的确可以，直接创建快捷方式为 \\.\GLOBALROOT\Device\ConDrv\KernelConnect，即可触发蓝屏。
rax=ffff8509c116f9b8 rbx=ffff8509b3cc2e80 rcx=0000000000000000
rdx=ffff8509c116f8a0 rsi=0000000000000000 rdi=ffff8509c116f8a0
rip=fffff8038023b04f rsp=ffffbd8c527db2d0 rbp=0000000000000000
r8=ffff8509c116f8a0 r9=ffff8509c14dce10 r10=fffff8038023b030
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=ffff8509c14dce10
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050282
condrv!CdpDispatchCleanup+0x1f:
fffff803`8023b04f 488b01 mov rax,qword ptr [rcx] ds:002b:00000000`00000000=????????????????
Resetting default scope
PROCESS_NAME: explorer.exe
STACK_TEXT:
ffffbd8c`527db2d0 fffff803`7a431f79 : 00000000`00000000 fffff803`7a431e5d 00000000`00000000 00000000`00000000 : condrv!CdpDispatchCleanup+0x1f
ffffbd8c`527db300 fffff803`7a9e42b8 : 00000000`00000000 ffff8509`b3cc2e80 00000000`00000000 ffff8509`c116f8a0 : nt!IofCallDriver+0x59
ffffbd8c`527db340 fffff803`7a9e6939 : ffffbd8c`527db890 00000000`00000001 ffff8509`c116f8a0 fffff803`7a9e5b00 : nt!IopCloseFile+0x188
ffffbd8c`527db3d0 fffff803`7a9ed1bf : ffff8509`c14dce10 00000000`00000000 ffff8509`c13c09a0 00000000`00000001 : nt!IopParseDevice+0xd79
ffffbd8c`527db540 fffff803`7a9eb621 : ffff8509`c13c0900 ffffbd8c`527db788 00000000`00000040 ffff8509`b32f7e80 : nt!ObpLookupObjectName+0x78f
ffffbd8c`527db700 fffff803`7aaafc06 : ffff8509`00000001 00000000`0991d280 00000000`0991db28 00000000`0991e43c : nt!ObOpenObjectByNameEx+0x201
ffffbd8c`527db840 fffff803`7a5d2d15 : ffff8509`c02d8080 00000000`00000000 ffff8509`c02d8080 00000000`0991e43c : nt!NtQueryAttributesFile+0x1e6
ffffbd8c`527dbb00 00007fff`1ae1c864 : 00007fff`17f36345 00000000`00000000 00007fff`19004632 00000000`40000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`0991d218 00007fff`17f36345 : 00000000`00000000 00007fff`19004632 00000000`40000000 00007fff`1ada4e00 : ntdll!NtQueryAttributesFile+0x14
00000000`0991d220 00007fff`17f1c57b : 00000000`00000000 00000000`00000001 00000000`0991e43c 00000000`00d750d0 : KERNELBASE!GetFileAttributesW+0x85
00000000`0991d2c0 00007fff`0c5c7e52 : 00000000`00000000 00000000`0991e43c 00000000`0991e43c 00000000`00000000 : KERNELBASE!PathFileExistsW+0x2b
00000000`0991d2f0 00007fff`0c5c8a2c : 00000000`00000001 00000000`0991e430 00000000`00000000 00000000`0002019c : appwiz!NextPushed+0x9a
00000000`0991d390 00007fff`1900879e : 00000000`00000001 00000000`0991d548 00000000`00000000 00000000`00000001 : appwiz!BrowseDlgProc+0x16c
00000000`0991d3c0 00007fff`19007f62 : 00000000`00000000 00007fff`0c5c88c0 00000000`0000004e 00007fff`1ada5013 : USER32!UserCallDlgProcCheckWow+0x18a
00000000`0991d4d0 00007fff`19007e6f : 00000000`0991db28 00000000`00000000 00000000`0000004e 00000000`00000000 : USER32!DefDlgProcWorker+0xd2
00000000`0991d590 00007fff`190063ed : 00000000`00000001 00000000`00000000 00000000`00000001 00000000`00000000 : USER32!DefDlgProcW+0x4f
00000000`0991d5d0 00007fff`190060be : 00000000`0002019c 00007fff`1ae1be50 00000000`0002019c 00000000`0000004e : USER32!UserCallWinProcCheckWow+0x2bd
00000000`0991d760 00007fff`0c4fdf35 : 00000000`0dc15e20 00000000`0991db28 00000000`00000000 00000000`0000004e : USER32!CallWindowProcW+0x8e
00000000`0991d7b0 00007ffe`f4d211d8 : 00000000`00000007 00000000`00000000 00000000`0000004e 00000000`0002019c : DUser!WndBridge::RawWndProc+0xa5
00000000`0991d830 00007fff`190063ed : 00000000`06a9fcf0 00000000`05d8e401 00000000`00000001 00000000`00000000 : atlthunk!AtlThunk_0x09+0x18
00000000`0991d870 00007fff`190059fc : 00000000`00d54e40 00007ffe`f4d211c0 00000000`0002019c 00007ffe`f4d211c0 : USER32!UserCallWinProcCheckWow+0x2bd
