asamy / ksm

A fast, hackable and simple x64 VT-x hypervisor for Windows and Linux. Builtin userspace sandbox and introspection engine.
https://asamy.github.io/ksm/
GNU General Public License v2.0

BSOD in Win10 1809 #30

Open Yang-zhiyuan opened 5 years ago

Yang-zhiyuan commented 5 years ago

Steps:
1. build ksm.sys and ksm_um.exe
2. create service and start
3. run ksm_um.exe

Below is the windbg log.

Please help me, thank you so much!!!

ksm: CPU 3: check_dynamic_pgtables: PXE: FFFFBBDDEEF77000 PPE FFFFBBDDEEE00000 PDE FFFFBBDDC0000000 PTE FFFFBB8000000000
ksm: CPU 3: check_dynamic_pgtables: Addr 0x1DA8440 0x1DA8440
ksm: CPU 3: DriverEntry: We're mapped at FFFFF80032D80000 (size: 61440 bytes (60 KB), on 15 pages)
ksm: CPU 3: ksm_init: EPT/VPID caps: 0x00000F0106714141
ksm: CPU 3: ksm_init: 9 physical memory ranges
ksm: CPU 3: ksm_init: Range: 0x0000000000001000 -> 0x00000000000A0000
ksm: CPU 3: ksm_init: Range: 0x0000000000100000 -> 0x000000000E367000
ksm: CPU 3: ksm_init: Range: 0x000000000E3B2000 -> 0x000000000E4D5000
ksm: CPU 3: ksm_init: Range: 0x000000000E504000 -> 0x000000000E58D000
ksm: CPU 3: ksm_init: Range: 0x000000000E5AC000 -> 0x000000000EF42000
ksm: CPU 3: ksm_init: Range: 0x000000000EF4B000 -> 0x000000000EF5E000
ksm: CPU 3: ksm_init: Range: 0x000000000EF64000 -> 0x000000000EF74000
ksm: CPU 3: ksm_init: Range: 0x000000000EF79000 -> 0x000000000FEE8000
ksm: CPU 3: ksm_init: Range: 0x000000000FF78000 -> 0x0000000080000000
ksm: CPU 3: ksm_init: 18 MTRR ranges (0 default type)
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000000000 -> 0x0000000000010000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000010000 -> 0x0000000000020000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000020000 -> 0x0000000000030000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000030000 -> 0x0000000000040000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000040000 -> 0x0000000000050000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000050000 -> 0x0000000000060000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000060000 -> 0x0000000000070000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000070000 -> 0x0000000000080000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000080000 -> 0x0000000000084000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000084000 -> 0x0000000000088000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000088000 -> 0x000000000008C000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x000000000008C000 -> 0x0000000000090000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000090000 -> 0x0000000000094000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000094000 -> 0x0000000000098000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000098000 -> 0x000000000009C000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x000000000009C000 -> 0x00000000000A0000 fixed: 1 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x0000000000000000 -> 0x0000001000000000 fixed: 0 type: 6
ksm: CPU 3: ksm_init: MTRR Range: 0x00000000C0000000 -> 0x0000000100000000 fixed: 0 type: 0
ksm: CPU 3: DriverEntry: ready
ksm: CPU 3: DriverEntry: ret: 0x00000000
ksm: CPU 3: DriverDispatch: open from ksm_um.exe
ksm: CPU 3: DriverDispatch: ksm_um.exe: IOCTL: 0x8008E008 of length: 0
ksm: CPU 2: ksm_init_cpu: NisSrv.exe: Started: 1
ksm: CPU 3: ksm_init_cpu: NisSrv.exe: Started: 1
ksm: CPU 0: __ksm_init_cpu: ksm_um.exe: Started: 1
ksm: CPU 1: __ksm_init_cpu: NisSrv.exe: Started: 1
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x0000007f (0x0000000000000008,0xFFFFCE01F4C09F50,0x0000000000000001,0xFFFFF80032D810E9)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 10 17763 x64 target at (Tue May 14 13:46:21.028 2019 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long. Run !sym noisy before .reload to track down problems loading symbols.

Loading User Symbols
Loading unloaded module list
Loading Wow64 Symbols




Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, ffffce01f4c09f50, 1, fffff80032d810e9}

"C:\Windows\System32\KERNELBASE.dll" was not found in the image list. Debugger will attempt to load "C:\Windows\System32\KERNELBASE.dll" at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll) for more reliable results. Base address and size overrides can be given as .reload =,.

