Bug Check in hooking NtProtectVirtualMemory & NtMapViewOfSection #13
Comments
It seems that the BSOD is caused only if the OS boots in non-kernel-debug mode.
Hey, can you share any of that information? Or the stack trace on the bug check.
Also, please check if DriverVerifier is applied to any drivers.
@tandasat Okay, these files have been uploaded to Microsoft OneDrive: https://1drv.ms/f/s!ApQpgQkWR0QOi7g5IXa7c0agVIFEYw
I just modified the ddi_mon.cpp file by adding some functions about SSDT and 2 entries for the g_ddimonp_hook_targets array. The stack trace on the bug check is:
Thank you!
I have set none of the drivers into DriverVerifier before; it keeps the default configuration.
Thank you for collecting files. I have downloaded them. I will find time to look into it.
tandasat/HyperPlatform#4
It’s true that HyperPlatform is not compatible with DriverVerifier but the issue is unrelated to DriverVerifier if I understand this correctly.
@leeqwind Sorry for taking a very long time. I had a chance to touch DdiMon code recently and tried to reproduce the issue by running DdiMon with the patch on two Win7 VMs for some time. However, I have not been unable to see the issue. A few things to ask you:
The uploaded dump file shows that all registers (including CR3 and segment selectors) are all zero. I cannot think of how this could happen if the dump file is not broken (indeed the file looks valid). My suspicion is that you hit some VMware bug related to nested virtualization.
I close this since it has been 3 weeks without update. Please re-open the issue if it is still relevant.
Hey! I met a bug check (DRIVER_VERIFIER_DETECTED_VIOLATION) when hooking NtProtectVirtualMemory & NtMapViewOfSection APIs. I tested it in Windows 7 SP1 x64, and hooked NtProtectVirtualMemory by its SSDT index (77) hardcoded in the source code. It didn't cause BSOD at once, but several minutes later, it happened.
It won't cause BSOD either if I hook any of them alone. I don't know if there are some other APIs that can result in such a condition.