Disabling DSE with the drivers DBUtil v2.3 and v2.5 shows BSOD #41
Labels: bug (Something isn't working)
Comments
Thanks, this will be fixed in the next version.
hfiref0x added a commit that referenced this issue on Nov 8, 2022:
Added Zemana FakeAV as provider 25 (multiple CVE, e.g. CVE-2018-6606, CVE-2021-31728, CVE-2022-42045) Address issue #41 Beta 1
Compiled v1.2.7 with Visual Studio 2022 this morning and did the following tests.
Successful tests:
Unsuccessful tests:
Verdict:
Thanks for testing and reporting this bug.
Hi hfiref0x,
First, many thanks and much respect for your hard work. It is always nice to see someone skilled releasing sources for others to learn from. This is much appreciated. I myself have used your DSEFix extensively for years to load unsigned drivers. Lately I switched to KDU and got a BSOD with the DBUtil providers. The details and a potential fix follow below.
With the DBUtil v2.3 driver we get a BSOD on Windows 10 and an instant reboot on Windows 7. The problem is related to the function "DbUtilWriteVirtualMemory" in the source file "KDU-master\Source\Hamakaze\idrv\dbutil.cpp". The size of the structure which DBUtil accepts as input is increased by the following code line:
```cpp
// Rounds the request size up to a whole page (4096 bytes)
size = ALIGN_UP_BY(value, PAGE_SIZE);
```
Because DBUtil v2.3 uses the buffer size specified in DeviceIoControl as the size to transfer, it writes 4096 bytes to the kernel virtual address where the g_CiOptions (Windows 10) or g_CiEnable (Windows 7) variable is located. Because this write hits read-only memory we see a BSOD. We corrected this by setting the "size" variable equal to "value" in the source code as follows:
```cpp
// Header up to the Data member plus the bytes actually requested
value = FIELD_OFFSET(DBUTIL_READWRITE_REQUEST, Data) + NumberOfBytes;
//size = ALIGN_UP_BY(value, PAGE_SIZE);
// Transfer exactly the requested number of bytes, not a full page
size = value;
```
The same should be implemented for the function "DbUtilReadVirtualMemory", but there it does not cause a BSOD, because the memory is only read, not written, for 4096 bytes.
In addition we tested the DBUtil v2.5 driver, which does not even install correctly. This is related to the function "DbUtilManageFiles" in the same source file. This function first unpacks the driver to the program directory and afterwards extracts the INF and CAT files to the TEMP directory. Therefore the INF cannot find the driver and the installation does not work. We also patched this with the following code change:
```cpp
//cch = supExpandEnvironmentStrings(L"%temp%\\", szFileName, MAX_PATH);
// Use the directory the driver was unpacked to instead of %temp%,
// so the INF and CAT files end up next to the driver file
lstrcpy(szFileName, Context->DriverFileName);
lpEnd = wcsrchr(szFileName, L'\\');
*(lpEnd + 1) = 0;   // cut the file name, keep the trailing backslash
//if (cch == 0 || cch > MAX_PATH) {
//    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
//}
//else {
```
We should apply this patch twice, for the install and the uninstall parts of this function. If we only apply the 2nd unpacking patch, we see that the DBUtil v2.5 driver also causes a BSOD, for the same reason as the DBUtil v2.3 driver. Therefore the 1st patch also solves the problem with DBUtil v2.5. After all patches are applied we can change DSE successfully with both providers.
I have attached a fixed and already patched source code file with comments. I hope that helps in fixing the little DBUtil bug.
KDU_dbutil_patched.zip
Keep the amazing stuff coming!
Greets, Kai Schtrom