mrexodia / TitanHide

Hiding kernel-driver for x86/x64.
MIT License

BSOD after unload driver when verifier enabled #24

Closed lynnux closed 7 years ago

lynnux commented 7 years ago

I used the code for the SSDT hook in my project; BSOD after unloading the driver when verifier is enabled. windbg !analyze -v shows:

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is because the driver was specified in the registry as being suspect (by the administrator) and the kernel has enabled substantial checking of this driver. If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will be among the most commonly seen crashes.
Arguments:
Arg1: 00000060, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: 00000000, paged bytes
Arg3: 00000288, nonpaged bytes,
Arg4: 00000012, total # of (paged+nonpaged) allocations that weren't freed.
To get the name of the driver at fault, type dp ViBadDriver l1; dS @$p
Then type !verifier 3 drivername.sys for info on the allocations that were leaked that caused the bugcheck.

!verifier 3 xxx.sys shows:

0x831d4fd8 0x00000024 EDIH 0xbaa30155 xxx!RtlAllocateMemory

It seems that on x86, SSDT::Hook calls RtlAllocateMemory, but SSDT::Unhook forgot to free it. The x64 version, using Hooklib::Hook and Hooklib::Unhook, seems OK (I've not tested the x64 version).

Maybe fixed by this:

     if(free)
         Hooklib::Unhook(hHook, true);
 #else
-    UNREFERENCED_PARAMETER(free);
+    if (free)
+        RtlFreeMemory(hHook);
 #endif
 }
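Review bot: RtlFreeMemory(hHook) in the #else branch must run only after the SSDT entry has been restored to its original target; the hunk does not show that ordering, so confirm the restore precedes the free, otherwise a call still dispatching through the hook can reach freed pool. The free itself matches the leaked allocation !verifier attributed to xxx!RtlAllocateMemory in SSDT::Hook, and a null check on hHook before freeing would be cheap insurance.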
mrexodia commented 7 years ago

Thanks I added a fix, could you try it again?

lynnux commented 7 years ago

@mrexodia, a little improvement: since the project uses VS 2013 to compile, the code can use C++11. Many Nt* functions don't need a declaration in undocumented.h/cpp, for example:

static HOOK hNtSetContextThread = 0;
NTSTATUS NTAPI HookNtSetContextThread(IN HANDLE ThreadHandle, IN PCONTEXT ThreadContext)
{
    // decltype(HookNtSetContextThread)* is the function-pointer type of the hook itself,
    // which has the same signature as the original, so no separate prototype is needed.
    return ((decltype(HookNtSetContextThread)*)(hNtSetContextThread->SSDTaddress))(ThreadHandle, ThreadContext);
}
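To show both points of this thread in one place, the decltype call-through above and the Hook/Unhook allocation pairing behind the verifier bugcheck, here is an added user-mode C++ simulation (not TitanHide's code). HOOKSTRUCT, the RtlAllocateMemory/RtlFreeMemory stand-ins, the fake dispatch slot and NtSetContextThreadOriginal are all assumed names; the allocation counter plays the role of Driver Verifier's outstanding-pool count.

```cpp
#include <cstddef>
#include <cstdint>

// Stand-in for the driver's HOOK record (name and fields assumed, not TitanHide's).
struct HOOKSTRUCT { uintptr_t SSDTold; uintptr_t SSDTnew; };
typedef HOOKSTRUCT* HOOK;

// Outstanding allocations, mimicking the count Driver Verifier reports in Arg4.
static int g_allocations = 0;
static void* RtlAllocateMemory(size_t size) { ++g_allocations; return ::operator new(size); }
static void RtlFreeMemory(void* p) { --g_allocations; ::operator delete(p); }

// The "real" service routine sitting in the dispatch-table slot before hooking.
static int g_original_calls = 0;
static long NtSetContextThreadOriginal(void*, void*) { ++g_original_calls; return 0; }
static uintptr_t g_ssdt_slot = (uintptr_t)&NtSetContextThreadOriginal;

static HOOK hNtSetContextThread = 0;

// decltype(HookNtSetContextThread)* is exactly the pointer type of the original,
// so no separate prototype for NtSetContextThread is needed (the comment's trick).
static long HookNtSetContextThread(void* ThreadHandle, void* ThreadContext)
{
    return ((decltype(HookNtSetContextThread)*)(hNtSetContextThread->SSDTold))(ThreadHandle, ThreadContext);
}

static HOOK Hook(uintptr_t* slot, uintptr_t newfn)
{
    HOOK h = (HOOK)RtlAllocateMemory(sizeof(HOOKSTRUCT));  // allocation Unhook must release
    h->SSDTold = *slot;
    h->SSDTnew = newfn;
    *slot = newfn;
    return h;
}

// Restore the slot first, so no in-flight call can reach the record once it is freed.
static void Unhook(uintptr_t* slot, HOOK h, bool free_record)
{
    *slot = h->SSDTold;
    if (free_record)
        RtlFreeMemory(h);   // the step the fix in this issue adds to the x86 branch
}

// Hook, call through the slot, unhook; returns outstanding allocations (0 means no leak).
int RunHookCycle(bool free_on_unhook)
{
    g_allocations = 0; g_original_calls = 0;
    hNtSetContextThread = Hook(&g_ssdt_slot, (uintptr_t)&HookNtSetContextThread);
    ((long(*)(void*, void*))g_ssdt_slot)(nullptr, nullptr);   // dispatches hook -> original
    Unhook(&g_ssdt_slot, hNtSetContextThread, free_on_unhook);
    hNtSetContextThread = 0;
    return g_allocations;
}
int OriginalCalls() { return g_original_calls; }
```

RunHookCycle(false) reproduces the pre-fix behaviour: the call still forwards correctly, but one allocation is left outstanding at "unload", which is exactly what the 0xC4/0x60 bugcheck flags.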
mrexodia commented 7 years ago

Might be interesting, could you send a pull request to update those maybe? On Thu, 29 Jun 2017 at 07:59, lynnux notifications@github.com wrote:

@mrexodia https://github.com/mrexodia, a little improvement: since the project uses VS 2013 to compile, the code can use C++11. Many Nt* functions don't need a declaration in undocumented.h/cpp, for example:

static HOOK hNtSetContextThread = 0;
NTSTATUS NTAPI HookNtSetContextThread(IN HANDLE ThreadHandle, IN PCONTEXT ThreadContext)
{
    return ((decltype(HookNtSetContextThread)*)(hNtSetContextThread->SSDTold))(ThreadHandle, ThreadContext);
}
