Open celtic1990 opened 5 years ago
Hi, can you share dump/pdb or at least crash stack trace?
Hello, sorry for being slow... holiday with family :) This is my crash dump. I don't understand why it is crashing sometimes with some combinations and other times is OK. So weird. I'm just using a basic array for multiple pages and checking the address to return the correct page. I crash without even making a hook. I create ReadAligned and ExecuteAligned pages the same way as you do. Then I do mp::ipi_call to initialize the same way as you do. That is all I do to make this BSOD.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack
extents for the thread.
Arg2: ffffde0b94ea4870, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffde0b94ea47c8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804
SYSTEM_MANUFACTURER: HP
SYSTEM_PRODUCT_NAME: 860-010
SYSTEM_SKU: M9Z94AA#ABA
SYSTEM_VERSION: 1.04
BIOS_VENDOR: AMI
BIOS_VERSION: A0.07
BIOS_DATE: 10/26/2015
BASEBOARD_MANUFACTURER: HP
BASEBOARD_PRODUCT: 2B4B
BASEBOARD_VERSION: 1.04
DUMP_TYPE: 1
BUGCHECK_P1: 4
BUGCHECK_P2: ffffde0b94ea4870
BUGCHECK_P3: ffffde0b94ea47c8
BUGCHECK_P4: 0
TRAP_FRAME: cccccccccccccccc -- (.trap 0xcccccccccccccccc)
Unable to read trap frame at cccccccc`cccccccc
EXCEPTION_RECORD: cccccccccccccccc -- (.exr 0xcccccccccccccccc)
Cannot read Exception record @ cccccccccccccccc
CPU_COUNT: 8
CPU_MHZ: d50
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: C2'00000000 (cache) C2'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
BUGCHECK_STR: 0x139
PROCESS_NAME: taskhostw.exe
CURRENT_IRQL: e
DEFAULT_BUCKET_ID: FAIL_FAST_INCORRECT_STACK
WATSON_BKT_EVENT: BEX
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000004
ANALYSIS_SESSION_HOST: ADMIN
ANALYSIS_SESSION_TIME: 12-23-2018 11:37:55.0907
ANALYSIS_VERSION: 10.0.17763.1 amd64fre
BAD_STACK_POINTER: ffffde0b94ea4548
LAST_CONTROL_TRANSFER: from fffff803f224ac69 to fffff803f223a0a0
STACK_TEXT:
ffffde0b`94ea4548 fffff803`f224ac69 : 00000000`00000139 00000000`00000004 ffffde0b`94ea4870 ffffde0b`94ea47c8 : nt!KeBugCheckEx
ffffde0b`94ea4550 fffff803`f224b010 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : nt!KiBugCheckDispatch+0x69
ffffde0b`94ea4690 fffff803`f224961f : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : nt!KiFastFailDispatch+0xd0
ffffde0b`94ea4870 fffff803`f227c077 : ffffde0b`94ea5150 ffffde0b`94ea5150 cccccccc`cccccccc cccccccc`cccccccc : nt!KiRaiseSecurityCheckFailure+0x2df
ffffde0b`94ea4a00 fffff803`f214e770 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`00000003 cccccccc`cccccccc : nt!RtlpGetStackLimits+0x12c017
ffffde0b`94ea4a30 fffff803`f2150613 : ffffde0b`94ea5908 ffffde0b`94ea5650 ffffde0b`94ea5908 ffffde0b`94ea5ee9 : nt!RtlDispatchException+0x70
ffffde0b`94ea5120 fffff803`f224ad42 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : nt!KiDispatchException+0x1f3
ffffde0b`94ea57d0 fffff803`f22453d2 : fffff803`9a706de0 ffffde0b`94ea59d8 ffffde0b`94ea5ee9 fffff803`9a706de0 : nt!KiExceptionDispatch+0xc2
ffffde0b`94ea59b0 fffff803`9a6f18a3 : fffff803`9a6f15f9 00000000`00000000 00000000`02a009e3 ffffde0b`94ecf64a : nt!KiBreakpointTrap+0x2d2
ffffde0b`94ea5b40 fffff803`9a6f15f9 : 00000000`00000000 00000000`02a009e3 ffffde0b`94ecf64a ffffde0b`94ea5c49 : hvppdrv+0x18a3
ffffde0b`94ea5b48 fffff803`9a700dbd : ffffde0b`94ead000 00000000`02a00000 ffffde0b`94ea5e01 fffff803`f20ae733 : hvppdrv+0x15f9
ffffde0b`94ea5b78 fffff803`9a701a87 : ffffde0b`94ead000 00000000`02a00000 00000000`02a00000 00000001`fc560000 : hvppdrv+0x10dbd
ffffde0b`94ea5c08 fffff803`9a6f3556 : ffffde0b`94ead000 00000000`02a00000 00000000`02a00000 00000000`02b4f000 : hvppdrv+0x11a87
ffffde0b`94ea5c38 fffff803`9a6f7bc6 : ffffde0b`94eaf210 ffffde0b`94e9e000 cccccccc`cccccccc cccccccc`cccccccc : hvppdrv+0x3556
ffffde0b`94ea5de8 fffff803`9a6f19b6 : ffffde0b`94eaf210 ffffde0b`94e9e000 cccccccc`cccccccc cccccccc`cccccccc : hvppdrv+0x7bc6
ffffde0b`94ea5e38 fffff803`9a6f1b8e : ffffde0b`94ea5f28 ffffde0b`94eaf210 cccccccc`00000002 cccccccc`cccccccc : hvppdrv+0x19b6
ffffde0b`94ea5e78 fffff803`9a6f1ea5 : ffffde0b`94eaf210 ffffde0b`94ea5f28 00000000`00006800 00000000`00000246 : hvppdrv+0x1b8e
ffffde0b`94ea5ec8 fffff803`9a6f2881 : ffffde0b`94eaf210 ffffde0b`94ea5f28 cccccccc`00006820 00000000`00000246 : hvppdrv+0x1ea5
ffffde0b`94ea5f08 fffff803`9a702978 : ffffde0b`94eaf000 ffffde0b`94e9e000 cccccccc`cccccccc cccccccc`cccccccc : hvppdrv+0x2881
ffffde0b`94ea5f48 fffff803`9a705f32 : ffffde0b`94e9e000 00000000`00000002 ffffde0b`94ea6000 fffff803`9a704e59 : hvppdrv+0x12978
ffffde0b`94ea5fb8 fffff803`9a701fef : fffff803`9a6f8027 ffffde0b`94eaf000 bfebfbff`7ffafbff 00000000`00000007 : hvppdrv+0x15f32
ffff8180`5bbd5d58 fffff803`9a6f8027 : ffffde0b`94eaf000 bfebfbff`7ffafbff 00000000`00000007 ffffde0b`94e9e000 : hvppdrv+0x11fef
ffff8180`5bbd5d60 fffff803`9a6f7dad : ffffde0b`94e26000 00000000`00000000 00000000`00000000 00000000`00000000 : hvppdrv+0x8027
ffff8180`5bbd5d90 fffff803`9a6f7c85 : 00000000`00000000 fffff084`e97725d8 00000000`00000246 fffff803`f2005fc2 : hvppdrv+0x7dad
ffff8180`5bbd5de0 fffff803`9a705067 : fffff084`e97725d8 00000000`00000091 ffff8180`00000002 ffff8180`5bbd5e80 : hvppdrv+0x7c85
ffff8180`5bbd5e10 fffff803`9a704ff5 : 00000000`00000000 fffff084`e9772558 00000000`00000000 00000000`00000000 : hvppdrv+0x15067
ffff8180`5bbd5e70 fffff803`f21fbdee : fffff084`e9772558 00000000`00000000 00000000`00000000 00000000`00000000 : hvppdrv+0x14ff5
ffff8180`5bbd5ea0 fffff803`f21983b5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIpiGenericCallTarget+0x1e
ffff8180`5bbd5ed0 fffff803`f2240cb0 : 80000002`cb961867 00000000`00000001 fffff401`11acba18 00000000`ffffffff : nt!KiIpiProcessRequests+0x2e5
ffff8180`5bbd5fb0 fffff803`f2240a18 : fffff084`ec976eb0 00000000`00000000 00000000`00000000 00000000`c0000503 : nt!KiIpiInterruptSubDispatch+0x80
fffff084`ec976c40 fffff803`f20db56a : ffffde0b`8ea0d580 ffffde0b`8ea0d640 fffff47a`0088d658 0a000001`fedef867 : nt!KiIpiInterrupt+0x2d8
fffff084`ec976dd0 fffff803`f255888b : 00000000`00000000 ffffde0b`00000000 ffffde0b`8eaf0440 fffff803`f258b942 : nt!MiDecommitPages+0x7fa
fffff084`ec977800 fffff803`f2557ec9 : 00000000`00000000 ffffde0b`8eb7a9c0 00000000`00014000 ffffde0b`8eaf0440 : nt!MiDecommitRegion+0x6b
fffff084`ec977870 fffff803`f2557bdb : fffff084`ec9779a8 00000000`00003a98 00000223`4f5a3010 00000000`7ffe0386 : nt!MmFreeVirtualMemory+0x2b9
fffff084`ec9779a0 fffff803`f224a743 : ffffde0b`8eaf0440 ffffde0b`8a2e2e00 000000d1`8c6ffb48 fffff084`ec977a80 : nt!NtFreeVirtualMemory+0x8b
fffff084`ec977a00 00007ffb`85dfad64 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000d1`8c6ff858 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`85dfad64
THREAD_SHA1_HASH_MOD_FUNC: d9e6bd216827dbd9b81dc0cf3f5e9b41e9d60c89
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 40d318a4b8897ea1c245269f5c869830f0a39350
THREAD_SHA1_HASH_MOD: 85c614d6cc2e66c6e3f56d530daa7e2e8df77bae
FOLLOWUP_IP:
hvppdrv+18a3
fffff803`9a6f18a3 c3 ret
FAULT_INSTR_CODE: ccccccc3
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: hvppdrv+18a3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hvppdrv
IMAGE_NAME: hvppdrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5c1f7228
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 18a3
FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_STACKPTR_ERROR_hvppdrv!unknown_function
BUCKET_ID: 0x139_MISSING_GSFRAME_STACKPTR_ERROR_hvppdrv!unknown_function
PRIMARY_PROBLEM_CLASS: 0x139_MISSING_GSFRAME_STACKPTR_ERROR_hvppdrv!unknown_function
TARGET_TIME: 2018-12-23T11:31:58.000Z
OSBUILD: 17134
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 784
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2018-12-13 22:53:05
BUILDDATESTAMP_STR: 180410-1804
BUILDLAB_STR: rs4_release
BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804
ANALYSIS_SESSION_ELAPSED_TIME: 15c9
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_missing_gsframe_stackptr_error_hvppdrv!unknown_function
FAILURE_ID_HASH: {8b137560-657b-d427-f4ef-878942e298a1}
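Reading a `!analyze -v` STACK_TEXT listing like the one above by hand is tedious. The helper below is an added example for this thread, not code from hvpp or from the reporter: it parses the frames, finds the first frame that lands inside the third-party module, flags every point where the child stack pointer jumps to a different stack region (the listing above crosses three regions, which is what a bugcheck 0x139 with argument 1 = 4, "stack pointer outside the legal stack extents", is about), and decodes FAULT_INSTR_CODE into the instruction bytes at FOLLOWUP_IP. The embedded frames are an excerpt copied from the dump above; the 64 KiB switch threshold and the small FAST_FAIL code table are assumptions noted in the code.

```python
"""Helpers for reading a WinDbg `!analyze -v` STACK_TEXT listing.

Added example for this issue thread; not part of hvpp and not the reporter's
code. The sample frames are copied verbatim from the crash dump above, with
intermediate frames dropped for brevity.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: excerpt of the STACK_TEXT section of the dump in this thread.
SAMPLE_STACK_TEXT = """
ffffde0b`94ea4548 fffff803`f224ac69 : 00000000`00000139 00000000`00000004 ffffde0b`94ea4870 ffffde0b`94ea47c8 : nt!KeBugCheckEx
ffffde0b`94ea4870 fffff803`f227c077 : ffffde0b`94ea5150 ffffde0b`94ea5150 cccccccc`cccccccc cccccccc`cccccccc : nt!KiRaiseSecurityCheckFailure+0x2df
ffffde0b`94ea59b0 fffff803`9a6f18a3 : fffff803`9a6f15f9 00000000`00000000 00000000`02a009e3 ffffde0b`94ecf64a : nt!KiBreakpointTrap+0x2d2
ffffde0b`94ea5b40 fffff803`9a6f15f9 : 00000000`00000000 00000000`02a009e3 ffffde0b`94ecf64a ffffde0b`94ea5c49 : hvppdrv+0x18a3
ffffde0b`94ea5fb8 fffff803`9a701fef : fffff803`9a6f8027 ffffde0b`94eaf000 bfebfbff`7ffafbff 00000000`00000007 : hvppdrv+0x15f32
ffff8180`5bbd5d58 fffff803`9a6f8027 : ffffde0b`94eaf000 bfebfbff`7ffafbff 00000000`00000007 ffffde0b`94e9e000 : hvppdrv+0x11fef
ffff8180`5bbd5e70 fffff803`f21fbdee : fffff084`e9772558 00000000`00000000 00000000`00000000 00000000`00000000 : hvppdrv+0x14ff5
ffff8180`5bbd5ea0 fffff803`f21983b5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIpiGenericCallTarget+0x1e
fffff084`ec976c40 fffff803`f20db56a : ffffde0b`8ea0d580 ffffde0b`8ea0d640 fffff47a`0088d658 0a000001`fedef867 : nt!KiIpiInterrupt+0x2d8
fffff084`ec977a00 00007ffb`85dfad64 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000d1`8c6ff858 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`85dfad64
"""

# One STACK_TEXT frame: child SP, return address, four stack arguments, symbol.
FRAME_RE = re.compile(
    r"^(?P<sp>[0-9a-f]{8}`[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8}`[0-9a-f]{8})\s+:\s+"
    r"(?P<args>(?:[0-9a-f]{8}`[0-9a-f]{8}\s+){4}):\s+(?P<sym>\S+)$"
)

# Subset of the FAST_FAIL_* codes reported in bugcheck 0x139 argument 1
# (assumed from winnt.h; only the two values relevant to this discussion).
FAST_FAIL_CODES = {
    3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
    4: "FAST_FAIL_INCORRECT_STACK (stack pointer outside the thread's legal stack extents)",
}

# Assumed: consecutive child SPs that differ by more than this are on different stacks.
STACK_SWITCH_THRESHOLD = 0x10000


@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    symbol: str

    @property
    def module(self) -> str:
        # "nt!KeBugCheckEx" -> "nt", "hvppdrv+0x18a3" -> "hvppdrv"
        return self.symbol.split("!")[0].split("+")[0]


def parse_stack_text(text: str) -> list[Frame]:
    """Turn STACK_TEXT lines into Frame objects, ignoring anything that is not a frame."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        sp = int(m.group("sp").replace("`", ""), 16)
        ret = int(m.group("ret").replace("`", ""), 16)
        frames.append(Frame(sp, ret, m.group("sym")))
    return frames


def first_frame_in_module(frames: list[Frame], module: str) -> Frame | None:
    """Topmost frame (closest to the bugcheck) that belongs to the given module."""
    return next((f for f in frames if f.module == module), None)


def stack_switches(frames: list[Frame], threshold: int = STACK_SWITCH_THRESHOLD):
    """(index, previous SP, new SP) for each frame whose child SP left the previous stack region.

    During a normal unwind the child SP only grows by small amounts; a large jump
    means execution moved between stacks (user stack, interrupt/IPI stack, a
    driver's private stack), which is relevant for an INCORRECT_STACK fail-fast.
    """
    return [
        (i, frames[i - 1].child_sp, frames[i].child_sp)
        for i in range(1, len(frames))
        if abs(frames[i].child_sp - frames[i - 1].child_sp) > threshold
    ]


def decode_fault_instr_code(code: str) -> list[int]:
    """FAULT_INSTR_CODE is a little-endian dword of the bytes at FOLLOWUP_IP."""
    return list(int(code, 16).to_bytes(4, "little"))


def summarize(text: str, module: str, fast_fail_code: int, fault_instr_code: str) -> dict:
    frames = parse_stack_text(text)
    culprit = first_frame_in_module(frames, module)
    return {
        "reason": FAST_FAIL_CODES.get(fast_fail_code, f"unknown FAST_FAIL code {fast_fail_code}"),
        "first_module_frame": culprit.symbol if culprit else None,
        "stack_switches": [(hex(a), hex(b)) for _, a, b in stack_switches(frames)],
        "followup_bytes": [f"{b:02x}" for b in decode_fault_instr_code(fault_instr_code)],
    }


if __name__ == "__main__":
    # Values taken from the dump above: arg1 = 4, FAULT_INSTR_CODE = ccccccc3.
    for key, value in summarize(SAMPLE_STACK_TEXT, "hvppdrv", 4, "ccccccc3").items():
        print(f"{key}: {value}")
```

Run stand-alone it reports the first hvppdrv frame (`hvppdrv+0x18a3`), three stack switches (thread stack at `ffffde0b...` to the IPI stack at `ffff8180...`, then to `fffff084...`, then to the user-mode stack `000000d1...`), and the followup bytes `c3 cc cc cc`, i.e. a `ret` followed by `int3` padding; since `nt!KiBreakpointTrap` returns into `hvppdrv+0x18a3`, the trap was raised by the byte just before that address.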
@wbenny If you would like to re-create this on Windows 10, you can shadow NtCreateFile and NtQueryValueKey in the kernel at the same time and it should make a BSOD. NtQueryValueKey is not exported; it is index 0x17 of the SSDT in Windows 10. I can upload the project with my change if you wish. Sorry to annoy, I just wish to learn why. =)
You can try gbhv.
gbhv doesn't even seem to run for me, just immediately bluescreens.
Not trying to be smug, but I honestly tried it out. HyperPlatform / DdiMon seemed to work pretty well though.
Hi guys. I am having a weird issue; I wonder if anyone else has experienced it. Sorry for my poor English.
I am making multiple hooks on kernel functions. The hooks work OK. I make multiple shadow pages and all works OK. But when I try to hide a certain combination of pages, I get a BSOD with KERNEL_SECURITY_CHECK_FAILURE and have no idea why.
From my Debug Output:
The combination of the last 2 is causing the BSOD. Other combinations are OK. But 3 and 4 in the picture together make a BSOD. But all Debug addresses look normal to me? I am not understanding why they cannot work together.
@wbenny Can you advise me, master? 👍 🥇