cakemaker

movdqa cm bugcheck

May 21st, 2024 (edited)
Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\v.alvarez\Desktop\twitter.cpubug.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Kernel base = 0xfffff806`4dc00000 PsLoadedModuleList = 0xfffff806`4e8130c0
System Uptime: 0 days 1:00:58.424
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
...................
For analysis of this file, run !analyze -v


################### kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00007fffffff0000, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 00000000000000c0, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8064df5ecf9, address which referenced memory

Debugging Details:
------------------

Unable to load image cm.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2796

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 7482

Key : Analysis.Init.CPU.mSec
Value: 5671

Key : Analysis.Init.Elapsed.mSec
Value: 217140

Key : Analysis.Memory.CommitPeak.Mb
Value: 92


FILE_IN_CAB: twitter.cpubug.dmp

DUMP_FILE_ATTRIBUTES: 0x1008
Kernel Generated Triage Dump

BUGCHECK_CODE: a

BUGCHECK_P1: 7fffffff0000

BUGCHECK_P2: ff

BUGCHECK_P3: c0

BUGCHECK_P4: fffff8064df5ecf9

READ_ADDRESS: fffff8064e91d468: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
00007fffffff0000

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME: xxx.exe

TRAP_FRAME: fffff8064b4f8f10 -- (.trap 0xfffff8064b4f8f10)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00007fffffff0000 rbx=0000000000000000 rcx=00007fffffff0000
rdx=fffff8064b4f9258 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8064df5ecf9 rsp=fffff8064b4f90a0 rbp=fffff8064b4f96c0
r8=0000000000040282 r9=0000000000000000 r10=fffff8064ea00038
r11=fffff8064b4f91c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di ng nz na pe nc
nt!RtlpxVirtualUnwind+0x419:
fffff806`4df5ecf9 0fb600 movzx eax,byte ptr [rax] ds:00007fff`ffff0000=??
Resetting default scope

STACK_TEXT:
fffff806`4b4f8dc8 fffff806`4e027da9 : nt!KeBugCheckEx
fffff806`4b4f8dd0 fffff806`4e023434 : nt!KiBugCheckDispatch+0x69
fffff806`4b4f8f10 fffff806`4df5ecf9 : nt!KiPageFault+0x474
fffff806`4b4f90a0 fffff806`4df5ce35 : nt!RtlpxVirtualUnwind+0x419
fffff806`4b4f9160 fffff806`4de74ebe : nt!RtlDispatchException+0x215
fffff806`4b4f98d0 fffff806`4e013902 : nt!KiDispatchException+0x1ae
fffff806`4b4f9fb0 fffff806`4e0138d0 : nt!KxExceptionDispatchOnExceptionStack+0x12
fffffe0d`f4def098 fffff806`4e027ef5 : nt!KiExceptionDispatchOnExceptionStackContinue
fffffe0d`f4def0a0 fffff806`4e022f83 : nt!KiExceptionDispatch+0x135
fffffe0d`f4def280 ffffba00`62fa9215 : nt!KiGeneralProtectionFault+0x343
fffffe0d`f4def418 ffffba00`62fa8000 : 0xffffba00`62fa9215
fffffe0d`f4def420 fffff806`4ce02415 : 0xffffba00`62fa8000
fffffe0d`f4def428 fffffe0d`f4def3f8 : cm+0x2415
fffffe0d`f4def430 00000000`00040282 : 0xfffffe0d`f4def3f8
fffffe0d`f4def438 fffff806`4ce03f91 : 0x40282
fffffe0d`f4def440 00000000`00000000 : cm+0x3f91


SYMBOL_NAME: cm+2415

MODULE_NAME: cm

IMAGE_NAME: cm.sys

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 2415

FAILURE_BUCKET_ID: AV_cm!unknown_function

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {d4618ce6-e641-5b70-2af6-81a116836538}

Followup: MachineOwner
---------


################### kd> .trap 0xfffff8064b4f8f10
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00007fffffff0000 rbx=0000000000000000 rcx=00007fffffff0000
rdx=fffff8064b4f9258 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8064df5ecf9 rsp=fffff8064b4f90a0 rbp=fffff8064b4f96c0
r8=0000000000040282 r9=0000000000000000 r10=fffff8064ea00038
r11=fffff8064b4f91c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di ng nz na pe nc
nt!RtlpxVirtualUnwind+0x419:
fffff806`4df5ecf9 0fb600 movzx eax,byte ptr [rax] ds:00007fff`ffff0000=??

################### kd> ub . L10
nt!RtlpxVirtualUnwind+0x3df:
fffff806`4df5ecbf 54 push rsp
fffff806`4df5ecc0 2470 and al,70h
fffff806`4df5ecc2 488b1a mov rbx,qword ptr [rdx]
fffff806`4df5ecc5 48895c2468 mov qword ptr [rsp+68h],rbx
fffff806`4df5ecca 48b8fffffeffff7f0000 mov rax,7FFFFFFEFFFFh
fffff806`4df5ecd4 483bf0 cmp rsi,rax
fffff806`4df5ecd7 7723 ja nt!RtlpxVirtualUnwind+0x41c (fffff806`4df5ecfc)
fffff806`4df5ecd9 f6c303 test bl,3
fffff806`4df5ecdc 7406 je nt!RtlpxVirtualUnwind+0x404 (fffff806`4df5ece4)
fffff806`4df5ecde e85d246a00 call nt!ExRaiseDatatypeMisalignment (fffff806`4e601140)
fffff806`4df5ece3 cc int 3
fffff806`4df5ece4 488bc3 mov rax,rbx
fffff806`4df5ece7 48b90000ffffff7f0000 mov rcx,7FFFFFFF0000h
fffff806`4df5ecf1 483bd9 cmp rbx,rcx
fffff806`4df5ecf4 480f43c1 cmovae rax,rcx
fffff806`4df5ecf8 90 nop
################### kd> u . L5
nt!RtlpxVirtualUnwind+0x419:
fffff806`4df5ecf9 0fb600 movzx eax,byte ptr [rax]
fffff806`4df5ecfc eb05 jmp nt!RtlpxVirtualUnwind+0x423 (fffff806`4df5ed03)
fffff806`4df5ecfe e90dcd0e00 jmp nt!RtlpxVirtualUnwind+0xed130 (fffff806`4e04ba10)
fffff806`4df5ed03 488b8c2408010000 mov rcx,qword ptr [rsp+108h]
fffff806`4df5ed0b 488b01 mov rax,qword ptr [rcx]

################### kd> .cxr
Resetting default scope

################### kd> k
# Child-SP RetAddr Call Site
00 fffff806`4b4f8dc8 fffff806`4e027da9 nt!KeBugCheckEx
01 fffff806`4b4f8dd0 fffff806`4e023434 nt!KiBugCheckDispatch+0x69
02 fffff806`4b4f8f10 fffff806`4df5ecf9 nt!KiPageFault+0x474
03 fffff806`4b4f90a0 fffff806`4df5ce35 nt!RtlpxVirtualUnwind+0x419
04 fffff806`4b4f9160 fffff806`4de74ebe nt!RtlDispatchException+0x215
05 fffff806`4b4f98d0 fffff806`4e013902 nt!KiDispatchException+0x1ae
06 fffff806`4b4f9fb0 fffff806`4e0138d0 nt!KxExceptionDispatchOnExceptionStack+0x12
07 fffffe0d`f4def098 fffff806`4e027ef5 nt!KiExceptionDispatchOnExceptionStackContinue
08 fffffe0d`f4def0a0 fffff806`4e022f83 nt!KiExceptionDispatch+0x135
09 fffffe0d`f4def280 ffffba00`62fa9215 nt!KiGeneralProtectionFault+0x343
0a fffffe0d`f4def418 ffffba00`62fa8000 0xffffba00`62fa9215
0b fffffe0d`f4def420 fffff806`4ce02415 0xffffba00`62fa8000
0c fffffe0d`f4def428 fffffe0d`f4def3f8 cm+0x2415
0d fffffe0d`f4def430 00000000`00040282 0xfffffe0d`f4def3f8
0e fffffe0d`f4def438 fffff806`4ce03f91 0x40282
0f fffffe0d`f4def440 00000000`00000000 cm+0x3f91

###################
# Bring in non-volatile registers, more info than from the .trap command.
################### kd> .frame /c /r 3
03 fffff806`4b4f90a0 fffff806`4df5ce35 nt!RtlpxVirtualUnwind+0x419
rax=00007fffffff0000 rbx=fffffe0df4def438 rcx=00007fffffff0000
rdx=fffff8064b4f9258 rsi=0000000000040282 rdi=0000000000000000
rip=fffff8064df5ecf9 rsp=fffff8064b4f90a0 rbp=fffff8064b4f96c0
r8=0000000000040282 r9=0000000000000000 r10=fffff8064ea00038
r11=fffff8064b4f91c0 r12=0000000000040282 r13=fffff8064ce00000
r14=0000000000000001 r15=fffff8064ce00000
iopl=0 nv up di ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040082
nt!RtlpxVirtualUnwind+0x419:
fffff806`4df5ecf9 0fb600 movzx eax,byte ptr [rax] ds:002b:00007fff`ffff0000=??

###################
# Here I've checked the disasm of nt!RtlpxVirtualUnwind and its declaration somewhere on GitHub, just to make sure everything is in order.

################### kd> dps @rsp+e0 L1
fffff806`4b4f9180 fffff806`4b4f91c0
# That's the "ContextRecord" argument to RtlpxVirtualUnwind; it checks out with r11 in the trap frame above.

################### kd> .cxr @r11
rax=ffffffffc0000005 rbx=0000000000000000 rcx=fffff8064b4f91c0
rdx=fffff8064b4f8ec0 rsi=00007fffffff0000 rdi=00000000000035d0
rip=0000000000040282 rsp=fffffe0df4def438 rbp=0000000000300000
r8=fffff8064b4f8ee0 r9=fffff8064b4f8950 r10=0000000000000018
r11=fffff8064b4f9130 r12=fffff8064cf843a0 r13=0000000000000001
r14=0000000000001200 r15=0000000001000000
iopl=0 nv up di ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050086
00000000`00040282 ?? ???

# RtlDispatchException repeatedly invokes RtlpxVirtualUnwind to unwind the stack, using a virtual CONTEXT that lives on the stack of RtlDispatchException.
# The shellcode region has no unwind information, so every frame in it is unwound as a leaf function: the unwinder takes [rsp] as the return address and adds 8 to rsp. That is what the garbage frames 0a-0d in the stack above are: the qwords at fffffe0d`f4def418, f4def420, f4def428 and f4def430 popped one after another. The slot at f4def430 holds 0x40282, so the virtual RIP becomes 0x40282 with virtual RSP == fffffe0d`f4def438, and that is exactly the R8 "ControlPC" argument of RtlpxVirtualUnwind in frame 3. Note CS == 0x10, so it's still ring0 code; only the virtual RIP is wrong (it actually looks like an EFLAGS value), i.e. the unwinding information is broken/missing.
# If you examine the code of RtlpxVirtualUnwind leading up to the final exception, you'll see that the function compares ControlPC against the highest user address (0x7FFFFFFEFFFF) to determine the CPU mode, which is unusual (and feels wrong). With RIP == 0x40282 the function assumes the frame is ring3, so it sanitizes the virtual RSP (clamping it to 0x7FFFFFFF0000 with cmovae) and then dereferences it (inside a try block).
# The original virtual RSP was a regular ring0 stack address, so it got clamped to the user-probe address (0x7FFF`FFFF`0000 on this system). Since that page is never accessible, the probe dereference caused a page fault. The dereference was inside a try/except block, but KiPageFault made no attempt to invoke the exception dispatcher and bugchecked the system right away. That's because interrupts were disabled at the time (the bugcheck parameters show IRQL 0xFF, and EFLAGS has bit 9, IF, clear), so taking a page fault was not an option.
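
To make the mechanism above concrete, here is an added C model (not Microsoft's code and not part of the original paste) of the user-mode stack probe at nt!RtlpxVirtualUnwind+0x3df..+0x419 as reconstructed from the disassembly above, driven by a constructed stack image whose qwords are the slots printed by `k` for the first dump. The names (`model_unwind_probe`, `leaf_walk`, `walk_result`, `page_fault_is_fatal`) are hypothetical. Two rules are this model's simplifications of the page's reasoning rather than verified kernel internals: "a frame with no unwind info is unwound as a leaf, ControlPC = [rsp], rsp += 8", and "a #PF with EFLAGS.IF clear is fatal".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Constants read from the RtlpxVirtualUnwind disassembly above
 * (mov rax,7FFFFFFEFFFFh / mov rcx,7FFFFFFF0000h). */
#define MM_HIGHEST_USER_ADDRESS 0x00007FFFFFFEFFFFULL
#define MM_USER_PROBE_ADDRESS   0x00007FFFFFFF0000ULL
#define EFLAGS_IF               (1ULL << 9)   /* bit 9 of EFLAGS: interrupts enabled */

typedef enum {
    PROBE_SKIPPED_KERNEL_PC,     /* cmp rsi,rax ; ja  -> ControlPC above the user range, no probe */
    PROBE_RAISES_MISALIGNMENT,   /* test bl,3 ; je ... ; call nt!ExRaiseDatatypeMisalignment */
    PROBE_CLAMPED_TO_USER_PROBE, /* cmovae rax,rcx   -> reads 0x7FFF`FFFF`0000, which is never mapped */
    PROBE_TOUCHES_USER_STACK     /* movzx eax,byte ptr [rax] on a genuine user-mode address */
} probe_result;

/* Hypothetical name. Mirrors nt!RtlpxVirtualUnwind+0x3df..+0x419: ControlPC is rsi/r8, the
 * virtual RSP is rbx (loaded from [rdx]). Returns what the probe would do and where it reads. */
probe_result model_unwind_probe(uint64_t control_pc, uint64_t virtual_rsp, uint64_t *probe_addr)
{
    *probe_addr = 0;
    if (control_pc > MM_HIGHEST_USER_ADDRESS)
        return PROBE_SKIPPED_KERNEL_PC;
    if (virtual_rsp & 3)
        return PROBE_RAISES_MISALIGNMENT;
    *probe_addr = (virtual_rsp >= MM_USER_PROBE_ADDRESS) ? MM_USER_PROBE_ADDRESS : virtual_rsp;
    return (*probe_addr == MM_USER_PROBE_ADDRESS) ? PROBE_CLAMPED_TO_USER_PROBE
                                                  : PROBE_TOUCHES_USER_STACK;
}

/* The page's reasoning (an assumption of this model, not a documented contract): a #PF taken
 * with EFLAGS.IF clear cannot be dispatched to the try/except handler and is reported as
 * IRQL_NOT_LESS_OR_EQUAL with IRQL 0xFF. */
int page_fault_is_fatal(uint64_t eflags)
{
    return (eflags & EFLAGS_IF) == 0;
}

/* A constructed stack image: 8-byte slots starting at `base`. */
typedef struct { uint64_t base; const uint64_t *slots; size_t count; } stack_image;

typedef struct {
    uint64_t control_pc;  /* virtual RIP when the walk stopped */
    uint64_t rsp;         /* virtual RSP when the walk stopped */
    uint64_t probe_addr;  /* address the probe would read */
    int steps;            /* number of leaf-style pops performed */
    probe_result last;
} walk_result;

/* Simplification of the page's reasoning: with no unwind information for ControlPC the
 * unwinder treats the frame as a leaf function, so ControlPC = [rsp] and rsp += 8. The walk
 * stops as soon as the user-mode probe would be taken, which is where the real unwinder faulted. */
walk_result leaf_walk(uint64_t control_pc, uint64_t rsp, const stack_image *stk)
{
    walk_result r = { control_pc, rsp, 0, 0, PROBE_SKIPPED_KERNEL_PC };
    for (;;) {
        r.last = model_unwind_probe(r.control_pc, r.rsp, &r.probe_addr);
        if (r.last != PROBE_SKIPPED_KERNEL_PC)
            return r;
        if (r.rsp < stk->base || (r.rsp - stk->base) / 8 >= stk->count)
            return r;                       /* ran off the constructed stack image */
        r.control_pc = stk->slots[(r.rsp - stk->base) / 8];
        r.rsp += 8;
        r.steps++;
    }
}

/* Constructed stack image: the slots from the first dump's `k` output, starting at the rsp of the #GP trap frame. */
static const uint64_t g_slots[] = {
    0xffffba0062fa8000ULL,  /* fffffe0d`f4def418: rcx pushed by the shellcode before the fault */
    0xfffff8064ce02415ULL,  /* fffffe0d`f4def420: cm+0x2415, return address of `call rcx` */
    0xfffffe0df4def3f8ULL,  /* fffffe0d`f4def428 */
    0x0000000000040282ULL,  /* fffffe0d`f4def430: the value that becomes the virtual RIP */
    0xfffff8064ce03f91ULL,  /* fffffe0d`f4def438: cm+0x3f91 */
    0x0000000000000000ULL,  /* fffffe0d`f4def440 */
};
static const stack_image g_stack = { 0xfffffe0df4def418ULL, g_slots, sizeof g_slots / sizeof g_slots[0] };

/* Start from the #GP: rip = faulting shellcode instruction (ffffba00`62fa9215), rsp = fffffe0d`f4def418. */
walk_result reproduce_first_dump(void)
{
    return leaf_walk(0xffffba0062fa9215ULL, 0xfffffe0df4def418ULL, &g_stack);
}

int main(void)
{
    walk_result r = reproduce_first_dump();
    printf("after %d leaf pops: virtual rip=%#" PRIx64 " rsp=%#" PRIx64 ", probe reads %#" PRIx64 "\n",
           r.steps, r.control_pc, r.rsp, r.probe_addr);
    printf("#PF with efl=0x40082 is fatal: %d\n", page_fault_is_fatal(0x40082ULL));
    return 0;
}
```

Running it reproduces the numbers from the dump: four pops land on virtual RIP 0x40282 with virtual RSP fffffe0d`f4def438 (the `.cxr @r11` context), the probe is clamped to 0x7fffffff0000 (bugcheck Arg1 and the trap frame's rax), and with efl=00040082 the resulting #PF is fatal.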

###################
----------------------------------------------------------------------------------------------------
# Here I've switched to the full kernel dump, because the minidump didn't contain the instructions at the shellcode-like region.

################### kd> .cxr
Resetting default scope
################### kd> k
# Child-SP RetAddr Call Site
00 fffff807`3acaadc8 fffff807`37c27da9 nt!KeBugCheckEx
01 fffff807`3acaadd0 fffff807`37c23434 nt!KiBugCheckDispatch+0x69
02 fffff807`3acaaf10 fffff807`37b5ecf9 nt!KiPageFault+0x474
03 fffff807`3acab0a0 fffff807`37b5ce35 nt!RtlpxVirtualUnwind+0x419
04 fffff807`3acab160 fffff807`37a74ebe nt!RtlDispatchException+0x215
05 fffff807`3acab8d0 fffff807`37c13902 nt!KiDispatchException+0x1ae
06 fffff807`3acabfb0 fffff807`37c138d0 nt!KxExceptionDispatchOnExceptionStack+0x12
07 fffff988`20ac70b8 fffff807`37c27ef5 nt!KiExceptionDispatchOnExceptionStackContinue
08 fffff988`20ac70c0 fffff807`37c22f83 nt!KiExceptionDispatch+0x135
09 fffff988`20ac72a0 ffffc780`21740215 nt!KiGeneralProtectionFault+0x343
0a fffff988`20ac7438 ffffc780`2173f000 0xffffc780`21740215
0b fffff988`20ac7440 fffff807`64a72415 0xffffc780`2173f000
0c fffff988`20ac7448 fffff988`20ac7418 cm+0x2415
0d fffff988`20ac7450 00000000`00040282 0xfffff988`20ac7418
0e fffff988`20ac7458 fffff807`64a73ef9 0x40282
0f fffff988`20ac7460 fffff807`64a738b0 cm+0x3ef9
10 fffff988`20ac75e0 fffff807`37b14d95 cm+0x38b0
11 fffff988`20ac7620 fffff807`37fcd140 nt!IofCallDriver+0x55
12 fffff988`20ac7660 fffff807`37fcc1d0 nt!IopSynchronousServiceTail+0x1d0
13 fffff988`20ac7710 fffff807`37fcb2a6 nt!IopXxxControlFile+0x700
14 fffff988`20ac7900 fffff807`37c274e5 nt!NtDeviceIoControlFile+0x56
15 fffff988`20ac7970 00007ffe`e378f4d4 nt!KiSystemServiceCopyEnd+0x25
16 000000cf`92d4f618 00000000`00000000 0x00007ffe`e378f4d4

################### kd> .trap fffff988`20ac72a0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000000179b8 rbx=0000000000000000 rcx=ffffc780217569b8
rdx=0000000000000010 rsi=0000000000000000 rdi=0000000000000000
rip=ffffc78021740215 rsp=fffff98820ac7438 rbp=0000000000300000
r8=ffff83023a2a9f00 r9=ffff83023a2a9f88 r10=0000000000000001
r11=ffffc78021740200 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di ng nz na po nc
ffffc780`21740215 660f7f01 movdqa xmmword ptr [rcx],xmm0 ds:ffffc780`217569b8=00000000000000000000000000000000

################### kd> .cxr
################### kd> .frame /c /r a
0a fffff988`20ac7438 ffffc780`2173f000 0xffffc780`21740215
rax=00000000000179b8 rbx=0000000000000000 rcx=ffffc780217569b8
rdx=0000000000000010 rsi=00007fffffff0000 rdi=00000000000035d0
rip=ffffc78021740215 rsp=fffff98820ac7438 rbp=0000000000300000
r8=ffff83023a2a9f00 r9=ffff83023a2a9f88 r10=0000000000000001
r11=ffffc78021740200 r12=fffff80764bf43a0 r13=0000000000000001
r14=0000000000001200 r15=0000000001000000
iopl=0 nv up di ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040082
ffffc780`21740215 660f7f01 movdqa xmmword ptr [rcx],xmm0 ds:002b:ffffc780`217569b8=00000000000000000000000000000000

# So the initial #GP exception is due to an unaligned "movdqa" access: movdqa requires a 16-byte-aligned memory operand, and rcx = ffffc780`217569b8 ends in 8.


# Let's find out the source of the offending code.
################### kd> u .-15
ffffc780`21740200 4881e900120000 sub rcx,1200h
ffffc780`21740207 48b8b879010000000000 mov rax,179B8h
ffffc780`21740211 51 push rcx
ffffc780`21740212 4803c8 add rcx,rax
ffffc780`21740215 660f7f01 movdqa xmmword ptr [rcx],xmm0
ffffc780`21740219 59 pop rcx
ffffc780`2174021a 66480f6ec1 movq xmm0,rcx
ffffc780`2174021f 51 push rcx
################### kd> u . L4
ffffc780`21740215 660f7f01 movdqa xmmword ptr [rcx],xmm0
ffffc780`21740219 59 pop rcx
ffffc780`2174021a 66480f6ec1 movq xmm0,rcx
ffffc780`2174021f 51 push rcx

################### kd> ? @rcx-179b8
Evaluate expression: -62121845723136 = ffffc780`2173f000

################### kd> lma .
Browse full module list
start end module name
################### kd> !pool . 2
Pool page ffffc780217569b8 region is Unknown
ffffc78021756000 is not a valid large pool allocation, checking large session pool...
Unable to read large session pool table (Session data is not present in mini and kernel-only dumps)
ffffc78021756000 is not valid pool. Checking for freed (or corrupt) pool
Address ffffc78021756000 could not be read. It may be a freed, invalid or paged out page


# No dice with `lm` and `!pool`; let's check the stack.
################### kd> dps @rsp L4
fffff988`20ac7438 ffffc780`2173f000
fffff988`20ac7440 fffff807`64a72415 cm+0x2415
fffff988`20ac7448 fffff988`20ac7418
fffff988`20ac7450 00000000`00040282

################### kd> ub cm+0x2415 L8
cm+0x23f5:
fffff807`64a723f5 8991b8f1ffff mov dword ptr [rcx-0E48h],edx
fffff807`64a723fb 8cea mov edx,gs
fffff807`64a723fd 8991bcf1ffff mov dword ptr [rcx-0E44h],edx
fffff807`64a72403 8cd2 mov edx,ss
fffff807`64a72405 8991b0f1ffff mov dword ptr [rcx-0E50h],edx
fffff807`64a7240b 8cca mov edx,cs
fffff807`64a7240d 8991acf1ffff mov dword ptr [rcx-0E54h],edx
fffff807`64a72413 ffd1 call rcx
################### kd> u cm+0x2415 L2
cm+0x2415:
fffff807`64a72415 4881c100120000 add rcx,1200h
fffff807`64a7241c 488b916cf1ffff mov rdx,qword ptr [rcx-0E94h]

################### kd> u .-15 L2
ffffc780`21740200 4881e900120000 sub rcx,1200h
ffffc780`21740207 48b8b879010000000000 mov rax,179B8h
################### kd> db .-15 L10
ffffc780`21740200 48 81 e9 00 12 00 00 48-b8 b8 79 01 00 00 00 00 H......H..y.....
################### kd> s -b cm L100000 48 81 e9 00 12 00 00 48 b8 b8 79 01
fffff807`64a76340 48 81 e9 00 12 00 00 48-b8 b8 79 01 00 00 00 00 H......H..y.....
################### kd> ? fffff807`64a76340 - cm
Evaluate expression: 25408 = 00000000`00006340

################### kd> !dh cm
...
SECTION HEADER #4
.data name
6000 virtual address
XXXX00 size of raw data
...

# The code from the shellcode-like region is also present in the `cm` driver at offset 0x6340, which falls inside its ".data" section (virtual address 0x6000).


###################
So the case is solved. The General Protection exception happened due to an unaligned "movdqa" access in code sitting in a shellcode-like region that belongs to no loaded module. That shellcode was invoked from the "cm" driver (via `call rcx`), and the same bytes are also present in the driver's ".data" section.
Windows' attempt to dispatch the #GP exception resulted in a #PF exception on an invalid virtual-RSP dereference in RtlpxVirtualUnwind. The invalid virtual RSP came from the absence of unwind information for the shellcode: the unwinder walked the region as a chain of leaf frames, popping stack slots until it picked up 0x40282 as a return address. Since interrupts were disabled while the "movdqa" instruction executed (and therefore also during the page fault), the Windows page-fault handler raised the IRQL_NOT_LESS_OR_EQUAL bugcheck instead of dispatching the fault.

What I would consider to solve the issue:
1) Align the shellcode's data regions. The safest minimum alignment on x86-64 is 0x40 (64 bytes: one cache line, which also satisfies every SSE/AVX/AVX-512 aligned access).
2) Alternatively, use "movdqu" instead of "movdqa". On modern CPUs their performance is basically the same when the data happens to be aligned anyway.
3) If exceptions are expected to propagate across shellcode functions, they ought to be structured as leaf functions (i.e. no change to RSP or non-volatile registers, and no calls to other functions), since leaf functions need no unwind information and the unwinder's "[rsp] is the return address" assumption then holds. Here the shellcode had already executed `push rcx` before the faulting movdqa, so [rsp] held the pushed rcx instead of the return address into cm.
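
As an added example of recommendations 1) and 2) (not part of the original paste and not the `cm` driver's code): reproduce the shellcode's address arithmetic from the constants in the disassembly above, check the 16-byte alignment that movdqa requires, round the slot offset up to the 0x40 boundary, and wrap the 16-byte store so that the aligned form is only emitted when the alignment check passes. The macro and function names (`movdqa_target`, `fixed_xmm_slot`, `store_xmm16`, `aligned_region`) are hypothetical; the SSE2 intrinsics are the standard `<emmintrin.h>` ones, with a `memcpy` fallback on non-x86 targets.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#if defined(__SSE2__)
#include <emmintrin.h>   /* _mm_store_si128 (aligned) / _mm_storeu_si128 (unaligned) */
#endif

/* Constants taken from the shellcode disassembly on this page. */
#define SHELLCODE_BASE_BIAS  0x1200ULL   /* sub rcx,1200h: entry sits 0x1200 above the region base */
#define SHELLCODE_XMM_SLOT   0x179b8ULL  /* mov rax,179B8h: offset of the 16-byte slot written by movdqa */
#define SAFE_MIN_ALIGN       0x40ULL     /* recommendation 1): 64-byte alignment */

/* Hypothetical helper names; align must be a power of two. */
static inline int is_aligned(uint64_t addr, uint64_t align)
{
    return (addr & (align - 1)) == 0;
}

static inline uint64_t align_up(uint64_t value, uint64_t align)
{
    return (value + align - 1) & ~(align - 1);
}

/* Address the shellcode hands to movdqa, given the rcx the driver passed to `call rcx`. */
uint64_t movdqa_target(uint64_t rcx_on_entry)
{
    uint64_t region_base = rcx_on_entry - SHELLCODE_BASE_BIAS;
    return region_base + SHELLCODE_XMM_SLOT;
}

/* Slot offset that would satisfy recommendation 1) without moving anything else. */
uint64_t fixed_xmm_slot(void)
{
    return align_up(SHELLCODE_XMM_SLOT, SAFE_MIN_ALIGN);
}

typedef enum { STORE_ALIGNED = 1, STORE_UNALIGNED = 2 } store_path;

/* 16-byte store that only uses the aligned form when the address really is 16-byte
 * aligned; otherwise it falls back to the unaligned form (recommendation 2)). */
store_path store_xmm16(void *dst, const uint8_t src[16])
{
    int aligned = is_aligned((uint64_t)(uintptr_t)dst, 16);
#if defined(__SSE2__)
    __m128i v = _mm_loadu_si128((const __m128i *)src);
    if (aligned)
        _mm_store_si128((__m128i *)dst, v);    /* movdqa/movaps: #GP on a misaligned address */
    else
        _mm_storeu_si128((__m128i *)dst, v);   /* movdqu: any alignment */
#else
    memcpy(dst, src, 16);                      /* non-x86 fallback: the compiler picks a safe store */
#endif
    return aligned ? STORE_ALIGNED : STORE_UNALIGNED;
}

/* First 64-byte-aligned address inside raw; raw must carry at least 63 bytes of slack. */
uint8_t *aligned_region(uint8_t *raw)
{
    uintptr_t a = (uintptr_t)raw;
    a = (a + (uintptr_t)(SAFE_MIN_ALIGN - 1)) & ~(uintptr_t)(SAFE_MIN_ALIGN - 1);
    return (uint8_t *)a;
}

int main(void)
{
    /* In the second dump the rcx value at shellcode entry is the entry address itself (ffffc780`21740200). */
    uint64_t target = movdqa_target(0xffffc78021740200ULL);
    printf("movdqa target %#llx aligned16=%d, fixed slot offset %#llx\n",
           (unsigned long long)target, is_aligned(target, 16),
           (unsigned long long)fixed_xmm_slot());

    /* Constructed stand-in for the shellcode's data region. */
    uint8_t raw[128 + 64];
    uint8_t *region = aligned_region(raw);
    uint8_t payload[16];
    for (int i = 0; i < 16; i++)
        payload[i] = (uint8_t)(0xA0 + i);
    printf("store at +8  -> path %d\n", store_xmm16(region + 8, payload));   /* unaligned path */
    printf("store at +16 -> path %d\n", store_xmm16(region + 16, payload));  /* aligned path */
    return 0;
}
```

With the page's values the target comes out as ffffc780`217569b8 (not 16-byte aligned), and rounding the slot offset 0x179b8 up to the next 0x40 boundary gives 0x179c0, which is 64-byte aligned relative to the page-aligned region base; the store wrapper takes the unaligned path at +8 and the aligned path at +16.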