jonomango / hv

Lightweight Intel VT-x Hypervisor.
MIT License

Windows 10 21H2 BSOD #8

Closed thewolfram closed 2 years ago

thewolfram commented 2 years ago

Hey, I'm getting a BSOD while manually mapping with kdmapper. When I map the driver built with the debug setting I get "SYSTEM_SERVICE_EXCEPTION", and when I map the release version I get "KMODE_EXCEPTION_NOT_HANDLED". I have an MSI laptop with an i5-10500H and virtualization enabled in the BIOS.

jonomango commented 2 years ago

Hi, are you using the latest commit? Also if you could provide the MEMORY.DMP file that Windows generates, that would be very helpful.

jonomango commented 2 years ago

It could also be the case that kdmapper passes non-null values for the driver parameter, causing this check to succeed and cause the BSOD.

thewolfram commented 2 years ago

> Hi, are you using the latest commit? Also if you could provide the MEMORY.DMP file that Windows generates, that would be very helpful.

Yeah, sure, generated from WinDbg. I'm using the latest commit, just downloaded it.

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\me\Desktop\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff807`0d600000 PsLoadedModuleList = 0xfffff807`0e22a2b0
Debug session time: Thu Dec  1 19:42:56.445 2022 (UTC + 3:00)
System Uptime: 0 days 0:11:00.185
Loading Kernel Symbols
...............................................................
....Page 119b2d not present in the dump file. Type ".hh dbgerr004" for details
............................................................
................................................................
.....................
Loading User Symbols
PEB is paged out (Peb.Ldr = 0000009f`0786a018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.......
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000096, The exception code that was not handled
Arg2: ffffda8341b6a5ed, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 2

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-R8J0U1O

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 45

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 69

    Key  : Analysis.System
    Value: CreateObject

BUGCHECK_CODE:  1e

BUGCHECK_P1: ffffffffc0000096

BUGCHECK_P2: ffffda8341b6a5ed

BUGCHECK_P3: 0

BUGCHECK_P4: 0

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  kdmapper.exe

STACK_TEXT:  
ffffa10f`435f6e68 fffff807`0da3f495 : 00000000`0000001e ffffffff`c0000096 ffffda83`41b6a5ed 00000000`00000000 : nt!KeBugCheckEx
ffffa10f`435f6e70 fffff807`0da0d46c : ffffa10f`435f75a9 fffff807`0d8eccfe ffffda83`45400000 fffff807`0d91cd80 : nt!KiDispatchException+0x1c8fa5
ffffa10f`435f7530 fffff807`0da08a5a : ffffa300`3454b340 fffff807`0da01506 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0x12c
ffffa10f`435f7710 ffffda83`41b6a5ed : 00000000`00000002 ffffa10f`435f7930 00000000`00000000 00000000`00000002 : nt!KiGeneralProtectionFault+0x31a
ffffa10f`435f78a0 00000000`00000002 : ffffa10f`435f7930 00000000`00000000 00000000`00000002 00000000`00003027 : 0xffffda83`41b6a5ed
ffffa10f`435f78a8 ffffa10f`435f7930 : 00000000`00000000 00000000`00000002 00000000`00003027 00000000`00000000 : 0x2
ffffa10f`435f78b0 00000000`00000000 : 00000000`00000002 00000000`00003027 00000000`00000000 00000000`00000000 : 0xffffa10f`435f7930

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

STACK_COMMAND:  .thread ; .cxr ; kb

FAILURE_BUCKET_ID:  ZEROED_STACK_0x1E_c0000096

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {0be1d879-706d-f2da-824b-4e86d0f4a0c4}

Followup:     MachineOwner
---------
thewolfram commented 2 years ago

> It could also be the case that kdmapper passes non-null values for the driver parameter, causing this check to succeed and cause the BSOD.

Commented this out, but it still makes no sense. I will try to load the driver through cmd.

thewolfram commented 2 years ago

It still makes no sense when I start the driver with "sc start".

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\me\Desktop\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff806`4d400000 PsLoadedModuleList = 0xfffff806`4e02a2b0
Debug session time: Thu Dec  1 20:12:02.114 2022 (UTC + 3:00)
System Uptime: 0 days 0:03:52.850
Loading Kernel Symbols
...............................................................
....Page 11842d not present in the dump file. Type ".hh dbgerr004" for details
............................................................
................................................................
.....................
Loading User Symbols

Loading unloaded module list
.......
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000096, The exception code that was not handled
Arg2: fffff806c96845ed, The address that the exception occurred at
Arg3: fffffd82f547f468, Exception Record Address
Arg4: fffffd82f547eca0, Context Record Address

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-R8J0U1O

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 4

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 74

    Key  : Analysis.System
    Value: CreateObject

BUGCHECK_CODE:  7e

BUGCHECK_P1: ffffffffc0000096

BUGCHECK_P2: fffff806c96845ed

BUGCHECK_P3: fffffd82f547f468

BUGCHECK_P4: fffffd82f547eca0

EXCEPTION_RECORD:  fffffd82f547f468 -- (.exr 0xfffffd82f547f468)
ExceptionAddress: fffff806c96845ed (hv!hv::cache_cpu_data+0x0000000000000024)
   ExceptionCode: c0000096
  ExceptionFlags: 00000000
NumberParameters: 0

CONTEXT:  fffffd82f547eca0 -- (.cxr 0xfffffd82f547eca0)
rax=0000000000000027 rbx=0000000000000000 rcx=0000000000000486
rdx=0000000000000000 rsi=ffffab8a449eacd0 rdi=ffffab8a47a90000
rip=fffff806c96845ed rsp=fffffd82f547f6a0 rbp=fffffd82f547f6f9
 r8=0000000000000000  r9=0000000000000000 r10=00000000040402ff
r11=0000000000000000 r12=ffffc30386df4fd0 r13=ffffffff8000520c
r14=0000000000000000 r15=ffffab8a415c2e30
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040246
hv!hv::cache_cpu_data+0x24 [inlined in hv!hv::virtualize_cpu+0x59]:
fffff806`c96845ed 0f32            rdmsr
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000096 - {          }                              .

EXCEPTION_CODE_STR:  c0000096

EXCEPTION_STR:  0xc0000096

STACK_TEXT:  
fffffd82`f547f6a0 fffff806`c9682ab9 : fffff806`c9685840 00000000`00000000 00000000`00000000 00000000`00000000 : hv!hv::virtualize_cpu+0x59 [C:\Users\me\Desktop\hv-main\hv\vcpu.cpp @ 333] 
fffffd82`f547f760 fffff806`c9683619 : ffffab8a`415c2e30 ffffab8a`3f6f9000 ffffab8a`4245c860 00000000`00000100 : hv!hv::start+0xe9 [C:\Users\me\Desktop\hv-main\hv\hv.cpp @ 125] 
fffffd82`f547f790 fffff806`4db66bfc : ffffab8a`3f6f9000 00000000`00000000 ffffab8a`415c2e30 00000000`00000000 : hv!driver_entry+0x39 [C:\Users\me\Desktop\hv-main\hv\main.cpp @ 30] 
fffffd82`f547f800 fffff806`4db3238d : 00000000`0000001c 00000000`00000000 00000000`00000000 00000000`00001000 : nt!PnpCallDriverEntry+0x4c
fffffd82`f547f860 fffff806`4db77697 : 00000000`00000000 00000000`00000000 fffff806`4e125440 00000000`00000000 : nt!IopLoadDriver+0x4e5
fffffd82`f547fa30 fffff806`4d652b65 : ffffab8a`00000000 ffffffff`8000520c ffffab8a`40da0040 ffffab8a`00000000 : nt!IopLoadUnloadDriver+0x57
fffffd82`f547fa70 fffff806`4d671d25 : ffffab8a`40da0040 00000000`00000080 ffffab8a`2ead40c0 000fa46f`b19bbfff : nt!ExpWorkerThread+0x105
fffffd82`f547fb10 fffff806`4d801f08 : ffffd600`fe7ec180 ffffab8a`40da0040 fffff806`4d671cd0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffffd82`f547fb60 00000000`00000000 : fffffd82`f5480000 fffffd82`f5479000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28

FAULTING_SOURCE_LINE:  C:\Users\me\Desktop\hv-main\hv\vcpu.cpp

FAULTING_SOURCE_FILE:  C:\Users\me\Desktop\hv-main\hv\vcpu.cpp

FAULTING_SOURCE_LINE_NUMBER:  333

FAULTING_SOURCE_CODE:  
    21:   __cpuid(reinterpret_cast<int*>(&cpuid_80000008), 0x80000008);
    22: 
    23:   cached.max_phys_addr = cpuid_80000008.eax.number_of_physical_address_bits;
    24: 
>   25:   cached.vmx_cr0_fixed0 = __readmsr(IA32_VMX_CR0_FIXED0);
    26:   cached.vmx_cr0_fixed1 = __readmsr(IA32_VMX_CR0_FIXED1);
    27:   cached.vmx_cr4_fixed0 = __readmsr(IA32_VMX_CR4_FIXED0);
    28:   cached.vmx_cr4_fixed1 = __readmsr(IA32_VMX_CR4_FIXED1);
    29: 
    30:   cpuid_eax_0d_ecx_00 cpuid_0d;

SYMBOL_NAME:  hv!hv::virtualize_cpu+59

MODULE_NAME: hv

IMAGE_NAME:  hv.sys

STACK_COMMAND:  .cxr 0xfffffd82f547eca0 ; kb

BUCKET_ID_FUNC_OFFSET:  59

FAILURE_BUCKET_ID:  AV_hv!hv::virtualize_cpu

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {4ae397e8-5926-0bd9-fb19-cda38eff6d10}

Followup:     MachineOwner
---------
jonomango commented 2 years ago

That's actually very helpful info. It shows the region that caused the exception. I'll take a look at it when I get home.

jonomango commented 2 years ago

Interesting. Are you sure that VMX is supported by your CPU? The exception seems to be caused by this line, which indicates that CPUID.01H:ECX.[5] is 0. I'm checking for that here, but that gets called after the MSR gets read, which is something I'll have to fix.

Try this code out somewhere and see if it gives you 1 or 0 (I haven't tested this out, so be warned 😛).

```cpp
// CPUID leaf 01H; ECX bit 5 is the VMX feature flag
cpuid_eax_01 cpuid_01;
__cpuid(reinterpret_cast<int*>(&cpuid_01), 0x01);
DbgPrint("VMX: %i\n", cpuid_01.cpuid_feature_information_ecx.virtual_machine_extensions);
```
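The ordering problem described in the comment above (the VMX capability MSRs are read before CPUID.01H:ECX.[5] has been checked) as an added C example that is not part of hv. The `hw_ops` interface, the `cpu_without_vmx` / `cpu_with_vmx` models and every register value inside them are hypothetical stand-ins for `__cpuid` / `__readmsr` and for real CPUs, so the logic can run outside ring 0; an `rdmsr` that returns `false` models the #GP(0) that the dump reports as exception 0xC0000096 at `rdmsr` with `rcx=0x486`. The checked path also looks at IA32_FEATURE_CONTROL, which catches the case where firmware has locked VMX off even though CPUID still reports the feature.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* MSR indices from the Intel SDM. The dump faulted with rcx=0x486, which is
 * IA32_VMX_CR0_FIXED0: reading an MSR the CPU does not implement raises #GP(0). */
#define IA32_FEATURE_CONTROL 0x03Au
#define IA32_VMX_CR0_FIXED0  0x486u
#define IA32_VMX_CR0_FIXED1  0x487u
#define IA32_VMX_CR4_FIXED0  0x488u
#define IA32_VMX_CR4_FIXED1  0x489u

/* IA32_FEATURE_CONTROL bits: lock (set by firmware) and VMXON-outside-SMX enable. */
#define FC_LOCK              (1ull << 0)
#define FC_VMXON_OUTSIDE_SMX (1ull << 2)

/* Hypothetical hardware interface standing in for __cpuid / __readmsr.
 * rdmsr returns false to model the #GP that a real CPU would raise. */
typedef struct {
    void (*cpuid)(uint32_t leaf, uint32_t regs[4]);
    bool (*rdmsr)(uint32_t msr, uint64_t *value);
} hw_ops;

typedef struct {
    uint64_t vmx_cr0_fixed0, vmx_cr0_fixed1, vmx_cr4_fixed0, vmx_cr4_fixed1;
} cpu_data;

typedef enum { VMX_OK = 0, VMX_NOT_SUPPORTED, VMX_DISABLED_BY_FIRMWARE, VMX_MSR_FAULT } vmx_status;

/* CPUID.01H:ECX[5] is the VMX feature flag. */
static bool cpuid_reports_vmx(const hw_ops *hw) {
    uint32_t regs[4] = {0, 0, 0, 0};
    hw->cpuid(1, regs);
    return (regs[2] >> 5) & 1u;
}

static bool read_vmx_fixed_msrs(const hw_ops *hw, cpu_data *out) {
    return hw->rdmsr(IA32_VMX_CR0_FIXED0, &out->vmx_cr0_fixed0) &&
           hw->rdmsr(IA32_VMX_CR0_FIXED1, &out->vmx_cr0_fixed1) &&
           hw->rdmsr(IA32_VMX_CR4_FIXED0, &out->vmx_cr4_fixed0) &&
           hw->rdmsr(IA32_VMX_CR4_FIXED1, &out->vmx_cr4_fixed1);
}

/* Buggy order (what the dump shows): MSRs are read before CPUID is consulted. */
vmx_status cache_cpu_data_unchecked(const hw_ops *hw, cpu_data *out) {
    if (!read_vmx_fixed_msrs(hw, out)) return VMX_MSR_FAULT; /* a real driver bugchecks here */
    return cpuid_reports_vmx(hw) ? VMX_OK : VMX_NOT_SUPPORTED;
}

/* Corrected order: gate every VMX MSR access on CPUID and IA32_FEATURE_CONTROL. */
vmx_status cache_cpu_data_checked(const hw_ops *hw, cpu_data *out) {
    if (!cpuid_reports_vmx(hw)) return VMX_NOT_SUPPORTED;
    uint64_t fc = 0;
    if (!hw->rdmsr(IA32_FEATURE_CONTROL, &fc)) return VMX_MSR_FAULT;
    /* Locked with VMXON disabled is the "VT-x off in BIOS" case: VMXON would #GP. */
    if ((fc & FC_LOCK) && !(fc & FC_VMXON_OUTSIDE_SMX)) return VMX_DISABLED_BY_FIRMWARE;
    return read_vmx_fixed_msrs(hw, out) ? VMX_OK : VMX_MSR_FAULT;
}

/* --- Constructed CPU models; values are illustrative, not captured from hardware --- */

/* CPU A: CPUID says no VMX and the VMX capability MSRs do not exist. */
static void cpuid_a(uint32_t leaf, uint32_t regs[4]) {
    regs[0] = regs[1] = regs[2] = regs[3] = 0;
    if (leaf == 1) regs[2] = 0x0000000Fu;            /* some ECX bits set, bit 5 clear */
}
static bool rdmsr_a(uint32_t msr, uint64_t *value) {
    if (msr == IA32_FEATURE_CONTROL) { *value = FC_LOCK; return true; }
    return false;                                     /* #GP on 0x486..0x489 */
}

/* CPU B: VMX present, enabled and locked by firmware. */
static void cpuid_b(uint32_t leaf, uint32_t regs[4]) {
    regs[0] = regs[1] = regs[2] = regs[3] = 0;
    if (leaf == 1) regs[2] = 1u << 5;
}
static bool rdmsr_b(uint32_t msr, uint64_t *value) {
    switch (msr) {
    case IA32_FEATURE_CONTROL: *value = FC_LOCK | FC_VMXON_OUTSIDE_SMX; return true;
    case IA32_VMX_CR0_FIXED0:  *value = 0x80000021ull; return true;    /* PG, NE, PE must be 1 */
    case IA32_VMX_CR0_FIXED1:  *value = 0xFFFFFFFFull; return true;
    case IA32_VMX_CR4_FIXED0:  *value = 0x2000ull;     return true;    /* VMXE must be 1 */
    case IA32_VMX_CR4_FIXED1:  *value = 0x3767FFull;   return true;
    default: return false;
    }
}

const hw_ops cpu_without_vmx = { cpuid_a, rdmsr_a };
const hw_ops cpu_with_vmx    = { cpuid_b, rdmsr_b };

int main(void) {
    cpu_data d;
    printf("unchecked on CPU A: %d (VMX_MSR_FAULT is %d)\n",
           cache_cpu_data_unchecked(&cpu_without_vmx, &d), VMX_MSR_FAULT);
    printf("checked   on CPU A: %d (VMX_NOT_SUPPORTED is %d)\n",
           cache_cpu_data_checked(&cpu_without_vmx, &d), VMX_NOT_SUPPORTED);
    printf("checked   on CPU B: %d, CR0_FIXED0=%#llx\n",
           cache_cpu_data_checked(&cpu_with_vmx, &d), (unsigned long long)d.vmx_cr0_fixed0);
    return 0;
}
```

On CPU A the unchecked order "faults" (the path that ends in KMODE_EXCEPTION_NOT_HANDLED on a real box), while the checked order fails cleanly with `VMX_NOT_SUPPORTED` before any VMX MSR is touched; on CPU B both orders succeed and the fixed-bit values are cached.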
thewolfram commented 2 years ago

> Interesting. Are you sure that VMX is supported by your CPU? The exception seems to be caused by this line, which indicates that CPUID.01H:ECX.[5] is 0. I'm checking for that here, but that gets called after the MSR gets read, which is something I'll have to fix.
>
> Try this code out somewhere and see if it gives you 1 or 0 (I haven't tested this out, so be warned 😛).
>
> ```cpp
> cpuid_eax_01 cpuid_01;
> __cpuid(reinterpret_cast<int*>(&cpuid_01), 0x01);
> DbgPrint("VMX: %i\n", cpuid_01.cpuid_feature_information_ecx.virtual_machine_extensions);
> ```

Let me check. Like I said, my CPU is a desktop Intel i5-10500H. I double-checked in the BIOS that I have Intel virtualization enabled.

thewolfram commented 2 years ago

> Interesting. Are you sure that VMX is supported by your CPU? The exception seems to be caused by this line, which indicates that CPUID.01H:ECX.[5] is 0. I'm checking for that here, but that gets called after the MSR gets read, which is something I'll have to fix.
>
> Try this code out somewhere and see if it gives you 1 or 0 (I haven't tested this out, so be warned 😛).
>
> ```cpp
> cpuid_eax_01 cpuid_01;
> __cpuid(reinterpret_cast<int*>(&cpuid_01), 0x01);
> DbgPrint("VMX: %i\n", cpuid_01.cpuid_feature_information_ecx.virtual_machine_extensions);
> ```

Interesting... [image]

thewolfram commented 2 years ago

[image: Inked20221201_225403] I have no idea what's wrong with it.

jonomango commented 2 years ago

That is super weird. An i5-10500H should support VMX as far as I'm aware… Have you had any luck loading other VT-x hypervisors? Maybe try HyperDbg and see if that works?

thewolfram commented 2 years ago

> That is super weird. An i5-10500H should support VMX as far as I'm aware… Have you had any luck loading other VT-x hypervisors? Maybe try HyperDbg and see if that works?

Yeah, let me test it.

jonomango commented 2 years ago

I just pushed https://github.com/jonomango/hv/commit/16ea072fb2826a81c32131a85640ff755eaeb39c which should prevent the BSOD when VMX isn't supported. It still doesn't fix your original issue but it'll prevent crashes I guess...

thewolfram commented 2 years ago

> I just pushed 16ea072 which should prevent the BSOD when VMX isn't supported. It still doesn't fix your original issue but it'll prevent crashes I guess...

[image] I tried everything on the internet to disable this VBS, but nothing helps me, lol.

jonomango commented 2 years ago

Not sure if this will help, but check to see if Hyper-V is disabled.

thewolfram commented 2 years ago

> Not sure if this will help, but check to see if Hyper-V is disabled.

Everything is disabled. [image]

jonomango commented 2 years ago

I guess at this point... buy a new CPU? 😅

thewolfram commented 2 years ago

> I guess at this point... buy a new CPU? 😅

Yeah, but there are 2 problems:

1. I have a laptop, so I can't just upgrade my CPU.
2. Some time ago I used p2c (you know the name of it), and they're using Intel virtualization and a hypervisor to bypass AC, and it was working perfectly on my laptop.

jonomango commented 2 years ago

> I disabled vmx in bios and only left VT-d, now it says this [image]

Wait, what? This looks correct for if VMX was disabled in BIOS... It's weird that CPUID.01H:ECX.[5] now reports 1 when it wasn't before...

thewolfram commented 2 years ago

> > I disabled vmx in bios and only left VT-d, now it says this [image]
>
> Wait, what? This looks correct for if VMX was disabled in BIOS... It's weird that CPUID.01H:ECX.[5] now reports 1 when it wasn't before...

I accidentally deleted it, sorry.

thewolfram commented 2 years ago

Yeah, I have no fucking idea what the hell is wrong with this CPU or with this laptop...

jonomango commented 2 years ago

Try enabling VMX and disabling VT-d... eventually it'll work, right?

thewolfram commented 2 years ago

> Try enabling VMX and disabling VT-d... eventually it'll work, right?

Yeah, it finally worked 😄 I actually got tired of this shit, and I appreciate the time you spent helping me, thank you so much!