Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRASH on PHRestore #13

Open
rohaaan opened this issue May 12, 2017 · 1 comment
Open

CRASH on PHRestore #13

rohaaan opened this issue May 12, 2017 · 1 comment

Comments

@rohaaan
Copy link

rohaaan commented May 12, 2017

If I hook ntcreatethread and ntcreateprocess using PHHook then while unhooking BugCheck 19 occurs which says memory already corrupt.

Following is windbg output which shows PFN and PTE Entries for both functions is same
2: kd> !pte nt!ntcreateprocess
VA fffff8037a4b90a0
PXE at FFFFF6FB7DBEDF80 PPE at FFFFF6FB7DBF0068 PDE at FFFFF6FB7E00DE90 PTE at FFFFF6FC01BD25C8
contains 0000000000704063 contains 0000000000705063 contains 000000013BA009E3 contains 0000000000000000
pfn 704 ---DA--KWEV pfn 705 ---DA--KWEV pfn 13ba00 -GLDA--KWEV LARGE PAGE pfn 13bab9

2: kd> !pte nt!ntcreatethread
VA fffff8037a4b911c
PXE at FFFFF6FB7DBEDF80 PPE at FFFFF6FB7DBF0068 PDE at FFFFF6FB7E00DE90 PTE at FFFFF6FC01BD25C8
contains 0000000000704063 contains 0000000000705063 contains 000000013BA009E3 contains 0000000000000000
pfn 704 ---DA--KWEV pfn 705 ---DA--KWEV pfn 13ba00 -GLDA--KWEV LARGE PAGE pfn 13bab9

what can we do to resolve this scenario?
@rohaaan
Copy link
Author

rohaaan commented May 12, 2017

The above scenario is generated on Windows 10 x64.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rohaaan