fjfc (Advanced Cheater)
Reputation: 0
Joined: 21 Sep 2006
Posts: 91
Posted: Wed Dec 08, 2010 2:21 am
Post subject: BSOD Working with SSDT
Hey guys, I'm trying to hook some SSDT functions but I'm getting a BSOD. The code:
BOOL initializeDriver(){
    NtUserFindWindowEx_callnumber = 0x17A;
    /* Try to find SDT Shadow table. */
    QuerySDTShadow();
    if(KeServiceDescriptorTableShadow){
        DbgPrint("SDT Shadow table found and set! proceeding with driver load process.\n");
        /*Set the original functions*/
        OldNtUserFindWindowEx=(NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber];
        if(OldNtUserFindWindowEx)
            DbgPrint("bababa\n");
        return true;
    }else
        return false;
}
I can guarantee KeServiceDescriptorTableShadow is set properly; I checked it with CE.
The line causing the BSOD is this:
OldNtUserFindWindowEx=(NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow->ServiceTable[NtUserFindWindowEx_callnumber];
The BSOD is PAGE_FAULT_IN_NONPAGED_AREA (50). When I surround the line with cli and sti I get IRQL_NOT_LESS_OR_EQUAL.
I'm running XP SP3.
WinDbg Log:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.080814-1236
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Dec 8 06:05:33.328 2010 (UTC - 2:00)
System Uptime: 0 days 0:02:24.938
Loading Kernel Symbols
...............................................................
......................................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {bf99a2e8, 0, f7b23652, 2}
Probably caused by : FzeBypass.sys ( FzeBypass!initializeDriver+92 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bf99a2e8, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f7b23652, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
Debugging Details:
------------------
READ_ADDRESS: bf99a2e8
FAULTING_IP:
FzeBypass!initializeDriver+92 [c:\documents and settings\administrator\desktop\new bypass\functions.c @ 25]
f7b23652 8b0c82 mov ecx,dword ptr [edx+eax*4]
MM_INTERNAL_CODE: 2
IMAGE_NAME: FzeBypass.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4cff3c44
MODULE_NAME: FzeBypass
FAULTING_MODULE: f7b23000 FzeBypass
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
TRAP_FRAME: f7a54bf8 -- (.trap 0xfffffffff7a54bf8)
ErrCode = 00000000
eax=0000017a ebx=00000000 ecx=8055c6d0 edx=bf999d00 esi=e22d6474 edi=85f6e030
eip=f7b23652 esp=f7a54c6c ebp=f7a54c6c iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
FzeBypass!initializeDriver+0x92:
f7b23652 8b0c82 mov ecx,dword ptr [edx+eax*4] ds:0023:bf99a2e8=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 8052037a to 804f9f43
STACK_TEXT:
f7a54b78 8052037a 00000050 bf99a2e8 00000000 nt!KeBugCheckEx+0x1b
f7a54be0 80544588 00000000 bf99a2e8 00000000 nt!MmAccessFault+0x9a8
f7a54be0 f7b23652 00000000 bf99a2e8 00000000 nt!KiTrap0E+0xd0
f7a54c6c f7b23518 00220020 f7b23cd0 00000000 FzeBypass!initializeDriver+0x92 [c:\documents and settings\administrator\desktop\new bypass\functions.c @ 25]
f7a54c84 80581377 85f6e030 86201000 00000000 FzeBypass!DriverEntry+0x88 [c:\documents and settings\administrator\desktop\new bypass\bypass.c @ 45]
f7a54d54 80581487 80000464 00000001 00000000 nt!IopLoadDriver+0x66d
f7a54d7c 8053877d 80000464 00000000 865c23c8 nt!IopLoadUnloadDriver+0x45
f7a54dac 805cff70 f70a8cf4 00000000 00000000 nt!ExpWorkerThread+0xef
f7a54ddc 805460ee 8053868e 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
FzeBypass!initializeDriver+92 [c:\documents and settings\administrator\desktop\new bypass\functions.c @ 25]
f7b23652 8b0c82 mov ecx,dword ptr [edx+eax*4]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: FzeBypass!initializeDriver+92
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: 0x50_FzeBypass!initializeDriver+92
BUCKET_ID: 0x50_FzeBypass!initializeDriver+92
Followup: MachineOwner
---------
Why the hell can't I read the address I'm pointing at? I checked bf99a2e8 and it's a valid address...
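Added example, not part of the original post and not the poster's driver code: a small Python triage helper for the kind of `!analyze -v` output quoted above. When a crash dump like this lands on an analyst's desk, the first thing to confirm is that the bugcheck arguments, the FAULTING_IP line and the trap-frame registers all tell the same story, i.e. that the bad read address really is `edx + eax*4` as the faulting instruction says, and that the instruction address sits inside the blamed module. The sample text below is constructed from the log lines in the post; the `Triage` type, the function names and the field names are this example's own.

```python
"""Triage helper for WinDbg `!analyze -v` output of a bugcheck 0x50.

Added example (not from the forum post). It extracts the fields WinDbg prints and
re-derives the faulting address from the trap-frame registers and the disassembled
faulting instruction, so the reviewer can see which pointer arithmetic produced
the bad access instead of trusting the one-line "Probably caused by" summary.
"""
import re
from dataclasses import dataclass

# Constructed sample: the triage-relevant lines copied from the dump quoted in the post.
SAMPLE_ANALYZE = r"""
BugCheck 50, {bf99a2e8, 0, f7b23652, 2}
Probably caused by : FzeBypass.sys ( FzeBypass!initializeDriver+92 )
READ_ADDRESS: bf99a2e8
FAULTING_IP:
FzeBypass!initializeDriver+92 [c:\documents and settings\administrator\desktop\new bypass\functions.c @ 25]
f7b23652 8b0c82 mov ecx,dword ptr [edx+eax*4]
FAULTING_MODULE: f7b23000 FzeBypass
eax=0000017a ebx=00000000 ecx=8055c6d0 edx=bf999d00 esi=e22d6474 edi=85f6e030
eip=f7b23652 esp=f7a54c6c ebp=f7a54c6c iopl=0 nv up ei ng nz na pe nc
"""

BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA = 0x50


@dataclass
class Triage:
    code: int
    args: list
    probably_caused_by: str
    read_address: int
    faulting_ip: int
    faulting_symbol: str
    instruction: str
    module_name: str
    module_base: int
    regs: dict


def parse_analyze(text: str) -> Triage:
    """Pull the triage-relevant fields out of `!analyze -v` text."""
    m = re.search(r"BugCheck\s+([0-9a-fA-F]+),\s*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]

    pcb = re.search(r"Probably caused by\s*:\s*(\S+)", text)
    ra = re.search(r"READ_ADDRESS:\s*([0-9a-fA-F]+)", text)
    # FAULTING_IP is followed by the symbol line, then "<addr> <bytes> <instruction>".
    fip = re.search(
        r"FAULTING_IP:\s+(?P<sym>\S+)[^\n]*\n(?P<addr>[0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+(?P<insn>[^\n]+)",
        text,
    )
    mod = re.search(r"FAULTING_MODULE:\s*([0-9a-fA-F]+)\s+(\S+)", text)
    # 32-bit general-purpose registers as printed in the trap frame.
    regs = {name: int(val, 16)
            for name, val in re.findall(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-fA-F]{8})", text)}
    if not (pcb and ra and fip and mod):
        raise ValueError("analyze output is missing expected fields")
    return Triage(code=code, args=args, probably_caused_by=pcb.group(1),
                  read_address=int(ra.group(1), 16), faulting_ip=int(fip.group("addr"), 16),
                  faulting_symbol=fip.group("sym"), instruction=fip.group("insn").strip(),
                  module_name=mod.group(2), module_base=int(mod.group(1), 16), regs=regs)


# Matches MASM-style operands such as [edx+eax*4], [esi], [esi+0Ch].
MEM_OPERAND = re.compile(
    r"\[(?P<base>e[a-z]{2})(?:\+(?P<index>e[a-z]{2})\*(?P<scale>[1248]))?(?:\+(?P<disp>[0-9][0-9a-fA-F]*)h?)?\]"
)


def effective_address(instruction: str, regs: dict) -> int:
    """Evaluate the memory operand of a 32-bit x86 instruction with the given registers."""
    m = MEM_OPERAND.search(instruction)
    if not m:
        raise ValueError(f"no memory operand in {instruction!r}")
    ea = regs[m.group("base")]
    if m.group("index"):
        ea += regs[m.group("index")] * int(m.group("scale"))
    if m.group("disp"):
        ea += int(m.group("disp"), 16)
    return ea & 0xFFFFFFFF


def triage(text: str = SAMPLE_ANALYZE) -> dict:
    """Cross-check the bugcheck arguments against the trap frame and faulting instruction."""
    t = parse_analyze(text)
    if t.code != BUGCHECK_PAGE_FAULT_IN_NONPAGED_AREA:
        raise ValueError(f"expected bugcheck 0x50, got {t.code:#x}")
    referenced, access, insn_addr, _reserved = t.args
    ea = effective_address(t.instruction, t.regs)
    return {
        "referenced": referenced,
        "access": "write" if access else "read",
        # Arg3, FAULTING_IP and eip in the trap frame should all agree.
        "ip_matches_arg3": insn_addr == t.faulting_ip == t.regs.get("eip"),
        # Only the module base is in this output, so this is a lower-bound check.
        "ip_in_faulting_module": t.faulting_ip >= t.module_base,
        "effective_address": ea,
        "ea_matches_referenced": ea == referenced == t.read_address,
        "base": t.regs[MEM_OPERAND.search(t.instruction).group("base")],
        "index": t.regs["eax"] if "eax" in t.instruction else None,
        "culprit": f"{t.probably_caused_by} ({t.faulting_symbol})",
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k:>24}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:>24}: {v}")
```

Running it on the quoted dump shows `effective_address` equal to Arg1 (`0xbf99a2e8`), derived from `edx = 0xbf999d00` plus `eax = 0x17a` scaled by 4: the table pointer itself was dereferenced fine, and the page fault is on the entry it indexes.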