NTDEV

Why does RtlImageNtHeader cause a BSOD?

jguo5258 Member Posts: 28

Hello,

I want to get the NT header for ntoskrnl. To do that, I must use RtlImageNtHeader, an undocumented function. I found out that an access violation is being caused at RtlImageNtHeader + 0x2d. What could this be caused by? I verified the correct base address of ntoskrnl.

Here is the code:

```c
PVOID base = getKernelBase(NULL);   // helper defined elsewhere in the driver, not a system API

if (!base)
{
    DbgPrint("base address not found!\n");
    return STATUS_NOT_FOUND;
}  // pretty much always succeeds

PIMAGE_NT_HEADERS64 pHdr = RtlImageNtHeader(base); // this is the BSOD
```

Thanks,

Comments

  • Tim_Roberts Member - All Emails Posts: 13,578

    What could this be caused by?

    It could be caused by using an undocumented and unsupported API. They never promised those APIs would keep working.

    I think you'll have to look at the assembly code to figure out what the code is doing.

    Tim Roberts
    Providenza & Boekelheide, Inc.

  • jguo5258 Member Posts: 28

    @Tim_Roberts said:

    What could this be caused by?

    It could be caused by using an undocumented and unsupported API. They never promised those APIs would keep working.

    I think you'll have to look at the assembly code to figure out what the code is doing.

    UPDATE:

    Now I am getting the NT header without any undocumented function:

    ```c
    // Walk from the kernel image base to its NT headers by hand
    if (((PIMAGE_DOS_HEADER)base)->e_magic == IMAGE_DOS_SIGNATURE) {

        // reads e_lfanew at base+0x3C; the faulting instruction in the dump,
        // movsxd rsi,dword ptr [rax+3Ch], is this load
        NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)base + ((PIMAGE_DOS_HEADER)base)->e_lfanew);

        if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
            DbgPrint("invalid PE header\n");
            return STATUS_NOT_FOUND;
            //BSOD time!!!
        }
    }
    ```

    but it still causes a blue screen of death!

    Does that mean ntoskrnl is protected or something?

    Crash info:

    ```
    g_KernelBase : FFFFF8017F200000
    Access violation - code c0000005 (!!! second chance !!!)
    ffff9605`c50e7a71 4863703c movsxd rsi,dword ptr [rax+3Ch]
    kd> !analyze -v
    ... Retry sending the same data packet for 64 times.
    The transport connection between host kernel debugger and target Windows seems lost.
    please try resync with target, recycle the host debugger, or reboot the target Windows.
    Connected to Windows 10 18362 x64 target at (Wed Apr 1 19:36:47.138 2020 (UTC - 4:00)), ptr64 TRUE
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .......................................
    Loading User Symbols
    ...................
    Loading unloaded module list
    ........

    *******************************************************************************
    *                        Bugcheck Analysis                                    *
    *******************************************************************************

    Unknown bugcheck code (0)
    Unknown bugcheck description
    Arguments:
    Arg1: 0000000000000000
    Arg2: 0000000000000000
    Arg3: 0000000000000000
    Arg4: 0000000000000000

    Debugging Details:

    KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    PROCESSES_ANALYSIS: 1

    SERVICE_ANALYSIS: 1

    STACKHASH_ANALYSIS: 1

    TIMELINE_ANALYSIS: 1

    DUMP_CLASS: 1

    DUMP_QUALIFIER: 0

    BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202

    DUMP_TYPE: 0

    BUGCHECK_P1: 0

    BUGCHECK_P2: 0

    BUGCHECK_P3: 0

    BUGCHECK_P4: 0

    PROCESS_NAME: kdmapper.exe

    FAULTING_IP:
    +0
    ffff9605`c50e7a71 4863703c movsxd rsi,dword ptr [rax+3Ch]

    FOLLOWUP_IP:
    +0
    ffff9605`c50e7a71 4863703c movsxd rsi,dword ptr [rax+3Ch]

    BUGCHECK_STR: ACCESS_VIOLATION

    READ_ADDRESS: 0000000000ab703c

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE_STR: c0000005

    EXCEPTION_PARAMETER1: 0000000000000000

    EXCEPTION_PARAMETER2: 0000000000ab703c

    CPU_COUNT: 1

    CPU_MHZ: e09

    CPU_VENDOR: AuthenticAMD

    CPU_FAMILY: 17

    CPU_MODEL: 11

    CPU_STEPPING: 0

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    CURRENT_IRQL: 0

    ANALYSIS_SESSION_HOST: DESKTOP-53H48PG

    ANALYSIS_SESSION_TIME: 04-01-2020 19:36:48.0476

    ANALYSIS_VERSION: 10.0.18362.1 amd64fre

    LAST_CONTROL_TRANSFER: from 0000000000000000 to ffff9605c50e7a71

    STACK_TEXT:
    ffff838d1f995800 0000000000000000 : ffff96050000c120 ffff838d1f995958 ffff838d1f995780 ffffe68a2ea18f00 : 0xffff9605`c50e7a71

    SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: Unknown_Module

    IMAGE_NAME: Unknown_Image

    DEBUG_FLR_IMAGE_TIMESTAMP: 0

    STACK_COMMAND: .thread ; .cxr ; kb

    FAILURE_BUCKET_ID: ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

    BUCKET_ID: ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

    PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

    TARGET_TIME: 2020-04-01T23:33:06.000Z

    OSBUILD: 18362

    OSSERVICEPACK: 0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 784

    PRODUCT_TYPE: 1

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

    OS_LOCALE:

    USER_LCID: 0

    OSBUILD_TIMESTAMP: unknown_date

    BUILDDATESTAMP_STR: 190318-1202

    BUILDLAB_STR: 19h1_release

    BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202

    ANALYSIS_SESSION_ELAPSED_TIME: 234d

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:access_violation_analysis_inconclusive!unknown_function

    FAILURE_ID_HASH: {6636647e-3e69-7cc5-6dd1-dcc0ae3c99be}

    Followup: MachineOwner
    ---------
    ```

  • Tim_Roberts Member - All Emails Posts: 13,578

    How did you get the image base without using an undocumented function?

    Did you look at the dump? The fault happened while reading from 0000000000ab703c. That means the value you have for "base" is 0xab7000. Right away, it should be clear that this is not a kernel address. Does your code have a stupid 32/64 problem? Have you poked around with a debugger to see if the value you want is actually present or not? That would be a HELL of a lot faster than generating a bunch of dumps and sending them to a web forum for analysis.

    Tim Roberts
    Providenza & Boekelheide, Inc.
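
Added example, not code from the thread or from any of its posters: the same walk from an image base to its NT headers as the poster's snippet, with each dereference range-checked against the mapping size, plus the arithmetic Tim applies to the dump (READ_ADDRESS 0xab703c minus the 0x3C offset of e_lfanew gives the value the faulting instruction used as base, and that value is compared against the x64 kernel address range). It is written as a user-mode C program so it builds without the WDK: the structures DOS_HDR, FILE_HDR and NT_HDRS are trimmed re-declarations of the winnt.h layouts, the PE image is a constructed in-memory buffer rather than a real binary, and the kernel-address test assumes the 48-bit x64 canonical split.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE      0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE       0x00004550  /* "PE\0\0" */
#define IMAGE_FILE_MACHINE_AMD64 0x8664

#pragma pack(push, 1)
typedef struct {                /* trimmed IMAGE_DOS_HEADER: keeps e_lfanew at 0x3C */
    uint16_t e_magic;
    uint8_t  e_pad[0x3A];
    int32_t  e_lfanew;          /* LONG in winnt.h, so it can be negative */
} DOS_HDR;

typedef struct {                /* IMAGE_FILE_HEADER, 20 bytes */
    uint16_t Machine;
    uint16_t NumberOfSections;
    uint32_t TimeDateStamp;
    uint32_t PointerToSymbolTable;
    uint32_t NumberOfSymbols;
    uint16_t SizeOfOptionalHeader;
    uint16_t Characteristics;
} FILE_HDR;

typedef struct {                /* IMAGE_NT_HEADERS without the optional header */
    uint32_t Signature;
    FILE_HDR FileHeader;
} NT_HDRS;
#pragma pack(pop)

/* x64 kernel-mode addresses sit in the upper canonical half of a 48-bit VA
 * space (0xFFFF8000'00000000 and above). Anything lower cannot be ntoskrnl. */
int is_kernel_va(uint64_t va) { return va >= 0xFFFF800000000000ULL; }

/* The faulting instruction was "movsxd rsi, dword ptr [rax+3Ch]", i.e. the
 * e_lfanew load, so READ_ADDRESS minus that offset is what rax (base) held. */
uint64_t base_from_fault(uint64_t read_address)
{
    return read_address - offsetof(DOS_HDR, e_lfanew);
}

/* Same steps as the poster's snippet, but a bad e_lfanew is reported (NULL)
 * instead of followed: every read is checked against the mapping size first. */
const NT_HDRS *find_nt_headers(const void *base, size_t size)
{
    const uint8_t *p = (const uint8_t *)base;
    if (p == NULL || size < sizeof(DOS_HDR)) return NULL;
    const DOS_HDR *dos = (const DOS_HDR *)p;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    if (dos->e_lfanew < 0) return NULL;            /* negative offset: garbage */
    size_t off = (size_t)dos->e_lfanew;
    if (off > size || size - off < sizeof(NT_HDRS)) return NULL; /* outside mapping */
    const NT_HDRS *nt = (const NT_HDRS *)(p + off);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return NULL;
    return nt;
}

/* Constructed test image: an MZ header whose e_lfanew points at "PE\0\0" plus
 * an AMD64 file header at offset 0x80. Returns the number of bytes used. */
size_t build_sample_image(uint8_t *buf, size_t size)
{
    const size_t nt_off = 0x80;
    if (size < nt_off + sizeof(NT_HDRS)) return 0;
    memset(buf, 0, size);
    DOS_HDR *dos = (DOS_HDR *)buf;
    dos->e_magic = IMAGE_DOS_SIGNATURE;
    dos->e_lfanew = (int32_t)nt_off;
    NT_HDRS *nt = (NT_HDRS *)(buf + nt_off);
    nt->Signature = IMAGE_NT_SIGNATURE;
    nt->FileHeader.Machine = IMAGE_FILE_MACHINE_AMD64;
    return nt_off + sizeof(NT_HDRS);
}

/* Builds the sample, overrides e_lfanew, and returns the offset the walk lands
 * on, or -1 when the walk refuses the image. */
long nt_offset_with_lfanew(int32_t e_lfanew)
{
    uint8_t img[0x200];
    size_t len = build_sample_image(img, sizeof img);
    ((DOS_HDR *)img)->e_lfanew = e_lfanew;
    const NT_HDRS *nt = find_nt_headers(img, len);
    if (nt == NULL || nt->FileHeader.Machine != IMAGE_FILE_MACHINE_AMD64) return -1;
    return (long)((const uint8_t *)nt - img);
}

int main(void)
{
    printf("valid image: NT headers at +0x%lx\n", nt_offset_with_lfanew(0x80));
    printf("e_lfanew past the mapping: %ld\n", nt_offset_with_lfanew(0x10000));
    printf("negative e_lfanew: %ld\n", nt_offset_with_lfanew(-4));
    uint64_t base = base_from_fault(0xab703cULL);   /* READ_ADDRESS from the dump */
    printf("base behind the fault = 0x%llx, kernel VA: %s\n",
           (unsigned long long)base, is_kernel_va(base) ? "yes" : "no");
    return 0;
}
```

The two checks do different jobs: the range checks in find_nt_headers protect against a hostile or corrupt e_lfanew once the base really is a mapped image, while is_kernel_va catches the case in this thread, where the pointer handed to the walk is not a kernel address at all, so even the first read of e_magic would fault.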

  • SweetLow Member Posts: 40

    How did you get the image base without using an undocumented function?

    Like picture with blonde solving geometry equation "find x" -> "here it is": PVOID base = getKernelBase(NULL); :)

  • Tim_Roberts Member - All Emails Posts: 13,578

    getKernelBase is not a system API. It must be a function in your code. You're sure everything it does is documented?

    Tim Roberts
    Providenza & Boekelheide, Inc.
