[Help] Hooking the IDT causes a triple fault
Posted: 2020-4-23 00:04
I hooked every IDT entry on every CPU, and after a while the guest triple-faults.
After repeated testing: as long as I do not hook KiNmiInterrupt, it is completely stable.
As soon as I hook KiNmiInterrupt, a triple fault happens after a while.
Does anyone know why?

I set the VMware option to collect full debug information, then ran:
vmss2core.exe  -W debug.guest debug.vmem

Analyzing the dump file with windbg, every time it is Bug Check 0x80: NMI_HARDWARE_FAILURE.
If I leave IDT vector 2 alone and hook every other interrupt, this bugcheck never appears.
Hook KiNmiInterrupt and it dies after a while, 100% of the time.

VMware Workstation 不可恢复错误: (vcpu-2)
vcpu-2:ASSERT vmcore/vmm/cpu/segment.c:554 bugNr=19580
That assertion is configured to fail whenever the virtual machine's CPU encounters a triple-fault.  
日志文件位于“E:\虚拟机\win7\vmware.log”中。  
您可以请求支持。  
要收集数据提交给 VMware 技术支持,请选择“帮助”菜单中的“收集支持数据”。
也可以直接在 Workstation 文件夹中运行“vm-support”脚本。
我们将根据您的技术支持权利做出回应

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 80, {4f4454, 0, 0, 0}

*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for HDAudBus.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for mshtml.dll - 

"kernel32.dll" was not found in the image list.
Debugger will attempt to load "kernel32.dll" at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 00000000`00000000
Probably caused by : HDAudBus.sys ( HDAudBus+3bf5 )

Followup: MachineOwner
---------

0: kd> r
rax=0000000000000002 rbx=fffff8000400ce80 rcx=fffff8000400cec0
rdx=0000000000000400 rsi=0000000000000000 rdi=fffff800054d8e70
rip=fffff80003f49804 rsp=fffff800054d8be0 rbp=000000000000000f
 r8=fffff880009f7340  r9=0000000000000030 r10=fffff880009f7340
r11=fffff800054d8d30 r12=fffff800054d8d30 r13=000000000c29fd20
r14=000000000000000f r15=0000000075292450
iopl=0         nv up di pl zr na po nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00000046
nt!KiFreezeTargetExecution+0x1e5:
fffff800`03f49804 4022c5          and     al,bpl
0: kd> kb
RetAddr           : Args to Child                                                           : Call Site
fffff800`03f49a5f : fffff800`054d8e70 fffff800`054d8d30 fffff800`0400ce80 00000000`00000000 : nt!KiFreezeTargetExecution+0x1e5
fffff800`03e97982 : fffffa80`024cb848 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiProcessNMI+0x2f
fffff800`03e977e3 : 00000000`00000000 00000000`00000000 00000000`0000ffff 00000000`00000002 : nt!KxNmiInterrupt+0x82
fffff880`057c9bf5 : fffff880`057ca21f fffff880`04ddd103 00000000`0000001c fffff800`00000004 : nt!KiNmiInterruptStart+0x163
fffff880`057ca21f : fffff880`04ddd103 00000000`0000001c fffff800`00000004 ffffffff`ffffff04 : HDAudBus+0x3bf5
fffff800`03e96279 : fffffa80`024cb840 fffffa80`02ee3000 fffffa80`024cb840 fffff800`0440bb7f : HDAudBus+0x421f
fffff800`03e96058 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiScanInterruptObjectList+0x69
fffff800`03e9cf40 : fffff800`03ee6453 fffff800`03e96ba0 fffff800`03e96c0c fffffa80`04114b60 : nt!KiChainedDispatch+0x128
fffff800`03ee6453 : fffff800`03e96ba0 fffff800`03e96c0c fffffa80`04114b60 00000000`76f711e0 : nt!KiDispatchInterrupt
fffff800`03e96c0c : fffffa80`04114b60 00000000`76f711e0 00000000`7ef31000 00000000`00000020 : nt!KiDpcInterruptBypass+0x13
00000000`718ebb91 : 7193cab0`0a149c98 93f4381a`0f0165d0 0dedce08`00000000 0a149c98`7161a26e : nt!KiInterruptDispatchNoLock+0x1fc
7193cab0`0a149c98 : 93f4381a`0f0165d0 0dedce08`00000000 0a149c98`7161a26e 00000002`80010423 : mshtml!Ordinal104+0x6b5f2
93f4381a`0f0165d0 : 0dedce08`00000000 0a149c98`7161a26e 00000002`80010423 0dedced0`00000002 : 0x7193cab0`0a149c98
0dedce08`00000000 : 0a149c98`7161a26e 00000002`80010423 0dedced0`00000002 0dedcee0`0f003d10 : 0x93f4381a`0f0165d0
0a149c98`7161a26e : 00000002`80010423 0dedced0`00000002 0dedcee0`0f003d10 80010423`0f235b88 : 0xdedce08`00000000
00000002`80010423 : 0dedced0`00000002 0dedcee0`0f003d10 80010423`0f235b88 08f6c2b8`08f88248 : 0xa149c98`7161a26e
0dedced0`00000002 : 0dedcee0`0f003d10 80010423`0f235b88 08f6c2b8`08f88248 08f71948`00000000 : 0x2`80010423
0dedcee0`0f003d10 : 80010423`0f235b88 08f6c2b8`08f88248 08f71948`00000000 7161a1b9`0dedce44 : 0xdedced0`00000002
80010423`0f235b88 : 08f6c2b8`08f88248 08f71948`00000000 7161a1b9`0dedce44 80010423`08f88248 : 0xdedcee0`0f003d10




*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 80, {4f4454, 0, 0, 0}

*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for hal.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for mpengine.dll - 
Probably caused by : ntkrnlmp.exe ( nt!KiFreezeTargetExecution+1df )

Followup: MachineOwner
---------

0: kd> r
rax=0000000000000002 rbx=fffff8000400ce80 rcx=fffff8000400cec0
rdx=0000000000000400 rsi=0000000000000000 rdi=fffff800054d8e70
rip=fffff80003f497fe rsp=fffff800054d8be0 rbp=000000000000000f
 r8=fffff880009f7340  r9=0000000000000030 r10=fffff880009f7340
r11=fffff800054d8d30 r12=fffff800054d8d30 r13=00000136c89cd465
r14=000000000000000f r15=00000000053a7830
iopl=0         nv up di pl zr na po nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00000046
nt!KiFreezeTargetExecution+0x1df:
fffff800`03f497fe 8b8304210000    mov     eax,dword ptr [rbx+2104h] ds:002b:fffff800`0400ef84=00000002
0: kd> kb
RetAddr           : Args to Child                                                           : Call Site
fffff800`03f49a5f : fffff800`054d8e70 fffff800`054d8d30 fffff800`0400ce80 00000000`00000000 : nt!KiFreezeTargetExecution+0x1df
fffff800`03e97982 : 00000000`74483501 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiProcessNMI+0x2f
fffff800`03e977e3 : 00000000`00126858 00000000`00000000 00000000`00126870 00000000`002eaf80 : nt!KxNmiInterrupt+0x82
fffff800`04421a7b : fffff800`03ee6315 00000000`00000002 00000000`00000000 00000000`04f9ff97 : nt!KiNmiInterruptStart+0x163
fffff800`03ee6315 : 00000000`00000002 00000000`00000000 00000000`04f9ff97 00000000`0000ffff : hal!HalProcessorIdle+0x2ab
00000000`74434a29 : 00000000`053a7b60 00000000`74483501 00000000`053a7bb8 00000000`053a78e0 : nt!KiDpcInterrupt+0xc5
00000000`053a7b60 : 00000000`74483501 00000000`053a7bb8 00000000`053a78e0 00000000`003d0000 : mpengine+0x4a29
00000000`74483501 : 00000000`053a7bb8 00000000`053a78e0 00000000`003d0000 00000000`74487643 : 0x53a7b60
00000000`053a7bb8 : 00000000`053a78e0 00000000`003d0000 00000000`74487643 00000000`053a7b70 : mpengine+0x53501
00000000`053a78e0 : 00000000`003d0000 00000000`74487643 00000000`053a7b70 00000000`000000e3 : 0x53a7bb8
00000000`003d0000 : 00000000`74487643 00000000`053a7b70 00000000`000000e3 00000000`00000000 : 0x53a78e0
00000000`74487643 : 00000000`053a7b70 00000000`000000e3 00000000`00000000 00000000`74434ec2 : 0x3d0000
00000000`053a7b70 : 00000000`000000e3 00000000`00000000 00000000`74434ec2 00000000`053a7b88 : mpengine+0x57643
00000000`000000e3 : 00000000`00000000 00000000`74434ec2 00000000`053a7b88 00000000`00000000 : 0x53a7b70
00000000`00000000 : 00000000`74434ec2 00000000`053a7b88 00000000`00000000 00000000`053a7b90 : 0xe3



*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 80, {4f4454, 0, 0, 0}

*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ADVAPI32.dll - 
*** WARNING: Unable to verify checksum for hardwareDemo.exe
Probably caused by : ntkrnlmp.exe ( nt!KiFreezeTargetExecution+1dd )

Followup: MachineOwner
---------

0: kd> r
rax=0000000000000002 rbx=fffff8000400ce80 rcx=fffff8000400cec0
rdx=0000000000000400 rsi=0000000000000000 rdi=fffff800054d8e70
rip=fffff80003f497fc rsp=fffff800054d8be0 rbp=000000000000000f
 r8=fffff880009f7340  r9=0000000000000030 r10=fffff880009f7340
r11=fffff800054d8d30 r12=fffff800054d8d30 r13=00000246c097933d
r14=000000000000000f r15=0000000000000000
iopl=0         nv up di pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000046
nt!KiFreezeTargetExecution+0x1dd:
fffff800`03f497fc f390            pause
0: kd> kb
RetAddr           : Args to Child                                                           : Call Site
fffff800`03f49a5f : fffff800`054d8e70 fffff800`054d8d30 fffff800`0400ce80 00000000`00000000 : nt!KiFreezeTargetExecution+0x1dd
fffff800`03e97982 : fffff8a0`06ff0f2c 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiProcessNMI+0x2f
fffff800`03e977e3 : 00000000`00000000 000007fe`fe3c3930 00000000`00000000 00000000`00000000 : nt!KxNmiInterrupt+0x82
fffff800`03e913c0 : fffff800`03eb50d7 00000000`00000012 fffff8a0`022529e2 00000000`63e9570a : nt!KiNmiInterruptStart+0x163
fffff800`03eb50d7 : 00000000`00000012 fffff8a0`022529e2 00000000`63e9570a ffff66d3`2fd4000e : nt!memcmp+0x30
fffff800`03ead06b : 00000000`00020019 00000000`00000000 fffff8a0`06ff0a90 fffff880`04168398 : nt!SepMandatoryIntegrityCheck+0xf7
fffff800`03eb5472 : 00000000`00000000 fffffa80`036e1570 fffff8a0`06317ca8 fffffa80`0385fb90 : nt!SeAccessCheckWithHint+0x3fb
fffff800`04166fc1 : 00000000`00000001 fffff8a0`059ff8b4 fffff8a0`06317ca8 fffff800`04193dbb : nt!SeAccessCheck+0x62
fffff800`04168e49 : 00000000`00000000 00000000`00000000 fffff8a0`06317ca8 fffff8a0`0634da70 : nt!CmpCheckKeyBodyAccess+0x151
fffff800`04164996 : fffff8a0`c0000022 fffff8a0`022c4458 fffff8a0`00348010 fffffa80`036e1570 : nt!CmpDoOpen+0x319
fffff800`04194d38 : fffffa80`036e1728 fffffa80`00000001 fffffa80`036e1570 fffff880`00000101 : nt!CmpParseKey+0x496
fffff800`04195f56 : 00000000`00000024 fffffa80`036e1570 00000000`00000000 fffffa80`018ed900 : nt!ObpLookupObjectName+0x588
fffff800`0416982c : 00000000`03277400 00000000`00000000 fffff8a0`02e1de01 fffff880`062b1b1c : nt!ObOpenObjectByName+0x306
fffff800`0416bc9f : 00000000`00126590 fffff880`00020019 00000000`00126618 00000000`00000000 : nt!CmOpenKey+0x28a
fffff800`03e998d3 : fffffa80`039d5660 fffff880`04168b60 00000000`00000000 00000000`00126b20 : nt!NtOpenKeyEx+0xf
00000000`778d226a : 00000000`77774172 00000000`001268a0 00000000`00000000 00000000`02fe8070 : nt!KiSystemServiceCopyEnd+0x13


Last edited 2020-4-24 05:36 by gdgdgdg, reason:

Latest replies (12)
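As an added example (not code from the thread), a small Python triage script over constructed, abbreviated copies of the three `kb` listings above: it checks that each dump is bugcheck 0x80 with the stack on the KiNmiInterruptStart -> KxNmiInterrupt -> KiProcessNMI -> KiFreezeTargetExecution path and extracts the frame the NMI landed on, so the "Probably caused by" module can be compared with where the NMI actually hit. The frame format and regexes are assumptions modelled on the listings in the post.

```python
import re

# Constructed sample input: bugcheck line, "Probably caused by" line and the
# first five `kb` frames of each of the three dumps quoted in the post (abbreviated).
DUMPS = ["""\
BugCheck 80, {4f4454, 0, 0, 0}
Probably caused by : HDAudBus.sys ( HDAudBus+3bf5 )
fffff800`03f49a5f : fffff800`054d8e70 : nt!KiFreezeTargetExecution+0x1e5
fffff800`03e97982 : fffffa80`024cb848 : nt!KiProcessNMI+0x2f
fffff800`03e977e3 : 00000000`00000000 : nt!KxNmiInterrupt+0x82
fffff880`057c9bf5 : fffff880`057ca21f : nt!KiNmiInterruptStart+0x163
fffff880`057ca21f : fffff880`04ddd103 : HDAudBus+0x3bf5
""", """\
BugCheck 80, {4f4454, 0, 0, 0}
Probably caused by : ntkrnlmp.exe ( nt!KiFreezeTargetExecution+1df )
fffff800`03f49a5f : fffff800`054d8e70 : nt!KiFreezeTargetExecution+0x1df
fffff800`03e97982 : 00000000`74483501 : nt!KiProcessNMI+0x2f
fffff800`03e977e3 : 00000000`00126858 : nt!KxNmiInterrupt+0x82
fffff800`04421a7b : fffff800`03ee6315 : nt!KiNmiInterruptStart+0x163
fffff800`03ee6315 : 00000000`00000002 : hal!HalProcessorIdle+0x2ab
""", """\
BugCheck 80, {4f4454, 0, 0, 0}
Probably caused by : ntkrnlmp.exe ( nt!KiFreezeTargetExecution+1dd )
fffff800`03f49a5f : fffff800`054d8e70 : nt!KiFreezeTargetExecution+0x1dd
fffff800`03e97982 : fffff8a0`06ff0f2c : nt!KiProcessNMI+0x2f
fffff800`03e977e3 : 00000000`00000000 : nt!KxNmiInterrupt+0x82
fffff800`03e913c0 : fffff800`03eb50d7 : nt!KiNmiInterruptStart+0x163
fffff800`03eb50d7 : 00000000`00000012 : nt!memcmp+0x30
"""]

# Innermost-to-outermost frames that make up the freeze-on-NMI path in the dumps.
NMI_CHAIN = ("nt!KiFreezeTargetExecution", "nt!KiProcessNMI", "nt!KxNmiInterrupt", "nt!KiNmiInterruptStart")
FRAME_RE = re.compile(r"^[0-9a-f`]{17} : .* : (\S+)$")  # RetAddr : args : Call Site

def parse_dump(text):
    """Pull the bugcheck code, its first argument, the blamed module and the `kb` call sites."""
    code, arg1 = re.search(r"BugCheck ([0-9a-f]+), \{([0-9a-f]+),", text).groups()
    cause = re.search(r"Probably caused by : (\S+)", text).group(1)
    frames = [m.group(1) for m in map(FRAME_RE.match, text.splitlines()) if m]
    return {"code": int(code, 16), "arg1": int(arg1, 16), "cause": cause, "frames": frames}

def interrupted_frame(frames):
    """Frame the NMI landed on, or None if the stack is not the NMI_CHAIN path."""
    names = [f.split("+")[0] for f in frames]
    return frames[4] if tuple(names[:4]) == NMI_CHAIN and len(frames) > 4 else None

def triage(dumps):
    """Do all dumps share bugcheck 0x80 and the NMI path, and where did each NMI hit?"""
    parsed = [parse_dump(d) for d in dumps]
    hits = [interrupted_frame(p["frames"]) for p in parsed]
    return {"all_nmi_hardware_failure": all(p["code"] == 0x80 for p in parsed),
            "all_on_nmi_path": all(h is not None for h in hits),
            "interrupted_at": hits,
            "distinct_blamed_modules": sorted({p["cause"] for p in parsed})}
```

Across the three listings the NMI path is identical while the interrupted frame changes (HDAudBus, hal!HalProcessorIdle, nt!memcmp), which is the "random crash location" the poster describes later in the thread.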
Reply #2
How did you determine that it is a triple fault?
What are you hooking the NMI for?
2020-4-23 08:27
Reply #3
Try doing the operation under an IPI?
2020-4-23 08:32
Reply #4
Bypassing PG?
2020-4-23 09:08
Reply #5
ZwCopyAll: Bypassing PG?
But a PG blue screen does not trigger a triple fault.
Last edited 2020-4-23 11:11 by luskyc, reason:
2020-4-23 11:10
Reply #6
@yy虫子yy The virtual machine died: an error occurred that caused the virtual CPU to enter the shut-down state. If this error had happened outside a virtual machine, it would have caused the physical machine to reboot.
vmware.log says TripleFault. I hook all IDT entries, iret, syscall and sysret; it is solved with VT; hardware breakpoints take up the slots.
Last edited 2020-4-23 16:23 by gdgdgdg, reason: aa
2020-4-23 16:22
Reply #7
NMI is a non-maskable interrupt.
That means the CPU must drop whatever it is doing to handle the NMI, and that handling is supposed to run uninterrupted.
If a VM-Exit happens at that point, it interrupts the NMI,
which makes the CPU fault and enter the shut-down state.
2020-4-24 07:09
Reply #8
@yy虫子yy I execute cpuid inside the IDT hook function to force VMware to take a VM-exit.
KiNmiInterrupt can be called normally and does not blow up.
2020-4-24 07:42
Reply #9
Load HDAudBus.sys properly and see where the problem is; it says the problem is in that driver, not in ntoskrnl.
2020-4-24 08:05
Reply #10
@ZwCopyAll The crash location is random. It runs normally for a while, and then on some NMI it dies.
2020-4-24 08:17
Reply #11
gdgdgdg @yy虫子yy I execute cpuid inside the IDT hook function to force VMware to take a VM-exit. KiNmiInterrupt can be called normally and does not blow up.
After the VM-Exit you are in the VMM, so of course the NMI works normally.
2020-4-24 08:19
Reply #12
yy虫子yy After the VM-Exit you are in the VMM, so of course the NMI works normally.
@yy虫子yy This is cpuid executed inside the NMI interrupt handler itself to cause the VM-exit.
2020-4-24 08:27
Reply #13
It is not a PG problem; the problem is that this function gets called too many times. You need to handle calls coming from other threads.
2020-7-20 09:23