Probably caused by : ksm.sys ( ksm!__vmx_entrypoint+72 )

Followup: MachineOwner

nt!DbgBreakPointWithStatus:
fffff800`2ddbd0a0 cc int 3

3: kd> !analyze -v


UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a portion of those codes:
If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: ffffce01f4c09f50
Arg3: 0000000000000001
Arg4: fffff80032d810e9

Debugging Details:

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434

DUMP_TYPE: 0

BUGCHECK_P1: 8

BUGCHECK_P2: ffffce01f4c09f50

BUGCHECK_P3: 1

BUGCHECK_P4: fffff80032d810e9

BUGCHECK_STR: 0x7f_8

BAD_STACK_POINTER: ffffce01f4c09648

CPU_COUNT: 4

CPU_MHZ: 8a0

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 9e

CPU_STEPPING: a

CPU_MICROCODE: 6,9e,a,0 (F,M,S,R) SIG: 84'00000000 (cache) 84'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: OneDrive.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: DESKTOP-M522AG6

ANALYSIS_SESSION_TIME: 05-14-2019 13:49:24.0341

ANALYSIS_VERSION: 10.0.17763.1 amd64fre

LAST_CONTROL_TRANSFER: from fffff8002de92cf2 to fffff8002ddbd0a0

STACK_TEXT:
ffffce01f4c09648 fffff8002de92cf2 : 0000000000000008 0000000000000003 ffffce01f4c097b0 fffff8002dd5d060 : nt!DbgBreakPointWithStatus
ffffce01f4c09650 fffff8002de92477 : 0000000000000003 ffffce01f4c097b0 fffff8002ddc9460 000000000000007f : nt!KiBugCheckDebugBreak+0x12
ffffce01f4c096b0 fffff8002ddb5547 : 0000000000000000 0000000000000000 000000000006362c 0000000000000000 : nt!KeBugCheck2+0x957
ffffce01f4c09dd0 fffff8002ddc6c69 : 000000000000007f 0000000000000008 ffffce01f4c09f50 0000000000000001 : nt!KeBugCheckEx+0x107
ffffce01f4c09e10 fffff8002ddc1ca8 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffce01f4c09f50 fffff80032d810e9 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDoubleFaultAbort+0x2a8
0000000000000001 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ksm!__vmx_entrypoint+0x72 [C:\Users\Documents\Code\OpenSource\ksm\vmx.asm @ 266]

THREAD_SHA1_HASH_MOD_FUNC: 6b58434ef1ddf4f30217c266c8d33bb2905704d5

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 42bbe0a8c5964c1490f9e75da735695266e806e4

THREAD_SHA1_HASH_MOD: 93e457b14469d1689dc46086e4e788eb4343ae51

FOLLOWUP_IP:
ksm!__vmx_entrypoint+72 [C:\Users\Documents\Code\OpenSource\ksm\vmx.asm @ 266]
fffff800`32d810e9 50 push rax

FAULT_INSTR_CODE: c3519d50

FAULTING_SOURCE_LINE: C:\Users\Documents\Code\OpenSource\ksm\vmx.asm

FAULTING_SOURCE_FILE: C:\Users\Documents\Code\OpenSource\ksm\vmx.asm

FAULTING_SOURCE_LINE_NUMBER: 266

FAULTING_SOURCE_CODE:
262:
263: ; Give them their stack pointer
264: mov rsp, rdx
265:
266: push rax
267: popfq ; eflags to indicate success
268:
269: push rcx ; return address (rip + instr len)
270: ret
271:

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: ksm!__vmx_entrypoint+72

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ksm

IMAGE_NAME: ksm.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5cda55e5

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 72

FAILURE_BUCKET_ID: 0x7f_8_STACKPTR_ERROR_ksm!__vmx_entrypoint

BUCKET_ID: 0x7f_8_STACKPTR_ERROR_ksm!__vmx_entrypoint

PRIMARY_PROBLEM_CLASS: 0x7f_8_STACKPTR_ERROR_ksm!__vmx_entrypoint

TARGET_TIME: 2019-05-14T05:46:19.000Z

OSBUILD: 17763

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 180914-1434

BUILDLAB_STR: rs5_release

BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME: 933

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_stackptr_error_ksm!__vmx_entrypoint

FAILURE_ID_HASH: {e54130eb-8cc9-b505-6b94-54fc35ddda77}

Followup: MachineOwner