Tuesday, 26 December 2017

In the page fault handler, the fs register needs to be set up. See the following log: fs varies, hence the SetMember of the proc varies.


Microsoft (R) Windows Debugger Version 10.0.15063.137 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Tue Dec 26 17:16:04.644 2017 (UTC - 5:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*
Executable search path is:
Windows XP Kernel Version 2600 MP (1 procs) Free x86 compatible
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
System Uptime: not available

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Deferred                                       srv*c:\symbols*https://msdl.microsoft.com/download/symbols
OK                                             C:\Projects\hookidt\test\Debug

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\Projects\hookidt\test\Src
nt!DebugService2+0x10:
80531eb2 cc              int     3
kd> g
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
watchdog!WdUpdateRecoveryState: Recovery enabled.
Start hooking...
[HookCPU]
IDT: 0x8003F400, originalIDT2eISR: 0x805444A8
Processor[1] is hooked, dwProcAddress: 0xEE6FA690
IDT: 0xF7881590, originalIDT2eISR: 0x805444A8
Processor[2] is hooked, dwProcAddress: 0xEE6FA690
Hook is done.
HookKiSystemCallExit2
testxxxintersendmsgex_test.exe,  0x6d40340
testxxxintersendmsgex_sleep100.exe,  0x6d40360
KeQueryActiveProcessors: 3
CPU 0
In DoStartVMX, Processor 0
VMXON Region Size 0x0
VMXON Access Width Bit 0x0
      [   1] --> 32-bit
      [   0] --> 64-bit
VMXON Memory Type 0x6
      [   0]  --> Strong Uncacheable
      [ 1-5]  --> Unused
      [   6]  --> Write Back
      [7-15]  --> Unused
SUCCESS: VMXON operation completed.
VMM is now running on processor 0.
GUEST_ES_SELECTOR 0x20
GUEST_CS_SELECTOR 0x8
GUEST_SS_SELECTOR 0x10
GUEST_DS_SELECTOR 0x20
GUEST_FS_SELECTOR 0x30
GUEST_GS_SELECTOR 0x0
GUEST_LDTR_SELECTOR 0x0
GUEST_TR_SELECTOR 0x28
HOST_ES_SELECTOR 0x20
HOST_CS_SELECTOR 0x8
HOST_SS_SELECTOR 0x10
HOST_DS_SELECTOR 0x20
HOST_FS_SELECTOR 0x30
HOST_GS_SELECTOR 0x0
HOST_TR_SELECTOR 0x28
CPU_BASED_VM_EXEC_CONTROL 0x401e372
PIN_BASED_VM_EXEC_CONTROL 0x16
VM_EXIT_CONTROLS 0x3edff
GUEST_ES_LIMIT 0xffffffff
GUEST_CS_LIMIT 0xffffffff
GUEST_SS_LIMIT 0xffffffff
GUEST_DS_LIMIT 0xffffffff
GUEST_FS_LIMIT 0x1fff
GUEST_GS_LIMIT 0x0
GUEST_LDTR_LIMIT 0x0
GUEST_TR_LIMIT 0x20ab
GUEST_GDTR_LIMIT 0x3ff
GUEST_IDTR_LIMIT 0x7ff
GUEST_ES_AR_BYTES 0xc0f3
GUEST_CS_AR_BYTES 0xc09b
GUEST_SS_AR_BYTES 0xc093
GUEST_DS_AR_BYTES 0xc0f3
GUEST_FS_AR_BYTES 0xc093
GUEST_GS_AR_BYTES 0x10000
GUEST_TR_AR_BYTES 0x8b
GUEST_LDTR_AR_BYTES 0x10000
GUEST_CR0 0x8001003b
GUEST_CR3 0x6d40020
GUEST_CR4 0x26f9
GUEST_CS_BASE 0x0
GUEST_SS_BASE 0x0
GUEST_DS_BASE 0x0
GUEST_ES_BASE 0x0
GUEST_FS_BASE 0xffdff000
GUEST_GS_BASE 0x0
GUEST_LDTR_BASE 0x0
GUEST_TR_BASE 0x80042000
GUEST_GDTR_BASE 0x8003f000
GUEST_IDTR_BASE 0x8003f400
GUEST_RSP 0xf7a40c20
GUEST_RIP 0xf79d8b0d
GUEST_RFLAGS 0x200202
GUEST_SYSENTER_ESP 0xf7a15000
GUEST_SYSENTER_EIP 0x80541520
GUEST_SYSENTER_CS 0x8
HOST_CR0 0x8001003b
HOST_CR3 0x6d40020
HOST_CR4 0x26f9
HOST_FS_BASE 0xffdff000
HOST_GS_BASE 0x0
HOST_TR_BASE 0x80042000, selector 0x28
HOST_GDTR_BASE 0x8003f000
HOST_IDTR_BASE 0x8003f400
CPU 1
In DoStartVMX, Processor 1
VMXON Region Size 0x0
VMXON Access Width Bit 0x0
      [   1] --> 32-bit
      [   0] --> 64-bit
VMXON Memory Type 0x6
      [   0]  --> Strong Uncacheable
      [ 1-5]  --> Unused
      [   6]  --> Write Back
      [7-15]  --> Unused
SUCCESS: VMXON operation completed.
VMM is now running on processor 1.
GUEST_ES_SELECTOR 0x20
GUEST_CS_SELECTOR 0x8
GUEST_SS_SELECTOR 0x10
GUEST_DS_SELECTOR 0x20
GUEST_FS_SELECTOR 0x30
GUEST_GS_SELECTOR 0x0
GUEST_LDTR_SELECTOR 0x0
GUEST_TR_SELECTOR 0x28
HOST_ES_SELECTOR 0x20
HOST_CS_SELECTOR 0x8
HOST_SS_SELECTOR 0x10
HOST_DS_SELECTOR 0x20
HOST_FS_SELECTOR 0x30
HOST_GS_SELECTOR 0x0
HOST_TR_SELECTOR 0x28
CPU_BASED_VM_EXEC_CONTROL 0x401e372
PIN_BASED_VM_EXEC_CONTROL 0x16
VM_EXIT_CONTROLS 0x3edff
GUEST_ES_LIMIT 0xffffffff
GUEST_CS_LIMIT 0xffffffff
GUEST_SS_LIMIT 0xffffffff
GUEST_DS_LIMIT 0xffffffff
GUEST_FS_LIMIT 0x1fff
GUEST_GS_LIMIT 0x0
GUEST_LDTR_LIMIT 0x0
GUEST_TR_LIMIT 0x20ab
GUEST_GDTR_LIMIT 0x3ff
GUEST_IDTR_LIMIT 0x7ff
GUEST_ES_AR_BYTES 0xc0f3
GUEST_CS_AR_BYTES 0xc09b
GUEST_SS_AR_BYTES 0xc093
GUEST_DS_AR_BYTES 0xc0f3
GUEST_FS_AR_BYTES 0xc093
GUEST_GS_AR_BYTES 0x10000
GUEST_TR_AR_BYTES 0x8b
GUEST_LDTR_AR_BYTES 0x10000
GUEST_CR0 0x8001003b
GUEST_CR3 0x6d40020
GUEST_CR4 0x26f9
GUEST_CS_BASE 0x0
GUEST_SS_BASE 0x0
GUEST_DS_BASE 0x0
GUEST_ES_BASE 0x0
GUEST_FS_BASE 0xf787d000
GUEST_GS_BASE 0x0
GUEST_LDTR_BASE 0x0
GUEST_TR_BASE 0xf787dd70
GUEST_GDTR_BASE 0xf7881190
GUEST_IDTR_BASE 0xf7881590
GUEST_RSP 0xf7a40c20
GUEST_RIP 0xf79d8b0d
GUEST_RFLAGS 0x200202
GUEST_SYSENTER_ESP 0xf7a25000
GUEST_SYSENTER_EIP 0x80541520
GUEST_SYSENTER_CS 0x8
HOST_CR0 0x8001003b
HOST_CR3 0x6d40020
HOST_CR4 0x26f9
HOST_FS_BASE 0xf787d000
HOST_GS_BASE 0x0
HOST_TR_BASE 0xf787dd70, selector 0x28
HOST_GDTR_BASE 0xf7881190
HOST_IDTR_BASE 0xf7881590
current kprcb: 0xf787d120
SetMember 0x2
current kprcb: 0xf787d120
SetMember 0x2
current kprcb: 0xf787d120
SetMember 0x2
current kprcb: 0xffdff120
SetMember 0x1
current kprcb: 0xffdff120
SetMember 0x1
current kprcb: 0xffdff120
SetMember 0x1
current kprcb: 0xffdff120
SetMember 0x1
current kprcb: 0xffdff120
SetMember 0x1
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run console kernel debugger) or,                       *
*       CTRL+BREAK (if you run GUI kernel debugger),                          *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
current kprcb: 0xf787d120
SetMember 0x2
current kprcb: 0xf787d120
SetMember 0x2
nt!RtlpBreakWithStatusInstruction:
8052b5dc cc              int     3
current kprcb: 0xf787d120
SetMember 0x2

Monday, 25 December 2017

Now what I'm struggling with is this:

I try to use a hypercall to inform the hypervisor and let it invalidate a TLB entry for me on all processors.
In the hypercall handler, I tried to call NtProtectVirtualMemory to do that. I set a breakpoint right before calling NtProtectVirtualMemory. Sometimes single-stepping over it is fine; I may run it several times. But eventually the system freezes. I got this:


Microsoft (R) Windows Debugger Version 10.0.15063.137 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Mon Dec 25 18:03:25.836 2017 (UTC - 5:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*
Executable search path is:
Windows XP Kernel Version 2600 MP (1 procs) Free x86 compatible
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
System Uptime: not available

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Deferred                                       srv*c:\symbols*https://msdl.microsoft.com/download/symbols
OK                                             C:\Projects\hookidt\test\Debug

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\Projects\hookidt\test\Src
nt!DebugService2+0x10:
80531eb2 cc              int     3
kd> g
ERROR: DavReadRegistryValues/RegQueryValueExW(4). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(5). WStatus = 5
ERROR: DavReadRegistryValues/RegQueryValueExW(6). WStatus = 5
Start hooking...
[HookCPU]
IDT: 0x8003F400, originalIDT2eISR: 0x805444A8
Processor[1] is hooked, dwProcAddress: 0xB19E5620
IDT: 0xBAB3C590, originalIDT2eISR: 0x805444A8
Processor[2] is hooked, dwProcAddress: 0xB19E5620
Hook is done.
HookKiSystemCallExit2
testxxxintersendmsgex_sleep100.exe,  0xaac0300
KeQueryActiveProcessors: 3
CPU 0
In DoStartVMX, Processor 0
VMXON Region Size 0x0
VMXON Access Width Bit 0x0
      [   1] --> 32-bit
      [   0] --> 64-bit
VMXON Memory Type 0x6
      [   0]  --> Strong Uncacheable
      [ 1-5]  --> Unused
      [   6]  --> Write Back
      [7-15]  --> Unused
SUCCESS: VMXON operation completed.
VMM is now running on processor 0.
GUEST_ES_SELECTOR 0x20
GUEST_CS_SELECTOR 0x8
GUEST_SS_SELECTOR 0x10
GUEST_DS_SELECTOR 0x20
GUEST_FS_SELECTOR 0x30
GUEST_GS_SELECTOR 0x0
GUEST_LDTR_SELECTOR 0x0
GUEST_TR_SELECTOR 0x28
HOST_ES_SELECTOR 0x20
HOST_CS_SELECTOR 0x8
HOST_SS_SELECTOR 0x10
HOST_DS_SELECTOR 0x20
HOST_FS_SELECTOR 0x30
HOST_GS_SELECTOR 0x0
HOST_TR_SELECTOR 0x28
CPU_BASED_VM_EXEC_CONTROL 0x401e372
PIN_BASED_VM_EXEC_CONTROL 0x16
VM_EXIT_CONTROLS 0x3edff
GUEST_ES_LIMIT 0xffffffff
GUEST_CS_LIMIT 0xffffffff
GUEST_SS_LIMIT 0xffffffff
GUEST_DS_LIMIT 0xffffffff
GUEST_FS_LIMIT 0x1fff
GUEST_GS_LIMIT 0x0
GUEST_LDTR_LIMIT 0x0
GUEST_TR_LIMIT 0x20ab
GUEST_GDTR_LIMIT 0x3ff
GUEST_IDTR_LIMIT 0x7ff
GUEST_ES_AR_BYTES 0xc0f3
GUEST_CS_AR_BYTES 0xc09b
GUEST_SS_AR_BYTES 0xc093
GUEST_DS_AR_BYTES 0xc0f3
GUEST_FS_AR_BYTES 0xc093
GUEST_GS_AR_BYTES 0x10000
GUEST_TR_AR_BYTES 0x8b
GUEST_LDTR_AR_BYTES 0x10000
GUEST_CR0 0x8001003b
GUEST_CR3 0xaac0020
GUEST_CR4 0x26f9
GUEST_CS_BASE 0x0
GUEST_SS_BASE 0x0
GUEST_DS_BASE 0x0
GUEST_ES_BASE 0x0
GUEST_FS_BASE 0xffdff000
GUEST_GS_BASE 0x0
GUEST_LDTR_BASE 0x0
GUEST_TR_BASE 0x80042000
GUEST_GDTR_BASE 0x8003f000
GUEST_IDTR_BASE 0x8003f400
GUEST_RSP 0xbacffc20
GUEST_RIP 0xbac2bb0d
GUEST_RFLAGS 0x202
GUEST_SYSENTER_ESP 0xbacd0000
GUEST_SYSENTER_EIP 0x80541520
GUEST_SYSENTER_CS 0x8
HOST_CR0 0x8001003b
HOST_CR3 0xaac0020
HOST_CR4 0x26f9
HOST_FS_BASE 0xffdff000
HOST_GS_BASE 0x0
HOST_TR_BASE 0x80042000, selector 0x28
HOST_GDTR_BASE 0x8003f000
HOST_IDTR_BASE 0x8003f400
CPU 1
In DoStartVMX, Processor 1
VMXON Region Size 0x0
VMXON Access Width Bit 0x0
      [   1] --> 32-bit
      [   0] --> 64-bit
VMXON Memory Type 0x6
      [   0]  --> Strong Uncacheable
      [ 1-5]  --> Unused
      [   6]  --> Write Back
      [7-15]  --> Unused
SUCCESS: VMXON operation completed.
VMM is now running on processor 1.
GUEST_ES_SELECTOR 0x20
GUEST_CS_SELECTOR 0x8
GUEST_SS_SELECTOR 0x10
GUEST_DS_SELECTOR 0x20
GUEST_FS_SELECTOR 0x30
GUEST_GS_SELECTOR 0x0
GUEST_LDTR_SELECTOR 0x0
GUEST_TR_SELECTOR 0x28
HOST_ES_SELECTOR 0x20
HOST_CS_SELECTOR 0x8
HOST_SS_SELECTOR 0x10
HOST_DS_SELECTOR 0x20
HOST_FS_SELECTOR 0x30
HOST_GS_SELECTOR 0x0
HOST_TR_SELECTOR 0x28
CPU_BASED_VM_EXEC_CONTROL 0x401e372
PIN_BASED_VM_EXEC_CONTROL 0x16
VM_EXIT_CONTROLS 0x3edff
GUEST_ES_LIMIT 0xffffffff
GUEST_CS_LIMIT 0xffffffff
GUEST_SS_LIMIT 0xffffffff
GUEST_DS_LIMIT 0xffffffff
GUEST_FS_LIMIT 0x1fff
GUEST_GS_LIMIT 0x0
GUEST_LDTR_LIMIT 0x0
GUEST_TR_LIMIT 0x20ab
GUEST_GDTR_LIMIT 0x3ff
GUEST_IDTR_LIMIT 0x7ff
GUEST_ES_AR_BYTES 0xc0f3
GUEST_CS_AR_BYTES 0xc09b
GUEST_SS_AR_BYTES 0xc093
GUEST_DS_AR_BYTES 0xc0f3
GUEST_FS_AR_BYTES 0xc093
GUEST_GS_AR_BYTES 0x10000
GUEST_TR_AR_BYTES 0x8b
GUEST_LDTR_AR_BYTES 0x10000
GUEST_CR0 0x8001003b
GUEST_CR3 0xaac0020
GUEST_CR4 0x26f9
GUEST_CS_BASE 0x0
GUEST_SS_BASE 0x0
GUEST_DS_BASE 0x0
GUEST_ES_BASE 0x0
GUEST_FS_BASE 0xbab38000
GUEST_GS_BASE 0x0
GUEST_LDTR_BASE 0x0
GUEST_TR_BASE 0xbab38d70
GUEST_GDTR_BASE 0xbab3c190
GUEST_IDTR_BASE 0xbab3c590
GUEST_RSP 0xbacffc20
GUEST_RIP 0xbac2bb0d
GUEST_RFLAGS 0x202
GUEST_SYSENTER_ESP 0xbace0000
GUEST_SYSENTER_EIP 0x80541520
GUEST_SYSENTER_CS 0x8
HOST_CR0 0x8001003b
HOST_CR3 0xaac0020
HOST_CR4 0x26f9
HOST_FS_BASE 0xbab38000
HOST_GS_BASE 0x0
HOST_TR_BASE 0xbab38d70, selector 0x28
HOST_GDTR_BASE 0xbab3c190
HOST_IDTR_BASE 0xbab3c590
Break instruction exception - code 80000003 (first chance)
WARNING: Process directory table base 0AAC0300 doesn't match CR3 0AAC0020
WARNING: Process directory table base 0AAC0300 doesn't match CR3 0AAC0020
hypervisor!TestFlush+0x29:
bac2a299 cc              int     3
1: kd> p
hypervisor!TestFlush+0x2a:
bac2a29a 833d18c0c2ba00  cmp     dword ptr [hypervisor!pZwProtectVirtualMemory (bac2c018)],0
WARNING: Process directory table base 0AAC0300 doesn't match CR3 0AAC0020
WARNING: Process directory table base 0AAC0300 doesn't match CR3 0AAC0020
1: kd> p
hypervisor!TestFlush+0x33:
bac2a2a3 c70518c0c2bae0075080 mov dword ptr [hypervisor!pZwProtectVirtualMemory (bac2c018)],offset nt!ZwProtectVirtualMemory (805007e0)
WARNING: Process directory table base 0AAC0300 doesn't match CR3 0AAC0020
WARNING: Process directory table base 0AAC0300 doesn't match CR3 0AAC0020
1: kd> r cr3
cr3=0aac0020
1: kd> dd 0
00000000  00000001 00000004 0040b408 00000000
00000010  00000000 00000000 00000000 00000000
00000020  00000000 00000000 00000000 00000000
00000030  00000000 00000000 00000000 00000000
00000040  00000000 00000000 00000000 00000000
00000050  00000000 00000000 00000000 00000000
00000060  00000000 00000000 00000000 00000000
00000070  00000000 00000000 00000000 00000000
1: kd> !process
Failed to get VadRoot
PROCESS 89e7e448  SessionId: 0  Cid: 0448    Peb: 7ffde000  ParentCid: 06c8
    DirBase: 0aac0300  ObjectTable: e23c08a8  HandleCount:  14.
    Image: testxxxintersendmsgex_sleep100.exe
    VadRoot 00000000 Vads 0 Clone 0 Private 60. Modified 0. Locked 0.
    DeviceMap e16df2e0
    Token                             e2580bc0
    ElapsedTime                       00:01:19.421
    UserTime                          00:00:00.015
    KernelTime                        00:00:00.187
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (379, 50, 345) (1516KB, 200KB, 1380KB)
    PeakWorkingSetSize                379
    VirtualSize                       13 Mb
    PeakVirtualSize                   13 Mb
    PageFaultCount                    373
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      79

        THREAD 899d4020  Cid 0448.0428  Teb: 7ffdd000 Win32Thread: e223e720 RUNNING on processor 1

1: kd> r cr3
cr3=0aac0020



This is not a crash; it is just that when I single-step over after the breakpoint, windbg shows:
WARNING: Process directory table base 0AAC0300 doesn't match CR3 0AAC0020

The current process's page directory base is 0AAC0300, but the current cr3 is 0AAC0020, which belongs to the SYSTEM process.

At first I thought that the reason could be that during NtProtectVirtualMemory, it may call other system calls to wait or sleep. Hence a process context switch happens.

But I didn't even enter NtProtectVirtualMemory. There must be something wrong with my hypervisor?
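As an added example (not the author's hypervisor code), a Python checker over constructed excerpts of the two dumps above: it confirms that each traced KPRCB is HOST_FS_BASE + 0x120 of exactly one CPU with SetMember equal to that CPU's affinity bit (the fs point from the 26 December entry), and decodes the windbg CR3 warning against the HOST_CR3 recorded at launch (the 25 December entry). It assumes the Windows XP x86 layout, KPCR at the fs base with the KPRCB at KPCR+0x120, and that a break taken in VMX root mode sees the CR3 the CPU loaded from the VMCS host state on VM exit.

```python
import re

KPRCB_OFFSET = 0x120  # XP x86: KPCR sits at the FS base, KPRCB (PrcbData) at KPCR+0x120

# Constructed excerpts of the two sessions above (values copied from the dumps).
VMCS_DUMP_DEC26 = """\
CPU 0
HOST_FS_BASE 0xffdff000
HOST_CR3 0x6d40020
CPU 1
HOST_FS_BASE 0xf787d000
HOST_CR3 0x6d40020
"""
TRACE_DEC26 = """\
current kprcb: 0xf787d120
SetMember 0x2
current kprcb: 0xffdff120
SetMember 0x1
"""
VMCS_DUMP_DEC25 = "CPU 0\nHOST_CR3 0xaac0020\nCPU 1\nHOST_CR3 0xaac0020\n"
WARNING_DEC25 = "WARNING: Process directory table base 0AAC0300 doesn't match CR3 0AAC0020"


def parse_vmcs_dump(text):
    """Return {cpu: {FIELD: value}} from the 'CPU n' / 'FIELD 0x...' lines."""
    cpus, current = {}, None
    for line in text.splitlines():
        m = re.match(r"CPU (\d+)$", line.strip())
        if m:
            current = int(m.group(1))
            cpus[current] = {}
            continue
        m = re.match(r"(\w+) 0x([0-9a-fA-F]+)", line.strip())
        if m and current is not None:
            cpus[current][m.group(1)] = int(m.group(2), 16)
    return cpus


def check_kprcb_trace(cpus, trace):
    """Pair each 'current kprcb' line with the next 'SetMember' line: the KPRCB must be
    HOST_FS_BASE + 0x120 of some CPU (fs really points at that CPU's KPCR) and
    SetMember must be that CPU's affinity bit, 1 << cpu."""
    kprcb_to_cpu = {v["HOST_FS_BASE"] + KPRCB_OFFSET: cpu for cpu, v in cpus.items()}
    results, kprcb = [], None
    for line in trace.splitlines():
        m = re.match(r"current kprcb: 0x([0-9a-fA-F]+)", line)
        if m:
            kprcb = int(m.group(1), 16)
            continue
        m = re.match(r"SetMember 0x([0-9a-fA-F]+)", line)
        if m and kprcb is not None:
            cpu = kprcb_to_cpu.get(kprcb)  # None: fs did not point at a known KPCR
            setmember = int(m.group(1), 16)
            results.append((kprcb, setmember, cpu, cpu is not None and setmember == 1 << cpu))
            kprcb = None
    return results


def explain_cr3_warning(cpus, line):
    """Decode windbg's CR3 warning. If the active CR3 equals HOST_CR3 on every CPU,
    the break was taken in VMX root mode: on VM exit the CPU loads CR3 from the VMCS
    host state, i.e. the value this VMM recorded at launch, not the directory base
    of the process the guest was running."""
    m = re.search(r"base ([0-9A-Fa-f]+) doesn't match CR3 ([0-9A-Fa-f]+)", line)
    dtb, cr3 = int(m.group(1), 16), int(m.group(2), 16)
    host_cr3 = {v["HOST_CR3"] for v in cpus.values()}
    return {"process_dtb": dtb, "active_cr3": cr3, "is_host_cr3": host_cr3 == {cr3}}
```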