don't BSOD when KVA shadowing is enabled

dumbasPL · dumbasPL · commit ff6f8f4551c2 · 2024-02-04T20:09:07.000+01:00
diff --git a/src/include/util.h b/src/include/util.h
@@ -15,6 +15,26 @@ typedef struct _STAGE2_LOADER_DATA {
     DWORD loader_pid;
 } STAGE2_LOADER_DATA, *PSTAGE2_LOADER_DATA;
 
+typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION {
+    union {
+        ULONG KvaShadowFlags;
+        struct {
+            ULONG KvaShadowEnabled : 1;
+            ULONG KvaShadowUserGlobal : 1;
+            ULONG KvaShadowPcid : 1;
+            ULONG KvaShadowInvpcid : 1;
+            ULONG KvaShadowRequired : 1; // REDSTONE4
+            ULONG KvaShadowRequiredAvailable : 1;
+            ULONG InvalidPteBit : 6;
+            ULONG L1DataCacheFlushSupported : 1;
+            ULONG L1TerminalFaultMitigationPresent : 1;
+            ULONG Reserved : 18;
+        };
+    };
+} SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION;
+
+constexpr SYSTEM_INFORMATION_CLASS SystemKernelVaShadowInformation = (SYSTEM_INFORMATION_CLASS)196;
+
 extern "C" NTSYSAPI NTSTATUS NTAPI RtlGetVersion(
     _Out_ PRTL_OSVERSIONINFOW lpVersionInformation
 );
@@ -43,6 +63,14 @@ inline bool isHvciEnabled() {
     return false;
 }
 
+inline bool isKVAShadowEnabled() {
+    SYSTEM_KERNEL_VA_SHADOW_INFORMATION kvs = { 0 };
+    if (NT_SUCCESS(NtQuerySystemInformation(SystemKernelVaShadowInformation, &kvs, sizeof(kvs), NULL))) {
+        return kvs.KvaShadowEnabled;
+    }
+    return false;
+}
+
 inline std::wstring get_proces_name(HANDLE process) {
     std::wstring process_name;
     process_name.resize(MAX_PATH);
diff --git a/src/stage1/fumo_preloader.h b/src/stage1/fumo_preloader.h
@@ -9,6 +9,7 @@
 #define ERR_STAGE1_FAILED_TO_GET_DEBUG_PRIVILEGES 3
 #define ERR_STAGE1_UNSUPPORTED_OS 50
 #define ERR_STAGE1_HVCI_ENABLED 51
+#define ERR_STAGE1_KVA_SHADOW_ENABLED 52
 #define ERR_STAGE1_FAILED_TO_MAP_DRIVER 100
 #define ERR_STAGE1_FAILED_TO_OPEN_DRIVER 101
 #define ERR_STAGE1_FAILED_TO_GET_DRIVER_VERSION 102
diff --git a/src/stage1/stage1.cpp b/src/stage1/stage1.cpp
@@ -81,6 +81,9 @@ int main(PFUMO_EMBEDDED_DATA embedded_data) {
     if (isHvciEnabled())
         return fumo::error(ERR_STAGE1_HVCI_ENABLED, L"HyperVisor Code Integrity (HVCI) is enabled, please disable it and try again");
     
+    if (isKVAShadowEnabled())
+        return fumo::error(ERR_STAGE1_KVA_SHADOW_ENABLED, L"Kernel Virtual Address Shadow (KVAS) is enabled, please disable it and try again");
+
     if(!get_debug_privileges())
         return fumo::error(ERR_STAGE1_FAILED_TO_GET_DEBUG_PRIVILEGES, L"Failed to get debug privileges");
 
