Further 1903 Compatibility Issues

Question

Further 1903 Compatibility Issues

h33p opened this issue 5 years ago · comments

It appears that on Windows 10 version 1903 the export table of the kernel is not parseable. This is a serious issue that breaks initialization process.

During boot:

Using Mode: MODE_EXTERNAL
PML4:   1ad000  | KernelEntry:  fffff8047e2ca9a0
Kernel Base:    fffff8047d800000 (2e00000)
ntHeader64:     0x7fffb5b67248  1
ParseExportTable: 994dd8 - 992000 + b64 * 4 > 177bb
ParseExportTable: 0
PsInitialSystemProcess: fffff8047dd6f3a0 (336f3a0)
System (PID 4): ffffd7846aa79040 (471c79040)
NT Version:     1000
NT Build:       18362
Process List:
0004    System
0174    smss.exe

After boot:

Using Mode: MODE_EXTERNAL
PML4:   1ad000  | KernelEntry:  fffff8047e2ca9a0
Kernel Base:    fffff8049265a000 (82e00000)
ntHeader64:     0x7ffca86f40d8  1
ParseExportTable: 1 - 992000 + 8091d510 * 4 > 177bb
ParseExportTable: 4
Initialization error: 5

Notice the kernel base changing. There might be a workaround inside the security settings, but that is far from ideal.

fatalis · Answer 1 · Wed Jul 31 2019 21:59:13 GMT+0800 (China Standard Time)

This is occurring for me on one of my 1809 VMs

PML4:   1aa000  | KernelEntry:  fffff80168419e80
Kernel Base:    fffff8016849e000 (249d000)
PsInitialSystemProcess: fffff801689e12e0 (29e02e0)
System (PID 4): ffff938dace4c040 (3e24c040)
NT Version:     1000

->

PML4:   1aa000  | KernelEntry:  fffff8016c09ee80
Kernel Base:    fffff8016b614000 (2000000)
-------------------- InitializeContext error 5 --------------------

EDIT: starts working again with the new Kernel Base after a while randomly:

PML4:   1aa000  | KernelEntry:  fffff8016c09ee80
Kernel Base:    fffff8016b614000 (2000000)
PsInitialSystemProcess: fffff8016bb572e0 (25432e0)
System (PID 4): ffffbc0d8205d080 (3d45d080)
NT Version:     1000

btw I'm working on implementing page enumeration via VAD tree traversal and should have a PR soon

Auri · Answer 2 · Fri Aug 02 2019 19:36:50 GMT+0800 (China Standard Time)

Apparently the initialization process would find false matches of the kernel base. It is rather interesting though, as WinDbg sees the false matches as unmapped memory. It is an issue I will have to look into. In 0daf4d3 I have adjusted the search process to prioritize megabyte aligned pages before going through the regular ones. This solves initialization for me, but from what I can tell the correct kernel base might be in a 4k sized page. We might have to return to this to find more reliable code signatures, but closing for now.