Infinite-Loop #15
I have a question: why do you set CycleProfiling to 1?

@Waterman178 Line 173 in cc698e7

What's the use of setting it to 1?
@Waterman178 I am just getting started with this library. The code I posted is basically the ExHook example written by @can1357 from the GitHub page, with only the initialization code moved to a function and the ability to initialize on a process without loading the driver several times. I did not modify the part where CycleProfiling is set.

Could you show me the exact result you are getting on the bare metal machine? Also, does the original ExHook work fine on the same machine?
@Waterman178 CycleProfiling set to 1 without the pointer being appropriately set in the _ETHREAD structure generates a #PF on exit-to-usermode.

Which pointer in ETHREAD?
_ETHREAD.Tcb.ThreadCounters |
Hi, these are the DbgPrints it spams out:

The normal ExHook you provided works, but I am not sure that the problem is in my code, because the exact same binaries work on the virtual machine.

OK, just tested a bit more. It seems like every real computer gets stuck in a loop with that code, while the same binaries work on all virtual machines I tested it on. So it even makes a difference whether you have the exact same OS on bare metal or virtual.

@can1357 I seem to have the same issues across my machines (AMD & Intel). Also tested on a Xeon processor machine.
Hey guys, I'm a little busy as I'm working on the presentation for ByePg and some personal projects right now, so I apologise for my late responses. As far as I got from this thread some sample code works on Virtual Machines but not on Baremetal?
@arannothc:
@ everyone:
Thanks! |
@can1357 Yes, I tried ExHook without any modifications.

For 1032 I just used it like an "own syscall" since it is unused. I will try later with a valid call. I will upload the project.

ExHook works perfectly in a VMware guest, but I have the same issue with my bare metal machine (AMD Ryzen 1800X with Windows 10 20H1, build number 19041.388). It gives me a triple fault about 2~5 seconds after loading ExHook. I tested ExceptionHookingDemo again with an 8c16t processor bare metal machine and got only 3 exceptions displayed in DbgView. It looks like some of the processors hang at KiCheckForFreezeExecution when dispatching the fault. BTW, I made an uninitialization/unload routine for ByePg and loaded/unloaded ExceptionHookingDemo multiple times. As the number of loads increases, fewer and fewer cores get the exception handled, and finally the whole system hangs at the 4th attempt.
Hello, I did some testing with the library. It seems good so far, although I have a little error.

I modified the ExHook like this. The reason is that the given sample can only activate on processes which are already running, so I moved the code for activation to the "InitTarget" function, which works so far. In main I activate it on a process ("activator.exe") through which I can then send a command (syscall 1032) once I want it to activate on another process ("notepad.exe").

The whole thing works on my cloud VM running Windows Server Datacenter 2019 1809 build. But when I test on my bare metal PCs (Win10 Pro/Home 1803/1909), on none of them does it work completely: it initializes successfully on activator.exe, but when that thing sends the 1032 syscall it gets stuck forever in the kernel code, spamming the DbgPrint of the SystemWideExceptionHandler and SysExitIntercept.