Bugcheck 50

Hi there. The following code works fine, but when a process is closed, I BSOD the PC?

Even if I use try/__try and except/__except. It looks like it crashes when initializing OBJECT_ATTRIBUTES or when calling ZwOpenProcess…

Can you please help me, thank you.

  
```c
NTSTATUS onExec(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    HANDLE hProcess = 0;
    NTSTATUS nRet;

    KdPrint(("WILH!OnExec()!\n"));

    if (Create == TRUE && ParentId != NULL && ProcessId != NULL)
    {
        CLIENT_ID pClientId = {0};

        pClientId.UniqueProcess = (HANDLE)ProcessId;
        pClientId.UniqueThread = 0;
        //OBJECT_ATTRIBUTES pObjectAttributes={0};
        // PUNICODE_STRING name;
        //RtlIniUnicodeString(&name,L"hProcess");

        //InitializeObjectAttributes(&pObjectAttributes,&name,OBJ_INHERIT | OBJ_KERNEL_HANDLE,ProcessId,NULL);

        nRet = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, NULL, &pClientId);

        if (hProcess && nRet == STATUS_SUCCESS)
        {
            nRet = ZwTerminateProcess(hProcess, STATUS_SUCCESS);
            KdPrint(("WILH!onExec: ZwTerminateProcess() returned: 0x%X\n", nRet));
        }

        if (hProcess && nRet == STATUS_SUCCESS)
        {
            ZwClose(hProcess);
        }
    }
    else
    {
        KdPrint(("WILH!OnExec():Process terminated !\n"));
    }

    return STATUS_SUCCESS;
}
```
  

The code won’t be like that, meaning it won’t just terminate every process that starts up. I am just simply testing it.

xxxxx@live.com wrote:

> Hi there. The following code works fine, but when a process is closed, I BSOD the PC?
>
> Even if I use try/__try and except/__except. It looks like it crashes when initializing OBJECT_ATTRIBUTES or when calling ZwOpenProcess…
>
> Can you please help me, thank you.
>
> CLIENT_ID pClientId={0};
>
> pClientId.UniqueProcess = (HANDLE)ProcessId;
> pClientId.UniqueThread = 0 ;
> //OBJECT_ATTRIBUTES pObjectAttributes={0};
> // PUNICODE_STRING name;
> //RtlIniUnicodeString(&name,L"hProcess");

The code you have commented out is wrong. You don’t create a
PUNICODE_STRING and pass that. Instead, you create a UNICODE_STRING and
pass the address, so Rtl can fill it in:

UNICODE_STRING name;
RtlInitUnicodeString( &name, L"hProcess" );

> //InitializeObjectAttributes(&pObjectAttributes,&name,OBJ_INHERIT | OBJ_KERNEL_HANDLE,ProcessId,NULL);

Similarly, InitializeObjectAttributes wants a pointer to a
UNICODE_STRING, not a pointer to a PUNICODE_STRING.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim.

I tried the code and ZwOpenProcess returns 0xC00000030…

Do you know what return code that is?

xxxxx@live.com wrote:

> Thanks Tim.
>
> I tried the code and ZwOpenProcess returns 0xC00000030…
>
> Do you know what return code that is?

Grep does. STATUS_INVALID_PARAMETER_MIX. Did you read the
documentation for ZwOpenProcess? You can’t specify a name on Vista or
later.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

At 23:01 23/03/2011, Tim Roberts wrote:

> xxxxx@live.com wrote:
> > Hi there. The following code works fine, but when a process is closed, I BSOD the PC?
> >
> > Even if I use try/__try and except/__except. It looks like it crashes when initializing OBJECT_ATTRIBUTES or when calling ZwOpenProcess…
> >
> > Can you please help me, thank you.
> > …
> > CLIENT_ID pClientId={0};
> >
> > pClientId.UniqueProcess = (HANDLE)ProcessId;
> > pClientId.UniqueThread = 0 ;
> > //OBJECT_ATTRIBUTES pObjectAttributes={0};
> > // PUNICODE_STRING name;
> > //RtlIniUnicodeString(&name,L"hProcess");
>
> The code you have commented out is wrong. You don’t create a
> PUNICODE_STRING and pass that. Instead, you create a UNICODE_STRING and
> pass the address, so Rtl can fill it in:
>
> UNICODE_STRING name;
> RtlInitUnicodeString( &name, L"hProcess" );
>
> > //InitializeObjectAttributes(&pObjectAttributes,&name,OBJ_INHERIT | OBJ_KERNEL_HANDLE,ProcessId,NULL);
>
> Similarly, InitializeObjectAttributes wants a pointer to a
> UNICODE_STRING, not a pointer to a PUNICODE_STRING.

All of what Tim says is wrong about the above code is true, but
there’s perhaps a simpler truth here: how the hell did this code
compile in the first place? Did you ignore the warnings?

Try setting -W4 or -Wall and definitely -Wx to treat warnings as
errors, and perhaps that stupid compiler might do something useful for
you after all. All of the above would have been caught by the
compiler warnings.

Mark.

I’m not using Vista.
I tried removing CLIENT_ID before and I got 0xC0000008

Vice versa results in another bugcheck (Stop code: 0xC0000005) with parameters (0x805CB4Bf, 0xF7C9D95C, 0x0).

^It happens as soon as I close a process in user mode…

It looks like CLIENT_ID points to nothing…

Let me see again…

xxxxx@live.com wrote:

> I’m not using Vista.
> I tried removing CLIENT_ID before and I got 0xC0000008

That’s STATUS_INVALID_HANDLE.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@live.com wrote:

> Hi there. The following code works fine, but when a process is closed, I BSOD the PC?
>
> Even if I use try/__try and except/__except. It looks like it crashes when initializing OBJECT_ATTRIBUTES or when calling ZwOpenProcess…
>
> Can you please help me, thank you.
>
> NTSTATUS onExec(HANDLE ParentId,HANDLE ProcessId,BOOLEAN Create)

What are you being handed here? Where is this called, and where did the
parameters come from? You seem to be stabbing in the dark without
really knowing how to get where you want to go from the position you’re
starting.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

^Ok, here is my whole code. Don't try it out as it is; it will BSOD. It just did for me.

BUILD COMMAND: build -zG -Wall 4 - W x

ENVIRONMENT: WIN XP Checked

```c
#include <ntddk.h>

DRIVER_UNLOAD DriverUnload;

NTSTATUS onExec(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    DriverObject->DriverUnload = DriverUnload;

    KdPrint(("WILH!DriverEntry()\n"));

    PsSetCreateProcessNotifyRoutine(&onExec, FALSE);

    return STATUS_SUCCESS;
}

VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    KdPrint(("WILH!DriverUnload()\n"));

    return PsSetCreateProcessNotifyRoutine(&onExec, TRUE);
}

NTSTATUS onExec(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    HANDLE hProcess;
    NTSTATUS nRet;
    OBJECT_ATTRIBUTES pObjectAttributes;
    CLIENT_ID pClientId;
    UNICODE_STRING name;

    KdPrint(("WILH!OnExec()!\n"));

    if (Create == TRUE)
    {
        pClientId.UniqueProcess = (HANDLE)ProcessId;
        pClientId.UniqueThread = 0;

        RtlInitUnicodeString(&name, L"hProcess");

        InitializeObjectAttributes(&pObjectAttributes, &name, OBJ_INHERIT | OBJ_KERNEL_HANDLE, ParentId, NULL);

        /*
         Here when I use pClient id( and set Object attributes to null I trap
         But when I use both, I get the MIxed parameters error
        */

        nRet = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, NULL, &pClientId);

        KdPrint(("WILH!onExec: ZwOpenProcess() returned: 0x%X\n", nRet));
        if (hProcess)
        {
            nRet = ZwTerminateProcess(hProcess, STATUS_SUCCESS);
            KdPrint(("WILH!onExec: ZwTerminateProcess() returned: 0x%X\n", nRet));
        }

        if (hProcess)
        {
            ZwClose(hProcess);
        }
    }
    else
    {
        KdPrint(("WILH!OnExec():Process terminated !\n"));
    }

    return STATUS_SUCCESS;
}
```

It still compiles but traps when I close a process from user mode. Hmmmm, any spotted errors?

@Tim, I know it’s type VOID, but I just wanted to use NTSTATUS to see what the routine handler returned. I was going to do it later so… yeah…

And how come it traps when Create == FALSE?

If Create == FALSE then it’s supposed to go all the way down and do nothing, but it traps for no reason.

Maybe some registers get changed, IDK… Could it be?

I’m thinking of trying this

```c
__asm
{
    XOR ESI,ESI
    XOR EBX,EBX
}
```

to clear out the obvious pointers (<---- But I think it would trap more :D)

DriverUnload should not be returning any values there hehehehe… :smiley:

xxxxx@live.com wrote:

> ^Ok, here is my whole code, don’t try out as it is it will BSOD. It just did for me.
>
> NTSTATUS onExec(HANDLE ParentId,HANDLE ProcessId,BOOLEAN Create)
> {
> HANDLE hProcess;
> NTSTATUS nRet;
> OBJECT_ATTRIBUTES pObjectAttributes;
> CLIENT_ID pClientId;
> UNICODE_STRING name;
>
> KdPrint( ("WILH!OnExec()!\n") );
>
> if( Create == TRUE )
> {
>
> pClientId.UniqueProcess = (HANDLE)ProcessId;
> pClientId.UniqueThread = 0 ;

ProcessId is already a HANDLE. You don’t need the cast here.

> RtlInitUnicodeString(&name,L"hProcess");
> InitializeObjectAttributes(&pObjectAttributes,&name,OBJ_INHERIT | OBJ_KERNEL_HANDLE,ParentId,NULL);

This part is clearly wrong. You are asking to open a process called
"hProcess". There is no such process.

> /*
> Here when I use pClient id( and set Object attributes to null I trap
> But when I use both, I get the MIxed parameters error
> */
>
> nRet = ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,NULL,&pClientId);

You’re going to have to step through this and figure why it crashes.
What does the “!analyze -v” say?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

@Tim, Ahhh !

I thought L"hProcess" would not do anything since I provided a handle… I’ll correct that.

Hahaha… After BSOD, the driver was left unloaded and then on startup every process created was terminated. It worked but weird. I’m still looking into it.

Oh, Ok… I think I found the problem, just like you said L"hProcess" does not exist. See I thought that was some kind of alias or unique ID…:D.

Forgive me, I’m just coming from user land; this kernel land is my new place.

Thanks it works now, I’ll get back to you as I progress. You have been helpful indeed. Thank you very much.

God Bless !

Please note that you really need to specify OBJ_KERNEL_HANDLE when opening a kernel handle unless you are guaranteed to be in the system process. Otherwise, you’re at risk of creating a security hole as the handle can be used by the process that you’re running in (as ZwOpenProcess bypasses access checks from kernel mode requestors).

I would recommend avoiding using undocumented calls (ZwTerminateProcess) if possible. Generally, hard terminating processes is a bad idea to begin with; why do you believe that you need to do this here?

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.com
Sent: Wednesday, March 23, 2011 6:45 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Bugcheck 50

> @Tim, Ahhh !
>
> I thought L"hProcess" would not do anything since I provided a handle… I’ll correct that.
>
> Hahaha… After BSOD, the driver was left unloaded and then on startup every process created was terminated. It worked but weird. I’m still looking into it.
>
> Oh, Ok… I think I found the problem, just like you said L"hProcess" does not exist. See I thought that was some kind of alias or unique ID…:D.
>
> Forgive me, I’m just coming from user land; this kernel land is my new place.
>
> Thanks it works now, I’ll get back to you as I progress. You have been helpful indeed. Thank you very much.
>
> God Bless !


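Putting Tim's corrections (identify the target by CLIENT_ID alone, no object name) together with S's OBJ_KERNEL_HANDLE point, here is an added example of the notify callback and its registration written against documented calls. It is not code from the thread; the routine names are placeholders, and it assumes a WDK build environment rather than a host compiler.

```c
#include <ntddk.h>

/* Added example, not code from the thread; routine names are placeholders.
 * PsSetCreateProcessNotifyRoutine callbacks return VOID, not NTSTATUS. */
VOID OnProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    HANDLE hProcess = NULL;     /* initialised: a failed open must not leave garbage */
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(ParentId);
    if (!Create) {
        return;                 /* process exit: nothing was opened, nothing to close */
    }

    /* Identify the target by PID alone; ProcessId is already a HANDLE. */
    cid.UniqueProcess = ProcessId;
    cid.UniqueThread  = NULL;

    /* No ObjectName and no RootDirectory: ZwOpenProcess rejects a name combined
     * with a CLIENT_ID. OBJ_KERNEL_HANDLE keeps the handle out of the handle table
     * of whichever process this callback runs in; a kernel-mode open skips access
     * checks, so a handle left in that table grants that process rights it never had. */
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    /* Request only the access the driver needs, not PROCESS_ALL_ACCESS. */
    status = ZwOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION, &oa, &cid);
    if (!NT_SUCCESS(status)) {
        KdPrint(("OnProcessNotify: ZwOpenProcess(%p) failed 0x%08X\n", ProcessId, status));
        return;                 /* hProcess is still NULL */
    }
    /* ... query the process here ... */
    ZwClose(hProcess);          /* close only a handle that was actually opened */
}

VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    /* Remove == TRUE. The call returns NTSTATUS; a VOID routine does not return it. */
    PsSetCreateProcessNotifyRoutine(OnProcessNotify, TRUE);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetCreateProcessNotifyRoutine(OnProcessNotify, FALSE);
}
```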

Well, I know of all of those ZwXxx hooks; I can just import the functions from Ntdll.dll itself using LoadLibrary and GetProcAddress to bypass hooks.

But I’ll take into consideration what you have just said.

Btw, how do you quote? Sorry, I don’t know how.