A forum for reverse engineering, OS internals and malware analysis 

 #28804  by EP_X0FF
 Sun Jul 03, 2016 3:39 am
The NtGdiDdDDISetHwProtectionTeardownRecovery (0x121B) service implemented in Windows 10 TH2 has no validation of its input parameter, which is a pointer.
Code:
.text:00000001C00BA0C0                 public NtGdiDdDDISetHwProtectionTeardownRecovery
.text:00000001C00BA0C0 NtGdiDdDDISetHwProtectionTeardownRecovery proc near
.text:00000001C00BA0C0                 xor     r8d, r8d
.text:00000001C00BA0C3                 mov     edx, 1
.text:00000001C00BA0C8                 cmp     [rcx+4], r8d //<- Have a nice BSOD
.text:00000001C00BA0CC                 setz    r8b
.text:00000001C00BA0D0                 xor     ecx, ecx
.text:00000001C00BA0D2                 jmp     DCompositionForceRender
.text:00000001C00BA0D2 NtGdiDdDDISetHwProtectionTeardownRecovery endp
The service is implemented in win32kbase.sys and can easily be used to crash the system.
This feature(?) has existed since the TH2 release and is confirmed in version 10586.456 of Win32k.

It was fixed only in RS1 builds; below is 14372 (so it was in production for about a year).
Code:
.text:00000001C00C96A0                 public NtGdiDdDDISetHwProtectionTeardownRecovery
.text:00000001C00C96A0 NtGdiDdDDISetHwProtectionTeardownRecovery proc near
.text:00000001C00C96A0
.text:00000001C00C96A0 arg_8           = qword ptr  10h
.text:00000001C00C96A0
.text:00000001C00C96A0                 sub     rsp, 28h
.text:00000001C00C96A4                 cmp     rcx, cs:W32UserProbeAddress
.text:00000001C00C96AB                 cmovnb  rcx, cs:W32UserProbeAddress
.text:00000001C00C96B3                 movsd   xmm0, qword ptr [rcx]
.text:00000001C00C96B7                 movsd   [rsp+28h+arg_8], xmm0
.text:00000001C00C96BD                 xor     r8d, r8d
.text:00000001C00C96C0                 cmp     dword ptr [rsp+28h+arg_8+4], r8d
.text:00000001C00C96C5                 setz    r8b
.text:00000001C00C96C9                 mov     edx, 1
.text:00000001C00C96CE                 xor     ecx, ecx
.text:00000001C00C96D0                 call    DCompositionForceRender
.text:00000001C00C96D5                 jmp     short loc_1C00C96DC
.text:00000001C00C96D7 ; ---------------------------------------------------------------------------
.text:00000001C00C96D7                 mov     eax, 0C000000Dh
.text:00000001C00C96DC
.text:00000001C00C96DC loc_1C00C96DC:                         
.text:00000001C00C96DC                 add     rsp, 28h
.text:00000001C00C96E0                 retn
.text:00000001C00C96E0 NtGdiDdDDISetHwProtectionTeardownRecovery endp
New service -> new bug. Nice code quality.
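An added example, not from the post or from Microsoft's code: a user-mode C model of the shape of the RS1 fix, clamping the pointer against the probe address and capturing the 8-byte argument into a kernel-owned local before testing it. The arena, the probe boundary, the field names and the probe_and_copy() fault model are assumptions; the STATUS_INVALID_PARAMETER return stands in for the exception-handler path that produces the listing's 0C000000Dh.

```c
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du  /* the 0C000000Dh in the fixed listing */

/* Constructed address space (assumption): arena bytes [0,64) are "user"
 * memory and byte 64 is the probe address, the first non-user address. */
static uint8_t arena[72];
#define USER_SPACE          ((uintptr_t)arena)
#define USER_PROBE_ADDRESS  ((uintptr_t)arena + 64)
/* The service tests the dword at offset 4; field names are placeholders. */
typedef struct { uint32_t dword0; uint32_t dword4; } TeardownArg;
static int last_flag = -1;  /* the r8 value DCompositionForceRender would receive */
int last_force_render_flag(void) { return last_flag; }

/* Models the read the kernel wraps in __try/__except: only the user part of
 * the arena is readable; the probe address and anything else fault. */
static int probe_and_copy(uintptr_t src, void *dst, size_t n)
{
    if (src < USER_SPACE || src + n > USER_PROBE_ADDRESS)
        return 0;
    memcpy(dst, (const void *)src, n);
    return 1;
}

/* Handler in the shape of the RS1 build: clamp, capture, then compare. */
uint32_t set_hw_protection_teardown_recovery(const void *user_arg)
{
    uintptr_t p = (uintptr_t)user_arg;
    /* cmp rcx, W32UserProbeAddress / cmovnb rcx, W32UserProbeAddress:
     * a kernel address is never dereferenced, it is redirected to the probe address. */
    if (p >= USER_PROBE_ADDRESS)
        p = USER_PROBE_ADDRESS;
    /* movsd xmm0,[rcx] / movsd [rsp+arg_8],xmm0: one 8-byte capture into a
     * kernel-owned local, so the compare below cannot race with user writes. */
    TeardownArg local;
    if (!probe_and_copy(p, &local, sizeof local))
        return STATUS_INVALID_PARAMETER;  /* the exception-handler path in the listing */
    last_flag = (local.dword4 == 0);      /* xor r8d,r8d / cmp [local+4],r8d / setz r8b */
    return STATUS_SUCCESS;
}

/* Places a well-formed argument in user memory and calls the handler. */
uint32_t call_from_user(uint32_t dword4)
{
    TeardownArg a = { 0, dword4 };
    memcpy(arena, &a, sizeof a);
    return set_hw_protection_teardown_recovery(arena);
}
```

The TH2 version in the first listing has neither the clamp nor the local capture, which is why a bad pointer reaches the cmp directly.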