[Microwave89]

hi m5home!
While attempting to monitor the behavior of a PoC test of mine (a file which calls NtOpenProcess and NtGetNextThread) I experienced a BAD_POOL_CALLER BSOD.
The problem occurred while having the "Process Create & Exit", "Thread Create & Exit", and "Get Process & Thread Handle" options checked.
Although I tried to reproduce the crash I did not experience another, even when 30 min trying slightly different
workflows (still with only the above options) of using the behavior monitor.

However, I noticed a small bug which might have lead to this issue:
Initially, the status was "Monitor All Processes", however, since I only wanted to monitor my executable I tried to use the "Add PID(s) By Name" button
after which the monitor stated that I need to switch to "Monitor Specified Processes" status.
When I did I could enter the executable name (running already) and start monitoring.
If I afterwards clicked on "Clear Current Settings" (monitor was turned off) it deleted the PID and reset the status to "Monitor All Processes".
Thereafter, I was still able to retrieve a PID by name and to enter it.
Say, the "Add PID(s) By Name" button was still enabled and worked, thus I had a program state which you
initially (when switching to the tab "Behavior Monitor") managed to avoid.
Then I could even turn on the monitoring and it monitored either the process or all processes what I can't say for certain.

Another issue I noticed, is that I never saw any process/thread create/exit notifications of my process, but maybe that is correct
and it works only if the process starts or exits other processes.

Below, I have inserted a basic bugcheck analysis of WinDbg.
Additionally, I can provide you with a 660 MB dump file if you require further informations.

Code: Select all

Microsoft (R) Windows Debugger Version 10.0.10240.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16463.amd64fre.th1.150819-1946
Machine Name:
Kernel base = 0xfffff802`4d28a000 PsLoadedModuleList = 0xfffff802`4d5af030
Debug session time: Sun Sep 13 17:30:29.408 2015 (UTC + 2:00)
System Uptime: 0 days 0:53:54.444
Loading Kernel Symbols
.............................................................Page 10fd7a not present in the dump file. Type ".hh dbgerr004" for details
..
................................................................
......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff7`5885f018).  Type ".hh dbgerr001" for details
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 1254, 7c91a280, ffffe0007c91a290}

*** ERROR: Module load completed but symbols could not be loaded for WIN64AST.sys
Page 11edae not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : WIN64AST.sys ( WIN64AST+60a3 )

Followup:     MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001254, (reserved)
Arg3: 000000007c91a280, Memory contents of the pool block
Arg4: ffffe0007c91a290, Address of the block of pool being deallocated

Debugging Details:
------------------

Page 11edae not present in the dump file. Type ".hh dbgerr004" for details

SYSTEM_SKU:  System SKU#

SYSTEM_VERSION:  1.0

BIOS_DATE:  02/06/12

BASEBOARD_PRODUCT:  Mac-F42D86C8

BASEBOARD_VERSION:  Proto

BUGCHECK_P1: 7

BUGCHECK_P2: 1254

BUGCHECK_P3: 7c91a280

BUGCHECK_P4: ffffe0007c91a290

POOL_ADDRESS:  ffffe0007c91a290 Nonpaged pool

BUGCHECK_STR:  0xc2_7

CPU_COUNT: 2

CPU_MHZ: ae2

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: 6

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  rtsectiontest.

CURRENT_IRQL:  0

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

LAST_CONTROL_TRANSFER:  from fffff8024d4fdf05 to fffff8024d3d8240

STACK_TEXT:  
ffffd000`74840878 fffff802`4d4fdf05 : 00000000`000000c2 00000000`00000007 00000000`00001254 00000000`7c91a280 : nt!KeBugCheckEx
ffffd000`74840880 fffff800`e56f60a3 : ffffc001`645e4c20 00000000`0000001b ffffe000`7deb6701 00000000`0000007f : nt!ExFreePool+0x23d
ffffd000`74840960 fffff800`e56fc758 : fffff800`00000110 00000000`00000000 ffffffff`80001054 ffffe000`7deb6780 : WIN64AST+0x60a3
ffffd000`748409e0 fffff802`4d743e87 : ffffe000`7deb6780 fffff802`4d5e7418 00000000`00000001 ffffe000`7defc080 : WIN64AST+0xc758
ffffd000`74840a20 fffff802`4d7445d8 : ffffe000`7defc660 ffffd000`74840bd9 00000000`00000000 00000000`00000001 : nt!PspExitProcess+0x18b
ffffd000`74840a70 fffff802`4d72b32a : 00000000`c000001c ffffd000`74840b01 00007ff7`5885d000 ffffe000`7deb6780 : nt!PspExitThread+0x5b8
ffffd000`74840b70 fffff802`4d3e2863 : 00000000`00000efb 00000000`00000001 ffffe000`7defc080 ffffd000`74840cc0 : nt!NtTerminateProcess+0x11a
ffffd000`74840c40 00007ff9`ddd137ba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000033`2729f758 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`ddd137ba


