@Tim_Roberts said:
What could this be caused by?
It could be caused by using an undocumented and unsupported API. They never promised those APIs would keep working.
I think you’ll have to look at the assembly code to figure out what the code is doing.
UPDATE:
Now I am getting the nt header without any undocumented function:
```c
if (((PIMAGE_DOS_HEADER)base)->e_magic == IMAGE_DOS_SIGNATURE) {
    NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)base + ((PIMAGE_DOS_HEADER)base)->e_lfanew);
    if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        DbgPrint("invalid PE header\n");
        return STATUS_NOT_FOUND;
        //BSOD time!!!
    }
}
```
but it still gives a blue screen of death!
Does that mean ntoskrnl is protected or something?
Crash info:
```text
g_KernelBase : FFFFF8017F200000
Access violation - code c0000005 (!!! second chance !!!)
ffff9605`c50e7a71 4863703c movsxd rsi,dword ptr [rax+3Ch]
kd> !analyze -v
… Retry sending the same data packet for 64 times.
The transport connection between host kernel debugger and target Windows seems lost.
please try resync with target, recycle the host debugger, or reboot the target Windows.
Connected to Windows 10 18362 x64 target at (Wed Apr 1 19:36:47.138 2020 (UTC - 4:00)), ptr64 TRUE
Loading Kernel Symbols
…
…
…
Loading User Symbols
…
Loading unloaded module list
…
Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: kdmapper.exe
FAULTING_IP:
+0
ffff9605`c50e7a71 4863703c movsxd rsi,dword ptr [rax+3Ch]
FOLLOWUP_IP:
+0
ffff9605`c50e7a71 4863703c movsxd rsi,dword ptr [rax+3Ch]
BUGCHECK_STR: ACCESS_VIOLATION
READ_ADDRESS: 0000000000ab703c
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000ab703c
CPU_COUNT: 1
CPU_MHZ: e09
CPU_VENDOR: AuthenticAMD
CPU_FAMILY: 17
CPU_MODEL: 11
CPU_STEPPING: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: DESKTOP-53H48PG
ANALYSIS_SESSION_TIME: 04-01-2020 19:36:48.0476
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
LAST_CONTROL_TRANSFER: from 0000000000000000 to ffff9605c50e7a71
STACK_TEXT:
ffff838d`1f995800 00000000`00000000 : ffff9605`0000c120 ffff838d`1f995958 ffff838d`1f995780 ffffe68a`2ea18f00 : 0xffff9605`c50e7a71
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function
BUCKET_ID: ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function
PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function
TARGET_TIME: 2020-04-01T23:33:06.000Z
OSBUILD: 18362
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 784
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 234d
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:access_violation_analysis_inconclusive!unknown_function
FAILURE_ID_HASH: {6636647e-3e69-7cc5-6dd1-dcc0ae3c99be}
Followup: MachineOwner
```
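An added example, not the poster's driver code and not part of kdmapper: a user-mode C parser that locates the NT headers the same way the snippet above does, but range-checks the image length and `e_lfanew` before every dereference. The faulting instruction in the log, `movsxd rsi,dword ptr [rax+3Ch]`, is the read of `e_lfanew` at offset 0x3C, so the exception fires on the very first dereference of `base`, before either signature comparison runs, and `READ_ADDRESS 0xab703c` is nowhere near the `g_KernelBase` printed at the top of the log; a signature check cannot protect a read through a pointer that is already wrong, only a check on the pointer and the readable size can. The SDK types are replaced by constructed stand-ins with the same field offsets so the example builds with any C compiler, and the sample image is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the SDK types, so this builds outside a driver.
   Offsets match the real layout: e_magic at 0, e_lfanew at 0x3C (the
   [rax+3Ch] read in the crash log); IMAGE_NT_HEADERS begins with the 4-byte
   Signature followed by the 20-byte IMAGE_FILE_HEADER. */
#define IMAGE_DOS_SIGNATURE 0x5A4Du     /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u /* "PE\0\0" */

typedef struct {
    uint16_t e_magic;
    uint8_t  e_pad[0x3C - sizeof(uint16_t)];
    int32_t  e_lfanew;                  /* signed in the real header as well */
} dos_header_t;

typedef struct {
    uint32_t Signature;
    uint8_t  FileHeader[20];            /* IMAGE_FILE_HEADER, opaque here */
} nt_headers_min_t;

typedef enum {
    PE_OK = 0,
    PE_NULL_BASE,        /* no image pointer at all */
    PE_TOO_SMALL,        /* fewer readable bytes than a DOS header */
    PE_BAD_DOS_MAGIC,
    PE_BAD_LFANEW,       /* negative, inside the DOS header, or past the end */
    PE_BAD_NT_SIGNATURE
} pe_status_t;

/* Locate the NT headers of an image mapped at base with `size` readable
   bytes. Each field is bounds-checked before it is read, so a bad base or a
   hostile e_lfanew yields an error code instead of an access violation.
   Reads go through memcpy, which also avoids unaligned-access problems. */
pe_status_t find_nt_headers(const uint8_t *base, size_t size, size_t *nt_offset)
{
    if (base == NULL)
        return PE_NULL_BASE;
    if (size < sizeof(dos_header_t))
        return PE_TOO_SMALL;

    uint16_t e_magic;
    memcpy(&e_magic, base + offsetof(dos_header_t, e_magic), sizeof e_magic);
    if (e_magic != IMAGE_DOS_SIGNATURE)
        return PE_BAD_DOS_MAGIC;

    int32_t lfanew;
    memcpy(&lfanew, base + offsetof(dos_header_t, e_lfanew), sizeof lfanew);
    if (lfanew < (int32_t)sizeof(dos_header_t))
        return PE_BAD_LFANEW;
    size_t off = (size_t)lfanew;
    if (off > size || size - off < sizeof(nt_headers_min_t))
        return PE_BAD_LFANEW;

    uint32_t signature;
    memcpy(&signature, base + off, sizeof signature);
    if (signature != IMAGE_NT_SIGNATURE)
        return PE_BAD_NT_SIGNATURE;

    if (nt_offset != NULL)
        *nt_offset = off;
    return PE_OK;
}

/* Write a constructed, minimal well-formed image into buf (DOS header whose
   e_lfanew points just past itself, then the NT headers). Returns the bytes
   written, or 0 if buf is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t need = sizeof(dos_header_t) + sizeof(nt_headers_min_t);
    if (cap < need)
        return 0;
    dos_header_t dos = { .e_magic = IMAGE_DOS_SIGNATURE,
                         .e_lfanew = (int32_t)sizeof(dos_header_t) };
    nt_headers_min_t nt = { .Signature = IMAGE_NT_SIGNATURE };
    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + sizeof dos, &nt, sizeof nt);
    return need;
}

/* Overwrite e_lfanew in place, to simulate a corrupt or hostile header. */
void set_lfanew(uint8_t *buf, int32_t value)
{
    memcpy(buf + offsetof(dos_header_t, e_lfanew), &value, sizeof value);
}

int main(void)
{
    uint8_t image[128];
    size_t len = build_sample_image(image, sizeof image), off = 0;
    printf("well-formed: status %d, NT headers at +0x%zx\n",
           (int)find_nt_headers(image, len, &off), off);
    set_lfanew(image, 0x100000);        /* 1 MiB past the mapped bytes */
    printf("e_lfanew past the end: status %d\n",
           (int)find_nt_headers(image, len, NULL));
    return 0;
}
```

The same shape applies in a driver: take the base and the mapped size from a trustworthy source, verify the pointer and the size before touching `e_magic`, and treat `e_lfanew` as untrusted input that must land inside the mapped bytes with room for the whole NT header, rather than checking signatures after the dereference that can already fault.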