mrexodia/TitanHide

BSOD after unload driver when verifier enabled

lynnux opened this issue · 3 comments

I used the code for the SSDT hook in my project; I get a BSOD after unloading the driver when the verifier is enabled.
windbg !analyze -v shows:

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000060, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: 00000000, paged bytes
Arg3: 00000288, nonpaged bytes,
Arg4: 00000012, total # of (paged+nonpaged) allocations that weren't freed.
To get the name of the driver at fault, type
dp ViBadDriver l1; dS @$p
Then type !verifier 3 drivername.sys for info on the allocations
that were leaked that caused the bugcheck.

!verifier 3 xxx.sys shows:

0x831d4fd8 0x00000024 EDIH 0xbaa30155 xxx!RtlAllocateMemory

It seems that on x86, SSDT::Hook called RtlAllocateMemory, but SSDT::Unhook forgot to free it. The x64 version using Hooklib::Hook and Hooklib::Unhook seems OK (I've not tested the x64 version).

Maybe it can be fixed by this:

     if(free)
         Hooklib::Unhook(hHook, true);
 #else
-    UNREFERENCED_PARAMETER(free);
+    if (free)
+        RtlFreeMemory(hHook);
 #endif
 }
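Review bot: the new x86 branch only releases the record, so confirm that the original SSDT entry has already been restored from hHook before this point and that nothing after it reads hHook, since RtlFreeMemory(hHook) leaves the handle dangling and those surrounding lines are not part of the diff. The !verifier 3 output above attributes the leaked 0x24-byte block (tag EDIH) to RtlAllocateMemory, so RtlFreeMemory is the matching release; callers should also reset their HOOK variable after an Unhook with free=true so a later Unhook or a call through ->SSDTaddress cannot touch freed pool.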

Thanks, I added a fix, could you try it again?

@mrexodia, a little improvement:
Since the project uses VS 2013 to compile, the code can use C++11. Many Nt* functions do not need a declaration in undocumented.h/cpp, for example:

static HOOK hNtSetContextThread = 0; // set by SSDT::Hook; holds the original SSDTaddress
NTSTATUS NTAPI HookNtSetContextThread(IN HANDLE ThreadHandle, IN PCONTEXT ThreadContext)
{
    // C++11 decltype yields the hook's own function type, so the original entry
    // can be called through it without a separate prototype in undocumented.h
    return ((decltype(HookNtSetContextThread)*)(hNtSetContextThread->SSDTaddress))(ThreadHandle, ThreadContext);
}
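As an added user-mode model of the hook lifecycle discussed in this issue (a constructed example, not TitanHide's code): a fake table stands in for the SSDT, a live-allocation counter plays the role of Driver Verifier's leaked-pool check from the bugcheck above, the leaky and fixed unhook paths sit side by side, and the hook forwards to the original through the decltype cast from the last comment. HOOKSTRUCT, Hook, UnhookLeaky/UnhookFixed, SimulateLoadUnload and the Rtl* wrappers are simplified stand-ins, not the project's real signatures.

```cpp
#include <cstddef>
#include <new>
typedef long NTSTATUS; typedef void* HANDLE;
typedef struct { int flags; } CONTEXT, *PCONTEXT;
struct HOOKSTRUCT { int SSDTindex; void* SSDTaddress; };  // patched slot + original entry
typedef HOOKSTRUCT* HOOK;

static void* g_ssdt[2];             // constructed stand-in for the SSDT
static int   g_liveAllocations = 0; // plays Driver Verifier's pool-leak counter
static void* RtlAllocateMemory(size_t size) { ++g_liveAllocations; return ::operator new(size); }
static void  RtlFreeMemory(void* p)         { --g_liveAllocations; ::operator delete(p); }

static HOOK Hook(int index, void* hookAddress)
{
    HOOK h = (HOOK)RtlAllocateMemory(sizeof(HOOKSTRUCT));
    h->SSDTindex   = index;
    h->SSDTaddress = g_ssdt[index];
    g_ssdt[index]  = hookAddress;   // patch the table entry
    return h;
}

// x86 path as reported: the entry is restored but the record is never freed.
static void UnhookLeaky(HOOK hHook, bool) { g_ssdt[hHook->SSDTindex] = hHook->SSDTaddress; }

// Fixed path: restore first (the record is still read), then release it.
static void UnhookFixed(HOOK hHook, bool free)
{
    g_ssdt[hHook->SSDTindex] = hHook->SSDTaddress;
    if (free)
        RtlFreeMemory(hHook);
}

static NTSTATUS OrigNtSetContextThread(HANDLE, PCONTEXT) { return 7; }
static HOOK hNtSetContextThread = 0;
// decltype call-through from the last comment: no separate Nt* prototype needed.
static NTSTATUS HookNtSetContextThread(HANDLE ThreadHandle, PCONTEXT ThreadContext)
{
    return ((decltype(HookNtSetContextThread)*)(hNtSetContextThread->SSDTaddress))(ThreadHandle, ThreadContext);
}

// Hook, dispatch once through the table, unhook; return allocations this cycle left live.
int SimulateLoadUnload(bool useFixedUnhook)
{
    int before = g_liveAllocations;
    g_ssdt[0] = (void*)&OrigNtSetContextThread;
    hNtSetContextThread = Hook(0, (void*)&HookNtSetContextThread);
    if (((decltype(HookNtSetContextThread)*)g_ssdt[0])(0, 0) != 7) return -1; // hook did not forward
    if (useFixedUnhook) UnhookFixed(hNtSetContextThread, true);
    else                UnhookLeaky(hNtSetContextThread, true);
    hNtSetContextThread = 0;
    return g_liveAllocations - before;
}
```

SimulateLoadUnload(false) reports one leaked allocation per cycle, which is what the verifier counts in Arg4 at unload, while SimulateLoadUnload(true) reports none.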