Bugcheck C4 (DRIVER_VERIFIER_DETECTED_VIOLATION) #70
Comments
|
Converting a user-mode handle to kernel-mode handle would be a bad idea since it could be abused to elevate handle privileges? Driver Verifier can also be problematic because it's not designed for software drivers and additionally KProcessHacker blocks it's queries since verifier hasn't been signed with our certificate. RE: suggestions. A) IsKernelHandle is identical to ObIsKernelHandle. |
|
Hi @dmex , well it is not a conversion exactly. Is re-opening the handle in kernel mode to do the check and close it. There is no security issues because the driver is not sending the duplicated handle to user mode. |
|
just wanted to be sure since "convert the user-mode handle to kernel-mode" can have a different meaning to "re-opening the handle in kernel mode to do the check" 😉 I'm going to close this since we're replacing the driver and this issue is no longer a problem with new version 👍 |
|
Glad to hear about a new version. Excellent job. Kind regards. |
|
MS finally fixed one of the pdb security flaws: |
|
Hi @dmex I'm a bit lost about relationship between the pdb vulnerability and user/kernel mode handle conversion. Regards. |
|
@mxmauro You asked me to include pdb files with the releases in addition to the handle conversion?
|
Hi, I have verifier enabled in some virtual machines and
KProcessHackerdriver triggers bugcheck C4 becauseZwQueryObjectis called with a usermode handle, in my case, when querying forObjectTypeInformation.Because
ObQueryTypeInfois not exported, the fix can be to useObReferenceObjectByHandleandObOpenObjectByPointerto convert the user-mode handle to kernel-mode.BTW: Two suggestions:
a) Replace
IsKernelHandlewith a call toObIsKernelHandle.b) Include .pdb files in binary distributions.
Regards,
Mauro.
The text was updated successfully, but these errors were encountered: