APC executes the remote process code. After one execution, the process crashes. Please help me

Hello HoShiMin,

While trying to modprobe kvm_amd I got the following error:

kvm_amd: SVM disabled (by BIOS) in MSR_VM_CR

Apparently my AMD Ryzen 7 PRO 4750G with Radeon Graphics disables these processor extensions by default.

I couldn't find much information regarding this, but I stumbled upon your project.

Any chance you could guide as to what SVM & MSR_VM_CR stand for? Any documentation one could get to?

Is there any example how to load unsigned drivers with that library ?

Might I be able to force all Windows network traffic through WSL2 to use IPTABLES mangle instead or in additioon to Windows Firewall?

Perhaps by "Bridging" from Windows to WSL2 and let WSL2 communicate to and from the wire using IPTABLES with ability to use IPTABLES as firewall?

Of course they work independently albeit with Nat addresses... I'd like to use one IP for all bidirectional communications enabling the IPTABLES firewall instead of Windows.... too many limitations in Windows Firewall.

Appreciate any hints or thoughts, tested or theoretical - hypothetical.

Do you know how to make the processor chew a single instruction? What function would I look at?

is there way that it can be done?

hello you，can you make a binding for vlang

Hey there,

KbReadProcessMemory fails with 158 error (ERROR_NOT_LOCKED). Driver loads without any errors.
For my project I use "User-Bridge" wrappers as standalone .cpp/.h modules.
Driver version: v1.19

BOOL status = KbReadProcessMemory(
	GetPidByName(L"process.exe"),
	Address,
	&buf,
	size
);

if (status == 0) {
	cout << GetLastError() << endl;
}

Any ideas how could be this fixed?

CppSupport

struct MyStruct1{
int a;
int b;
}
struct MyStruct2{
int a;
int b;
MyStruct1* s1;

}
auto s2 = new MyStruct2();
s2->s1 = new MyStruct1();
...
delete s2->s1; // BSOD

auto s1 = new MyStruct1();
delete s1; // Not BSOD

Hi , you can use
https://github.com/wbenny/KSOCKET
KSOCKET is windows kernel socket.
Its very easy to use.You can implement it.
But there is no usermode to use it.Its kernel only.
Just needs some wrapper.
Maybe you can do it in Kernel-Bridge

Also checkout for Linux version:
https://github.com/hbagdi/ksocket

Hello,

I've looked at the hypervisor API, however, It only starts and stops the virtualization. How is it possible to catch a CPUID instruction while the hypervisor is running and change the result values?
is this possible with the API or source code change is needed?

Mapping any driver even the simplest.

auto test = KbRtl::KbRtlMapDriverFile(L"C:\\dummy.sys", L"KBFM"); fmt::print("test {0} ", test);

Produces KbLdrImportNotResolved can someone provide me a dummy driver example or explain to me what this error means and how to fix it?

#include <ntddk.h>


extern "C" DRIVER_INITIALIZE DriverEntry;


namespace {
    UNICODE_STRING DeviceName = RTL_CONSTANT_STRING(L"\\Device\\KBFM");
    UNICODE_STRING DeviceLink = RTL_CONSTANT_STRING(L"\\??\\KBFM");
    PDEVICE_OBJECT DeviceInstance = NULL;
}

#define IO_INCREMENT_VALUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_RECEIVE_RANDOM_BUFFER CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
EXTERN_C_START



static NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp);

static NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject);

static NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);

static NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
EXTERN_C_END

extern "C" NTSTATUS NTAPI DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
) {
    UNREFERENCED_PARAMETER(RegistryPath);
    NTSTATUS Status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceInstance);

    if (!NT_SUCCESS(Status)) {
        KdPrint(("[KBFM]: IoCreateDevice Error!\r\n"));
        return Status;
    }

    Status = IoCreateSymbolicLink(&DeviceLink, &DeviceName);

    if (!NT_SUCCESS(Status)) {
        KdPrint(("[KBFM]: IoCreateSymbolicLink Error!\r\n"));
        IoDeleteDevice(DeviceInstance);
        return Status;
    }


    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
    DriverObject->DriverUnload = reinterpret_cast<PDRIVER_UNLOAD>(UnloadDriver);

	
    return STATUS_SUCCESS;
}



static NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    KdPrint(("[KBFM]: Unload routne called!\r\n"));
    IoDeleteSymbolicLink(&DeviceLink);
    IoDeleteDevice(DriverObject->DeviceObject);
    return STATUS_SUCCESS;
}


static NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    KdPrint(("[KBFM]: Create called!\r\n"));
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

static NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    KdPrint(("[KBFM]: Closecall called!\r\n"));
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}


static NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    NTSTATUS Status = STATUS_INVALID_PARAMETER;
    ULONG BytesIO = 0;

    const IO_STACK_LOCATION stack = *IoGetCurrentIrpStackLocation(Irp);
    const ULONG ControlCode = stack.Parameters.DeviceIoControl.IoControlCode;

    if (ControlCode == IO_INCREMENT_VALUE)
    {


    }
    else if (ControlCode == IO_RECEIVE_RANDOM_BUFFER)
    {

    }

    // Complete the request
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = BytesIO;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return Status;
}

Hello,

I tried loading the signed binaries but i get the message "a certificate was explicitly revoked by its issuer"

Hey,

if I run the test I always get the message "Unable to load driver!". I adjusted the path for the kernel-bridge.sys but the issue still persists?

Am I doing sth wrong?

Best regards!

Hello, How can I build Kernel-Bridge for x86?

This code crash compiler:

enum VMCS_FIELD_ENCODING : decltype(VMCS_COMPONENT_ENCODING::Value) {

with error:

3>C:\Sources\Kernel-Bridge\CommonTypes\VMX.h(266,6): fatal  error C1001: Internal compiler error.
3>(compiler file 'msc1.cpp', line 1576)
3> To work around this problem, try simplifying or changing the program near the locations listed above.
3>If possible please provide a repro here: https://developercommunity.visualstudio.com
3>Please choose the Technical Support command on the Visual C++
3> Help menu, or open the Technical Support help file for more information (compiling source file API\Hypervisor.cpp)
3>INTERNAL COMPILER ERROR in 'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.33.31629\bin\HostX64\x64\CL.exe'
3>    Please choose the Technical Support command on the Visual C++
3>    Help menu, or open the Technical Support help file for more information
3>KernelShells.cpp
3>cl : command line  error D8040: error creating or communicating with child process
3>Done building project "Kernel-Bridge.vcxproj" -- FAILED.

Need to change:

enum VMCS_FIELD_ENCODING : unsigned int {

I use Visual Studio 2022, Windows SDK "10.0.22621.0" and appropriate WDK.

After last update KbWriteProcessMemory get BSOD some time later "Process Locked ..."
Previously, everything worked

Hello,
I am trying to use your framework to learn kernel exploit development. The first thing I am trying to do is to get the base address of notepad++.exe but I can't seem to get it working. Do you mind showing me how to achieve this?

So far my code is:

typedef NTSTATUS(NTAPI *_NtQueryInformationProcess)(
	IN HANDLE ProcessHandle,
	ULONG ProcessInformationClass,
	OUT PVOID ProcessInformation,
	IN ULONG ProcessInformationLength,
	OUT PULONG ReturnLength OPTIONAL
	);

typedef NTSTATUS(NTAPI *_NtReadVirtualMemory)(
	IN HANDLE ProcessHandle,
	IN PVOID BaseAddress,
	OUT PVOID Buffer,
	IN SIZE_T Size,
	OUT PSIZE_T NumberOfBytesRead);

typedef NTSTATUS(NTAPI *_NtWow64ReadVirtualMemory64)(
	IN HANDLE ProcessHandle,
	IN PVOID64 BaseAddress,
	OUT PVOID Buffer,
	IN ULONG64 Size,
	OUT PULONG64 NumberOfBytesRead);

typedef struct _PROCESS_BASIC_INFORMATION_WOW64 {
	PVOID Reserved1[2];
	PVOID64 PebBaseAddress;
	PVOID Reserved2[4];
	ULONG_PTR UniqueProcessId[2];
	PVOID Reserved3[2];
} PROCESS_BASIC_INFORMATION_WOW64;

typedef struct _UNICODE_STRING_WOW64 {
	USHORT Length;
	USHORT MaximumLength;
	PVOID64 Buffer;
} UNICODE_STRING_WOW64;

... main method ...
bool driver_status = KbLoader::KbLoadAsDriver(L"C:\\Development\\Kernel-Bridge.sys");
	if (driver_status)
	{
		const wchar_t* ProcessName = L"notepad++.exe";

		ULONG pid = 1234;
		WdkTypes::HANDLE hProcess = NULL;
		KbOpenProcess(pid, &hProcess);

		BOOL wow;
		IsWow64Process(&hProcess, &wow);

		if (wow)
		{
			std::cout << "Process is 64bit" << std::endl;

			PROCESS_BASIC_INFORMATION_WOW64 pbi;
			ZeroMemory(&pbi, sizeof(pbi));

			// get process information from 64-bit world
			_NtQueryInformationProcess query = (_NtQueryInformationProcess)GetProcAddress(GetModuleHandleA("notepad++.exe"), "NtWow64QueryInformationProcess64");
			DWORD q = 0;
			query(&hProcess, 0, &pbi, sizeof(pbi), NULL);

			if (q != 0)
			{
				printf("NtWow64QueryInformationProcess64 failed\n");
			}
			else
			{
				std::cout << "B: " << pbi.PebBaseAddress << std::endl;
			}


		}

		KbCloseHandle(hProcess);

https://github.com/HoShiMin/Kernel-Bridge/blob/master/User-Bridge/API/User-Bridge.cpp#L507
https://github.com/HoShiMin/Kernel-Bridge/blob/master/User-Bridge/API/User-Bridge.cpp#L565

KbMapMdl and KbMapMemory funcs have UserRequestedAddress arg, but it is not passed to KB_MAP_MDL_IN Input struct.

3 errors preventing me from building Reading process memory

#include <Windows.h>
#include "WdkTypes.h"
#include "CtlTypes.h"
#include "User-Bridge.h"
int main()
{
using namespace KbLoader;
// Unloading previous loaded instance:
KbUnload();
BOOL Status = KbLoadAsFilter(
L"C:\Users\Admin\Downloads\Kernel-Bridge\x64\Release\Kernel-Bridge.sys",
L"260000" // Altitude of minifilter
);
if (!Status)
return 0; // Unable to load driver!
// Successfully loaded!
// Now you can use the User-Bridge API!
KbUnload();
return 0;
}

Error LNK2001 unresolved external symbol "int __cdecl KbLoader::KbLoadAsFilter(wchar_t const *,wchar_t const *)" (?KbLoadAsFilter@KbLoader@@YAHPEB_W0@Z) MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\MyProject\MyProject.obj 1

Error LNK2001 unresolved external symbol "int __cdecl KbLoader::KbUnload(void)" (?KbUnload@KbLoader@@yahxz) MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\MyProject\MyProject.obj 1

Error LNK1120 2 unresolved externals MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\x64\Release\MyProject.exe 1

leaks memory when SummaryLength < SSO_SIZE

I'm trying to hexdump another process and I don't really know how to find the mapped regions of the target process. Do you have any idea if theres already a relatively simple method to do that?

Best regards!

Hello.
I get this error:
[+] Ensuring previous driver instance is removed...
[+] Installing Kernel-Bridge driver...
[-] Failed to install Kernel-Bridge driver!
Last error: -2146762484
How can I fix this?

