PAGE_FAULT_IN_NONPAGED_AREA on Windows 10 x64(19042)
0xE0-rng opened this issue · comments
Hi, this might be my fault, so I am still investigating. Maybe this is useful for future people who run into the same issue.
- freshly installed windows 10 pro on a VM with EFI enabled
- used EfiGuard to patch the kernel and disable DSE
- compiled TitanHide for x64 successfully
However, once attempting to start the service, Windows freezes and I get a PAGE_FAULT_IN_NONPAGED_AREA in the kernel log.
I am not sure what the issue could be, but I will continue to investigate and update this report.
MEMORY.DMP
Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff807`1401f000 PsLoadedModuleList = 0xfffff807`14c49490
Debug session time: Thu Mar 25 02:29:54.479 2021 (UTC - 7:00)
System Uptime: 0 days 5:18:09.713
Loading Kernel Symbols
...............................................................
................................................................
....................................
Loading User Symbols
Loading unloaded module list
......................
For analysis of this file, run !analyze -v
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffff8071416d000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8071441d426, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-GH9U662
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 9
Key : Analysis.Memory.CommitPeak.Mb
Value: 69
Key : Analysis.System
Value: CreateObject
VIRTUAL_MACHINE: VirtualBox
BUGCHECK_CODE: 50
BUGCHECK_P1: fffff8071416d000
BUGCHECK_P2: 0
BUGCHECK_P3: fffff8071441d426
BUGCHECK_P4: 0
READ_ADDRESS: fffff8071416d000
MM_INTERNAL_CODE: 0
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: System
TRAP_FRAME: ffff858fcc8ca610 -- (.trap 0xffff858fcc8ca610)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000001045ff3 rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8071441d426 rsp=ffff858fcc8ca7a8 rbp=ffff858fcc8ca800
r8=0000000000000005 r9=ffff858fcc8ca7e8 r10=ffffaa043d400160
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!RtlCompareMemory+0x36:
fffff807`1441d426 f348a7 repe cmps qword ptr [rsi],qword ptr [rdi]
Resetting default scope
STACK_TEXT:
ffff858f`cc8ca368 fffff807`1443ddb1 : 00000000`00000050 fffff807`1416d000 00000000`00000000 ffff858f`cc8ca610 : nt!KeBugCheckEx
ffff858f`cc8ca370 fffff807`1422b960 : 00000000`00000114 00000000`00000000 ffff858f`cc8ca690 00000000`00000000 : nt!MiSystemFault+0x1f45a1
ffff858f`cc8ca470 fffff807`14422d5e : 00000000`0014c0c8 fffff807`1441b6a5 fffff807`1401f000 fffff807`14416cb5 : nt!MmAccessFault+0x400
ffff858f`cc8ca610 fffff807`1441d426 : fffff807`1b6a47d0 fffff807`1401f000 fffff807`1b6a2d9d 00000000`00000000 : nt!KiPageFault+0x35e
ffff858f`cc8ca7a8 fffff807`1b6a2d9d : 00000000`00000000 fffff807`0000bda8 fffff807`1b6a47d0 00000000`00000000 : nt!RtlCompareMemory+0x36
ffff858f`cc8ca7c0 fffff807`1b6a2a6f : 00000000`00000000 ffffaa04`44bb3bc0 00000000`00000000 00000000`00000000 : TitanHide!SSDTfind+0x79 [C:\Users\User\source\repos\TitanHide\TitanHide\ssdt.cpp @ 45]
ffff858f`cc8ca810 fffff807`1b6a3b8c : 00000000`00000000 ffffaa04`428e53d0 00000000`001ef000 00000000`001ee320 : TitanHide!SSDT::GetFunctionAddress+0x17 [C:\Users\User\source\repos\TitanHide\TitanHide\ssdt.cpp @ 75]
ffff858f`cc8ca840 fffff807`1b6a3551 : ffffaa04`44bb3a70 00000000`00000000 ffff858f`cc8ca930 fffff807`1437a41c : TitanHide!Undocumented::UndocumentedInit+0x22c [C:\Users\User\source\repos\TitanHide\TitanHide\undocumented.cpp @ 385]
ffff858f`cc8ca880 fffff807`1b729020 : 00000000`00000000 ffffaa04`3df25000 00000000`00000002 ffffffff`800011e0 : TitanHide!DriverEntry+0x75 [C:\Users\User\source\repos\TitanHide\TitanHide\TitanHide.cpp @ 90]
ffff858f`cc8ca8d0 fffff807`1477a644 : ffffaa04`3df25000 00000000`00000000 ffffaa04`44bb3a70 00000000`00000000 : TitanHide!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmode\gs_support.c @ 117]
ffff858f`cc8ca900 fffff807`1474547d : 00000000`00000014 00000000`00000000 00000000`00000000 00000000`00001000 : nt!PnpCallDriverEntry+0x4c
ffff858f`cc8ca960 fffff807`1478a967 : 00000000`00000000 00000000`00000000 fffff807`14d44440 ffffaa04`42602050 : nt!IopLoadDriver+0x4e5
ffff858f`cc8cab30 fffff807`14244975 : ffffaa04`00000000 ffffffff`800011e0 ffffaa04`47b4c040 ffffaa04`00000000 : nt!IopLoadUnloadDriver+0x57
ffff858f`cc8cab70 fffff807`14336e85 : ffffaa04`47b4c040 00000000`00000080 ffffaa04`3d85b040 06b2b19a`0002bebd : nt!ExpWorkerThread+0x105
ffff858f`cc8cac10 fffff807`1441c2a8 : ffffe681`b81ce180 ffffaa04`47b4c040 fffff807`14336e30 80044016`82004018 : nt!PspSystemThreadStartup+0x55
ffff858f`cc8cac60 00000000`00000000 : ffff858f`cc8cb000 ffff858f`cc8c5000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
FAULTING_SOURCE_LINE: C:\Users\User\source\repos\TitanHide\TitanHide\ssdt.cpp
FAULTING_SOURCE_FILE: C:\Users\User\source\repos\TitanHide\TitanHide\ssdt.cpp
FAULTING_SOURCE_LINE_NUMBER: 45
FAULTING_SOURCE_CODE:
41: bool found = false;
42: ULONG KiSSSOffset;
43: for(KiSSSOffset = 0; KiSSSOffset < kernelSize - signatureSize; KiSSSOffset++)
44: {
> 45: if(RtlCompareMemory(((unsigned char*)kernelBase + KiSSSOffset), KiSystemServiceStartPattern, signatureSize) == signatureSize)
46: {
47: found = true;
48: break;
49: }
50: }
SYMBOL_NAME: TitanHide!SSDTfind+79
MODULE_NAME: TitanHide
IMAGE_NAME: TitanHide.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 79
FAILURE_BUCKET_ID: AV_R_INVALID_TitanHide!SSDTfind
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {1ef56748-c8e8-8a36-05ec-c231bfb01fd2}
Followup: MachineOwner
---------
I can't reproduce this on 10.0.19042.867.
Looking at your crash dump, I've got an idea of what may be happening. The invalid address being accessed is 0xfffff8071416d000, which is 0x14e000 past the kernel base of 0xfffff8071401f000. Looking at ntoskrnl.exe v10.0.19042.867 this makes sense: 0x14e000 is the virtual address of the first pageable section. And if that section (GFIDS) was paged out, that would explain the BSOD.
Looking at older kernels, this was not an issue because the section containing the pattern to search for (.text) was always the first section. But it seems that in 10.0.19041/19042.0, the kernel now has .text coming after two pageable sections. This doesn't really explain why it isn't crashing for me, but this should really be fixed regardless. I'll commit a fix for this soonish so you can check if that fixes the BSOD.
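An added illustration of the approach the maintainer describes (example code written for this page, not TitanHide's own patch): instead of scanning from the kernel base to the end of the image, which walks through any pageable section that precedes .text, parse the PE section headers and confine the signature search to the .text section. The PE structs below are a minimal subset of winnt.h so the example builds outside the WDK, and the image layout and pattern bytes are constructed for the demo (a pageable section at RVA 0x1000 placed ahead of .text at RVA 0x2000).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal subset of the winnt.h PE structures; field layout matches the real headers. */
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHdr;         /* e_lfanew at 0x3c */
typedef struct { uint32_t Signature; uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp,
                 PointerToSymbolTable, NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } NtHdr;
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                 PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
                 uint32_t Characteristics; } SecHdr;

/* Scan only the named section of an in-memory PE image for `pat`. Returns the RVA of the first
 * match, or -1 if the headers are bad, the section is absent or the pattern is not there.
 * The loop never leaves the section's bounds, so no other (possibly paged-out) section is read. */
static long find_pattern_in_section(const uint8_t *base, const char *name, const uint8_t *pat, size_t patlen)
{
    const DosHdr *dos = (const DosHdr *)base;
    if (dos->e_magic != 0x5A4D) return -1;                                  /* "MZ" */
    const NtHdr *nt = (const NtHdr *)(base + dos->e_lfanew);
    if (nt->Signature != 0x00004550) return -1;                             /* "PE\0\0" */
    const SecHdr *sec = (const SecHdr *)((const uint8_t *)nt + sizeof(NtHdr) + nt->SizeOfOptionalHeader);
    for (uint16_t i = 0; i < nt->NumberOfSections; i++) {
        if (strncmp(sec[i].Name, name, 8) != 0) continue;
        if (patlen == 0 || patlen > sec[i].VirtualSize) return -1;
        const uint8_t *start = base + sec[i].VirtualAddress;
        for (size_t off = 0; off + patlen <= sec[i].VirtualSize; off++)
            if (memcmp(start + off, pat, patlen) == 0) return (long)(sec[i].VirtualAddress + off);
        return -1;                                                          /* section found, pattern not */
    }
    return -1;                                                              /* no such section */
}

/* Constructed image: PAGEDATA at RVA 0x1000 sits before .text at RVA 0x2000, mirroring the
 * "pageable sections ahead of .text" layout the maintainer describes. A base-to-end scan like the
 * crashing loop would read RVA 0x1000-0x1fff first; the section-bounded scan never touches it. */
static uint8_t g_image[0x3000];
static const uint8_t g_pattern[] = { 0x0F, 0x01, 0xF8, 0x65, 0x48, 0x89, 0x24, 0x25 }; /* constructed, not a real signature */

static void build_image(void)
{
    memset(g_image, 0, sizeof g_image);
    DosHdr *dos = (DosHdr *)g_image;           dos->e_magic = 0x5A4D;  dos->e_lfanew = 0x80;
    NtHdr *nt = (NtHdr *)(g_image + 0x80);     nt->Signature = 0x00004550;
    nt->NumberOfSections = 2;                  nt->SizeOfOptionalHeader = 0xF0;
    SecHdr *sec = (SecHdr *)(g_image + 0x80 + sizeof(NtHdr) + 0xF0);
    memcpy(sec[0].Name, "PAGEDATA", 8); sec[0].VirtualAddress = 0x1000; sec[0].VirtualSize = 0x1000;
    memcpy(sec[1].Name, ".text", 6);    sec[1].VirtualAddress = 0x2000; sec[1].VirtualSize = 0x1000;
    memcpy(g_image + 0x2345, g_pattern, sizeof g_pattern);                 /* pattern lives in .text only */
}

/* Builds the image and returns the RVA at which the bounded scan finds the pattern (0x2345). */
long demo(void) { build_image(); return find_pattern_in_section(g_image, ".text", g_pattern, sizeof g_pattern); }
```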
Hey,
many thanks for the quick fix and detailed explanation! (and sorry for the delayed response)
I did not try your AppVeyor artifacts but compiled from source.
However I can confirm that the fix is working on 19042.867!
Thanks for providing such an amazing project and maintaining it!
Log if relevant for others
[TITANHIDE] FileSize of ntdll.dll is 001EE320!
[TITANHIDE] UndocumentedInit() was successful!
[TITANHIDE] Found CrossThreadFlags at offset +0x0510. 'HideFromDebugger' will be stripped from running threads in target processes.
[TITANHIDE] Device \Device\TitanHide created successfully!
[TITANHIDE] Symbolic link \DosDevices\TitanHide->\Device\TitanHide created!
[TITANHIDE] Range: 0xFFFFF8015A0CB270-0xFFFFF8016A0CB26F
[TITANHIDE] CodeStart: 0xFFFFF8015A5C9000, CodeSize: 0x3C4800
[TITANHIDE] Range: 0xFFFFF8015A5C9000-0xFFFFF8015A98D800
[TITANHIDE] CaveAddress: 0xFFFFF8015A5C9000
[TITANHIDE] hook(0xFFFFF8015A5C9000, 0xFFFFF8015FE51830)
[TITANHIDE] SSDThook(NtQueryInformationProcess:0x0000000005138201, 0x0000000004FDD901)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5C93A3
[TITANHIDE] hook(0xFFFFF8015A5C93A3, 0xFFFFF8015FE519C0)
[TITANHIDE] SSDThook(NtQueryInformationThread:0x0000000005485701, 0x0000000004FE1331)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CA861
[TITANHIDE] hook(0xFFFFF8015A5CA861, 0xFFFFF8015FE51BB0)
[TITANHIDE] SSDThook(NtQueryObject:0x0000000005112E01, 0x0000000004FF5F11)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CB903
[TITANHIDE] hook(0xFFFFF8015A5CB903, 0xFFFFF8015FE51D70)
[TITANHIDE] SSDThook(NtQuerySystemInformation:0x00000000051D9700, 0x0000000005006930)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CC0E4
[TITANHIDE] hook(0xFFFFF8015A5CC0E4, 0xFFFFF8015FE51EF0)
[TITANHIDE] SSDThook(NtSetInformationThread:0x0000000005337800, 0x000000000500E740)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CCB04
[TITANHIDE] hook(0xFFFFF8015A5CCB04, 0xFFFFF8015FE513D0)
[TITANHIDE] SSDThook(NtClose:0x0000000005646000, 0x0000000005018940)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CCC8F
[TITANHIDE] hook(0xFFFFF8015A5CCC8F, 0xFFFFF8015FE515B0)
[TITANHIDE] SSDThook(NtDuplicateObject:0x0000000005555203, 0x000000000501A1F3)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CCDFB
[TITANHIDE] hook(0xFFFFF8015A5CCDFB, 0xFFFFF8015FE516A0)
[TITANHIDE] SSDThook(NtGetContextThread:0x00000000061FC300, 0x000000000501B8B0)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CDF7E
[TITANHIDE] hook(0xFFFFF8015A5CDF7E, 0xFFFFF8015FE51E10)
[TITANHIDE] SSDThook(NtSetContextThread:0x00000000083EAF00, 0x000000000502D0E0)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CF0F2
[TITANHIDE] hook(0xFFFFF8015A5CF0F2, 0xFFFFF8015FE52070)
[TITANHIDE] SSDThook(NtSystemDebugControl:0x0000000006F1C902, 0x000000000503E822)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CF3A1
[TITANHIDE] hook(0xFFFFF8015A5CF3A1, 0xFFFFF8015FE51520)
[TITANHIDE] SSDThook(NtCreateThreadEx:0x00000000063F4007, 0x0000000005041317)
[TITANHIDE] Hooks::Initialize() hooked 11 functions