Why is RtlImageNtHeader causing a BSOD?

  • Question

  • Hello,

    I want to get the NT header for ntoskrnl. To do that, I must use RtlImageNtHeader, an undocumented function. I found out that an access violation is being caused at RtlImageNtHeader + 0x2d. What could this be caused by? I verified the correct base address of ntoskrnl.

    here is the code:

    ```c
    PVOID base = getKernelBase(NULL);

    if (!base)
    {
        DbgPrint("base address not found!\n");
        return STATUS_NOT_FOUND;
    }  // pretty much always succeeds

    PIMAGE_NT_HEADERS64 pHdr = RtlImageNtHeader(base); // this is the BSOD
    ```

    thanks,

    Wednesday, April 1, 2020 1:34 AM

All replies

  • It depends upon the version of the OS, but I found that the header of a loaded file is quickly overwritten. This goes back to the NT days. What are you trying to get from the header? There may be a better way.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, April 1, 2020 12:11 PM
  • Hello,

    Thanks for quick response!

    I am trying to access the section table of ntoskrnl, and in order to do that, I must set a pointer to the NT header and increment it.

    Wednesday, April 1, 2020 10:23 PM
  • UPDATE:

    Now I am getting the NT header without any undocumented function:

    ```c
    if (((PIMAGE_DOS_HEADER)base)->e_magic == IMAGE_DOS_SIGNATURE) {
        NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)base + ((PIMAGE_DOS_HEADER)base)->e_lfanew);
        if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
            DbgPrint("invalid PE header\n");
            return STATUS_NOT_FOUND;
            //BSOD time!!!
        }
    }
    ```

    but it still causes a blue screen of death!

    Does that mean ntoskrnl is protected or something?

    Crash info:

    ```text
    g_KernelBase : FFFFF8017F200000
    Access violation - code c0000005 (!!! second chance !!!)
    ffff9605`c50e7a71 4863703c        movsxd  rsi,dword ptr [rax+3Ch]
    kd> !analyze -v
    ... Retry sending the same data packet for 64 times.
    The transport connection between host kernel debugger and target Windows seems lost.
    please try resync with target, recycle the host debugger, or reboot the target Windows.
    Connected to Windows 10 18362 x64 target at (Wed Apr  1 19:36:47.138 2020 (UTC - 4:00)), ptr64 TRUE
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .......................................
    Loading User Symbols
    ...................
    Loading unloaded module list
    ........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Unknown bugcheck code (0)
    Unknown bugcheck description
    Arguments:
    Arg1: 0000000000000000
    Arg2: 0000000000000000
    Arg3: 0000000000000000
    Arg4: 0000000000000000

    Debugging Details:
    ------------------


    KEY_VALUES_STRING: 1

        Key  : AV.Fault
        Value: Read


    PROCESSES_ANALYSIS: 1

    SERVICE_ANALYSIS: 1

    STACKHASH_ANALYSIS: 1

    TIMELINE_ANALYSIS: 1


    DUMP_CLASS: 1

    DUMP_QUALIFIER: 0

    BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202

    DUMP_TYPE:  0

    BUGCHECK_P1: 0

    BUGCHECK_P2: 0

    BUGCHECK_P3: 0

    BUGCHECK_P4: 0

    PROCESS_NAME:  kdmapper.exe

    FAULTING_IP: 
    +0
    ffff9605`c50e7a71 4863703c        movsxd  rsi,dword ptr [rax+3Ch]

    FOLLOWUP_IP: 
    +0
    ffff9605`c50e7a71 4863703c        movsxd  rsi,dword ptr [rax+3Ch]

    BUGCHECK_STR:  ACCESS_VIOLATION

    READ_ADDRESS:  0000000000ab703c 

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE_STR:  c0000005

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  0000000000ab703c

    CPU_COUNT: 1

    CPU_MHZ: e09

    CPU_VENDOR:  AuthenticAMD

    CPU_FAMILY: 17

    CPU_MODEL: 11

    CPU_STEPPING: 0

    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

    CURRENT_IRQL:  0

    ANALYSIS_SESSION_HOST:  DESKTOP-53H48PG

    ANALYSIS_SESSION_TIME:  04-01-2020 19:36:48.0476

    ANALYSIS_VERSION: 10.0.18362.1 amd64fre

    LAST_CONTROL_TRANSFER:  from 0000000000000000 to ffff9605c50e7a71

    STACK_TEXT:  
    ffff838d`1f995800 00000000`00000000 : ffff9605`0000c120 ffff838d`1f995958 ffff838d`1f995780 ffffe68a`2ea18f00 : 0xffff9605`c50e7a71


    SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Unknown_Module

    IMAGE_NAME:  Unknown_Image

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    STACK_COMMAND:  .thread ; .cxr ; kb

    FAILURE_BUCKET_ID:  ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

    BUCKET_ID:  ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

    PRIMARY_PROBLEM_CLASS:  ACCESS_VIOLATION_ANALYSIS_INCONCLUSIVE!unknown_function

    TARGET_TIME:  2020-04-01T23:33:06.000Z

    OSBUILD:  18362

    OSSERVICEPACK:  0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK:  784

    PRODUCT_TYPE:  1

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 10

    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal

    OS_LOCALE:  

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  unknown_date

    BUILDDATESTAMP_STR:  190318-1202

    BUILDLAB_STR:  19h1_release

    BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202

    ANALYSIS_SESSION_ELAPSED_TIME:  234d

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:access_violation_analysis_inconclusive!unknown_function

    FAILURE_ID_HASH:  {6636647e-3e69-7cc5-6dd1-dcc0ae3c99be}

    Followup:     MachineOwner
    ---------
    ```

    Wednesday, April 1, 2020 11:56 PM
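An added example (the editor's, not code from this thread) of the same DOS header, e_lfanew, NT header, section table walk that the update above performs, but with every offset bounds-checked against the image size before it is dereferenced, so a bad base pointer or a corrupt e_lfanew becomes an error return rather than an access violation. It assumes a winnt.h-compatible layout (minimal structs defined inline so it builds without the WDK) and runs in user mode against a constructed image, not against ntoskrnl.

```c
#include <stdint.h>
#include <string.h>

/* Minimal PE structures laid out as in winnt.h (assumed; lets this build without the WDK). */
#define IMAGE_DOS_SIGNATURE 0x5A4Du     /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u /* "PE\0\0" */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t e_res[58]; int32_t e_lfanew; } DosHdr; /* e_lfanew sits at 0x3C */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
                 NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;
typedef struct { uint32_t Signature; FileHdr FileHeader; } NtHdr; /* 24 bytes; optional header follows */
#pragma pack(pop)

/* Locate the section table of an in-memory PE image without trusting any header field: every offset is
 * bounds-checked against 'size' before being dereferenced, so a bad base pointer or a corrupt e_lfanew
 * yields -1 instead of an access violation. Returns the byte offset of the first section header. */
long find_section_table(const uint8_t *base, size_t size, uint16_t *count)
{
    DosHdr dos; NtHdr nt;
    if (base == NULL || size < sizeof dos) return -1;
    memcpy(&dos, base, sizeof dos);
    if (dos.e_magic != IMAGE_DOS_SIGNATURE) return -1;
    /* e_lfanew is signed: reject negative values and offsets that leave the image. */
    if (dos.e_lfanew < 0 || (size_t)dos.e_lfanew > size - sizeof nt) return -1;
    memcpy(&nt, base + dos.e_lfanew, sizeof nt);
    if (nt.Signature != IMAGE_NT_SIGNATURE) return -1;
    size_t sect = (size_t)dos.e_lfanew + sizeof nt + nt.FileHeader.SizeOfOptionalHeader;
    if (sect > size || (size - sect) / 40u < nt.FileHeader.NumberOfSections) return -1; /* 40 = section header size */
    *count = nt.FileHeader.NumberOfSections; /* number of IMAGE_SECTION_HEADER entries at 'sect' */
    return (long)sect;
}

/* Constructed test image (not a real ntoskrnl): DOS header, NT headers at 'lfanew' with a
 * 240-byte IMAGE_OPTIONAL_HEADER64, and 'nsect' zeroed section headers after it. */
void build_image(uint8_t *buf, size_t size, int32_t lfanew, uint16_t nsect)
{
    DosHdr dos = {0}; NtHdr nt = {0};
    memset(buf, 0, size);
    dos.e_magic = IMAGE_DOS_SIGNATURE; dos.e_lfanew = lfanew;
    memcpy(buf, &dos, sizeof dos);
    nt.Signature = IMAGE_NT_SIGNATURE;
    nt.FileHeader.NumberOfSections = nsect; nt.FileHeader.SizeOfOptionalHeader = 240;
    if (lfanew >= 0 && (size_t)lfanew <= size - sizeof nt) memcpy(buf + lfanew, &nt, sizeof nt);
}

uint16_t g_count; /* section count from the last probe() */
long probe(int32_t lfanew, uint16_t nsect) /* build a 4 KiB image with these values and validate it */
{
    static uint8_t img[4096];
    build_image(img, sizeof img, lfanew, nsect);
    return find_section_table(img, sizeof img, &g_count);
}
```

With a sane e_lfanew of 0x80 the section table lands at offset 392 (0x80 + 24 + 240); an e_lfanew that points past the image, a negative one, or a section count that does not fit are all rejected before anything is read through them.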
  • You need to fix your symbols and analyze the dump again. My guess would be that e_lfanew is corrupted, causing NtHeaders to point to an invalid location.

        NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)base + ((PIMAGE_DOS_HEADER)base)->e_lfanew);

        if (NtHeaders->Signature != IMAGE_NT_SIGNATURE


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, April 2, 2020 3:35 PM
  • If you're not willing to disassemble this to see what bollocks your code has produced, then you'll need to single-step through it in a debugger to figure out where it goes awry.

    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Friday, April 3, 2020 6:52 AM