BSOD in x64 kernel mode driver

Bruno_Guimaraes · October 2, 2016, 12:56pm

I am trying to create a log file with a x64 kernel mode driver. When my code go to scancodelogs procedure BSOD happens and I dont know what are wrong in my scancodelog procedure. Where is my error in code below:
.DATA
UniString db ‘\DosDevices\C:\log’,0
prbx dq 0
status dd 0

IO_STATUS_BLOCK struct
Status dq 0
Pointer dq 0
Information dq 0
IO_STATUS_BLOCK ends

UNICODE_STRING struct
Length_ WORD 0
MaximumLength WORD 0
DWORD 0
Buffer QWORD 0
UNICODE_STRING ends

OBJECT_ATTRIBUTES struct
Length_ DQ 0
RootDirectory DQ 0
ObjectName DQ 0 ;ptr UNICODE_STRING
Attributes DQ 0
SecurityDescriptor DQ 0
SecurityQualityOfService DQ 0
OBJECT_ATTRIBUTES ends

oa OBJECT_ATTRIBUTES <>
Directory UNICODE_STRING <>
isb IO_STATUS_BLOCK <>

Data db 0
SCANCODES db 512 dup (0)
filehandle dq 0
i dd 0
Scancode db 0
Counter dq 0

scancodelogs proc
lea rdx, [UniString]
lea rcx, [Directory]
call qword ptr [RtlInitUnicodeString]
mov rax,sizeof OBJECT_ATTRIBUTES
mov oa.Length_,rax
lea rax,[Directory]
mov oa.ObjectName,rax
mov rax,240h
mov oa.Attributes,rax
mov dword ptr [rsp+50h], 0
mov qword ptr [rsp+48h], 0
mov dword ptr [rsp+40h], 20h
mov dword ptr [rsp+38h], 5h
mov dword ptr [rsp+30h], 0
mov dword ptr [rsp+28h], 80h
mov qword ptr [rsp+20h], 0
lea r9,[isb]
lea r8,[oa]
mov edx,40000000h
lea rcx,[filehandle]
call qword ptr [ZwCreateFile]
mov qword ptr [rsp+40h], 0
mov qword ptr [rsp+38h], 0
mov dword ptr [rsp+30h], 10h
lea rax, [SCANCODES]
mov qword ptr [rsp+28h], rax
lea rax, [isb]
mov qword ptr [rsp+20h], rax
xor r9d, r9d
xor r8d, r8d
xor edx, edx
mov rcx, filehandle
call qword ptr [ZwWriteFile]
mov rcx, filehandle
call qword ptr [ZwClose]
ret
scancodelogs endp

Slava_Imameev · October 2, 2016, 3:17pm

I don’t see the stack space being reserved for the procedure and released before ret instruction. The volatile registers(if any) also were not saved and were not restored.

The stack reservation should look like
alloc_stack (sizeof MyFrame)
OR
sub rsp, sizeof MyFrame

The stack deallocation is
add rsp, sizeof MyFrame

Bruno_Guimaraes · October 3, 2016, 9:37am

I already solve the problem of BSOD but my driver dont create the log file with ZwCreateFile. I think the problem is in OBJECT_ATTRIBUTES structure or in another parameter to ZWCreateFile. Please help me!

Scott_Noone_OSR · October 3, 2016, 7:26pm

Checking the return value of ZwCreateFile would be useful. Also, writing it in C would also probably help…

-scott
OSR
@OSRDrivers