Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BSOD when ksm_hook_epage #29

Open
YangKi1902 opened this issue May 3, 2019 · 2 comments
Open

BSOD when ksm_hook_epage #29

YangKi1902 opened this issue May 3, 2019 · 2 comments

Comments

@YangKi1902
Copy link

YangKi1902 commented May 3, 2019
edited
Loading

Hello, i want to hook epage but i always got BSOD when do it, can you help me solve it?here my snippet:

PVOID hkMmMapIoSpace(
PHYSICAL_ADDRESS PhysicalAddress,
SIZE_T NumberOfBytes,
MEMORY_CACHING_TYPE CacheType
)
{
DbgPrint("hook mapio\n");
vcpu_vmfunc(EPTP_NORMAL, 0);
void *ret = MmMapIoSpace(PhysicalAddress, NumberOfBytes, CacheType);
vcpu_vmfunc(EPTP_EXHOOK, 0);
return ret;
}

then i hook epage after ksm ready :

RtlInitUnicodeString(&deviceLink, KSM_DOS_NAME);
if (NT_SUCCESS(status = IoCreateSymbolicLink(&deviceLink, &deviceName))) {
KSM_DEBUG_RAW("ready\n");
ksm->host_pgd = __readcr3();
ksm_hook_epage(MmMapIoSpace, hkMmMapIoSpace);
goto out;
}

then BSOD, here the log:

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 17763 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff80232e0f000 PsLoadedModuleList = 0xfffff8023322a790
Debug session time: Fri May 3 07:22:57.372 2019 (UTC + 7:00)
System Uptime: 0 days 0:03:14.058
Loading Kernel Symbols
.....................................Page 2002ed57e too large to be in the dump file.
Page 2002efe7d too large to be in the dump file.
..........................
....Page 2002fa078 too large to be in the dump file.
............................................................
................................................................
................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000a2`fb19b018). Type ".hh dbgerr001" for details
Loading unloaded module list
.........

  •                                                                         *

  •                    Bugcheck Analysis                                    *

  •                                                                         *

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc000001d, fffff8023813111c, ffff9605aba08080, 0}

Probably caused by : ksm.sys ( ksm!__vmx_vmcall+0 )

Followup: MachineOwner

1: kd> !analyze -v

  •                                                                         *

  •                    Bugcheck Analysis                                    *

  •                                                                         *

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: fffff8023813111c, The address that the exception occurred at
Arg3: ffff9605aba08080, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception

Debugging Details:

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER: Micro-Star International Co., Ltd.

SYSTEM_PRODUCT_NAME: GT72 2QD

SYSTEM_SKU: To be filled by O.E.M.

SYSTEM_VERSION: REV:0.C

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: E1781IMS.316

BIOS_DATE: 09/23/2015

BASEBOARD_MANUFACTURER: Micro-Star International Co., Ltd.

BASEBOARD_PRODUCT: MS-1781

BASEBOARD_VERSION: REV:0.C

DUMP_TYPE: 1

BUGCHECK_P1: ffffffffc000001d

BUGCHECK_P2: fffff8023813111c

BUGCHECK_P3: ffff9605aba08080

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.

FAULTING_IP:
ksm!__vmx_vmcall+0 [E:\Source\ksm\vmx.asm @ 287]
fffff802`3813111c 0f01c1 vmcall

EXCEPTION_PARAMETER1: ffff9605aba08080

BUGCHECK_STR: 0x1E_c000001d

CPU_COUNT: 8

CPU_MHZ: a86

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 47

CPU_STEPPING: 1

CPU_MICROCODE: 6,47,1,0 (F,M,S,R) SIG: 1D'00000000 (cache) 1D'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: NVDisplay.Container.exe

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: DESKTOP-6P18NJQ

ANALYSIS_SESSION_TIME: 05-03-2019 07:24:27.0595

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

DPC_STACK_BASE: FFFF938C8EE37FB0

LAST_CONTROL_TRANSFER: from fffff8023309d07e to fffff80232fc2730

FAILED_INSTRUCTION_ADDRESS:
ksm!__vmx_vmcall+0 [E:\Source\ksm\vmx.asm @ 287]
fffff802`3813111c 0f01c1 vmcall