00000000`0991da00 00007fff`19005768 : 00000000`00000000 00000000`0dc72700 00000000`00000000 00000000`00d54e40 : USER32!SendMessageWorker+0x22c
00000000`0991daa0 00007fff`05e95ebc : 00000000`00000000 00000000`0002019c 00000000`ffffff31 00007fff`0c4fd7ad : USER32!SendMessageW+0xf8
00000000`0991db00 00007fff`05e94b0e : 00000000`00040000 00000000`00000004 00000000`0e9fa2f8 00000000`00040000 : comctl32!DuiWizardMarkupHost::SendWMNotifyToPage+0x7c
00000000`0991db90 00007fff`05e94f02 : 00000000`069e5e80 00000000`067fcae0 00000000`0000c065 00000000`0e967ac0 : comctl32!DuiWizardMarkupHost::NextOrBackPressed+0x4e
00000000`0991dbe0 00007fff`05e972cd : 00000000`00000000 00000000`00d69ec0 00000000`067fcae0 00007fff`1900387e : comctl32!DuiWizardMarkupHost::OnFrameButtonClicked+0xbe
00000000`0991dc10 00007fff`05d98d41 : 00000000`00000000 00000000`000402da 00000000`0000c065 00000000`0e93ca70 : comctl32!DuiWizardMarkupHost::WndProc+0x7d
00000000`0991dc70 00007fff`190063ed : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : comctl32!DirectUI::HWNDElement::StaticWndProc+0x51
00000000`0991dcb0 00007fff`190060be : 00000000`000402da 00007fff`05d98cf0 00000000`000402da 00000000`0000c065 : USER32!UserCallWinProcCheckWow+0x2bd
00000000`0991de40 00007fff`0c4f813e : 00000000`0000c065 00000000`00000000 00000000`06a9fcf0 00000000`00000000 : USER32!CallWindowProcW+0x8e
00000000`0991de90 00007fff`190063ed : 00000000`00006011 00000000`00000001 00000000`ffffffff 00000000`00000000 : DUser!ExtraInfoWndProc+0x8e
00000000`0991dee0 00007fff`19005de2 : 00000000`00d69ec0 00007fff`0c4f80b0 00000000`000402da 00000000`0991e118 : USER32!UserCallWinProcCheckWow+0x2bd
00000000`0991e070 00007fff`05e68c14 : 00007fff`0c4f80b0 00000000`0dc17860 00000000`00000000 000001cc`00000264 : USER32!DispatchMessageWorker+0x1e2
00000000`0991e0f0 00007fff`05e68fda : 00000000`0991e230 00000000`00000000 00000000`00000000 00000000`00000000 : comctl32!DuiWizardFrame::Run+0x4c
00000000`0991e160 00007fff`05e37ecf : 00000000`0dc17860 00000000`0991e230 00000000`0991e300 00000000`00000080 : comctl32!_AeroPropertySheet+0xf6
00000000`0991e1a0 00007fff`0c5e7045 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : comctl32!_PropertySheet+0x1b
00000000`0991e1d0 00007fff`0c5e355f : 00000000`00000000 10017450`00000005 00000000`0991e300 00000000`00000000 : appwiz!PropertySheetW+0x5d
00000000`0991e200 00007fff`0c5e36d9 : 00000000`0991e430 00000000`0991e430 00007fff`0c5ec898 00000000`80000022 : appwiz!DoWizard+0x14f
00000000`0991e3b0 00007fff`0c5d9bcd : 00000000`ffffffff 00007fff`0c5ec898 00000000`0e931388 00000000`00000000 : appwiz!LinkWizard+0x25
00000000`0991e3f0 00007fff`199cdce5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000018 : appwiz!CNewShortcutHandler::s_NewShortcutThreadProc+0xfd
00000000`0991f8c0 00007fff`19627bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : shcore!_WrapperThreadProc+0xf5
00000000`0991f9a0 00007fff`1adeced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`0991f9d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
SYMBOL_NAME: condrv!CdpDispatchCleanup+1f
MODULE_NAME: condrv
IMAGE_NAME: condrv.sys
STACK_COMMAND: .cxr 0xffffbd8c527da8e0 ; kb
BUCKET_ID_FUNC_OFFSET: 1f
FAILURE_BUCKET_ID: 0x3B_c0000005_condrv!CdpDispatchCleanup
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {4713cd15-5baf-96a2-7e8b-3fec2da6a08d}
Followup: MachineOwner
PAGE:00000001C000AF50 CdpDispatchCleanup proc near ; DATA XREF: .rdata:00000001C0002EE8↑o
PAGE:00000001C000AF50 ; .pdata:00000001C000548C↑o ...
