-
-
未解决 [已解决]关于VT项目HyperBone的7E异常问题
-
发表于: 2023-6-18 00:15
-
最近在学习VT方面的知识,HyperBone是我在GitHub上看到很规范的一个项目。
驱动启动一会儿后,就会有7E的异常产生
1 | *** Fatal System Error: 0x0000007e |
然后神奇的是程序还能继续运行(不知道是不是它执行的,这时候我用windbg的analyze了),又跑到我Exit中的0号退出历程
1 2 | EXIT_REASON_EXCEPTION_NMI = 0,// Exception or non-maskable interrupt (NMI). |
然后他就正常跑,如图:
windbg分析的结果是到570行它挂掉了。
以下是windbg的输出结果,求助!求助!求助!
HyperBone: CPU 0: DriverEntry: Subverting started...
ExitHandler cnt: 1, reason: 28
ExitHandler cnt: 2, reason: 28
ExitHandler cnt: 3, reason: 28
ExitHandler cnt: 4, reason: 28
ExitHandler cnt: 5, reason: 28
ExitHandler cnt: 6, reason: 28
ExitHandler cnt: 7, reason: 28
ExitHandler cnt: 8, reason: 28
ExitHandler cnt: 9, reason: 28
ExitHandler cnt: 10, reason: 28
ExitHandler cnt: 11, reason: 28
ExitHandler cnt: 12, reason: 28
ExitHandler cnt: 13, reason: 28
ExitHandler cnt: 14, reason: 28
ExitHandler cnt: 15, reason: 28
ExitHandler cnt: 16, reason: 28
ExitHandler cnt: 17, reason: 28
ExitHandler cnt: 18, reason: 28
ExitHandler cnt: 19, reason: 28
ExitHandler cnt: 20, reason: 28
ExitHandler cnt: 21, reason: 48
ExitHandler cnt: 22, reason: 48
ExitHandler cnt: 23, reason: 48
ExitHandler cnt: 24, reason: 10
ExitHandler cnt: 25, reason: 10
ExitHandler cnt: 26, reason: 10
ExitHandler cnt: 27, reason: 10
ExitHandler cnt: 28, reason: 31
ExitHandler cnt: 29, reason: 32
ExitHandler cnt: 30, reason: 32
ExitHandler cnt: 31, reason: 32
ExitHandler cnt: 32, reason: 32
ExitHandler cnt: 33, reason: 32
ExitHandler cnt: 34, reason: 32
KDTARGET: Refreshing KD connection
* Fatal System Error: 0x0000007e
(0xFFFFFFFFC000001D,0xFFFFF80680BA35DB,0xFFFF8108B5050A28,0xFFFFF806832AF930)
ExitHandler cnt: 35, reason: 0
HyperBone: CPU 0: VmExitEvent: int3 EIP = 0xFFFFF80680C70F30
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff806 80c70f30 cc int 3
kd> !analyze -v
Connected to Windows 10 18362 x64 target at (Sat Jun 17 23:21:15.108 2023 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
..............................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.................................
................................................................
........................................................
Loading User Symbols
....................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............
Loading unloaded module list
.........
- *
- Bugcheck Analysis *
- *
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: fffff80680ba35db, The address that the exception occurred at
Arg3: ffff8108b5050a28, Exception Record Address
Arg4: fffff806832af930, Context Record Address
Debugging Details:
KEY_VALUES_STRING: 1
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202
DUMP_TYPE: 0
BUGCHECK_P1: ffffffffc000001d
BUGCHECK_P2: fffff80680ba35db
BUGCHECK_P3: ffff8108b5050a28
BUGCHECK_P4: fffff806832af930
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - <Unable to get error code text>
FAULTING_IP:
nt!KiFlushRangeWorker+8b
fffff806 80ba35db 66440f38826c2420 invpcid r13d,oword ptr [rsp+20h]
EXCEPTION_RECORD: ffff8108b5050a28 -- (.exr 0xffff8108b5050a28)
ExceptionAddress: fffff80680ba35db (nt!KiFlushRangeWorker+0x000000000000008b)
ExceptionCode: c000001d (Illegal instruction)
ExceptionFlags: 00000000
NumberParameters: 0
CONTEXT: fffff806832af930 -- (.cxr 0xfffff806832af930)
rax=0000000000000000 rbx=0000000000000000 rcx=ffff8400d7b7d8f0
rdx=000000000000003d rsi=ffff8400d7b7d8f0 rdi=000000000000003d
rip=fffff80680c70f55 rsp=ffff8400d7b7d8c8 rbp=ffff8400d7b7d970
r8=000000000000004d r9=0000000000000000 r10=0000000000000000
r11=ffff8400d7b7d850 r12=0000000000000000 r13=000000000000004d
r14=0000000000000080 r15=fffff80680c7c2e0
iopl=0 nv up di pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000006
nt!DebugPrint+0x15:
fffff806 80c70f55 c3 ret
Resetting default scope
CPU_COUNT: 1
CPU_MHZ: 900
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 9e
CPU_STEPPING: a
