Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


dbvm_switchToKernelMode freeze/bsod on win10 (18363)

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Source -> DBVM
View previous topic :: View next topic  
Author Message
ntint
Newbie cheater
Reputation: 0

Joined: 29 May 2017
Posts: 11

PostPosted: Fri Apr 17, 2020 9:54 am    Post subject: dbvm_switchToKernelMode freeze/bsod on win10 (18363) Reply with quote

Hi.

First of all, everything works fine on win7 (even when running on a guest vm in vmware). But on win10 (18363), I got the following problem:

KernelAlloc64->dbvm_kernelalloc->dbvm_switchToKernelMode->vmcall->vmcallSupported_intel will freeze/bsod the system.

I also tried dbvm_testSwitchToKernel, same problem. There are several other vmcalls before this, all of these work fine. So it looks like it's not a general vmcall problem, but specific to dbvm_switchToKernelMode.

DBVM loads successfully on all cores and the general functionality seems to be working fine. It's only that dbvm_switchToKernelMode causes problems. But I really need this functionality.

Some additional info:
When I set a breakpoint (remote kernel debugger) on the vmcall cpu instruction inside vmcallSupported_intel, I can single-step it (although it steps over the dbvm handler), if it's any other command than switchToKernelMode. If it's switchToKernelMode, the system freezes/bsods when executing the vmcall instruction. I also don't get any message in the debugger.

If I also set a breakpoint on dbvm_localIntHandler_entry (I'm not even sure if it would be possible, since I guess that interrupts aren't allowed when this is called), the breakpoint doesn't hit before the system freezes/bsods.

So I guess it's a problem inside the dbvm switchToKernelMode handler. But I don't know how to debug this.

Any suggestions on how to fix this? I'd greaty appreciate it Smile
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Fri Apr 17, 2020 5:03 pm    Post subject: Reply with quote

windows 10 uses a config where usermode memory may not be executed by kernelmode. (SMEP, SMAP) (it's two bits in CR4)
You can disable it , quickly execute the alloc and then restore and hope patchguard didn't see it

or you can use the new vmcall: VMCALL_KERNELMODE(0x100) and VMCALL_USERMODE (0x101)
these change the flags as well, and does what dbvm_switchToKernelMode does (note that it must be finished by VMCALL_USERMODE )


----

And i'm wondering. how did you load DBVM?
at boottime or afterwards using ce's runtime launcher ?

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
ntint
Newbie cheater
Reputation: 0

Joined: 29 May 2017
Posts: 11

PostPosted: Sat Apr 18, 2020 7:51 am    Post subject: Reply with quote

Hi.

Thanks for the answer! I'm using ce runtime launcher to load dbvm.

So, since I couldn't find any prototype in the ce pascal source on how to do VMCALL_KERNELMODE and VMCALL_USERMODE, I tried to figure it out myself.

If I get it correctly, everything that follows a VMCALL_KERNELMODE will get executed in ring0 until a VMCALL_USERMODE call, right?

I tried the following:

Code:

procedure dbvm_kernelMode(cs: word);
var vmcallinfo: packed record
  structsize: dword;
  level2pass: dword;
  command: dword;
  cs: dword;
end;
begin
  vmcallinfo. structsize:=sizeof(vmcallinfo);
  vmcallinfo. level2pass:=vmx_password2;
  vmcallinfo. command:=100;      // VMCALL_KERNELMODE
  vmcallinfo. cs:=cs;
  vmcall(@vmcallinfo,vmx_password1);
end;

procedure dbvm_userMode();
var vmcallinfo: packed record
  structsize: dword;
  level2pass: dword;
  command: dword;
end;
begin
  vmcallinfo. structsize:=sizeof(vmcallinfo);
  vmcallinfo. level2pass:=vmx_password2;
  vmcallinfo. command:=101;      // VMCALL_USERMODE
  vmcall(@vmcallinfo,vmx_password1);
end;

function dbvm_testSwitchToKernelmode: integer;
begin
  dbvm_kernelMode($10);
  result:=1;
  dbvm_userMode();
end;

function dbvm_kernelalloc(size: dword): pointer;
begin
  setupKernelFunctionList;
  dbvm_kernelMode($10);
  result:=ExAllocatePool(0, size);
  dbvm_userMode();
end;



dbvm_testSwitchToKernelmode neither crashes on win7 nor on win10. But dbvm_kernelalloc crashes on both win7 and win10. So I guess I'm doing something wrong here. Any suggestions would be appreciated Smile
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Sun Apr 19, 2020 11:18 am    Post subject: Reply with quote

not sure, currently elbow deep in an AMD trying to get something to work, but perhaps the BSOD info in memory.dmp might help if you load it into windbg


perhaps the CS limit of 0xFFFFF is the issue ?

