Crash sometimes on hvpp stop

Question

Crash sometimes on hvpp stop

soltrac opened this issue 6 years ago · comments

https://www.dropbox.com/s/8pem9gwlsnvvj54/Crash.rar?dl=0

Here is my .sys, a mini dump (I don't know why a minidump is being generated if I have checked the memory dump) and my .pdb

the error is SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

Petr Beneš · Answer 1 · Fri Oct 05 2018 16:24:40 GMT+0800 (China Standard Time)

It asserts in lib/mm.cpp here:

    //
    // Checks for memory leaks.
    //
    hvpp_assert(page_bitmap->all_clear());

Meaning, there is some memory leak. Did you add some allocation and forgot to deallocate it?

soltrac · Answer 2 · Fri Oct 05 2018 16:44:34 GMT+0800 (China Standard Time)

I'm doing vmcalls to hook like in your example, nothing more. Maybe some modification of mine is leaving some leak around. I will check. The problem is that sometimes the process is crashing and I'm not having time to unhook so maybe that is the problem. I think that I will add a check to clean everything if a crash have happened and maybe that way I won't leave any leak.

Sorry for bothering you

soltrac · Answer 3 · Fri Oct 05 2018 18:13:52 GMT+0800 (China Standard Time)

Ok, I think the problem is the game I'm trying to debug. For some reason, they accept an hypervisor like hyperplatform but it does not like this one....and I don't understand why they detect a difference. I've changed the vmcalls codes but they still does not allow this hypervisor. Strange...

Petr Beneš · Answer 4 · Fri Oct 05 2018 18:16:19 GMT+0800 (China Standard Time)

They? What does that mean? I have no idea what you're trying to achieve or what should I imagine under "game accepts a hypervisor" :)

soltrac · Answer 5 · Fri Oct 05 2018 18:48:44 GMT+0800 (China Standard Time)

When I say "they", are the game developers. I want to debug it, but they have a strong antidebug techniques, so a hypervisor is perfect for me. The strange thing is that the game accepts hyperplatform as hypervisor but it does not accept hvpp. The game sets the computer sometimes very slow with the hypervisor activated (I think they try to exit from the vm call in a loop or something like that), sometimes just crashes their process and sometimes crashes my computer with DPC_WATCHDOG_VIOLATION BSOD.

I can use hyperplatform, but I prefer this one because I understand it better (my hypervisor knowledge is near 0).

Well...I think is not a problem of the hypervisor itself, at least, until I don't discover why hyperplatform is not giving problems and hvpp does it.

Petr Beneš · Answer 6 · Fri Oct 05 2018 19:52:41 GMT+0800 (China Standard Time)

Maybe it checks for CR4.VMXE? I don't know, I'm just guessing. There isn't much difference between hvpp and hyperplatform in terms of functionality.

Petr Beneš · Answer 7 · Sat Dec 22 2018 20:22:52 GMT+0800 (China Standard Time)

Closing for inactivity, please reopen if problem persists.