STACK_COMMAND:  kb

FOLLOWUP_IP: 
WIN64AST+60a3
fffff800`e56f60a3 33d2            xor     edx,edx

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  WIN64AST+60a3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WIN64AST

IMAGE_NAME:  WIN64AST.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  55bdb697

BUCKET_ID_FUNC_OFFSET:  60a3

FAILURE_BUCKET_ID:  0xc2_7_VRF_WIN64AST!Unknown_Function

BUCKET_ID:  0xc2_7_VRF_WIN64AST!Unknown_Function

PRIMARY_PROBLEM_CLASS:  0xc2_7_VRF_WIN64AST!Unknown_Function

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc2_7_vrf_win64ast!unknown_function

FAILURE_ID_HASH:  {41f2cb66-70d6-4d38-a999-0d77fd8164c7}

Followup:     MachineOwner
---------

Best Regards

Microwave89

[m5home]

hi m5home!
While attempting to monitor the behavior of a PoC test of mine (a file which calls NtOpenProcess and NtGetNextThread) I experienced a BAD_POOL_CALLER BSOD.
The problem occurred while having the "Process Create & Exit", "Thread Create & Exit", and "Get Process & Thread Handle" options checked.
Although I tried to reproduce the crash I did not experience another, even when 30 min trying slightly different
workflows (still with only the above options) of using the behavior monitor.

However, I noticed a small bug which might have lead to this issue:
Initially, the status was "Monitor All Processes", however, since I only wanted to monitor my executable I tried to use the "Add PID(s) By Name" button
after which the monitor stated that I need to switch to "Monitor Specified Processes" status.
When I did I could enter the executable name (running already) and start monitoring.
If I afterwards clicked on "Clear Current Settings" (monitor was turned off) it deleted the PID and reset the status to "Monitor All Processes".
Thereafter, I was still able to retrieve a PID by name and to enter it.
Say, the "Add PID(s) By Name" button was still enabled and worked, thus I had a program state which you
initially (when switching to the tab "Behavior Monitor") managed to avoid.
Then I could even turn on the monitoring and it monitored either the process or all processes what I can't say for certain.

Another issue I noticed, is that I never saw any process/thread create/exit notifications of my process, but maybe that is correct
and it works only if the process starts or exits other processes.

Below, I have inserted a basic bugcheck analysis of WinDbg.
Additionally, I can provide you with a 660 MB dump file if you require further informations.

Code: Select all

Microsoft (R) Windows Debugger Version 10.0.10240.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16463.amd64fre.th1.150819-1946
Machine Name:
Kernel base = 0xfffff802`4d28a000 PsLoadedModuleList = 0xfffff802`4d5af030
Debug session time: Sun Sep 13 17:30:29.408 2015 (UTC + 2:00)
System Uptime: 0 days 0:53:54.444
Loading Kernel Symbols
.............................................................Page 10fd7a not present in the dump file. Type ".hh dbgerr004" for details
..
................................................................
......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff7`5885f018).  Type ".hh dbgerr001" for details
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 1254, 7c91a280, ffffe0007c91a290}

*** ERROR: Module load completed but symbols could not be loaded for WIN64AST.sys
Page 11edae not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : WIN64AST.sys ( WIN64AST+60a3 )

Followup:     MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001254, (reserved)
Arg3: 000000007c91a280, Memory contents of the pool block
Arg4: ffffe0007c91a290, Address of the block of pool being deallocated

Debugging Details:
------------------

Page 11edae not present in the dump file. Type ".hh dbgerr004" for details

SYSTEM_SKU:  System SKU#

SYSTEM_VERSION:  1.0

BIOS_DATE:  02/06/12

BASEBOARD_PRODUCT:  Mac-F42D86C8

BASEBOARD_VERSION:  Proto

BUGCHECK_P1: 7

BUGCHECK_P2: 1254

BUGCHECK_P3: 7c91a280

BUGCHECK_P4: ffffe0007c91a290

POOL_ADDRESS:  ffffe0007c91a290 Nonpaged pool

BUGCHECK_STR:  0xc2_7

CPU_COUNT: 2

CPU_MHZ: ae2

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: 6

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  rtsectiontest.

