Further 1903 Compatibility Issues #8

Closed
h33p opened this issue Jul 7, 2019 · 2 comments
Comments

h33p commented Jul 7, 2019

It appears that on Windows 10 version 1903 the export table of the kernel is not parseable. This is a serious issue that breaks the initialization process.

During boot:

Using Mode: MODE_EXTERNAL
PML4:   1ad000  | KernelEntry:  fffff8047e2ca9a0
Kernel Base:    fffff8047d800000 (2e00000)
ntHeader64:     0x7fffb5b67248  1
ParseExportTable: 994dd8 - 992000 + b64 * 4 > 177bb
ParseExportTable: 0
PsInitialSystemProcess: fffff8047dd6f3a0 (336f3a0)
System (PID 4): ffffd7846aa79040 (471c79040)
NT Version:     1000
NT Build:       18362
Process List:
0004    System
0174    smss.exe

After boot:

Using Mode: MODE_EXTERNAL
PML4:   1ad000  | KernelEntry:  fffff8047e2ca9a0
Kernel Base:    fffff8049265a000 (82e00000)
ntHeader64:     0x7ffca86f40d8  1
ParseExportTable: 1 - 992000 + 8091d510 * 4 > 177bb
ParseExportTable: 4
Initialization error: 5 

Notice the kernel base changing. There might be a workaround inside the security settings, but that is far from ideal.

fatalis commented Jul 31, 2019

This is occurring for me on one of my 1809 VMs.

PML4:   1aa000  | KernelEntry:  fffff80168419e80
Kernel Base:    fffff8016849e000 (249d000)
PsInitialSystemProcess: fffff801689e12e0 (29e02e0)
System (PID 4): ffff938dace4c040 (3e24c040)
NT Version:     1000

->

PML4:   1aa000  | KernelEntry:  fffff8016c09ee80
Kernel Base:    fffff8016b614000 (2000000)
-------------------- InitializeContext error 5 --------------------

EDIT: starts working again with the new Kernel Base after a while randomly:

PML4:   1aa000  | KernelEntry:  fffff8016c09ee80
Kernel Base:    fffff8016b614000 (2000000)
PsInitialSystemProcess: fffff8016bb572e0 (25432e0)
System (PID 4): ffffbc0d8205d080 (3d45d080)
NT Version:     1000

btw I'm working on implementing page enumeration via VAD tree traversal and should have a PR soon.

h33p commented Aug 2, 2019

Apparently the initialization process would find false matches of the kernel base. It is rather interesting though, as WinDbg sees the false matches as unmapped memory. It is an issue I will have to look into. In 0daf4d3 I have adjusted the search process to prioritize megabyte-aligned pages before going through the regular ones. This solves initialization for me, but from what I can tell the correct kernel base might be in a 4k-sized page. We might have to return to this to find more reliable code signatures, but closing for now.
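The two mechanisms this thread turns on, the export-table bounds check that the log prints as "a - b + n * 4 > size" and the adjusted scan that tries large-page-aligned candidates before the remaining 4 KiB pages, as an added Python example; this is not the project's code. It assumes "megabyte aligned" means 2 MiB alignment, and the memory pages, the decoy address and the PE-header check are constructed for illustration.

```python
import struct

PAGE = 0x1000
LARGE_PAGE = 0x200000  # 2 MiB: assumed meaning of "megabyte aligned" in the thread

def export_table_fits(addr_of_functions, section_va, num_functions, section_size):
    # The bounds test the log prints as "ParseExportTable: a - b + n * 4 > size":
    # the array of function RVAs must end inside the section holding the export directory.
    return addr_of_functions - section_va + num_functions * 4 <= section_size

def scan_order(lo, hi, prefer_aligned=True):
    # Candidate page bases in [lo, hi). With prefer_aligned, 2 MiB-aligned pages
    # come first and the remaining 4 KiB pages follow, as in the adjusted search.
    pages = list(range(lo, hi, PAGE))
    if not prefer_aligned:
        return pages
    aligned = [a for a in pages if a % LARGE_PAGE == 0]
    return aligned + [a for a in pages if a % LARGE_PAGE != 0]

def looks_like_pe_header(page):
    # Minimal check on one page: "MZ", e_lfanew inside the page, "PE\0\0", AMD64 machine.
    if len(page) < 0x40 or page[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    if e_lfanew + 6 > len(page) or page[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    return struct.unpack_from("<H", page, e_lfanew + 4)[0] == 0x8664

def find_kernel_base(read_page, lo, hi, prefer_aligned=True):
    # First candidate whose page carries a plausible PE header, or None.
    for base in scan_order(lo, hi, prefer_aligned):
        if looks_like_pe_header(read_page(base)):
            return base
    return None

def make_pe_page(e_lfanew=0x100):
    page = bytearray(PAGE)
    page[:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, e_lfanew)
    page[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", page, e_lfanew + 4, 0x8664)
    return bytes(page)

# Constructed memory (not a real dump): a stray header copy on an unaligned page
# sits below the real, 2 MiB-aligned image base, so a linear scan hits it first.
DECOY_BASE = 0xFFFFF8047D7F5000
REAL_BASE = 0xFFFFF8047D800000
MEMORY = {DECOY_BASE: make_pe_page(), REAL_BASE: make_pe_page()}

def read_page(addr):
    return MEMORY.get(addr, bytes(PAGE))
```

Feeding the two ParseExportTable lines from the issue into export_table_fits reproduces the log: the boot-time values pass, the post-boot garbage read from the false base fails.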
