mrexodia / TitanHide

Hiding kernel-driver for x86/x64.

PAGE_FAULT_IN_NONPAGED_AREA on Windows 10 x64(19042)

0xE0-rng opened this issue · comments

Hi might be my fault, so I am still investigating. Maybe this is useful for future people who run into the same issue.

  • freshly installed windows 10 pro on a VM with EFI enabled
  • used EfiGuard to patch the kernel and disable DSE
  • compiled TitanHide for x64 successfully

However once attempting to start the service, Windows freezes and I get a PAGE_FAULT_IN_NONPAGED_AREA in the kernel log.
I am not sure what the issue could be, but I will continue to investigate and update this report.

MEMORY.DMP


Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff807`1401f000 PsLoadedModuleList = 0xfffff807`14c49490
Debug session time: Thu Mar 25 02:29:54.479 2021 (UTC - 7:00)
System Uptime: 0 days 5:18:09.713
Loading Kernel Symbols
...............................................................
................................................................
....................................
Loading User Symbols

Loading unloaded module list
......................
For analysis of this file, run !analyze -v
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffff8071416d000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8071441d426, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 2

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-GH9U662

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 9

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 69

    Key  : Analysis.System
    Value: CreateObject


VIRTUAL_MACHINE:  VirtualBox

BUGCHECK_CODE:  50

BUGCHECK_P1: fffff8071416d000

BUGCHECK_P2: 0

BUGCHECK_P3: fffff8071441d426

BUGCHECK_P4: 0

READ_ADDRESS:  fffff8071416d000 

MM_INTERNAL_CODE:  0

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

TRAP_FRAME:  ffff858fcc8ca610 -- (.trap 0xffff858fcc8ca610)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000001045ff3 rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8071441d426 rsp=ffff858fcc8ca7a8 rbp=ffff858fcc8ca800
 r8=0000000000000005  r9=ffff858fcc8ca7e8 r10=ffffaa043d400160
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nt!RtlCompareMemory+0x36:
fffff807`1441d426 f348a7          repe cmps qword ptr [rsi],qword ptr [rdi]
Resetting default scope

STACK_TEXT:  
ffff858f`cc8ca368 fffff807`1443ddb1 : 00000000`00000050 fffff807`1416d000 00000000`00000000 ffff858f`cc8ca610 : nt!KeBugCheckEx
ffff858f`cc8ca370 fffff807`1422b960 : 00000000`00000114 00000000`00000000 ffff858f`cc8ca690 00000000`00000000 : nt!MiSystemFault+0x1f45a1
ffff858f`cc8ca470 fffff807`14422d5e : 00000000`0014c0c8 fffff807`1441b6a5 fffff807`1401f000 fffff807`14416cb5 : nt!MmAccessFault+0x400
ffff858f`cc8ca610 fffff807`1441d426 : fffff807`1b6a47d0 fffff807`1401f000 fffff807`1b6a2d9d 00000000`00000000 : nt!KiPageFault+0x35e
ffff858f`cc8ca7a8 fffff807`1b6a2d9d : 00000000`00000000 fffff807`0000bda8 fffff807`1b6a47d0 00000000`00000000 : nt!RtlCompareMemory+0x36
ffff858f`cc8ca7c0 fffff807`1b6a2a6f : 00000000`00000000 ffffaa04`44bb3bc0 00000000`00000000 00000000`00000000 : TitanHide!SSDTfind+0x79 [C:\Users\User\source\repos\TitanHide\TitanHide\ssdt.cpp @ 45] 
ffff858f`cc8ca810 fffff807`1b6a3b8c : 00000000`00000000 ffffaa04`428e53d0 00000000`001ef000 00000000`001ee320 : TitanHide!SSDT::GetFunctionAddress+0x17 [C:\Users\User\source\repos\TitanHide\TitanHide\ssdt.cpp @ 75] 
ffff858f`cc8ca840 fffff807`1b6a3551 : ffffaa04`44bb3a70 00000000`00000000 ffff858f`cc8ca930 fffff807`1437a41c : TitanHide!Undocumented::UndocumentedInit+0x22c [C:\Users\User\source\repos\TitanHide\TitanHide\undocumented.cpp @ 385] 
ffff858f`cc8ca880 fffff807`1b729020 : 00000000`00000000 ffffaa04`3df25000 00000000`00000002 ffffffff`800011e0 : TitanHide!DriverEntry+0x75 [C:\Users\User\source\repos\TitanHide\TitanHide\TitanHide.cpp @ 90] 
ffff858f`cc8ca8d0 fffff807`1477a644 : ffffaa04`3df25000 00000000`00000000 ffffaa04`44bb3a70 00000000`00000000 : TitanHide!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmode\gs_support.c @ 117] 
ffff858f`cc8ca900 fffff807`1474547d : 00000000`00000014 00000000`00000000 00000000`00000000 00000000`00001000 : nt!PnpCallDriverEntry+0x4c
ffff858f`cc8ca960 fffff807`1478a967 : 00000000`00000000 00000000`00000000 fffff807`14d44440 ffffaa04`42602050 : nt!IopLoadDriver+0x4e5
ffff858f`cc8cab30 fffff807`14244975 : ffffaa04`00000000 ffffffff`800011e0 ffffaa04`47b4c040 ffffaa04`00000000 : nt!IopLoadUnloadDriver+0x57
ffff858f`cc8cab70 fffff807`14336e85 : ffffaa04`47b4c040 00000000`00000080 ffffaa04`3d85b040 06b2b19a`0002bebd : nt!ExpWorkerThread+0x105
ffff858f`cc8cac10 fffff807`1441c2a8 : ffffe681`b81ce180 ffffaa04`47b4c040 fffff807`14336e30 80044016`82004018 : nt!PspSystemThreadStartup+0x55
ffff858f`cc8cac60 00000000`00000000 : ffff858f`cc8cb000 ffff858f`cc8c5000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


FAULTING_SOURCE_LINE:  C:\Users\User\source\repos\TitanHide\TitanHide\ssdt.cpp

FAULTING_SOURCE_FILE:  C:\Users\User\source\repos\TitanHide\TitanHide\ssdt.cpp

FAULTING_SOURCE_LINE_NUMBER:  45

FAULTING_SOURCE_CODE:  
    41:         bool found = false;
    42:         ULONG KiSSSOffset;
    43:         for(KiSSSOffset = 0; KiSSSOffset < kernelSize - signatureSize; KiSSSOffset++)
    44:         {
>   45:             if(RtlCompareMemory(((unsigned char*)kernelBase + KiSSSOffset), KiSystemServiceStartPattern, signatureSize) == signatureSize)
    46:             {
    47:                 found = true;
    48:                 break;
    49:             }
    50:         }


SYMBOL_NAME:  TitanHide!SSDTfind+79

MODULE_NAME: TitanHide

IMAGE_NAME:  TitanHide.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  79

FAILURE_BUCKET_ID:  AV_R_INVALID_TitanHide!SSDTfind

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {1ef56748-c8e8-8a36-05ec-c231bfb01fd2}

Followup:     MachineOwner
---------

Just checked 17763. Works without issue. 😄
Maybe I will look into why this is an issue at a later point, happy that it works for now.

I can't reproduce this on 10.0.19042.867.

Looking at your crash dump, I've got an idea of what may be happening. The invalid address being accessed is 0xfffff8071416d000, which is 0x14e000 past the kernel base of 0xfffff8071401f000. Looking at ntoskrnl.exe v10.0.19042.867 this makes sense: 0x14e000 is the virtual address of the first pageable section. And if that section (GFIDS) was paged out, that would explain the BSOD.

Looking at older kernels, this was not an issue because the section containing the pattern to search for (.text) was always the first section. But it seems that in 10.0.19041/19042.0, the kernel now has .text coming after two pageable sections. This doesn't really explain why it isn't crashing for me, but this should really be fixed regardless. I'll commit a fix for this soonish so you can check if that fixes the BSOD.

I think this should be fixed in b6033e0, can you verify?

AppVeyor artifact here (there's supposed to be automated Github releases, but they aren't working...)
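The section-layout problem explained above, as an added example that is neither TitanHide's own code nor the fix in b6033e0: a minimal PE section-table walk that confines the pattern scan to the section named .text, instead of scanning from kernelBase over kernelSize and touching pageable sections such as GFIDS. The structure names, the constructed two-section image and the pattern bytes are assumptions for illustration; because user mode cannot fault on a paged-out section, a decoy copy of the pattern in the pageable section is what makes the difference between the two scans observable.

```c
#include <stdint.h>
#include <string.h>
/* Minimal PE layouts, only the fields used here; sizes (64/20/40) and offsets match IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_SECTION_HEADER without packing. */
typedef struct { uint16_t e_magic; uint8_t skip[58]; uint32_t e_lfanew; } DosHdr;
typedef struct { uint16_t Machine, NumberOfSections; uint8_t skip[12]; uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress; uint8_t skip[24]; } SecHdr;
/* Walk the section table of a mapped image; return the header named `name`, or NULL. */
static const SecHdr *find_section(const uint8_t *base, size_t size, const char *name)
{
    if (size < sizeof(DosHdr) || ((const DosHdr *)base)->e_magic != 0x5A4D) return NULL;      /* "MZ" */
    size_t nt = ((const DosHdr *)base)->e_lfanew;
    if (nt + 4 + sizeof(FileHdr) > size || memcmp(base + nt, "PE\0\0", 4) != 0) return NULL;
    const FileHdr *fh = (const FileHdr *)(base + nt + 4);
    size_t tbl = nt + 4 + sizeof(FileHdr) + fh->SizeOfOptionalHeader;                         /* section table offset */
    if (tbl + sizeof(SecHdr) * fh->NumberOfSections > size) return NULL;                      /* truncated table */
    const SecHdr *sec = (const SecHdr *)(base + tbl);
    for (uint16_t i = 0; i < fh->NumberOfSections; i++)
        if (strncmp(sec[i].Name, name, 8) == 0) return sec + i;
    return NULL;
}
/* Byte-pattern scan over [start, end); first hit's image offset or -1. The loop in ssdt.cpp is effectively scan_range(base, 0, kernelSize, ...): it walks pageable sections too. */
static long scan_range(const uint8_t *base, size_t start, size_t end, const uint8_t *pat, size_t n)
{
    for (size_t off = start; n && off + n <= end; off++)
        if (memcmp(base + off, pat, n) == 0) return (long)off;
    return -1;
}
/* The fix: confine the scan to one named, non-pageable section such as ".text". */
static long scan_section(const uint8_t *base, size_t size, const char *sec, const uint8_t *pat, size_t n)
{
    const SecHdr *s = find_section(base, size, sec);
    if (!s || s->VirtualAddress + (size_t)s->VirtualSize > size) return -1;                   /* missing or bogus header */
    return scan_range(base, s->VirtualAddress, s->VirtualAddress + s->VirtualSize, pat, n);
}
/* Constructed sample image (not a real kernel): pageable "GFIDS" at RVA 0x100 precedes ".text" at RVA 0x200, like the 19041+ layout described above; pattern bytes are made up. Returns the image size. */
static uint8_t g_img[0x300];
static const uint8_t g_pat[8] = { 0xC6, 0x45, 0xAB, 0x02, 0x65, 0x48, 0x8B, 0x04 };
static size_t build_sample_image(void)
{
    memset(g_img, 0, sizeof g_img);
    DosHdr *dos = (DosHdr *)g_img;  dos->e_magic = 0x5A4D;  dos->e_lfanew = 0x40;
    memcpy(g_img + 0x40, "PE\0\0", 4);                       /* FileHdr follows; SizeOfOptionalHeader stays 0 */
    ((FileHdr *)(g_img + 0x44))->NumberOfSections = 2;
    SecHdr *sec = (SecHdr *)(g_img + 0x44 + sizeof(FileHdr));
    memcpy(sec[0].Name, "GFIDS", 5);  sec[0].VirtualAddress = 0x100;  sec[0].VirtualSize = 0x100;
    memcpy(sec[1].Name, ".text", 5);  sec[1].VirtualAddress = 0x200;  sec[1].VirtualSize = 0x100;
    memcpy(g_img + 0x120, g_pat, 8);   /* decoy in the pageable section: the whole-image scan hits it first */
    memcpy(g_img + 0x250, g_pat, 8);   /* the real match, inside .text */
    return sizeof g_img;
}
```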

Hey,
many thanks for the quick fix and detailed explanation! (and sorry for the delayed response)
I did not try your AppVeyor artifacts but compiled from source.
However I can confirm that the fix is working on 19042.867!

Thanks for providing such an amazing project and maintaining it!

Log if relevant for others

[TITANHIDE] FileSize of ntdll.dll is 001EE320!
[TITANHIDE] UndocumentedInit() was successful!
[TITANHIDE] Found CrossThreadFlags at offset +0x0510. 'HideFromDebugger' will be stripped from running threads in target processes.
[TITANHIDE] Device \Device\TitanHide created successfully!
[TITANHIDE] Symbolic link \DosDevices\TitanHide->\Device\TitanHide created!
[TITANHIDE] Range: 0xFFFFF8015A0CB270-0xFFFFF8016A0CB26F
[TITANHIDE] CodeStart: 0xFFFFF8015A5C9000, CodeSize: 0x3C4800
[TITANHIDE] Range: 0xFFFFF8015A5C9000-0xFFFFF8015A98D800
[TITANHIDE] CaveAddress: 0xFFFFF8015A5C9000
[TITANHIDE] hook(0xFFFFF8015A5C9000, 0xFFFFF8015FE51830)
[TITANHIDE] SSDThook(NtQueryInformationProcess:0x0000000005138201, 0x0000000004FDD901)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5C93A3
[TITANHIDE] hook(0xFFFFF8015A5C93A3, 0xFFFFF8015FE519C0)
[TITANHIDE] SSDThook(NtQueryInformationThread:0x0000000005485701, 0x0000000004FE1331)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CA861
[TITANHIDE] hook(0xFFFFF8015A5CA861, 0xFFFFF8015FE51BB0)
[TITANHIDE] SSDThook(NtQueryObject:0x0000000005112E01, 0x0000000004FF5F11)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CB903
[TITANHIDE] hook(0xFFFFF8015A5CB903, 0xFFFFF8015FE51D70)
[TITANHIDE] SSDThook(NtQuerySystemInformation:0x00000000051D9700, 0x0000000005006930)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CC0E4
[TITANHIDE] hook(0xFFFFF8015A5CC0E4, 0xFFFFF8015FE51EF0)
[TITANHIDE] SSDThook(NtSetInformationThread:0x0000000005337800, 0x000000000500E740)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CCB04
[TITANHIDE] hook(0xFFFFF8015A5CCB04, 0xFFFFF8015FE513D0)
[TITANHIDE] SSDThook(NtClose:0x0000000005646000, 0x0000000005018940)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CCC8F
[TITANHIDE] hook(0xFFFFF8015A5CCC8F, 0xFFFFF8015FE515B0)
[TITANHIDE] SSDThook(NtDuplicateObject:0x0000000005555203, 0x000000000501A1F3)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CCDFB
[TITANHIDE] hook(0xFFFFF8015A5CCDFB, 0xFFFFF8015FE516A0)
[TITANHIDE] SSDThook(NtGetContextThread:0x00000000061FC300, 0x000000000501B8B0)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CDF7E
[TITANHIDE] hook(0xFFFFF8015A5CDF7E, 0xFFFFF8015FE51E10)
[TITANHIDE] SSDThook(NtSetContextThread:0x00000000083EAF00, 0x000000000502D0E0)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CF0F2
[TITANHIDE] hook(0xFFFFF8015A5CF0F2, 0xFFFFF8015FE52070)
[TITANHIDE] SSDThook(NtSystemDebugControl:0x0000000006F1C902, 0x000000000503E822)
[TITANHIDE] CaveAddress: 0xFFFFF8015A5CF3A1
[TITANHIDE] hook(0xFFFFF8015A5CF3A1, 0xFFFFF8015FE51520)
[TITANHIDE] SSDThook(NtCreateThreadEx:0x00000000063F4007, 0x0000000005041317)
[TITANHIDE] Hooks::Initialize() hooked 11 functions