
lxmonika's Introduction

Just Monika



lxmonika's Issues

Document functionality and interfaces

Document things that are potentially useful for Pico driver developers:

lxmonika behavior

  • Offset database and fallback heuristics.
  • Pico provider registration.
  • Dispatcher (Process/thread creation/termination, process/thread contexts, "parent" providers).
  • Interactions with lxcore.
  • /dev/reality and \Device\Reality.
  • Transparency & compatibility issues.
  • Additional Pico callbacks.

NT Pico processes internals

  • \Device\ConDrv\KernelConnect.
  • API changes since circa 2016 (when thinkcz's Pico toolbox was created).
  • Pico process/thread lifetime (process switching on exec, thread cleanup using APCs, etc.).
  • MEM_DOS_LIM and Pico processes.

BSOD & bootloop after `KB5032190`

TRAP_FRAME:  ffffdf0924206fb0 -- (.trap 0xffffdf0924206fb0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8077df51fa0 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8077851ac23 rsp=ffffdf0924207140 rbp=ffffdf0924207300
 r8=0000000000000000  r9=7ffffffffffffffc r10=fffff80778437630
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe cy
nt!PsStartSiloMonitor+0xe35f3:
fffff807`7851ac23 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffdf0924206f08 -- (.exr 0xffffdf0924206f08)
ExceptionAddress: fffff8077851ac23 (nt!PsStartSiloMonitor+0x00000000000e35f3)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY 

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffffdf09`24206478 fffff807`78166882     : ffffdf09`242065e0 fffff807`77f1afa0 fffff807`757ad180 00000000`00000001 : nt!DbgBreakPointWithStatus
ffffdf09`24206480 fffff807`78165f43     : fffff807`00000003 ffffdf09`242065e0 fffff807`7802fc70 00000000`00000139 : nt!KiBugCheckDebugBreak+0x12
ffffdf09`242064e0 fffff807`78016a87     : ffffcf05`2dc61db8 fffff807`77e96773 ffffcf05`2e1f6a00 00000000`00000000 : nt!KeBugCheck2+0xba3
ffffdf09`24206c50 fffff807`7802bfa9     : 00000000`00000139 00000000`00000003 ffffdf09`24206fb0 ffffdf09`24206f08 : nt!KeBugCheckEx+0x107
ffffdf09`24206c90 fffff807`7802c532     : 00000800`00000000 ffff94ca`7e01dff8 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffdf09`24206dd0 fffff807`7802a306     : fffff807`00000000 00000000`00001001 00000000`00000000 ffff848c`5c136a40 : nt!KiFastFailDispatch+0xb2
ffffdf09`24206fb0 fffff807`7851ac23     : ffffffff`ffffffff 00000000`00000000 ffffcf05`2e1f6a00 ffffcf05`2e1f6a00 : nt!KiRaiseSecurityCheckFailure+0x346
ffffdf09`24207140 fffff807`7fe9e1f4     : ffff848c`5c134cf0 ffff848c`5c134cf0 ffffdf09`242073a0 ffff848c`5afb026d : nt!PsStartSiloMonitor+0xe35f3
ffffdf09`242071c0 fffff807`7fe9e030     : ffff848c`5a6b3000 ffff848c`5a6b3000 ffff848c`5af31580 fffff807`77f143f5 : Msfs!DriverEntry+0x174
ffffdf09`24207220 fffff807`783e2ac0     : ffff848c`5a6b3000 00000000`00000000 ffff848c`5c134cf0 fffff807`77f141a8 : Msfs!GsDriverEntry+0x20
ffffdf09`24207250 fffff807`7829ad1b     : ffff848c`5a6b3000 00000000`00000000 00000000`00000000 ffffcf05`2e287550 : nt!PnpCallDriverEntry+0x54
ffffdf09`242072a0 fffff807`7876e85b     : ffff848c`5af4c5d8 ffff848c`5af4c5d8 ffffdf09`242074d0 00000000`00000050 : nt!IopLoadDriver+0x523
ffffdf09`24207460 fffff807`78747336     : fffff807`00000000 ffffcf05`2e02abc0 00000000`00000000 fffff807`7543dde0 : nt!IopInitializeSystemDrivers+0x157
ffffdf09`24207500 fffff807`78406f8b     : fffff807`78406f50 fffff807`7885db10 fffff807`78406f50 fffff807`7543dde0 : nt!IoInitSystem+0x52
ffffdf09`24207530 fffff807`77f07287     : ffff848c`59ea0080 fffff807`78406f50 fffff807`7543dde0 00000000`00000000 : nt!Phase1Initialization+0x3b
ffffdf09`24207570 fffff807`7801b8e4     : fffff807`757ad180 ffff848c`59ea0080 fffff807`77f07230 00000000`00000000 : nt!PspSystemThreadStartup+0x57
ffffdf09`242075c0 00000000`00000000     : ffffdf09`24208000 ffffdf09`24201000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34


SYMBOL_NAME:  Msfs!DriverEntry+174

MODULE_NAME: Msfs

IMAGE_NAME:  Msfs.SYS

IMAGE_VERSION:  10.0.22621.2506

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  174

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_Msfs!DriverEntry

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {ff3062aa-c31f-4aa1-f93a-d31e5d0d16e0}

Followup:     MachineOwner
---------

Regardless of PatchGuard status and load order, drivers loading after lxmonika would cause a BSOD with KERNEL_SECURITY_CHECK_FAILURE after calling PsStartSiloMonitor.

The relevant disassembly is:

mov     rax, cs:qword_140C37D18
lea     rcx, PspSiloMonitorList
cmp     [rax], rcx
jnz     loc_14091AC1E
loc_14091AC1E:
mov     ecx, 3
; This is nt!PsStartSiloMonitor+0xe35f3 in the stack trace.
int     29h             ; Win8: RtlFailFast(ecx)

Seems like a heuristic has gone wrong.
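The fast-fail in the dump above is the kernel's LIST_ENTRY safe-link check. The following C model is an added example, not lxmonika's or ntoskrnl's code: it reproduces that check in user mode and shows how a single misplaced pointer write into the list head makes the next registration raise subcode 3. It assumes that qword_140C37D18 is PspSiloMonitorList.Blink and that the fault is a stray write through a wrong offset; the issue itself only says a heuristic went wrong.

```c
/* Added example (not lxmonika or ntoskrnl code): user-mode model of the
 * LIST_ENTRY safe-link check behind FAST_FAIL_CORRUPT_LIST_ENTRY. The dump's
 * disassembly loads Head.Blink (assumed: qword_140C37D18), compares its Flink
 * with &PspSiloMonitorList and raises int 29h with ecx=3 on mismatch. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

/* The check done before linking: the tail's forward link must point back at
 * the head. Returns 0 when consistent, else the fast-fail code (int 29h). */
static int CheckListHead(const LIST_ENTRY *head) {
    return head->Blink->Flink != head ? FAST_FAIL_CORRUPT_LIST_ENTRY : 0;
}

/* Checked InsertTailList, the way the kernel links a new entry. */
static int InsertTailListChecked(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *blink;
    int rc = CheckListHead(head);
    if (rc != 0) return rc;
    blink = head->Blink;
    entry->Flink = head;
    entry->Blink = blink;
    blink->Flink = entry;
    head->Blink = entry;
    return 0;
}

/* Two registrations into a healthy list: both pass the check, returns 0. */
int ScenarioHealthy(void) {
    LIST_ENTRY head, first, second;
    InitializeListHead(&head);
    if (InsertTailListChecked(&head, &first) != 0) return -1;
    return InsertTailListChecked(&head, &second);
}

/* Constructed fault: a pointer-sized write meant for another kernel field
 * lands on Head.Blink (a wrong offset), so Blink->Flink no longer hits the
 * head; the next registration, i.e. the next driver to load, fast-fails. */
int ScenarioWrongOffsetWrite(void) {
    LIST_ENTRY head, first, stray, next;
    InitializeListHead(&head);
    InsertTailListChecked(&head, &first);
    stray.Flink = stray.Blink = &stray;   /* points anywhere but the head */
    head.Blink = &stray;                  /* the stray 8-byte write */
    return InsertTailListChecked(&head, &next);   /* 3 */
}
```

The same comparison is what `cmp [rax], rcx` performs in the disassembly; in a real kernel the mismatch path is `int 29h`, which is unrecoverable and explains the bootloop once a driver loads after the corruption.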
