-
-
未解决 [求助]vmware虚拟机windbg双机调试测试模式下运行驱动修改cr0wp位必蓝屏 223雪币
-
发表于: 2026-1-7 06:13
-
我是windows内核驱动圈萌新,读写wp位蓝屏,可以稳定复现。
问过ai,也在搜索引擎里搜不到解决方案,特来求助。
代码如下
KIRQL inline_hook_manager::wp_bit_off()
{
//DbgBreakPoint();
////关闭CR0
auto irql = KeRaiseIrqlToDpcLevel();//关闭线程切换
UINT64 Cr0 = __readcr0();
Cr0 &= 0xfffffffffffeffff;
__writecr0(Cr0);
_disable();
return irql;
}cr0值都能读出来,单步f10跟走到__writecr0();就会蓝屏,环境VMware® Workstation 17 Pro,Windows 10 Pro, 64-bit (Build 19045.6466) 10.0.19045,bugcheckcode:
KDTARGET: Refreshing KD connection *** Fatal System Error: 0x0000007e (0xFFFFFFFFC0000096,0xFFFFF80473B5263F,0xFFFF808EFA3C7538,0xFFFFF8045D424920) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. For analysis of this file, run !analyze -v nt!DbgBreakPointWithStatus: fffff804`58c06f80 cc int 3
0: kd> g
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x0000007e
(0xFFFFFFFFC0000096,0xFFFFF8024AA2263F,0xFFFFBD0816782538,0xFFFF8A01017FA920)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff802`3ee06f80 cc int 3
1: kd> !analyze -v
Connected to Windows 10 19041 x64 target at (Sun Jan 4 21:10:16.468 2026 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..........................................................
Loading User Symbols
Loading unloaded module list
.....Unable to enumerate user-mode unloaded modules, Win32 error 0n30
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common BugCheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000096, The exception code that was not handled
Arg2: fffff8024aa2263f, The address that the exception occurred at
Arg3: ffffbd0816782538, Exception Record Address
Arg4: ffff8a01017fa920, Context Record Address
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 1015
Key : Analysis.Elapsed.mSec
Value: 7657
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 4
Key : Analysis.IO.Write.Mb
Value: 1
Key : Analysis.Init.CPU.mSec
Value: 843
Key : Analysis.Init.Elapsed.mSec
Value: 136141
Key : Analysis.Memory.CommitPeak.Mb
Value: 73
Key : Analysis.Version.DbgEng
Value: 10.0.29482.1003
Key : Analysis.Version.Description
Value: 10.2509.29.03 amd64fre
Key : Analysis.Version.Ext
Value: 1.2509.29.3
Key : Bugcheck.Code.KiBugCheckData
Value: 0x7e
Key : Bugcheck.Code.LegacyAPI
Value: 0x7e
Key : Bugcheck.Code.TargetModel
Value: 0x7e
Key : Failure.Bucket
Value: 0x7E_C0000096_inline_hook_framework!inline_hook_manager::wp_bit_off
Key : Failure.Exception.Code
Value: 0xc0000096
Key : Failure.Exception.IP.Address
Value: 0xfffff8024aa2263f
Key : Failure.Exception.IP.Module
Value: inline_hook_framework
Key : Failure.Exception.IP.Offset
Value: 0x263f
Key : Failure.Exception.Record
Value: 0xffffbd0816782538
Key : Failure.Hash
Value: {e5b694c0-6499-05fb-b6cd-5e71ebb66b58}
Key : Faulting.IP.Type
Value: Paged
Key : Hypervisor.Enlightenments.Value
Value: 13088
Key : Hypervisor.Enlightenments.ValueHex
Value: 0x3320
Key : Hypervisor.Flags.AnyHypervisorPresent
Value: 1
Key : Hypervisor.Flags.ApicEnlightened
Value: 0
Key : Hypervisor.Flags.ApicVirtualizationAvailable
Value: 0
Key : Hypervisor.Flags.AsyncMemoryHint
Value: 0
