cakemaker

Sanctum EDR process/thread enumeration crashdump analysis

Jun 7th, 2025 (edited)
# Sanctum EDR process/thread enumeration crashdump analysis.

## Links
https://github.com/0xflux/Sanctum/tree/main/crashdmp
https://github.com/0xflux/Sanctum/commit/80611184c10262193d14077ea9144e1899be53b8
https://x.com/sixtyvividtails/status/1931449604156920261

## Analysis
Microsoft (R) Windows Debugger Version 10.0.27553.1004 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\stuff\analysis\dumps\6E73FC25-5CAF-4678-B594-270CA255FAE6\060725-11406-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Windows 10 Kernel Version 26100 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0xfffff802`cdc00000 PsLoadedModuleList = 0xfffff802`ceaf4770
Debug session time: Sat Jun 7 13:56:29.699 2025 (UTC - 7:00)
System Uptime: 0 days 3:52:37.985


For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff802`ce0b8b00 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff607`c4792120=0000000000000050


✨✨✨✨✨✨✨✨
1: kd> .sympath+ C:\stuff\analysis\dumps\6E73FC25-5CAF-4678-B594-270CA255FAE6

✨✨✨✨✨✨✨✨
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffffffffffa8b, memory referenced.
Arg2: 0000000000000000, X64: bit 0 set if the fault was due to a not-present PTE.
bit 1 is set if the fault was due to a write, clear if a read.
bit 3 is set if the fault was due to a corrupted PTE.
bit 4 is set if the fault was due to attempted execute of a no-execute PTE.
- ARM64: bit 1 is set if the fault was due to a write, clear if a read.
bit 3 is set if the fault was due to attempted execute of a no-execute PTE.
Arg3: fffff8026410aeb8, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------

KEY_VALUES_STRING: 1
Key : AV.Type
Value: Read
Key : Analysis.CPU.mSec
Value: 5624
Key : Analysis.Elapsed.mSec
Value: 5625
Key : Analysis.IO.Other.Mb
Value: 2
Key : Analysis.IO.Read.Mb
Value: 1
Key : Analysis.IO.Write.Mb
Value: 0
Key : Analysis.Memory.CommitPeak.Mb
Value: 131
Key : Bugcheck.Code.LegacyAPI
Value: 0x50
Key : Bugcheck.Code.TargetModel
Value: 0x50
Key : Dump.Attributes.AsUlong
Value: 20008
Key : Dump.Attributes.KernelGeneratedTriageDump
Value: 1
Key : Failure.Bucket
Value: AV_R_(null)_sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls
Key : Failure.Hash
Value: {4faa5bf0-adf1-10af-ad55-e0dd0fdacc12}
Key : Hypervisor.Enlightenments.ValueHex
Value: 10fbe4


BUGCHECK_CODE: 50
BUGCHECK_P1: fffffffffffffa8b
BUGCHECK_P2: 0
BUGCHECK_P3: fffff8026410aeb8
BUGCHECK_P4: 2

FILE_IN_CAB: 060725-11406-01.dmp
VIRTUAL_MACHINE: HyperV
DUMP_FILE_ATTRIBUTES: 0x20008
Kernel Generated Triage Dump

READ_ADDRESS: Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffffffffffffa8b

MM_INTERNAL_CODE: 2
IMAGE_NAME: sanctum.sys
MODULE_NAME: sanctum
FAULTING_MODULE: fffff802640d0000 sanctum
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System

TRAP_FRAME: fffff607c4792380 -- (.trap 0xfffff607c4792380)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffffffffffa88 rbx=0000000000000000 rcx=fffffffffffffa88
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8026410aeb8 rsp=fffff607c4792510 rbp=fffff607c47958c0
r8=ffffe58b2efb5a50 r9=00000000000000c2 r10=ffffe58b2d100140
r11=ffff8481d4b83000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x28:
fffff802`6410aeb8 8a4003 mov al,byte ptr [rax+3] ds:ffffffff`fffffa8b=??
Resetting default scope

STACK_TEXT:
fffff607`c4792118 fffff802`cdf80bb5 : 00000000`00000050 ffffffff`fffffa8b 00000000`00000000 fffff607`c4792380 : nt!KeBugCheckEx
fffff607`c4792120 fffff802`cde2daaf : ffffffff`fffffa8b 00000000`00001000 00000000`00000002 fffff802`cdc00000 : nt!MiSystemFault+0x735
fffff607`c4792210 fffff802`ce2821cb : 00000020`7f9e908e fffff607`c4792400 00000020`7f9e9097 00001acf`af9dafc6 : nt!MmAccessFault+0x2ff
fffff607`c4792380 fffff802`6410aeb8 : fffff802`6410f260 fffff607`c47926f0 ffffe58b`389940c0 ffffe58b`386460c0 : nt!KiPageFault+0x38b
fffff607`c4792510 fffff802`6410ab86 : fffff802`cee01d40 00000000`007916d2 fffff802`ce67066e fffff802`cdc00000 : sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x28 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 174]
fffff607`c4792560 fffff802`64109d05 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x356 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 322]
fffff607`c4792830 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : sanctum!sanctum::alt_syscalls::AltSyscalls::initialise_for_system+0x7c5 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 161]


FAULTING_SOURCE_LINE: C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs
FAULTING_SOURCE_FILE: C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs
FAULTING_SOURCE_LINE_NUMBER: 174
FAULTING_SOURCE_CODE:
No source found for 'C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs'
SYMBOL_NAME: sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+28
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 28
FAILURE_BUCKET_ID: AV_R_(null)_sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {4faa5bf0-adf1-10af-ad55-e0dd0fdacc12}

Followup: MachineOwner
---------


✨✨✨✨✨✨✨✨
1: kd> .trap 0xfffff607c4792380
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffffffffffa88 rbx=0000000000000000 rcx=fffffffffffffa88
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8026410aeb8 rsp=fffff607c4792510 rbp=fffff607c47958c0
r8=ffffe58b2efb5a50 r9=00000000000000c2 r10=ffffe58b2d100140
r11=ffff8481d4b83000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x28:
fffff802`6410aeb8 8a4003 mov al,byte ptr [rax+3] ds:ffffffff`fffffa8b=?? 💥💥💥


✨✨✨✨✨✨✨✨
1: kd> k
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP RetAddr Call Site
00 fffff607`c4792510 fffff802`6410ab86 sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x28 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 174]
01 fffff607`c4792560 fffff802`64109d05 sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x356 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 322]
02 fffff607`c4792830 fffff802`640d1b59 sanctum!sanctum::alt_syscalls::AltSyscalls::initialise_for_system+0x7c5 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 161]
03 fffff607`c4795440 fffff802`640d155e sanctum!sanctum::initialise_sanctum+0x19 [C:\Users\ian\git\sanctum\driver\src\lib.rs @ 126]
04 fffff607`c4795660 fffff802`ce5aef08 sanctum!sanctum::driver_entry+0x12e [C:\Users\ian\git\sanctum\driver\src\lib.rs @ 114]
05 fffff607`c4795770 fffff802`ce5ad0d2 nt!PnpCallDriverEntry+0x54
06 fffff607`c47957c0 fffff802`ce641b7b nt!IopLoadDriver+0x6c6
07 fffff607`c4795990 fffff802`cdf09e32 nt!IopLoadUnloadDriver+0x7b
08 fffff607`c4795a00 fffff802`ce05904a nt!ExpWorkerThread+0x1b2
09 fffff607`c4795bb0 fffff802`ce2741c4 nt!PspSystemThreadStartup+0x5a
0a fffff607`c4795c00 00000000`00000000 nt!KiStartSystemThread+0x34


✨✨✨✨✨✨✨✨
1: kd> ub .
sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x9 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 165]:
fffff802`6410ae99 80e201 and dl,1
fffff802`6410ae9c 88542437 mov byte ptr [rsp+37h],dl
fffff802`6410aea0 48894c2438 mov qword ptr [rsp+38h],rcx
fffff802`6410aea5 e85661fcff call sanctum!core::ptr::mut_ptr::impl$0::is_null<wdk_mutex::grt::Grt> (fffff802`640d1000)
fffff802`6410aeaa a801 test al,1
fffff802`6410aeac 7513 jne sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x31 (fffff802`6410aec1)
fffff802`6410aeae 488b442428 mov rax,qword ptr [rsp+28h] 🌽🌽🌽
fffff802`6410aeb3 4889442440 mov qword ptr [rsp+40h],rax 🛤️🛤️🛤️
1: kd> u .
sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x28 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 174]:
fffff802`6410aeb8 8a4003 mov al,byte ptr [rax+3] 💥💥💥 🛰️🛰️🛰️
fffff802`6410aebb 2404 and al,4 🛰️🛰️🛰️
fffff802`6410aebd 3c04 cmp al,4
fffff802`6410aebf 7505 jne sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x36 (fffff802`6410aec6)
fffff802`6410aec1 4883c448 add rsp,48h
fffff802`6410aec5 c3 ret
fffff802`6410aec6 8a442437 mov al,byte ptr [rsp+37h]
fffff802`6410aeca 2401 and al,1

✨✨✨✨✨✨✨✨
1: kd> dps @rsp+40 L1 🛤️🛤️🛤️
fffff607`c4792550 ffffffff`fffffa88 🌋🌋🌋
1: kd> dps @rsp+28 L1 🌽🌽🌽
fffff607`c4792538 ffffffff`fffffa88 🌋🌋🌋

✨✨✨✨✨✨✨✨
1: kd> dt nt!_DISPATCHER_HEADER Mi*
+0x003 Minimal : Pos 2, 1 Bit 🛰️🛰️🛰️

✨✨✨✨✨✨✨✨
1: kd> uf sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls
sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 165]:
165 fffff802`6410ae90 4883ec48 sub rsp,48h
165 fffff802`6410ae94 48894c2428 mov qword ptr [rsp+28h],rcx 🌽🌽🌽
165 fffff802`6410ae99 80e201 and dl,1
165 fffff802`6410ae9c 88542437 mov byte ptr [rsp+37h],dl

✨✨✨✨✨✨✨✨
1: kd> k3
# Child-SP RetAddr Call Site
00 fffff607`c4792510 fffff802`6410ab86 sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls+0x28 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 174]
01 fffff607`c4792560 fffff802`64109d05 sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x356 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 322]
02 fffff607`c4792830 fffff802`640d1b59 sanctum!sanctum::alt_syscalls::AltSyscalls::initialise_for_system+0x7c5 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 161]

✨✨✨✨✨✨✨✨
1: kd> .frame /c /r 1
01 fffff607`c4792560 fffff802`64109d05 sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x356 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 322]
rax=fffffffffffffa88 rbx=0000000000000000 rcx=fffffffffffffa88
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8026410ab86 rsp=fffff607c4792560 rbp=fffff607c47958c0
r8=ffffe58b2efb5a50 r9=00000000000000c2 r10=ffffe58b2d100140
r11=ffff8481d4b83000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=0000 es=0000 fs=0000 gs=0000 efl=00050246
sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x356:
fffff802`6410ab86 488b4c2450 mov rcx,qword ptr [rsp+50h] ss:0018:fffff607`c47925b0=fffffffffffffa88

✨✨✨✨✨✨✨✨
1: kd> ub .
sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x333 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 295]:
fffff802`6410ab63 480f44c1 cmove rax,rcx
fffff802`6410ab67 4883f800 cmp rax,0
fffff802`6410ab6b 7443 je sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x380 (fffff802`6410abb0)
fffff802`6410ab6d e99a000000 jmp sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x3dc (fffff802`6410ac0c)
fffff802`6410ab72 488b4c2450 mov rcx,qword ptr [rsp+50h] 🌽🌽🌽
fffff802`6410ab77 8a94248f000000 mov dl,byte ptr [rsp+8Fh]
fffff802`6410ab7e 80e201 and dl,1
fffff802`6410ab81 e80a030000 call sanctum!sanctum::alt_syscalls::AltSyscalls::configure_thread_for_alt_syscalls (fffff802`6410ae90)
1: kd> u .
sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x356 [C:\Users\ian\git\sanctum\driver\src\alt_syscalls.rs @ 322]:
fffff802`6410ab86 488b4c2450 mov rcx,qword ptr [rsp+50h]
fffff802`6410ab8b e870030000 call sanctum!sanctum::alt_syscalls::AltSyscalls::configure_process_for_alt_syscalls (fffff802`6410af00)
fffff802`6410ab90 488b8424e8000000 mov rax,qword ptr [rsp+0E8h]
fffff802`6410ab98 4889442448 mov qword ptr [rsp+48h],rax
fffff802`6410ab9d 4883e007 and rax,7
fffff802`6410aba1 4883f800 cmp rax,0
fffff802`6410aba5 0f84af020000 je sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x62a (fffff802`6410ae5a)
fffff802`6410abab e9c2020000 jmp sanctum!sanctum::alt_syscalls::AltSyscalls::walk_active_processes_and_set_bits+0x642 (fffff802`6410ae72)

✨✨✨✨✨✨✨✨
1: kd> dps @rsp+50 L1 🌽🌽🌽
fffff607`c47925b0 ffffffff`fffffa88 🌋🌋🌋


✨✨✨✨✨✨✨✨
✨✨✨✨✨✨✨✨
```rust
fn walk_active_processes_and_set_bits(
    status: AltSyscallStatus,
    isolated_processes: Option<&[&str]>,
) {
    ...
    let current_process = unsafe { IoGetCurrentProcess() };

    ...
    let head = unsafe { (current_process as *mut u8).add(ACTIVE_PROCESS_LINKS_OFFSET) } as *mut LIST_ENTRY;
    let mut entry = unsafe { (*head).Flink };
    while entry != head {
        ...
        let thread_head = unsafe { (p_e_process as *mut u8).add(THREAD_LIST_HEAD_OFFSET) } as *mut LIST_ENTRY;
        let mut thread_entry = unsafe { (*thread_head).Flink };
        while thread_entry != thread_head {
            ...
            // 🌽🌽🌽
            let p_k_thread = unsafe { (thread_entry as *mut u8).sub(THREAD_LIST_ENTRY_OFFSET) } as *mut _KTHREAD;
            ...
            Self::configure_thread_for_alt_syscalls(p_k_thread, status); // 💥💥💥
            ...
            thread_entry = unsafe { (*thread_entry).Flink };
        }
        ...
        entry = unsafe { (*entry).Flink }
    }
    ...
}
```


✨✨✨✨✨✨✨✨
✨✨✨✨✨✨✨✨
✨✨✨✨✨✨✨✨

## Analysis results
Enumerating processes and threads the way `walk_active_processes_and_set_bits` does is inherently unsafe. The code follows `ActiveProcessLinks` and `ThreadListHead` without holding the locks that protect those lists (such as `PspActiveProcessLock` for the process list) and without taking a reference on any object it visits, so nothing stops the OS from unlinking a process or thread from its list and destroying it while the Sanctum driver is still using it.

That appears to be exactly what happened here. While Sanctum was processing a thread object, that thread was destroyed and its memory reused for something else. `thread_entry.Flink` therefore no longer pointed at the next `ThreadListEntry` but held an unrelated value (numerically close to 🌋🌋🌋, ffffffff`fffffa88). Sanctum subtracted `THREAD_LIST_ENTRY_OFFSET` from it to obtain the "next" `_KTHREAD` (🌽🌽🌽) and passed that pointer to `configure_thread_for_alt_syscalls`, whose very first read, the `Minimal` bit at `+0x003` of the dispatcher header (🛰️🛰️🛰️, `mov al,byte ptr [rax+3]`), touched ffffffff`fffffa8b. That address is not mapped, hence the page fault and bugcheck 0x50 (PAGE_FAULT_IN_NONPAGED_AREA). One further observation: ffffffff`fffffa88 is exactly 0 - 0x578, so if `THREAD_LIST_ENTRY_OFFSET` is 0x578 on this build, the `Flink` read from the recycled memory was NULL, which would be consistent with the freed entry having been zeroed rather than overwritten with arbitrary data.

## Suggestions
The proper way to enumerate processes and threads from a driver is `PsGetNextProcess` and `PsGetNextThread`, which take the references for you. Since those functions aren't exported, consider the `ZwGetNextProcess` and `ZwGetNextThread` system services instead. They are slightly slower, but they are safe: each call returns a handle to a process or thread that exists at that moment, with the object's reference count adjusted, so the object cannot be destroyed while you hold the handle. To get the `_KTHREAD` pointer that `configure_thread_for_alt_syscalls` expects, reference the thread handle with `ObReferenceObjectByHandle` (object type `*PsThreadType`), do the work, then `ObDereferenceObject` and `ZwClose`.

An alternative is `ZwQuerySystemInformation` with an info class such as `SystemProcessInformation`, `SystemExtendedProcessInformation` or `SystemFullProcessInformation`, which returns a snapshot of every running process and its threads in a single syscall. The drawback is that the snapshot carries only process and thread IDs, not handles or object pointers, so there is a small race between taking the snapshot and opening a process, made worse by PID reuse. You can mitigate that by comparing the `CreateTime` from the snapshot with the one on the process you actually opened, or by re-querying the process information after opening it.

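The handle-based walk suggested above, and the fix for the unlocked list walk described in the analysis results, written out as an added example. This is my code, not Sanctum's and not the content of the linked commit. It assumes that `ZwGetNextProcess`/`ZwGetNextThread` have the same prototypes as their `NtGetNext*` counterparts (they are undocumented and not declared in `ntddk.h`, so the block declares them by hand), and that the visitor wants the same `_KTHREAD` pointer `configure_thread_for_alt_syscalls` takes, obtained here via `ObReferenceObjectByHandle`. When built without `_KERNEL_MODE`, a constructed shim (two fake processes with three threads between them, integer handles) stands in for the kernel so the walk can be compiled and checked off-box; the WDK branch is an assumption about how the same code would be wired up in a driver.

```c
/* Added example, not Sanctum's code: walk every thread of every process with
 * ZwGetNextProcess/ZwGetNextThread instead of chasing EPROCESS/ETHREAD LIST_ENTRY
 * pointers. Every object the visitor sees is referenced for the duration of the call. */
#include <stddef.h>
#include <stdint.h>

#ifdef _KERNEL_MODE
#include <ntddk.h>
/* Assumption: undocumented, absent from ntddk.h; prototypes mirror NtGetNextProcess/NtGetNextThread. */
NTSYSAPI NTSTATUS NTAPI ZwGetNextProcess(HANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
                                        ULONG HandleAttributes, ULONG Flags, PHANDLE NewProcessHandle);
NTSYSAPI NTSTATUS NTAPI ZwGetNextThread(HANDLE ProcessHandle, HANDLE ThreadHandle, ACCESS_MASK DesiredAccess,
                                       ULONG HandleAttributes, ULONG Flags, PHANDLE NewThreadHandle);
#else
/* Constructed host-side shim so the walk can be compiled and exercised off-box:
 * two fake processes (2 threads and 1 thread); handles are small integers. */
typedef int32_t NTSTATUS; typedef void *HANDLE, **PHANDLE; typedef uint32_t ACCESS_MASK, ULONG;
typedef struct _KTHREAD { uint8_t Header[0x18]; int Id; } KTHREAD, *PKTHREAD;
#define STATUS_SUCCESS         ((NTSTATUS)0)
#define STATUS_NO_MORE_ENTRIES ((NTSTATUS)0x8000001A)
#define NT_SUCCESS(s)          ((NTSTATUS)(s) >= 0)
#define OBJ_KERNEL_HANDLE      0x200
#define KernelMode             0
static const size_t g_nthreads[2] = { 2, 1 };
static KTHREAD g_threads[2][2] = { { { {0}, 1 }, { {0}, 2 } }, { { {0}, 3 }, { {0}, 0 } } };
static void *g_thread_type, **PsThreadType = &g_thread_type;
static int g_open_handles, g_refs;
#define PROC_H(p)   ((HANDLE)(uintptr_t)(0x10 + (p)))
#define THR_H(p, t) ((HANDLE)(uintptr_t)(0x100 + (p) * 0x10 + (t)))
static NTSTATUS ZwGetNextProcess(HANDLE cur, ACCESS_MASK a, ULONG attr, ULONG f, PHANDLE out) {
    size_t next = cur ? (size_t)((uintptr_t)cur - 0x10) + 1 : 0; (void)a; (void)attr; (void)f;
    if (next >= 2) return STATUS_NO_MORE_ENTRIES;
    *out = PROC_H(next); g_open_handles++; return STATUS_SUCCESS;
}
static NTSTATUS ZwGetNextThread(HANDLE proc, HANDLE cur, ACCESS_MASK a, ULONG attr, ULONG f, PHANDLE out) {
    size_t p = (size_t)((uintptr_t)proc - 0x10), next = cur ? ((uintptr_t)cur & 0xf) + 1 : 0;
    (void)a; (void)attr; (void)f;
    if (next >= g_nthreads[p]) return STATUS_NO_MORE_ENTRIES;
    *out = THR_H(p, next); g_open_handles++; return STATUS_SUCCESS;
}
static NTSTATUS ZwClose(HANDLE h) { (void)h; g_open_handles--; return STATUS_SUCCESS; }
static NTSTATUS ObReferenceObjectByHandle(HANDLE h, ACCESS_MASK a, void *type, int mode, void **obj, void *info) {
    (void)a; (void)type; (void)mode; (void)info;
    *obj = &g_threads[((uintptr_t)h >> 4) & 0xf][(uintptr_t)h & 0xf]; g_refs++; return STATUS_SUCCESS;
}
static void ObDereferenceObject(void *o) { (void)o; g_refs--; }
#endif

#ifndef PROCESS_QUERY_LIMITED_INFORMATION
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif
#ifndef THREAD_QUERY_LIMITED_INFORMATION
#define THREAD_QUERY_LIMITED_INFORMATION 0x0800
#endif

typedef void (*THREAD_VISITOR)(PKTHREAD Thread, void *Context);

/* Visit every thread in the system. The handle from the previous iteration is the cursor
 * for the next Zw call and is closed only once its successor exists; the KTHREAD pointer
 * handed to the visitor is backed by an object reference, so neither the process nor the
 * thread can be torn down underneath the callback. */
static NTSTATUS ForEachThread(THREAD_VISITOR Visit, void *Context) {
    NTSTATUS status;
    HANDLE proc = NULL, nextProc;
    while (NT_SUCCESS(status = ZwGetNextProcess(proc, PROCESS_QUERY_LIMITED_INFORMATION,
                                                OBJ_KERNEL_HANDLE, 0, &nextProc))) {
        if (proc) ZwClose(proc);
        proc = nextProc;
        HANDLE thread = NULL, nextThread;
        while (NT_SUCCESS(ZwGetNextThread(proc, thread, THREAD_QUERY_LIMITED_INFORMATION,
                                          OBJ_KERNEL_HANDLE, 0, &nextThread))) {
            if (thread) ZwClose(thread);
            thread = nextThread;
            PKTHREAD kthread;
            if (NT_SUCCESS(ObReferenceObjectByHandle(thread, THREAD_QUERY_LIMITED_INFORMATION,
                                                     *PsThreadType, KernelMode,
                                                     (void **)&kthread, NULL))) {
                Visit(kthread, Context);   /* e.g. configure_thread_for_alt_syscalls */
                ObDereferenceObject(kthread);
            }
        }
        if (thread) ZwClose(thread);
    }
    if (proc) ZwClose(proc);
    /* Running off the end of the process list is the normal way out. */
    return status == STATUS_NO_MORE_ENTRIES ? STATUS_SUCCESS : status;
}

static void CountVisitor(PKTHREAD Thread, void *Context) { (void)Thread; ++*(int *)Context; }

#ifndef _KERNEL_MODE
/* Host-side check against the shim: number of threads visited (3); afterwards no
 * handle and no object reference may still be outstanding. */
int DemoWalk(void)          { int n = 0; return NT_SUCCESS(ForEachThread(CountVisitor, &n)) ? n : -1; }
int DemoLeakedHandles(void) { return g_open_handles; }
int DemoLeakedRefs(void)    { return g_refs; }
#endif
```

The point of the shape is the cursor handling: `ZwGetNextProcess`/`ZwGetNextThread` take the previous handle as the position to continue from, so that handle has to stay open until the call returns and is closed only afterwards, and the final cursor of each loop is closed once the loop exits. With `OBJ_KERNEL_HANDLE` the handles never land in a user-mode handle table, and because the kernel holds a reference behind every open handle (plus the explicit one taken through `ObReferenceObjectByHandle`), the `_KTHREAD` cannot be freed and recycled while the visitor is reading its dispatcher header, which is precisely the window the crashed list walk left open.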