Hello, i want to hook epage but i always got BSOD when do it, can you help me solve it?here my snippet:
PVOID hkMmMapIoSpace(
PHYSICAL_ADDRESS PhysicalAddress,
SIZE_T NumberOfBytes,
MEMORY_CACHING_TYPE CacheType
)
{
DbgPrint("hook mapio\n");
vcpu_vmfunc(EPTP_NORMAL, 0);
void *ret = MmMapIoSpace(PhysicalAddress, NumberOfBytes, CacheType);
vcpu_vmfunc(EPTP_EXHOOK, 0);
return ret;
}
then i hook epage after ksm ready :
RtlInitUnicodeString(&deviceLink, KSM_DOS_NAME);
if (NT_SUCCESS(status = IoCreateSymbolicLink(&deviceLink, &deviceName))) {
KSM_DEBUG_RAW("ready\n");
ksm->host_pgd = __readcr3();
ksm_hook_epage(MmMapIoSpace, hkMmMapIoSpace);
goto out;
}
then BSOD, here the log:
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 17763 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff80232e0f000 PsLoadedModuleList = 0xfffff802
3322a790
Debug session time: Fri May 3 07:22:57.372 2019 (UTC + 7:00)
System Uptime: 0 days 0:03:14.058
Loading Kernel Symbols
.....................................Page 2002ed57e too large to be in the dump file.
Page 2002efe7d too large to be in the dump file.
..........................
....Page 2002fa078 too large to be in the dump file.
............................................................
................................................................
................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000a2`fb19b018). Type ".hh dbgerr001" for details
Loading unloaded module list
.........
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {ffffffffc000001d, fffff8023813111c, ffff9605aba08080, 0}
Probably caused by : ksm.sys ( ksm!__vmx_vmcall+0 )
Followup: MachineOwner
1: kd> !analyze -v
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: fffff8023813111c, The address that the exception occurred at
Arg3: ffff9605aba08080, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception
Debugging Details:
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434
SYSTEM_MANUFACTURER: Micro-Star International Co., Ltd.
SYSTEM_PRODUCT_NAME: GT72 2QD
SYSTEM_SKU: To be filled by O.E.M.
SYSTEM_VERSION: REV:0.C
BIOS_VENDOR: American Megatrends Inc.
BIOS_VERSION: E1781IMS.316
BIOS_DATE: 09/23/2015
BASEBOARD_MANUFACTURER: Micro-Star International Co., Ltd.
BASEBOARD_PRODUCT: MS-1781
BASEBOARD_VERSION: REV:0.C
DUMP_TYPE: 1
BUGCHECK_P1: ffffffffc000001d
BUGCHECK_P2: fffff8023813111c
BUGCHECK_P3: ffff9605aba08080
BUGCHECK_P4: 0
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.
FAULTING_IP:
ksm!__vmx_vmcall+0 [E:\Source\ksm\vmx.asm @ 287]
fffff802`3813111c 0f01c1 vmcall
EXCEPTION_PARAMETER1: ffff9605aba08080
BUGCHECK_STR: 0x1E_c000001d
CPU_COUNT: 8
CPU_MHZ: a86
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 47
CPU_STEPPING: 1
CPU_MICROCODE: 6,47,1,0 (F,M,S,R) SIG: 1D'00000000 (cache) 1D'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: NVDisplay.Container.exe
CURRENT_IRQL: 2
ANALYSIS_SESSION_HOST: DESKTOP-6P18NJQ
ANALYSIS_SESSION_TIME: 05-03-2019 07:24:27.0595
ANALYSIS_VERSION: 10.0.17763.132 amd64fre
DPC_STACK_BASE: FFFF938C8EE37FB0
LAST_CONTROL_TRANSFER: from fffff8023309d07e to fffff80232fc2730
FAILED_INSTRUCTION_ADDRESS:
ksm!__vmx_vmcall+0 [E:\Source\ksm\vmx.asm @ 287]
fffff802`3813111c 0f01c1 vmcall
STACK_TEXT:
ffff938c8ee36a38 fffff802
3309d07e : 000000000000001e ffffffff
c000001d fffff8023813111c ffff9605
aba08080 : nt!KeBugCheckEx
ffff938c8ee36a40 fffff802
32fcb222 : fffff802332f2000 fffff802
32e0f000 0005be3c00a6e000 00000000
0010001f : nt!KiFatalExceptionHandler+0x22
ffff938c8ee36a80 fffff802
32f24240 : ffff938c8ee370d0 00000000
00000000 ffff938c8ee36ff0 00000000
00000000 : nt!RtlpExecuteHandlerForException+0x12
ffff938c8ee36ab0 fffff802
32e31ac4 : ffff938c8ee379e8 ffff938c
8ee37730 ffff938c8ee379e8 ffff938c
93bdf630 : nt!RtlDispatchException+0x430
ffff938c8ee37200 fffff802
32fd3f42 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiDispatchException+0x144
ffff938c8ee378b0 fffff802
32fce78e : ffff960500000000 ffffad00
8836af08 0000000000000000 fffff802
32ef68af : nt!KiExceptionDispatch+0xc2
ffff938c8ee37a90 fffff802
3813111c : fffff802381312ba 00000000
00400a02 0000000000000000 00000000
00000000 : nt!KiInvalidOpcodeFault+0x30e
ffff938c8ee37c28 fffff802
381312ba : 0000000000400a02 00000000
00000000 0000000000000000 ffffad00
88367f90 : ksm!__vmx_vmcall [E:\Source\ksm\vmx.asm @ 287]
ffff938c8ee37c30 fffff802
32e88577 : ffffad0088367f80 ffff9605
a0bbb000 ffff938c8ee37d60 00000000
00000000 : ksm!__percpu___do_hook_page+0x1a [e:\source\ksm\epage.c @ 95]
ffff938c8ee37c60 fffff802
32e87bbe : ffffad0088365180 00000000
00000000 0000000000000002 00000000
00000004 : nt!KiExecuteAllDpcs+0x2e7
ffff938c8ee37da0 fffff802
32fc9595 : 0000000000000000 ffffad00
88365180 ffff938c90617b40 00000000
00000000 : nt!KiRetireDpcList+0x1ae
ffff938c8ee37fb0 fffff802
32fc9380 : 0000000000000102 00000000
00000000 00007ffad95897f0 00000000
00000560 : nt!KxRetireDpcList+0x5
ffff938c90617a90 fffff802
32fc8a6c : ffff9605aba08080 000000a2
fbffca98 ffff938c90617a98 ffff9605
aba7fc60 : nt!KiDispatchInterruptContinue
ffff938c90617ac0 00007ffa
d970995d : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiDpcInterrupt+0x2dc
000000a2fbffd470 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : 0x00007ffa`d970995d
THREAD_SHA1_HASH_MOD_FUNC: a8a9c7b3fbf112c4a80644be074a7883be953ef0
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 93e92b7c547e03d379abd7930fd410f934b1f49c
THREAD_SHA1_HASH_MOD: 390a9432c7ea7ec685200dfa4bb581b24db674b6
FOLLOWUP_IP:
ksm!__vmx_vmcall+0 [E:\Source\ksm\vmx.asm @ 287]
fffff802`3813111c 0f01c1 vmcall
FAULT_INSTR_CODE: fc1010f
FAULTING_SOURCE_LINE: E:\Source\ksm\vmx.asm
FAULTING_SOURCE_FILE: E:\Source\ksm\vmx.asm
FAULTING_SOURCE_LINE_NUMBER: 287
FAULTING_SOURCE_CODE:
283: hlt ; not reached
284: jmp do_hlt
285: __vmx_entrypoint ENDP
286:
287: __vmx_vmcall PROC
288: ; assumes:
289: ; rcx = hypercall
290: ; rdx = data
291: vmcall
292: setna al
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: ksm!__vmx_vmcall+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ksm
IMAGE_NAME: ksm.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5ccb89d0
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 0
FAILURE_BUCKET_ID: 0x1E_c000001d_BAD_IP_ksm!__vmx_vmcall
BUCKET_ID: 0x1E_c000001d_BAD_IP_ksm!__vmx_vmcall
PRIMARY_PROBLEM_CLASS: 0x1E_c000001d_BAD_IP_ksm!__vmx_vmcall
TARGET_TIME: 2019-05-03T00:22:57.000Z
OSBUILD: 17763
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2005-12-02 14:58:59
BUILDDATESTAMP_STR: 180914-1434
BUILDLAB_STR: rs5_release
BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434
ANALYSIS_SESSION_ELAPSED_TIME: 1031
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x1e_c000001d_bad_ip_ksm!__vmx_vmcall
FAILURE_ID_HASH: {dad81c61-e5b3-d117-68a0-fb68d4438f5e}
Followup: MachineOwner