BSOD on Windows 10 [15063] about tdl HOT 11 CLOSED

Well, I bless you to investigate this "important event" in the internals of PsCreateSystemThread->PsCreateSystemThreadEx (no I don't, it was sarcasm). I think it will now bugcheck for every PsCreateSystemThread(Ex) call from allocated memory pool. Windows 10 changing rapidly and with each big update there always will be surprises, of course mostly if you don't follow their documented way of coding and code policy.

If it doesn't like current startup code, then just change it. PsCreateSystemThread was here just to run DriverEntry and by the way it leak thread handle (I was lazy to close it). Clearly if your driver entry isn't infinite loop you can try drop this call.

Step by step.

1. Go to shellcode.h
2. Uncomment and copy TDLBootstrapLoader function to the main.c right before TDLMain
3. See TDLBootstrapLoader_code in shellcode.h we are going to regenerate it.
4. Change TDLBootstrapLoader to directly call driver entry instead of creating thread with driver entry as startup address

declare driver entry somewhere as typedef

typedef NTSTATUS(NTAPI *PfnDriverEntry)();

in TDLBootstrapLoader declare variable of this type.

In the end of shellcode where system thread created, remove all this code and write new

DriverEntry = (PfnDriverEntry)(exbuffer + popth->AddressOfEntryPoint);
DriverEntry();

5. Get back to main.c in the TDLMain. Right at it start call TDLBootstrapLoader with NULL's and return from TDLMain.

   TDLBootstrapLoader(NULL, NULL);
   return;

6. Compile exe, ignore warnings of unreachable code.

7. Open result binary, locate TDLBootstrapLoader function (it will be called right on entry point don't forget this) and copy it body as C array.

8. Go to shellcode.h again and replace TDLBootstrapLoader_code array with your newly generated shellcode.

9. Go to main.c remove TDLBootstrapLoader(NULL, NULL); return; calls.

10. Recompile furutaka.exe and try to load driver

11. Voila
    http://i.imgur.com/X3Pot8S.png

As for reason why it BSOD - as I said investigate yourself, I'm not really interested in this crap and generally in Windows10 as I don't use any Windows at all and encourage you to do the same.

It BSOD's now, well you fixed it and then next big update - it BSOD again. Why? Because your code is dirty system hack and you shouldn't do this. You know Microsoft isn't stupid at all.

You can experiment also with work items etc. This "tool" is open-source so why you don't want to change/improve it?

I maybe drop v 1.1.1 with this new shellcode "workaround", but this clearly not in my top priority list of TODO.

from tdl.

Update 20 Apr 2017.

The reason of this bugcheck is changes affecting VirtualBox driver code execution. Prior to Windows 10 RS2 code executing on exploit stage runs at IRQL = PASSIVE_LEVEL. Starting from Windows 10 RS2 (15063) the IRQL on this stage is DISPATCH_LEVEL which is the reason of bugcheck because PsCreateSystemThread needs PASSIVE_LEVEL.

So take a hint that your code at fake DriverEntry will also run on DISPATCH_LEVEL on RS2+ which limits some kernel mode API usage. And it is fatal error to lower Irql if you are not one who rised it.

I highly unadvise using TDL on Windows 10 RS2 as it can and will lead to system instability.

The update to TDL with mentioned above shellcode changes is schedulled but without any date.

from tdl.

v 1.1.1 uploaded, this issue closed.

from tdl.

Congratulations! Now what?

from tdl.

Confirmed

from tdl.

Well, nothing I guess, I just have no idea how to fix it by myself, so I reported issue here.

from tdl.

No you don't get it. What blue screened, where and how. What was before and what was after. I don't know what you started, how you started it and what it should do. I don't have telepathy and I don't have magic power to tell you anything from useless IRQL UNEXPECTED VALUE. So far your just posted issue which is the candidate #1 on 2017 uselessness award.

from tdl.

It happened after big Windows update, so I thought you would understand why it happens anyway, I don't really know what else to report here. I will try to give you some details.

It happens almost instantly when I try to load my driver.

from tdl.

I need minidump. If you driver uses callbacks then it will BSOD yes this is new PatchGuard update.

from tdl.

It bugchecks inside PsCreateSystemThread which is the starting point of shellcode. Feel free to rewrite startup code to something else.

from tdl.

Can you give more info what exactly it is checking inside PsCreateSystemThread and how maybe we can fix this.

from tdl.