Key : Hypervisor.Flags.CoreSchedulerRequested
Value: 0
Key : Hypervisor.Flags.CpuManager
Value: 0
Key : Hypervisor.Flags.DeprecateAutoEoi
Value: 1
Key : Hypervisor.Flags.DynamicCpuDisabled
Value: 0
Key : Hypervisor.Flags.Epf
Value: 0
Key : Hypervisor.Flags.ExtendedProcessorMasks
Value: 0
Key : Hypervisor.Flags.HardwareMbecAvailable
Value: 0
Key : Hypervisor.Flags.MaxBankNumber
Value: 0
Key : Hypervisor.Flags.MemoryZeroingControl
Value: 0
Key : Hypervisor.Flags.NoExtendedRangeFlush
Value: 1
Key : Hypervisor.Flags.NoNonArchCoreSharing
Value: 0
Key : Hypervisor.Flags.Phase0InitDone
Value: 1
Key : Hypervisor.Flags.PowerSchedulerQos
Value: 0
Key : Hypervisor.Flags.RootScheduler
Value: 0
Key : Hypervisor.Flags.SynicAvailable
Value: 1
Key : Hypervisor.Flags.UseQpcBias
Value: 0
Key : Hypervisor.Flags.Value
Value: 536632
Key : Hypervisor.Flags.ValueHex
Value: 0x83038
Key : Hypervisor.Flags.VpAssistPage
Value: 1
Key : Hypervisor.Flags.VsmAvailable
Value: 0
Key : Hypervisor.RootFlags.AccessStats
Value: 0
Key : Hypervisor.RootFlags.CrashdumpEnlightened
Value: 0
Key : Hypervisor.RootFlags.CreateVirtualProcessor
Value: 0
Key : Hypervisor.RootFlags.DisableHyperthreading
Value: 0
Key : Hypervisor.RootFlags.HostTimelineSync
Value: 0
Key : Hypervisor.RootFlags.HypervisorDebuggingEnabled
Value: 0
Key : Hypervisor.RootFlags.IsHyperV
Value: 0
Key : Hypervisor.RootFlags.LivedumpEnlightened
Value: 0
Key : Hypervisor.RootFlags.MapDeviceInterrupt
Value: 0
Key : Hypervisor.RootFlags.MceEnlightened
Value: 0
Key : Hypervisor.RootFlags.Nested
Value: 0
Key : Hypervisor.RootFlags.StartLogicalProcessor
Value: 0
Key : Hypervisor.RootFlags.Value
Value: 0
Key : Hypervisor.RootFlags.ValueHex
Value: 0x0
Key : SecureKernel.HalpHvciEnabled
Value: 0
Key : Stack.Pointer
Value: PRCBException
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 7e
BUGCHECK_P1: ffffffffc0000096
BUGCHECK_P2: fffff8024aa2263f
BUGCHECK_P3: ffffbd0816782538
BUGCHECK_P4: ffff8a01017fa920
FAULTING_THREAD: ffffbe07deb4c080
EXCEPTION_RECORD: ffffbd0816782538 -- (.exr 0xffffbd0816782538)
ExceptionAddress: fffff8024aa2263f (inline_hook_framework!inline_hook_manager::wp_bit_off+0x000000000000002f)
ExceptionCode: c0000096
ExceptionFlags: 00000000
NumberParameters: 0
CONTEXT: ffff8a01017fa920 -- (.cxr 0xffff8a01017fa920)
rax=0000000080040033 rbx=ffffbe07e3c34000 rcx=0000000000000000
rdx=ffffbd0816782770 rsi=fffff8024aa2423e rdi=ffffbe07de50301e
rip=fffff8024aa2263f rsp=ffffbd0816782770 rbp=ffffbd0816782a20
r8=0000000000000012 r9=fffff8024aa24230 r10=0000000000001001
r11=0000000000000002 r12=ffffd20a17444f50 r13=ffffffff800026c8
r14=0000000000000000 r15=ffffbe07e3b15e30
iopl=0 nv up ei ng nz na pe cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050283
inline_hook_framework!inline_hook_manager::wp_bit_off+0x2f:
fffff802`4aa2263f 0f22c0 mov cr0,rax
Resetting default scope
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000096 - { }
EXCEPTION_CODE_STR: c0000096
EXCEPTION_STR: 0xc0000096
IP_IN_PAGED_CODE:
inline_hook_framework!inline_hook_manager::wp_bit_off+2f [C:\Users\Administrator\source\repos\lab1-inline_hook_framework\inline_hook_framework\inline_hook.cpp @ 15]
fffff802`4aa2263f 0f22c0 mov cr0,rax
STACK_TEXT:
ffffbd08`16782770 fffff802`4aa225c1 : ffffbe07`de503000 fffff802`4aa24230 00000000`00000012 fffff802`4aa24230 : inline_hook_framework!inline_hook_manager::wp_bit_off+0x2f [C:\Users\Administrator\source\repos\lab1-inline_hook_framework\inline_hook_framework\inline_hook.cpp @ 15]
ffffbd08`167827b0 fffff802`4aa211f7 : ffffbe07`de503000 fffff802`4aa24230 fffff802`4aa21000 00000000`00002710 : inline_hook_framework!inline_hook_manager::inline_hook+0x181 [C:\Users\Administrator\source\repos\lab1-inline_hook_framework\inline_hook_framework\inline_hook.cpp @ 57]
ffffbd08`16782850 fffff802`4aa26020 : ffffbe07`e3b15e30 ffffbe07`e3c34000 ffffbe07`e3c34000 fffff802`3f3b418e : inline_hook_framework!DriverEntry+0x37 [C:\Users\Administrator\source\repos\lab1-inline_hook_framework\inline_hook_framework\DriverMain.cpp @ 89]
ffffbd08`16782890 fffff802`3f16fff0 : ffffbe07`e3c34000 00000000`00000000 00000000`00000000 ffffbd08`16782a20 : inline_hook_framework!GsDriverEntry+0x20 [minkernel\tools\gs_support\kmodefastfail\gs_driverentry.c @ 47]
ffffbd08`167828c0 fffff802`3f13d10d : 00000000`0000002c 00000000`00000000 00000000`00000000 00000000`00001000 : nt!PnpCallDriverEntry+0x4c
ffffbd08`16782920 fffff802`3f180697 : 00000000`00000000 00000000`00000000 fffff802`3f725440 00000000`00000000 : nt!IopLoadDriver+0x4e5
ffffbd08`16782af0 fffff802`3ec418f5 : ffffbe07`00000000 ffffffff`800026c8 ffffbe07`deb4c080 00000000`00000000 : nt!IopLoadUnloadDriver+0x57
ffffbd08`16782b30 fffff802`3ed5d6e5 : ffffbe07`deb4c080 00000000`00000080 ffffbe07`dea7d080 00000000`00000000 : nt!ExpWorkerThread+0x105
ffffbd08`16782bd0 fffff802`3ee065c8 : ffff8a01`017a8180 ffffbe07`deb4c080 fffff802`3ed5d690 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffbd08`16782c20 00000000`00000000 : ffffbd08`16783000 ffffbd08`1677c000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
FAULTING_SOURCE_LINE: C:\Users\Administrator\source\repos\lab1-inline_hook_framework\inline_hook_framework\inline_hook.cpp
FAULTING_SOURCE_FILE: C:\Users\Administrator\source\repos\lab1-inline_hook_framework\inline_hook_framework\inline_hook.cpp
FAULTING_SOURCE_LINE_NUMBER: 15
FAULTING_SOURCE_CODE:
12: auto irql = KeRaiseIrqlToDpcLevel();
13: UINT64 Cr0 = __readcr0();
14: Cr0 &= 0xfffffffffffeffff;
> 15: __writecr0(Cr0);
16: _disable();
17: return irql;
18: }
19:
20:
SYMBOL_NAME: inline_hook_framework!inline_hook_manager::wp_bit_off+2f
MODULE_NAME: inline_hook_framework
IMAGE_NAME: inline_hook_framework.sys
STACK_COMMAND: .cxr 0xffff8a01017fa920 ; kb
BUCKET_ID_FUNC_OFFSET: 2f
FAILURE_BUCKET_ID: 0x7E_C0000096_inline_hook_framework!inline_hook_manager::wp_bit_off
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {e5b694c0-6499-05fb-b6cd-5e71ebb66b58}
Followup: MachineOwner
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.虚拟机和物理机的windows安全中心->内核隔离->内存完整性均关闭,vbs基于虚拟化的安全性处于关闭状态,windows系统功能hyperv关闭,windows虚拟机监控程序平台关闭。
物理机四个是,如图。虚拟机win+r,msinfo32显示已检测到虚拟机监控程序,将不显示Hyper-V所需的功能。
[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!
|
|
|---|---|
|
|
|
|
|
谢谢宝宝,我这就检查 |
|
|
还是没解决 
|
|
|
源码发出来看看 |
|
|
|
|
|
|
|
|
//h #pragma once
#include <ntifs.h>
#include <ntddk.h>
#include <intrin.h>
#define MAX_HOOK_COUNT 0x100
typedef struct _HOOK_INFO {
void* ori_func_addr;
unsigned char SavedCode[14];
}HOOK_INFO, * PHOOK_INFO;
class inline_hook_manager {
public:
bool inline_remove_hook(void* ori_func_addr);
bool inline_hook(void** ori_func_addr, void* target_func);
void* create_tramp_line(char* target_func, UINT64 break_bytes_count, char* break_bytes);
KIRQL wp_bit_off();
void wp_bit_on(KIRQL);
static inline_hook_manager* fn_get_instance();
private:
static inline_hook_manager* instance;
UINT64 m_cur_hook_count;
HOOK_INFO m_info[MAX_HOOK_COUNT];
unsigned char* m_tramp_line;
UINT64 m_tramp_line_used;
};//cpp #include "inline_hook.h"
#include "hde64.h"
inline_hook_manager* inline_hook_manager::instance;
KIRQL inline_hook_manager::wp_bit_off()
{
//DbgBreakPoint();
////关闭CR0
auto irql = KeRaiseIrqlToDpcLevel();//关闭线程切换
UINT64 Cr0 = __readcr0();
Cr0 &= 0xfffffffffffeffff;
__writecr0(Cr0);
_disable();
return irql;
}
// (对应原代码片段3)
void inline_hook_manager::wp_bit_on(KIRQL irql)
{
////开启CR0
UINT64 Cr0 = __readcr0();
Cr0 |= 0x10000;
_enable();
__writecr0(Cr0);
KeLowerIrql(irql);
}
bool inline_hook_manager::inline_hook(void** ori_func_addr, void* target_func)
{
if (m_cur_hook_count >= MAX_HOOK_COUNT) return false;
UINT64 break_byte_count = 0;
char* ori_func = (char*)ori_func_addr;
hde64s hde{ 0 };
while (break_byte_count < 14) {
hde64_disasm(ori_func + break_byte_count, &hde);
break_byte_count += hde.len;
}
auto& info = instance->m_info;
info[m_cur_hook_count].ori_func_addr = ori_func;
memcpy(info[m_cur_hook_count].SavedCode, ori_func, 14);
*ori_func_addr = create_tramp_line(ori_func, break_byte_count, ori_func);
char jmp_code[14] = { 0xff,0x25,0x00,0,0,0,0,0,0,0,0,0,0,0 };
*((ULONG64*)(&jmp_code[6])) = (ULONG64)target_func;
auto irql = wp_bit_off();
memcpy(ori_func, jmp_code, 14);
wp_bit_on(irql);
return true;
}
void* inline_hook_manager::create_tramp_line(char* target_func, UINT64 break_bytes_count, char* break_bytes)
{
const ULONG TrampLineBreakBytes = 20;
unsigned char TrampLineCode[TrampLineBreakBytes] = { //push xxx mov ret 不影响任何寄存器
0x6A, 0x00, 0x3E, 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00,
0x3E, 0xC7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xC3
};
//复制绝对跳转
*((PUINT32)&TrampLineCode[6]) = (UINT32)(((uint64_t)target_func + break_bytes_count) & 0xFFFFFFFF);
*((PUINT32)&TrampLineCode[15]) = (UINT32)((((uint64_t)target_func + break_bytes_count) >> 32) & 0xFFFFFFFF);
auto& used = instance->m_tramp_line_used;
auto& tramp_line_base = instance->m_tramp_line;
//复制原先毁掉的字节
RtlCopyMemory(tramp_line_base + used, break_bytes, break_bytes_count);
RtlCopyMemory(tramp_line_base + used + break_bytes_count, TrampLineCode, sizeof(TrampLineCode));
auto ret = tramp_line_base + used;
used += TrampLineBreakBytes + break_bytes_count;
return ret;
}
inline_hook_manager* inline_hook_manager::fn_get_instance()
{
if (instance == 0) {
instance = (inline_hook_manager*)ExAllocatePoolWithTag(NonPagedPool, sizeof(inline_hook_manager), 'HOOK');
instance->m_cur_hook_count = 0;
RtlSecureZeroMemory(instance->m_info, sizeof(HOOK_INFO) * MAX_HOOK_COUNT);
instance->m_tramp_line = (unsigned char*)ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, 'Line');
instance->m_tramp_line_used = 0;
}
return instance;
} |
|
|
|
|
|
我不清楚能不能再加雪币了,如果能解决,小的在这磕头了,并有答谢! |
|
|
那个内存完整性是灰的应该是没开,环境: |
|
|
好像跟vt有关,最近再学学
 帖子删不了了,大家不要嘲讽我我之前不懂
|
|
|
用mdl了,不用wp位了,虽然说我朋友能直接在虚拟机里修改cr0,但是不重要了,我将拥护新王mdl
|
