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000004025 rbx=0000000000000000 rcx=0000000fffffffff rdx=fffffc7e3f1f8000 rsi=0000000000000000 rdi=0000000000000000 rip=ffffba8c0b649900 rsp=ffffa2824a02f708 rbp=fffff805781a9ea0 r8=0000000000000001 r9=0000000000010fd4 r10=fffffffff4a68134 r11=000000000034bdea r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz ac po nc ffffba8c0b649900 0300 add eax,dword ptr [rax] ds:0000000000004025=???????? Resetting default scope

STACK_TEXT:
ffffa2824a02f2c8 fffff8056cddfd54 : 0000000000000050 ffffba8c0b649900 0000000000000011 ffffa2824a02f570 : nt!KeBugCheckEx ffffa2824a02f2d0 fffff8056cc7aaef : 0000000000000000 0000000000000011 0000000000000000 ffffba8c0b649900 : nt!MiSystemFault+0x1d2d64 ffffa2824a02f3d0 fffff8056cdca79a : 0000000000000000 00001f8000000100 0000000000000000 fffff805781a9ebc : nt!MmAccessFault+0x34f ffffa2824a02f570 ffffba8c0b649900 : 9100000004025025 ffff82812e603000 ffffba8c003de870 000000023ff05000 : nt!KiPageFault+0x35a ffffa2824a02f708 9100000004025025 : ffff82812e603000 ffffba8c003de870 000000023ff05000 fffff805781a36c2 : 0xffffba8c0b649900 ffffa2824a02f710 ffff82812e603000 : ffffba8c003de870 000000023ff05000 fffff805781a36c2 0000000000000002 : 0x9100000004025025 ffffa2824a02f718 ffffba8c003de870 : 000000023ff05000 fffff805781a36c2 0000000000000002 000000000034be08 : 0xffff82812e603000 ffffa2824a02f720 000000023ff05000 : fffff805781a36c2 0000000000000002 000000000034be08 fffff8056cc01000 : 0xffffba8c003de870 ffffa2824a02f728 fffff805781a36c2 : 0000000000000002 000000000034be08 fffff8056cc01000 ffffba8c0b649900 : 0x000000023ff05000 ffffa2824a02f730 0000000000000002 : 000000000034be08 fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 : HyperHideDrv+0x36c2 ffffa2824a02f738 000000000034be08 : fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c : 0x2 ffffa2824a02f740 fffff8056cc01000 : ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 : 0x34be08 ffffa2824a02f748 ffffba8c0b649900 : fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 : nt!SeConvertSecurityDescriptorToStringSecurityDescriptor+0xfffffffffffffff0 ffffa2824a02f750 fffff805781ac2b0 : fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 0000000000000000 : 0xffffba8c0b649900 ffffa2824a02f758 fffff8056ccdc92c : ffffba8c08e71eb0 0000000000000002 0000000000000000 0000000000000000 : HyperHideDrv+0xc2b0 ffffa2824a02f760 fffff805781a1e10 : ffffba8c003de870 ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 : nt!KeAcquireGuardedMutex+0x1c ffffa2824a02f790 ffffba8c003de870 : ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 : HyperHideDrv+0x1e10 ffffa2824a02f798 ffffba8c0dc8e380 : ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 0000000000000000 : 0xffffba8c003de870 ffffa2824a02f7a0 ffffba8c08e71eb0 : fffff8056cf503a9 0000000000000000 0000000000000000 0000000000000000 : 0xffffba8c0dc8e380 ffffa2824a02f7a8 fffff8056cf503a9 : 0000000000000000 0000000000000000 0000000000000000 fffff805781a1489 : 0xffffba8c08e71eb0 ffffa2824a02f7b0 fffff8056cc31cc9 : ffffba8c08e71eb0 0000000000000001 0000000000000001 000000000000020c : nt!_guard_retpoline_exit_indirect_rax+0x9 ffffa2824a02f800 fffff8056d1eb6c5 : ffffa2824a02fb80 ffffba8c08e71eb0 0000000000000001 ffffba8c0b70d690 : nt!IofCallDriver+0x59 ffffa2824a02f840 fffff8056d1eb01a : ffffba8c08e71eb0 ffffa2824a02fb80 000000000022240c ffffa2824a02fb80 : nt!IopSynchronousServiceTail+0x1a5 ffffa2824a02f8e0 fffff8056d1eaa36 : ba8c0d9ed5b0ffed 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x5ca ffffa2824a02fa20 fffff8056cdcdf98 : 0000000000000001 ffffa2824a02fb00 0000000000000000 ffffa2824a02fa00 : nt!NtDeviceIoControlFile+0x56 ffffa2824a02fa90 00007ffeb4bdc144 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28 000000c7ab4ff758 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`b4bdc144

SYMBOL_NAME: HyperHideDrv+36c2

MODULE_NAME: HyperHideDrv

IMAGE_NAME: HyperHideDrv.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 36c2

FAILURE_BUCKET_ID: AV_INVALID_HyperHideDrv!unknown_function

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {d37c959a-417f-c891-0472-d90c19d031fc}

Followup: MachineOwner

Air14 commented 3 years ago

Fixed in HyperHide_2021-06-13