Why does RtlImageNtHeader cause a BSOD?

Hello,

I want to get the NT header for ntoskrnl. To do that, I must use RtlImageNtHeader, an undocumented function. I found out that an access violation is being caused at RtlImageNtHeader + 0x2d. What could this be caused by? I verified the correct base address of Ntoskrnl.

Here is the code:

```c
// Prototype for the export the poster is calling; declare it if your WDK
// headers do not. Return type is PIMAGE_NT_HEADERS (PIMAGE_NT_HEADERS64 on x64).
NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID Base);

PVOID base = getKernelBase(NULL);   // helper in the poster's own code, not a system API

if (!base)
{
	DbgPrint("base address not found!\n");
	return STATUS_NOT_FOUND;
}  //pretty much always succeeds

PIMAGE_NT_HEADERS64 pHdr = RtlImageNtHeader(base); // this is the BSOD
```

thanks,

What could this be caused by?

It could be caused by using an undocumented and unsupported API. They never promised those APIs would keep working.

I think you’ll have to look at the assembly code to figure out what the code is doing.

@Tim_Roberts said:

What could this be caused by?

It could be caused by using an undocumented and unsupported API. They never promised those APIs would keep working.

I think you’ll have to look at the assembly code to figure out what the code is doing.

UPDATE:

Now I am getting the PE header without using an undocumented function. However, my code still causes a BSOD.
Does that mean ntoskrnl is protected or something?

My code for getting the PE header:

```c
PIMAGE_NT_HEADERS NtHeaders = NULL;

if (((PIMAGE_DOS_HEADER)base)->e_magic == IMAGE_DOS_SIGNATURE) {

    // e_lfanew sits at offset 0x3C of the DOS header; reading it matches the
    // "movsxd rsi, dword ptr [rax+3Ch]" instruction in the crash info below
    NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)base + ((PIMAGE_DOS_HEADER)base)->e_lfanew);

    if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        DbgPrint("invalid PE header\n");
        return STATUS_NOT_FOUND;
        //BSOD time!!!
    }

}
```

Crash info:


g_KernelBase : FFFFF8017F200000
Access violation - code c0000005 (!!! second chance !!!)
ffff9605`c50e7a71 4863703c        movsxd  rsi,dword ptr [rax+3Ch]
kd> !analyze -v
... Retry sending the same data packet for 64 times.
The transport connection between host kernel debugger and target Windows seems lost.
please try resync with target, recycle the host debugger, or reboot the target Windows.
Connected to Windows 10 18362 x64 target at (Wed Apr  1 19:36:47.138 2020 (UTC - 4:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
.......................................
Loading User Symbols
...................
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

DUMP_TYPE:  0

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  kdmapper.exe

FAULTING_IP: 
+0
ffff9605`c50e7a71 4863703c        movsxd  rsi,dword ptr [rax+3Ch]

FOLLOWUP_IP: 
+0
ffff9605`c50e7a71 4863703c        movsxd  rsi,dword ptr [rax+3Ch]

BUGCHECK_STR:  ACCESS_VIOLATION

READ_ADDRESS:  0000000000ab703c 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000ab703c

CPU_COUNT: 1

CPU_MHZ: e09

CPU_VENDOR:  AuthenticAMD

CPU_FAMILY: 17

CPU_MODEL: 11

CPU_STEPPING: 0

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  DESKTOP-53H48PG

ANALYSIS_SESSION_TIME:  04-01-2020 19:36:48.0476

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

LAST_CONTROL_TRANSFER:  from 0000000000000000 to ffff9605c50e7a71

STACK_TEXT:  
ffff838d`1f995800 00000000`00000000 : ffff9605`0000c120 ffff838d`1f995958 ffff838d`1f995780 ffffe68a`2ea18f00 : 0xffff9605`c50e7a71

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  .thread ; .cxr ; kb

FAILURE_BUCKET_ID:  ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

BUCKET_ID:  ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

PRIMARY_PROBLEM_CLASS:  ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

TARGET_TIME:  2020-04-01T23:33:06.000Z

OSBUILD:  18362

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  784

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  190318-1202

BUILDLAB_STR:  19h1_release

BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME:  234d

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:access_violation_analysis_inconclusive!unknown_function

FAILURE_ID_HASH:  {6636647e-3e69-7cc5-6dd1-dcc0ae3c99be}

Followup:     MachineOwner
---------```

How did you get the image base without using an undocumented function?

Did you look at the dump? The fault happened while reading from 0000000000ab703c. That means the value you have for “base” is 0xab7000. Right away, it should be clear that this is not a kernel address. Does your code have a stupid 32/64 problem? Have you poked around with a debugger to see if the value you want is actually present or not? That would be a HELL of a lot faster than generating a bunch of dumps and sending them to a web forum for analysis.
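The posted header walk and Tim's reading of the dump (READ_ADDRESS 0xab703c is base + 0x3C, the offset of e_lfanew, so base was 0xab7000) come down to the same two checks: range-check e_lfanew before it is added to base, and notice when base is not even in the kernel-mode address range. The following is an added example, not code from the thread or from any poster. It is plain C that compiles and runs in user mode against a constructed in-memory image, so the logic can be exercised without a kernel debugger. GetNtHeaders64, SampleWalkStatus and IsKernelModeAddressX64 are names chosen for this example, not Windows APIs; the struct definitions reproduce the public winnt.h layouts for the fields used (the three version WORD pairs of the optional header are collapsed into arrays, and fields after SizeOfHeaders are omitted).

```c
/* Added example (not from the thread): bounds-checked base -> NT headers walk,
 * runnable in user mode against a constructed image.  Structs mirror the
 * public winnt.h layouts; only the leading optional-header fields are kept. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_DOS_SIGNATURE           0x5A4D       /* "MZ"     */
#define IMAGE_NT_SIGNATURE            0x00004550   /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x020B

typedef struct {
    uint16_t e_magic;
    uint16_t e_unused[29];   /* e_cblp .. e_res2, irrelevant here */
    int32_t  e_lfanew;       /* offset 0x3C: the dword "movsxd rsi,[rax+3Ch]" reads */
} IMAGE_DOS_HEADER;

typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} IMAGE_FILE_HEADER;

typedef struct {             /* leading fields of IMAGE_OPTIONAL_HEADER64 */
    uint16_t Magic;
    uint8_t  MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint, BaseOfCode;
    uint64_t ImageBase;
    uint32_t SectionAlignment, FileAlignment;
    uint16_t OsVersion[2], ImageVersion[2], SubsystemVersion[2];  /* WORD pairs collapsed */
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders;
} IMAGE_OPTIONAL_HEADER64_PREFIX;

typedef struct {
    uint32_t Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER64_PREFIX OptionalHeader;
} IMAGE_NT_HEADERS64;

_Static_assert(offsetof(IMAGE_DOS_HEADER, e_lfanew) == 0x3C, "DOS header layout");
_Static_assert(offsetof(IMAGE_NT_HEADERS64, OptionalHeader) == 0x18, "NT header layout");

typedef enum { PE_OK = 0, PE_BAD_BASE, PE_BAD_DOS_MAGIC, PE_BAD_LFANEW,
               PE_BAD_NT_SIGNATURE, PE_BAD_OPT_MAGIC } PE_STATUS;

/* x64 Windows with 4-level paging: kernel-mode VAs start at 0xFFFF800000000000. */
int IsKernelModeAddressX64(uint64_t va) { return va >= 0xFFFF800000000000ULL; }

/* `readable` is the byte count known to be mapped at base (in a driver: the
 * page already probed, or the size from the loaded-module list).  No field is
 * dereferenced before the offset that reaches it has been checked against it. */
PE_STATUS GetNtHeaders64(const void *base, size_t readable, const IMAGE_NT_HEADERS64 **out)
{
    *out = NULL;
    if (base == NULL || readable < sizeof(IMAGE_DOS_HEADER))
        return PE_BAD_BASE;
    const IMAGE_DOS_HEADER *dos = (const IMAGE_DOS_HEADER *)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return PE_BAD_DOS_MAGIC;
    /* e_lfanew is signed: reject negative/too-small/too-large before adding it to base */
    if (dos->e_lfanew < (int32_t)sizeof(IMAGE_DOS_HEADER) ||
        (size_t)dos->e_lfanew > readable ||
        readable - (size_t)dos->e_lfanew < sizeof(IMAGE_NT_HEADERS64))
        return PE_BAD_LFANEW;
    const IMAGE_NT_HEADERS64 *nt =
        (const IMAGE_NT_HEADERS64 *)((const uint8_t *)base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        return PE_BAD_NT_SIGNATURE;
    if (nt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        return PE_BAD_OPT_MAGIC;
    *out = nt;
    return PE_OK;
}

/* Constructed 512-byte PE32+ header image (not a real module) with the given
 * e_lfanew; returns what the walk makes of it. */
static uint64_t g_image[64];  /* uint64_t keeps the NT headers 8-byte aligned */

PE_STATUS SampleWalkStatus(int32_t lfanew, int corrupt_nt_signature)
{
    uint8_t *img = (uint8_t *)g_image;
    memset(g_image, 0, sizeof g_image);
    ((IMAGE_DOS_HEADER *)img)->e_magic  = IMAGE_DOS_SIGNATURE;
    ((IMAGE_DOS_HEADER *)img)->e_lfanew = lfanew;
    if (lfanew >= 0 && (size_t)lfanew + sizeof(IMAGE_NT_HEADERS64) <= sizeof g_image) {
        IMAGE_NT_HEADERS64 *hdr = (IMAGE_NT_HEADERS64 *)(img + lfanew);
        hdr->Signature = corrupt_nt_signature ? 0x45505050 : IMAGE_NT_SIGNATURE;
        hdr->FileHeader.Machine = 0x8664;            /* IMAGE_FILE_MACHINE_AMD64 */
        hdr->FileHeader.SizeOfOptionalHeader = 0xF0;
        hdr->OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC;
        hdr->OptionalHeader.SizeOfImage = 0x1000;
    }
    const IMAGE_NT_HEADERS64 *nt;
    return GetNtHeaders64(img, sizeof g_image, &nt);
}

int main(void)
{
    printf("valid image: %d, e_lfanew past end: %d, negative e_lfanew: %d, bad PE sig: %d\n",
           SampleWalkStatus(0x80, 0), SampleWalkStatus(0x1F0, 0),
           SampleWalkStatus(-4, 0), SampleWalkStatus(0x80, 1));
    /* the dump: fault reading 0xab703c via [rax+3Ch], so rax (base) was 0xab7000 */
    printf("base 0xab7000 kernel-mode? %d; g_KernelBase? %d\n",
           IsKernelModeAddressX64(0xab703cULL - 0x3C),
           IsKernelModeAddressX64(0xFFFFF8017F200000ULL));
    return 0;
}
```

In a driver the `readable` bound is what makes the walk safe: pass the number of bytes you have already confirmed mapped at `base` (one probed page is enough for the DOS and NT headers of a normal image) rather than trusting that `e_lfanew` points somewhere readable. Applied to the values in the dump, the address check fails for 0xab7000 and passes for the g_KernelBase printed just above the fault, which is the mismatch Tim's reply asks about.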

How did you get the image base without using an undocumented function?
Like the picture of the blonde solving the geometry problem "find x" → "here it is": PVOID base = getKernelBase(NULL); :)

getKernelBase is not a system API. It must be a function in your code. You’re sure everything it does is documented?