[WIN10 20H2] PatchGuard BSOD analysis

狐白, last edited nearly 3 years ago
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel
code or data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
   or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
   debugger that was not attached when the system was booted. Normal breakpoints,
   "bp", can only be set if the debugger is attached at boot time. Hardware
   breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a39ff5d9d6d8d546, Reserved
Arg2: b3b70260295711ee, Reserved
Arg3: fffff8031261c540, Failure type dependent information
Arg4: 0000000000000000, Type of corrupted region, can be
    0   : A generic data region
    1   : Modification of a function or .pdata
    2   : A processor IDT
    3   : A processor GDT
    4   : Type 1 process list corruption
    5   : Type 2 process list corruption
    6   : Debug routine modification
    7   : Critical MSR modification
    8   : Object type
    9   : A processor IVT
    a   : Modification of a system service function
    b   : A generic session data region
    c   : Modification of a session function or .pdata
    d   : Modification of an import table
    e   : Modification of a session import table
    f   : Ps Win32 callout modification
    10  : Debug switch routine modification
    11  : IRP allocator modification
    12  : Driver call dispatcher modification
    13  : IRP completion dispatcher modification
    14  : IRP deallocator modification
    15  : A processor control register
    16  : Critical floating point control register modification
    17  : Local APIC modification
    18  : Kernel notification callout modification
    19  : Loaded module list modification
    1a  : Type 3 process list corruption
    1b  : Type 4 process list corruption
    1c  : Driver object corruption
    1d  : Executive callback object modification
    1e  : Modification of module padding
    1f  : Modification of a protected process
    20  : A generic data region
    21  : A page hash mismatch
    22  : A session page hash mismatch
    23  : Load config directory modification
    24  : Inverted function table modification
    25  : Session configuration modification
    26  : An extended processor control register
    27  : Type 1 pool corruption
    28  : Type 2 pool corruption
    29  : Type 3 pool corruption
    2a  : Type 4 pool corruption
    2b  : Modification of a function or .pdata
    2c  : Image integrity corruption
    2d  : Processor misconfiguration
    2e  : Type 5 process list corruption
    2f  : Process shadow corruption
    30  : Retpoline code page corruption
    101 : General pool corruption
    102 : Modification of win32k.sys

Debugging Details:
------------------

Analysis

Arg1: a39ff5d9d6d8d546, Reserved
Arg2: b3b70260295711ee, Reserved
Arg3: fffff8031261c540, Failure type dependent information
Arg4: 0000000000000000, Type of corrupted region, can be

Decoded data

Arg3 is the address at which PatchGuard detected the corruption. Arg1 and Arg2 look like random numbers, but they are actually the PG context (obfuscated):
Arg1: FFFFB6814510205E
Arg2: FFFFB6814511DDD9
Decoded, Arg1 is CmpAppendDllSection, the routine that decrypts the PG context, and Arg2 is the context structure itself.
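The decoding step above can be scripted for crash-dump triage. The following is an added example, not code from the original post: it parses the four `Arg` lines out of the `!analyze` text, recovers the two addresses, labels Arg4 with the region-type table printed above, and checks that the bytes at the recovered Arg1 are the unrolled XOR stub from the `CmpAppendDllSection` listing. The two 64-bit deltas are an assumption derived from this page (raw argument minus decoded address); the stub bytes are copied from the listing above.

```python
import re

# Deltas assumed here: subtracting the decoded addresses quoted on this page
# from the raw Arg1/Arg2 gives these two 64-bit values. Treat them as an
# assumption when applying the script to a different build.
ARG1_DELTA = 0xA3A03F5891C8B4E8
ARG2_DELTA = 0xB3B74BDEE4453415
MASK64 = (1 << 64) - 1

# Constructed input: the four argument lines from the bugcheck text above.
SAMPLE_ARGS = """\
Arg1: a39ff5d9d6d8d546, Reserved
Arg2: b3b70260295711ee, Reserved
Arg3: fffff8031261c540, Failure type dependent information
Arg4: 0000000000000000, Type of corrupted region, can be
"""

# A subset of the Arg4 region-type table printed by !analyze (see above).
REGION_TYPES = {
    0x00: "A generic data region",
    0x01: "Modification of a function or .pdata",
    0x02: "A processor IDT",
    0x03: "A processor GDT",
    0x06: "Debug routine modification",
    0x07: "Critical MSR modification",
    0x19: "Loaded module list modification",
    0x21: "A page hash mismatch",
    0x101: "General pool corruption",
    0x102: "Modification of win32k.sys",
}

# The 16-instruction XOR stub at CmpAppendDllSection, copied from the IDA
# listing above: "2E 48 31 11" then "48 31 51 disp8" for disp8 = 8..0x78.
DECRYPTOR_BYTES = bytes.fromhex(
    "2e483111 48315108 48315110 48315118 48315120 48315128 48315130 48315138"
    "48315140 48315148 48315150 48315158 48315160 48315168 48315170 48315178"
)

ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F]{16}),")


def parse_args(text: str) -> dict:
    """Pull Arg1..Arg4 out of the !analyze text as integers."""
    args = {}
    for line in text.splitlines():
        m = ARG_RE.match(line.strip())
        if m:
            args[int(m.group(1))] = int(m.group(2), 16)
    if sorted(args) != [1, 2, 3, 4]:
        raise ValueError("expected Arg1..Arg4 in the bugcheck text")
    return args


def is_kernel_va(va: int) -> bool:
    """Canonical upper-half x64 address, where ntoskrnl and the PG context live."""
    return va >= 0xFFFF800000000000


def decode_pg_args(args: dict) -> dict:
    """Undo the additive obfuscation of Arg1/Arg2 and label Arg3/Arg4."""
    decryptor = (args[1] - ARG1_DELTA) & MASK64
    context = (args[2] - ARG2_DELTA) & MASK64
    return {
        "decryptor": decryptor,   # expected: CmpAppendDllSection
        "context": context,       # expected: the PG context structure
        "target": args[3],        # the address PG found corrupted
        "region_type": REGION_TYPES.get(args[4], f"unknown (0x{args[4]:x})"),
        "plausible": is_kernel_va(decryptor) and is_kernel_va(context),
    }


def looks_like_xor_decryptor(code: bytes) -> bool:
    """True if `code` starts with the unrolled 16-qword XOR stub shown above."""
    if code[:4] != b"\x2e\x48\x31\x11":
        return False
    for n in range(1, 16):
        off = 4 * n
        if code[off:off + 4] != bytes([0x48, 0x31, 0x51, 8 * n]):
            return False
    return True


if __name__ == "__main__":
    decoded = decode_pg_args(parse_args(SAMPLE_ARGS))
    for k, v in decoded.items():
        if isinstance(v, int) and not isinstance(v, bool):
            print(f"{k:12}: {v:#018x}")
        else:
            print(f"{k:12}: {v}")
    print("Arg1 bytes match XOR stub:", looks_like_xor_decryptor(DECRYPTOR_BYTES))
```

The `plausible` flag is a cheap sanity check: if the subtraction yields something outside the canonical kernel range, the dump was produced by a build with different deltas and the rest of the decoding should not be trusted.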
INIT:0000000140A35190 CmpAppendDllSection proc near ; DATA XREF: .pdata:000000014012CBA0↑o
INIT:0000000140A35190                               ; sub_140A19EE4+2B77↑o
INIT:0000000140A35190             db 2Eh
INIT:0000000140A35190 2E 48 31 11 xor [rcx], rdx
INIT:0000000140A35194 48 31 51 08 xor [rcx+8], rdx
INIT:0000000140A35198 48 31 51 10 xor [rcx+10h], rdx
INIT:0000000140A3519C 48 31 51 18 xor [rcx+18h], rdx
INIT:0000000140A351A0 48 31 51 20 xor [rcx+20h], rdx
INIT:0000000140A351A4 48 31 51 28 xor [rcx+28h], rdx
INIT:0000000140A351A8 48 31 51 30 xor [rcx+30h], rdx
INIT:0000000140A351AC 48 31 51 38 xor [rcx+38h], rdx
INIT:0000000140A351B0 48 31 51 40 xor [rcx+40h], rdx
INIT:0000000140A351B4 48 31 51 48 xor [rcx+48h], rdx
INIT:0000000140A351B8 48 31 51 50 xor [rcx+50h], rdx
INIT:0000000140A351BC 48 31 51 58 xor [rcx+58h], rdx
INIT:0000000140A351C0 48 31 51 60 xor [rcx+60h], rdx
INIT:0000000140A351C4 48 31 51 68 xor [rcx+68h], rdx
INIT:0000000140A351C8 48 31 51 70 xor [rcx+70h], rdx
INIT:0000000140A351CC 48 31 51 78 xor [rcx+78h], rdx
0: kd> u FFFFB6814510205E
ffffb681`4510205e 2e483111 xor qword ptr cs:[rcx],rdx
ffffb681`45102062 48315108 xor qword ptr [rcx+8],rdx
ffffb681`45102066 48315110 xor qword ptr [rcx+10h],rdx
ffffb681`4510206a 48315118 xor qword ptr [rcx+18h],rdx
ffffb681`4510206e 48315120 xor qword ptr [rcx+20h],rdx
ffffb681`45102072 48315128 xor qword ptr [rcx+28h],rdx
ffffb681`45102076 48315130 xor qword ptr [rcx+30h],rdx
ffffb681`4510207a 48315138 xor qword ptr [rcx+38h],rdx

0: kd> dps FFFFB6814511DDD9 l200
ffffb681`4511ddd9 00000000`00000000
ffffb681`4511dde1 fffff803`1261c540 nt!KiDebugTrapOrFault
ffffb681`4511dde9 6fe2c0c3`000000ad
ffffb681`4511ddf1 00000000`00000001
ffffb681`4511ddf9 00000000`00000000
ffffb681`4511de01 00000000`00000000
ffffb681`4511de09 00000000`00000000
ffffb681`4511de11 fffff803`12623780 nt!KiExceptionDispatch
ffffb681`4511de19 68d3953c`00000327
ffffb681`4511de21 00000000`00000001
ffffb681`4511de29 00000000`00000000
ffffb681`4511de31 00000000`00000000
ffffb681`4511de39 00000000`00000000
ffffb681`4511de41 fffff803`126ad156 nt!KiDispatchException+0x166756
ffffb681`4511de49 6f8b5d09`000001cf
ffffb681`4511de51 00000000`00000001
ffffb681`4511de59 00000000`00000000
ffffb681`4511de61 00000000`00000000
ffffb681`4511de69 00000000`00000000
ffffb681`4511de71 fffff803`12546a00 nt!KiDispatchException
ffffb681`4511de79 5c8e8b4b`00000556
ffffb681`4511de81 00000000`00000001
ffffb681`4511de89 00000000`00000000
ffffb681`4511de91 00000000`00000000
ffffb681`4511de99 00000000`00000000
ffffb681`4511dea1 fffff803`126ad73c nt!RtlDispatchException+0x165a3c
ffffb681`4511dea9 332f7dd5`0000019e
ffffb681`4511deb1 00000000`00000001
ffffb681`4511deb9 00000000`00000000
ffffb681`4511dec1 00000000`00000000
ffffb681`4511dec9 00000000`00000000
ffffb681`4511ded1 fffff803`12547d00 nt!RtlDispatchException
ffffb681`4511ded9 433bf186`00000425
ffffb681`4511dee1 00000000`00000001
ffffb681`4511dee9 00000000`00000000
ffffb681`4511def1 00000000`00000000
ffffb681`4511def9 00000000`00000000
ffffb681`4511df01 fffff803`126118b0 nt!KeContextToKframes
ffffb681`4511df09 0a81ae44`000000ec
ffffb681`4511df11 00000000`00000001
ffffb681`4511df19 00000000`00000000
ffffb681`4511df21 00000000`00000000
ffffb681`4511df29 00000000`00000000
ffffb681`4511df31 fffff803`125f5630 nt!KiSwInterruptDispatch+0x1010
ffffb681`4511df39 7b49b0a9`0000020d
ffffb681`4511df41 00000000`00000001
ffffb681`4511df49 00000000`00000000
ffffb681`4511df51 00000000`00000000
ffffb681`4511df59 00000000`00000000
ffffb681`4511df61 fffff803`12500775 nt!KeAcquireSpinLockRaiseToDpc+0x35
ffffb681`4511df69 5c91db4b`0000002b
ffffb681`4511df71 00000000`00000001
ffffb681`4511df79 00000000`00000000
ffffb681`4511df81 00000000`00000000
ffffb681`4511df89 00000000`00000000
ffffb681`4511df91 fffff803`125007a0 nt!KeAcquireSpinLockRaiseToDpc+0x60
ffffb681`4511df99 1f9059f0`00000010
ffffb681`4511dfa1 00000000`00000001
ffffb681`4511dfa9 00000000`00000000
ffffb681`4511dfb1 00000000`00000000
ffffb681`4511dfb9 00000000`00000000
ffffb681`4511dfc1 fffff803`125007b0 nt!KeAcquireSpinLockRaiseToDpc+0x70
ffffb681`4511dfc9 0ca5599b`0000001a
ffffb681`4511dfd1 00000000`00000001
ffffb681`4511dfd9 00000000`00000000
ffffb681`4511dfe1 00000000`00000000
ffffb681`4511dfe9 00000000`00000000
ffffb681`4511dff1 fffff803`12676528 nt!KeAcquireSpinLockRaiseToDpc+0x175de8
ffffb681`4511dff9 44df167d`00000053
ffffb681`4511e001 00000000`00000001
ffffb681`4511e009 00000000`00000000
ffffb681`4511e011 00000000`00000000
ffffb681`4511e019 00000000`00000000
ffffb681`4511e021 fffff803`1267657b nt!KeAcquireSpinLockRaiseToDpc+0x175e3b
ffffb681`4511e029 32343665`0000004e
ffffb681`4511e031 00000000`00000001
ffffb681`4511e039 00000000`00000000
ffffb681`4511e041 00000000`00000000
ffffb681`4511e049 00000000`00000000
ffffb681`4511e051 fffff803`12500740 nt!KeAcquireSpinLockRaiseToDpc
ffffb681`4511e059 23c9beb2`00000035
ffffb681`4511e061 00000000`00000001
ffffb681`4511e069 00000000`00000000
ffffb681`4511e071 00000000`00000000
ffffb681`4511e079 00000000`00000000
ffffb681`4511e081 fffff803`1262f852 nt!KeReleaseSpinLock+0x12b972
ffffb681`4511e089 56cab7b3`0000009a
ffffb681`4511e091 00000000`00000001
ffffb681`4511e099 00000000`00000000
ffffb681`4511e0a1 00000000`00000000
ffffb681`4511e0a9 00000000`00000000
ffffb681`4511e0b1 fffff803`12503ee0 nt!KeReleaseSpinLock
ffffb681`4511e0b9 0e935e9a`0000004d
ffffb681`4511e0c1 00000000`00000001
ffffb681`4511e0c9 00000000`00000000
ffffb681`4511e0d1 00000000`00000000
ffffb681`4511e0d9 00000000`00000000
ffffb681`4511e0e1 fffff803`12538980 nt!KeProcessorGroupAffinity
ffffb681`4511e0e9 5f8fae91`00000034
ffffb681`4511e0f1 00000000`00000001
ffffb681`4511e0f9 00000000`00000000
ffffb681`4511e101 00000000`00000000
ffffb681`4511e109 00000000`00000000
ffffb681`4511e111 fffff803`126b1c72 nt!KeSetSystemGroupAffinityThread+0x15ef52
ffffb681`4511e119 6584fceb`000000d7
ffffb681`4511e121 00000000`00000001
ffffb681`4511e129 00000000`00000000
ffffb681`4511e131 00000000`00000000
ffffb681`4511e139 00000000`00000000
ffffb681`4511e141 fffff803`12552d20 nt!KeSetSystemGroupAffinityThread
ffffb681`4511e149 36f6fe82`00000180
ffffb681`4511e151 00000000`00000001
ffffb681`4511e159 00000000`00000000
ffffb681`4511e161 00000000`00000000
ffffb681`4511e169 00000000`00000000
ffffb681`4511e171 fffff803`126b20aa nt!KeRevertToUserGroupAffinityThread+0x15ec1a
ffffb681`4511e179 0b2d262b`000000d0
ffffb681`4511e181 00000000`00000001
ffffb681`4511e189 00000000`00000000
ffffb681`4511e191 00000000`00000000
ffffb681`4511e199 00000000`00000000
ffffb681`4511e1a1 fffff803`12553490 nt!KeRevertToUserGroupAffinityThread
ffffb681`4511e1a9 4f2206cd`0000014b
ffffb681`4511e1b1 00000000`00000001
ffffb681`4511e1b9 00000000`00000000
ffffb681`4511e1c1 00000000`00000000
ffffb681`4511e1c9 00000000`00000000
ffffb681`4511e1d1 fffff803`1247ceb0 nt!MmGetSessionIdEx
ffffb681`4511e1d9 62f5b6eb`00000024
ffffb681`4511e1e1 00000000`00000001
ffffb681`4511e1e9 00000000`00000000
ffffb681`4511e1f1 00000000`00000000
ffffb681`4511e1f9 00000000`00000000
ffffb681`4511e201 fffff803`127d4f70 nt!HviIsIommuInUse+0x50
ffffb681`4511e209 535c8f26`000004e4
ffffb681`4511e211 00000000`00000001
ffffb681`4511e219 00000000`00000000
ffffb681`4511e221 00000000`00000000
ffffb681`4511e229 00000000`00000000
ffffb681`4511e231 fffff803`125f45c0 nt!KiMarkBugCheckRegions+0x3e8
ffffb681`4511e239 22e1fc85`00000050
ffffb681`4511e241 00000000`00000001
ffffb681`4511e249 00000000`00000000
ffffb681`4511e251 00000000`00000000
ffffb681`4511e259 00000000`00000000
ffffb681`4511e261 fffff803`126246c0 nt!memcpy
ffffb681`4511e269 46974d51`000002aa
ffffb681`4511e271 00000000`00000001
ffffb681`4511e279 00000000`00000000
ffffb681`4511e281 00000000`00000000
ffffb681`4511e289 00000000`00000000
ffffb681`4511e291 fffff803`12601cb0 nt!KiSwInterruptDispatch+0xd690
ffffb681`4511e299 39907d00`0000003e
ffffb681`4511e2a1 00000000`00000001
ffffb681`4511e2a9 00000000`00000000
ffffb681`4511e2b1 00000000`00000000
ffffb681`4511e2b9 00000000`00000000
ffffb681`4511e2c1 fffff803`12480c84 nt!KiCommitThreadWait+0x54
ffffb681`4511e2c9 21b6bd66`00000118
ffffb681`4511e2d1 00000000`00000001
ffffb681`4511e2d9 00000000`00000000
ffffb681`4511e2e1 00000000`00000000
ffffb681`4511e2e9 00000000`00000000
ffffb681`4511e2f1 fffff803`12480d9c nt!KiCommitThreadWait+0x16c
ffffb681`4511e2f9 6d3f2c48`00000001
ffffb681`4511e301 00000000`00000001
ffffb681`4511e309 00000000`00000000
ffffb681`4511e311 00000000`00000000
ffffb681`4511e319 00000000`00000000
ffffb681`4511e321 fffff803`12480d9d nt!KiCommitThreadWait+0x16d
ffffb681`4511e329 3253ac6b`0000012f
ffffb681`4511e331 00000000`00000001
ffffb681`4511e339 00000000`00000000
ffffb681`4511e341 00000000`00000000
ffffb681`4511e349 00000000`00000000
ffffb681`4511e351 fffff803`12480ecc nt!KiCommitThreadWait+0x29c
ffffb681`4511e359 7a1e1f35`00000016
ffffb681`4511e361 00000000`00000001
ffffb681`4511e369 00000000`00000000
ffffb681`4511e371 00000000`00000000
ffffb681`4511e379 00000000`00000000
ffffb681`4511e381 fffff803`12480ee2 nt!KiCommitThreadWait+0x2b2
ffffb681`4511e389 462bb6f8`00000466
ffffb681`4511e391 00000000`00000001
ffffb681`4511e399 00000000`00000000
ffffb681`4511e3a1 00000000`00000000
ffffb681`4511e3a9 00000000`00000000
ffffb681`4511e3b1 fffff803`12650b6e nt!KiCommitThreadWait+0x1cff3e
ffffb681`4511e3b9 57633514`0000028d
ffffb681`4511e3c1 00000000`00000001
ffffb681`4511e3c9 00000000`00000000
ffffb681`4511e3d1 00000000`00000000
ffffb681`4511e3d9 00000000`00000000
ffffb681`4511e3e1 fffff803`12480c30 nt!KiCommitThreadWait
ffffb681`4511e3e9 20864c99`00000054
ffffb681`4511e3f1 00000000`00000001
ffffb681`4511e3f9 00000000`00000000
ffffb681`4511e401 00000000`00000000
ffffb681`4511e409 00000000`00000000
ffffb681`4511e411 fffff803`12445635 nt!KeDelayExecutionThread+0x85
ffffb681`4511e419 024b70fe`000000c4
ffffb681`4511e421 00000000`00000001
ffffb681`4511e429 00000000`00000000
ffffb681`4511e431 00000000`00000000
ffffb681`4511e439 00000000`00000000
ffffb681`4511e441 fffff803`124456f9 nt!KeDelayExecutionThread+0x149
ffffb681`4511e449 0fab43d5`00000254
ffffb681`4511e451 00000000`00000001
ffffb681`4511e459 00000000`00000000
ffffb681`4511e461 00000000`00000000
ffffb681`4511e469 00000000`00000000
ffffb681`4511e471 fffff803`1244594d nt!KeDelayExecutionThread+0x39d
ffffb681`4511e479 583af3ac`0000003c
ffffb681`4511e481 00000000`00000001
ffffb681`4511e489 00000000`00000000
ffffb681`4511e491 00000000`00000000
ffffb681`4511e499 00000000`00000000
ffffb681`4511e4a1 fffff803`12445989 nt!KeDelayExecutionThread+0x3d9
ffffb681`4511e4a9 19638037`0000004f
ffffb681`4511e4b1 00000000`00000001
ffffb681`4511e4b9 00000000`00000000
ffffb681`4511e4c1 00000000`00000000
ffffb681`4511e4c9 00000000`00000000
ffffb681`4511e4d1 fffff803`124459d8 nt!KeDelayExecutionThread+0x428
This structure holds, for each region to be checked, its address, its size and its checksum (in the dump above each entry is 0x30 bytes: the region address, then a qword whose low 32 bits are the size and high 32 bits the checksum, then a flag of 1 and three zero qwords).
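To make the dump above easier to read, here is an added example (not code from the original post) that parses `dps` output into the per-region entries and looks up which entry covers Arg3 from the bugcheck. The entry layout (six qwords: address, checksum<<32 | size, flags, and three zeros) is an assumption taken from the dump above; the sample input is the first three entries copied from it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first three entries copied from the `dps` output
# above. WinDbg prints "<addr> <qword> [<symbol>]" per line.
SAMPLE_DPS = """\
0: kd> dps FFFFB6814511DDD9 l200
ffffb681`4511ddd9 00000000`00000000
ffffb681`4511dde1 fffff803`1261c540 nt!KiDebugTrapOrFault
ffffb681`4511dde9 6fe2c0c3`000000ad
ffffb681`4511ddf1 00000000`00000001
ffffb681`4511ddf9 00000000`00000000
ffffb681`4511de01 00000000`00000000
ffffb681`4511de09 00000000`00000000
ffffb681`4511de11 fffff803`12623780 nt!KiExceptionDispatch
ffffb681`4511de19 68d3953c`00000327
ffffb681`4511de21 00000000`00000001
ffffb681`4511de29 00000000`00000000
ffffb681`4511de31 00000000`00000000
ffffb681`4511de39 00000000`00000000
ffffb681`4511de41 fffff803`126ad156 nt!KiDispatchException+0x166756
ffffb681`4511de49 6f8b5d09`000001cf
ffffb681`4511de51 00000000`00000001
"""

LINE_RE = re.compile(
    r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)

# Assumption matching the dump above: {address, checksum<<32 | size, flags, 0, 0, 0}
ENTRY_QWORDS = 6


@dataclass
class ProtectedRegion:
    entry_at: int           # address of this entry inside the context
    address: int            # start of the kernel region PG checks
    symbol: Optional[str]   # as resolved by WinDbg, if any
    size: int               # low 32 bits of the second qword
    checksum: int           # high 32 bits of the second qword
    flags: int              # third qword (1 for every entry in the dump above)


def parse_dps(text: str):
    """Turn dps output into (address, qword, symbol) rows; prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1) + m.group(2), 16),
                         int(m.group(3) + m.group(4), 16),
                         m.group(5)))
    return rows


def extract_regions(rows) -> List[ProtectedRegion]:
    """Walk the 0x30-byte entries, starting at the first symbol-resolved qword."""
    start = next((i for i, r in enumerate(rows) if r[2] is not None), None)
    regions: List[ProtectedRegion] = []
    if start is None:
        return regions
    for i in range(start, len(rows) - 2, ENTRY_QWORDS):
        entry_at, address, symbol = rows[i]
        size_checksum = rows[i + 1][1]
        flags = rows[i + 2][1]
        regions.append(ProtectedRegion(entry_at, address, symbol,
                                       size_checksum & 0xFFFFFFFF,
                                       size_checksum >> 32, flags))
    return regions


def find_region_containing(regions, va: int) -> Optional[ProtectedRegion]:
    """Which protected region covers `va`? Use with Arg3 from the bugcheck."""
    for r in regions:
        if r.address <= va < r.address + r.size:
            return r
    return None


if __name__ == "__main__":
    regions = extract_regions(parse_dps(SAMPLE_DPS))
    for r in regions:
        print(f"{r.address:#x} size={r.size:#x} checksum={r.checksum:#010x} {r.symbol}")
    hit = find_region_containing(regions, 0xFFFFF8031261C540)  # Arg3 from above
    print("Arg3 falls in:", hit.symbol if hit else "no entry")
```

Run on the sample, the lookup shows that Arg3 (`fffff8031261c540`) is exactly the first entry, `nt!KiDebugTrapOrFault`, with size 0xad and checksum 0x6fe2c0c3; that is the region whose checksum no longer matched when the bugcheck fired.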
The next step is to locate the PG context dynamically.