mrexodia/TitanHide

FindCaveAddress bug

Kwansy98 opened this issue · 2 comments

Not all memory of ntoskrnl.exe is readable; maybe use MmIsAddressValid to verify before reading. My test Win10 VM kernel version is 10.0.19041.1741.


// bug fix simple way
if (!MmIsAddressValid(Code + i))
{
	j = 0;
	continue;
}

How is it a bug in TitanHide if another driver copies a function and then calls this function with an invalid address?

I didn't read the previous code carefully; the range is the section of NtFunction (which is always readable) instead of the whole ntoskrnl.exe. My mistake :(