ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

PCIEScreamer BSOD on mount #37

Closed cizzac closed 6 years ago

cizzac commented 6 years ago

Hey, keep BSOD'ing with the error code "PAGE_FAULT_IN_NONPAGED_AREA" upon trying to mount live memory. Using the latest version of dokany (tried previous versions as well). Sometimes it works for a few seconds, but most of the time I instantly BSOD. Happens with both "pcileech.exe mount -device dump.raw -cr3 0x1ab002" and "pcileech.exe mount -device dump.raw".

This happens to the attacker computer, not the victim. Attacker using win10 and victim on win10. Tried a secondary computer with win10 and tried to use the target computer as both victim and attacker.

It "works" (doesn't BSOD) on some dumps, but it won't find the proc system or it will result in this error; "VMM: vmm.c!VmmTlbPageTableVerify: BAD PT PAGE at PA: 0x1ab000" when running "pcileech.exe mount -device dump.raw -cr3 0x1ab002 -vv", and it won't find any procs.

I use the following command when dumping: "pcileech.exe dump -v -force -max 0x46effffff -out dump.raw"

Any idea what could be causing it? Also wanna add, freaking awesome work you've put into this, managed to get everything else working besides this!
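The "BAD PT PAGE" message quoted above is PCILeech refusing a page that does not look like a page table at the physical address CR3 points to (0x1ab002 with its flag bits stripped is 0x1ab000). As an added example, not PCILeech's own code, this is a heuristic check of the same kind that can be run over a raw dump before trying a -cr3 value; the dump contents, page layout and the 0x63 entry flags are constructed for the example.

```python
import struct

PAGE = 0x1000
PRESENT = 1 << 0
PS_BIT = 1 << 7                      # reserved (must be 0) in a PML4 entry
ADDR_MASK = 0x000F_FFFF_FFFF_F000    # bits 12..51: physical address of next table


def cr3_to_pa(cr3: int) -> int:
    """CR3 holds the PML4 physical address in bits 12..51; low bits are cache flags."""
    return cr3 & ADDR_MASK


def verify_pt_page(dump: bytes, pa: int) -> dict:
    """Heuristic sanity check of the page at `pa` as a PML4 (not PCILeech's logic).

    Every present entry must have the PS bit clear and point inside the dump, and a
    kernel PML4 must map the upper half (indices 256..511). Windows also keeps a
    self-referencing PML4 entry; it is reported but not required.
    """
    if pa & (PAGE - 1) or pa + PAGE > len(dump):
        return {"ok": False, "reason": "page unaligned or outside the dump"}
    entries = struct.unpack("<512Q", dump[pa:pa + PAGE])
    present = [e for e in entries if e & PRESENT]
    if not present:
        return {"ok": False, "reason": "no present entries"}
    bad = sum(1 for e in present if e & PS_BIT or (e & ADDR_MASK) >= len(dump))
    kernel = sum(1 for e in entries[256:] if e & PRESENT)
    self_ref = any((e & ADDR_MASK) == pa for e in present)
    ok = bad == 0 and kernel > 0
    return {"ok": ok, "present": len(present), "bad": bad,
            "kernel_entries": kernel, "self_ref": self_ref,
            "reason": "" if ok else "malformed entries or no kernel mappings"}


def _entry(target_pa: int, flags: int = 0x63) -> int:
    return (target_pa & ADDR_MASK) | flags


# Constructed 8-page dump: page 1 is garbage (all 0xFF, a "BAD PT PAGE" case),
# page 3 is a plausible PML4 with a user entry, a kernel entry and a self-map.
SAMPLE_DUMP = bytearray(8 * PAGE)
SAMPLE_DUMP[PAGE:2 * PAGE] = b"\xff" * PAGE
_pml4 = [0] * 512
_pml4[0] = _entry(0x4000)         # user-space PDPT
_pml4[256] = _entry(0x5000)       # first kernel-half PDPT
_pml4[0x1ED] = _entry(0x3000)     # self-reference back to this PML4 page
SAMPLE_DUMP[3 * PAGE:4 * PAGE] = struct.pack("<512Q", *_pml4)

if __name__ == "__main__":
    print(verify_pt_page(SAMPLE_DUMP, cr3_to_pa(0x3002)))
    print(verify_pt_page(SAMPLE_DUMP, 0x1000))
```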

ufrisk commented 6 years ago

The BSOD problem isn't supposed to happen. It indicates a severe bug in the Dokany driver. It may be that a bug in PCILeech triggers the Dokany bug though; but PCILeech, as a user mode program, should not be able to bluescreen a computer.

Which version of Windows are you running? Which version of Dokany are you running? Any special Windows settings (such as Hyper-V, Credential Guard, Device Guard with Kernel Code Integrity enabled) that I should know about?

Also, is the BSOD problem dump specific? i.e. only some dumps are triggering it, or is it a general problem?

cizzac commented 6 years ago

I am running Dokany 1.1.0.2000, Windows 10 pro on version 1709 (build 16299.309). I do have Hyper-V enabled on the victim computer, will try with it off. The state of device guard was "not configured". Testsigning is off.

I have tried ~5 dumps, at least 3 have resulted in a BSOD, the others I encounter the BAD PT PAGE problem and it won't display or find any processes, but will mount fine with live memory (sometimes this works for a while, other times it will BSOD very quickly). I have only managed to make it work with a mounted proc system working once, but have then gotten a BSOD after ~30 sec. It may have worked more than once, but if so, resulted in an immediate BSOD.

ufrisk commented 6 years ago

I asked about the computer running PCILeech (the victim computer's setup isn't very interesting), sorry for not being clear about this.

The error occurs when using a dump file as well?

cizzac commented 6 years ago

Sorry for not making myself clear as well. Both the host and victim are configured the exact same, except the victim had Hyper-V enabled.

It happens when using dumps, and when just trying to do "pcileech mount -max 0x46effffff".

EDIT: Seems to have been caused by Kaspersky, which I should have foreseen. Sorry about that. Really appreciate the help though.