zer0m0n

getKernelBase() - SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

Open GameProtect opened this issue 11 years ago • 4 comments

Hi coinx-security! I'm developing a process-protecting driver/software and I want to try your project on Win 8.1.

When the driver calls the getKernelBase() function, Windows gives a BSOD with: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

Any fix? Thanks

GameProtect avatar Aug 13 '14 10:08 GameProtect

Hi, thanks for the bug report !

We actually did not test on Win 8.1. Regarding the bugcheck code, I think the "pSystemModule = &pSystemModuleInformation->Modules[0]; / imgBaseAddr = pSystemModule->Base;" lines are involved (access violation, but no idea why). We'll check this ASAP (not sure when, and I'm pretty sure we'll encounter other bugs...) :]

Anyway, for (stable and PatchGuard-proof) process protection software, maybe you should use ObRegisterCallbacks along with the OB_OPERATION_HANDLE_CREATE flag to filter handle opening on the processes you want to protect?

Cheers, Adrien

0x00-lol avatar Aug 13 '14 12:08 0x00-lol

Hi 0x0ach, thanks for the reply. I will use callbacks, so I want to try a System Service Descriptor Table hook. Cheers, Efe

GameProtect avatar Aug 13 '14 15:08 GameProtect

Hi, we don't support Windows 8.1, but I have an idea of what causes the bugcheck. In the getKernelBase() function we use ZwQuerySystemInformation(), and according to the documentation: http://msdn.microsoft.com/en-us/library/windows/desktop/ms725506%28v=vs.85%29.aspx, this function is not available in Windows 8.

A quick fix would be to parse the loaded modules through the PEB; you can write x64 asm in driver code that way: http://geekswithblogs.net/kernelmode/archive/2008/03/07/120340.aspx

Cheers, Nicolas

angelkillah avatar Aug 19 '14 09:08 angelkillah
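The crash path discussed in the two maintainer comments above (reading Modules[0].Base out of the SystemModuleInformation buffer that getKernelBase() obtains from ZwQuerySystemInformation()), as an added example that is not zer0m0n's code: a bounds-checked reader for the x64 RTL_PROCESS_MODULES layout that refuses to touch the first entry until the buffer is actually long enough to hold the entries it claims. The structure offsets are taken from the documented x64 layout and the two-module sample buffer is constructed here; the function and buffer names are assumptions.

```c
/* Added example, not zer0m0n's code. Assumed x64 layout of the buffer:
 * RTL_PROCESS_MODULES { ULONG NumberOfModules; pad to 8; RTL_PROCESS_MODULE_INFORMATION Modules[]; }
 * with each entry 296 bytes (Section, MappedBase, ImageBase, ImageSize, Flags, LoadOrderIndex,
 * InitOrderIndex, LoadCount, OffsetToFileName, FullPathName[256]). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define MODULES_HDR_SIZE  8u    /* NumberOfModules plus alignment padding before Modules[] */
#define MODULE_ENTRY_SIZE 296u  /* sizeof(RTL_PROCESS_MODULE_INFORMATION) on x64 */
#define IMAGEBASE_OFFSET  16u   /* ImageBase follows the Section and MappedBase pointers */
#define FULLPATH_OFFSET   40u   /* FullPathName follows ImageSize, Flags and four USHORTs */

/* Returns 0 and sets *base (ImageBase of Modules[0], i.e. the kernel image), or -1 when the
 * buffer cannot hold the entries it claims, e.g. a probe that only reported the needed length. */
int kernel_base_from_module_info(const uint8_t *buf, size_t len, uint64_t *base)
{
    uint32_t count;
    if (buf == NULL || len < MODULES_HDR_SIZE) return -1;
    memcpy(&count, buf, sizeof count);
    if (count == 0 || (len - MODULES_HDR_SIZE) / MODULE_ENTRY_SIZE < count) return -1;
    memcpy(base, buf + MODULES_HDR_SIZE + IMAGEBASE_OFFSET, sizeof *base);
    return 0;
}

/* Constructed two-module buffer standing in for a real query result (sample values only). */
size_t build_sample(uint8_t *out, size_t cap)
{
    const size_t need = MODULES_HDR_SIZE + 2 * MODULE_ENTRY_SIZE;
    const uint32_t n = 2;
    const uint64_t bases[2] = { 0xfffff80312c00000ULL, 0xfffff80314a00000ULL };
    const char *names[2] = { "\\SystemRoot\\system32\\ntoskrnl.exe",
                             "\\SystemRoot\\system32\\hal.dll" };
    if (cap < need) return 0;
    memset(out, 0, need);
    memcpy(out, &n, sizeof n);
    for (int i = 0; i < 2; i++) {
        uint8_t *m = out + MODULES_HDR_SIZE + (size_t)i * MODULE_ENTRY_SIZE;
        memcpy(m + IMAGEBASE_OFFSET, &bases[i], sizeof bases[i]);
        strncpy((char *)m + FULLPATH_OFFSET, names[i], 255);
    }
    return need;
}

int main(void)
{
    uint8_t buf[1024]; uint64_t base = 0;
    size_t len = build_sample(buf, sizeof buf);
    int ok = kernel_base_from_module_info(buf, len, &base) == 0;
    printf("%s base 0x%016llx\n", ok ? "kernel" : "no", (unsigned long long)base);
    return ok ? 0 : 1;
}
```

A header-only buffer (the case left behind when the first call returns STATUS_INFO_LENGTH_MISMATCH) is rejected instead of being dereferenced.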

Nicolas, can you give me your Skype or Facebook address? I have some questions about protecting processes.

GameProtect avatar Aug 19 '14 12:08 GameProtect