STACK_TEXT:
ffff938c8ee36a38 fffff8023309d07e : 000000000000001e ffffffffc000001d fffff8023813111c ffff9605aba08080 : nt!KeBugCheckEx
ffff938c8ee36a40 fffff80232fcb222 : fffff802332f2000 fffff80232e0f000 0005be3c00a6e000 000000000010001f : nt!KiFatalExceptionHandler+0x22
ffff938c8ee36a80 fffff80232f24240 : ffff938c8ee370d0 0000000000000000 ffff938c8ee36ff0 0000000000000000 : nt!RtlpExecuteHandlerForException+0x12
ffff938c8ee36ab0 fffff80232e31ac4 : ffff938c8ee379e8 ffff938c8ee37730 ffff938c8ee379e8 ffff938c93bdf630 : nt!RtlDispatchException+0x430
ffff938c8ee37200 fffff80232fd3f42 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDispatchException+0x144
ffff938c8ee378b0 fffff80232fce78e : ffff960500000000 ffffad008836af08 0000000000000000 fffff80232ef68af : nt!KiExceptionDispatch+0xc2
ffff938c8ee37a90 fffff8023813111c : fffff802381312ba 0000000000400a02 0000000000000000 0000000000000000 : nt!KiInvalidOpcodeFault+0x30e
ffff938c8ee37c28 fffff802381312ba : 0000000000400a02 0000000000000000 0000000000000000 ffffad0088367f90 : ksm!__vmx_vmcall [E:\Source\ksm\vmx.asm @ 287]
ffff938c8ee37c30 fffff80232e88577 : ffffad0088367f80 ffff9605a0bbb000 ffff938c8ee37d60 0000000000000000 : ksm!__percpu___do_hook_page+0x1a [e:\source\ksm\epage.c @ 95]
ffff938c8ee37c60 fffff80232e87bbe : ffffad0088365180 0000000000000000 0000000000000002 0000000000000004 : nt!KiExecuteAllDpcs+0x2e7
ffff938c8ee37da0 fffff80232fc9595 : 0000000000000000 ffffad0088365180 ffff938c90617b40 0000000000000000 : nt!KiRetireDpcList+0x1ae
ffff938c8ee37fb0 fffff80232fc9380 : 0000000000000102 0000000000000000 00007ffad95897f0 0000000000000560 : nt!KxRetireDpcList+0x5
ffff938c90617a90 fffff80232fc8a6c : ffff9605aba08080 000000a2fbffca98 ffff938c90617a98 ffff9605aba7fc60 : nt!KiDispatchInterruptContinue
ffff938c90617ac0 00007ffad970995d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDpcInterrupt+0x2dc
000000a2fbffd470 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffa`d970995d

THREAD_SHA1_HASH_MOD_FUNC: a8a9c7b3fbf112c4a80644be074a7883be953ef0

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 93e92b7c547e03d379abd7930fd410f934b1f49c

THREAD_SHA1_HASH_MOD: 390a9432c7ea7ec685200dfa4bb581b24db674b6

FOLLOWUP_IP:
ksm!__vmx_vmcall+0 [E:\Source\ksm\vmx.asm @ 287]
fffff802`3813111c 0f01c1 vmcall

FAULT_INSTR_CODE: fc1010f

FAULTING_SOURCE_LINE: E:\Source\ksm\vmx.asm

FAULTING_SOURCE_FILE: E:\Source\ksm\vmx.asm

FAULTING_SOURCE_LINE_NUMBER: 287

FAULTING_SOURCE_CODE:
283: hlt ; not reached
284: jmp do_hlt
285: __vmx_entrypoint ENDP
286:

287: __vmx_vmcall PROC
288: ; assumes:
289: ; rcx = hypercall
290: ; rdx = data
291: vmcall
292: setna al

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: ksm!__vmx_vmcall+0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ksm

IMAGE_NAME: ksm.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5ccb89d0

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 0

FAILURE_BUCKET_ID: 0x1E_c000001d_BAD_IP_ksm!__vmx_vmcall

BUCKET_ID: 0x1E_c000001d_BAD_IP_ksm!__vmx_vmcall

PRIMARY_PROBLEM_CLASS: 0x1E_c000001d_BAD_IP_ksm!__vmx_vmcall

TARGET_TIME: 2019-05-03T00:22:57.000Z

OSBUILD: 17763

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2005-12-02 14:58:59

BUILDDATESTAMP_STR: 180914-1434

BUILDLAB_STR: rs5_release

BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME: 1031

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x1e_c000001d_bad_ip_ksm!__vmx_vmcall

FAILURE_ID_HASH: {dad81c61-e5b3-d117-68a0-fb68d4438f5e}

Followup: MachineOwner
@asamy
Copy link
Owner

asamy commented May 5, 2019
edited
Loading

Call ksm_subvert before, it's designed to be subverted on IOCTL not during init.