I tried to load the driver as a filter, and immediately got a blue screen, from some debugging, I found the bug in the DriverControl function, in line 311:

 IoCompleteRequest(Irp, IO_NO_INCREMENT);
 return Irp->IoStatus.Status;

The Irp variable is used after IoCompleteRequest, which should not be done (according to google)

KbWriteProcessMemory writes to a static address, reopening the process will not restore the previous data

Hello, dear friends!
I am new to the topic, so my question could be very naïve:
I have successfully build the tool from sources using VS 2019, copied all necessary files to a remote computer, installed the certificate and now trying to install the driver itself there, using DEVCON.
"devcon install Kernel-Bridge.inf hardware ID ?"
What is hardware ID, which I need to use?
Thanks a lot in advance! Your help is greatly appreciated!

While testing, I noticed reading a process memory using Kernel-Bridge is slower than a small driver I wrote.
I checked and it seems KB is mapping MDLs and then copies the memory. While all I need is using a Method_Out_Direct to get a kernel-address space buffer and attach to target process stack, Copy memory and detach.
I wonder if such a thing or something close is possible in KB?

debug_me.exe is a simple application which call MessageBoxA when button clicked.

Now we use KbWriteProcessMemory with TriggleCoW to user32.MessageBoxA like this:

VOID BSOD_Test() {

    WdkTypes::PEPROCESS Process;
    DWORD ProcessId = GetProcessIdByName(TEXT("debug_me.exe")); // A wow64 process
    PVOID Address = (PVOID)0x76311F70; // user32.MessageBoxA

    Processes::Descriptors::KbGetEprocess(ProcessId, &Process);
    printf("MessageBoxA: VA:%p, PA:0x%I64X\n", Address, GetPhysAddr(Process, Address));
    {
        BYTE Buffer[1] = { 0 };
        BOOL Status = Processes::MemoryManagement::KbReadProcessMemory(ProcessId, (WdkTypes::PVOID)Address, Buffer, 1);
        printf("MessageBoxA: KbReadProcessMemory:  0x%02X\n", Buffer[0]);
    }

    {
        BYTE* NewBuffer = new BYTE[1];
        NewBuffer[0] = 0xC3;
        BOOL Status = Processes::MemoryManagement::KbWriteProcessMemory(ProcessId, (WdkTypes::PVOID)Address, NewBuffer, 1, TRUE);
        delete[] NewBuffer;
        printf("MessageBoxA: KbWriteProcessMemory: %d\n", Status);
        printf("MessageBoxA: PA:0x%I64X\n", GetPhysAddr(Process, Address));
    }

    Processes::Descriptors::KbDereferenceObject(Process);
}

The debug_me.exe will crash obviously because the user32.MessageBoxA is changed to 0xC3 and caused some stack error.

Then it will cause immediately BSOD.

QUOTA_UNDERFLOW (21)
This bugcheck occurs if a kernel component mishandles quota charges and
returns more quota than was previously charged to a particular quota block.
Arguments:
Arg1: ffffc9872b1ee080, The process (if any) that was initially charged.
Arg2: 0000000000000002, The quota type in question (paged pool, nonpaged pool, etc.)
Arg3: ffffffffffffffff, The initial charge amount to return.
Arg4: fffffffffffae8bd, The remaining (unreturned) charge.
------------------
os: 
Windows 10 1809

stack:
[0x4]   nt!PspReturnQuota + 0x180085   
[0x5]   nt!PsReturnProcessPageFileQuota + 0x25   
[0x6]   nt!MiReturnFullProcessCharges + 0x4b   
[0x7]   nt!MiRemoveVadCharges + 0xab   
[0x8]   nt!MiFinishVadDeletion + 0xf1   
[0x9]   nt!MiDeleteVad + 0x15f2   
[0xa]   nt!MiUnmapVad + 0x49   
[0xb]   nt!MiCleanVad + 0x30   
[0xc]   nt!MmCleanProcessAddressSpace + 0x113   
[0xd]   nt!PspRundownSingleProcess + 0x129   
[0xe]   nt!PspProcessRundownWorkerSingle + 0x32   
[0xf]   nt!ExpWorkerThread + 0x16a   
[0x10]   nt!PspSystemThreadStartup + 0x55   
[0x11]   nt!KiStartSystemThread + 0x1c   

Since the KbTriggerCopyOnWrite will still take some minnutes/hours to cause a BSOD, which meen it difficult to debug.
This maybe helpful to find the problem.