Try adding more code to dbvm_testSwitchToKernelmode (in case the result got optimized out and put at the end), like reading out the CR3 register

And ExAllocatePool is the correct address ? If a pagefault where to happen you'd crash.

Oh, and talking about pagefault, have you already used the "Make possible" option next to kernelmode debug in CE's settings? Else the current CR3 register you're in likely will not contain the code for ExAllocatePool (you'll then need the kernelversion for your process, which DBVM can find for you using cr3 logging)

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
ntint
Newbie cheater
Reputation: 0

Joined: 29 May 2017
Posts: 11

PostPosted: Mon Apr 20, 2020 5:08 am    Post subject: Reply with quote

I did use the make possible option in ce settings. I'm not getting any crashdumps, since the system just freezes. I also can't set breakpoint in code that is executed inside a dbvm_kernelMode - dbvm_userMode block, so I can't really debug stuff. But I still found some interesting stuff..

First, I did the following:

Code:

function dbvm_copyMemory(destination, target: pointer; size: integer): boolean;
begin
  dbvm_kernelMode($10);
  CopyMemory(destination, target, size);
  dbvm_userMode();
  result:=true;
end;


function dbvm_testSwitchToKernelmode: integer;
var r_cr3, r_cr4, q: qword;
begin
  messagebox(0, 'dbvm_testSwitchToKernelMode', '', 0);
  setupKernelFunctionList;
  dbvm_kernelMode($10);
  asm
    mov rcx, cr3
    mov r_cr3, rcx
    mov rcx, cr4
    mov r_cr4, rcx
  end;
  dbvm_userMode();
  messagebox(0, pchar(format('cr3: %x, cr4: %x, ExAllocatePool: %x', [r_cr3, r_cr4, ExAllocatePoolAddress])), '', 0);

  dbvm_copyMemory(@q, @ExAllocatePool, sizeof(q));
  messagebox(0, pchar(format('ExAllocatePool mem: %x', [q])), '', 0);
  result:=1;
end;



It successfully reads cr3 and cr4, but dbvm_copyMemory crashes. ExAllocatePool is the correct address in ntoskrnl.exe:

https :// imgur . com/a/KOA1rvR

Note that the cr4 value from windbg is the one in usermode and the cr4 value in the messagebox is the one in kernel mode.


After that, I tried the following (read the first 8 bytes of ExAllocatePool in asm instead of using CopyMemory):

Code:

function dbvm_testSwitchToKernelmode: integer;
var r_cr3, r_cr4, q: qword;
begin
  messagebox(0, 'dbvm_testSwitchToKernelMode', '', 0);
  setupKernelFunctionList;
  dbvm_kernelMode($10);
  asm
    mov rcx, cr3
    mov r_cr3, rcx
    mov rcx, cr4
    mov r_cr4, rcx
  end;
  dbvm_userMode();
  messagebox(0, pchar(format('cr3: %x, cr4: %x, ExAllocatePool: %x', [r_cr3, r_cr4, ExAllocatePoolAddress])), '', 0);

  dbvm_kernelMode($10);
  asm
    mov rcx, ExAllocatePoolAddress
    mov rcx, qword ptr[rcx]
    mov q, rcx
  end;
  dbvm_userMode();
  messagebox(0, pchar(format('ExAllocatePool mem: %x', [q])), '', 0);
  result:=1;
end;



Now everything works fine without crashing. This leads me to the conclusion, that the involved memory functions in ntoskrnl probably explicitly check for cr4 manipulation everytime they are called. Is there a way to make dbvm fake cr4 and make it look legit during dbvm_kernelMode - dbvm_userMode?
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Mon Apr 20, 2020 6:11 am    Post subject: Reply with quote

Freeze isn't a windows thing, thats DBVM encountering an error (Like when the cpu is entering into a system reboot)
are you using the latest DBVM version from the git? and does your mainboard have a POST display (2 hex numbers) ? if so, what value does it display when frozen.

