From d68e844f8e97fab05588fdfed0535c492e4b6ed0 Mon Sep 17 00:00:00 2001
From: Trumeet
Date: Sat, 24 Sep 2022 23:11:41 -0700
Subject: Add SMSSBSOD
---
 SMSSBSOD/092422-17687-01.dmp | Bin 0 -> 578732 bytes
 SMSSBSOD/092422-6953-01.dmp | Bin 0 -> 570492 bytes
 SMSSBSOD/Main.c | 130 +++++++++++++++++++++++++++++++++
 SMSSBSOD/README.md | 17 +++++
 SMSSBSOD/photo_2022-09-24_22-39-18.jpg | Bin 0 -> 159506 bytes
 SMSSBSOD/photo_2022-09-24_22-52-03.jpg | Bin 0 -> 174776 bytes
 SMSSBSOD/photo_2022-09-24_22-54-50.jpg | Bin 0 -> 170662 bytes
 SMSSBSOD/photo_2022-09-24_22-55-06.jpg | Bin 0 -> 35900 bytes
 8 files changed, 147 insertions(+)
 create mode 100755 SMSSBSOD/092422-17687-01.dmp
 create mode 100755 SMSSBSOD/092422-6953-01.dmp
 create mode 100644 SMSSBSOD/Main.c
 create mode 100644 SMSSBSOD/README.md
 create mode 100644 SMSSBSOD/photo_2022-09-24_22-39-18.jpg
 create mode 100644 SMSSBSOD/photo_2022-09-24_22-52-03.jpg
 create mode 100644 SMSSBSOD/photo_2022-09-24_22-54-50.jpg
 create mode 100644 SMSSBSOD/photo_2022-09-24_22-55-06.jpg
diff --git a/SMSSBSOD/092422-17687-01.dmp b/SMSSBSOD/092422-17687-01.dmp
new file mode 100755
index 0000000..86b05a4
Binary files /dev/null and b/SMSSBSOD/092422-17687-01.dmp differ
diff --git a/SMSSBSOD/092422-6953-01.dmp b/SMSSBSOD/092422-6953-01.dmp
new file mode 100755
index 0000000..519f526
Binary files /dev/null and b/SMSSBSOD/092422-6953-01.dmp differ
diff --git a/SMSSBSOD/Main.c b/SMSSBSOD/Main.c
new file mode 100644
index 0000000..79de8bd
--- /dev/null
+++ b/SMSSBSOD/Main.c
@@ -0,0 +1,130 @@
+#include
+#include
+#include
+#include
+
+#pragma comment(lib,"ntdll.lib")
+
+typedef struct _SECTION_IMAGE_INFORMATION {
+ PVOID TransferAddress;
+ ULONG ZeroBits;
+ SIZE_T MaximumStackSize;
+ SIZE_T CommittedStackSize;
+ ULONG SubSystemType;
+ union {
+ struct {
+ USHORT SubSystemMinorVersion;
+ USHORT SubSystemMajorVersion;
+ };
+ ULONG SubSystemVersion;
+ };
+ ULONG GpValue;
+ USHORT ImageCharacteristics;
+ USHORT DllCharacteristics;
+ USHORT Machine;
+ BOOLEAN ImageContainsCode;
+ BOOLEAN Spare1;
+ ULONG LoaderFlags;
+ ULONG ImageFileSize;
+ ULONG Reserved[1];
+} SECTION_IMAGE_INFORMATION, * PSECTION_IMAGE_INFORMATION;
+
+typedef struct _RTL_USER_PROCESS_INFORMATION {
+ ULONG Size;
+ HANDLE ProcessHandle;
+ HANDLE ThreadHandle;
+ CLIENT_ID ClientId;
+ SECTION_IMAGE_INFORMATION ImageInformation;
+} RTL_USER_PROCESS_INFORMATION, * PRTL_USER_PROCESS_INFORMATION;
+
+static UNICODE_STRING FileName;
+static UNICODE_STRING CmdLine;
+static RTL_USER_PROCESS_INFORMATION ProcessInfo;
+static PRTL_USER_PROCESS_PARAMETERS UserProcessParam;
+
+static void cleanup(void) {
+ RtlFreeUnicodeString(&FileName);
+ RtlDestroyProcessParameters(UserProcessParam);
+ NtClose(ProcessInfo.ThreadHandle);
+ NtClose(ProcessInfo.ProcessHandle);
+}
+
+int wmain(int argc, wchar_t* argv[])
+{
+ atexit(cleanup);
+
+ wchar_t Path[512], CmdLine[512];
+
+ NTSTATUS Result;
+
+ if (argc < 2)
+ {
+ printf("Usage: ntstart.exe [Filename] [Command line]\n");
+ return -1;
+ }
+
+ if (!SearchPath(NULL, argv[1], L".exe", 512, Path, NULL))
+ {
+ printf("Error: File not found\n");
+ return 1;
+ }
+
+ if (!RtlDosPathNameToNtPathName_U(Path, &FileName, NULL, NULL))
+ {
+ printf("Error: Unable to convert path name\n");
+ return 1;
+ }
+
+ if (argc > 2)
+ {
+ swprintf(CmdLine, L"\"%ws\" %ws", Path, argv[2]);
+ RtlInitUnicodeString(&CmdLine, CmdLine);
+ }
+
+ if (!NT_SUCCESS(Result = RtlCreateProcessParameters(
+ &UserProcessParam,
+ &FileName,
+ NULL,
+ NULL,
+ argc > 2 ? &CmdLine : NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL)))
+ {
+ printf("Error: Unable to create process parameters: %x\n", Result);
+ return Result;
+ }
+
+ if (!NT_SUCCESS(Result = RtlCreateUserProcess(
+ &FileName,
+ OBJ_CASE_INSENSITIVE,
+ UserProcessParam,
+ NULL,
+ NULL,
+ NULL,
+ FALSE,
+ NULL,
+ NULL,
+ &ProcessInfo)))
+ {
+ printf("Error: Unable to create process: %x\n", Result);
+ return Result;
+ }
+
+ if (!NT_SUCCESS(Result = NtResumeThread(ProcessInfo.ThreadHandle, NULL)))
+ {
+ printf("Error: Unable to start process: %x\n", Result);
+ return Result;
+ }
+
+ if (!NT_SUCCESS(Result = NtWaitForSingleObject(ProcessInfo.ProcessHandle, FALSE, NULL)))
+ {
+ printf("Error: Unable to wait for process: %x\n", Result);
+ return Result;
+ }
+
+ printf("Process exited.\n");
+ return 0;
+}
diff --git a/SMSSBSOD/README.md b/SMSSBSOD/README.md
new file mode 100644
index 0000000..321ed8f
--- /dev/null
+++ b/SMSSBSOD/README.md
@@ -0,0 +1,17 @@
+今天奇观了:用 NT API RtlCreateUserProcess 在 Win32 进程中启动了一个 Subsystem 为 Native 的进程(即,PE+ Subsystem = Native,入口点为 NtProcessStartup。smss.exe 就是这样一个程序,它是 Windows 第一个用户态进程,由它启动其他进程再启动 Win32 subsystem。感兴趣可以看下面参考文献 [0] 以及 ReactOS 相关代码。)
+
+正常调用 Win32 CreateProcess 来跑 Native 二进制会报错,试试看 autochk.exe。
+
+然后今天看了一篇文章(参考文献 [1]),发现可以通过 RtlCreateUserProcess 直接跑 Native 二进制,于是试了一下成功了(不懂 Windows 开发,但目测 CreateProcess 或许是一个 Win32 的 RtlCreateUserProcess Wrapper,会检查 Subsystem 是不是 Win32 之类的)。
+
+于是我跑了一下 smss.exe,发现会 BSOD,100% 复现,错误码为 0x000021a。
+
+其实能跑是情理之中的,但会导致 BSOD 却是意外的。欢迎大家自行测试。
+
+另外,NT 开进程的这套 API,和 Fuchsia 好像啊(小声
+
+Windows 版本为 21H2 (OS Build 19044.2006)。
+
+参考文献:
+[0]: https://learn.microsoft.com/en-us/sysinternals/resources/inside-native-applications
+[1]: http://www.rohitab.com/discuss/topic/41379-running-native-applications-with-rtlcreateuserprocess/
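Review bot: `swprintf(CmdLine, L"\"%ws\" %ws", Path, argv[2]);` in wmain writes an unbounded, user-supplied string into a 512-wchar stack array, and since `Path` can already fill 512 characters on its own, a long second argument overruns the stack. The same `if (argc > 2)` body has a scoping defect: the local `wchar_t CmdLine[512]` shadows the static `UNICODE_STRING CmdLine`, so `RtlInitUnicodeString(&CmdLine, CmdLine)` and the later `argc > 2 ? &CmdLine : NULL` take the address of the array rather than of the struct, and the UNICODE_STRING header is written over the first characters of the command line itself (the compiler should at most warn about the incompatible pointer type). Rename the buffer and bound the format: `wchar_t Path[512], CmdLineBuf[512];`, `if (swprintf_s(CmdLineBuf, _countof(CmdLineBuf), L"\"%ws\" %ws", Path, argv[2]) < 0) return 1;` and `RtlInitUnicodeString(&CmdLine, CmdLineBuf);`. A one-line header comment stating that the program is a crash-reproduction harness whose dump files sit next to it would also help the next reader place the unusual native-process calls.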
diff --git a/SMSSBSOD/photo_2022-09-24_22-39-18.jpg b/SMSSBSOD/photo_2022-09-24_22-39-18.jpg
new file mode 100644
index 0000000..f123dff
Binary files /dev/null and b/SMSSBSOD/photo_2022-09-24_22-39-18.jpg differ
diff --git a/SMSSBSOD/photo_2022-09-24_22-52-03.jpg b/SMSSBSOD/photo_2022-09-24_22-52-03.jpg
new file mode 100644
index 0000000..de57caf
Binary files /dev/null and b/SMSSBSOD/photo_2022-09-24_22-52-03.jpg differ
diff --git a/SMSSBSOD/photo_2022-09-24_22-54-50.jpg b/SMSSBSOD/photo_2022-09-24_22-54-50.jpg
new file mode 100644
index 0000000..1bb0776
Binary files /dev/null and b/SMSSBSOD/photo_2022-09-24_22-54-50.jpg differ
diff --git a/SMSSBSOD/photo_2022-09-24_22-55-06.jpg b/SMSSBSOD/photo_2022-09-24_22-55-06.jpg
new file mode 100644
index 0000000..2088f1d
Binary files /dev/null and b/SMSSBSOD/photo_2022-09-24_22-55-06.jpg differ
-- cgit v1.2.3