CURRENT_IRQL:  0

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

LAST_CONTROL_TRANSFER:  from fffff8024d4fdf05 to fffff8024d3d8240

STACK_TEXT:  
ffffd000`74840878 fffff802`4d4fdf05 : 00000000`000000c2 00000000`00000007 00000000`00001254 00000000`7c91a280 : nt!KeBugCheckEx
ffffd000`74840880 fffff800`e56f60a3 : ffffc001`645e4c20 00000000`0000001b ffffe000`7deb6701 00000000`0000007f : nt!ExFreePool+0x23d
ffffd000`74840960 fffff800`e56fc758 : fffff800`00000110 00000000`00000000 ffffffff`80001054 ffffe000`7deb6780 : WIN64AST+0x60a3
ffffd000`748409e0 fffff802`4d743e87 : ffffe000`7deb6780 fffff802`4d5e7418 00000000`00000001 ffffe000`7defc080 : WIN64AST+0xc758
ffffd000`74840a20 fffff802`4d7445d8 : ffffe000`7defc660 ffffd000`74840bd9 00000000`00000000 00000000`00000001 : nt!PspExitProcess+0x18b
ffffd000`74840a70 fffff802`4d72b32a : 00000000`c000001c ffffd000`74840b01 00007ff7`5885d000 ffffe000`7deb6780 : nt!PspExitThread+0x5b8
ffffd000`74840b70 fffff802`4d3e2863 : 00000000`00000efb 00000000`00000001 ffffe000`7defc080 ffffd000`74840cc0 : nt!NtTerminateProcess+0x11a
ffffd000`74840c40 00007ff9`ddd137ba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000033`2729f758 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`ddd137ba


STACK_COMMAND:  kb

FOLLOWUP_IP: 
WIN64AST+60a3
fffff800`e56f60a3 33d2            xor     edx,edx

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  WIN64AST+60a3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WIN64AST

IMAGE_NAME:  WIN64AST.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  55bdb697

BUCKET_ID_FUNC_OFFSET:  60a3

FAILURE_BUCKET_ID:  0xc2_7_VRF_WIN64AST!Unknown_Function

BUCKET_ID:  0xc2_7_VRF_WIN64AST!Unknown_Function

PRIMARY_PROBLEM_CLASS:  0xc2_7_VRF_WIN64AST!Unknown_Function

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc2_7_vrf_win64ast!unknown_function

FAILURE_ID_HASH:  {41f2cb66-70d6-4d38-a999-0d77fd8164c7}

Followup:     MachineOwner
---------

Best Regards

Microwave89

Thanks for your reply. I try to repair these bugs on next version.
The dump file cannot help me to locate the bug, because the driver file is protected by VMP, and VMP do not generate a new PDB file of protected BINARY file.
Besides, I guess WIN64AST run out of all memory, then cause BSOD.

[tcxyqs]

Good tool. Could you support WIN10 10525?

[m5home]

Good tool. Could you support WIN10 10525?

Not support any preview/beta version system.

[Microwave89]

Hi m5home,

Since I'm extensively using the behavior blocker function I noticed another BSOD that seems to be reproducible reliably.
The issue occurs if I attempt to create a process with an initial thread in it using the well known steps listed below.

NtCreateSection("csrss.exe")
NtCreateProcess
NtCreateThreadEx

Note that NtCreateProcess is supplied with a handle which is not the calling process pseudo handle but rather a notepad.exe process opened with only PROCESS_CREATE_PROCESS rights.
The issue itself is likely to be related to the remote thread creation since I get all behavior output including the process creation and before I get the message that the thread has been created the BSOD occurs.
For analyzing behavior I monitored my launcher process and notepad.exe, PID was filled using get pid by name option, monitoring was set to monitor all activity.

Below is a brief crash dump analysis.

Code: Select all

Microsoft (R) Windows Debugger Version 10.0.10240.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16545.amd64fre.th1.150930-1750
Machine Name:
Kernel base = 0xfffff802`1e416000 PsLoadedModuleList = 0xfffff802`1e73b070
Debug session time: Fri Nov  6 13:46:53.558 2015 (UTC + 1:00)
System Uptime: 0 days 0:04:58.603
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff7`8c4dd018).  Type ".hh dbgerr001" for details
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff8021e8f07f1, ffffd00073fd5470, 0}

*** ERROR: Module load completed but symbols could not be loaded for WIN64AST.sys
Page 112ce1 not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : WIN64AST.sys ( WIN64AST+1416 )

Followup:     MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8021e8f07f1, Address of the instruction which caused the bugcheck
Arg3: ffffd00073fd5470, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

Page 112ce1 not present in the dump file. Type ".hh dbgerr004" for details

SYSTEM_SKU:  System SKU#

SYSTEM_VERSION:  1.0

BIOS_DATE:  02/06/12

BASEBOARD_PRODUCT:  Mac-F42D86C8

BASEBOARD_VERSION:  Proto

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8021e8f07f1

BUGCHECK_P3: ffffd00073fd5470

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP: 
nt!RtlUnicodeStringToAnsiString+31
fffff802`1e8f07f1 0fb702          movzx   eax,word ptr [rdx]

CONTEXT:  ffffd00073fd5470 -- (.cxr 0xffffd00073fd5470)
rax=0000000000000f28 rbx=0000000000000000 rcx=ffffd00073fd5f10
rdx=0000000000000000 rsi=0000000000000001 rdi=ffffd00073fd5f10
rip=fffff8021e8f07f1 rsp=ffffd00073fd5e90 rbp=ffffe0005c783780
 r8=0000000000000001  r9=fffff78000000008 r10=7fffe0005ca8f358
r11=0000000000000000 r12=ffffe0005b3f2630 r13=0000000000000040
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!RtlUnicodeStringToAnsiString+0x31:
fffff802`1e8f07f1 0fb702          movzx   eax,word ptr [rdx] ds:002b:00000000`00000000=????
Resetting default scope

CPU_COUNT: 2

CPU_MHZ: ae2

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: 6

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  protproctest.e

CURRENT_IRQL:  0

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

LAST_CONTROL_TRANSFER:  from fffff80087f01416 to fffff8021e8f07f1

STACK_TEXT:  
ffffd000`73fd5e90 fffff800`87f01416 : ffffd000`73fd5f10 fffff800`89290d90 ffffe000`5b3f2601 ffffe000`5c924130 : nt!RtlUnicodeStringToAnsiString+0x31
ffffd000`73fd5ef0 fffff800`87f0c6ea : fffff800`8931eb60 ffff102d`00000000 00000000`00000000 ffffd000`73fd6000 : WIN64AST+0x1416
ffffd000`73fd5f30 fffff802`1e8b6107 : 00000000`00000007 ffffd000`73fd6290 fffff802`1e773458 ffffe000`5c924130 : WIN64AST+0xc6ea
ffffd000`73fd5f70 fffff802`1e8b3330 : ffffe000`5c70f800 00000000`00000000 ffffe000`58d57c01 ffffd000`73fd61f0 : nt!PspInsertThread+0x8b7
ffffd000`73fd6190 fffff802`1e8b2f19 : 00000000`00000000 ffffd000`73fd65f0 00000000`00000000 00000000`00000011 : nt!PspCreateThread+0x288
ffffd000`73fd6450 fffff802`1e56e963 : ffffe000`5c70f800 fffff802`1e846b2d ffffd000`73fd6be8 00000000`00000000 : nt!NtCreateThreadEx+0x201
ffffd000`73fd6bd0 00007ff9`1395402a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
0000009a`cb46fc28 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`1395402a


FOLLOWUP_IP: 
WIN64AST+1416
fffff800`87f01416 4c8b5c2428      mov     r11,qword ptr [rsp+28h]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  WIN64AST+1416

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WIN64AST

IMAGE_NAME:  WIN64AST.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  55bdb697

STACK_COMMAND:  .cxr 0xffffd00073fd5470 ; kb

BUCKET_ID_FUNC_OFFSET:  1416

FAILURE_BUCKET_ID:  0x3B_VRF_WIN64AST!Unknown_Function

BUCKET_ID:  0x3B_VRF_WIN64AST!Unknown_Function

PRIMARY_PROBLEM_CLASS:  0x3B_VRF_WIN64AST!Unknown_Function

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x3b_vrf_win64ast!unknown_function

FAILURE_ID_HASH:  {2c9a3243-5ccd-a6ab-8b95-480bdb2ea5ef}

Followup:     MachineOwner
---------

I won't provide you with a .dmp file due to VMProtect as you mentioned above.

