From 6b9bfe03e9fb8073441f6afb0a033892a075eeba Mon Sep 17 00:00:00 2001 From: xerox Date: Tue, 21 Apr 2020 18:25:07 +0000 Subject: [PATCH] Update README.md --- README.md | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7642d16..f59ec6b 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Before I begin, those who helped me create this project shall be credited. -- Can1357, for helping me find the correct page in physical memory. +- [Can1357](https://blog.can.ac), for helping me find the correct page in physical memory. - buck, for teaching me everything about paging tables. (although not used in this project) - Ch40zz, for helping me fix many issues in things I could never have fixed. - wlan, I used your drv_image class :) @@ -164,3 +164,28 @@ NTSTATUS DriverEntry(PVOID lpBaseAddress, DWORD32 dwSize) } ``` + +# System Crash Probability + +I made a small test to see the average amount of times you could hook `NtTraceControl` and call into it before having another thread call into it at the same time or patch guard +detecting you have patched code in ntoskrnl. Here are the results: + +- 6,004 calls +- 2,194 calls +- 6,897 calls +- 679 calls +- 17,159 calls +- 4,140 calls + +`6004 + 2194 + 6897 +679 + 17159 + 4140 = 37073` +`37073 / 6 = 6178.83333333` + +On average one in every 6,178 syscalls will another thread call into the function that is currently hooked. It takes three syscalls to map a driver if you are clearing the pe header. + +`6,178 / 3 = 2059` + +So on average one in every 2,059 drivers mapped you will crash once. + +`2059 / 3 = 686` + +If you were to use physmeme to load your driver three times a day it would take on average 686 days to crash your system. \ No newline at end of file
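Review bot: The first hunk turns only the Can1357 credit into a markdown link, so the credits list is now inconsistent: three entries are plain names and one is linked. Either link the other contributors where a public page exists or keep all four as plain text, and while touching this block consider moving the unchanged "(although not used in this project)" aside into the sentence ("- buck, for teaching me everything about paging tables, although paging tables are not used in this project") so it does not read as a parenthetical about buck.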
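Review bot: The "System Crash Probability" hunk presents "it would take on average 686 days to crash your system" as an expected time to failure, but it is a mean of six samples that range from 679 to 17,159 calls, and the text should say so; with a roughly constant per-call chance of being hit, the chance of a crash in the first few loads is not negligible and a large share of runs will fail well before the mean, so state the spread (or the minimum) next to the average instead of only the 686-day figure. The section also attributes the crash to two different causes ("another thread call into it at the same time or patch guard detecting you have patched code in ntoskrnl") that the test as described does not distinguish; please document the test setup (Windows build, whether the machine was idle or under load, how a "crash" was detected) since the rate of concurrent callers of `NtTraceControl` depends directly on system activity. Smaller points: "6,178 / 3 = 2059" is a rounded result (2059.33) and should be marked as approximate; "patch guard" should be "PatchGuard"; "one in every 6,178 syscalls will another thread call into the function" reads better as "once in every 6,178 syscalls another thread will call into the function"; and the file now ends without a trailing newline (the hunk ends with "\ No newline at end of file"), which the previous version had.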