From ff6f8f4551c2f1c052cc0611e35496d0f86d7128 Mon Sep 17 00:00:00 2001 From: nezu <29180158+dumbasPL@users.noreply.github.com> Date: Sun, 4 Feb 2024 20:09:07 +0100 Subject: [PATCH] don't BSOD when KVA shadowing is enabled --- src/include/util.h | 28 ++++++++++++++++++++++++++++ src/stage1/fumo_preloader.h | 1 + src/stage1/stage1.cpp | 3 +++ 3 files changed, 32 insertions(+) diff --git a/src/include/util.h b/src/include/util.h index cef7ffb..d842494 100644 --- a/src/include/util.h +++ b/src/include/util.h @@ -15,6 +15,26 @@ typedef struct _STAGE2_LOADER_DATA { DWORD loader_pid; } STAGE2_LOADER_DATA, *PSTAGE2_LOADER_DATA; +typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION { + union { + ULONG KvaShadowFlags; + struct { + ULONG KvaShadowEnabled : 1; + ULONG KvaShadowUserGlobal : 1; + ULONG KvaShadowPcid : 1; + ULONG KvaShadowInvpcid : 1; + ULONG KvaShadowRequired : 1; // REDSTONE4 + ULONG KvaShadowRequiredAvailable : 1; + ULONG InvalidPteBit : 6; + ULONG L1DataCacheFlushSupported : 1; + ULONG L1TerminalFaultMitigationPresent : 1; + ULONG Reserved : 18; + }; + }; +} SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION; + +constexpr SYSTEM_INFORMATION_CLASS SystemKernelVaShadowInformation = (SYSTEM_INFORMATION_CLASS)196; + extern "C" NTSYSAPI NTSTATUS NTAPI RtlGetVersion( _Out_ PRTL_OSVERSIONINFOW lpVersionInformation ); @@ -43,6 +63,14 @@ inline bool isHvciEnabled() { return false; } +inline bool isKVAShadowEnabled() { + SYSTEM_KERNEL_VA_SHADOW_INFORMATION kvs = { 0 }; + if (NT_SUCCESS(NtQuerySystemInformation(SystemKernelVaShadowInformation, &kvs, sizeof(kvs), NULL))) { + return kvs.KvaShadowEnabled; + } + return false; +} + inline std::wstring get_proces_name(HANDLE process) { std::wstring process_name; process_name.resize(MAX_PATH); diff --git a/src/stage1/fumo_preloader.h b/src/stage1/fumo_preloader.h index 1afef31..054bd1f 100644 --- a/src/stage1/fumo_preloader.h +++ b/src/stage1/fumo_preloader.h 
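Review bot: Nothing pins the new SYSTEM_KERNEL_VA_SHADOW_INFORMATION bit-field struct to one ULONG, even though the union is meant to alias KvaShadowFlags and its sizeof is later handed to NtQuerySystemInformation as the buffer length; add `static_assert(sizeof(SYSTEM_KERNEL_VA_SHADOW_INFORMATION) == sizeof(ULONG), "KVA shadow info must be exactly one ULONG");` after the typedef. The widths as written (1+1+1+1+1+1+6+1+1+18) do sum to 32, so this documents the invariant rather than fixing a present bug, but a future edit to the field list would then fail at compile time instead of producing a wrong buffer size. The information class is written as a cast from a bare integer rather than taken from the SDK enum, which suggests an undocumented class; a comment such as `// undocumented information class; builds that lack it return a failure status` next to the constexpr would tell the reader why callers must tolerate the query failing.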
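Review bot: isKVAShadowEnabled() fails open: any non-success status from NtQuerySystemInformation (for example a build that rejects the information class, or a buffer-size mismatch) makes it return false, so the caller proceeds exactly as if the mitigation were off, which is the crash scenario the commit is trying to avoid. This mirrors the existing isHvciEnabled() just above, whose tail `return false;` is visible in the context lines, so it is consistent with the file, but "could not determine" and "disabled" are different answers and the function should at least say so, e.g. `// NOTE: a failed query is reported as "not enabled"; callers cannot distinguish it from the mitigation being off`. If the project is willing to change the contract, returning the status alongside the flag (or a std::optional<bool>) would let stage1 decide whether to refuse on an indeterminate result. Minor style point for the same lines: the file is C++ and `NULL` for the ReturnLength argument would read better as `nullptr`.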
@@ -9,6 +9,7 @@ #define ERR_STAGE1_FAILED_TO_GET_DEBUG_PRIVILEGES 3 #define ERR_STAGE1_UNSUPPORTED_OS 50 #define ERR_STAGE1_HVCI_ENABLED 51 +#define ERR_STAGE1_KVA_SHADOW_ENABLED 52 #define ERR_STAGE1_FAILED_TO_MAP_DRIVER 100 #define ERR_STAGE1_FAILED_TO_OPEN_DRIVER 101 #define ERR_STAGE1_FAILED_TO_GET_DRIVER_VERSION 102 diff --git a/src/stage1/stage1.cpp b/src/stage1/stage1.cpp index 782d9dd..d3ca1f9 100644 --- a/src/stage1/stage1.cpp +++ b/src/stage1/stage1.cpp @@ -81,6 +81,9 @@ int main(PFUMO_EMBEDDED_DATA embedded_data) { if (isHvciEnabled()) return fumo::error(ERR_STAGE1_HVCI_ENABLED, L"HyperVisor Code Integrity (HVCI) is enabled, please disable it and try again"); + if (isKVAShadowEnabled()) + return fumo::error(ERR_STAGE1_KVA_SHADOW_ENABLED, L"Kernel Virtual Address Shadow (KVAS) is enabled, please disable it and try again"); + if(!get_debug_privileges()) return fumo::error(ERR_STAGE1_FAILED_TO_GET_DEBUG_PRIVILEGES, L"Failed to get debug privileges");
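Review bot: The new error string in stage1.cpp asks the user to disable KVA shadowing without telling them what it is; it is the OS's kernel/user page-table isolation mitigation, and the message should make that explicit so the trade-off is understood before anyone acts on it, e.g. `L"Kernel Virtual Address Shadowing (KVAS, the kernel page-table isolation mitigation) is enabled; the loader cannot run while it is on"`. The check itself is placed consistently with the HVCI check immediately above and, per the diffstat, the new exit code 52 is added next to the existing 51 in fumo_preloader.h. Note that because isKVAShadowEnabled() reports a failed query as false, this branch is skipped when the status cannot be read, so the "please disable it" path is only reached on a confirmed positive. main() begins and ends outside the hunk.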