bats3c / Ghost-In-The-Logs

Evade sysmon and windows event logging
https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
MIT License

BSOD on Win 10 21H1 #3

Open who1smrrobot opened 3 years ago

who1smrrobot commented 3 years ago

Hi @bats3c,

I tried your gitl on the currently latest Windows version (gitl.exe load) and it continues to cause a BSOD. Are you aware of some new features / measures of MS prohibiting your approach of hooking NtTraceEvent to evade Sysmon / ETW events?

When getting a first view of the MEMORY.DMP, the following details are shown by !analyze -v:

nt!KeBugCheckEx:
fffff807`7c5fce40 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffff8d0d`59622740=0000000000000139
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000003d, Type of memory safety violation
Arg2: ffff8d0d59622a60, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8d0d596229b8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

Page fd68 not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 3140

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 6265

    Key  : Analysis.Init.CPU.mSec
    Value: 608

    Key  : Analysis.Init.Elapsed.mSec
    Value: 41059

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 82

    Key  : FailFast.Name
    Value: ETW_CORRUPTION

    Key  : FailFast.Type
    Value: 61

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

VIRTUAL_MACHINE:  VMware

BUGCHECK_CODE:  139

BUGCHECK_P1: 3d

BUGCHECK_P2: ffff8d0d59622a60

BUGCHECK_P3: ffff8d0d596229b8

BUGCHECK_P4: 0

TRAP_FRAME:  ffff8d0d59622a60 -- (.trap 0xffff8d0d59622a60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9a8ed138649c rbx=0000000000000000 rcx=000000000000003d
rdx=0000000000000018 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8077c61e6f6 rsp=ffff8d0d59622bf0 rbp=00000000000000c0
 r8=0000000000000002  r9=0000000000001000 r10=0000000000000000
r11=ffff8d0d59622de8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt!EtwpReserveTraceBuffer+0x20f696:
fffff807`7c61e6f6 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffff8d0d596229b8 -- (.exr 0xffff8d0d596229b8)
ExceptionAddress: fffff8077c61e6f6 (nt!EtwpReserveTraceBuffer+0x000000000020f696)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 000000000000003d
Subcode: 0x3d FAST_FAIL_ETW_CORRUPTION 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  000000000000003d

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffff8d0d`59622738 fffff807`7c60ed69     : 00000000`00000139 00000000`0000003d ffff8d0d`59622a60 ffff8d0d`596229b8 : nt!KeBugCheckEx
ffff8d0d`59622740 fffff807`7c60f190     : 00000000`00000000 00000000`00000002 ffff9a8e`d6d1b080 fffff807`7c90c565 : nt!KiBugCheckDispatch+0x69
ffff8d0d`59622880 fffff807`7c60d523     : 00000000`23010900 00000000`2f44990e 00007fff`573d9810 00007fff`5a9acc10 : nt!KiFastFailDispatch+0xd0
ffff8d0d`59622a60 fffff807`7c61e6f6     : 00000000`00000000 fffff807`7c467ace ffff9a8e`d6d1b080 ffff8d0d`59622ca0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8d0d`59622bf0 fffff807`7c40f799     : 00000000`00000000 00000000`00000001 ffff8d0d`59622cf0 00000000`00000001 : nt!EtwpReserveTraceBuffer+0x20f696
ffff8d0d`59622c80 fffff807`7c4afd3d     : 00000000`0000000c ffff9a8e`d1a5e000 00000000`00501802 ffff8d0d`00000001 : nt!EtwpLogKernelEvent+0x1e9
ffff8d0d`59622d30 fffff807`7c7ab7b0     : ffff8ad0`42daa010 ffff8aaa`3625df10 ffff8d0d`59622ec0 00000000`00501802 : nt!EtwTraceSiloKernelEvent+0x99
ffff8d0d`59622d90 fffff807`7c60eccc     : ffff9a8e`d6d1b080 00000000`0ec5e8fc ffff8aaa`357d0f34 ffff8aaa`00501802 : nt!PerfInfoLogSysCallEntry+0x70
ffff8d0d`59622df0 00007fff`582514a4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x297
00000000`0ec5e078 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`582514a4

SYMBOL_NAME:  nt!KiFastFailDispatch+d0

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  d0

FAILURE_BUCKET_ID:  0x139_3d_nt!KiFastFailDispatch

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {5afad1eb-92dc-6d7d-cecb-2e29d36aec95}

Followup:     MachineOwner
---------
bats3c commented 3 years ago

Yeah, I'm aware of this. It's due to the PatchGuard bypass that gitl uses not working on 21H1.

I'm planning on implementing a new bypass when I find the time.
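As an added example (not code from the repository or from either commenter), a small Python triage helper that parses the !analyze -v fields quoted in the report above and flags the KERNEL_SECURITY_CHECK_FAILURE (0x139) with Arg1 0x3d (FAST_FAIL_ETW_CORRUPTION) signature, which is the kernel's own integrity check firing when ETW tracing structures have been tampered with; from a defender's side, that combination in crash telemetry is worth correlating with ETW-tampering attempts. The sample input is a constructed excerpt of the dump posted in this issue.

```python
import re

# Constructed excerpt of the !analyze -v output from the issue above: only the fields
# the triage rule reads (register dump and most stack frames omitted).
SAMPLE_ANALYZE = """\
    Key  : FailFast.Name
    Value: ETW_CORRUPTION
BUGCHECK_CODE:  139
BUGCHECK_P1: 3d
PROCESS_NAME:  explorer.exe
STACK_TEXT:
ffff8d0d`59622a60 fffff807`7c61e6f6     : 00000000`00000000 fffff807`7c467ace ffff9a8e`d6d1b080 ffff8d0d`59622ca0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8d0d`59622bf0 fffff807`7c40f799     : 00000000`00000000 00000000`00000001 ffff8d0d`59622cf0 00000000`00000001 : nt!EtwpReserveTraceBuffer+0x20f696

FAILURE_BUCKET_ID:  0x139_3d_nt!KiFastFailDispatch
"""

KERNEL_SECURITY_CHECK_FAILURE = 0x139
FAST_FAIL_ETW_CORRUPTION = 0x3D  # Arg1 subcode reported in the dump above


def parse_analyze(text):
    """Extract the fields a triage rule needs from WinDbg !analyze -v text."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    report = {
        "bugcheck_code": int(grab(r"^BUGCHECK_CODE:\s+([0-9a-fA-F]+)") or "0", 16),
        "p1": int(grab(r"^BUGCHECK_P1:\s+([0-9a-fA-F]+)") or "0", 16),
        "process_name": grab(r"^PROCESS_NAME:\s+(\S+)"),
        "failure_bucket": grab(r"^FAILURE_BUCKET_ID:\s+(\S+)"),
        "keys": {k: v.strip() for k, v in re.findall(r"Key\s+:\s+(\S+)\s*\n\s*Value:\s*(.+)", text)},
        "frames": [],
    }
    stack = re.search(r"^STACK_TEXT:.*\n((?:.+\n)+)", text, re.MULTILINE)
    if stack:
        # Frame lines read "child-sp ret-addr : arg arg arg arg : symbol+offset"; keep the symbol.
        report["frames"] = [ln.rsplit(" : ", 1)[-1].strip() for ln in stack.group(1).splitlines()]
    return report


def is_etw_corruption_crash(report):
    """True for the 0x139/0x3d ETW-corruption fast-fail with ETW code on the stack."""
    if report["bugcheck_code"] != KERNEL_SECURITY_CHECK_FAILURE:
        return False
    by_subcode = report["p1"] == FAST_FAIL_ETW_CORRUPTION
    by_name = report["keys"].get("FailFast.Name") == "ETW_CORRUPTION"
    etw_on_stack = any(f.startswith("nt!Etw") for f in report["frames"])
    return (by_subcode or by_name) and etw_on_stack
```

The same rule can be applied to the FailFast.Name / BUGCHECK_P1 fields that WER and kernel crash-dump collectors forward, so repeated 0x139/0x3d bugchecks on a host stand out from ordinary driver crashes.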