CPU_MICROCODE: 6,9e,a,0 (F,M,S,R) SIG: DE'00000000 (cache) DE'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: setup.exe
CURRENT_IRQL: c
ERROR_CODE: (NTSTATUS) 0xc000001d - <Unable to get error code text>
EXCEPTION_CODE_STR: c000001d
ANALYSIS_SESSION_HOST: DESKTOP-GU3S17R
ANALYSIS_SESSION_TIME: 06-17-2023 23:21:52.0076
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
BAD_STACK_POINTER: ffff8400d7b7d8c8
LAST_CONTROL_TRANSFER: from fffff80680bc5c01 to fffff80680c70f55
FAILED_INSTRUCTION_ADDRESS:
nt!KiFlushRangeWorker+8b
fffff806 80ba35db 66440f38826c2420 invpcid r13d,oword ptr [rsp+20h]
STACK_TEXT:
ffff8400 d7b7d8c8 fffff806 80bc5c01 : 00000000 00000000 ffff8400 d7b7d8f0 00000000 00000000 00000000 00000000 : nt!DebugPrint+0x15
ffff8400 d7b7d8d0 fffff806 80bc5b10 : 00000000 00000003 00000000 00000000 ffff8400 d7b7da44 fffff806 00000003 : nt!vDbgPrintExWithPrefixInternal+0x61
ffff8400 d7b7d9d0 fffff806 862c491c : ffffbd89 00000006 00000000 00000003 fffff806 00000001 00000000 00000000 : nt!DbgPrintEx+0x30
ffff8400 d7b7da10 fffff806 862c4efd : ffff8400 d7b7dad0 00000000 00000000 fffff806 862c71b0 00000000 00000023 : HyperV_x64!VmExitEvent+0x1bc [G:\VS2019\Driver\HyperV_x64\HyperV_x64\Arch\Intel\VmxExitHandlers.c @ 570]
ffff8400 d7b7da80 00000000 00000003 : ffff8400 d7b7db30 00000000 00000000 00000000 00000000 00000000 00000000 : HyperV_x64!VmxpExitHandler+0x22d [G:\VS2019\Driver\HyperV_x64\HyperV_x64\Arch\Intel\VmxExitHandlers.c @ 191]
ffff8400 d7b7db30 ffff8400 d7b7db30 : 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 : 0x3
ffff8400 d7b7db38 00000000 00000000 : 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 : 0xffff8400 d7b7db30
THREAD_SHA1_HASH_MOD_FUNC: 2ab55b243961d61cad12d6af6f35cf5cb5e8960f
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: d9195edd8e369ca9587e7d9db454bc1db9d7e95a
THREAD_SHA1_HASH_MOD: 293a07ca8f2227e7fbd016a8af4856ffd63c0a6f
FOLLOWUP_IP:
HyperV_x64!VmExitEvent+1bc [G:\VS2019\Driver\HyperV_x64\HyperV_x64\Arch\Intel\VmxExitHandlers.c @ 570]
fffff806 862c491c eb5f jmp HyperV_x64!VmExitEvent+0x21d (fffff806 862c497d)
FAULT_INSTR_CODE: 448b5feb
FAULTING_SOURCE_LINE: G:\VS2019\Driver\HyperV_x64\HyperV_x64\Arch\Intel\VmxExitHandlers.c
FAULTING_SOURCE_FILE: G:\VS2019\Driver\HyperV_x64\HyperV_x64\Arch\Intel\VmxExitHandlers.c
FAULTING_SOURCE_LINE_NUMBER: 570
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: HyperV_x64!VmExitEvent+1bc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: HyperV_x64
IMAGE_NAME: HyperV_x64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 648dcec1
STACK_COMMAND: .cxr 0xfffff806832af930 ; kb
BUCKET_ID_FUNC_OFFSET: 1bc
FAILURE_BUCKET_ID: AV_STACKPTR_ERROR_BAD_IP_HyperV_x64!VmExitEvent
BUCKET_ID: AV_STACKPTR_ERROR_BAD_IP_HyperV_x64!VmExitEvent
PRIMARY_PROBLEM_CLASS: AV_STACKPTR_ERROR_BAD_IP_HyperV_x64!VmExitEvent
TARGET_TIME: 2023-06-17T15:20:57.000Z
OSBUILD: 18362
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 190318-1202
BUILDLAB_STR: 19h1_release
BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202
ANALYSIS_SESSION_ELAPSED_TIME: 23e4
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_stackptr_error_bad_ip_hyperv_x64!vmexitevent
FAILURE_ID_HASH: {dda8d435-ec2a-6915-1c7d-e88e1e4f2ca1}
Followup: MachineOwner
---------
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
代码里面确实 没有 CR8 MOV 的处理,也没有 LMSW 和 CLTS 的处理。 如果对应这些指令对应数值出现,那么代码应该跑到switch的 default分支,输出: 对了,我u了一下那 四个地址 第二个地址 kd> u fffff80680ba35db nt!KiFlushRangeWorker+0x8b: fffff806`80ba35db 66440f38826c2420 invpcid r13d,oword ptr [rsp+20h] fffff806`80ba35e3 0f013b invlpg [rbx] fffff806`80ba35e6 488bcb mov rcx,rbx fffff806`80ba35e9 41be00100000 mov r14d,1000h fffff806`80ba35ef 48c1e90a shr rcx,0Ah fffff806`80ba35f3 488beb mov rbp,rbx fffff806`80ba35f6 80e103 and cl,3 fffff806`80ba35f9 0fb6c1 movzx eax,cl 挂在这儿了
最后于 2023-6-18 11:37
被hr_0515编辑
,原因:
|
|
|
|
|
|
|
|
|
感谢大佬 解决了 强!!! |