How is dbvm_copyMemory implemented? Still using VMCALL_SWITCH_TO_KERNELMODE ? or using the new VMCALL_KERNELMODE/VMCALL_USERMODE ?
Keep in mind that if called when already in kernelmode, DO NOT call these vmcalls, it's not re-entrant and doesn't keep a count of enters/leave.


Oh yes, don't forget to call swapgs before and after calling a kernel function

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
ntint
Newbie cheater
Reputation: 0

Joined: 29 May 2017
Posts: 11

PostPosted: Mon Apr 20, 2020 11:55 am    Post subject: Reply with quote

Alright, I'm doing my testing on win7 until it works there and swap to win10 after that. I'm using the latest dbvm version and my BIOS doesn't seem to have a post display. The missing swapgs was the problem. After adding swapgs after dbvm_kernelMode and before dbvm_userMode, dbvm_kernelalloc, dbvm_copyMemory and dbvm_executeDriverEntry started working. SecondaryDriverLoad now successfully stealth loads the driver. I get all the debug messages, no errors, and so on. So thanks for that! But now the next problem is dbvm_executeDispatchIoctl. My new version looks like this:

Code:

function dbvm_executeDispatchIoctl(DispatchIoctl: pointer; DriverObject: pointer; dwIoControlCode: DWORD; lpInBuffer: pointer; nInBufferSize:integer; lpOutBuffer: pointer; nOutBufferSize: integer; lpBytesReturned: pdword): BOOL;
var dispatch: TDispatchIOCTL;
begin
  dispatch:=TDispatchIOCTL(DispatchIoctl);
  dbvm_kernelMode($10);
  asm
     db $0f, $01, $f8 //swapgs
  end;
  result:=dispatch(DriverObject, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned);
  asm
     db $0f, $01, $f8 //swapgs
  end;
  dbvm_userMode();
end;



Now, when I attach to a process, IOCTL_CE_OPENPROCESS works fine. But IOCTL_CE_READMEMORY crashes with bugcheck code 0x7f (8) -> UNEXPECTED_KERNEL_MODE_TRAP (EXCEPTION_DOUBLE_FAULT):

Code:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 80050033, 506f8, fffff80002ab285a}

Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+291 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050033
Arg3: 00000000000506f8
Arg4: fffff80002ab285a

Debugging Details:
------------------


BUGCHECK_STR:  0x7f_8

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  calc.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80002af62e9 to fffff80002ae7ea0

STACK_TEXT: 
fffff880`02f4fe68 fffff800`02af62e9 : 00000000`0000007f 00000000`00000008 00000000`80050033 00000000`000506f8 : nt!KeBugCheckEx
fffff880`02f4fe70 fffff800`02af2d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`02f4ffb0 fffff800`02ab285a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0x291
00000000`0220e5d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiAttachProcess+0x24a


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!KiDoubleFaultAbort+291
fffff800`02af2d51 90              nop

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!KiDoubleFaultAbort+291

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5e0ead5e

IMAGE_VERSION:  6.1.7601.24545

FAILURE_BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+291

BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+291

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x7f_8_nt!kidoublefaultabort+291

FAILURE_ID_HASH:  {ff85e657-4696-7830-155b-07ee888695cf}

Followup: MachineOwner
---------



It probably says calc.exe because I attached to that. The problem seems to be in KiAttachProcess.


As a side note: if I use the old dbvm_executeDispatchIoctl version that uses dbvm_switchToKernelMode instead of my new version, it works fine (on win7), even if I use my new dbvm_kernelMode and dbvm_userMode versions for the other functions (dbvm_copyMemory, dbvm_kernelalloc, dbvm_executeDriverEntry).


EDIT:
I realized that I can actually set kernel bps without problems now. The instruction inside KiAttachProcess that causes the bsod is the one that loads the pagedir of the target process:

mov cr3, rax

Does it have something to do with dbvm?
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Tue Apr 21, 2020 3:45 am    Post subject: Reply with quote

mov cr3,rax will swap out the virtual memory with that of the target process.

If your current instruction pointer is in non-kernel memory, the current instruction code will be replaced causing a crash.
Also, if your instruction IS in kernelmode, but you're giving it the usermode only CR3 , you'll crash as well (though since you said you disabled spectre protection that shouldn't be the case)

Also, when manually loading drivers, TRY/EXCEPT will not work. Any exception will BSOD you without fail. paged out memory in either the target or destination? BSOD

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Source -> DBVM All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites