Created
November 15, 2019 16:27
-
-
Save hfiref0x/6901a8e571946e84d8adb1c6f720fdad to your computer and use it in GitHub Desktop.
NtGdiDdDDISetHwProtectionTeardownRecovery BSOD
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NtGdiDdDDISetHwProtectionTeardownRecovery (0x121B) service implemented in Windows 10 TH2 has no validation of input parameter which is pointer. | |
| .text:00000001C00BA0C0 public NtGdiDdDDISetHwProtectionTeardownRecovery | |
| .text:00000001C00BA0C0 NtGdiDdDDISetHwProtectionTeardownRecovery proc near | |
| .text:00000001C00BA0C0 xor r8d, r8d | |
| .text:00000001C00BA0C3 mov edx, 1 | |
| .text:00000001C00BA0C8 cmp [rcx+4], r8d //<- Have a nice BSOD | |
| .text:00000001C00BA0CC setz r8b | |
| .text:00000001C00BA0D0 xor ecx, ecx | |
| .text:00000001C00BA0D2 jmp DCompositionForceRender | |
| .text:00000001C00BA0D2 NtGdiDdDDISetHwProtectionTeardownRecovery endp | |
| Service implemented in win32kbase.sys and can be easily used to crash system. | |
| This feature(?) exist since TH2 release and confirmed in 10586.456 version of Win32k. | |
| It was fixed only in RS1 builds, below is 14372 (so it's in production for about year). | |
| .text:00000001C00C96A0 public NtGdiDdDDISetHwProtectionTeardownRecovery | |
| .text:00000001C00C96A0 NtGdiDdDDISetHwProtectionTeardownRecovery proc near | |
| .text:00000001C00C96A0 | |
| .text:00000001C00C96A0 arg_8 = qword ptr 10h | |
| .text:00000001C00C96A0 | |
| .text:00000001C00C96A0 sub rsp, 28h | |
| .text:00000001C00C96A4 cmp rcx, cs:W32UserProbeAddress | |
| .text:00000001C00C96AB cmovnb rcx, cs:W32UserProbeAddress | |
| .text:00000001C00C96B3 movsd xmm0, qword ptr [rcx] | |
| .text:00000001C00C96B7 movsd [rsp+28h+arg_8], xmm0 | |
| .text:00000001C00C96BD xor r8d, r8d | |
| .text:00000001C00C96C0 cmp dword ptr [rsp+28h+arg_8+4], r8d | |
| .text:00000001C00C96C5 setz r8b | |
| .text:00000001C00C96C9 mov edx, 1 | |
| .text:00000001C00C96CE xor ecx, ecx | |
| .text:00000001C00C96D0 call DCompositionForceRender | |
| .text:00000001C00C96D5 jmp short loc_1C00C96DC | |
| .text:00000001C00C96D7 ; --------------------------------------------------------------------------- | |
| .text:00000001C00C96D7 mov eax, 0C000000Dh | |
| .text:00000001C00C96DC | |
| .text:00000001C00C96DC loc_1C00C96DC: | |
| .text:00000001C00C96DC add rsp, 28h | |
| .text:00000001C00C96E0 retn | |
| .text:00000001C00C96E0 NtGdiDdDDISetHwProtectionTeardownRecovery endp |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment