Windows still has a BugCheck in win32k!SetProcessFlags (KeAttachProcess is entered twice, i.e. a nested attach). It can be reproduced by calling SetInformationJobObject for every job in the system.
PROCESS_NAME: csrss.exe
STACK_TEXT:
ffffd001`dd9250b8 fffff802`fabb6f8c : 00000000`00000005 ffffe000`cb29f540 ffffe000`c58c08c0 00000000`00000001 : nt!KeBugCheckEx
ffffd001`dd9250c0 fffff960`0015c6bb : fffff901`409b3010 ffffe000`ca3b5060 00000000`00000000 fffff960`001c86dc : nt! ?? ::FNODOBFM::`string'+0x490cc
ffffd001`dd925100 fffff960`0015c8d9 : 00000000`00000001 fffff901`409b3010 ffffd001`dfe6e000 fffff802`faa32fe0 : win32k!SetProcessFlags+0x2b
ffffd001`dd925160 fffff960`0015c88b : 00000000`00000000 00000000`00000000 ffffe000`ca3b5060 ffffd001`dd9252b0 : win32k!UpdateJob+0x41
ffffd001`dd925190 fffff802`fada62b2 : ffffe000`00000000 00000000`00000000 ffffe000`c59e76d0 00000000`00000000 : win32k!UserJobCallout+0x81fab
ffffd001`dd9251c0 fffff802`fae249d8 : ffffd001`dd925418 fffff802`fadec19e ffffe000`ca3b5060 00000000`00000000 : nt!ExCallSessionCallBack+0x8e
ffffd001`dd925260 fffff802`fae5354b : 00000000`00000000 00000000`00000000 ffffd001`dd925b80 00000000`00000000 : nt!PsInvokeWin32Callout+0xa8
ffffd001`dd9252a0 fffff802`fab691b3 : 00000000`00000001 00000000`00000004 00000000`0076fdb0 00000000`0086f5e8 : nt!NtSetInformationJobObject+0x72b
ffffd001`dd925b00 00007ffa`8a2b292a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0076e2f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`8a2b292a
0: kd> dps rsp L40
ffffd001`dd9250b8 fffff802`fabb6f8c nt! ?? ::FNODOBFM::`string'+0x490cc
ffffd001`dd9250c0 00000000`00000005
ffffd001`dd9250c8 ffffe000`cb29f540
ffffd001`dd9250d0 ffffe000`c58c08c0
ffffd001`dd9250d8 00000000`00000001
ffffd001`dd9250e0 00000000`00000000
ffffd001`dd9250e8 fffff802`fad0d180 nt!KiInitialPCR+0x180
ffffd001`dd9250f0 fffff901`400ea1d0
ffffd001`dd9250f8 fffff960`0015c6bb win32k!SetProcessFlags+0x2b
ffffd001`dd925100 fffff901`409b3010
ffffd001`dd925108 ffffe000`ca3b5060
ffffd001`dd925110 00000000`00000000
ffffd001`dd925118 fffff960`001c86dc win32k!EnterCritAvoidingDitHitTestHazard+0x1c
ffffd001`dd925120 00000000`001c2c02
ffffd001`dd925128 ffffd001`dd9251c0
ffffd001`dd925130 ffffe000`ca3b5060
ffffd001`dd925138 00000000`00000000
ffffd001`dd925140 00000000`00000000
ffffd001`dd925148 00001f80`00cc0040
ffffd001`dd925150 fffff901`400ea1d0
ffffd001`dd925158 fffff960`0015c8d9 win32k!UpdateJob+0x41
ffffd001`dd925160 00000000`00000001
ffffd001`dd925168 fffff901`409b3010
ffffd001`dd925170 ffffd001`dfe6e000
ffffd001`dd925178 fffff802`faa32fe0 nt!MmAttachSession+0x74
ffffd001`dd925180 00000000`00000000
ffffd001`dd925188 fffff960`0015c88b win32k!UserJobCallout+0x81fab
ffffd001`dd925190 00000000`00000000
ffffd001`dd925198 00000000`00000000
ffffd001`dd9251a0 ffffe000`ca3b5060
ffffd001`dd9251a8 ffffd001`dd9252b0
ffffd001`dd9251b0 ffffe000`c58c08c0
ffffd001`dd9251b8 fffff802`fada62b2 nt!ExCallSessionCallBack+0x8e
ffffd001`dd9251c0 ffffe000`00000000
nt!KeAttachProcess:
fffff802`fab0dc4c 48895c2408 mov qword ptr [rsp+8],rbx
fffff802`fab0dc51 48896c2410 mov qword ptr [rsp+10h],rbp
fffff802`fab0dc56 4889742418 mov qword ptr [rsp+18h],rsi
fffff802`fab0dc5b 57 push rdi
fffff802`fab0dc5c 4883ec30 sub rsp,30h
fffff802`fab0dc60 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
fffff802`fab0dc69 488bf1 mov rsi,rcx
fffff802`fab0dc6c 4c8b83b8000000 mov r8,qword ptr [rbx+0B8h]
fffff802`fab0dc73 4c3bc1 cmp r8,rcx
fffff802`fab0dc76 7454 je nt!KeAttachProcess+0x80 (fffff802`fab0dccc) Branch
nt!KeAttachProcess+0x2c:
fffff802`fab0dc78 8a8b42020000 mov cl,byte ptr [rbx+242h]
fffff802`fab0dc7e ba01000100 mov edx,10001h
fffff802`fab0dc83 84c9 test cl,cl
fffff802`fab0dc85 0f85e0920a00 jne nt! ?? ::FNODOBFM::`string'+0x490ab (fffff802`fabb6f6b) Branch ; jump to KeBugCheckEx
fffff802`fabb6f6b 658b04256c2f0000 mov eax,dword ptr gs:[2F6Ch]
fffff802`fabb6f73 440fb6c9 movzx r9d,cl
fffff802`fabb6f77 b905000000 mov ecx,5
fffff802`fabb6f7c 4823c2 and rax,rdx
fffff802`fabb6f7f 488bd6 mov rdx,rsi
fffff802`fabb6f82 4889442420 mov qword ptr [rsp+20h],rax
fffff802`fabb6f87 e8146afaff call nt!KeBugCheckEx (fffff802`fab5d9a0)
fffff802`fabb6f8c cc int 3
PoC code that can reproduce it. I don't have stable steps to reproduce; just run it as administrator and it happens. I don't want to continue investigating because it doesn't make sense.
// Clears all UI restrictions on one job object.
//
// hJobObject: a job handle owned by the caller (the caller closes it).
// The handle is first probed with JobObjectBasicAccountingInformation; if that
// query fails (e.g. the handle is not a job) nothing is changed. Otherwise the
// current UI restrictions are read, UIRestrictionsClass is zeroed and written
// back. The result of SetInformationJobObject is not checked, as in the
// original. The set call is the user-mode side of the
// nt!NtSetInformationJobObject -> win32k!UpdateJob path in the stack trace above.
VOID RemoveUIRestrictionsFromJob(HANDLE hJobObject)
{
    JOBOBJECT_BASIC_ACCOUNTING_INFORMATION accounting = {};
    // Probe query: bail out early when the handle does not answer as a job.
    if (!QueryInformationJobObject(hJobObject, JobObjectBasicAccountingInformation,
                                   &accounting, sizeof(accounting), NULL))
    {
        return;
    }

    JOBOBJECT_BASIC_UI_RESTRICTIONS restrictions = {};
    if (!QueryInformationJobObject(hJobObject, JobObjectBasicUIRestrictions,
                                   &restrictions, sizeof(restrictions), NULL))
    {
        return;
    }

    // Drop every restriction bit and push the structure back to the job.
    restrictions.UIRestrictionsClass = 0;
    SetInformationJobObject(hJobObject, JobObjectBasicUIRestrictions,
                            &restrictions, sizeof(restrictions));
}
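// Walks every handle in the system, duplicates each one that can be opened out
// of its owning process into this process, and calls RemoveUIRestrictionsFromJob
// on the duplicate. Handles that are not jobs simply fail inside that helper.
// Needs enough privilege to open other processes with PROCESS_ALL_ACCESS (the
// post says: run as administrator). Own handles are skipped by process id.
//
// Changes over the original: the ntdll lookup is NULL-checked before the
// function pointer is called; the buffer growth keeps a temporary so a failed
// realloc neither leaks the old buffer nor feeds a NULL pointer back into the
// query loop; handleInfo is initialised so every cleanup path is defined.
VOID RemoveRestrictsFromJobs(VOID)
{
    HMODULE ntdll = LoadLibraryW(L"ntdll.dll");
    if (!ntdll)
    {
        return;
    }
    _NtQuerySystemInformation NtQuerySystemInformation =
        (_NtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");
    if (!NtQuerySystemInformation)
    {
        return;
    }

    ULONG handleInfoSize = 0x10000;
    NTSTATUS Status = STATUS_INFO_LENGTH_MISMATCH;
    PSYSTEM_HANDLE_INFORMATION handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);

    // Grow the buffer (doubling) until the kernel accepts the size.
    while (handleInfo &&
           (Status = NtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL)) == STATUS_INFO_LENGTH_MISMATCH)
    {
        handleInfoSize *= 2;
        PSYSTEM_HANDLE_INFORMATION grown = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize);
        if (!grown)
        {
            // realloc failed: the old block is still valid and must be released here.
            free(handleInfo);
            return;
        }
        handleInfo = grown;
    }

    if (!handleInfo || !NT_SUCCESS(Status))
    {
        free(handleInfo);
        return;
    }

    const DWORD selfPid = GetCurrentProcessId();
    for (ULONG i = 0; i < handleInfo->HandleCount; i++)
    {
        const DWORD ownerPid = handleInfo->Handles[i].ProcessId;
        if (ownerPid == selfPid)
        {
            continue;
        }

        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ownerPid);
        if (!hProcess)
        {
            continue;
        }

        HANDLE DupHandle = NULL;
        if (DuplicateHandle(hProcess, (HANDLE)handleInfo->Handles[i].Handle, GetCurrentProcess(),
                            &DupHandle, JOB_OBJECT_ALL_ACCESS, FALSE, 0))
        {
            RemoveUIRestrictionsFromJob(DupHandle);
            CloseHandle(DupHandle);
        }
        CloseHandle(hProcess);
    }

    free(handleInfo);
}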