I was getting bored with my XP box one day, so I decided to try some of the answers to this question to see if any of them would cause a BSOD.
They didn't, and they seemed like they would be the most likely to do that, so I was wondering if it is possible to trigger a BSOD from user-mode in C/C++, and if so, how?
问题:
回答1:
It seriously difficult to make a BSOD from user mode unless the user mode program interacts with buggy drivers (may be a particular sequence of operations can reveal the bugs in particular driver) disturbs the driver stack. From user mode, the inputs are validated well before passing to the kernel mode to ensure the stability of the system. Most of the Microsoft API/Drivers have validated well to avoid security issues in the system; so does the driver manufactures.
The best way is to disturb the driver stack, but it's not user mode.
You can create BSOD with NotMyFault SystInternals utility. It fundamentally injects a driver and create the BSOD
http://download.sysinternals.com/Files/Notmyfault.zip
回答2:
There's the undocumented function NtRaiseHardError.
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Error/NtRaiseHardError.html
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Error/HARDERROR_RESPONSE_OPTION.html
If the fifth parameter is 6 (OptionShutdownSystem), you'll get a BSOD. This requires enabling the shutdown privilege.
回答3:
It's just this:
#include <iostream>
#include <Windows.h>
#include <winternl.h>
using namespace std;
typedef NTSTATUS(NTAPI *pdef_NtRaiseHardError)(NTSTATUS ErrorStatus, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask OPTIONAL, PULONG_PTR Parameters, ULONG ResponseOption, PULONG Response);
typedef NTSTATUS(NTAPI *pdef_RtlAdjustPrivilege)(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled);
int main()
{
BOOLEAN bEnabled;
ULONG uResp;
LPVOID lpFuncAddress = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege");
LPVOID lpFuncAddress2 = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtRaiseHardError");
pdef_RtlAdjustPrivilege NtCall = (pdef_RtlAdjustPrivilege)lpFuncAddress;
pdef_NtRaiseHardError NtCall2 = (pdef_NtRaiseHardError)lpFuncAddress2;
NTSTATUS NtRet = NtCall(19, TRUE, FALSE, &bEnabled);
NtCall2(STATUS_FLOAT_MULTIPLE_FAULTS, 0, 0, 0, 6, &uResp);
return 0;
}
回答4:
The approach other than bugs is resource exhaustion. An area you could investigate would be to consume all CPU on the machine (run as many threads as you have cores at a real time priority level), and consume a kernel resource and depend on the real-time priority to stop the kernel from cleaning up.
Not sure what a good resource would be though. Lots of outstanding async operations against a device that can't get CPU to clean up? You could at least experiment in that direction.
回答5:
If the operating system has no bugs in it, then it should be impossible to BSOD a machine from user space. At worst, it should just crash the offending application.
However, nothing is perfect. There are bugs in every operating system and every operating system has had bugs which cause a BSOD (or an OOPS as Linux does, or however else a given OS chooses to report an irrecoverable error) that is exploitable from user space.
As far as specifics, it really depends on the nature of the bug. There is no generic answer beyond "yes, it's possible".
For more details, you should look more into OS design, and how paging, ring levels and other techniques can be used to separate processes from each other and kernel space.
回答6:
Well, BSODs are from unrecoverable errors that happen in kernel mode; there is no way to cause that to happen without triggering a kernel error somehow. In general, if you wanted to do it, you would have to find a flaw in a driver [edit: or as a commenter pointed out, a system call] and exploit that.
Or, you could do what this app does: http://www.nirsoft.net/utils/start_blue_screen.html . Just write your own driver to crash the system any way you want to. :)
The Wikipedia page had some interesting information so I include it for reference: http://en.wikipedia.org/wiki/Blue_Screen_of_Death .
回答7:
You can force a system crash with the keyboard. Your title talks about user mode, I am not sure whether this qualifies as user mode, yet it might be useful.
回答8:
Two ways without using drivers:
- Using the undocumented function NtRaiseHardError as someone pointed out
- Setting a critical process with the undocumented function RtlSetProcessIsCritical then terminating it. Requires the SE_DEBUG_NAME privilege. http://www.codeproject.com/Articles/43405/Protecting-Your-Process-with-RtlSetProcessIsCriti
回答9:
I found at this link a code that generates a bsod : https://www.mpgh.net/forum/showthread.php?t=1100477
And here's the code (I tried it and it works, you just need to call the BlueScreen() function)
#include <windows.h>
#pragma comment(lib, "ntdll.lib")
extern "C" NTSTATUS NTAPI RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN OldValue);
extern "C" NTSTATUS NTAPI NtRaiseHardError(LONG ErrorStatus, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask,
PULONG_PTR Parameters, ULONG ValidResponseOptions, PULONG Response);
void BlueScreen()
{
BOOLEAN bl;
ULONG Response;
RtlAdjustPrivilege(19, TRUE, FALSE, &bl); // Enable SeShutdownPrivilege
NtRaiseHardError(STATUS_ASSERTION_FAILURE, 0, 0, NULL, 6, &Response); // Shutdown
}