@YangKi1902
Copy link
Author

YangKi1902 commented May 5, 2019
edited
Loading

Hello, thank you for the help, im tried revert to original code andcall only ksm_subvert(disabled all features included epage hook) and got BSOD with code UNEXPECTED_KERNEL_MODE_TRAP. Im using Windows 10 1809 64 bit.

here my crash log :

  •                                                                         *

  •                    Bugcheck Analysis                                    *

  •                                                                         *

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, ffffe280d0320050, 667b97dfc0, fffff8013cc910e9}

Probably caused by : ksm.sys ( ksm!__vmx_entrypoint+72 )

Followup: MachineOwner

6: kd> !analyze -v

  •                                                                         *

  •                    Bugcheck Analysis                                    *

  •                                                                         *

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a portion of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: ffffe280d0320050
Arg3: 000000667b97dfc0
Arg4: fffff8013cc910e9

Debugging Details:

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER: Micro-Star International Co., Ltd.

SYSTEM_PRODUCT_NAME: GT72 2QD

SYSTEM_SKU: To be filled by O.E.M.

SYSTEM_VERSION: REV:0.C

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: E1781IMS.316

BIOS_DATE: 09/23/2015

BASEBOARD_MANUFACTURER: Micro-Star International Co., Ltd.

BASEBOARD_PRODUCT: MS-1781

BASEBOARD_VERSION: REV:0.C

DUMP_TYPE: 1

BUGCHECK_P1: 8

BUGCHECK_P2: ffffe280d0320050

BUGCHECK_P3: 667b97dfc0

BUGCHECK_P4: fffff8013cc910e9

BUGCHECK_STR: 0x7f_8

TRAP_FRAME: ffffe280d0320050 -- (.trap 0xffffe280d0320050)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000177b2f254d0 rbx=0000000000000000 rcx=00000177adc5f850
rdx=000000667b97dfc0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8013cc910e9 rsp=000000667b97dfc0 rbp=000000667b97dff9
r8=000000667b97df90 r9=0000000000000008 r10=00000fff6e09dd3a
r11=4444054044451144 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
ksm!__vmx_entrypoint+0x72:
fffff801`3cc910e9 50 push rax
Resetting default scope

CPU_COUNT: 8

CPU_MHZ: a86

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 47

CPU_STEPPING: 1

CPU_MICROCODE: 6,47,1,0 (F,M,S,R) SIG: 1D'00000000 (cache) 1D'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: dwm.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: DESKTOP-6P18NJQ

ANALYSIS_SESSION_TIME: 05-05-2019 22:03:35.0452

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

BAD_STACK_POINTER: 000000667b97dfc0

LAST_CONTROL_TRANSFER: from fffff8013d871d69 to fffff8013d8605e0

STACK_TEXT:
ffffe280d031ff08 fffff8013d871d69 : 000000000000007f 0000000000000008 ffffe280d0320050 000000667b97dfc0 : nt!KeBugCheckEx
ffffe280d031ff10 fffff8013d86cda8 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffe280d0320050 fffff8013cc910e9 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDoubleFaultAbort+0x2a8
000000667b97dfc0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ksm!__vmx_entrypoint+0x72 [E:\Source\ksm\vmx.asm @ 266]

THREAD_SHA1_HASH_MOD_FUNC: 76bf6036e3850bc1f1c3880a3d96f49d1734871f

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 33c805f8696fc28d484a99abbb9b3d0c33ccb23b

THREAD_SHA1_HASH_MOD: 4fcde6a05fca53c360ff3fc1f6d335a37fdc9cbe

FOLLOWUP_IP:
ksm!__vmx_entrypoint+72 [E:\Source\ksm\vmx.asm @ 266]
fffff801`3cc910e9 50 push rax

FAULT_INSTR_CODE: c3519d50

FAULTING_SOURCE_LINE: E:\Source\ksm\vmx.asm

FAULTING_SOURCE_FILE: E:\Source\ksm\vmx.asm

FAULTING_SOURCE_LINE_NUMBER: 266

FAULTING_SOURCE_CODE:
262:
263: ; Give them their stack pointer
264: mov rsp, rdx
265:

266: push rax
267: popfq ; eflags to indicate success
268:
269: push rcx ; return address (rip + instr len)
270: ret
271:

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: ksm!__vmx_entrypoint+72

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ksm

IMAGE_NAME: ksm.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5ccef969

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 72

FAILURE_BUCKET_ID: 0x7f_8_STACKPTR_ERROR_ksm!__vmx_entrypoint

BUCKET_ID: 0x7f_8_STACKPTR_ERROR_ksm!__vmx_entrypoint

PRIMARY_PROBLEM_CLASS: 0x7f_8_STACKPTR_ERROR_ksm!__vmx_entrypoint

TARGET_TIME: 2019-05-05T14:56:25.000Z

OSBUILD: 17763

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 180914-1434

BUILDLAB_STR: rs5_release

BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME: fde

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_stackptr_error_ksm!__vmx_entrypoint

FAILURE_ID_HASH: {e54130eb-8cc9-b505-6b94-54fc35ddda77}

Followup: MachineOwner

if you want to download my binary and pdb :
ksm.zip

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@asamy @YangKi1902