Hello everyone. My plan is get full image path of IOCTL sender from its pid. Like Process A send IOCTL to device (DriverObject->MajorFunction[IRP_MJ_CREATE] = IoCTLCreateClose;)
Driver get Process PID (pid = IoGetRequestorProcessId(Irp)
Driver open process handle :
InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
cid.UniqueProcess = (HANDLE)pid;
cid.UniqueThread = (HANDLE)0;
status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
if (!NT_SUCCESS(status) && hProcess == NULL)
{
DbgPrint("Error zwopen\n");
}
DbgPrint("%p\n", hProcess); //not null
then I call status = ZwQueryInformationProcess(hProcess, 27, NULL, 0, &returnLen); and get BSOD all of those occur when Driver verifier is active but if i turn off drive verifier it works without problem.
Complete function:
NTSTATUS IoCTLCreateClose(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION ioStack = NULL;
ULONG pid = 0;
UCHAR data[2048] = { 0 };
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES oa = { 0 };
CLIENT_ID cid = { 0 };
ULONG returnLen = 0;
UNREFERENCED_PARAMETER(pDeviceObject);
ioStack = IoGetCurrentIrpStackLocation(Irp);
pid = IoGetRequestorProcessId(Irp);
DbgPrint("PID is %d\n", pid);
//CalculateHASH(pid);
InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
cid.UniqueProcess = (HANDLE)pid;
cid.UniqueThread = (HANDLE)0;
status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
if (!NT_SUCCESS(status) && hProcess == NULL)
{
DbgPrint("Error zwopen\n");
}
DbgPrint("%p\n", hProcess);
status = ZwQueryInformationProcess(hProcess, 27, NULL, 0, &returnLen);
DbgPrint("%d\n", KeGetCurrentIrql()); //always 0
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
DUMP:
-
* -
Bugcheck Analysis * -
*
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000000a0, Handle value being referenced.
Arg3: ffffb78f15421080, Address of the current process.
Arg4: fffff80649761238, Address inside the driver that is performing the incorrect reference.
Debugging Details:
*** WARNING: Unable to verify checksum for MainApp.exe
KEY_VALUES_STRING: 1
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
DUMP_TYPE: 0
BUGCHECK_P1: f6
BUGCHECK_P2: a0
BUGCHECK_P3: ffffb78f15421080
BUGCHECK_P4: fffff80649761238
BUGCHECK_STR: 0xc4_f6
CPU_COUNT: 2
CPU_MHZ: e6b
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3c
CPU_STEPPING: 3
CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 27’00000000 (cache) 27’00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: MainApp.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: DESKTOP-IC3B92P
ANALYSIS_SESSION_TIME: 08-08-2020 14:45:14.0286
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
LAST_CONTROL_TRANSFER: from fffff8064a163922 to fffff8064a084210
STACK_TEXT:
ffff800b1c313538 fffff8064a163922 : 00000000000000f6 0000000000000003 ffff800b1c3136a0 fffff80649fcbb70 : nt!DbgBreakPointWithStatus
ffff800b1c313540 fffff8064a163017 : 0000000000000003 ffff800b1c3136a0 fffff8064a090a60 00000000000000c4 : nt!KiBugCheckDebugBreak+0x12
ffff800b1c3135a0 fffff8064a07c4c7 : 0000000000000000 ffff800b1c313f30 000000000000000d 0000000000000008 : nt!KeBugCheck2+0x947
ffff800b1c313ca0 fffff8064a82a6e3 : 00000000000000c4 00000000000000f6 00000000000000a0 ffffb78f15421080 : nt!KeBugCheckEx+0x107
ffff800b1c313ce0 fffff8064a833838 : ffffb78f15421080 0000000000000008 fffff80649761200 0000000000000005 : nt!VerifierBugCheckIfAppropriate+0xdf
ffff800b1c313d20 fffff8064a6735ad : 0000000000000000 ffffb78f120c9380 00000000000000a0 ffff800b1c314bc0 : nt!VfCheckUserHandle+0x1d4
ffff800b1c313e10 fffff8064a4bfe61 : ffffb78f15421080 ffff800b00001000 ffffb78f120c9380 fffff8064a810800 : nt!ObpReferenceObjectByHandleWithTag+0x1a9d8d
ffff800b1c313ea0 fffff8064a4a807b : ffff800b1c314000 ffff800b1c314500 ffff800b1c314000 0000000000000000 : nt!ObReferenceObjectByHandleWithTag+0x31
