Closed

EasyHook64Drv.sys and TestDriver64.sys crash on windows 7 x64

description

  1. Download the EasyHook 2.6 source code.
  2. Open EasyHookSys.sln with VS2008 and build for x64 Debug.
  3. Copy EasyHook64Drv.sys and TestDriver64.sys to a Windows 7 64-bit OS on VMware.
  4. Install EasyHook64Drv.sys with SRVINSTW.EXE and start the service.
  5. Install TestDriver64.sys with SRVINSTW.EXE and start the service.
Then a BSoD occurs; the reason is "An attempt was made to write to read-only memory".
PS: I haven't changed any code.

When I check the call stack in WinDbg
a. the call stack is:
0: kd> kn
 # Child-SP          RetAddr           Call Site
00 fffff880`02ff4d98 fffff800`029c36d2 nt!DbgBreakPointWithStatus
01 fffff880`02ff4da0 fffff800`029c4a98 nt!KiBugCheckDebugBreak+0x12
02 fffff880`02ff4e00 fffff800`028ce004 nt!KeBugCheck2+0xcf8
03 fffff880`02ff54d0 fffff800`0294cdb2 nt!KeBugCheckEx+0x104
04 fffff880`02ff5510 fffff800`028cbfee nt! ?? ::FNODOBFM::`string'+0x4244e
05 fffff880`02ff5670 fffff880`039d094c nt!KiPageFault+0x16e
06 fffff880`02ff5800 fffff880`039d83d1 EasyHook64Drv!LhInstallHook+0x55c [f:\tools\program\driver\easyhooksourcecode26\drivershared\localhook\install.c @ 345]
07 fffff880`02ff5890 fffff880`039d8e3c TestDriver64!RunTestSuite+0x91 [f:\tools\program\driver\easyhooksourcecode26\examples\testdriver\testsuite.c @ 50]
08 fffff880`02ff5940 fffff800`02cb5477 TestDriver64!DriverEntry+0x9c [f:\tools\program\driver\easyhooksourcecode26\examples\testdriver\main.c @ 63]
09 fffff880`02ff59a0 fffff800`02cb5875 nt!IopLoadDriver+0xa07
0a fffff880`02ff5c70 fffff800`028db161 nt!IopLoadUnloadDriver+0x55
0b fffff880`02ff5cb0 fffff800`02b71166 nt!ExpWorkerThread+0x111
0c fffff880`02ff5d40 fffff800`028ac486 nt!PspSystemThreadStartup+0x5a
0d fffff880`02ff5d80 00000000`00000000 nt!KxStartSystemThread+0x16

b. the error code is (install.c, line 345):
*((ULONGLONG*)(Hook->TargetProc + 0)) = AtomicCache_x64;

Please help me.
Thanks.
Closed Aug 15, 2015 at 7:59 AM by spazzarama

comments

fishjam wrote Aug 14, 2013 at 1:41 AM

I know the reason for the crash at line 345.
The code must be made writable by calling WPOFFx64().
The WPOFFx64 function is:
KIRQL WPOFFx64()
{
    // Raise to DISPATCH_LEVEL so this thread is neither preempted nor moved to
    // another processor while CR0.WP is clear; the caller must restore CR0 and
    // then lower the IRQL again with the value returned here.
    KIRQL irql = KeRaiseIrqlToDpcLevel();
    UINT64 cr0 = __readcr0();
    cr0 &= ~0x10000;        // clear bit 16 of CR0: WP (supervisor write protection)
    __writecr0(cr0);
    //_disable();
    return irql;
}

fishjam wrote Aug 14, 2013 at 1:43 AM

But it still crashes because the jump address is wrong.
1: kd> u fffff800`0284c99c
nt!KeCancelTimer:
fffff800`0284c99c 48b89842df0080faffff mov     rax,0FFFFFA8000DF4298h  <== Address is wrong
fffff800`0284c9a6 ffe0                 jmp     rax

spazzarama wrote Feb 15, 2014 at 12:15 PM

This is a problem with the RIP address relocation. This has been fixed in changeset 73837
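The RIP address relocation that spazzarama refers to is the step where a hook library copies the first instructions of the target into a trampoline: an x64 instruction with a RIP-relative operand encodes its target as a 32-bit displacement from the end of the instruction, so a copied instruction that is not re-displaced reads or jumps through the wrong address, and a copy placed more than 2 GiB away cannot be patched in place at all. The following C program is an added example written for this thread; it is not EasyHook's code. It treats the addresses as plain numbers so it runs in user mode, reuses the KeCancelTimer address from the WinDbg listing above as the original location, and assumes two trampoline addresses that are constructed for the demonstration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Absolute address an x64 RIP-relative operand refers to. The displacement is
 * measured from the end of the instruction, so the result depends on where the
 * instruction lives and how long it is. */
uint64_t rip_target(uint64_t insn_addr, size_t insn_len, int32_t disp)
{
    return insn_addr + insn_len + (uint64_t)(int64_t)disp;
}

/* Recompute disp32 so that an instruction moved from old_addr to new_addr still
 * references the same absolute target. Returns 0 and stores the new displacement,
 * or -1 when the target is no longer within +/-2 GiB of the relocated copy (the
 * instruction must then be rewritten into a different form, not just patched). */
int relocate_disp32(uint64_t old_addr, uint64_t new_addr, size_t insn_len,
                    int32_t old_disp, int32_t *new_disp)
{
    uint64_t target = rip_target(old_addr, insn_len, old_disp);
    int64_t delta = (int64_t)(target - (new_addr + insn_len));
    if (delta > INT32_MAX || delta < INT32_MIN)
        return -1;
    *new_disp = (int32_t)delta;
    return 0;
}

/* Copy one instruction from src to dst and patch the little-endian disp32 field
 * at byte offset disp_off. old_addr/new_addr are the virtual addresses the copy
 * came from and goes to; they are numbers here, not pointers. Returns 0 on success. */
int relocate_insn(const uint8_t *src, uint8_t *dst, size_t insn_len,
                  size_t disp_off, uint64_t old_addr, uint64_t new_addr)
{
    int32_t old_disp, new_disp;
    if (disp_off + sizeof(int32_t) > insn_len)
        return -1;
    memcpy(dst, src, insn_len);
    memcpy(&old_disp, src + disp_off, sizeof old_disp);
    if (relocate_disp32(old_addr, new_addr, insn_len, old_disp, &new_disp) != 0)
        return -1;
    memcpy(dst + disp_off, &new_disp, sizeof new_disp);
    return 0;
}

/* Constructed demo instruction: "mov rax, [rip+0x10]" (48 8b 05 disp32). */
static const uint8_t mov_rax_rip[] = { 0x48, 0x8b, 0x05, 0x10, 0x00, 0x00, 0x00 };
#define DISP_OFF   3
#define OLD_ADDR   0xfffff8000284c99cULL  /* KeCancelTimer, from the WinDbg output above */
#define NEAR_TRAMP 0xfffff8000284d000ULL  /* assumed trampoline 0x664 bytes further on */
#define FAR_TRAMP  0xfffff88003000000ULL  /* assumed trampoline in another 4 GiB region */

/* Relocate the demo instruction to the nearby trampoline and return the patched
 * displacement (0 if relocation failed). */
int32_t relocate_demo_near(void)
{
    uint8_t copy[sizeof mov_rax_rip];
    int32_t disp = 0;
    if (relocate_insn(mov_rax_rip, copy, sizeof copy, DISP_OFF, OLD_ADDR, NEAR_TRAMP) == 0)
        memcpy(&disp, copy + DISP_OFF, sizeof disp);
    return disp;
}

/* Try the far trampoline: returns relocate_insn's status (-1 = out of reach). */
int relocate_demo_far(void)
{
    uint8_t copy[sizeof mov_rax_rip];
    return relocate_insn(mov_rax_rip, copy, sizeof copy, DISP_OFF, OLD_ADDR, FAR_TRAMP);
}

int main(void)
{
    int32_t disp = relocate_demo_near();
    printf("original target: %" PRIx64 "\n", rip_target(OLD_ADDR, sizeof mov_rax_rip, 0x10));
    printf("near copy: disp32=%" PRId32 " target=%" PRIx64 "\n", disp,
           rip_target(NEAR_TRAMP, sizeof mov_rax_rip, disp));
    if (relocate_demo_far() != 0)
        printf("far copy: target out of disp32 reach, cannot be patched in place\n");
    return 0;
}
```

The near copy keeps the same target (0xfffff8000284c9b3) with a displacement of -1620 instead of +16; the far copy fails the reach check, which is why x64 hook trampolines must be allocated close to the target or the copied instruction must be rewritten. A relocation that is skipped or miscomputed produces a wrong absolute address of the kind seen in fishjam's listing.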

spazzarama wrote Aug 15, 2015 at 7:58 AM

The RIP address relocation issue has been fixed for some time.

** Closed by spazzarama 8/14/2015 11:51 PM
