can1357 / ByePg

Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI.

ExHook example hangs the machine (Windows 10 version 1607) #20

Closed BlackOfWorld closed 2 years ago

BlackOfWorld commented 3 years ago

Title says it all. It's not ExHook's fault; according to the debugger, it hangs the machine at https://github.com/can1357/ByePg/blob/master/ByePgLib/ByePg.cpp#L46

Any solutions/workarounds?

Verbose output:

[ByePg] Scanning for undocumented offsets...
[ByePg] Scan finished with status: OK 
[ByePg] -------------------------------
[ByePg] ntoskrnl.exe:             0xFFFFF80336C82000
[ByePg] KiHardwareTrigger:        0xFFFFF80336F88B88
[ByePg] KeBugCheck2:              0xFFFFF80336E50630
[ByePg] KiFreezeExecutionLock:    0xFFFFF80337038300
[ByePg] KiBugCheckActive:         0xFFFFF80336F88B38
[ByePg] KPRCB_Context:            +0x6280
[ByePg] KPRCB_IpiFrozen:          +0x2d08
[ByePg] KPCR_DebuggerSavedIRQL:   +0x5c98
[ByePg] -------------------------------
[ByePg] HAL callback registration status: OK 
[ByePg] -------------------------------

Here's a screenshot of WinDbg: [image]

Chips85 commented 3 years ago

Faced the same issue on Windows 10 build 1903. Any idea how to resolve this?

BlackOfWorld commented 3 years ago

Seems like this only applies to VMware with an AMD CPU (for me at least).

can1357 commented 3 years ago

You can't use ByePg in combination with WinDbg due to the HAL interface being modified.

BlackOfWorld commented 3 years ago

Oh yes, I read an issue that was posted here; you're right, I completely forgot about it. It's something to do with VirtualKD I believe, and not with the HAL interface itself? Correct me if I'm wrong. I'll try it without VirtualKD and then without any debugging at all (I wish I could use SoftICE, but it's only for Windows XP). Anyway, thanks for the response!

can1357 commented 3 years ago

You're more than welcome, my apologies for the super late response, it must have got lost in my notifications.

Any form of KD should break in theory, so it likely won't make any difference. I'd recommend using a hypervisor debugger like the VMware GDB stub if that's an option.

BlackOfWorld commented 3 years ago

> You're more than welcome, my apologies for the super late response, it must have got lost in my notifications.
>
> Any form of KD should break in theory, so it likely won't make any difference. I'd recommend using a hypervisor debugger like the VMware GDB stub if that's an option.

The problem with GDB is that it doesn't load any of my symbols without some special settings (I might look into that more deeply later). I did try to get in touch with you on the OSDev Discord server, but you have both DMs and friend requests disabled. Again, thanks for the reply! I was slowly starting to doubt my issue would ever be fixed 😄

BlackOfWorld commented 2 years ago

Closing due to inactivity and that the problem was explained and solved.