
Hello, I'm having a problem with code mismatch when instrumenting cldflt.sys. #19

Open
AshLQ opened this issue Jan 16, 2025 · 3 comments

Comments

@AshLQ

AshLQ commented Jan 16, 2025

I didn't quite figure out what caused it. Code alignment, or some section not fixed?
This is IDA; it's normal.
.text_:FFFFF801813673CC 90 nop
.text_:FFFFF801813673CD 90 nop
.text_:FFFFF801813673CE 90 nop
.text_:FFFFF801813673CF 90 nop
.text_:FFFFF801813673D0 90 nop
.text_:FFFFF801813673D1 90 nop
.text_:FFFFF801813673D2 90 nop
.text_:FFFFF801813673D3 48 FF 15 7E 10 FA FF call cs:PsGetProcessPeb
.text_:FFFFF801813673DA 0F 1F 44 00 00 nop dword ptr [rax+rax+00h]
.text_:FFFFF801813673DF 48 85 C0 test rax, rax
.text_:FFFFF801813673E2 0F 84 A4 00 00 00 jz loc_FFFFF8018136748C
.text_:FFFFF801813673E8 90 nop
.text_:FFFFF801813673E9 90 nop
.text_:FFFFF801813673EA 90 nop

This is WinDbg; after PsGetProcessPeb, its code is completely messed up.
fffff801`813673cc 90              nop
fffff801`813673cd 90              nop
fffff801`813673ce 90              nop
fffff801`813673cf 90              nop
fffff801`813673d0 90              nop
fffff801`813673d1 90              nop
fffff801`813673d2 4c8b157f10faff  mov     r10, qword ptr [cldflt_instrumented!_imp_PsGetProcessPeb (fffff801`81308458)]
fffff801`813673d9 e8e25dbef1      call    nt!PsGetProcessPeb (fffff801`72f4d1c0)
fffff801`813673de 004885          add     byte ptr [rax-7Bh], cl ds:002b:00000051`72f5af85=??
fffff801`813673e1 c00f84          ror     byte ptr [rdi], 84h
fffff801`813673e4 a4              movs    byte ptr [rdi], byte ptr [rsi]
fffff801`813673e5 0000            add     byte ptr [rax], al
fffff801`813673e7 009090909090    add     byte ptr [rax-6F6F6F70h], dl
fffff801`813673ed 90              nop

@Kristal-g
Contributor

Hi,

  1. What exact version of cldflt.sys are you trying to instrument?
  2. What was the full command line you used?
  3. What's the address that was instrumented badly?

@AshLQ
Author

AshLQ commented Jan 16, 2025

cldflt.sys version: 10.0.19041.5369
pe_afl.py -n cldflt.sys cldflt.sys.dump.json
pe_afl.py -l 6 -nt ntoskrnl.exe cldflt.sys cldflt.sys.dump.json
Both of the above commands will have this problem
cldflt.instrumented.sys!9B9B9
.text_:000000000009B9B7 58 pop rax
.text_:000000000009B9B8 5B pop rbx
.text_:000000000009B9B9 48 FF 15 98 CA F8 FF call cs:PsGetProcessPeb
.text_:000000000009B9C0 0F 1F 44 00 00 nop dword ptr [rax+rax+00h]
.text_:000000000009B9C5 48 85 C0 test rax, rax

cldflt.sys!599D
.text:000000000000599D call cs:PsGetProcessPeb
.text:00000000000059A4 nop dword ptr [rax+rax+00h]
.text:00000000000059A9 test rax, rax
.text:00000000000059AC jz short loc_59E6

It looks fine in ida, but when I run it, I get that problem.
This is the only place where there is a problem, because I can run it after manually patching it.

@Kristal-g
Contributor

If it looks okay statically but has an issue when running, it's possibly related to a bad relocation entry. I suggest running the script with verbose output and searching for a relocation entry for the address after the PsGetProcessPeb call, where there shouldn't be one.
I'm glad that it works for you after patching because I'm not sure I'll be able to work on it in the near term.
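One way to do the check suggested in the comment above, as an added example that is not pe_afl's own code or output: walk the instrumented driver's base-relocation directory (`.reloc`) and report any fixup whose RVA lands on the `call cs:PsGetProcessPeb` or on the 5-byte NOP after it, since a fixup there would make the loader patch code bytes. The RVA `0x9B9B9` and the 7+5 byte instruction lengths are taken from the listings in this issue; the `.reloc` block, the minimal PE32+ image it is wrapped in, and all function names (`iter_reloc_entries`, `relocs_in_range`, `reloc_directory`, `suspicious_relocs`, the `build_sample_*` helpers) are this example's own, constructed for illustration.

```python
# Added example for the check suggested above (not pe_afl code). CALL_RVA and the
# instruction lengths come from the listings in this issue; every byte built below is
# constructed for illustration, not taken from cldflt.sys.
import struct
from typing import Iterator, List, Optional, Tuple

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE = 0          # padding entry, the loader applies no fixup
RELOC_TYPE_NAMES = {0: "ABSOLUTE", 3: "HIGHLOW", 10: "DIR64"}
CALL_RVA = 0x9B9B9   # 48 FF 15 disp32   call cs:PsGetProcessPeb   (7 bytes)
CALL_LEN = 7
NOP_LEN = 5          # 0F 1F 44 00 00    nop dword ptr [rax+rax+0] (5 bytes)

def iter_reloc_entries(reloc: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (rva, type) for every fixup in a raw IMAGE_BASE_RELOCATION blob.

    Block layout: u32 VirtualAddress (page RVA), u32 SizeOfBlock (header included),
    then u16 entries whose high 4 bits are the type and low 12 bits the page offset.
    """
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or pos + size > len(reloc):
            raise ValueError(f"malformed relocation block at offset {pos:#x}")
        for off in range(pos + 8, pos + size, 2):
            (entry,) = struct.unpack_from("<H", reloc, off)
            yield page_rva + (entry & 0xFFF), entry >> 12
        pos += size

def relocs_in_range(reloc: bytes, start_rva: int, end_rva: int) -> List[Tuple[int, int]]:
    """Fixups with start_rva <= rva < end_rva, ignoring ABSOLUTE padding entries."""
    return [(rva, t) for rva, t in iter_reloc_entries(reloc)
            if t != IMAGE_REL_BASED_ABSOLUTE and start_rva <= rva < end_rva]

def suspicious_relocs(reloc: Optional[bytes] = None) -> List[Tuple[int, int]]:
    """Fixups on the call or on the NOP after it; defaults to the constructed sample."""
    blob = build_sample_reloc() if reloc is None else reloc
    return relocs_in_range(blob, CALL_RVA, CALL_RVA + CALL_LEN + NOP_LEN)

def reloc_directory(image: bytes) -> bytes:
    """Return the raw base-relocation directory of a PE32/PE32+ file image."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    dirs = opt + (0x70 if magic == 0x20B else 0x60)      # DataDirectory: PE32+ / PE32
    dir_rva, dir_size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    if dir_size == 0:
        return b""
    for i in range(num_sections):                         # map the directory RVA to a file offset
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        if va <= dir_rva < va + max(vsize, rawsize):
            start = rawptr + (dir_rva - va)
            return image[start:start + dir_size]
    raise ValueError("relocation directory is not inside any section")

def build_sample_reloc() -> bytes:
    """Constructed .reloc block for the page that holds the call (not from cldflt.sys)."""
    entries = [
        (10, 0x900),                            # DIR64 on a pointer elsewhere in the page: fine
        (10, (CALL_RVA + CALL_LEN) & 0xFFF),    # DIR64 on the NOP after the call: bogus
        (0, 0), (0, 0),                         # ABSOLUTE padding, keeps the block 4-byte aligned
    ]
    body = b"".join(struct.pack("<H", (t << 12) | off) for t, off in entries)
    return struct.pack("<II", CALL_RVA & ~0xFFF, 8 + len(body)) + body

def build_sample_image() -> bytes:
    """Constructed minimal PE32+ file whose only section, .reloc, holds the sample block."""
    reloc, e_lfanew, opt_size, raw_ptr = build_sample_reloc(), 0x40, 0xF0, 0x200
    dos = b"MZ" + bytes(e_lfanew - 6) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<II", opt, 0x70 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x5000, len(reloc))
    sect = struct.pack("<8sIIIIIIHHI", b".reloc", len(reloc), 0x5000, 0x200, raw_ptr,
                       0, 0, 0, 0, 0x42000040)
    header = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(raw_ptr, b"\0") + reloc.ljust(0x200, b"\0")

if __name__ == "__main__":
    import sys
    blob = reloc_directory(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_sample_reloc()
    for rva, t in suspicious_relocs(blob):
        print(f"unexpected {RELOC_TYPE_NAMES.get(t, t)} fixup at RVA {rva:#x}")
```

Run it with a path to scan a real file (set CALL_RVA to the call's RVA in that build) or with no arguments to use the constructed sample, which reports the bogus DIR64 fixup at 0x9B9C0. It walks only the classic base-relocation directory; the kernel also applies the load config's Dynamic Value Relocation Table, which is where import-call rewrites of the form seen in the WinDbg listing above (`mov r10, [__imp_PsGetProcessPeb]; call nt!PsGetProcessPeb`) come from, so if `.reloc` is clean, the DVRT entries covering that call are the next thing to compare between the original and instrumented files.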
