Bugcheck C4 (DRIVER_VERIFIER_DETECTED_VIOLATION) #70
Comments
Converting a user-mode handle to kernel-mode handle would be a bad idea since it could be abused to elevate handle privileges? Driver Verifier can also be problematic because it's not designed for software drivers and additionally KProcessHacker blocks its queries since verifier hasn't been signed with our certificate. RE: suggestions. A) IsKernelHandle is identical to ObIsKernelHandle.

Hi @dmex, well, it is not a conversion exactly. It is re-opening the handle in kernel mode to do the check and closing it. There are no security issues because the driver is not sending the duplicated handle to user mode.

Just wanted to be sure, since "convert the user-mode handle to kernel-mode" can have a different meaning to "re-opening the handle in kernel mode to do the check" 😉 I'm going to close this since we're replacing the driver and this issue is no longer a problem with the new version 👍

Glad to hear about a new version. Excellent job. Kind regards.

MS finally fixed one of the pdb security flaws:

Hi @dmex, I'm a bit lost about the relationship between the pdb vulnerability and user/kernel mode handle conversion. Regards.

@mxmauro You asked me to include pdb files with the releases in addition to the handle conversion?
Hi, I have verifier enabled in some virtual machines and the KProcessHacker driver triggers bugcheck C4 because `ZwQueryObject` is called with a user-mode handle, in my case when querying for `ObjectTypeInformation`. Because `ObQueryTypeInfo` is not exported, the fix can be to use `ObReferenceObjectByHandle` and `ObOpenObjectByPointer` to convert the user-mode handle to kernel-mode.

BTW: Two suggestions:

a) Replace `IsKernelHandle` with a call to `ObIsKernelHandle`.
b) Include .pdb files in binary distributions.

Regards,
Mauro.
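The following is an added example, written for this issue and not KProcessHacker's own code, covering both points of the report. The first part compares the two handle checks named in suggestion (a): KProcessHacker's `IsKernelHandle` is assumed here to be the sign test `(LONG_PTR)Handle < 0`, and `ObIsKernelHandle` is reproduced from its ntifs.h definition as a mask test; on the handle values the object manager actually issues (kernel handles are user-range values with the `KERNEL_HANDLE_MASK` bits set) the two coincide, and the constructed samples reflect that. The second part, `QueryTypeViaKernelHandle` (a hypothetical name), is the reference-then-reopen pattern from the report: the caller's handle is resolved with `ObReferenceObjectByHandle`, a fresh kernel handle is opened with `ObOpenObjectByPointer` and `OBJ_KERNEL_HANDLE`, `ZwQueryObject` is called on that handle only, and the handle is closed before returning, so nothing is handed back to user mode. That part compiles only under the WDK with the made-up macro `EXAMPLE_KERNEL_DRIVER` defined; without it the file builds as an ordinary user-mode program that runs the handle-check comparison.

```c
/* Added example for KProcessHacker issue #70; not project code. */
#ifdef EXAMPLE_KERNEL_DRIVER      /* assumed macro: define it in a WDK kernel-mode build */
#include <ntifs.h>
#else
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef void *HANDLE;             /* minimal stand-ins for the Windows types used below */
typedef int32_t LONG;
typedef intptr_t LONG_PTR;
typedef uintptr_t ULONG_PTR;
#endif

/* ntifs.h: KERNEL_HANDLE_MASK is 0x80000000 sign-extended to pointer width,
 * i.e. 0xFFFFFFFF80000000 on 64-bit Windows and 0x80000000 on 32-bit. */
#define EXAMPLE_KERNEL_HANDLE_MASK ((ULONG_PTR)((LONG)0x80000000))

/* KProcessHacker-style IsKernelHandle (assumed): negative as a signed pointer. */
static int KphStyleIsKernelHandle(HANDLE Handle)
{
    return (LONG_PTR)Handle < 0;
}

/* ntifs.h ObIsKernelHandle: every bit of the mask is set. */
static int ObStyleIsKernelHandle(HANDLE Handle)
{
    return ((ULONG_PTR)Handle & EXAMPLE_KERNEL_HANDLE_MASK) == EXAMPLE_KERNEL_HANDLE_MASK;
}

/* Returns 1 when both checks agree on every sample, 0 otherwise. Samples are
 * constructed: small user handles (multiples of 4), the largest user-range
 * value, and kernel handles (user-range values with the mask bits set). */
int HandleChecksAgree(void)
{
    const ULONG_PTR samples[] = {
        0x0, 0x4, 0x1C, 0x7FFFFFFC,
        EXAMPLE_KERNEL_HANDLE_MASK,
        EXAMPLE_KERNEL_HANDLE_MASK | 0x4,
        (ULONG_PTR)-4            /* 0x...FFFC: a kernel handle at either width */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        HANDLE h = (HANDLE)samples[i];
        if (KphStyleIsKernelHandle(h) != ObStyleIsKernelHandle(h))
            return 0;
    }
    return 1;
}

#ifdef EXAMPLE_KERNEL_DRIVER
/* Query ObjectTypeInformation for a handle received from user mode without
 * passing that user-mode handle to ZwQueryObject (the call Driver Verifier
 * reports as bugcheck C4). Buffer must be driver-owned kernel memory: the Zw
 * call runs with PreviousMode == KernelMode and does not probe its arguments. */
NTSTATUS QueryTypeViaKernelHandle(
    _In_ HANDLE UserHandle,
    _In_ KPROCESSOR_MODE AccessMode,
    _Out_writes_bytes_(Length) PVOID Buffer,
    _In_ ULONG Length,
    _Out_opt_ PULONG ReturnLength)
{
    NTSTATUS status;
    PVOID object = NULL;
    HANDLE kernelHandle = NULL;

    /* 1. Resolve the caller's handle. With AccessMode == UserMode the object
     *    manager rejects kernel handles and handles not in the caller's table. */
    status = ObReferenceObjectByHandle(UserHandle, 0, NULL, AccessMode, &object, NULL);
    if (!NT_SUCCESS(status))
        return status;

    /* 2. Open a new handle to the same object in the kernel handle table. */
    status = ObOpenObjectByPointer(object, OBJ_KERNEL_HANDLE, NULL, 0, NULL,
                                   KernelMode, &kernelHandle);
    if (NT_SUCCESS(status)) {
        /* 3. Query through the kernel handle and close it immediately; the
         *    handle never leaves the driver. */
        status = ZwQueryObject(kernelHandle, ObjectTypeInformation, Buffer, Length, ReturnLength);
        ZwClose(kernelHandle);
    }

    ObDereferenceObject(object);
    return status;
}
#else
int main(void)
{
    int agree = HandleChecksAgree();
    printf("IsKernelHandle and ObIsKernelHandle agree on the sample handles: %s\n",
           agree ? "yes" : "no");
    return agree ? 0 : 1;
}
#endif
```

The user-mode build is the part you can run anywhere; it exercises the mask arithmetic on both 32- and 64-bit pointer widths, which is where the sign-extension subtlety of `KERNEL_HANDLE_MASK` lives. The kernel routine is the shape of the fix the report asks for: the only handle `ZwQueryObject` ever sees is one the driver opened itself.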