A forum for reverse engineering, OS internals and malware analysis 

 #480  by EP_X0FF
 Sun Mar 28, 2010 11:57 am
Hello,

I was able to reproduce your crash.

This is caused by VirtualPC. You can reproduce that even with the old VirtualPC 2007 (the result of execution will be a BSOD in the rku driver).
When hardware acceleration is not available or is disabled, the SGDT instruction gives an unpredictable result when executed in kernel mode.
For example, it returns Limit value = MAXWORD, while the same SGDT call in user mode gives me the correct value of 1023.
Exactly this causes rku to crash. When hardware acceleration is enabled, everything works as expected.

We already have strange behavior of the virtual machine in the case of VMware with VT disabled.
When VT is disabled for a VMware virtual machine, SGDT in user mode returns incorrect values. When hardware acceleration is enabled, everything works as expected.

The only workaround that I see for now is detection of public virtual machines (it could be done easily without VT) and turning off some features while working.

Regards.
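As an added illustration (not code from the thread or from rku), a decoder for the raw memory image that SGDT writes, followed by the kind of plausibility check a scanner can apply before trusting the limit: a real limit is (entries * 8) - 1, and the MAXWORD value reported above fails the check. The sample bytes and the base address 0x80B95000 are constructed; the check is a heuristic, not rku's actual workaround.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded GDTR as stored by SGDT: a 16-bit limit followed by the base
 * (32-bit on x86, 64-bit in long mode), all little-endian. */
struct gdtr {
    uint16_t limit;
    uint64_t base;
};

/* Parse the memory operand SGDT writes; buf holds 6 bytes on x86, 10 on x64. */
void gdtr_decode(const uint8_t *buf, int long_mode, struct gdtr *out)
{
    size_t base_len = long_mode ? 8 : 4;
    out->limit = (uint16_t)(buf[0] | (buf[1] << 8));
    out->base = 0;
    for (size_t i = 0; i < base_len; i++)
        out->base |= (uint64_t)buf[2 + i] << (8 * i);
}

/* Heuristic (an assumption, not an architectural rule): reject the MAXWORD
 * limit seen under VirtualPC without VT, limits that are not descriptor
 * aligned, and a null base, before using the value for anything else. */
int gdtr_plausible(const struct gdtr *g)
{
    if (g->limit == 0xFFFF) return 0;   /* the MAXWORD result from the thread */
    if ((g->limit & 7) != 7) return 0;  /* limit must be (entries * 8) - 1 */
    if (g->base == 0) return 0;
    return 1;
}

int gdtr_entries(const struct gdtr *g) { return (g->limit + 1) / 8; }

int main(void)
{
    /* Constructed x86 SGDT images: limit 1023 and limit MAXWORD, same base. */
    const uint8_t good[6] = { 0xFF, 0x03, 0x00, 0x50, 0xB9, 0x80 };
    const uint8_t bad[6]  = { 0xFF, 0xFF, 0x00, 0x50, 0xB9, 0x80 };
    struct gdtr g;
    gdtr_decode(good, 0, &g);
    printf("limit=%u entries=%d plausible=%d\n", g.limit, gdtr_entries(&g), gdtr_plausible(&g));
    gdtr_decode(bad, 0, &g);
    printf("limit=%u plausible=%d\n", g.limit, gdtr_plausible(&g));
    return 0;
}
```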
 #487  by EP_X0FF
 Mon Mar 29, 2010 3:01 am
Hello,

The same reason as above. Currently the rku stealth code scan is not compatible with virtual machines without Vanderpool / Pacifica hw support.
This will be fixed in next beta version update.

Thanks.
 #490  by EP_X0FF
 Mon Mar 29, 2010 5:00 pm
Hello,

liangtong and others who have experienced the crash under Windows XP Mode.

Please test this version. It contains a workaround for this problem (using Dreg's advice).

It was tested with Virtual PC / VMware with hw VT acceleration disabled.

MD5
9f89fd4edee0bfaa1bbe16f4bf2c527f

SHA1
8d9e92561870dff75c25b0b939823b84fde1cae0
 #497  by liangtong
 Tue Mar 30, 2010 11:13 am
Hello,
The stealth code scan worked well on XP Mode with no VT support.
But there's another problem. On Windows 7, the stealth code scan always gets the following result.

0x8EADBF2E Unknown thread object [ ETHREAD 0x8B8F6D48 ] TID: 2372, 600 bytes

kd> dt nt!_ethread 8b8f6d48
+0x218 StartAddress : 0x8eadbf2e Void
+0x260 Win32StartAddress : 0x8eadbf2e Void
0: kd> u 0x8eadbf2e
<Unloaded_spsys.sys>+0x2af2e:
8eadbf2e ?? ???
^ Memory access error in 'u 0x8eadbf2e'
 #498  by EP_X0FF
 Tue Mar 30, 2010 12:18 pm
Thanks for testing. Your contribution helped to solve this issue.
0x8EADBF2E Unknown thread object [ ETHREAD 0x8B8F6D48 ] TID: 2372, 600 bytes
This is a false positive. The process is exiting and the thread is marked as terminated, but it is still accessible through manual structure parsing.