HoShiMin / Kernel-Bridge

Windows kernel hacking framework, driver template, hypervisor and API written on C++
GNU General Public License v3.0

Hypervisor random BSOD IRQL_NOT_LESS_OR_EQUAL #62

Open 1337331 opened 4 days ago

1337331 commented 4 days ago

Windows 11 23H2 - OS Build 22631.4169 BSOD appears in about 2 hours

Collapsed BSOD info:

```
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00007fffffff0000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80727c81b39, address which referenced memory

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1046

    Key  : Analysis.Elapsed.mSec
    Value: 2107

    Key  : Analysis.IO.Other.Mb
    Value: 27

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 30

    Key  : Analysis.Init.CPU.mSec
    Value: 140

    Key  : Analysis.Init.Elapsed.mSec
    Value: 27254

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 98

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0xa

    Key  : Bugcheck.Code.TargetModel
    Value: 0xa

    Key  : Failure.Bucket
    Value: AV_nt!RtlpxVirtualUnwind

    Key  : Failure.Hash
    Value: {90caf8d4-a034-a257-3599-d8f696fd9681}

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Version
    Value: 10.0.22621.1


BUGCHECK_CODE:  a

BUGCHECK_P1: 7fffffff0000

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80727c81b39

FILE_IN_CAB:  100724-16937-01.dmp

FAULTING_THREAD:  ffff900d3a9ac040

READ_ADDRESS: fffff8072871d470: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
 00007fffffff0000 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  System

TRAP_FRAME:  ffffb600829a4b60 -- (.trap 0xffffb600829a4b60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00007fffffff0000 rbx=0000000000000000 rcx=00007fffffff0000
rdx=ffffb600829a4ea8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80727c81b39 rsp=ffffb600829a4cf0 rbp=ffffb600829a5310
 r8=0000000000000000  r9=0000000000000000 r10=fffff80728800038
r11=ffffb600829a4e10 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt!RtlpxVirtualUnwind+0x419:
fffff807`27c81b39 0fb600          movzx   eax,byte ptr [rax] ds:00007fff`ffff0000=??
Resetting default scope

STACK_TEXT:  
ffffb600`829a4a18 fffff807`27e2bf29     : 00000000`0000000a 00007fff`ffff0000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffb600`829a4a20 fffff807`27e27389     : fffffd87`00000286 fffffd87`09b7f1d0 fffff807`27dc0018 fffff807`27ae8c88 : nt!KiBugCheckDispatch+0x69
ffffb600`829a4b60 fffff807`27c81b39     : ffffb600`829a5310 fffff807`27c69fd5 00000000`00000000 fffff807`27dd21cb : nt!KiPageFault+0x489
ffffb600`829a4cf0 fffff807`27c7fc75     : ffffb600`829a5f88 ffffb600`829a5d38 00000000`00000000 00000000`00000000 : nt!RtlpxVirtualUnwind+0x419
ffffb600`829a4db0 fffff807`27d628ee     : ffffffff`ffffffff ffffb600`829a5de0 ffffb600`829a5de0 ffffb600`829a5550 : nt!RtlDispatchException+0x215
ffffb600`829a5520 fffff807`27e2c07c     : 00800800`00000000 ffd00094`ffffb06e 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x1ae
ffffb600`829a5c00 fffff807`27e26ed8     : 00000000`00000000 00000000`00000000 ffffb600`82985180 00000000`00000000 : nt!KiExceptionDispatch+0x13c
ffffb600`829a5de0 ffff900d`5302b59d     : fffff807`27aed860 ffffb600`829a6fb0 fffff807`27c69fd5 ffffb600`829a59f0 : nt!KiGeneralProtectionFault+0x358
ffffb600`829a5f70 fffff807`27aed860     : ffffb600`829a6fb0 fffff807`27c69fd5 ffffb600`829a59f0 fffff807`27cf34c4 : 0xffff900d`5302b59d
ffffb600`829a5f78 ffffb600`829a6fb0     : fffff807`27c69fd5 ffffb600`829a59f0 fffff807`27cf34c4 fffff807`27ab5b60 : nt!setjmpexused (nt+0xed860)
ffffb600`829a5f80 fffff807`27c69fd5     : ffffb600`829a59f0 fffff807`27cf34c4 fffff807`27ab5b60 ffffb600`829a67a0 : 0xffffb600`829a6fb0
ffffb600`829a5f88 00000000`00000000     : ffffb600`829a6238 fffff807`27a00000 ffffb600`829a6730 fffffd87`09b7eed8 : nt!MiFastLockLeafPageTable+0x385


SYMBOL_NAME:  nt!RtlpxVirtualUnwind+419

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.22621.4169

STACK_COMMAND:  .process /r /p 0xfffff80728749f40; .thread 0xffff900d3a9ac040 ; kb

BUCKET_ID_FUNC_OFFSET:  419

FAILURE_BUCKET_ID:  AV_nt!RtlpxVirtualUnwind

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {90caf8d4-a034-a257-3599-d8f696fd9681}

Followup:     MachineOwner
---------
```
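A small triage helper for the `!analyze -v` report above, added here as an example; it is not part of Kernel-Bridge or of the original post. It parses the `KEY:  value` lines WinDbg prints, decodes Arg1..Arg4 exactly as the 0xA banner defines them (referenced address, IRQL, read/write and execute bits, faulting instruction pointer), and classifies each address by x64 canonical half. The sample input is the subset of key/value lines copied from the report in this issue; the 48-bit user/kernel split and the `KEY:  value` layout are assumptions about standard x64 Windows and WinDbg output, not something the page states. Run on the report it confirms what the trap frame already shows: a data read of the user-mode address 0x7fffffff0000 at DISPATCH_LEVEL from `nt!RtlpxVirtualUnwind`, during the exception dispatch that `STACK_TEXT` traces back through a frame WinDbg could not symbolize.

```python
"""Decode an IRQL_NOT_LESS_OR_EQUAL (0xA) report from WinDbg's !analyze -v output.

Added example for this issue thread; it is not part of Kernel-Bridge.
It pulls the KEY: value lines out of the report, decodes Arg1..Arg4 the
way the bugcheck banner describes them, and classifies both addresses by
x64 address-space half.
"""
import re

# IRQLs worth naming in a 0xA triage; anything higher is reported generically.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

# Canonical x64 address halves (assumes 48-bit virtual addresses).
USER_MAX = 0x00007FFFFFFFFFFF
KERNEL_MIN = 0xFFFF800000000000

# Sample input: the KEY: value lines copied from the report posted in this issue.
SAMPLE_REPORT = """\
BUGCHECK_CODE:  a
BUGCHECK_P1: 7fffffff0000
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80727c81b39
PROCESS_NAME:  System
SYMBOL_NAME:  nt!RtlpxVirtualUnwind+419
MODULE_NAME: nt
IMAGE_NAME:  ntkrnlmp.exe
IMAGE_VERSION:  10.0.22621.4169
FAILURE_BUCKET_ID:  AV_nt!RtlpxVirtualUnwind
"""

# Assumed layout: one upper-case KEY, a colon, then the value on the same line.
_KV = re.compile(r"^([A-Z][A-Z0-9_]*):\s+(.+?)\s*$", re.M)


def parse_analyze(text):
    """Return the KEY: value pairs of an !analyze report as a dict."""
    return dict(_KV.findall(text))


def classify_address(addr):
    """Label a 64-bit virtual address as user-mode, kernel-mode or non-canonical."""
    if addr <= USER_MAX:
        return "user-mode"
    if addr >= KERNEL_MIN:
        return "kernel-mode"
    return "non-canonical"


def decode_0xa(fields):
    """Decode the four 0xA parameters as the bugcheck banner defines them."""
    code = int(fields["BUGCHECK_CODE"], 16)
    if code != 0xA:
        raise ValueError("not an IRQL_NOT_LESS_OR_EQUAL dump (code 0x%x)" % code)
    p1 = int(fields["BUGCHECK_P1"], 16)  # Arg1: memory referenced
    p2 = int(fields["BUGCHECK_P2"], 16)  # Arg2: IRQL at the time of the access
    p3 = int(fields["BUGCHECK_P3"], 16)  # Arg3: bit 0 = write, bit 3 = execute
    p4 = int(fields["BUGCHECK_P4"], 16)  # Arg4: instruction that touched the memory
    return {
        "referenced": p1,
        "referenced_space": classify_address(p1),
        "irql": p2,
        "irql_name": IRQL_NAMES.get(p2, "IRQL %d (device or higher)" % p2),
        "operation": "write" if p3 & 1 else "read",
        "execute": bool(p3 & 8),
        "faulting_ip": p4,
        "faulting_ip_space": classify_address(p4),
        "symbol": fields.get("SYMBOL_NAME", "?"),
        "image": fields.get("IMAGE_NAME", "?"),
        "process": fields.get("PROCESS_NAME", "?"),
    }


def summarize(report_text):
    """One-line triage string for a 0xA report."""
    d = decode_0xa(parse_analyze(report_text))
    return "%s %s of %s address 0x%x at %s by %s (%s, IP 0x%x, process %s)" % (
        "Execute" if d["execute"] else "Data", d["operation"], d["referenced_space"],
        d["referenced"], d["irql_name"], d["symbol"], d["image"],
        d["faulting_ip"], d["process"])


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

The `referenced_space` field is the one to look at first: a user-mode or non-canonical Arg1 combined with `DISPATCH_LEVEL` means the faulting code dereferenced a pointer that was never valid for that context, not that a legitimately pageable allocation happened to be paged out.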
Nitr0-G commented 4 days ago

Did you run it on a virtual machine or on your own? Do you have amd or intel? Which hypervisor is the problem on?

1337331 commented 3 days ago

> Did you run it on a virtual machine or on your own? Do you have amd or intel? Which hypervisor is the problem on?

Thank you for such a quick response. I run it on the host, Intel i9-13900HX CPU. When I call KbVmmEnable and just wait a few hours on the desktop, then IRQL_NOT_LESS_OR_EQUAL. I will still keep testing it, and interception works for me.

Related: https://github.com/HoShiMin/Kernel-Bridge/blob/44b130690c5af5c0eb93d54c435087ffad4c79ab/Kernel-Bridge/API/Hypervisor.cpp#L1311

may be useful: https://www.unknowncheats.me/forum/anti-cheat-bypass/616775-x64-stack-unwinding.html