authorTrumeet <yuuta@yuuta.moe>2022-09-24 23:11:41 -0700
committerTrumeet <yuuta@yuuta.moe>2022-09-24 23:11:41 -0700
commitd68e844f8e97fab05588fdfed0535c492e4b6ed0 (patch)
treeee982f5171a74b68a7dd2d9407c371816673efcb
parent9a94822c314fa8324efb65ffc821fe6fbd607a3f (diff)
Add SMSSBSOD
-rwxr-xr-xSMSSBSOD/092422-17687-01.dmpbin0 -> 578732 bytes
-rwxr-xr-xSMSSBSOD/092422-6953-01.dmpbin0 -> 570492 bytes
-rw-r--r--SMSSBSOD/Main.c130
-rw-r--r--SMSSBSOD/README.md17
-rw-r--r--SMSSBSOD/photo_2022-09-24_22-39-18.jpgbin0 -> 159506 bytes
-rw-r--r--SMSSBSOD/photo_2022-09-24_22-52-03.jpgbin0 -> 174776 bytes
-rw-r--r--SMSSBSOD/photo_2022-09-24_22-54-50.jpgbin0 -> 170662 bytes
-rw-r--r--SMSSBSOD/photo_2022-09-24_22-55-06.jpgbin0 -> 35900 bytes
8 files changed, 147 insertions, 0 deletions
diff --git a/SMSSBSOD/092422-17687-01.dmp b/SMSSBSOD/092422-17687-01.dmp
new file mode 100755
index 0000000..86b05a4
--- /dev/null
+++ b/SMSSBSOD/092422-17687-01.dmp
Binary files differ
diff --git a/SMSSBSOD/092422-6953-01.dmp b/SMSSBSOD/092422-6953-01.dmp
new file mode 100755
index 0000000..519f526
--- /dev/null
+++ b/SMSSBSOD/092422-6953-01.dmp
Binary files differ
diff --git a/SMSSBSOD/Main.c b/SMSSBSOD/Main.c
new file mode 100644
index 0000000..79de8bd
--- /dev/null
+++ b/SMSSBSOD/Main.c
@@ -0,0 +1,130 @@
+#include <stdio.h>
+#include <Windows.h>
+#include <winternl.h>
+#include <stdlib.h>
+
+#pragma comment(lib,"ntdll.lib")
+
+typedef struct _SECTION_IMAGE_INFORMATION {
+ PVOID TransferAddress;
+ ULONG ZeroBits;
+ SIZE_T MaximumStackSize;
+ SIZE_T CommittedStackSize;
+ ULONG SubSystemType;
+ union {
+ struct {
+ USHORT SubSystemMinorVersion;
+ USHORT SubSystemMajorVersion;
+ };
+ ULONG SubSystemVersion;
+ };
+ ULONG GpValue;
+ USHORT ImageCharacteristics;
+ USHORT DllCharacteristics;
+ USHORT Machine;
+ BOOLEAN ImageContainsCode;
+ BOOLEAN Spare1;
+ ULONG LoaderFlags;
+ ULONG ImageFileSize;
+ ULONG Reserved[1];
+} SECTION_IMAGE_INFORMATION, * PSECTION_IMAGE_INFORMATION;
+
+typedef struct _RTL_USER_PROCESS_INFORMATION {
+ ULONG Size;
+ HANDLE ProcessHandle;
+ HANDLE ThreadHandle;
+ CLIENT_ID ClientId;
+ SECTION_IMAGE_INFORMATION ImageInformation;
+} RTL_USER_PROCESS_INFORMATION, * PRTL_USER_PROCESS_INFORMATION;
+
+static UNICODE_STRING FileName;
+static UNICODE_STRING CmdLine;
+static RTL_USER_PROCESS_INFORMATION ProcessInfo;
+static PRTL_USER_PROCESS_PARAMETERS UserProcessParam;
+
+static void cleanup(void) {
+ RtlFreeUnicodeString(&FileName);
+ RtlDestroyProcessParameters(UserProcessParam);
+ NtClose(ProcessInfo.ThreadHandle);
+ NtClose(ProcessInfo.ProcessHandle);
+}
+
+int wmain(int argc, wchar_t* argv[])
+{
+ atexit(cleanup);
+
+ wchar_t Path[512], CmdLine[512];
+
+ NTSTATUS Result;
+
+ if (argc < 2)
+ {
+ printf("Usage: ntstart.exe [Filename] [Command line]\n");
+ return -1;
+ }
+
+ if (!SearchPath(NULL, argv[1], L".exe", 512, Path, NULL))
+ {
+ printf("Error: File not found\n");
+ return 1;
+ }
+
+ if (!RtlDosPathNameToNtPathName_U(Path, &FileName, NULL, NULL))
+ {
+ printf("Error: Unable to convert path name\n");
+ return 1;
+ }
+
+ if (argc > 2)
+ {
+ swprintf(CmdLine, L"\"%ws\" %ws", Path, argv[2]);
+ RtlInitUnicodeString(&CmdLine, CmdLine);
+ }
+
+ if (!NT_SUCCESS(Result = RtlCreateProcessParameters(
+ &UserProcessParam,
+ &FileName,
+ NULL,
+ NULL,
+ argc > 2 ? &CmdLine : NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL)))
+ {
+ printf("Error: Unable to create process parameters: %x\n", Result);
+ return Result;
+ }
+
+ if (!NT_SUCCESS(Result = RtlCreateUserProcess(
+ &FileName,
+ OBJ_CASE_INSENSITIVE,
+ UserProcessParam,
+ NULL,
+ NULL,
+ NULL,
+ FALSE,
+ NULL,
+ NULL,
+ &ProcessInfo)))
+ {
+ printf("Error: Unable to create process: %x\n", Result);
+ return Result;
+ }
+
+ if (!NT_SUCCESS(Result = NtResumeThread(ProcessInfo.ThreadHandle, NULL)))
+ {
+ printf("Error: Unable to start process: %x\n", Result);
+ return Result;
+ }
+
+ if (!NT_SUCCESS(Result = NtWaitForSingleObject(ProcessInfo.ProcessHandle, FALSE, NULL)))
+ {
+ printf("Error: Unable to wait for process: %x\n", Result);
+ return Result;
+ }
+
+ printf("Process exited.\n");
+ return 0;
+}
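Review bot: The local `wchar_t CmdLine[512]` at the top of wmain shadows the static `UNICODE_STRING CmdLine`, so `RtlInitUnicodeString(&CmdLine, CmdLine)` writes the UNICODE_STRING header over the first bytes of the very wide-char buffer it describes, and the `&CmdLine` passed to `RtlCreateProcessParameters` is a pointer to the local array rather than to the static struct; the command line handed to the child is therefore corrupted whenever argc > 2. Rename the buffer and bound the format, e.g. `wchar_t Path[512], CmdLineBuf[512];`, `_snwprintf_s(CmdLineBuf, 512, _TRUNCATE, L"\"%ws\" %ws", Path, argv[2]);`, `RtlInitUnicodeString(&CmdLine, CmdLineBuf);` — the existing three-argument `swprintf` has no length bound against argv[2], and which `swprintf` signature it resolves to depends on the CRT configuration. The non-zero return of `SearchPath` should also be compared against the 512-element buffer size, since a value larger than that means the path did not fit and `Path` is left unset. The early-return paths before `RtlCreateUserProcess` still run `cleanup` through atexit on zero-initialized globals; that is presumably harmless for `NtClose(NULL)` and `RtlDestroyProcessParameters(NULL)`, but a comment on `cleanup` stating that it must tolerate unpopulated globals would make the intent explicit.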
diff --git a/SMSSBSOD/README.md b/SMSSBSOD/README.md
new file mode 100644
index 0000000..321ed8f
--- /dev/null
+++ b/SMSSBSOD/README.md
@@ -0,0 +1,17 @@
+今天奇观了:用 NT API RtlCreateUserProcess 在 Win32 进程中启动了一个 Subsystem 为 Native 的进程(即,PE+ Subsystem = Native,入口点为 NtProcessStartup。smss.exe 就是这样一个程序,它是 Windows 第一个用户态进程,由它启动其他进程再启动 Win32 subsystem。感兴趣可以看下面参考文献 [0] 以及 ReactOS 相关代码。)
+
+正常调用 Win32 CreateProcess 来跑 Native 二进制会报错,试试看 autochk.exe。
+
+然后今天看了一篇文章(参考文献 [1]),发现可以通过 RtlCreateUserProcess 直接跑 Native 二进制,于是试了一下成功了(不懂 Windows 开发,但目测 CreateProcess 或许是一个 Win32 的 RtlCreateUserProcess Wrapper,会检查 Subsystem 是不是 Win32 之类的)。
+
+于是我跑了一下 smss.exe,发现会 BSOD,100% 复现,错误码为 0x000021a。
+
+其实能跑是情理之中的,但会导致 BSOD 却是意外的。欢迎大家自行测试。
+
+另外,NT 开进程的这套 API,和 Fuchsia 好像啊(小声
+
+Windows 版本为 21H2 (OS Build 19044.2006)。
+
+参考文献:
+[0]: https://learn.microsoft.com/en-us/sysinternals/resources/inside-native-applications
+[1]: http://www.rohitab.com/discuss/topic/41379-running-native-applications-with-rtlcreateuserprocess/
diff --git a/SMSSBSOD/photo_2022-09-24_22-39-18.jpg b/SMSSBSOD/photo_2022-09-24_22-39-18.jpg
new file mode 100644
index 0000000..f123dff
--- /dev/null
+++ b/SMSSBSOD/photo_2022-09-24_22-39-18.jpg
Binary files differ
diff --git a/SMSSBSOD/photo_2022-09-24_22-52-03.jpg b/SMSSBSOD/photo_2022-09-24_22-52-03.jpg
new file mode 100644
index 0000000..de57caf
--- /dev/null
+++ b/SMSSBSOD/photo_2022-09-24_22-52-03.jpg
Binary files differ
diff --git a/SMSSBSOD/photo_2022-09-24_22-54-50.jpg b/SMSSBSOD/photo_2022-09-24_22-54-50.jpg
new file mode 100644
index 0000000..1bb0776
--- /dev/null
+++ b/SMSSBSOD/photo_2022-09-24_22-54-50.jpg
Binary files differ
diff --git a/SMSSBSOD/photo_2022-09-24_22-55-06.jpg b/SMSSBSOD/photo_2022-09-24_22-55-06.jpg
new file mode 100644
index 0000000..2088f1d
--- /dev/null
+++ b/SMSSBSOD/photo_2022-09-24_22-55-06.jpg
Binary files differ