BSOD 0xC4_f6 in WIN7

Alex_C3 · September 18, 2019, 12:46pm

HI, all.

I wrote a function to convert the drive letter. In this function, I use the ZwQuerySymbolicLink API which caused BSOD.
The error code 0xC4_f6 means “A driver references a user-mode handle as kernel mode”. But I can’t fig out what caused this bug.
Hope you guys can give me some advice. Any word will be appreciated.

Here is my function code:
`NTSTATUS QuerySymbolicLink(
IN PUNICODE_STRING SymbolicLinkName,
OUT PUNICODE_STRING LinkTarget
)
{

OBJECT_ATTRIBUTES objAttr;
NTSTATUS status;
HANDLE symHandle;
InitializeObjectAttributes(&objAttr, SymbolicLinkName,
	OBJ_CASE_INSENSITIVE, 0, 0);

status = ZwOpenSymbolicLinkObject(&symHandle, GENERIC_READ, &objAttr);
if (!NT_SUCCESS(status))
{
	DbgPrint("open the symbolinkobj failed  ..\n");
	ZwClose(symHandle);
	return status; 
}
if (!LinkTarget->Buffer)
{
	ZwClose(symHandle);
	return STATUS_INSUFFICIENT_RESOURCES;
}

RtlZeroMemory(LinkTarget->Buffer, LinkTarget->MaximumLength);
status = ZwQuerySymbolicLinkObject(symHandle, LinkTarget, NULL);
ZwClose(symHandle);
if (!NT_SUCCESS(status))
{
	DbgPrint(" query the symbolinkObject failed  ...\n");
}
return status;

}`

Thanks a lot.

Alex_C3 · September 18, 2019, 12:47pm

here is STACK TEXT:
837c4764 84141f03 000000c4 000000f6 0000004c nt!KeBugCheckEx+0x1e
837c4784 84146766 0000004c 8cdc1030 a32bd178 nt!VerifierBugCheckIfAppropriate+0x30
837c4818 8402df7b 00000000 837c4964 837c49b4 nt!VfCheckUserHandle+0x14f
837c484c 8402de35 0000004c 00000001 85f57de8 nt!ObReferenceObjectByHandleWithTag+0x13b
837c4870 8405ad04 0000004c 00000001 85f57de8 nt!ObReferenceObjectByHandle+0x21
837c48cc 83e491ea 0000004c 837c49b4 00000000 nt!NtQuerySymbolicLinkObject+0xee
837c48cc 83e47b8d 0000004c 837c49b4 00000000 nt!KiFastCallEntry+0x12a
837c4950 a28eb915 0000004c 837c49b4 00000000 nt!ZwQuerySymbolicLinkObject+0x11

Tim_Roberts · September 18, 2019, 4:37pm

And did you read the documentation for InitializeObjectAttributes? The part where it says that you must specify OBJ_KERNEL_HANDLE if you want a kernel handle?

Alex_C3 · September 19, 2019, 2:38am

@Tim_Roberts said:
And did you read the documentation for InitializeObjectAttributes? The part where it says that you must specify OBJ_KERNEL_HANDLE if you want a kernel handle?

Yes! Your method solved the problem. Thank you so much.
But I can’t understand where caused the handle into USER MODE.
And the same driver will not lead to BSOD if I change a virtual machine. It makes me confused.

Tim_Roberts · September 19, 2019, 4:13am

I can’t understand where caused the handle into USER MODE.

APIs like ZwOpenSymbolicLinkObject are usually called by or on behalf of user-mode processes, so if you don’t specify that flag, it assumes that’s what you are doing.

Alex_C3 · September 20, 2019, 1:20am

@Tim_Roberts said:
APIs like ZwOpenSymbolicLinkObject are usually called by or on behalf of user-mode processes, so if you don’t specify that flag, it assumes that’s what you are doing.

That’s it. Thank you for your response.