I tried your gitl on the currently latest Windows version (gitl.exe load) and it continues to cause a BSOD. Are you aware of some new features / measures of MS prohibiting your approach of hooking NtTraceEvent to evady Sysmon / ETW events?
When getting a first view on the MEMORY.DMP the following details are shown by (!analyze -v):
nt!KeBugCheckEx:
fffff807`7c5fce40 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8d0d`59622740=0000000000000139
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000003d, Type of memory safety violation
Arg2: ffff8d0d59622a60, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8d0d596229b8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
Page fd68 not present in the dump file. Type ".hh dbgerr004" for details
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3140
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 6265
Key : Analysis.Init.CPU.mSec
Value: 608
Key : Analysis.Init.Elapsed.mSec
Value: 41059
Key : Analysis.Memory.CommitPeak.Mb
Value: 82
Key : FailFast.Name
Value: ETW_CORRUPTION
Key : FailFast.Type
Value: 61
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
VIRTUAL_MACHINE: VMware
BUGCHECK_CODE: 139
BUGCHECK_P1: 3d
BUGCHECK_P2: ffff8d0d59622a60
BUGCHECK_P3: ffff8d0d596229b8
BUGCHECK_P4: 0
TRAP_FRAME: ffff8d0d59622a60 -- (.trap 0xffff8d0d59622a60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9a8ed138649c rbx=0000000000000000 rcx=000000000000003d
rdx=0000000000000018 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8077c61e6f6 rsp=ffff8d0d59622bf0 rbp=00000000000000c0
r8=0000000000000002 r9=0000000000001000 r10=0000000000000000
r11=ffff8d0d59622de8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!EtwpReserveTraceBuffer+0x20f696:
fffff807`7c61e6f6 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffff8d0d596229b8 -- (.exr 0xffff8d0d596229b8)
ExceptionAddress: fffff8077c61e6f6 (nt!EtwpReserveTraceBuffer+0x000000000020f696)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000003d
Subcode: 0x3d FAST_FAIL_ETW_CORRUPTION
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 000000000000003d
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffff8d0d`59622738 fffff807`7c60ed69 : 00000000`00000139 00000000`0000003d ffff8d0d`59622a60 ffff8d0d`596229b8 : nt!KeBugCheckEx
ffff8d0d`59622740 fffff807`7c60f190 : 00000000`00000000 00000000`00000002 ffff9a8e`d6d1b080 fffff807`7c90c565 : nt!KiBugCheckDispatch+0x69
ffff8d0d`59622880 fffff807`7c60d523 : 00000000`23010900 00000000`2f44990e 00007fff`573d9810 00007fff`5a9acc10 : nt!KiFastFailDispatch+0xd0
ffff8d0d`59622a60 fffff807`7c61e6f6 : 00000000`00000000 fffff807`7c467ace ffff9a8e`d6d1b080 ffff8d0d`59622ca0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8d0d`59622bf0 fffff807`7c40f799 : 00000000`00000000 00000000`00000001 ffff8d0d`59622cf0 00000000`00000001 : nt!EtwpReserveTraceBuffer+0x20f696
ffff8d0d`59622c80 fffff807`7c4afd3d : 00000000`0000000c ffff9a8e`d1a5e000 00000000`00501802 ffff8d0d`00000001 : nt!EtwpLogKernelEvent+0x1e9
ffff8d0d`59622d30 fffff807`7c7ab7b0 : ffff8ad0`42daa010 ffff8aaa`3625df10 ffff8d0d`59622ec0 00000000`00501802 : nt!EtwTraceSiloKernelEvent+0x99
ffff8d0d`59622d90 fffff807`7c60eccc : ffff9a8e`d6d1b080 00000000`0ec5e8fc ffff8aaa`357d0f34 ffff8aaa`00501802 : nt!PerfInfoLogSysCallEntry+0x70
ffff8d0d`59622df0 00007fff`582514a4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x297
00000000`0ec5e078 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`582514a4
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_3d_nt!KiFastFailDispatch
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {5afad1eb-92dc-6d7d-cecb-2e29d36aec95}
Followup: MachineOwner
---------
Hi @bats3c,
I tried your gitl on the currently latest Windows version (
gitl.exe load
) and it continues to cause a BSOD. Are you aware of some new features / measures of MS prohibiting your approach of hookingNtTraceEvent
to evady Sysmon / ETW events?When getting a first view on the MEMORY.DMP the following details are shown by (
!analyze -v
):