BSOD when shutdown on Win8 x64 (using KPP Destroyer for disable patchguard)
lynnux opened this issue · comments
I use KPP Destroyer to disable PatchGuard on Win8 x64; it seems to patch nt!MiValidateSectionCreate:
original:
```
PAGE:000000014038B326 E8 15 FC FF FF          call SeValidateImageHeader
PAGE:000000014038B32B 8B F8                   mov edi, eax
PAGE:000000014038B32D 3D 2D 01 00 00          cmp eax, 12Dh
PAGE:000000014038B332 0F 84 6F 5B 1A 00       jz loc_140530EA7
PAGE:000000014038B338
PAGE:000000014038B338 loc_14038B338:          ; CODE XREF: MiValidateSectionCreate+2BE�j
PAGE:000000014038B338                         ; MiValidateSectionCreate+560�j ...
PAGE:000000014038B338 4C 3B AC 24 80 00 00 00 cmp r13, [rsp+188h+var_108]
```
patched:
```
fffff802`03da2326 e815fcffff       call nt!SeValidateImageHeader (fffff802`03da1f40)
fffff802`03da232b 90               nop
fffff802`03da232c 90               nop
fffff802`03da232d 90               nop
fffff802`03da232e 90               nop
fffff802`03da232f 90               nop
fffff802`03da2330 90               nop
fffff802`03da2331 90               nop
fffff802`03da2332 90               nop
fffff802`03da2333 90               nop
fffff802`03da2334 90               nop
fffff802`03da2335 90               nop
fffff802`03da2336 90               nop
fffff802`03da2337 90               nop
fffff802`03da2338 4c3bac2480000000 cmp r13,qword ptr [rsp+80h]
```
As you can see, there are many NOPs, and their count is 13 > 12, so FindCaveAddress will pick this address as the CaveAddress. So after the hook, a BSOD comes when nt!MiValidateSectionCreate is called.
So I suggest that FindCaveAddress not use a NOP area to hook.
It's easy to reproduce the BSOD on shutdown.
Actually, only one cave is all NOPs; the other caves are all filled with 0xCC.
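To illustrate the failure mode described in this issue, here is an added example (not code from UPGDSED or KPP Destroyer) that scans a code region for padding runs and distinguishes 0xCC (int3) padding, which is genuinely unused, from 0x90 (NOP) runs, which may be live instructions that another tool has patched out. The constructed region reuses the bytes shown in the issue (the call, the 13 NOPs, the cmp) followed by a hypothetical ret and 16 bytes of int3 padding; the names `find_runs`, `find_cave_address` and the 12-byte minimum are assumptions modelled on the `FindCaveAddress` behaviour the issue describes.

```python
# Added example, not part of UPGDSED or KPP Destroyer.
# Demonstrates why a cave finder must not accept NOP runs as free space:
# a run of 0x90 may be code that some other patcher overwrote, so hooking
# into it overwrites live instructions (the BSOD in this issue).
from dataclasses import dataclass
from typing import List, Optional

MIN_CAVE = 12           # bytes needed for the hook (assumption, from the issue: 13 > 12)
INT3, NOP = 0xCC, 0x90  # compiler alignment padding vs. NOP sled


@dataclass
class Cave:
    offset: int   # start of the run within the scanned region
    length: int   # number of identical bytes
    fill: int     # 0xCC or 0x90

    def is_safe(self) -> bool:
        """Only int3 alignment padding is considered unused code space."""
        return self.fill == INT3


def find_runs(code: bytes, min_len: int = MIN_CAVE) -> List[Cave]:
    """Return every run of at least min_len identical 0xCC or 0x90 bytes."""
    runs: List[Cave] = []
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        if b in (INT3, NOP):
            j = i
            while j < n and code[j] == b:
                j += 1
            if j - i >= min_len:
                runs.append(Cave(i, j - i, b))
            i = j
        else:
            i += 1
    return runs


def find_cave_address(code: bytes, min_len: int = MIN_CAVE,
                      allow_nop: bool = False) -> Optional[int]:
    """Offset of the first usable cave, or None.

    allow_nop=True reproduces the buggy behaviour from the issue (any run of
    >= min_len padding bytes is accepted); the default rejects NOP runs.
    """
    for run in find_runs(code, min_len):
        if run.is_safe() or allow_nop:
            return run.offset
    return None


# Constructed sample: the patched bytes shown in the issue plus hypothetical tail.
PATCHED_REGION = (
    bytes.fromhex("e815fcffff")          # call nt!SeValidateImageHeader (from the issue)
    + b"\x90" * 13                       # cmp/jz replaced by 13 NOPs (from the issue)
    + bytes.fromhex("4c3bac2480000000")  # cmp r13, [rsp+80h] (from the issue)
    + b"\xc3"                            # ret (constructed)
    + b"\xcc" * 16                       # int3 alignment padding (constructed)
)

if __name__ == "__main__":
    for run in find_runs(PATCHED_REGION):
        kind = "int3 padding (safe)" if run.is_safe() else "NOP run (possibly patched code)"
        print(f"offset {run.offset:#x}: {run.length} x {run.fill:#04x}  {kind}")
    print("buggy choice :", find_cave_address(PATCHED_REGION, allow_nop=True))  # 5, inside live code
    print("safe choice  :", find_cave_address(PATCHED_REGION))                  # 27, the int3 padding
```

With `allow_nop=True` the scanner returns offset 5, the middle of the patched instruction stream, which is exactly the cave the issue reports; with the default it skips the NOP run and returns the int3 padding at offset 27.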
I first tried UPGDSED, but it seems to require network access to download symbols, and my virtual machine's network isn't configured to work.
Shouldn't be a problem to fix UPGDSED to load symbols locally and download them from another PC...
OK, it's logged here; it may be one reason why some guys encountered a BSOD.
@lynnux I think you can quite easily patch KPP Destroyer to patch to EB 0D
instead, but it's not open source so it's rather difficult.