KeStackAttachProcess and memcpy cause SYSTEM_SERVICE_EXCEPTION

  • Question

  • help!

    KeStackAttachProcess is working but memcpy causes a SYSTEM_SERVICE_EXCEPTION BSOD.

    KeStackAttachProcess(targetProcess, apcState);
    /* undocumented routine; the thread assumes it returns the image base of the target process */
    uintptr_t baseAddress = (uintptr_t)PsGetProcessSectionBaseAddress(targetProcess);
    /* this store is the one that bugchecks */
    memcpy((PVOID)(baseAddress + memoryOffset), source, sizeof(int));
    KeUnstackDetachProcess(apcState);
    
    Am I doing anything wrong? Do I need to add baseaddress to the memoryoffset?

    Thursday, August 29, 2019 11:12 AM

All replies

  • Are you sure PsGetSectionBaseAddress is going to work? That is not a documented function.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, August 29, 2019 2:59 PM
  • A lot of these functions aren't documented, but if I were to use memcpy, would I need offset + baseaddress or just the offset?
    • Edited by jguo5258 Thursday, August 29, 2019 10:33 PM
    Thursday, August 29, 2019 10:33 PM
  • If you are trying to address a specific location in the section, and assuming PsGetSectionBaseAddress returns the beginning of the section, then you need the memoryoffset. Give us the !analyze -v from WinDbg on the crash dump, so we have an idea of what is failing.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Friday, August 30, 2019 12:00 AM
  • Here you go:

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff804e07810d7, Address of the instruction which caused the bugcheck
    Arg3: ffffce0eacc59e00, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
    
    PROCESSES_ANALYSIS: 1
    
    SERVICE_ANALYSIS: 1
    
    STACKHASH_ANALYSIS: 1
    
    TIMELINE_ANALYSIS: 1
    
    
    DUMP_CLASS: 1
    
    DUMP_QUALIFIER: 0
    
    BUILD_VERSION_STRING:  18362.1.amd64fre.19h1_release.190318-1202
    
    DUMP_TYPE:  0
    
    BUGCHECK_P1: c0000005
    
    BUGCHECK_P2: fffff804e07810d7
    
    BUGCHECK_P3: ffffce0eacc59e00
    
    BUGCHECK_P4: 0
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    FAULTING_IP: 
    kernelmoderpmwpm!DeviceCTLDispatch+d7 [C:\Users\jguo5\source\repos\kernel mode rpm wpm\kernel mode rpm wpm\Driver.c @ 171]
    fffff804`e07810d7 66890419        mov     word ptr [rcx+rbx],ax
    
    CONTEXT:  ffffce0eacc59e00 -- (.cxr 0xffffce0eacc59e00)
    rax=0000000000003333 rbx=00007ff7d6e10000 rcx=00000000000f9840
    rdx=000000000000000f rsi=0000000000000000 rdi=ffffbe0110794810
    rip=fffff804e07810d7 rsp=ffffce0eacc5a7f0 rbp=0000000000000002
     r8=0000000000000065  r9=0000000000000003 r10=0000000000000000
    r11=ffffce0eacc5a630 r12=0000000000000000 r13=0000000000000000
    r14=ffffbe0111502900 r15=ffffbe0110a437b0
    iopl=0         nv up ei ng nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
    kernelmoderpmwpm!DeviceCTLDispatch+0xd7:
    fffff804`e07810d7 66890419        mov     word ptr [rcx+rbx],ax ds:002b:00007ff7`d6f09840=058b
    Resetting default scope
    
    BUGCHECK_STR:  0x3B_c0000005
    
    CPU_COUNT: 1
    
    CPU_MHZ: e09
    
    CPU_VENDOR:  AuthenticAMD
    
    CPU_FAMILY: 17
    
    CPU_MODEL: 11
    
    CPU_STEPPING: 0
    
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    
    PROCESS_NAME:  MicrosoftEdge.exe
    
    CURRENT_IRQL:  0
    
    ANALYSIS_SESSION_HOST:  DESKTOP-53H48PG
    
    ANALYSIS_SESSION_TIME:  08-30-2019 12:41:33.0721
    
    ANALYSIS_VERSION: 10.0.18362.1 amd64fre
    
    LAST_CONTROL_TRANSFER:  from fffff8065b631819 to fffff804e07810d7
    
    STACK_TEXT:  
    ffffce0e`acc5a7f0 fffff806`5b631819 : ffffbe01`10794810 00000000`00000001 ffffbe01`0d04c7c0 ffffbe01`10794928 : kernelmoderpmwpm!DeviceCTLDispatch+0xd7 [C:\Users\jguo5\source\repos\kernel mode rpm wpm\kernel mode rpm wpm\Driver.c @ 171] 
    ffffce0e`acc5a820 fffff806`5bbe7215 : ffffce0e`acc5ab80 ffffbe01`10794810 00000000`00000001 ffffbe01`0d04c7c0 : nt!IofCallDriver+0x59
    ffffce0e`acc5a860 fffff806`5bbe7020 : 00000000`00000000 ffffce0e`acc5ab80 ffffbe01`10794810 ffffce0e`acc5ab80 : nt!IopSynchronousServiceTail+0x1a5
    ffffce0e`acc5a900 fffff806`5bbe63f6 : 00007ffd`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xc10
    ffffce0e`acc5aa20 fffff806`5b7d1515 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
    ffffce0e`acc5aa90 00007ffd`a803c144 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
    0000001d`9a9df5b8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtDeviceIoControlFile+0x14
    
    
    THREAD_SHA1_HASH_MOD_FUNC:  816f62690cfd9de2d8daea276b6121da50e2d3b4
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  e85b3289d6c312efaa0bc1d8ab1a4fa60291c0e4
    
    THREAD_SHA1_HASH_MOD:  ffa9adce52560d528e73f90112281834562ed68e
    
    FOLLOWUP_IP: 
    kernelmoderpmwpm!DeviceCTLDispatch+d7 [C:\Users\jguo5\source\repos\kernel mode rpm wpm\kernel mode rpm wpm\Driver.c @ 171]
    fffff804`e07810d7 66890419        mov     word ptr [rcx+rbx],ax
    
    FAULT_INSTR_CODE:  19048966
    
    FAULTING_SOURCE_LINE:  C:\Users\jguo5\source\repos\kernel mode rpm wpm\kernel mode rpm wpm\Driver.c
    
    FAULTING_SOURCE_FILE:  C:\Users\jguo5\source\repos\kernel mode rpm wpm\kernel mode rpm wpm\Driver.c
    
    FAULTING_SOURCE_LINE_NUMBER:  171
    
    FAULTING_SOURCE_CODE:  
       167: 		KeStackAttachProcess(targetProcess, state);
       168: 		DbgPrint("reached point 2");
       169: 		uintptr_t Base = PsGetProcessSectionBaseAddress(targetProcess);
       170: 		DbgPrint("reached point 3");
    >  171: 		memcpy((PVOID)(WalkSpeed + (uintptr_t)Base), pWriteDataBuffer, 3);
       172: 		DbgPrint("reached point 4");
       173: 		KeUnstackDetachProcess(state);
       174: 		DbgPrint("reached point 5");
       175: 		ExFreePool(state);
       176: 		break;
    
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  kernelmoderpmwpm!DeviceCTLDispatch+d7
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: kernelmoderpmwpm
    
    IMAGE_NAME:  kernelmoderpmwpm.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5d66a0a7
    
    STACK_COMMAND:  .cxr 0xffffce0eacc59e00 ; kb
    
    BUCKET_ID_FUNC_OFFSET:  d7
    
    FAILURE_BUCKET_ID:  0x3B_c0000005_kernelmoderpmwpm!DeviceCTLDispatch
    
    BUCKET_ID:  0x3B_c0000005_kernelmoderpmwpm!DeviceCTLDispatch
    
    PRIMARY_PROBLEM_CLASS:  0x3B_c0000005_kernelmoderpmwpm!DeviceCTLDispatch
    
    TARGET_TIME:  2019-08-30T16:40:54.000Z
    
    OSBUILD:  18362
    
    OSSERVICEPACK:  0
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    SUITE_MASK:  784
    
    PRODUCT_TYPE:  1
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal
    
    OS_LOCALE:  
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  1998-05-30 17:12:57
    
    BUILDDATESTAMP_STR:  190318-1202
    
    BUILDLAB_STR:  19h1_release
    
    BUILDOSVER_STR:  10.0.18362.1.amd64fre.19h1_release.190318-1202
    
    ANALYSIS_SESSION_ELAPSED_TIME:  1565
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:0x3b_c0000005_kernelmoderpmwpm!devicectldispatch
    
    FAILURE_ID_HASH:  {f63e8fc8-9787-0c7c-40bc-b90ea8e75565}
    
    Followup:     MachineOwner
    ---------
    
    

    Friday, August 30, 2019 4:42 PM
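An added triage helper, not part of the thread, that pulls the key facts out of the !analyze -v output above and cross-checks them: it recomputes the faulting store's target from the CONTEXT registers, classifies that address as user-mode or kernel-mode, and records the process the driver was attached to and that the path came in through NtDeviceIoControlFile at IRQL 0. That combination (third-party driver, access violation on a user-mode address, IOCTL entry) is what a responder looks for when a loaded driver is suspected of writing into other processes' memory. The DUMP excerpt is a constructed sample built from lines quoted in the post.

```python
import re

# Constructed sample: lines taken from the !analyze -v output posted above, trimmed.
DUMP = r"""
SYSTEM_SERVICE_EXCEPTION (3b)
BUGCHECK_P1: c0000005
FAULTING_IP:
kernelmoderpmwpm!DeviceCTLDispatch+d7 [C:\Users\jguo5\source\repos\kernel mode rpm wpm\kernel mode rpm wpm\Driver.c @ 171]
rax=0000000000003333 rbx=00007ff7d6e10000 rcx=00000000000f9840
fffff804`e07810d7 66890419        mov     word ptr [rcx+rbx],ax ds:002b:00007ff7`d6f09840=058b
PROCESS_NAME:  MicrosoftEdge.exe
CURRENT_IRQL:  0
STACK_TEXT:
ffffce0e`acc5a7f0 fffff806`5b631819 : ffffbe01`10794810 : kernelmoderpmwpm!DeviceCTLDispatch+0xd7
ffffce0e`acc5a820 fffff806`5bbe7215 : ffffce0e`acc5ab80 : nt!IofCallDriver+0x59
ffffce0e`acc5aa20 fffff806`5b7d1515 : 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
"""

KERNEL_SPACE_START = 0xFFFF_8000_0000_0000  # x64: every address below this is user-mode VA


def hexval(s):
    """Parse a WinDbg hex number, tolerating its 8-digit backtick separator."""
    return int(s.replace("`", ""), 16)


def registers(text):
    """Map register name -> value from the 'rax=... rbx=... rcx=...' CONTEXT lines."""
    return {r: hexval(v) for r, v in re.findall(r"\b(r[a-z0-9]{2,3})=([0-9a-f]{16})", text)}


def triage(text):
    """Extract what a defender wants from a 0x3B dump blamed on a third-party driver."""
    regs = registers(text)
    # The faulting store, with WinDbg's effective-address annotation (ds:SEL:ADDR=VALUE).
    m = re.search(r"mov\s+word ptr \[(\w+)\+(\w+)\],\w+ ds:[0-9a-f]+:([0-9a-f`]+)=", text)
    target = hexval(m.group(3))
    stack = text.split("STACK_TEXT:")[1]
    return {
        "bugcheck": re.search(r"^(\w+) \((\w+)\)$", text, re.M).group(2),
        "exception": re.search(r"BUGCHECK_P1: (\w+)", text).group(1),
        "module": re.search(r"FAULTING_IP:\s*(\w+)!", text).group(1),
        "target": target,
        # Independent check: base + index registers must reproduce the annotated address.
        "target_matches_registers": regs[m.group(1)] + regs[m.group(2)] == target,
        "target_is_user_mode": target < KERNEL_SPACE_START,
        "attached_process": re.search(r"PROCESS_NAME:\s+(\S+)", text).group(1),
        "irql": int(re.search(r"CURRENT_IRQL:\s+(\d+)", text).group(1)),
        "reached_via_ioctl": "NtDeviceIoControlFile" in stack,
    }
```

A user-mode target while the faulting module is a driver, with the stack rooted in NtDeviceIoControlFile, is the pattern to flag; the driver's IOCTL interface, not the memcpy call itself, is the thing to investigate.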