熊猫卫士2008驱动程序PavTPK.sys蓝屏BUG

 

熊猫卫士2008升级到最新版,PavTPK.sys，显示编译日期为2007.5.19

该驱动使用PsSetLoadImageNotifyRoutine,注册了一个镜像加载回调，位于PavTPK+0x21d0

大致函数结构如下:

PavTPK+0x21d0_ImageLoadNotifyRoutine

       |

          ------> PavTPK+0x1910_RaiseIrql                            

                         |

                          ------>   PavTPK+0x36f8_Call_PsCreateSystemThread

PavTPK+1910函数中，PavTPK.sys使用hal!KfRaiseIrql函数提升了当前线程的IRQL

kd>

PavTPK+0x1a19:

aac29a19 8b4510           mov      eax,dword ptr [ebp+10h]

aac29a1c 85c0             test     eax,eax

aac29a1e 740b             je       PavTPK+0x1a2b (aac29a2b)

aac29a20 b101             mov      cl,1

aac29a22 ff1500c0c2aa     call     dword ptr [PavTPK+0x4000 (aac2c000)] ->hal!KfRaiseIrql

aac29a28 8845e6           mov      byte ptr [ebp-1Ah],al

aac29a2b c745dc00000000   mov      dword ptr [ebp-24h],0

aac29a32 b902040000       mov      ecx,402h

接着在PavTPK+0x36f8中，PavTPK.sys又调用了PsCreateSystemThread来创建系统线程

kd>

PavTPK+0x3743:

aac2b743 894614           mov      dword ptr [esi+14h],eax

aac2b746 57               push     edi

aac2b747 8d45f8           lea      eax,[ebp-8]

aac2b74a 891e             mov      dword ptr [esi],ebx

aac2b74c 50               push     eax

aac2b74d 897dfc           mov      dword ptr [ebp-4],edi

aac2b750 ff15c0c0c2aa      call     dword ptr [PavTPK+0x40c0 (aac2c0c0)] ->nt!PsCreateSystemThread

aac2b756 85c0             test     eax,eax

MSDN中指出，PsCreateSystemThread函数是不允许执行在非PASSIVE_LEVEL下的：

Windows Driver Kit: Kernel-Mode Driver Architecture

PsCreateSystemThread

The PsCreateSystemThread routine creates a system thread that executes in kernel mode and returns a handle for the thread.

Requirements

IRQL: PASSIVE_LEVEL

Headers: Declared in wdm.h. Include wdm.h, ntddk.h, or ntifs.h.

同时PsCreateSystemThread在WIN2000下是不允许在非SYSTEM上下文调用的，熊猫卫士的驱动在Image Load Notify Routine中调用PsCreateSystemThread也是错误的

在高IRQL下调用PsCreateSystemThread至少打破了一条规则：MSDN下对线程通知回调的定义：

MSDN中对PsSetCreateNotifyRoutine的定义中明确指出：

When it is called, the driver's thread-creation notify routine runs at IRQL = PASSIVE_LEVEL either in the context of the newly created thread or in the context of the exiting thread.

也就是说 PsCreateSystemThread->PspCreateThread->call psp create thread notify routine 必须保证IRQL都是PASSIVE_LEVEL,在高IRQL下调用PsCreateSystemThread显然破坏了这一规则

建议：更改程序逻辑，不要在镜像回调中使用PsCreateSystemThread创建系统线程