Crash when trying to manual map protected driver


Postby samtulach » Wed Jun 10, 2020 3:47 pm


I have protected my standard driver just fine. I am trying to manually map another driver through the first one. The issue is that when protecting the driver that I am trying to manually map, I always get an access violation (it works flawlessly without protection).

I want to note that I am passing null parameters to the driver's entry point, since they are not needed by the mapped driver. Here is the crash dump:


1: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

An exception happened while executing a system service routine.
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: ffffd4025236e222, Address of the instruction which caused the bugcheck
Arg3: ffffc98afeaade70, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:


    Key  : Analysis.CPU.Sec
    Value: 2

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-LOGEV4U

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 2

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 67

    Key  : Analysis.System
    Value: CreateObject



BUGCHECK_P1: c0000005

BUGCHECK_P2: ffffd4025236e222

BUGCHECK_P3: ffffc98afeaade70


CONTEXT:  ffffc98afeaade70 -- (.cxr 0xffffc98afeaade70)
rax=ffffc98afeaa000f rbx=ffffd402586d9080 rcx=000000000000dead
rdx=0000000000000000 rsi=00000001401fa5b7 rdi=ffffd4025236e215
rip=ffffd4025236e222 rsp=ffffc98afeaae870 rbp=ffffc98afeaaeb80
 r8=000000ee3774f898  r9=00000001401fa5b7 r10=0000000000000000
r11=ffffc98afeaae9f0 r12=000000ee3774fc68 r13=0000000000000000
r14=fffff800528f13a0 r15=00007ffbba52d650
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
ffffd402`5236e222 8b06            mov     eax,dword ptr [rsi] ds:002b:00000001`401fa5b7=????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)


PROCESS_NAME:  kdmapper.exe

ffffc98a`feaad568 fffff800`525ef929 : 00000000`0000003b 00000000`c0000005 ffffd402`5236e222 ffffc98a`feaade70 : nt!KeBugCheckEx
ffffc98a`feaad570 fffff800`525eed7c : ffffc98a`feaae638 fffff800`522e68e0 ffffc98a`feaad760 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffc98a`feaad6b0 fffff800`525e68df : fffff800`525eed00 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceHandler+0x7c
ffffc98a`feaad6f0 fffff800`52432fb7 : ffffc98a`feaadc60 00000000`00000000 ffffc98a`feaaea20 fffff800`525ef348 : nt!RtlpExecuteHandlerForException+0xf
ffffc98a`feaad720 fffff800`5247b226 : ffffc98a`feaae638 ffffc98a`feaae370 ffffc98a`feaae638 ffffd402`5236e215 : nt!RtlDispatchException+0x297
ffffc98a`feaade40 fffff800`525efa6c : ffffc98a`feaae760 00000000`00001000 ffffc98a`feaae6e0 ffff8000`00000000 : nt!KiDispatchException+0x186
ffffc98a`feaae500 fffff800`525ebc03 : 00000000`00000001 00000000`c86a8004 00000000`00000000 fffff800`5251be57 : nt!KiExceptionDispatch+0x12c
ffffc98a`feaae6e0 ffffd402`5236e222 : ffffd402`59452be0 ffffd402`5683d060 00000000`00000003 00000000`00000000 : nt!KiPageFault+0x443
ffffc98a`feaae870 ffffd402`59452be0 : ffffd402`5683d060 00000000`00000003 00000000`00000000 ffffd402`59452be0 : 0xffffd402`5236e222
ffffc98a`feaae878 ffffd402`5683d060 : 00000000`00000003 00000000`00000000 ffffd402`59452be0 ffff6910`0444b0dc : 0xffffd402`59452be0
ffffc98a`feaae880 00000000`00000003 : 00000000`00000000 ffffd402`59452be0 ffff6910`0444b0dc 00000000`00000001 : 0xffffd402`5683d060
ffffc98a`feaae888 00000000`00000000 : ffffd402`59452be0 ffff6910`0444b0dc 00000000`00000001 ffffd402`55b20de8 : 0x3

SYMBOL_NAME:  nt!KiSystemServiceHandler+7c


IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .thread ; .cxr ; kb


FAILURE_BUCKET_ID:  0x3B_c0000005_nt!KiSystemServiceHandler

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release


OSNAME:  Windows 10

FAILURE_ID_HASH:  {d011f1c6-81ea-e5f8-2759-49ec2e253107}

Followup:     MachineOwner

1: kd> u 0xffffd402`59452be0
ffffd402`59452be0 0500d80000      add     eax,0D800h
ffffd402`59452be5 0000            add     byte ptr [rax],al
ffffd402`59452be7 0060d0          add     byte ptr [rax-30h],ah
ffffd402`59452bea 835602d4        adc     dword ptr [rsi+2],0FFFFFFD4h
ffffd402`59452bee ff              ???
ffffd402`59452bef ff00            inc     dword ptr [rax]
ffffd402`59452bf1 0000            add     byte ptr [rax],al
ffffd402`59452bf3 0000            add     byte ptr [rax],al
1: kd> u ffffd4025236e222
ffffd402`5236e222 8b06            mov     eax,dword ptr [rsi]
ffffd402`5236e224 4881c604000000  add     rsi,4
ffffd402`5236e22b 41f7c2e1738f21  test    r10d,218F73E1h
ffffd402`5236e232 4133c1          xor     eax,r9d
ffffd402`5236e235 4184db          test    r11b,bl
ffffd402`5236e238 41f7c5022c9927  test    r13d,27992C02h
ffffd402`5236e23f f9              stc
ffffd402`5236e240 05de4cd507      add     eax,7D54CDEh

Does VMProtect access the driver object or registry path in the entry point? If so, can I somehow disable that? If not, what can the problem be? I have a suspicion it might be my import handling, but the imports are resolved just fine on pretty complex drivers.
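As an added triage aid (not code from the post, from kdmapper or from VMProtect), the following Python script pulls the bugcheck arguments, the context registers and the faulting memory operand out of the `!analyze -v` text above and classifies the fault by address range: the first thing to check in a 0x3B/c0000005 dump is which half of the address space the faulting kernel code tried to read. The canonical address-range constants and the image-base heuristic are assumptions spelled out in the comments, not facts stated in the thread.

```python
import re

# Excerpt of the WinDbg output quoted in the post above: just the lines the triage reads.
DUMP = """\
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: ffffd4025236e222, Address of the instruction which caused the bugcheck
rdx=0000000000000000 rsi=00000001401fa5b7 rdi=ffffd4025236e215
rip=ffffd4025236e222 rsp=ffffc98afeaae870 rbp=ffffc98afeaaeb80
ffffd402`5236e222 8b06            mov     eax,dword ptr [rsi] ds:002b:00000001`401fa5b7=????????
"""

USER_VA_MAX = 0x00007FFFFFFFFFFF      # top of the canonical user half on x64 Windows
KERNEL_VA_MIN = 0xFFFF800000000000    # bottom of the canonical kernel half
DEFAULT_X64_IMAGE_BASE = 0x140000000  # MSVC linker default for x64 images; used only as a heuristic

def parse_bugcheck_args(text):
    """Map N -> value for the 'ArgN: <hex>,' lines printed by !analyze -v."""
    return {int(n): int(v, 16) for n, v in re.findall(r"^Arg(\d): ([0-9a-f]{16}),", text, re.M)}

def parse_registers(text):
    """Map register name -> value for the 64-bit registers in the .cxr context dump."""
    return {r: int(v, 16) for r, v in re.findall(r"\b([a-z]{3}|r\d{1,2})=([0-9a-f]{16})\b", text)}

def parse_faulting_access(text):
    """Return (rip, operand address) from the annotated disassembly line 'addr bytes mnem ops ds:sel:target='."""
    m = re.search(r"^([0-9a-f]{8})`([0-9a-f]{8}) [0-9a-f]+\s+\w+\s+.*?ds:[0-9a-f]{4}:([0-9a-f]{8})`([0-9a-f]{8})=",
                  text, re.M)
    return int(m.group(1) + m.group(2), 16), int(m.group(3) + m.group(4), 16)

def va_range(addr):
    """Classify a virtual address by x64 canonical halves."""
    return "user" if addr <= USER_VA_MAX else "kernel" if addr >= KERNEL_VA_MIN else "non-canonical"

def triage(text):
    """Summarise a 0x3B/c0000005 dump: where the faulting code ran and what it tried to touch."""
    args, regs = parse_bugcheck_args(text), parse_registers(text)
    rip, target = parse_faulting_access(text)
    return {
        "exception_code": args[1],
        "rip_matches_arg2": args[2] == rip,      # context and bugcheck args should agree
        "rip_range": va_range(rip),              # 'kernel': the mapped driver's code was running
        "target": target,
        "target_range": va_range(target),        # 'user': kernel code read a user-half address
        "source_register": [r for r, v in regs.items() if v == target],
        # Heuristic: a kernel read just above the default image base usually means a pointer
        # was taken from an image that was never rebased, i.e. relocations were not applied.
        "looks_unrelocated": DEFAULT_X64_IMAGE_BASE <= target < DEFAULT_X64_IMAGE_BASE + 0x10000000,
    }
```

On the dump above this reports kernel code at rip reading a user-half address held in rsi; the same parsing works on any x64 `!analyze -v` output that includes the `.cxr` context and the annotated faulting instruction.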


Re: Crash when trying to manual map protected driver

Postby Admin » Sat Jun 13, 2020 5:12 am

It seems that your code for manual mapping has a bug.