[经验]一种可能引发KERNEL_SECURITY_CHECK_FAILURE蓝屏的编码方式

Tesla.Angela 发表于 2017-10-31 20:14:18

早在XP时代，写驱动代码没什么限制，一些人在调用PsSetCreateProcessNotify之类的函数的时，喜欢把回调函数指向一片可以执行的BUFFER。
但是到了WIN10时代，就没这出戏唱啦。当系统检查到系统回调（类似CreateProcessNotify、CreateThreadNotify）的地址不在代码地址分段的时候，就会引发这个蓝屏。
测试：在任意WIN64系统上，你把『驱动里任意一个函数的地址』、『任意NonPagedPool类型地址』『任意PagedPool类型地址』分别打印一下，你会发现地址的区别是非常明显的，它们不在同一个4GB里。
由于这个变化，导致我教程里一个做法就需要修改了：**** Hidden Message *****补充知识：AMD64地址划分（来自MIAMD.H）。/*++

Virtual Memory Layout on the AMD64 is:

            +------------------------------------+
0000000000000000 | User mode addresses - 8tb minus 64k|
            |                                  |
            |                                  |
000007FFFFFEFFFF |                                  | MM_HIGHEST_USER_ADDRESS
            +------------------------------------+
000007FFFFFF0000 | 64k No Access Region             | MM_USER_PROBE_ADDRESS
000007FFFFFFFFFF |                                  |
            +------------------------------------+

                              .
            +------------------------------------+
FFFF080000000000 | Start of System space          | MM_SYSTEM_RANGE_START
            +------------------------------------+
FFFFF68000000000 | 512gb four level page table map. | PTE_BASE
            +------------------------------------+
FFFFF70000000000 | HyperSpace - working set lists | HYPER_SPACE
            | and per process memory management|
            | structures mapped in this 512gb |
            | region.                         | HYPER_SPACE_END
            +------------------------------------+ MM_WORKING_SET_END
FFFFF78000000000 | Shared system page             | KI_USER_SHARED_DATA
            +------------------------------------+
FFFFF78000001000 | The system cache working set    | MM_SYSTEM_CACHE_WORKING_SET
            | information resides in this    |
            | 512gb-4k region.                |
            |                                  |
            +------------------------------------+
                              .
                              .
Note the ranges below are sign extended for > 43 bits and therefore
can be used with interlocked slists.The system address space above is NOT.
                              .
                              .
            +------------------------------------+
FFFFF80000000000 |                                  | MM_KSEG0_BASE
            | Mappings initialized by the loader.| MM_KSEG2_BASE
            +------------------------------------+
FFFFF90000000000 | win32k.sys                      |
            |                                  |
            | Hydra configurations have session|
            | data structures here.          |
            |                                  |
            | This is a 512gb region.          |
            +------------------------------------+
            |                                  | MM_SYSTEM_SPACE_START
FFFFF98000000000 | System cache resides here.       | MM_SYSTEM_CACHE_START
            |Kernel mode access only.       |
            |1tb.                            |
            |                                  | MM_SYSTEM_CACHE_END
            +------------------------------------+
FFFFFA8000000000 | Start of paged system area.    | MM_PAGED_POOL_START
            |Kernel mode access only.       |
            |128gb.                         |
            +------------------------------------+
            | System mapped views start just |
            | after paged pool.Default is    |
            | 104MB, can be registry-overridden. |
            | 8GB maximum.                   |
            |                                  |
            +------------------------------------+
FFFFFAA000000000 | System PTE pool.                | MM_LOWEST_NONPAGED_SYSTEM_START
            |Kernel mode access only.       |
            |128gb.                         |
            +------------------------------------+
FFFFFAC000000000 | NonPaged pool.                   | MM_NON_PAGED_POOL_START
            |Kernel mode access only.       |
            |128gb.                         |
            |                                  |
FFFFFADFFFFFFFFF |NonPaged System area          | MM_NONPAGED_POOL_END
            +------------------------------------+
                              .
                              .
                              .
                              .
            +------------------------------------+
FFFFFFFF80000000 |                                  |
            | Reserved for the HAL. 2gb.       |
FFFFFFFFFFFFFFFF |                                  | MM_SYSTEM_SPACE_END
            +------------------------------------+

--*/

CleanLove 发表于 2017-10-31 20:19:35

沙发~谢谢分享~~

3207145141 发表于 2017-10-31 20:19:48

学习一下.

zjr230506 发表于 2017-10-31 20:21:08

WIN10屁事越来越多

brucep555 发表于 2017-10-31 20:29:31

顶一顶

liwen930723 发表于 2017-10-31 20:32:14

最近刚好遇到这个蓝屏代码，我来看看是不是这个原因

flac 发表于 2017-10-31 21:42:41

感谢分享，学习新知识

NOW刘 发表于 2017-10-31 22:19:54

还是看看了=-=

黄枫叶 发表于 2017-10-31 23:45:03

看看

basketwill 发表于 2017-11-1 10:53:24

学习了

hanfengyuxue 发表于 2017-11-1 14:50:37

WIN10越来越难搞

hzqst 发表于 2017-11-1 19:42:16

找个空隙插jmp做中转就好了

kz丶cn 发表于 2017-11-2 09:23:20

哇~这让我想起了beep~

chaos4 发表于 2017-12-2 02:38:01

回复看看..

sc12345 发表于 2018-1-1 20:53:59

谢谢楼主分享！

tea524 发表于 2018-1-24 11:50:58

谢谢楼主

nightstalkerx 发表于 2018-1-26 12:30:07

学习一下

337505993 发表于 2018-6-30 00:46:44

学习~~~~~~~~~~~~~~~~

neticafe 发表于 2018-10-12 15:45:38

学习一下.补充能量

bj6688 发表于 2019-5-15 20:10:44

win10 怎么能替换系统文件.

lpmjknj 发表于 2020-7-27 15:52:21

学习一下

819773925 发表于 2022-1-24 11:43:45

看看是啥黑科技

yxxyyf 发表于 2022-2-25 19:30:36

啥东东

yxxxxxxx 发表于 2022-10-18 20:36:56

学习

2254649642 发表于 2022-10-18 21:27:59

来看看那

sheriwvg 发表于 2023-5-11 09:52:08

谢谢楼主

Undefined 发表于 2024-2-16 14:01:04

学习一下补充内容

页: [1]

紫水晶编程技术论坛 - 努力打造成全国最好的编程论坛's Archiver

[经验]一种可能引发KERNEL_SECURITY_CHECK_FAILURE蓝屏的编码方式