FU_Hypervisor

System freezing and after a few seconds BSOD

Open soltrac opened this issue 6 years ago • 4 comments

Hi, I understand that this project is discontinued, but maybe you could help me understand what is happening:

I'm trying to shadow-EPT a hook that I make to a process, but the system is freezing after a few seconds and eventually BSODs with a DPC_WATCHDOG_VIOLATION (133):

The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL or above.

The system is being crashed for that process, so I suppose they have a type of protection. The stack is the following:

```text
STACK_TEXT:
ffff9a81`f8134bc8 fffff802`cfa99495 : 00000000`00000133 00000000`00000001 00000000`00001e00 fffff802`cfceb378 : nt!KeBugCheckEx
ffff9a81`f8134bd0 fffff802`cf97e37a : 0000045a`5c82173f ffff9a81`f8118180 00000000`00000282 00000000`00000000 : nt!KeAccumulateTicks+0x1187d5
ffff9a81`f8134c30 fffff802`cf81551b : 0000045a`5c81fffb 00000000`00000001 00000000`00000000 ffffd105`b4704600 : nt!KeClockInterruptNotify+0x9da
ffff9a81`f8134f40 fffff802`cf9cad75 : ffffd105`b4704600 00000000`00000000 00000000`00000000 00000000`00000000 : hal!HalpTimerClockIpiRoutine+0x1b
ffff9a81`f8134f70 fffff802`cfa48d4a : ffffe105`b6cbc160 ffffd105`b4704600 00000000`00000000 00000000`00000000 : nt!KiCallInterruptServiceRoutine+0xa5
ffff9a81`f8134fb0 fffff802`cfa49237 : ffffcdbd`66390ff8 ffffd105`b4704600 00000000`00000000 00000000`00000000 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffe105`b6cbc0e0 fffff802`cf9af195 : 00000001`5b86f061 00000000`00000001 ffffad80`041294d0 00000000`00000000 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffe105`b6cbc270 fffff802`cf9a28de : 00000001`5b86f061 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiConfirmPageIsZero+0x75
ffffe105`b6cbc2a0 fffff802`cf9a272a : ffffd105`ba6f3a80 00000000`00000001 00000000`00000000 00000001`5b86f061 : nt!MiWsleFree+0x18e
ffffe105`b6cbc310 fffff802`cf8e56a7 : ffffbc00`00009418 00000001`5b86f000 00000001`5b86f000 00000000`01283000 : nt!MiFreeWsleList+0x19a
ffffe105`b6cbc4e0 fffff802`cfd5008e : ffffe78b`00000000 ffffe105`00000001 00000000`00000001 00000000`00000001 : nt!MiSetProtectionOnSection+0x1c57
ffffe105`b6cbc850 fffff802`cfd87af7 : ffffd105`ba6f3580 ffffd105`ba6f3580 ffffe105`b6cbc9f0 ffffe105`b6cbca00 : nt!MmProtectVirtualMemory+0x3ae
ffffe105`b6cbc9a0 fffff802`cfa57b43 : 00000000`00344000 00000000`07925000 ffffd105`b4703c00 ffff9a81`f8080180 : nt!NtProtectVirtualMemory+0x197
ffffe105`b6cbca90 00007ffe`6bd7a8f4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`001ee118 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`6bd7a8f4
```

The region that I'm shadowing is MEM_MAPPED, I don't know if that is the cause. Also, this process changes the protection of its pages and my theory is that this is causing the problem (my theory is that NtProtectVirtualMemory is taking a lock and, while it is locked, the DPC watchdog BSODs the system), but I've hooked NtProtectVirtualMemory to see if they are touching the page that is EPT-shadowed and they are not. I've VirtualLocked it as well, but that didn't help.

As I told you, I understand this project is not maintained anymore, so if you close the issue, I will understand it.

soltrac avatar Nov 13 '18 15:11 soltrac
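As an added example (not code from this issue or from FU_Hypervisor), here is a small Python triage script for the dump above: it parses WinDbg's STACK_TEXT layout (child SP, return address, four "Args to Child", call site), decodes the bugcheck code and its first parameter from the KeBugCheckEx frame, and then walks past the clock-interrupt frames to report which system call the interrupted CPU was executing. The regex, the helper names and the 0x133 parameter meanings (0 = a single DPC/ISR overran, 1 = cumulative time at DISPATCH_LEVEL exceeded) are my own; the trace text is the one posted in the issue.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# STACK_TEXT copied from the issue above (DPC_WATCHDOG_VIOLATION dump), one frame per line.
STACK_TEXT = """\
ffff9a81`f8134bc8 fffff802`cfa99495 : 00000000`00000133 00000000`00000001 00000000`00001e00 fffff802`cfceb378 : nt!KeBugCheckEx
ffff9a81`f8134bd0 fffff802`cf97e37a : 0000045a`5c82173f ffff9a81`f8118180 00000000`00000282 00000000`00000000 : nt!KeAccumulateTicks+0x1187d5
ffff9a81`f8134c30 fffff802`cf81551b : 0000045a`5c81fffb 00000000`00000001 00000000`00000000 ffffd105`b4704600 : nt!KeClockInterruptNotify+0x9da
ffff9a81`f8134f40 fffff802`cf9cad75 : ffffd105`b4704600 00000000`00000000 00000000`00000000 00000000`00000000 : hal!HalpTimerClockIpiRoutine+0x1b
ffff9a81`f8134f70 fffff802`cfa48d4a : ffffe105`b6cbc160 ffffd105`b4704600 00000000`00000000 00000000`00000000 : nt!KiCallInterruptServiceRoutine+0xa5
ffff9a81`f8134fb0 fffff802`cfa49237 : ffffcdbd`66390ff8 ffffd105`b4704600 00000000`00000000 00000000`00000000 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffe105`b6cbc0e0 fffff802`cf9af195 : 00000001`5b86f061 00000000`00000001 ffffad80`041294d0 00000000`00000000 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffe105`b6cbc270 fffff802`cf9a28de : 00000001`5b86f061 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiConfirmPageIsZero+0x75
ffffe105`b6cbc2a0 fffff802`cf9a272a : ffffd105`ba6f3a80 00000000`00000001 00000000`00000000 00000001`5b86f061 : nt!MiWsleFree+0x18e
ffffe105`b6cbc310 fffff802`cf8e56a7 : ffffbc00`00009418 00000001`5b86f000 00000001`5b86f000 00000000`01283000 : nt!MiFreeWsleList+0x19a
ffffe105`b6cbc4e0 fffff802`cfd5008e : ffffe78b`00000000 ffffe105`00000001 00000000`00000001 00000000`00000001 : nt!MiSetProtectionOnSection+0x1c57
ffffe105`b6cbc850 fffff802`cfd87af7 : ffffd105`ba6f3580 ffffd105`ba6f3580 ffffe105`b6cbc9f0 ffffe105`b6cbca00 : nt!MmProtectVirtualMemory+0x3ae
ffffe105`b6cbc9a0 fffff802`cfa57b43 : 00000000`00344000 00000000`07925000 ffffd105`b4703c00 ffff9a81`f8080180 : nt!NtProtectVirtualMemory+0x197
ffffe105`b6cbca90 00007ffe`6bd7a8f4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`001ee118 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`6bd7a8f4
"""


class Frame(NamedTuple):
    child_sp: int
    ret_addr: int
    args: tuple  # the four "Args to Child" quadwords
    site: str    # symbolic call site, e.g. nt!KeBugCheckEx


# A WinDbg quadword looks like 12345678`9abcdef0 (assumed layout, 8+8 hex digits).
QWORD = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME_RE = re.compile(
    rf"^\s*({QWORD})\s+({QWORD})\s*:\s*({QWORD})\s+({QWORD})\s+({QWORD})\s+({QWORD})\s*:\s*(\S+)\s*$",
    re.IGNORECASE,
)

# Only the bugcheck this thread is about is decoded here.
BUGCHECK_NAMES = {0x133: "DPC_WATCHDOG_VIOLATION"}
DPC_WATCHDOG_REASONS = {
    0: "a single DPC or ISR exceeded its time allotment",
    1: "the system spent prolonged cumulative time at DISPATCH_LEVEL or above",
}


def qword(text: str) -> int:
    return int(text.replace("`", ""), 16)


def parse_stack_text(text: str) -> List[Frame]:
    """Turn STACK_TEXT lines into Frame records; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        child_sp, ret_addr, *args, site = m.groups()
        frames.append(Frame(qword(child_sp), qword(ret_addr), tuple(qword(a) for a in args), site))
    return frames


def describe_bugcheck(frames: List[Frame]) -> Dict[str, object]:
    """Read the bugcheck code and parameters from the KeBugCheckEx frame's arguments."""
    for f in frames:
        if f.site.endswith("!KeBugCheckEx"):
            code = f.args[0]
            info: Dict[str, object] = {"code": code, "name": BUGCHECK_NAMES.get(code, "unknown"), "params": f.args[1:]}
            if code == 0x133:
                info["reason"] = DPC_WATCHDOG_REASONS.get(f.args[1], "unknown parameter 1")
            return info
    raise ValueError("no KeBugCheckEx frame found")


def interrupted_path(frames: List[Frame]) -> List[Frame]:
    """Frames below the last interrupt-dispatch frame: what the CPU was doing when the clock tick hit."""
    idx = max((i for i, f in enumerate(frames) if re.search(r"!Ki.*Interrupt", f.site)), default=None)
    return frames if idx is None else frames[idx + 1:]


def syscall_in_progress(frames: List[Frame]) -> Optional[str]:
    """Name of the Nt* system service that was executing when the watchdog fired, if any."""
    for f in interrupted_path(frames):
        if re.match(r"nt!Nt[A-Z]\w*", f.site):
            return f.site.split("+")[0]
    return None


def user_return_address(frames: List[Frame]) -> Optional[int]:
    """User-mode address the syscall would have returned to (the KiSystemServiceCopyEnd frame's return address)."""
    for f in frames:
        if f.site.startswith("nt!KiSystemServiceCopyEnd"):
            return f.ret_addr
    return None


if __name__ == "__main__":
    frames = parse_stack_text(STACK_TEXT)
    info = describe_bugcheck(frames)
    print(f"{info['name']} (0x{info['code']:x}): {info.get('reason')}")
    print("syscall in progress:", syscall_in_progress(frames))
    print("interrupted kernel path:", " <- ".join(f.site for f in interrupted_path(frames)))
    print("user return address: 0x%016x" % user_return_address(frames))
```

Run against this dump, the script reports parameter 1 = 1 (cumulative DISPATCH_LEVEL time, not one runaway DPC) and that the interrupted CPU was inside NtProtectVirtualMemory -> MmProtectVirtualMemory -> MiSetProtectionOnSection -> MiFreeWsleList, i.e. the memory manager was walking and freeing working-set entries for the region whose protection was being changed. That is the part of the trace the poster is asking about, and it is consistent with a protection change over a large region rather than with the hypervisor's own code being on the stack.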

There must be someone calling NtProtectVirtualMemory to change the protection of the memory range (not only the shadow page but the whole continuous region) that is MEM_MAPPED. Once the protection of a mapped region is changed to writable (including RWX and RW), all its pages will be marked as copy-on-write and, like you said, they are touched.

hzqst avatar Nov 13 '18 23:11 hzqst

But I don't get it. I have hooked NtProtectVirtualMemory in the process, and I've done this:

```cpp
Console::PrintLn("NtProtectStarted");
// call the original NtProtectVirtualMemory through the hook's trampoline
auto res = trampolineNtProtectVirtualMemory(ProcessHandle, UnsafeBaseAddress, UnsafeNumberOfBytesToProtect,
                                            NewAccessProtection, UnsafeOldAccessProtection);
Console::PrintLn("NtProtectEnded");
```

After this, before the system crashes, I see some NtProtectVirtualMemory calls from other modules, not the one I'm hooking, but all of them print Started and Ended, so all of them finish. But the system hangs with no NtProtectStarted and of course no NtProtectEnded, which is why I don't understand why it appears in the dump. Also, I don't understand why this should hang the system...

soltrac avatar Nov 14 '18 07:11 soltrac

Well... this is ridiculous and I have no explanation... but I was using PolyHook for the user-mode hook and now I've changed to MinHook and it is not freezing.

Now it is working.

soltrac avatar Nov 14 '18 12:11 soltrac

Sorry, I have to reopen this: I've been able to reproduce this issue:

If I shadow page a function, and after that I make a VirtualProtect with PAGE_NOACCESS on this page, this happens.

I've hooked NtProtectVirtualMemory in the process, but the process is not using it, so my guess is that it is using a direct syscall.

The solution I'm thinking of is using something like DdiMon to hook NtProtectVirtualMemory in the kernel and forbid changing the page's protection there... any idea of something different?

soltrac avatar Nov 15 '18 17:11 soltrac