Manual Mapped Driver Crashes

Posted: Thu Mar 16, 2017 12:48 pm
by Bennet
Hey there,
I'm using VMP to Protect a Driver I manually map into System Space from another Driver.

The Protected Driver is Protected like this:
Protected Functions:
DriverEntry: Ultra + Not Locked to License
Memory Protection: No
Import Protection: No
Pack the Output File: No
Debugger: No
Virtualization Tools: No
Taggant: No
Strip Debug Information: Yes
Strip Reloc.: No (It's disabled anyway)

1.) I check the DOS Header for the DOS Signature and the NT Header for the NT Signature, both Tests are Okay
2.) I allocate a Memory Page with MmAllocatePagesForMdl, Size: Size of the Image
3.) I unprotect the whole MDL with PAGE_EXECUTE_READWRITE
4.) I write Fileheader into the Allocated Memory region
5.) I write every section to their position (ImageData + Section[n]->PointerToRawData gets Written to MappedArea + Section[n]->VirtualAddress)
6.) I patch the Relocations from the Relocations Data Directory
7.) I map the IAT from the Image
8.) I use RtlInsertInvertedFunctionTable to insert the Image Base with the Image Size to the PsInvertedFunctionTable
9.) I init the Security Cookie in the Mapped Driver with the Correct Algorithm
10.) I find the AddressOfEntryPoint from lpNtHeaders->OptionalHeader.AddressOfEntryPoint and Call(Without any Arguments)
11.) Here is when the Bluescreen happens, Bugcheck:

Code:

Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000f23f26c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000f23f2618, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

EXCEPTION_RECORD:  ffffd000f23f2618 -- (.exr 0xffffd000f23f2618)
ExceptionAddress: fffff803ce368a96 (nt! ?? ::FNODOBFM::`string'+0x0000000000007be6)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

Callstack of the Crash:

Code:

ffffd000`f23f1be8 fffff803`ce3e50ba : 00000000`00000000 00000000`00000000 ffffd000`f23f1d50 fffff803`ce22a06c : nt!DbgBreakPointWithStatus
ffffd000`f23f1bf0 fffff803`ce3e49cb : 00000000`00000003 00000000`00000003 fffff803`ce35e980 00000000`00000139 : nt!KiBugCheckDebugBreak+0x12
ffffd000`f23f1c50 fffff803`ce350aa4 : ffffe001`cdfe7080 ffffe001`cf0f9638 ffffe001`cdfe61d0 00000000`00000000 : nt!KeBugCheck2+0x8ab
ffffd000`f23f2360 fffff803`ce35c4e9 : 00000000`00000139 00000000`00000003 ffffd000`f23f26c0 ffffd000`f23f2618 : nt!KeBugCheckEx+0x104
ffffd000`f23f23a0 fffff803`ce35c810 : 00000000`00000000 00000000`00000000 fffff960`003dcbf0 fffff901`4010f4dc : nt!KiBugCheckDispatch+0x69
ffffd000`f23f24e0 fffff803`ce35ba34 : fffff901`4010f458 fffff901`4010f4dc 000073d4`000000f0 fffff960`0038b170 : nt!KiFastFailDispatch+0xd0
ffffd000`f23f26c0 fffff803`ce368a96 : ffffe001`cdfe7080 ffffe001`cdfe71c0 fffff803`ce26487d ffffd000`f23f29c0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`f23f2850 fffff803`ce230f43 : 00000000`00000001 00000000`00000003 00000000`00000000 fffff901`4010e010 : nt! ?? ::FNODOBFM::`string'+0x7be6
ffffd000`f23f28d0 fffff960`00056506 : fffff901`00000003 ffffe001`cdea9ad0 fffff901`4010e010 fffff960`0000000d : nt!KeWaitForMultipleObjects+0x403
ffffd000`f23f2990 fffff901`00000003 : ffffe001`cdea9ad0 fffff901`4010e010 fffff960`0000000d fffff960`00000001 : 0xfffff960`00056506
ffffd000`f23f2998 ffffe001`cdea9ad0 : fffff901`4010e010 fffff960`0000000d fffff960`00000001 ffffd000`00000000 : 0xfffff901`00000003
ffffd000`f23f29a0 fffff901`4010e010 : fffff960`0000000d fffff960`00000001 ffffd000`00000000 00000000`00000000 : 0xffffe001`cdea9ad0
ffffd000`f23f29a8 fffff960`0000000d : fffff960`00000001 ffffd000`00000000 00000000`00000000 ffffe001`cdfe71c0 : 0xfffff901`4010e010
ffffd000`f23f29b0 fffff960`00000001 : ffffd000`00000000 00000000`00000000 ffffe001`cdfe71c0 fffff901`4010d750 : 0xfffff960`0000000d
ffffd000`f23f29b8 ffffd000`00000000 : 00000000`00000000 ffffe001`cdfe71c0 fffff901`4010d750 fffff901`4010e010 : 0xfffff960`00000001
ffffd000`f23f29c0 00000000`00000000 : ffffe001`cdfe71c0 fffff901`4010d750 fffff901`4010e010 ffffe001`cdea9ad0 : 0xffffd000`00000000

I am not sure if the BugCheck is related to Patchguard (because of the "KERNEL_SECURITY_CHECK_FAILURE"), because it seems like KiRaiseSecurityCheckFailure gets called from the Mapped Module.

Does VMP use KiRaiseSecurityCheckFailure to exit if a Security Check fails?

Yours Sincerely,

Re: Manual Mapped Driver Crashes

Posted: Mon Mar 20, 2017 2:58 pm
by Admin
VMprotect doesn't use KiRaiseSecurityCheckFailure

Re: Manual Mapped Driver Crashes

Posted: Mon Apr 10, 2017 11:31 pm
by bangaladore
> I unprotect the whole MDL with PAGE_EXECUTE_READWRITE

At least with manually mapped DLLs, you cannot do this. Correct me if I am wrong, but before transferring context to the real entry point VMProtect validates the protections of each section.
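The header checks Bennet lists in step 1, the header/section copy of steps 4 and 5, and bangaladore's point about per-section protections, worked through as an added example. This is not code from the thread or from VMProtect: it runs in user mode against a PE32+ image that is constructed inside the file, the constants named after winnt.h are copied values so it builds without the Windows SDK, and the type and function names (pe_info, pe_validate, pe_map_image, section_page_protection, build_sample_image) are this example's own.

```c
/* Added example (not code from the post or from VMProtect): PE64 header validation,
 * per-section page-protection derivation and a user-mode image layout. Constants mirror
 * winnt.h values; the sample image is constructed for the demo and is not a real driver. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_READ    0x40000000u
#define SCN_MEM_WRITE   0x80000000u
enum { DOS_MAGIC = 0x5A4D, NT_SIGNATURE = 0x4550, OPT_MAGIC_PE64 = 0x020B, MAX_SECTIONS = 16 };
enum { PAGE_NOACCESS = 0x01, PAGE_READONLY = 0x02, PAGE_READWRITE = 0x04,
       PAGE_EXECUTE = 0x10, PAGE_EXECUTE_READ = 0x20, PAGE_EXECUTE_READWRITE = 0x40 };

typedef struct { char name[9]; uint32_t vsize, va, raw_size, raw_ptr, characteristics; } pe_section;
typedef struct {
    uint16_t nsections; uint32_t entry_rva, size_of_image, size_of_headers;
    pe_section sec[MAX_SECTIONS];
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
/* PAGE_* protection a loader should give a section, from its IMAGE_SCN_MEM_* bits. Blanketing the
 * whole image with PAGE_EXECUTE_READWRITE (step 3 of the post) instead leaves .data executable and
 * .text writable, the kind of per-section mismatch bangaladore's reply refers to. */
uint32_t section_page_protection(uint32_t ch) {
    int r = !!(ch & SCN_MEM_READ), w = !!(ch & SCN_MEM_WRITE), x = !!(ch & SCN_MEM_EXECUTE);
    if (x) return w ? PAGE_EXECUTE_READWRITE : r ? PAGE_EXECUTE_READ : PAGE_EXECUTE;
    return w ? PAGE_READWRITE : r ? PAGE_READONLY : PAGE_NOACCESS;
}

/* Header checks before anything is copied: 0 on success, a negative code naming the failed check. */
int pe_validate(const uint8_t *img, size_t len, pe_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 0x40 || rd16(img) != DOS_MAGIC) return -1;                 /* DOS signature */
    uint32_t nt = rd32(img + 0x3C);
    if (nt > len || len - nt < 4 + 20 + 240) return -2;                  /* room for NT headers */
    if (rd32(img + nt) != NT_SIGNATURE) return -3;                       /* NT signature */
    const uint8_t *fh = img + nt + 4, *oh = fh + 20;
    uint16_t opt_size = rd16(fh + 16);
    if (rd16(oh) != OPT_MAGIC_PE64 || opt_size < 240) return -4;         /* PE32+ optional header */
    out->nsections = rd16(fh + 2);
    out->entry_rva = rd32(oh + 16); out->size_of_image = rd32(oh + 56); out->size_of_headers = rd32(oh + 60);
    if (out->entry_rva >= out->size_of_image || out->size_of_headers > len) return -5;
    size_t sec_off = (size_t)nt + 4 + 20 + opt_size;
    if (out->nsections > MAX_SECTIONS || sec_off > len || (len - sec_off) / 40 < out->nsections) return -6;
    for (unsigned i = 0; i < out->nsections; i++) {
        const uint8_t *s = img + sec_off + (size_t)i * 40;
        pe_section *d = &out->sec[i];
        memcpy(d->name, s, 8);
        d->vsize = rd32(s + 8); d->va = rd32(s + 12); d->raw_size = rd32(s + 16); d->raw_ptr = rd32(s + 20);
        d->characteristics = rd32(s + 36);
        uint64_t span = d->vsize > d->raw_size ? d->vsize : d->raw_size;
        if ((uint64_t)d->va + span > out->size_of_image) return -7;     /* section spills past the image */
        if ((uint64_t)d->raw_ptr + d->raw_size > len) return -8;        /* raw data lies past the file */
    }
    return 0;
}

/* Steps 4 and 5 of the post in an ordinary buffer: headers first, then each section at its VA. */
int pe_map_image(const uint8_t *img, const pe_info *info, uint8_t *dst, size_t dst_len) {
    if (dst_len < info->size_of_image) return -1;
    memset(dst, 0, info->size_of_image);                 /* uninitialised tails stay zero */
    memcpy(dst, img, info->size_of_headers);
    for (unsigned i = 0; i < info->nsections; i++)
        memcpy(dst + info->sec[i].va, img + info->sec[i].raw_ptr, info->sec[i].raw_size);
    return 0;
}

/* Constructed sample: a PE32+ file with a .text section (RX, one `ret`) and a .data section (RW). */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    const uint32_t nt = 0x40, opt = nt + 24, sec = opt + 240;
    if (cap < 0x600) return 0;
    memset(buf, 0, 0x600);
    wr16(buf, DOS_MAGIC); wr32(buf + 0x3C, nt); wr32(buf + nt, NT_SIGNATURE);
    wr16(buf + nt + 6, 2); wr16(buf + nt + 20, 240);                     /* NumberOfSections, SizeOfOptionalHeader */
    wr16(buf + opt, OPT_MAGIC_PE64); wr32(buf + opt + 16, 0x1000);       /* Magic, AddressOfEntryPoint */
    wr32(buf + opt + 32, 0x1000); wr32(buf + opt + 36, 0x200);           /* SectionAlignment, FileAlignment */
    wr32(buf + opt + 56, 0x3000); wr32(buf + opt + 60, 0x200);           /* SizeOfImage, SizeOfHeaders */
    memcpy(buf + sec, ".text", 5); wr32(buf + sec + 8, 0x200); wr32(buf + sec + 12, 0x1000);
    wr32(buf + sec + 16, 0x200); wr32(buf + sec + 20, 0x200); wr32(buf + sec + 36, 0x20u | SCN_MEM_READ | SCN_MEM_EXECUTE);
    memcpy(buf + sec + 40, ".data", 5); wr32(buf + sec + 48, 0x200); wr32(buf + sec + 52, 0x2000);
    wr32(buf + sec + 56, 0x200); wr32(buf + sec + 60, 0x400); wr32(buf + sec + 76, 0x40u | SCN_MEM_READ | SCN_MEM_WRITE);
    buf[0x200] = 0xC3; buf[0x400] = 0x42;   /* ret at the entry point; marker byte in .data */
    return 0x600;
}

int main(void) {
    static uint8_t file[0x600], mem[0x3000];
    pe_info info; size_t n = build_sample_image(file, sizeof file);
    int rc = pe_validate(file, n, &info);
    if (rc != 0 || pe_map_image(file, &info, mem, sizeof mem) != 0) { printf("rejected: %d\n", rc); return 1; }
    for (unsigned i = 0; i < info.nsections; i++)
        printf("%-8s va=%#07x size=%#07x prot=%#04x\n", info.sec[i].name, info.sec[i].va,
               info.sec[i].vsize, section_page_protection(info.sec[i].characteristics));
    return 0;
}
```

pe_validate refuses an image whose section table would place data outside SizeOfImage or read past the end of the file, which is the kind of input that otherwise turns into a silent out-of-bounds copy in step 5; section_page_protection is the per-section answer to step 3, giving .text PAGE_EXECUTE_READ and .data PAGE_READWRITE instead of one blanket protection over the whole image.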