PAGE:00000001C000AF50 ; Microsoft x64 ABI. Presumably the IRP_MJ_CLEANUP dispatch routine: rcx = DeviceObject (not used here), rdx = Irp (see the 'Irp' annotation at AF86). Returns NTSTATUS in eax.
PAGE:00000001C000AF50 ; FUNCTION CHUNK AT PAGE:00000001C000BDF0 SIZE 00000028 BYTES
PAGE:00000001C000AF50 ; Defect (see writeup below): IrpSp->FileObject is null-checked at AF62, but FileObject->FsContext (+18h, (null) in the dump) is dereferenced at AF6F (= +1Fh) with no check, which is the faulting instruction in the crash above.
PAGE:00000001C000AF50 sub rsp, 28h ; 32-byte shadow space + 8 so rsp is 16-aligned at the call below
PAGE:00000001C000AF54 mov rax, [rdx+0B8h] ; rax = Irp->Tail.Overlay.CurrentStackLocation (IrpSp)
PAGE:00000001C000AF5B mov r8, rdx ; r8 = Irp, kept live for IofCompleteRequest (rcx is reused below)
PAGE:00000001C000AF5E mov rcx, [rax+30h] ; rcx = IrpSp->FileObject
PAGE:00000001C000AF62 test rcx, rcx ; the only validity check: FileObject == NULL?
PAGE:00000001C000AF65 jz loc_1C000BDF0 ; NULL FileObject is handled in the out-of-line chunk (not shown)
PAGE:00000001C000AF6B mov rcx, [rcx+18h] ; rcx = FileObject->FsContext -- no NULL check follows
PAGE:00000001C000AF6F mov rax, [rcx] ; +1Fh: faults when FsContext is NULL (rcx = 0 in the crash context)
PAGE:00000001C000AF72 mov r9, [rax+20h] ; r9 = FsContext->field_20 (meaning not recoverable from this listing)
PAGE:00000001C000AF76 test r9, r9
PAGE:00000001C000AF79 jnz short loc_1C000AF9D ; non-zero: continue at loc_1C000AF9D (not in this excerpt)
PAGE:00000001C000AF7B xor ecx, ecx ; rcx = 0
PAGE:00000001C000AF7D mov [rdx+30h], ecx ; Irp->IoStatus.Status = STATUS_SUCCESS
PAGE:00000001C000AF80 mov [rdx+38h], rcx ; Irp->IoStatus.Information = 0
PAGE:00000001C000AF84 xor edx, edx ; PriorityBoost (IO_NO_INCREMENT)
PAGE:00000001C000AF86 mov rcx, r8 ; Irp
PAGE:00000001C000AF89 call cs:__imp_IofCompleteRequest ; IoCompleteRequest(Irp, IO_NO_INCREMENT)
PAGE:00000001C000AF90 nop dword ptr [rax+rax+00h] ; multi-byte nop (padding)
PAGE:00000001C000AF95 xor eax, eax ; return STATUS_SUCCESS
PAGE:00000001C000AF97
PAGE:00000001C000AF97 loc_1C000AF97: ; CODE XREF: CdpDispatchCleanup+5E↓j
PAGE:00000001C000AF97 ; CdpDispatchCleanup+EC3↓j
PAGE:00000001C000AF97 add rsp, 28h ; shared epilogue, also reached from the other paths above
PAGE:00000001C000AF9B retn
问题出在 condrv.sys：应该是打开失败后触发了关闭操作，但驱动只检测了 IRPSP->FileObject 的有效性，却没有检测 IRPSP->FileObject->FsContext 的有效性，就直接去操作这个 FsContext，导致了访问空指针的蓝屏 BUG。
1: kd> dt nt!_FILE_OBJECT ffff8509`b3cc2e80
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xffff8509`c14dce10 _DEVICE_OBJECT
+0x010 Vpb : (null)
+0x018 FsContext : (null)
+0x020 FsContext2 : (null)
+0x028 SectionObjectPointer : (null)
+0x030 PrivateCacheMap : (null)
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0 ''
+0x04b WriteAccess : 0 ''
+0x04c DeleteAccess : 0 ''
+0x04d SharedRead : 0 ''
+0x04e SharedWrite : 0 ''
+0x04f SharedDelete : 0 ''
+0x050 Flags : 0x40000
+0x058 FileName : _UNICODE_STRING "\KernelConnect"
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [ 0xffff8509`b3cc2f40 - 0xffff8509`b3cc2f40 ]
+0x0d0 FileObjectExtension : (null)