I further noticed some cut operator names like e.g. "taskhostw.e" so there might as well be a string handling problem which might also be related to my computer's crash.

And I can't see any modules being displayed if I create a csrss.exe process with two csrss.exe and four ntdll.dll mapped in it, and then go to the process tab and view the csrss.exe process modules.
The initial thread is being displayed and the virtual memory view of your tool shows the different ntdlls.
Although that is not a common use case it might still hide malicious code from your tool by just overwriting one of the csrss.exe ntdlls with arbitrary code and exploiting that it is not being displayed...
I was thus not able to scan for patches or EAT/IAT hooks it just displayed that there weren't any modifications although the code successfully executed.


However, I'm looking forward to soon see a new version of your tool!


Kind regards,

Microwave89

[m5home]

Hi m5home,

Since I'm extensively using the behavior blocker function I noticed another BSOD that seems to be reproducible reliably.
The issue occurs if I attempt to create a process with an initial thread in it using the well known steps listed below.

NtCreateSection("csrss.exe")
NtCreateProcess
NtCreateThreadEx

Note that NtCreateProcess is supplied with a handle which is not the calling process pseudo handle but rather a notepad.exe process opened with only PROCESS_CREATE_PROCESS rights.
The issue itself is likely to be related to the remote thread creation since I get all behavior output including the process creation and before I get the message that the thread has been created the BSOD occurs.
For analyzing behavior I monitored my launcher process and notepad.exe, PID was filled using get pid by name option, monitoring was set to monitor all activity.

Below is a brief crash dump analysis.

Code: Select all

Microsoft (R) Windows Debugger Version 10.0.10240.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16545.amd64fre.th1.150930-1750
Machine Name:
Kernel base = 0xfffff802`1e416000 PsLoadedModuleList = 0xfffff802`1e73b070
Debug session time: Fri Nov  6 13:46:53.558 2015 (UTC + 1:00)
System Uptime: 0 days 0:04:58.603
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff7`8c4dd018).  Type ".hh dbgerr001" for details
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff8021e8f07f1, ffffd00073fd5470, 0}

*** ERROR: Module load completed but symbols could not be loaded for WIN64AST.sys
Page 112ce1 not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : WIN64AST.sys ( WIN64AST+1416 )

Followup:     MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8021e8f07f1, Address of the instruction which caused the bugcheck
Arg3: ffffd00073fd5470, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

Page 112ce1 not present in the dump file. Type ".hh dbgerr004" for details

SYSTEM_SKU:  System SKU#

SYSTEM_VERSION:  1.0

BIOS_DATE:  02/06/12

BASEBOARD_PRODUCT:  Mac-F42D86C8

BASEBOARD_VERSION:  Proto

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8021e8f07f1

BUGCHECK_P3: ffffd00073fd5470

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP: 
nt!RtlUnicodeStringToAnsiString+31
fffff802`1e8f07f1 0fb702          movzx   eax,word ptr [rdx]

CONTEXT:  ffffd00073fd5470 -- (.cxr 0xffffd00073fd5470)
rax=0000000000000f28 rbx=0000000000000000 rcx=ffffd00073fd5f10
rdx=0000000000000000 rsi=0000000000000001 rdi=ffffd00073fd5f10
rip=fffff8021e8f07f1 rsp=ffffd00073fd5e90 rbp=ffffe0005c783780
 r8=0000000000000001  r9=fffff78000000008 r10=7fffe0005ca8f358
r11=0000000000000000 r12=ffffe0005b3f2630 r13=0000000000000040
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!RtlUnicodeStringToAnsiString+0x31:
fffff802`1e8f07f1 0fb702          movzx   eax,word ptr [rdx] ds:002b:00000000`00000000=????
Resetting default scope

CPU_COUNT: 2

CPU_MHZ: ae2

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: 6

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  protproctest.e

CURRENT_IRQL:  0

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

LAST_CONTROL_TRANSFER:  from fffff80087f01416 to fffff8021e8f07f1

STACK_TEXT:  
ffffd000`73fd5e90 fffff800`87f01416 : ffffd000`73fd5f10 fffff800`89290d90 ffffe000`5b3f2601 ffffe000`5c924130 : nt!RtlUnicodeStringToAnsiString+0x31
ffffd000`73fd5ef0 fffff800`87f0c6ea : fffff800`8931eb60 ffff102d`00000000 00000000`00000000 ffffd000`73fd6000 : WIN64AST+0x1416
ffffd000`73fd5f30 fffff802`1e8b6107 : 00000000`00000007 ffffd000`73fd6290 fffff802`1e773458 ffffe000`5c924130 : WIN64AST+0xc6ea
ffffd000`73fd5f70 fffff802`1e8b3330 : ffffe000`5c70f800 00000000`00000000 ffffe000`58d57c01 ffffd000`73fd61f0 : nt!PspInsertThread+0x8b7
ffffd000`73fd6190 fffff802`1e8b2f19 : 00000000`00000000 ffffd000`73fd65f0 00000000`00000000 00000000`00000011 : nt!PspCreateThread+0x288
ffffd000`73fd6450 fffff802`1e56e963 : ffffe000`5c70f800 fffff802`1e846b2d ffffd000`73fd6be8 00000000`00000000 : nt!NtCreateThreadEx+0x201
ffffd000`73fd6bd0 00007ff9`1395402a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
0000009a`cb46fc28 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`1395402a


FOLLOWUP_IP: 
WIN64AST+1416
fffff800`87f01416 4c8b5c2428      mov     r11,qword ptr [rsp+28h]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  WIN64AST+1416

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WIN64AST

IMAGE_NAME:  WIN64AST.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  55bdb697

STACK_COMMAND:  .cxr 0xffffd00073fd5470 ; kb

BUCKET_ID_FUNC_OFFSET:  1416

FAILURE_BUCKET_ID:  0x3B_VRF_WIN64AST!Unknown_Function

BUCKET_ID:  0x3B_VRF_WIN64AST!Unknown_Function

PRIMARY_PROBLEM_CLASS:  0x3B_VRF_WIN64AST!Unknown_Function

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x3b_vrf_win64ast!unknown_function

FAILURE_ID_HASH:  {2c9a3243-5ccd-a6ab-8b95-480bdb2ea5ef}

Followup:     MachineOwner
---------

I won't provide you with a .dmp file due to VMProtect as you mentioned above.

I further noticed some cut operator names like e.g. "taskhostw.e" so there might as well be a string handling problem which might also be related to my computer's crash.

And I can't see any modules being displayed if I create a csrss.exe process with two csrss.exe and four ntdll.dll mapped in it, and then go to the process tab and view the csrss.exe process modules.
The initial thread is being displayed and the virtual memory view of your tool shows the different ntdlls.
Although that is not a common use case it might still hide malicious code from your tool by just overwriting one of the csrss.exe ntdlls with arbitrary code and exploiting that it is not being displayed...
I was thus not able to scan for patches or EAT/IAT hooks it just displayed that there weren't any modifications although the code successfully executed.


However, I'm looking forward to soon see a new version of your tool!


Kind regards,

Microwave89

Thank you for your feedback.

[m5home]

WIN64AST 1.10 BETA6 - Support WIN10-10586

Download URLs:
http://pan.baidu.com/s/1dEeXaTz
http://pan.baidu.com/s/1c1eZdfi (WITH .NET4 FRAMEWORK)
(If you do not have ID on this forum, you can download WIN64AST via these URLs)

[Al2x]

Hi !


I'm sorry to disturb you

I'm french , please excuse my english :lol:

So, i start WIN64ASP i have that : http://prntscr.com/asbwsu

So i double click and i have that when i load a driver : http://prntscr.com/asbxl3
My friend, is work and me not..


So, my friend tell me Windows 10 - 10500 don't work Kernel.
And my friend have W10 - 10200


So, if i download W7, kernel work?

[yong9885]

hi! m5home how to got VIP?

[m5home]

WIN64AST 1.10 BETA7 - Support WIN10-14393

Download URLs:
http://pan.baidu.com/s/1nvRfOdr
http://pan.baidu.com/s/1nvPJXxv (WITH .NET4 FRAMEWORK)
(If you do not have ID on this forum, you can download WIN64AST via these URLs)