can1357/ByePg

Any solution for kernel memory protected by PG?

karaba5 opened this issue · 5 comments

Hello, is it possible to avoid a BSOD when you want to read/write memory protected (by PG) of loaded modules like 'win32k.sys' or 'win32kbase.sys' via hooking the exception table, like in your solution ByePg?

If yes, can you tell what ExceptionCode is needed to 'hook'? Or just share some code example for this.

Your example 'ExHook' looks closer to this solution, but it BSODs for me on 1903-1909.

Thanks for your attention anyway.

Depends on what you are trying to hook really. ExHook works fine for me on 1903, could you check the crash dump?

Hello, for me there is no BSOD if I remove this line: https://github.com/can1357/ByePg/blob/master/ExHook/main.cpp#L126

"Depends on what you are trying to hook really": yes, I don't know what I need to hook to prevent a BSOD if I try to read/write memory of the win32kbase.sys image. (I just try to read 8 bytes at the ImageBase, to test whether it BSODs or not.)

This is my crash dump when I try to read memory [just a simple memcpy(buffer, (PVOID)module_base, 8);] of the win32kbase.sys image:

PAGE_FAULT_IN_NONPAGED_AREA (50)

Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff8bc67adb0000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: ffffd500642af469, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)

--

STACK_TEXT:
ffffd303db9cd6f8 fffff8001f1e35d6 : 0000000000000050 ffff8bc67adb0000 0000000000000000 ffffd303db9cd9a0 : nt!KeBugCheckEx
ffffd303db9cd700 fffff8001f072eef : 0000000000000000 0000000000000000 0000000000000000 ffff8bc67adb0000 : nt!MiSystemFault+0x1d6866
ffffd303db9cd800 fffff8001f1cf520 : 0000000000000f4d 0000000000000000 00000000000001ad 000000000000c5c0 : nt!MmAccessFault+0x34f
ffffd303db9cd9a0 ffffd500642af469 : 0000000000000008 0000000000000000 000000000000000f fffff8001f00bbcb : nt!KiPageFault+0x360
ffffd303db9cdb30 0000000000000008 : 0000000000000000 000000000000000f fffff8001f00bbcb 0000008d0000c5c0 : 0xffffd500642af469
ffffd303db9cdb38 0000000000000000 : 000000000000000f fffff8001f00bbcb 0000008d0000c5c0 ffffab88`a9bc0000 : 0x8

FAILURE_BUCKET_ID: AV_R_INVALID_IMAGE_win32kbase.sys

BUCKET_ID: AV_R_INVALID_IMAGE_win32kbase.sys

PRIMARY_PROBLEM_CLASS: AV_R_INVALID_IMAGE_win32kbase.sys

Attach to csrss.exe before reading, win32k is only mapped for processes that belong to a valid session.
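The attach step described in the reply above, as an added example (not ByePg's or the project's own code): a Windows kernel-mode C fragment that locates csrss.exe, attaches to it with KeStackAttachProcess so that the session-space mapping of win32kbase.sys becomes visible, and copies a few bytes from the image base. Assumptions: the caller has already resolved the module base by some other means (that lookup is not shown), csrss.exe is used as the session process, and PsGetProcessImageFileName, an exported but undocumented ntoskrnl routine, is used to find it by name.

```c
/* Added example: Windows kernel-mode driver code (build with the WDK).
 * Not ByePg's code. Demonstrates the advice above: win32k*.sys lives in
 * session space, which is only mapped while running in the context of a
 * process that belongs to a session, so attach to csrss.exe before reading.
 * Reading from a context without a session (e.g. a system thread) faults
 * with bugcheck 0x50, which __try/__except cannot catch. */
#include <ntddk.h>

/* Exported by ntoskrnl but undocumented (assumption: present on 1903/1909).
 * Returns the first 15 characters of the process image file name. */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

/* Returns a referenced EPROCESS for the first process whose image name
 * matches, or NULL. The caller must ObDereferenceObject() the result. */
static PEPROCESS FindProcessByImageName(const char *ImageName)
{
    for (ULONG_PTR pid = 4; pid < 0x20000; pid += 4) {
        PEPROCESS process;
        if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)pid, &process)))
            continue;
        if (_stricmp(PsGetProcessImageFileName(process), ImageName) == 0)
            return process;
        ObDereferenceObject(process);
    }
    return NULL;
}

/* Copies Size bytes from a session-space address (e.g. the base of
 * win32kbase.sys) into Out while attached to csrss.exe. Call at PASSIVE_LEVEL. */
NTSTATUS ReadSessionSpace(PVOID Address, SIZE_T Size, PVOID Out)
{
    if (Address == NULL || Out == NULL || Size == 0)
        return STATUS_INVALID_PARAMETER;

    PEPROCESS csrss = FindProcessByImageName("csrss.exe");
    if (csrss == NULL)
        return STATUS_NOT_FOUND;

    KAPC_STATE apcState;
    NTSTATUS status = STATUS_SUCCESS;

    /* Switch address space: from here on the session's win32k images are mapped. */
    KeStackAttachProcess(csrss, &apcState);

    /* Best-effort check of the first and last page. MmIsAddressValid is racy
     * in general, but a loaded image base stays mapped while the image is loaded. */
    PUCHAR first = (PUCHAR)Address;
    PUCHAR last  = (PUCHAR)Address + Size - 1;
    if (!MmIsAddressValid(first) || !MmIsAddressValid(last))
        status = STATUS_ACCESS_VIOLATION;
    else
        RtlCopyMemory(Out, Address, Size);

    KeUnstackDetachProcess(&apcState);
    ObDereferenceObject(csrss);
    return status;
}

/* Usage, e.g. from DriverEntry. Win32kBaseAddress is assumed to have been
 * resolved already (for example from the loaded-module list); that lookup is
 * not part of this example. A PE image starts with the "MZ" signature. */
NTSTATUS ReadWin32kHeader(PVOID Win32kBaseAddress)
{
    UCHAR header[8] = { 0 };
    NTSTATUS status = ReadSessionSpace(Win32kBaseAddress, sizeof(header), header);
    if (NT_SUCCESS(status) && header[0] == 'M' && header[1] == 'Z')
        DbgPrint("win32kbase.sys header: %02X %02X %02X %02X ...\n",
                 header[0], header[1], header[2], header[3]);
    else
        DbgPrint("win32kbase.sys read failed: 0x%08X\n", status);
    return status;
}
```

The attach is only needed when the reading thread has no session context of its own; a request arriving via an IOCTL from a process that belongs to a session already runs with that session's address space. Note that this only covers reading: the attach does nothing about PatchGuard's integrity checks over the image, which is the separate problem raised later in this thread.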

> Attach to csrss.exe before reading, win32k is only mapped for processes that belong to a valid session.

Thanks, this helped!

If I try to modify the win32k image (place a hook at some function) or disable DSE (via modification of CI.dll), I get a BSOD after some time with the error CRITICAL_STRUCTURE_CORRUPTION.

Is it possible to hook the exception for this code via ByePg? If in FixInfinityHook I change KERNEL_SECURITY_CHECK_FAILURE to CRITICAL_STRUCTURE_CORRUPTION, will it bring some positive result?

hzqst commented

> > Attach to csrss.exe before reading, win32k is only mapped for processes that belong to a valid session.
>
> Thanks, this helped!
>
> If I try to modify the win32k image (place a hook at some function) or disable DSE (via modification of CI.dll), I get a BSOD after some time with the error CRITICAL_STRUCTURE_CORRUPTION.
>
> Is it possible to hook the exception for this code via ByePg? If in FixInfinityHook I change KERNEL_SECURITY_CHECK_FAILURE to CRITICAL_STRUCTURE_CORRUPTION, will it bring some positive result?

No, you cannot modify a protected RX page with only ByePg; you will have to add a little trick to the PatchGuard pages to block PatchGuard execution.