Unload Cause BSOD

Question

Unload Cause BSOD

NoHeart2019 opened this issue 5 years ago · comments

NoHeart2019 commented 5 years ago

Question:
when i stop gbhv. it call DriverUnload, some times Event exits hanppen. then bsod.

information:
BSOD before:
windbg print:
Unknown exit reason! An exit was made but no handler was configured to handle it. Reason: 0x20()+0x39:(VMX_EXIT_REASON_EXECUTE_WRMSR )
fffff800`a98925f9 488b442438 mov rax,qword ptr [rsp+38h]

!analyze -v

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000096, The exception code that was not handled
Arg2: fffff800a98913ec, The address that the exception occurred at
Arg3: ffffd000e8f9f508, Exception Record Address
Arg4: ffffd000e8f9ed20, Context Record Address

FOLLOWUP_IP:
gbhv!ArchDisableVmxe+2c [e:\gbhv-master\gbhv\arch.c @ 100]
fffff800`a98913ec 0f22e0 mov cr4,rax

Windbg code location:

FAULTING_SOURCE_CODE:
96: // Enable the bit
97: Register.VmxEnable = 0;
98:
99: // Write it back to cr4

100: __writecr4(Register.Flags);
101: }
102:

Hope
How to locate this problem. Can you provide some ideas?

Gbps · Answer 1 · Mon Apr 22 2019 13:29:02 GMT+0800 (China Standard Time)

Unloading is not currently working in the released version. What you are seeing is due to the fact that the driverunload function cannot disable vmx because it itself is running in the guest OS. To disable vmx, the driver must forcibly exit to the root mode then disable vmx. To resolve this, you can write a patch which, in driverunload, loads a magic constant into a register then configures an instruction (like cpuid) to cause a vmexit. During the exit handler, check the magic constant value. If that constant is matched, then cause an IPI (or GenericDPCCall) and exit vmx using the code currently in driverunload. I don't have the time to currently add this feature, but it is a known issue. In the mean time, restarting is the only true way to reload the driver. (Not much of an issue if you're using VM snapshots)

…

On Sun, Apr 21, 2019, 11:21 PM NoHeart2019 ***@***.***> wrote: Question: when i stop gbhv. it call DriverUnload, some times Event exits hanppen. then bsod. information: BSOD before: windbg print: Unknown exit reason! An exit was made but no handler was configured to handle it. Reason: 0x20()+0x39:(VMX_EXIT_REASON_EXECUTE_WRMSR ) fffff800`a98925f9 488b442438 mov rax,qword ptr [rsp+38h] !analyze -v SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Arguments: Arg1: ffffffffc0000096, The exception code that was not handled Arg2: fffff800a98913ec, The address that the exception occurred at Arg3: ffffd000e8f9f508, Exception Record Address Arg4: ffffd000e8f9ed20, Context Record Address FOLLOWUP_IP: gbhv!ArchDisableVmxe+2c [e:\gbhv-master\gbhv\arch.c @ 100] fffff800`a98913ec 0f22e0 mov cr4,rax Windbg code location: FAULTING_SOURCE_CODE: 96: // Enable the bit 97: Register.VmxEnable = 0; 98: 99: // Write it back to cr4 100: __writecr4(Register.Flags); 101: } 102: Hope How to locate this problem. Can you provide some ideas? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#6>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABKZAKB3OYSQO2SU6G2NIRDPRUVMHANCNFSM4HHNEFCQ> .

NoHeart2019 · Answer 2 · Mon Apr 22 2019 13:42:13 GMT+0800 (China Standard Time)

Thanks a lot

Gbps · Answer 3 · Thu Apr 25 2019 00:14:44 GMT+0800 (China Standard Time)

Closed, see #2