everdox / InfinityHook

Hook system calls, context switches, page faults and more.

Unloading the driver probabilistically causes a bugcheck. #9

Closed SpriteOvO closed 5 years ago

SpriteOvO commented 5 years ago

After I repeatedly load and unload the driver, I get a bugcheck with code 0xCE.

[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.

[!] infinityhook: Unloading... BYE!
[+] infinityhook: Loaded.
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x000000ce
                       (0xFFFFF8009EFD11AB,0x0000000000000010,0xFFFFF8009EFD11AB,0x0000000000000000)

Driver at fault: kinfinityhook.sys.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 16299 x64 target at (Sun Jul 28 07:32:08.851 2019 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..........................................
Loading User Symbols
...............................................
Loading unloaded module list
................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck CE, {fffff8009efd11ab, 10, fffff8009efd11ab, 0}

Probably caused by : kinfinityhook.sys ( kinfinityhook+11ab )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
0010:fffff800`9f7ffc60 cc              int     3
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: fffff8009efd11ab, memory referenced
Arg2: 0000000000000010, value 0 = read operation, 1 = write operation
Arg3: fffff8009efd11ab, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000000, Mm internal code.

Debugging Details:
------------------

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 fffff8009efd11ab 

FAULTING_IP: 
kinfinityhook+11ab
0010:fffff800`9efd11ab ??              ???

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xCE

PROCESS_NAME:  DeviceCensus.e

CURRENT_IRQL:  2

TRAP_FRAME:  ffffa58467b877f0 -- (.trap 0xffffa58467b877f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffa88ae8c8b370
rdx=ffffa88aec8f36c0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8009efd11ab rsp=ffffa58467b87980 rbp=ffffa58467b87b00
 r8=ffffa88aec8f36c0  r9=ffff93015e4c0180 r10=fffff8009fa2fb00
r11=ffffa88ae8c8b370 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
<Unloaded_kinfinityhook.sys>+0x11ab:
0010:fffff800`9efd11ab ??              ???
Resetting default scope

IP_MODULE_UNLOADED: 
kinfinityhook+11ab
0010:fffff800`9efd11ab ??              ???

LAST_CONTROL_TRANSFER:  from fffff8009f895782 to fffff8009f7ffc60

STACK_TEXT:  
ffffa584`67b86da8 fffff800`9f895782 : fffff800`9efd11ab ffffa88a`ebba0480 ffffa584`67b86f10 fffff800`9f7c0760 : nt!RtlpBreakWithStatusInstruction
ffffa584`67b86db0 fffff800`9f895007 : 00000000`00000003 ffffa584`67b86f10 fffff800`9f808010 ffffa584`67b87470 : nt!KiBugCheckDebugBreak+0x12
ffffa584`67b86e10 fffff800`9f7fa1e7 : 00000000`00000040 ffffa88a`ec8f3880 00000000`00000000 fffff800`9fb98a48 : nt!KeBugCheck2+0x937
ffffa584`67b87530 fffff800`9f839409 : 00000000`00000050 fffff800`9efd11ab 00000000`00000010 ffffa584`67b877f0 : nt!KeBugCheckEx+0x107
ffffa584`67b87570 fffff800`9f705777 : 00000000`00000010 fffff800`9efd11ab ffffa584`67b877f0 ffffa584`67b87710 : nt!MiSystemFault+0x1167e9
ffffa584`67b87610 fffff800`9f803c72 : ffffa88a`e8047dd0 ffffa584`67b877a8 00000000`00000000 ffffa584`67b87838 : nt!MmAccessFault+0xae7
ffffa584`67b877f0 fffff800`9efd11ab : 00000000`00000000 00007ffd`5c443900 fffff800`00000f4d ffffa584`656e6f4e : nt!KiPageFault+0x132
ffffa584`67b87980 00000000`00000000 : 00007ffd`5c443900 fffff800`00000f4d ffffa584`656e6f4e 00000000`00000000 : <Unloaded_kinfinityhook.sys>+0x11ab

STACK_COMMAND:  kb

FOLLOWUP_IP: 
kinfinityhook+11ab
0010:fffff800`9efd11ab ??              ???

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  kinfinityhook+11ab

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: kinfinityhook

IMAGE_NAME:  kinfinityhook.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  X64_0xCE_kinfinityhook+11ab

BUCKET_ID:  X64_0xCE_kinfinityhook+11ab

Followup: MachineOwner
---------

I found through IDA that kinfinityhook+0x11ab points to add rsp, 78h in DetourNtCreateFile.

So I guess it may be that after the driver is unloaded, DetourNtCreateFile isn't done yet. Perhaps you should add a mutex to the SyscallStub and DetourNtCreateFile and DriverUnload routines. Thanks for reading.
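The synchronization the comment above asks for, shown as an added example that is not part of this thread or of InfinityHook's code: a user-mode C model of a "drain in-flight hook callbacks before unloading" gate. The names hook_gate, hook_enter, hook_leave, unload_begin, unload_drained and replay_unload_race are assumed for illustration. In a real driver the same roles are played by the WDK rundown-protection routines (ExInitializeRundownProtection at load, ExAcquireRundownProtection/ExReleaseRundownProtection around the hook body, ExWaitForRundownProtectionRelease in DriverUnload), and the hook registration must be torn down before the drain so that no thread is dispatched into the stub after the wait returns.

```c
/* Added example (not InfinityHook code): user-mode model of the
 * "stop new entries, then wait for in-flight callbacks" unload protocol.
 * Kernel equivalent: rundown protection (see lead-in). */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* One gate shared by every hook callback and the unload routine. */
typedef struct {
    atomic_int  in_flight;  /* callbacks currently executing inside the image */
    atomic_bool draining;   /* set once unload has started; refuses new entries */
} hook_gate;

static void gate_init(hook_gate *g) {
    atomic_init(&g->in_flight, 0);
    atomic_init(&g->draining, false);
}

/* Called at the top of a hook (the role DetourNtCreateFile plays above).
 * Returns false if unload already began; the caller must then touch no
 * driver state and simply let the original syscall proceed.
 * Order matters: increment first, then test the flag, so that either this
 * side sees "draining" or the unload side sees in_flight > 0 (never neither). */
static bool hook_enter(hook_gate *g) {
    atomic_fetch_add(&g->in_flight, 1);
    if (atomic_load(&g->draining)) {
        atomic_fetch_sub(&g->in_flight, 1);  /* lost the race: back out */
        return false;
    }
    return true;
}

/* Called on every exit path of the hook, including early returns. */
static void hook_leave(hook_gate *g) {
    atomic_fetch_sub(&g->in_flight, 1);
}

/* Unload step 1: refuse new entries. Done AFTER the hook registration
 * itself has been removed, so nothing else is dispatched into the stub. */
static void unload_begin(hook_gate *g) {
    atomic_store(&g->draining, true);
}

/* Unload step 2: true only when no callback is still inside the image.
 * A real driver blocks here (ExWaitForRundownProtectionRelease) instead
 * of polling; freeing the image before this returns true is the 0xCE case. */
static bool unload_drained(hook_gate *g) {
    return atomic_load(&g->in_flight) == 0;
}

/* Replays the race from the issue on one thread: a syscall is inside the
 * hook when DriverUnload starts. Returns the number of protocol violations
 * observed (0 means the gate behaved safely). */
static int replay_unload_race(void) {
    hook_gate g;
    int violations = 0;
    gate_init(&g);

    if (!hook_enter(&g)) violations++;        /* thread A enters the hook */
    unload_begin(&g);                          /* unload begins while A is inside */
    if (unload_drained(&g)) violations++;      /* must not be allowed to unload yet */
    if (hook_enter(&g)) {                      /* thread B arrives late: must be refused */
        hook_leave(&g);
        violations++;
    }
    hook_leave(&g);                            /* A finishes */
    if (!unload_drained(&g)) violations++;     /* now the image may be released */
    return violations;
}

int main(void) {
    printf("protocol violations: %d\n", replay_unload_race());
    return 0;
}
```

The increment-then-check in hook_enter paired with set-flag-then-check in the unload path is the same store/load ordering that makes the kernel rundown primitives safe; dropping either half reopens the window in which a thread is still executing at a kinfinityhook+0x11ab style address after the image is gone.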

nmulasmajic commented 5 years ago

Use the proof of concept as is. It's not production ready code. It just implements a very simplistic hook.

Your suggestion should work fine and make it safer to use in real world scenarios. I don't think we will add it to this demo though.