NTFuzz
Blue Screen of Death before fuzzing
Hi @jchoi2022,
I encountered the BSoD problem when entering this command: `python C:\Launcher\hooker32.py`
I am sure the testing VM's Windows version matches the DLL being statically analyzed. They are both Windows 17134.1 32-bit. At first I used your provided DLLs for 17134.1 but failed. Then I tried to extract the DLLs directly from the Windows system in the VM and modified the script accordingly, but it still failed at this stage.
I also tested on the Windows 10 18362.30 build. The same error occurs. After investigation, I found the root cause is line 120 in Poison.cpp: `*(PCHAR)exAllocAddr = '\xe9';` This line introduces an `attempted_write_to_readonly_memory` error in the core dump. I checked the offsets generated in VersionConst.h; it seems that all the offsets (exallocatepoolwithtag, _KeServiceDescriptorTableShadow, and the syscall numbers) have no error. Still working on the solution.
Problem solved. I added these lines before line 120 in Poison.cpp:
```cpp
_asm {
    cli                      // no interrupts while write protection is off
    push eax
    mov eax, cr0
    //mov uAttr, eax         // (left commented out in the post) would save CR0 so WP can be put back
    and eax, 0xFFFEFFFF      // clear CR0.WP (bit 16): ring 0 may now write read-only pages
    mov cr0, eax
    pop eax
    // after the '\xe9' write on line 120, CR0.WP should be set again and sti executed
};
```
These lines enable write permissions to the ExAllocatePoolWithTag memory.
Hi, I'm sorry for the late reply, I was really busy for a while.
Thank you for reporting and solving this issue. I could not observe this symptom in my environment, but it seems my implementation for heap memory poisoning indeed has some unstable points. I may have to consider disabling the memory poisoning functionality by default.
Anyway, thank you again for reporting the issue! I will leave the issue open until I make the decision and update the code.