hfiref0x/KDU

Critical Structure Corruption BSOD

nekohan69 opened this issue · 4 comments

I have some questions,

  1. Do I need to run '-dse 0' after using '-dse 6'?
  2. Does CRITICAL_STRUCTURE_CORRUPTION BSOD have todo with KDU?
  3. Do I have to do anything after using KDU, like revert back something?

I don't know how or why my PC just gets a BSOD sometimes, even after I restarted my PC; it happens after I use '-dse 6' and '-map driver.sys' on KDU.

https://github.com/hfiref0x/KDU#disclaimer

This tool assumes you know what you do. Your BSOD is caused by your actions, it has nothing to do with KDU. You decided to corrupt kernel data - here it is, you corrupted it. Changing code integrity options is not Patchguard friendly. And I don't know what this "driver.sys" is, what it does and why you load it.

You don't need to disable DSE to map drivers. This doesn't make any sense. Turning it off and then mapping drivers are completely unrelated to each other; the -map command doesn't rely on the Windows loader, thus it doesn't trigger code integrity checks at all (unless you somehow ruined everything by compiling the driver with conflicting settings).

Additionally your command sequence

-dse 6
-map driver.sys

doesn't make any sense. The first command actually turns ON code integrity checks, because it includes the code integrity enable option flag, and then you run the map command, which doesn't rely on Windows code integrity at all.

If you want to load your "driverless" driver (specially designed to be compatible with in-memory mapping) then just use the -map command.

If you want to load your "normal" driver (which doesn't have a valid digital signature) then turn off DSE with the -dse 0 command, load your driver normally through API or SCM, and then restore your DSE state with the -dse original_CI_state_value command, where original_CI_state_value is what the CI state was before you nullified it. It may be 6 but can be anything else, depending on what your system configuration is.

When you use the -dse command it prints the previous value on screen (except when the -dse command is used with the CheatEngine provider, which doesn't print the previous value) before writing the new one, thus if you want to restore the original value you need to use exactly this value.

[+] DSE flags (0xFFFFF80180E393B8) value: 6, new value to be written: 0, use 6 to restore
[+] DSE flags (0xFFFFF80180E393B8) value: 1, new value to be written: 0, use 1 to restore, etc

So I just need to run -dse 0 or -dse original_CI_state_value? But how do I check my "original_CI_state_value"?

When you use the -dse command it prints the previous value on screen (except when the -dse command is used with the CheatEngine provider, which doesn't print the previous value) before writing the new one, thus if you want to restore the original value you need to use exactly this value.

Just figured it out, thanks!