SharpGhosting

VM crashes immediately

Open · CaledoniaProject opened this issue 4 years ago · 1 comment

The program crashes the kernel somehow; it triggers an immediate BSOD on Windows 2016:

[screenshot 2022-01-20 at 8:38:48 AM]

CaledoniaProject · Jan 20 '22 00:01

Interesting

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\011922-5656-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 14393 MP (2 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 14393.1794.amd64fre.rs1_release.171008-1615
Machine Name:
Kernel base = 0xfffff803`76c1e000 PsLoadedModuleList = 0xfffff803`76f1c040
Debug session time: Wed Jan 19 16:38:44.582 2022 (UTC - 8:00)
System Uptime: 0 days 0:13:05.096
Loading Kernel Symbols
...............................................................
................................................................
..............................
Loading User Symbols
Loading unloaded module list
........
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff803770d3c58, Address of the instruction which caused the bugcheck
Arg3: ffffc480abca2810, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for win32k.sys

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 2

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on WIN-LNHNKR4KJUL

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 15

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 65

    Key  : Analysis.System
    Value: CreateObject


VIRTUAL_MACHINE:  VMware

BUGCHECK_CODE:  3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff803770d3c58

BUGCHECK_P3: ffffc480abca2810

BUGCHECK_P4: 0

CONTEXT:  ffffc480abca2810 -- (.cxr 0xffffc480abca2810)
rax=0000000000000200 rbx=00000000000000a0 rcx=0000000000000000
rdx=ffff878029c42080 rsi=ffff878029c42080 rdi=0000000000000000
rip=fffff803770d3c58 rsp=ffffc480abca3210 rbp=ffffc480abca3310
 r8=ffffae0bfacd406f  r9=ffffae0bfacd4060 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=ffff878029c42080
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!PspInitializeFullProcessImageName+0x3c:
fffff803`770d3c58 488b81a8000000  mov     rax,qword ptr [rcx+0A8h] ds:002b:00000000`000000a8=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  SharpGhosting.exe

STACK_TEXT:  
ffffc480`abca3210 fffff803`7705e95f : 00000000`000000a0 ffffc480`abca3b80 00000000`000000a0 00000000`00000000 : nt!PspInitializeFullProcessImageName+0x3c
ffffc480`abca33a0 fffff803`770ee99c : 00000000`00000000 ffffc480`abca3b80 00000000`00000010 ffff8780`2ab7f200 : nt!PspAllocateProcess+0xbf7
ffffc480`abca3790 fffff803`770ee77d : ffff8628`8788812f ffff8780`2ab7f2a0 00000000`00008000 00000000`00000770 : nt!PspCreateProcess+0x218
ffffc480`abca3a40 fffff803`76d78493 : fffff5fa`fd600000 fffff5fa`fd7eb000 ffff8628`87888b8f 00000000`00000000 : nt!NtCreateProcessEx+0x75
ffffc480`abca3a90 00007ffb`8e6d6a44 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0039e748 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`8e6d6a44


SYMBOL_NAME:  nt!PspInitializeFullProcessImageName+3c

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.14393.1794

STACK_COMMAND:  .cxr 0xffffc480abca2810 ; kb

BUCKET_ID_FUNC_OFFSET:  3c

FAILURE_BUCKET_ID:  0x3B_c0000005_nt!PspInitializeFullProcessImageName

OS_VERSION:  10.0.14393.1794

BUILDLAB_STR:  rs1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {49044646-1d26-88e0-7470-3979b2e77780}

Followup:     MachineOwner
---------

CaledoniaProject · Jan 20 '22 00:01