Rare BSOD in MCH injection driver within IOCTL handler

EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Rare BSOD in MCH injection driver within IOCTL handler

Post by EaSy »

Hello,
I am currently working on some old bug reports and MCH driver BSOD is one of them.
It crashed in HandleEncryptedIoctl:

...
               case IOCTL_INJECT_DLL:
                    // buf2 is released in DriverEvent_InjectionRequest
                    result = (InSize >= sizeof(DllItem)) &&
                             DriverEvent_InjectionRequest((PDllItem) buf2, processId, DriverUnloadEnabled);
                    if ((result) && (((PDllItem) buf2)->X86AllocAddr)) //<------ HERE
                      SetX86AllocAddr((PVOID) ((PDllItem) buf2)->X86AllocAddr);
                    break;
...
I managed to find the cause deep inside DriverEvent_InjectionRequest. It calls InjectionUninjectionRequest, and InjectionUninjectionRequest calls AddDll. AddDll can call ExFreePool(Dll); and return TRUE. Once the Dll is freed, you are trying to access an already freed buffer with (((PDllItem) buf2)->X86AllocAddr), and that leads to a BSOD.

Thx,
PP
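As an added illustration (not madCodeHook's code; every name below is a constructed user-mode stand-in for the driver's), this models the ownership hand-off described above: the callee frees the request buffer and still returns TRUE, so the handler must read X86AllocAddr before the call and never touch buf2 afterwards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed user-mode model of the pattern in the post, not madCodeHook's
   code; every name here is a stand-in for the driver's. */
typedef struct DllItem {
    uintptr_t X86AllocAddr;   /* field the handler reads after the call */
    int       accepted;       /* constructed: 0 makes the callee reject the item */
} DllItem, *PDllItem;

static uintptr_t g_x86AllocAddr;   /* sink for SetX86AllocAddr */
static void SetX86AllocAddr(uintptr_t a) { g_x86AllocAddr = a; }
uintptr_t GetX86AllocAddr(void) { return g_x86AllocAddr; }

/* Stand-in for DriverEvent_InjectionRequest -> InjectionUninjectionRequest ->
   AddDll: on success it takes ownership and frees the item (ExFreePool in the
   driver) before returning TRUE, which is exactly the case from the post. */
static bool DriverEvent_InjectionRequest(PDllItem item)
{
    if (!item->accepted) return false;   /* rejected: caller still owns it */
    free(item);
    return true;
}

/* Fixed handler: copy what is needed out of buf2 before ownership passes to a
   callee that may free it, and never touch buf2 afterwards. The quoted handler
   in the post reads buf2->X86AllocAddr after the call instead. */
bool HandleInjectDll_Safe(void *buf2, size_t inSize)
{
    if (inSize < sizeof(DllItem)) return false;
    uintptr_t allocAddr = ((PDllItem) buf2)->X86AllocAddr;   /* read first */
    bool result = DriverEvent_InjectionRequest((PDllItem) buf2);
    if (result && allocAddr) SetX86AllocAddr(allocAddr);
    return result;
}

/* Builds a constructed request, runs the fixed handler and frees the buffer
   itself only when the callee declined ownership. */
bool RunSafeRequest(uintptr_t addr, int accepted, size_t inSize)
{
    PDllItem it = calloc(1, sizeof *it);
    if (!it) return false;
    it->X86AllocAddr = addr; it->accepted = accepted;
    bool ok = HandleInjectDll_Safe(it, inSize);
    if (!ok) free(it);
    return ok;
}
```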
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare BSOD in MCH injection driver within IOCTL handler

Post by madshi »

You're a big help. Another good bugfix from you, thank you very much!

Do you want a new build/installer?

P.S: Remind me to give you a discount on your next upgrade... :wink:
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare BSOD in MCH injection driver within IOCTL handler

Post by EaSy »

Yes, I do want a new build.

Thx,
PP
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare BSOD in MCH injection driver within IOCTL handler

Post by madshi »
