Why do I get a DoubleFault when I set a break point on IA32_LSTAR MSR for SYSCALL on windows 64 bit

Time:11-28

TLDR: Why can you set a breakpoint in the Windows kernel .text section but not in the KVAS section?

So AFAIK IA32_LSTAR is supposed to hold the address of KiSystemCall64/KiSystemCall64Shadow, so right before a syscall was made in ntdll I dumped it and set a breakpoint on it (KiSystemCall64Shadow). Upon tracing with p in WinDbg I get a bugcheck (DOUBLE_FAULT). Why is that?

I should mention that this whole process was inside a VM so I could kernel-debug the application.

Output of !analyze -v:

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
BUGCHECK_CODE:  7f

BUGCHECK_P1: 8

BUGCHECK_P2: ffff8c81d09dce50

BUGCHECK_P3: 66011c9020

BUGCHECK_P4: fffff80216a05000

BAD_STACK_POINTER:  ffff8c81d09dc558

PROCESS_NAME:  notepad.exe

SYMBOL_NAME:  nt!KiDoubleFaultAbort+2c3

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

Call stack:

kd> k
 # Child-SP          RetAddr               Call Site
00 ffffbb81`a9bdc558 fffff803`80112b12     nt!DbgBreakPointWithStatus
01 ffffbb81`a9bdc560 fffff803`801120f6     nt!KiBugCheckDebugBreak+0x12
02 ffffbb81`a9bdc5c0 fffff803`7fff72b7     nt!KeBugCheck2+0x946
03 ffffbb81`a9bdccd0 fffff803`80009169     nt!KeBugCheckEx+0x107
04 ffffbb81`a9bdcd10 fffff803`80003f83     nt!KiBugCheckDispatch+0x69
05 ffffbb81`a9bdce50 fffff803`80005000     nt!KiDoubleFaultAbort+0x2c3
06 000000b9`51479010 fffff803`80005000     nt!KiPageFault
07 000000b9`51479040 fffff803`80005000     nt!KiPageFault
08 000000b9`51479070 fffff803`80005000     nt!KiPageFault
09 000000b9`514790a0 fffff803`80005000     nt!KiPageFault
0a 000000b9`514790d0 fffff803`80005000     nt!KiPageFault
0b 000000b9`51479100 fffff803`80005000     nt!KiPageFault
0c 000000b9`51479130 fffff803`80005000     nt!KiPageFault
0d 000000b9`51479160 fffff803`80005000     nt!KiPageFault
0e 000000b9`51479190 fffff803`80005000     nt!KiPageFault
0f 000000b9`514791c0 fffff803`80005000     nt!KiPageFault
10 000000b9`514791f0 fffff803`80005000     nt!KiPageFault
11 000000b9`51479220 fffff803`80005000     nt!KiPageFault
12 000000b9`51479250 fffff803`80005000     nt!KiPageFault
13 000000b9`51479280 fffff803`80005000     nt!KiPageFault
14 000000b9`514792b0 fffff803`80005000     nt!KiPageFault
15 000000b9`514792e0 fffff803`80005000     nt!KiPageFault
16 000000b9`51479310 fffff803`80005000     nt!KiPageFault
17 000000b9`51479340 fffff803`80005000     nt!KiPageFault
18 000000b9`51479370 fffff803`80005000     nt!KiPageFault
19 000000b9`514793a0 fffff803`80005000     nt!KiPageFault
1a 000000b9`514793d0 fffff803`80005000     nt!KiPageFault
1b 000000b9`51479400 fffff803`80005000     nt!KiPageFault
1c 000000b9`51479430 fffff803`80005000     nt!KiPageFault
1d 000000b9`51479460 fffff803`80005000     nt!KiPageFault
1e 000000b9`51479490 fffff803`80005000     nt!KiPageFault
1f 000000b9`514794c0 fffff803`80005000     nt!KiPageFault
20 000000b9`514794f0 fffff803`80005000     nt!KiPageFault
21 000000b9`51479520 fffff803`80005000     nt!KiPageFault
22 000000b9`51479550 fffff803`80005000     nt!KiPageFault
23 000000b9`51479580 fffff803`80005000     nt!KiPageFault
24 000000b9`514795b0 fffff803`80005000     nt!KiPageFault
25 000000b9`514795e0 fffff803`80005000     nt!KiPageFault
26 000000b9`51479610 fffff803`80005000     nt!KiPageFault
27 000000b9`51479640 fffff803`80005000     nt!KiPageFault
28 000000b9`51479670 fffff803`80005000     nt!KiPageFault
29 000000b9`514796a0 fffff803`80005000     nt!KiPageFault
2a 000000b9`514796d0 fffff803`80005000     nt!KiPageFault
2b 000000b9`51479700 fffff803`80005000     nt!KiPageFault
2c 000000b9`51479730 fffff803`80005000     nt!KiPageFault
2d 000000b9`51479760 fffff803`80005000     nt!KiPageFault
2e 000000b9`51479790 fffff803`80005000     nt!KiPageFault
2f 000000b9`514797c0 fffff803`80005000     nt!KiPageFault
30 000000b9`514797f0 fffff803`80005000     nt!KiPageFault
31 000000b9`51479820 fffff803`80005000     nt!KiPageFault
32 000000b9`51479850 fffff803`80005000     nt!KiPageFault
33 000000b9`51479880 fffff803`80005000     nt!KiPageFault
34 000000b9`514798b0 fffff803`80005000     nt!KiPageFault
35 000000b9`514798e0 fffff803`80005000     nt!KiPageFault
36 000000b9`51479910 fffff803`80005000     nt!KiPageFault
37 000000b9`51479940 fffff803`80005000     nt!KiPageFault
38 000000b9`51479970 fffff803`80005000     nt!KiPageFault
39 000000b9`514799a0 fffff803`80005000     nt!KiPageFault
3a 000000b9`514799d0 fffff803`80005000     nt!KiPageFault
3b 000000b9`51479a00 fffff803`80005000     nt!KiPageFault
3c 000000b9`51479a30 fffff803`80005000     nt!KiPageFault
3d 000000b9`51479a60 fffff803`80005000     nt!KiPageFault
3e 000000b9`51479a90 fffff803`80005000     nt!KiPageFault
3f 000000b9`51479ac0 fffff803`80005000     nt!KiPageFault
40 000000b9`51479af0 fffff803`80005000     nt!KiPageFault
41 000000b9`51479b20 fffff803`80005000     nt!KiPageFault
42 000000b9`51479b50 fffff803`80005000     nt!KiPageFault
43 000000b9`51479b80 fffff803`80005000     nt!KiPageFault
44 000000b9`51479bb0 fffff803`80005000     nt!KiPageFault
45 000000b9`51479be0 fffff803`80005000     nt!KiPageFault
46 000000b9`51479c10 fffff803`80005000     nt!KiPageFault
47 000000b9`51479c40 fffff803`80005000     nt!KiPageFault
48 000000b9`51479c70 fffff803`80005000     nt!KiPageFault
49 000000b9`51479ca0 fffff803`80005000     nt!KiPageFault
4a 000000b9`51479cd0 fffff803`80005000     nt!KiPageFault
4b 000000b9`51479d00 fffff803`80005000     nt!KiPageFault
4c 000000b9`51479d30 fffff803`80005000     nt!KiPageFault
4d 000000b9`51479d60 fffff803`80005000     nt!KiPageFault
4e 000000b9`51479d90 fffff803`80005000     nt!KiPageFault
4f 000000b9`51479dc0 fffff803`80005000     nt!KiPageFault
50 000000b9`51479df0 fffff803`80005000     nt!KiPageFault
51 000000b9`51479e20 fffff803`80005000     nt!KiPageFault
52 000000b9`51479e50 fffff803`80005000     nt!KiPageFault
53 000000b9`51479e80 fffff803`80005000     nt!KiPageFault
54 000000b9`51479eb0 fffff803`80005000     nt!KiPageFault
55 000000b9`51479ee0 fffff803`80005000     nt!KiPageFault
56 000000b9`51479f10 fffff803`80005000     nt!KiPageFault
57 000000b9`51479f40 fffff803`80005000     nt!KiPageFault
58 000000b9`51479f70 fffff803`80005000     nt!KiPageFault
59 000000b9`51479fa0 fffff803`80005000     nt!KiPageFault
5a 000000b9`51479fd0 fffff803`80005000     nt!KiPageFault
5b 000000b9`5147a000 fffff803`80005000     nt!KiPageFault
5c 000000b9`5147a030 fffff803`80005000     nt!KiPageFault
5d 000000b9`5147a060 fffff803`80005000     nt!KiPageFault
5e 000000b9`5147a090 fffff803`80005000     nt!KiPageFault
5f 000000b9`5147a0c0 fffff803`80005000     nt!KiPageFault
60 000000b9`5147a0f0 fffff803`80005000     nt!KiPageFault
61 000000b9`5147a120 fffff803`80005000     nt!KiPageFault
62 000000b9`5147a150 fffff803`80005000     nt!KiPageFault
63 000000b9`5147a180 fffff803`80005000     nt!KiPageFault
64 000000b9`5147a1b0 fffff803`80005000     nt!KiPageFault
65 000000b9`5147a1e0 fffff803`80005000     nt!KiPageFault
66 000000b9`5147a210 fffff803`80005000     nt!KiPageFault
67 000000b9`5147a240 fffff803`80005000     nt!KiPageFault
68 000000b9`5147a270 fffff803`80005000     nt!KiPageFault
69 000000b9`5147a2a0 fffff803`80005000     nt!KiPageFault
6a 000000b9`5147a2d0 fffff803`80005000     nt!KiPageFault
6b 000000b9`5147a300 fffff803`80005000     nt!KiPageFault
6c 000000b9`5147a330 fffff803`80005000     nt!KiPageFault
6d 000000b9`5147a360 fffff803`80005000     nt!KiPageFault
6e 000000b9`5147a390 fffff803`80005000     nt!KiPageFault
6f 000000b9`5147a3c0 fffff803`80005000     nt!KiPageFault
70 000000b9`5147a3f0 fffff803`80005000     nt!KiPageFault
71 000000b9`5147a420 fffff803`80005000     nt!KiPageFault
72 000000b9`5147a450 fffff803`80005000     nt!KiPageFault
73 000000b9`5147a480 fffff803`80005000     nt!KiPageFault
74 000000b9`5147a4b0 fffff803`80005000     nt!KiPageFault
75 000000b9`5147a4e0 fffff803`80005000     nt!KiPageFault
76 000000b9`5147a510 fffff803`80005000     nt!KiPageFault
77 000000b9`5147a540 fffff803`80005000     nt!KiPageFault
78 000000b9`5147a570 fffff803`80005000     nt!KiPageFault
79 000000b9`5147a5a0 fffff803`80005000     nt!KiPageFault
7a 000000b9`5147a5d0 fffff803`80005000     nt!KiPageFault
7b 000000b9`5147a600 fffff803`80005000     nt!KiPageFault
7c 000000b9`5147a630 fffff803`80005000     nt!KiPageFault
7d 000000b9`5147a660 fffff803`80005000     nt!KiPageFault
7e 000000b9`5147a690 fffff803`80005000     nt!KiPageFault
7f 000000b9`5147a6c0 fffff803`80005000     nt!KiPageFault
80 000000b9`5147a6f0 fffff803`80005000     nt!KiPageFault
81 000000b9`5147a720 fffff803`80005000     nt!KiPageFault
82 000000b9`5147a750 fffff803`80005000     nt!KiPageFault
83 000000b9`5147a780 fffff803`80005000     nt!KiPageFault
84 000000b9`5147a7b0 fffff803`80005000     nt!KiPageFault
85 000000b9`5147a7e0 fffff803`80005000     nt!KiPageFault
86 000000b9`5147a810 fffff803`80005000     nt!KiPageFault
87 000000b9`5147a840 fffff803`80005000     nt!KiPageFault
88 000000b9`5147a870 fffff803`80005000     nt!KiPageFault
89 000000b9`5147a8a0 fffff803`80005000     nt!KiPageFault
8a 000000b9`5147a8d0 fffff803`80005000     nt!KiPageFault
8b 000000b9`5147a900 fffff803`80005000     nt!KiPageFault
8c 000000b9`5147a930 fffff803`80005000     nt!KiPageFault
8d 000000b9`5147a960 fffff803`80005000     nt!KiPageFault
8e 000000b9`5147a990 fffff803`80005000     nt!KiPageFault
8f 000000b9`5147a9c0 fffff803`80005000     nt!KiPageFault
90 000000b9`5147a9f0 fffff803`80005000     nt!KiPageFault
91 000000b9`5147aa20 fffff803`80005000     nt!KiPageFault
92 000000b9`5147aa50 fffff803`80005000     nt!KiPageFault
93 000000b9`5147aa80 fffff803`80005000     nt!KiPageFault
94 000000b9`5147aab0 fffff803`80005000     nt!KiPageFault
95 000000b9`5147aae0 fffff803`80005000     nt!KiPageFault
96 000000b9`5147ab10 fffff803`80005000     nt!KiPageFault
97 000000b9`5147ab40 fffff803`80005000     nt!KiPageFault
98 000000b9`5147ab70 fffff803`80005000     nt!KiPageFault
99 000000b9`5147aba0 fffff803`80005000     nt!KiPageFault
9a 000000b9`5147abd0 fffff803`80005000     nt!KiPageFault
9b 000000b9`5147ac00 fffff803`80005000     nt!KiPageFault
9c 000000b9`5147ac30 fffff803`80005000     nt!KiPageFault
9d 000000b9`5147ac60 fffff803`80005000     nt!KiPageFault
9e 000000b9`5147ac90 fffff803`80005000     nt!KiPageFault
9f 000000b9`5147acc0 fffff803`80005000     nt!KiPageFault
a0 000000b9`5147acf0 fffff803`80005000     nt!KiPageFault
a1 000000b9`5147ad20 fffff803`80005000     nt!KiPageFault
a2 000000b9`5147ad50 fffff803`80005000     nt!KiPageFault
a3 000000b9`5147ad80 fffff803`80005000     nt!KiPageFault
a4 000000b9`5147adb0 fffff803`80005000     nt!KiPageFault
a5 000000b9`5147ade0 fffff803`80005000     nt!KiPageFault
a6 000000b9`5147ae10 fffff803`80005000     nt!KiPageFault
a7 000000b9`5147ae40 fffff803`80005000     nt!KiPageFault
a8 000000b9`5147ae70 fffff803`80005000     nt!KiPageFault
a9 000000b9`5147aea0 fffff803`80005000     nt!KiPageFault
aa 000000b9`5147aed0 fffff803`80005000     nt!KiPageFault
ab 000000b9`5147af00 fffff803`80005000     nt!KiPageFault
ac 000000b9`5147af30 fffff803`80005000     nt!KiPageFault
ad 000000b9`5147af60 fffff803`80005000     nt!KiPageFault
ae 000000b9`5147af90 fffff803`80005000     nt!KiPageFault
af 000000b9`5147afc0 fffff803`80005000     nt!KiPageFault
b0 000000b9`5147aff0 fffff803`80005000     nt!KiPageFault
b1 000000b9`5147b020 fffff803`80005000     nt!KiPageFault
b2 000000b9`5147b050 fffff803`80005000     nt!KiPageFault
b3 000000b9`5147b080 fffff803`80005000     nt!KiPageFault
b4 000000b9`5147b0b0 fffff803`80005000     nt!KiPageFault
b5 000000b9`5147b0e0 fffff803`80005000     nt!KiPageFault
b6 000000b9`5147b110 fffff803`80005000     nt!KiPageFault
b7 000000b9`5147b140 fffff803`80005000     nt!KiPageFault
b8 000000b9`5147b170 fffff803`80005000     nt!KiPageFault
b9 000000b9`5147b1a0 fffff803`80005000     nt!KiPageFault
ba 000000b9`5147b1d0 fffff803`80005000     nt!KiPageFault
bb 000000b9`5147b200 fffff803`80005000     nt!KiPageFault
bc 000000b9`5147b230 fffff803`80005000     nt!KiPageFault
bd 000000b9`5147b260 fffff803`80005000     nt!KiPageFault
be 000000b9`5147b290 fffff803`80005000     nt!KiPageFault
bf 000000b9`5147b2c0 fffff803`80005000     nt!KiPageFault
c0 000000b9`5147b2f0 fffff803`80005000     nt!KiPageFault
c1 000000b9`5147b320 fffff803`80005000     nt!KiPageFault
c2 000000b9`5147b350 fffff803`80005000     nt!KiPageFault
c3 000000b9`5147b380 fffff803`80005000     nt!KiPageFault
c4 000000b9`5147b3b0 fffff803`80005000     nt!KiPageFault
c5 000000b9`5147b3e0 fffff803`80005000     nt!KiPageFault
c6 000000b9`5147b410 fffff803`80005000     nt!KiPageFault
c7 000000b9`5147b440 fffff803`80005000     nt!KiPageFault
c8 000000b9`5147b470 fffff803`80005000     nt!KiPageFault
c9 000000b9`5147b4a0 fffff803`80005000     nt!KiPageFault
ca 000000b9`5147b4d0 fffff803`80005000     nt!KiPageFault
cb 000000b9`5147b500 fffff803`80005000     nt!KiPageFault
cc 000000b9`5147b530 fffff803`80005000     nt!KiPageFault
cd 000000b9`5147b560 fffff803`80005000     nt!KiPageFault
ce 000000b9`5147b590 fffff803`80005000     nt!KiPageFault
cf 000000b9`5147b5c0 fffff803`80005000     nt!KiPageFault
d0 000000b9`5147b5f0 fffff803`80005000     nt!KiPageFault
d1 000000b9`5147b620 fffff803`80005000     nt!KiPageFault
d2 000000b9`5147b650 fffff803`80005000     nt!KiPageFault
d3 000000b9`5147b680 fffff803`80005000     nt!KiPageFault
d4 000000b9`5147b6b0 fffff803`80005000     nt!KiPageFault
d5 000000b9`5147b6e0 fffff803`80005000     nt!KiPageFault
d6 000000b9`5147b710 fffff803`80005000     nt!KiPageFault
d7 000000b9`5147b740 fffff803`80005000     nt!KiPageFault
d8 000000b9`5147b770 fffff803`80005000     nt!KiPageFault
d9 000000b9`5147b7a0 fffff803`80005000     nt!KiPageFault
da 000000b9`5147b7d0 fffff803`80005000     nt!KiPageFault
db 000000b9`5147b800 fffff803`80005000     nt!KiPageFault
dc 000000b9`5147b830 fffff803`80005000     nt!KiPageFault
dd 000000b9`5147b860 fffff803`80005000     nt!KiPageFault
de 000000b9`5147b890 fffff803`80005000     nt!KiPageFault
df 000000b9`5147b8c0 fffff803`80005000     nt!KiPageFault
e0 000000b9`5147b8f0 fffff803`80005000     nt!KiPageFault
e1 000000b9`5147b920 fffff803`80005000     nt!KiPageFault
e2 000000b9`5147b950 fffff803`80005000     nt!KiPageFault
e3 000000b9`5147b980 fffff803`80005000     nt!KiPageFault
e4 000000b9`5147b9b0 fffff803`80005000     nt!KiPageFault
e5 000000b9`5147b9e0 fffff803`80005000     nt!KiPageFault
e6 000000b9`5147ba10 fffff803`80005000     nt!KiPageFault
e7 000000b9`5147ba40 fffff803`80005000     nt!KiPageFault
e8 000000b9`5147ba70 fffff803`80005000     nt!KiPageFault
e9 000000b9`5147baa0 fffff803`80005000     nt!KiPageFault
ea 000000b9`5147bad0 fffff803`80005000     nt!KiPageFault
eb 000000b9`5147bb00 fffff803`80005000     nt!KiPageFault
ec 000000b9`5147bb30 fffff803`80005000     nt!KiPageFault
ed 000000b9`5147bb60 fffff803`80005000     nt!KiPageFault
ee 000000b9`5147bb90 fffff803`80005000     nt!KiPageFault
ef 000000b9`5147bbc0 fffff803`80005000     nt!KiPageFault
f0 000000b9`5147bbf0 fffff803`80005000     nt!KiPageFault
f1 000000b9`5147bc20 fffff803`80005000     nt!KiPageFault
f2 000000b9`5147bc50 fffff803`80005000     nt!KiPageFault
f3 000000b9`5147bc80 fffff803`80005000     nt!KiPageFault
f4 000000b9`5147bcb0 fffff803`80005000     nt!KiPageFault
f5 000000b9`5147bce0 fffff803`80005000     nt!KiPageFault
f6 000000b9`5147bd10 fffff803`80005000     nt!KiPageFault
f7 000000b9`5147bd40 fffff803`80005000     nt!KiPageFault
f8 000000b9`5147bd70 fffff803`80005000     nt!KiPageFault
f9 000000b9`5147bda0 fffff803`80005000     nt!KiPageFault
fa 000000b9`5147bdd0 fffff803`80005000     nt!KiPageFault
fb 000000b9`5147be00 fffff803`80005000     nt!KiPageFault
fc 000000b9`5147be30 fffff803`80005000     nt!KiPageFault
fd 000000b9`5147be60 fffff803`80005000     nt!KiPageFault
fe 000000b9`5147be90 fffff803`80005000     nt!KiPageFault
ff 000000b9`5147bec0 fffff803`80005000     nt!KiPageFault

CodePudding user response:

Kernel-mode interrupt entries check which mode the interrupt came from, user or kernel, by checking the lowest bit of CS on the stack (CPL), and execute the SWAPGS instruction only if the interrupt was from user mode. Otherwise GS is assumed to already hold the correct value: in user mode GS points to the TEB and in kernel mode to the KPCR. Example:

  KiDebugServiceTrapShadow
    test        byte ptr [rsp+8],1 ;; if (!(Cs & 1))
    je          @@kernel_mode
    swapgs                         ;; only if Cs is from user mode!
    lfence
    .... ; some code
    jmp         KiDebugServiceTrap(FFFFF80527807780)
 @@kernel_mode:
    lfence
    jmp         KiDebugServiceTrap(FFFFF80527807780)

and

  KiDebugServiceTrap
    inc         qword ptr [rsp]
    cmp         word ptr [rsp+8],23h ;; Cs==23h ? this means 32-bit code
    jne         @@64bit
    and         dword ptr [rsp+4],0  ;; zero the high 32 bits of Rip for 32-bit code
 @@64bit:
    sub         rsp,8
    push        rbp
    sub         rsp,158h
    lea         rbp,[rsp+80h]
    mov         byte ptr [rbp-55h],1
    mov         qword ptr [rbp-50h],rax
    mov         qword ptr [rbp-48h],rcx
    mov         qword ptr [rbp-40h],rdx
    mov         qword ptr [rbp-38h],r8
    mov         qword ptr [rbp-30h],r9
    mov         qword ptr [rbp-28h],r10
    mov         qword ptr [rbp-20h],r11
    test        byte ptr [rbp+0F0h],1  ;; if (Cs & 1) // (0F0h+80h)-(158h+8+8)==8 - Cs is here
    jne         @@user_mode
    lfence
    test        byte ptr gs:[278h],1 ;; assumes gs -> KPCR (KPCR.BpbCpuIdle checked)
    jne         @@1
    lfence
    jmp         @@0
 @@1:
    movzx       eax,byte ptr gs:[27Ah] ;; KPCR.BpbCurrentSpecCtrl
    mov         ecx,48h
    xor         edx,edx
    wrmsr
    jmp         @@0
 @@user_mode:
    test        byte ptr [KiKvaShadow],1
    jne         @@x
    swapgs ;; !!!
 @@x:
    lfence
    mov         r10,qword ptr gs:[CurrentThread]
    mov         rcx,qword ptr gs:[CurrentThread]
    ....

So the root of the error: the interrupt is already from kernel mode, but the GS value is still from user mode, and in this case the kernel does not execute SWAPGS but uses the current GS value (which is wrong for the kernel) and points to the wrong structure. As a result there is a page fault and KiPageFault is executed.

Here again, swapgs is executed only if the fault was from user mode:

  KiPageFault
    push        rbp
    sub         rsp,158h
    lea         rbp,[rsp+80h]
    mov         byte ptr [rbp-55h],1
    mov         qword ptr [rbp-50h],rax
    mov         qword ptr [rbp-48h],rcx
    mov         qword ptr [rbp-40h],rdx
    mov         qword ptr [rbp-38h],r8
    mov         qword ptr [rbp-30h],r9
    mov         qword ptr [rbp-28h],r10
    mov         qword ptr [rbp-20h],r11
    test        byte ptr [rbp+0F0h],1     ;; if (Cs & 1)
    jne         @@user_mode
    lfence
    test        byte ptr gs:[278h],1
    jne         @@1                       ;; FFFFF80527804B4F
    lfence
    jmp         @@0
 @@1:
    movzx       eax,byte ptr gs:[27Ah]
    mov         ecx,48h
    xor         edx,edx
    wrmsr
    jmp         @@0
 @@user_mode:
    test        byte ptr [KiKvaShadow],1
    jne         @@x
    swapgs                                ;; !! only if the fault was from user mode
    lfence
    mov         r10,qword ptr gs:[CurrentThread]

As a result there is a recursive fault (wrong memory accessed), and so on, until the stack space is exhausted and the final double fault occurs. Note that Child-SP is from user mode (!!) in all nt!KiPageFault frames: this is because syscall does not switch the stack to the kernel one and this has to be done manually, and the interrupt also does not switch the stack, because it was already in kernel mode. Only when there is no space left in the current stack does the double fault and stack switch happen:

05 ffffbb81`a9bdce50 fffff803`80005000     nt!KiDoubleFaultAbort+0x2c3
06 000000b9`51479010 fffff803`80005000     nt!KiPageFault

b951479010 is still a user-mode stack value (b951479000 is obviously the end of the allocated stack area) and ffffbb81a9bdce50 is already a kernel-mode stack.

Finally, the code for KiSystemCall64:

  KiSystemCall64
    swapgs
    mov         qword ptr gs:[UserRsp],rsp
    mov         rsp,qword ptr gs:[RspBase]
    push        2Bh ;; user mode Ss
    push        qword ptr gs:[UserRsp]
    push        r11 ;; rflags
    push        33h ;; user mode Cs for 64-bit code
    push        rcx ;; rip from user mode
    mov         rcx,r10
    sub         rsp,8
    push        rbp
    sub         rsp,158h
    lea         rbp,[rsp+80h]

So the first bytes, before swapgs and the switch to the kernel stack (mov rsp,qword ptr gs:[RspBase]), are not a valid place for a bp; set the breakpoint only after these instructions!
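An added model (not from the answer, and not Windows code) of the decision the answer walks through: a trap prologue runs swapgs only when the saved CS says ring 3, so a trap taken on the first byte of KiSystemCall64 (CS already ring 0, GS still the user TEB, RSP still the user stack) keeps the wrong GS, faults, re-enters on the same stack, and repeats until the stack is exhausted and the CPU raises #DF. Stack bounds and the 0x30 frame spacing are constructed to mirror the dump above; the TSS.RSP0 switch for ring-3 traps is left out of the model.

```python
from dataclasses import dataclass, field

KERNEL_CS = 0x10      # ring-0 code selector that SYSCALL loads from IA32_STAR
USER_CS64 = 0x33      # ring-3 64-bit selector (KiSystemCall64 pushes it as the user Cs)
GS_USER, GS_KERNEL = "TEB", "KPCR"
FRAME_SIZE = 0x30     # spacing of the nested KiPageFault Child-SP values in the dump


def is_user_address(addr: int) -> bool:
    """x64 canonical split: user-mode addresses have bit 47 clear."""
    return (addr >> 47) == 0


@dataclass
class Cpu:
    cs: int                       # CS as the trap would save it
    gs: str                       # what the GS base currently points at
    rsp: int
    stack_limit: int              # lowest valid address of the stack RSP points into
    frames: list = field(default_factory=list)   # Child-SP of every entry that fit


def trap_entry(cpu: Cpu) -> str:
    """Prologue shared by KiPageFault/KiDebugServiceTrap: swapgs only if saved CS is ring 3.
    A real ring-3 trap would first land on TSS.RSP0; that switch is omitted here."""
    cpu.rsp -= FRAME_SIZE         # ring-0 trap: the CPU pushes onto the current stack
    if cpu.rsp < cpu.stack_limit:
        return "DOUBLE_FAULT"     # the push itself faults -> #DF, KiDoubleFaultAbort on IST
    cpu.frames.append(cpu.rsp)
    if cpu.cs & 1:                # test byte ptr [rsp+8],1 (CPL bit of the saved Cs)
        cpu.gs = GS_KERNEL        # swapgs
    cpu.cs = KERNEL_CS            # otherwise GS is trusted to already be the KPCR
    return "OK"


def deliver_trap(cpu: Cpu) -> tuple:
    """Follow one trap through any nested page faults; returns (outcome, entries taken)."""
    entries = 0
    while trap_entry(cpu) == "OK":
        entries += 1
        if cpu.gs == GS_KERNEL:   # mov r10,gs:[CurrentThread] reads a real KPCR
            return "HANDLED", entries
        # GS still points at the TEB: the gs:[...] chain dereferences garbage -> #PF,
        # which re-enters this prologue with Cs = ring 0 and no stack switch
    return "DOUBLE_FAULT", entries


def breakpoint_at_syscall_entry(before_swapgs: bool) -> tuple:
    """#DB on KiSystemCall64 either at its first byte or after 'mov rsp,gs:[RspBase]'.
    Stack bounds are constructed; the user range mirrors the b95147xxxx values above."""
    user_rsp, user_limit = 0x000000B95147C000, 0x000000B951479000
    kernel_rsp, kernel_limit = 0xFFFFBB81A9BDD000, 0xFFFFBB81A9BD7000
    if before_swapgs:             # SYSCALL already set Cs=0x10, but GS/RSP are still user's
        cpu = Cpu(KERNEL_CS, GS_USER, user_rsp, user_limit)
    else:                         # swapgs done, RSP on the kernel stack: a normal kernel trap
        cpu = Cpu(KERNEL_CS, GS_KERNEL, kernel_rsp, kernel_limit)
    outcome, entries = deliver_trap(cpu)
    return outcome, entries, all(is_user_address(f) for f in cpu.frames)


if __name__ == "__main__":
    print(breakpoint_at_syscall_entry(True))   # ('DOUBLE_FAULT', 256, True)
    print(breakpoint_at_syscall_entry(False))  # ('HANDLED', 1, False)
```

The 256 nested entries before #DF and their all-user-mode Child-SP values are exactly the pattern the k output above shows, with the first kernel-mode stack address appearing only in the KiDoubleFaultAbort frame.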