Would it be possible to edit the DMI information that resides in the ROM ( 0x000F0000-0x000FFFFF ) ? I've tried editing the SMBIOS that resides in the Phys address and it works on some chipsets, but on some it doesnt, any workaround ?

By the way, DMI != SMBIOS.

I'd like to keep using the wrappers included in the project, pretty neat project

Hello @HoShiMin
Can you please guide me on how to intercept KUSER_SHARED_DATA using the hypervisor?
I know it's possible using EPT but I just don't know how to do it using KbVmmInterceptPage
Thanks

Hello,

I'm working on the hypervisor to add more functionality to it. I've now added a dynamic buffer to change the result of CPUID instruction in hypervisor mode. now I want to detect which process caused a VM EXIT regardless of the exit reason.

psGetCurrentProcess() doesn't work;

Trying to include "CppSupport.h" from your project, but these errors occur:

Severity	Code	Description	Project	File	Line	Suppression State
Error	C2980	C++ exception handling is not supported with /kernel	MyDriver1	C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\km\crt\exception	72	
Error	C2146	syntax error: missing ';' before identifier '_Raise_handler'	MyDriver1	C:\Sources\My\MyDriver1\MyDriver1\CppSupport.cpp	227	
Error	C2980	C++ exception handling is not supported with /kernel	MyDriver1	C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\km\crt\exception	72	

It shows and error at the following code:

_Prhand _Raise_handler = &RaiseHandler;

Could you help me, please, how to solve these errors?

#include <stdexcept>

I used the api incorrectly

waiting for your inter vt production ^_^

after the target process terminated, there will still be a pfn left on system,
and bsod when produrce of memory management try to scan all pfn and find a useless pfn.

How to use ept hook

There are some memory regions where this function seems to fail (returns 0), whereas other memory regions seem to work fine. Any idea as to why this is happening or if there is a possible fix?

The same memory regions that KbFindSignature fails on KbReadProcessMemory also fails.

in my previous question #25 i described how i have access to kernel functions and system (kernel) address space.
is it possible to map all physical memory to system address space? im trying to not leave traces in usermode program such as very big mapped region.
my uc thread with code: https://www.unknowncheats.me/forum/general-programming-and-reversing/409449-mapping-physical-memory-system-address-space.html
as you can see my code in post on uc is not working as it should
is that even possible to do this?

Hello,
Any chance for a Delphi API to access this beautiful library ?

Thank you

hi,
i want to add api, not sure if it is planned?
like:
NtWaitForSingleObject (wait for create thread)
NtQueryVirtualMemory

How does one implement a system where one can read register values between each instruction?
Hypervisor? Callbacks?

Thank you!

Please let us know when can we have an ARM64 version for Windows on ARM OS. We can help you test We have Windows on Rasberry Pi setup. Please pursue it we at Windows on Rasberry Pi community will be glad to extend support in testing your drivers and tools for ARM64.

I just do with ntSuspendThread before but it return with 0xC00000022

CommPortListener Events are never called, it stuck in Subscribe function.
I tried to debug the problem , it's something in this line
" Status=Self>Port.Recv(reinterpret_cast<CommPortPacket>(&Message));"
in ListenerThread function

any ideas what could be the problem ?
P.S : same problem is happening for TestObCallbacks event listener never called

alpaca::serialize can be successfully executed

alpaca::deserialize Execution fails

Could you take a look

[https://github.com/p-ranav/alpaca #](url)