Hello everyone. My plan is get full image path of IOCTL sender from its pid. Like Process A send IOCTL to device (DriverObject->MajorFunction[IRP_MJ_CREATE] = IoCTLCreateClose;)
Driver get Process PID (pid = IoGetRequestorProcessId(Irp)
Driver open process handle :
InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
cid.UniqueProcess = (HANDLE)pid;
cid.UniqueThread = (HANDLE)0;
status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
if (!NT_SUCCESS(status) && hProcess == NULL)
{
DbgPrint("Error zwopen\n");
}
DbgPrint("%p\n", hProcess); //not null
then I call status = ZwQueryInformationProcess(hProcess, 27, NULL, 0, &returnLen); and get BSOD all of those occur when Driver verifier is active but if i turn off drive verifier it works without problem.
Complete function:
NTSTATUS IoCTLCreateClose(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION ioStack = NULL;
ULONG pid = 0;
UCHAR data[2048] = { 0 };
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES oa = { 0 };
CLIENT_ID cid = { 0 };
ULONG returnLen = 0;
UNREFERENCED_PARAMETER(pDeviceObject);
ioStack = IoGetCurrentIrpStackLocation(Irp);
pid = IoGetRequestorProcessId(Irp);
DbgPrint("PID is %d\n", pid);
//CalculateHASH(pid);
InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
cid.UniqueProcess = (HANDLE)pid;
cid.UniqueThread = (HANDLE)0;
status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
if (!NT_SUCCESS(status) && hProcess == NULL)
{
DbgPrint("Error zwopen\n");
}
DbgPrint("%p\n", hProcess);
status = ZwQueryInformationProcess(hProcess, 27, NULL, 0, &returnLen);
DbgPrint("%d\n", KeGetCurrentIrql()); //always 0
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
DUMP:
-
*
-
Bugcheck Analysis *
-
*
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000000a0, Handle value being referenced.
Arg3: ffffb78f15421080, Address of the current process.
Arg4: fffff80649761238, Address inside the driver that is performing the incorrect reference.
Debugging Details:
*** WARNING: Unable to verify checksum for MainApp.exe
KEY_VALUES_STRING: 1
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
DUMP_TYPE: 0
BUGCHECK_P1: f6
BUGCHECK_P2: a0
BUGCHECK_P3: ffffb78f15421080
BUGCHECK_P4: fffff80649761238
BUGCHECK_STR: 0xc4_f6
CPU_COUNT: 2
CPU_MHZ: e6b
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3c
CPU_STEPPING: 3
CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 27’00000000 (cache) 27’00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: MainApp.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: DESKTOP-IC3B92P
ANALYSIS_SESSION_TIME: 08-08-2020 14:45:14.0286
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
LAST_CONTROL_TRANSFER: from fffff8064a163922 to fffff8064a084210
STACK_TEXT:
ffff800b1c313538 fffff806
4a163922 : 00000000000000f6 00000000
00000003 ffff800b1c3136a0 fffff806
49fcbb70 : nt!DbgBreakPointWithStatus
ffff800b1c313540 fffff806
4a163017 : 0000000000000003 ffff800b
1c3136a0 fffff8064a090a60 00000000
000000c4 : nt!KiBugCheckDebugBreak+0x12
ffff800b1c3135a0 fffff806
4a07c4c7 : 0000000000000000 ffff800b
1c313f30 000000000000000d 00000000
00000008 : nt!KeBugCheck2+0x947
ffff800b1c313ca0 fffff806
4a82a6e3 : 00000000000000c4 00000000
000000f6 00000000000000a0 ffffb78f
15421080 : nt!KeBugCheckEx+0x107
ffff800b1c313ce0 fffff806
4a833838 : ffffb78f15421080 00000000
00000008 fffff80649761200 00000000
00000005 : nt!VerifierBugCheckIfAppropriate+0xdf
ffff800b1c313d20 fffff806
4a6735ad : 0000000000000000 ffffb78f
120c9380 00000000000000a0 ffff800b
1c314bc0 : nt!VfCheckUserHandle+0x1d4
ffff800b1c313e10 fffff806
4a4bfe61 : ffffb78f15421080 ffff800b
00001000 ffffb78f120c9380 fffff806
4a810800 : nt!ObpReferenceObjectByHandleWithTag+0x1a9d8d
ffff800b1c313ea0 fffff806
4a4a807b : ffff800b1c314000 ffff800b
1c314500 ffff800b1c314000 00000000
00000000 : nt!ObReferenceObjectByHandleWithTag+0x31
ffff800b1c313ef0 fffff806