ffff800b1c313ef0 fffff8064a08dc15 : ffff820c0edf6060 00000000000015b8 0000000000000000 0000000000000000 : nt!NtQueryInformationProcess+0x84b
ffff800b1c3148e0 fffff8064a0801e0 : fffff8064a84499a ffff800b1c314c40 fffff80649fcbbbc 00000000000015b8 : nt!KiSystemServiceCopyEnd+0x25
ffff800b1c314ae8 fffff8064a84499a : ffff800b1c314c40 fffff80649fcbbbc 00000000000015b8 ffffb78f198f49f0 : nt!KiServiceLinkage
ffff800b1c314af0 fffff80649761238 : 00000000000015b8 ffff800b1c314c40 ffffb78f198f49f0 0000000000000000 : nt!VfZwQueryInformationProcess+0x6a
ffff800b1c314b40 fffff8064a0397aa : ffffb78f18f66ea0 fffff8064a82aa5c ffffb78f1929dbb0 ffffb78f00000001 : IOCTLSecureChannel_MD5_!IoCTLCreateClose+0x108 [D:\repos\IOCTLSecureChannel(MD5)\IOCTLSecureChannel(MD5)\main.c @ 189]
ffff800b1c3153e0 fffff8064a81f0a9 : ffffb78f18f66ea0 ffffb78f198f49f0 ffffb78f00000010 ffff800b1c315468 : nt!IopfCallDriver+0x56
ffff800b1c315420 fffff8064a0d8b65 : fffff8064a4be325 ffff800b1c315760 ffff800b1c3156d0 ffffb78f1929dbb0 : nt!IovCallDriver+0x275
ffff800b1c315460 fffff80649f52f94 : 0000000000000000 000000000012019f ffffb78f18f66fb8 fffff80649f53753 : nt!IofCallDriver+0x184ce5
ffff800b1c3154a0 fffff8064a4bea1b : ffff800b1c315760 fffff8064a4be325 ffff800b1c3156d0 ffffb78f193bcad0 : nt!IoCallDriverWithTracing+0x34
ffff800b1c3154f0 fffff8064a4c59ef : ffffb78f198f49f0 ffffb78f198f4925 ffffb78f197a59a0 ffff820c07e0dd01 : nt!IopParseDevice+0x62b
ffff800b1c315660 fffff8064a4c3e51 : ffffb78f197a5900 ffff800b1c3158a8 0000000000000040 ffffb78f120db2a0 : nt!ObpLookupObjectName+0x78f
ffff800b1c315820 fffff8064a50b680 : 0000000000000001 000000d49d0ffc58 0000000000000001 0000000000000000 : nt!ObOpenObjectByNameEx+0x201
ffff800b1c315960 fffff8064a50ae49 : 000000d49d0ffc00 ffffb78fc0100080 000000d49d0ffc58 000000d49d0ffc18 : nt!IopCreateFile+0x820
ffff800b1c315a00 fffff8064a08dc15 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!NtCreateFile+0x79
ffff800b1c315a90 00007ffeccadcb14 : 00007ffec7bf12f9 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
000000d49d0ffa88 00007ffec7bf12f9 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!NtCreateFile+0x14
000000d49d0ffa90 00007ffeca324544 : 0000000000000004 00000000c0000000 0000023c9bc90350 0000000000000000 : apphelp!InsHook_NtCreateFile+0x169
000000d49d0ffb90 00007ffeca324236 : 0000000000000000 00007ff62661105d 0000000000000000 0000023c9bca0b30 : KERNELBASE!CreateFileInternal+0x2f4
000000d49d0ffd00 00007ff6266110ba : 00007ff626612250 00000000000015b8 0000023c9bca0b30 00007ffeca321e20 : KERNELBASE!CreateFileW+0x66
000000d49d0ffd60 00007ff626611324 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : MainApp+0x10ba
000000d49d0ffdb0 00007ffecc037bd4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : MainApp+0x1324
000000d49d0ffdf0 00007ffeccaace51 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
000000d49d0ffe20 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
THREAD_SHA1_HASH_MOD_FUNC: e70ab98a97a795206f80f8374b669f21a2e34dc5
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 3b27e8324244ba302dab6510d34f22f89b9a2ba0
THREAD_SHA1_HASH_MOD: 77513cf490e79169a3d23d3a15afafea18be83bb
FOLLOWUP_IP:
IOCTLSecureChannel_MD5_!IoCTLCreateClose+108 [D:\repos\IOCTLSecureChannel(MD5)\IOCTLSecureChannel(MD5)\main.c @ 189]
fffff806`49761238 8bd8 mov ebx,eax
FAULT_INSTR_CODE: 43dd88b
FAULTING_SOURCE_LINE: D:\repos\IOCTLSecureChannel(MD5)\IOCTLSecureChannel(MD5)\main.c
FAULTING_SOURCE_FILE: D:\repos\IOCTLSecureChannel(MD5)\IOCTLSecureChannel(MD5)\main.c
FAULTING_SOURCE_LINE_NUMBER: 189
FAULTING_SOURCE_CODE:
185:
186: DbgPrint(“%p\n”, hProcess);
187:
188:
189: status = ZwQueryInformationProcess(hProcess, 27, NULL, 0, &returnLen);
190:
191:
192: DbgPrint(“%d\n”, KeGetCurrentIrql()); //always 0
193:
194: