A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #5916  by R00tKit
 Wed Apr 13, 2011 9:10 am
Hi,

I use the following code to attach to our process for dumping purposes,

but it shows a BSOD: IRQL_NOT_LESS_OR_EQUAL.

I call Dump(pid) in DriverEntry.
PEPROCESS ep=NULL;

NTSTATUS ret;
KAPC_STATE *ka_state=NULL;

ret=PsLookupProcessByProcessId((HANDLE)pid,&ep);

if(!NT_SUCCESS(ret))
{
    //ERR DISPLAY TBD
    DbgPrint("error 1");
    return ret;
}

ka_state=(KAPC_STATE*)ExAllocatePoolWithTag(NonPagedPool,sizeof(KAPC_STATE),'trak');

if(!ka_state)
{
    DbgPrint(" ka_state is null");
    return ;
}
else  KeStackAttachProcess(&ep,ka_state);

DbgPrint("Calling process name is: %s\n", PsGetProcessImageFileName(PsGetCurrentProcess()));

DbgPrint("ok");
KeUnstackDetachProcess(ka_state);
ExFreePool(ka_state);

ObDereferenceObject(ep);
     
Fatal System Error: 0x0000000a
(0x00000000,0x00000002,0x00000001,0x804F74E9)
I debugged it with WinDbg:
FAULTING_SOURCE_CODE:
89: KeStackAttachProcess(&ep,ka_state);
90:
91:
92:
> 93: DbgPrint("Calling process name is: %s\n", PsGetProcessImageFileName(PsGetCurrentProcess()));
94:
95:
96: DbgPrint("ok");
97: KeUnstackDetachProcess(ka_state);
98: ExFreePool(ka_state);
What can I do? Removing the line 93 code doesn't solve the BSOD problem!
Last edited by R00tKit on Wed Apr 13, 2011 11:47 am, edited 1 time in total.
 #5920  by EP_X0FF
 Wed Apr 13, 2011 11:10 am
From where did you copy-paste this ugly piece of crappy code?

wtf is that?
if(PASSIVE_LEVEL != KeGetCurrentIrql())
This function runs at IRQL < DISPATCH_LEVEL. Are you calling it from an ISR? No.
NTSTATUS Dump(UINT32 pid)
return 0xffffffff ;
What is that? If it's declared as NTSTATUS then please return an NTSTATUS, not unknown bs.
MSDN wrote:If the call to PsLookupProcessByProcessId is successful, PsLookupProcessByProcessId increases the reference count on the object returned in the Process parameter. Consequently, when a driver has completed using the Process parameter, the driver must call ObDereferenceObject to dereference the Process parameter received from the PsLookupProcessByProcessId routine.
ka_state
And what if it's NULL?
PsGetProcessImageFileName
Returns EPROCESS->ImageFileName; what is the deep sense in switching context to get data from a kernel-mode object?
 #5923  by R00tKit
 Wed Apr 13, 2011 11:52 am
Thanks.

Code changed!

I found the code at http://www.codeproject.com/KB/system/Ri ... play=Print

and it is only for proof of concept;
changing the process context is not my idea.

GamingMasteR:
1- ExAcquireRundownProtection on the target process to avoid termination while reading its VM.
2- Attach the current thread to the context of the target process using "KeStackAttachProcess"; now you can access the target process VM from the current thread.
3- Divide the memory to read into pieces of length PAGE_SIZE and check whether each is resident, using "ProbeForRead" wrapped in __try/__except.
4- RtlCopyMemory from the process VM into a system buffer.
5- KeUnstackDetachProcess.
6- RtlCopyMemory from the system buffer to our process buffer and free the system buffer.
7- ExReleaseRundownProtection.
Add your own protection & assertion macros, like checking for valid addresses, parameters, access violations, etc.

So how can I solve the BSOD?
 #5924  by Alex
 Wed Apr 13, 2011 12:14 pm
Definitely this is a bad example. Its author doesn't care about basic rules:
ka_state=ExAllocatePoolWithTag(NonPagedPool,sizeof(KAPC_STATE),'tsak');

//should be:
ka_state=ExAllocatePoolWithTag(NonPagedPool,sizeof(KAPC_STATE),'tsak');

if(ka_state) {
// buffer allocated


if ( !MmIsAddressValid((ULONG *) peb) )
{
   //ERR DISPLAY TBD
   return fADDR;
}

//should be:
if(peb != NULL && (ULONG_PTR)peb < MmUserProbeAddress)
{
  __try
  {
     ProbeForRead(peb, sizeof(PEB), sizeof(UCHAR));
  }
  __except(EXCEPTION_EXECUTE_HANDLER) {}
}
else
   // don't forget to dereference the object (the process), detach from the process and free the pool...
Please post complete and corrected code...

Also add this declaration:
extern PUCHAR PsGetProcessImageFileName(
    IN PEPROCESS Process
);
 #5925  by R00tKit
 Wed Apr 13, 2011 12:26 pm
Alex wrote:Please post complete and corrected code...
I call this function in DriverEntry:
NTSTATUS Dump(UINT32 pid)
{
    PEPROCESS ep=NULL;

    NTSTATUS ret;
    KAPC_STATE *ka_state=NULL;

    ret=PsLookupProcessByProcessId((HANDLE)pid,&ep);

    if(!NT_SUCCESS(ret))
    {
        //ERR DISPLAY TBD
        DbgPrint("error 1");
        return ret;
    }

    ka_state=(KAPC_STATE*)ExAllocatePoolWithTag(NonPagedPool,sizeof(KAPC_STATE),'trak');

    if(!ka_state)
    {
        DbgPrint(" ka_state is null");
        return ;
    }
    else  KeStackAttachProcess(&ep,ka_state);

    DbgPrint("Calling process name is: %s\n", PsGetProcessImageFileName(PsGetCurrentProcess()));

    DbgPrint("ok");
    KeUnstackDetachProcess(ka_state);
    ExFreePool(ka_state);

    ObDereferenceObject(ep);
}
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high
.trap 0xfffffffff8afdbb4
ErrCode = 00000002
eax=823c5080 ebx=f8afdc68 ecx=f8afdca8 edx=00000000 esi=823c5020 edi=823c5054
eip=804f74e9 esp=f8afdc28 ebp=f8afdc34 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!KiAttachProcess+0xb1:
804f74e9 8902 mov dword ptr [edx],eax ds:0023:00000000=????????
It results in a BSOD. How do I fix it?
I use this code to switch context and dump our target process! If this is not a good idea, how can I do it?
 #5926  by EP_X0FF
 Wed Apr 13, 2011 1:24 pm
You are passing wrong parameters to KeStackAttachProcess.

Put that skiddie article from CodeProject in the recycle bin.

This BSOD and the other errors are a perfect example of "copy-paste" without knowing what you do/copy-pasted.

The original crapcode looks like this:
KeStackAttachProcess(&(ep->Pcb),ka_state);
You are doing:
KeStackAttachProcess(&ep,ka_state);
Pcb is a KPROCESS, so that's why & is used there.

You are taking & of a PEPROCESS, which is actually a pointer to the opaque EPROCESS structure. So basically you are performing an attach to the address of a variable.
 #5927  by Alex
 Wed Apr 13, 2011 2:59 pm
The original declaration of KeStackAttachProcess is:
NTKERNELAPI
VOID
KeStackAttachProcess (
    __inout PRKPROCESS PROCESS,
    __out PRKAPC_STATE ApcState
    );
but you can change it to:
VOID KeStackAttachProcess(
    IN PEPROCESS Process,
    OUT PKAPC_STATE ApcState
);
It doesn't change the fact that this function takes a pointer to the process object, in contrast to PsLookupProcessByProcessId, which takes a pointer to a pointer.
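A worked version of the routine this thread is circling around, added here as an example; it is not code from the thread, from GamingMasteR, or from the CodeProject article. It implements steps 3, 4 and 6 of the list quoted in #5923 (page-wise guarded copy into a system buffer) and, behind a `KM_BUILD` macro that is this example's own assumption for a WDK project, the corrected attach sequence from #5926 and #5927: `PsLookupProcessByProcessId` gets `&Process`, `KeStackAttachProcess` gets `Process` itself, and the `KAPC_STATE` lives on the stack instead of in pool. The names `DumpProcessRange`, `CopyRangeByPage`, `KmCopyPiece`, `UmCopyPiece`, `DemoDump` and the globals `g_vm`, `g_sys`, `g_copied` are invented for the example, as is the four-page fake address space the user-mode build runs against. Rundown protection (steps 1 and 7) is left out because it needs the undocumented EPROCESS.RundownProtect offset.

```c
/* Added example; KM_BUILD is an assumed macro for a WDK build, else plain C. */
#ifdef KM_BUILD
#include <ntddk.h>
#else
#include <stdint.h>
#include <string.h>
/* user-mode stand-ins for the few kernel definitions used below */
typedef long NTSTATUS;
typedef unsigned char UCHAR, *PUCHAR;
typedef size_t SIZE_T; typedef uintptr_t ULONG_PTR;
#define PAGE_SIZE 4096u
#define STATUS_SUCCESS      ((NTSTATUS)0x00000000L)
#define STATUS_PARTIAL_COPY ((NTSTATUS)0x8000000DL)   /* value from ntstatus.h */
#define RtlZeroMemory(d, n) memset((d), 0, (n))
#endif

/* Per-piece copy; a piece never crosses a page; 0 means unreadable. */
typedef int (*COPY_PIECE_FN)(void *Ctx, PUCHAR Dst, PUCHAR Src, SIZE_T Len);

/* Walk [Src, Src+Len) in pieces cut at page boundaries so one bad page costs
 * only that page: it becomes a zero hole and the caller gets STATUS_PARTIAL_COPY. */
NTSTATUS CopyRangeByPage(PUCHAR Src, SIZE_T Len, PUCHAR SysBuf,
                         COPY_PIECE_FN CopyPiece, void *Ctx, SIZE_T *BytesCopied)
{
    SIZE_T done = 0, copied = 0;
    while (done < Len) {
        PUCHAR cur = Src + done;
        SIZE_T inPage = PAGE_SIZE - ((ULONG_PTR)cur & (PAGE_SIZE - 1));
        SIZE_T piece = (Len - done < inPage) ? (Len - done) : inPage;
        if (CopyPiece(Ctx, SysBuf + done, cur, piece))
            copied += piece;
        else
            RtlZeroMemory(SysBuf + done, piece);
        done += piece;
    }
    *BytesCopied = copied;       /* bytes actually read, holes excluded */
    return (copied == Len) ? STATUS_SUCCESS : STATUS_PARTIAL_COPY;
}

#ifdef KM_BUILD
/* ProbeForRead only checks the range lies below MmUserProbeAddress; the fault
 * on an unmapped page comes from the copy itself, so both sit in the __try. */
static int KmCopyPiece(void *Ctx, PUCHAR Dst, PUCHAR Src, SIZE_T Len)
{
    UNREFERENCED_PARAMETER(Ctx);
    __try {
        ProbeForRead(Src, Len, sizeof(UCHAR));
        RtlCopyMemory(Dst, Src, Len);
        return 1;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return 0;
    }
}

/* Corrected shape of the thread's Dump(): lookup takes PEPROCESS*, attach takes
 * the PEPROCESS itself, KAPC_STATE lives on the stack, the lookup's reference is
 * dropped on every path. SysBuf must be a kernel buffer (visible while attached). */
NTSTATUS DumpProcessRange(HANDLE Pid, PVOID UserBase, SIZE_T Len,
                          PVOID SysBuf, SIZE_T *BytesCopied)
{
    PEPROCESS Process = NULL;
    KAPC_STATE ApcState;
    NTSTATUS status;
    PAGED_CODE();                       /* attach requires IRQL <= APC_LEVEL */
    status = PsLookupProcessByProcessId(Pid, &Process);
    if (!NT_SUCCESS(status))
        return status;
    KeStackAttachProcess(Process, &ApcState);
    status = CopyRangeByPage((PUCHAR)UserBase, Len, (PUCHAR)SysBuf,
                             KmCopyPiece, NULL, BytesCopied);
    KeUnstackDetachProcess(&ApcState);
    ObDereferenceObject(Process);
    return status;
}
#else
/* Constructed target: four page-aligned pages holding (page + 1) in every byte. */
static UCHAR g_vm[4 * PAGE_SIZE] __attribute__((aligned(4096)));
UCHAR g_sys[3 * PAGE_SIZE];
SIZE_T g_copied;

static int UmCopyPiece(void *Ctx, PUCHAR Dst, PUCHAR Src, SIZE_T Len)
{
    (void)Ctx;
    ULONG_PTR off = (ULONG_PTR)Src - (ULONG_PTR)g_vm;
    if (off >= sizeof g_vm || off + Len > sizeof g_vm || off / PAGE_SIZE == 2)
        return 0;                       /* page 2 is "unmapped": what __except reports */
    memcpy(Dst, Src, Len);
    return 1;
}

/* Dump three pages starting 100 bytes into page 0: short first piece, zero hole for page 2. */
NTSTATUS DemoDump(void)
{
    for (SIZE_T i = 0; i < sizeof g_vm; i++)
        g_vm[i] = (UCHAR)(i / PAGE_SIZE + 1);
    return CopyRangeByPage(g_vm + 100, 3 * PAGE_SIZE, g_sys,
                           UmCopyPiece, NULL, &g_copied);
}
#endif
```

In the user-mode build, `DemoDump` reads 12288 bytes from an unaligned start: the first piece is 3996 bytes (the rest of page 0), page 1 is whole, page 2 is unreadable and lands in `g_sys` as zeros, and the last 100 bytes come from page 3, so 8192 bytes are really read and the status is STATUS_PARTIAL_COPY. Zero-filling holes rather than aborting is a design choice for dumping: a PE image with a gap is still something you can inspect, and the byte count tells you how much of it is real. In the driver, step 6 (copying `SysBuf` to the caller's own buffer) belongs after `KeUnstackDetachProcess`, because while attached the current thread sees the target's user space, not the caller's.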