4a08dc15 : ffff820c0edf6060 00000000
000015b8 0000000000000000 00000000
00000000 : nt!NtQueryInformationProcess+0x84b
ffff800b1c3148e0 fffff806
4a0801e0 : fffff8064a84499a ffff800b
1c314c40 fffff80649fcbbbc 00000000
000015b8 : nt!KiSystemServiceCopyEnd+0x25
ffff800b1c314ae8 fffff806
4a84499a : ffff800b1c314c40 fffff806
49fcbbbc 00000000000015b8 ffffb78f
198f49f0 : nt!KiServiceLinkage
ffff800b1c314af0 fffff806
49761238 : 00000000000015b8 ffff800b
1c314c40 ffffb78f198f49f0 00000000
00000000 : nt!VfZwQueryInformationProcess+0x6a
ffff800b1c314b40 fffff806
4a0397aa : ffffb78f18f66ea0 fffff806
4a82aa5c ffffb78f1929dbb0 ffffb78f
00000001 : IOCTLSecureChannel_MD5_!IoCTLCreateClose+0x108 [D:\repos\IOCTLSecureChannel(MD5)\IOCTLSecureChannel(MD5)\main.c @ 189]
ffff800b1c3153e0 fffff806
4a81f0a9 : ffffb78f18f66ea0 ffffb78f
198f49f0 ffffb78f00000010 ffff800b
1c315468 : nt!IopfCallDriver+0x56
ffff800b1c315420 fffff806
4a0d8b65 : fffff8064a4be325 ffff800b
1c315760 ffff800b1c3156d0 ffffb78f
1929dbb0 : nt!IovCallDriver+0x275
ffff800b1c315460 fffff806
49f52f94 : 0000000000000000 00000000
0012019f ffffb78f18f66fb8 fffff806
49f53753 : nt!IofCallDriver+0x184ce5
ffff800b1c3154a0 fffff806
4a4bea1b : ffff800b1c315760 fffff806
4a4be325 ffff800b1c3156d0 ffffb78f
193bcad0 : nt!IoCallDriverWithTracing+0x34
ffff800b1c3154f0 fffff806
4a4c59ef : ffffb78f198f49f0 ffffb78f
198f4925 ffffb78f197a59a0 ffff820c
07e0dd01 : nt!IopParseDevice+0x62b
ffff800b1c315660 fffff806
4a4c3e51 : ffffb78f197a5900 ffff800b
1c3158a8 0000000000000040 ffffb78f
120db2a0 : nt!ObpLookupObjectName+0x78f
ffff800b1c315820 fffff806
4a50b680 : 0000000000000001 000000d4
9d0ffc58 0000000000000001 00000000
00000000 : nt!ObOpenObjectByNameEx+0x201
ffff800b1c315960 fffff806
4a50ae49 : 000000d49d0ffc00 ffffb78f
c0100080 000000d49d0ffc58 000000d4
9d0ffc18 : nt!IopCreateFile+0x820
ffff800b1c315a00 fffff806
4a08dc15 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!NtCreateFile+0x79
ffff800b1c315a90 00007ffe
ccadcb14 : 00007ffec7bf12f9 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiSystemServiceCopyEnd+0x25
000000d49d0ffa88 00007ffe
c7bf12f9 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : ntdll!NtCreateFile+0x14
000000d49d0ffa90 00007ffe
ca324544 : 0000000000000004 00000000
c0000000 0000023c9bc90350 00000000
00000000 : apphelp!InsHook_NtCreateFile+0x169
000000d49d0ffb90 00007ffe
ca324236 : 0000000000000000 00007ff6
2661105d 0000000000000000 0000023c
9bca0b30 : KERNELBASE!CreateFileInternal+0x2f4
000000d49d0ffd00 00007ff6
266110ba : 00007ff626612250 00000000
000015b8 0000023c9bca0b30 00007ffe
ca321e20 : KERNELBASE!CreateFileW+0x66
000000d49d0ffd60 00007ff6
26611324 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : MainApp+0x10ba
000000d49d0ffdb0 00007ffe
cc037bd4 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : MainApp+0x1324
000000d49d0ffdf0 00007ffe
ccaace51 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000d49d0ffe20 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : ntdll!RtlUserThreadStart+0x21
THREAD_SHA1_HASH_MOD_FUNC: e70ab98a97a795206f80f8374b669f21a2e34dc5
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 3b27e8324244ba302dab6510d34f22f89b9a2ba0
THREAD_SHA1_HASH_MOD: 77513cf490e79169a3d23d3a15afafea18be83bb
FOLLOWUP_IP:
IOCTLSecureChannel_MD5_!IoCTLCreateClose+108 [D:\repos\IOCTLSecureChannel(MD5)\IOCTLSecureChannel(MD5)\main.c @ 189]
fffff806`49761238 8bd8 mov ebx,eax
FAULT_INSTR_CODE: 43dd88b
FAULTING_SOURCE_LINE: D:\repos\IOCTLSecureChannel(MD5)\IOCTLSecureChannel(MD5)\main.c
FAULTING_SOURCE_FILE: D:\repos\IOCTLSecureChannel(MD5)\IOCTLSecureChannel(MD5)\main.c
FAULTING_SOURCE_LINE_NUMBER: 189
FAULTING_SOURCE_CODE:
185:
186: DbgPrint(“%p\n”, hProcess);
187:
188:
189: status = ZwQueryInformationProcess(hProcess, 27, NULL, 0, &returnLen);
190:
191:
192: DbgPrint(“%d\n”, KeGetCurrentIrql()); //always 0
193:
194: