# Syser causes BSOD

a new bug in Syser was found. download this file, unpack it and run make-all-and-run.bat.
under XP SP2 with Syser we have BSOD:

# BugCheck 100000D1, {45b0, ff, 0, f580aa75}
# Probably caused by : Syser.sys ( Syser+aa75 )
# DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

this is _very_ strange, since the program causes crash – is a user-mode application, or, to be exactly, there are two programs – one traces another to find out NT bug: OS kernel doesn’t zero TF bit on faults (see this post for more detail), leading to crash OllyDbg, but OllyDbg just refuses to debug, while Syser causes BSOD. not good :=( excellent way to defeat Syser, although :=)

note:
the bug was located
rebuild PeterFerrie.exe with following options and forgot about BSOD:

$link.exe PeterFerrie.obj /ENTRY:nezumi /SUBSYSTEM:CONSOLE KERNEL32.LIB

the previous ones were:

$link.exe PeterFerrie.obj /FIXED /ENTRY:nezumi /SUBSYSTEM:CONSOLE /ALIGN:16 /MERGE:.rdata=.text /STUB:stub KERNEL32.LIB

I’m too lazy to check every combination to find out which one triggers BSOD. it might be /ALIGN:16 or section merging or incorrect ms-dos stub (I just truncated file at the end of MZ-header without fixing size of the file – windows doesn’t check it).

I sent my report to Syser team, but got no answer. never mind. it’s probable nothing. however, the bug gives a great opportunity to malware-writers, so it has to be fixed.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: