binaryninja-api

Wrong argument propagation in windows kernel binary

Open monotonik-guy opened this issue 3 weeks ago • 1 comment

Version and Platform (required):

  • Binary Ninja Version: [e.g. 5.3.8651-dev]
  • Edition: Non-Commercial
  • OS: Windows
  • OS Version: 11 26200
  • CPU Architecture: x64

Bug Description: I'm testing the dev BN build with ntoskrnl.exe, but found that the issue with propagating wrong @zmm0/@zmm1/@zmm2 args still happens here. Most functions have wrong params in zmm1/zmm2 and return in the zmm0/zmm1/zmm2 registers for some reason, but actually they do not.

All zmm parameters are just passed further as parameters to callees. I even tried to build a graph, hoping to find the root of all calls, but failed; it is just a mess. Top nodes if you need them:

  "top_nodes_by_incoming_edges": [
    {
      "address": "0x1406998a0",
      "name": "__security_check_cookie",
      "callers": 2037,
      "callees": 1
    },
    {
      "address": "0x140b630f0",
      "name": "ExAllocatePool2",
      "callers": 1164,
      "callees": 10
    },
    {
      "address": "0x140b63cd0",
      "name": "ExFreePoolWithTag",
      "callers": 936,
      "callees": 26
    },
    {
      "address": "0x1404f6880",
      "name": "KeBugCheckEx",
      "callers": 728,
      "callees": 1
    },
    {
      "address": "0x1402cb760",
      "name": "KeAbPreAcquire",
      "callers": 686,
      "callees": 3
    },
    {
      "address": "0x1402e7c10",
      "name": "ExReleaseRundownProtection",
      "callers": 565,
      "callees": 1
    },
    {
      "address": "0x1406b1cc0",
      "name": "KiServiceInternal",
      "callers": 489,
      "callees": 1
    },
    {
      "address": "0x1404ee818",
      "name": "KiLowerIrqlProcessIrqlFlags",
      "callers": 390,
      "callees": 1
    },
    {
      "address": "0x14025f330",
      "name": "HvlNotifyLongSpinWait",
      "callers": 335,
      "callees": 1
    },
    {
      "address": "0x140271c30",
      "name": "KeAcquireSpinLockRaiseToDpc",
      "callers": 301,
      "callees": 2
    },
    {
      "address": "0x14037f6d0",
      "name": "ExAcquireSpinLockExclusive",
      "callers": 282,
      "callees": 3
    },
    {
      "address": "0x140badb00",
      "name": "KxIsrLinkageShadow",
      "callers": 256,
      "callees": 1
    },
    {
      "address": "0x140415eb0",
      "name": "_tlgWriteTransfer_EtwWriteTransfer",
      "callers": 242,
      "callees": 1
    },
    {
      "address": "0x140274cd0",
      "name": "EtwWriteEx",
      "callers": 215,
      "callees": 1
    },
    {
      "address": "0x140275890",
      "name": "ObfDereferenceObjectWithTag",
      "callers": 206,
      "callees": 7
    },
    {
      "address": "0x140275b60",
      "name": "EtwWrite",
      "callers": 191,
      "callees": 1
    },
    {
      "address": "0x140841f10",
      "name": "ObReferenceObjectByHandle",
      "callers": 186,
      "callees": 1
    },
    {
      "address": "0x1402cccf0",
      "name": "KeWaitForSingleObject",
      "callers": 181,
      "callees": 16
    },
    {
      "address": "0x1402cc450",
      "name": "KeAbPostRelease",
      "callers": 180,
      "callees": 3
    },
    {
      "address": "0x1402986b0",
      "name": "KeSetEvent",
      "callers": 175,
      "callees": 5
    }
  ]

Important note: I used a customized platform without the sysv convention, but with it I had the issue as well (and also incorrect convention resolving).

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

  1. Go to RtlGetImageBaseAndLoadConfig for example
  2. See error

Screenshots/Video Recording: Image

Binary: Binary ninja portal: vision omega nests sagely

monotonik-guy, Nov 20 '25 23:11
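To quantify the symptom reported above (parameters wrongly assigned to zmm1/zmm2 across a whole kernel image), here is an added triage script that is not part of the issue or of Binary Ninja itself. It assumes the Binary Ninja Python API attributes bv.functions, Function.parameter_vars, Variable.source_type, Variable.storage and Architecture.get_reg_name; constructed_sample() is a fake BinaryView with made-up addresses so the logic can be run outside Binary Ninja.

```python
"""Lists functions whose parameters Binary Ninja put in vector registers.
Added triage example, not code from the issue or from Binary Ninja. Assumed
API: bv.functions, Function.parameter_vars, Variable.source_type,
Variable.storage, Architecture.get_reg_name. In the Binary Ninja console run
find_vector_param_functions(bv); constructed_sample() is a fake view for
running the logic stand-alone."""
from collections import Counter

VECTOR_PREFIXES = ("xmm", "ymm", "zmm")

def register_of(func, var):
    """Register name backing a parameter, or None for stack/other storage."""
    # source_type is a VariableSourceType enum; comparing by name keeps the
    # function usable on the stub objects below as well.
    if getattr(var.source_type, "name", "") != "RegisterVariableSourceType":
        return None
    return func.arch.get_reg_name(var.storage).lower()

def vector_param_regs(func):
    """Vector registers among func's parameters, in parameter order."""
    regs = [register_of(func, v) for v in func.parameter_vars]
    return [r for r in regs if r and r.startswith(VECTOR_PREFIXES)]

def find_vector_param_functions(bv):
    """Return (hits, histogram): hits is [(start, name, regs)] for every
    function with a vector-register parameter; the histogram counts how often
    each register appears, so a flood of zmm1/zmm2 stands out at once."""
    hits, hist = [], Counter()
    for func in bv.functions:
        regs = vector_param_regs(func)
        if regs:
            hits.append((func.start, func.name, regs))
            hist.update(regs)
    return hits, hist

def constructed_sample():
    """Constructed stand-in for a BinaryView (not real ntoskrnl data)."""
    class Obj:
        def __init__(self, **kw): self.__dict__.update(kw)
    arch = Obj(get_reg_name=lambda i: {0: "rcx", 1: "rdx", 2: "zmm1", 3: "zmm2"}[i])
    reg = lambda i: Obj(source_type=Obj(name="RegisterVariableSourceType"), storage=i)
    stack = lambda off: Obj(source_type=Obj(name="StackVariableSourceType"), storage=off)
    return Obj(functions=[
        Obj(start=0x140001000, name="RtlGetImageBaseAndLoadConfig", arch=arch,
            parameter_vars=[reg(0), reg(2), reg(3)]),  # zmm1/zmm2 wrongly inferred
        Obj(start=0x140002000, name="sane_function", arch=arch,
            parameter_vars=[reg(0), reg(1), stack(0x28)]),
    ])
```

On a real view, a histogram dominated by zmm1/zmm2 over hundreds of ordinary kernel functions is the signature of the mis-inference; a correct analysis of a binary like this should report only a handful of genuine vector-parameter functions.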