CVE-2025-1533
A stack-based buffer overflow vulnerability exists in the AsIO3.sys kernel driver of Asus Armoury Crate 5.9.13.0. A specially crafted I/O request packet (IRP) can lead to stack-based buffer overflow. An unprivileged attacker can run a program from user mode to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Asus Armoury Crate 5.9.13.0
AI suite 3 ver 1.0.0.0
AsIO3 Driver 1.02.30
Armoury Crate - https://rog.asus.com/us/content/armoury-crate/
8.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-121 - Stack-based Buffer Overflow
Armoury Crate is a centralized software application developed by ASUS, designed to manage and customize the settings of ASUS hardware components and peripherals. It provides users with a unified interface to control various features, such as RGB lighting, system performance, fan speeds, and device configurations.
AsIO3.sys driver creates a device called Asusgio3. When we use accesschk tool to check which users have the authority to interact with this driver, even as an Administrator (integrity level High) we get the following respose:
accesschk.exe -o \Device\Asusgio3
\Device\Asusgio3
Error getting security:
Access is denied.
No matching objects found.
Reversing IRP_MJ_CREATE handler of AsIO3.sys we can learn that Asus developers have decided to implement their own mechanism to allow or restrict communication with this driver.
Please keep in mind that further code address are related to the following image base address:
Python>idaapi.get_imagebase()
0x140000000
When we try to obtain a handle to \Device\Asusgio3 there is a check to determine whether the application attempting this action has the proper SHA-256 image hash or if its process ID is on the allowed list.
Function responsible for checking whether an app obtaining a handle has the proper SHA256 hash is one visible below:
Line 1 bool sub_140002EF4() // Is AsusCertService.exe trying to obtain a handle ?
Line 2 {
Line 3 bool result; // bl
Line 4 _UNICODE_STRING *PoolWithTag; // rax
Line 5 _UNICODE_STRING *win32ImagePath; // r15
Line 6 void *fileContent; // rax
Line 7 void *v4; // r12
Line 8 __int64 blockSize; // rdi
Line 9 __int64 _fileSize; // rsi
Line 10 char *ptrFileContent; // r14
Line 11 char NumberOfBytes[20]; // [rsp+34h] [rbp-F4h] BYREF
Line 12 UNICODE_STRING ntImagePath; // [rsp+38h] [rbp-F0h] SPLIT BYREF
Line 13 __int64 fileSize; // [rsp+48h] [rbp-E0h] BYREF
Line 14 __int64 v12; // [rsp+50h] [rbp-D8h]
Line 15 char *v13; // [rsp+58h] [rbp-D0h]
Line 16 __int64 v14; // [rsp+60h] [rbp-C8h]
Line 17 _UNICODE_STRING *v15; // [rsp+68h] [rbp-C0h]
Line 18 int sha_ctx[28]; // [rsp+70h] [rbp-B8h] BYREF
Line 19 char calculatedSHA256[32]; // [rsp+E0h] [rbp-48h] BYREF
Line 20
Line 21
Line 22 if ( pZwQueryInformationProcess(
Line 23 (HANDLE)0xFFFFFFFFFFFFFFFFLL,
Line 24 ProcessImageFileNameWin32,
Line 25 0LL,
Line 26 0,
Line 27 (PULONG)NumberOfBytes) == 0xC0000004 )
Line 28 {
Line 29 win32ImagePath = (_UNICODE_STRING *)ExAllocatePoolWithTag(PagedPool, *(unsigned int *)NumberOfBytes, 'pPR');
Line 30 if ( win32ImagePath )
Line 31 {
Line 32 memset(PoolWithTag, 0, *(unsigned int *)NumberOfBytes);
Line 33 pZwQueryInformationProcess(
Line 34 (HANDLE)-1LL,
Line 35 ProcessImageFileNameWin32,
Line 36 win32ImagePath,
Line 37 *(unsigned int *)NumberOfBytes,
Line 38 0LL);
Line 39
Line 40 if ( (int)Win32PathToNtPath(win32ImagePath, &ntImagePath) >= 0 )
Line 41 {
Line 42 fileContent = GetFileContent(&ntImagePath, &fileSize);
Line 44 if ( fileContent )
Line 45 {
Line 46 blockSize = 64LL;
Line 47 v12 = 64LL;
Line 48 _fileSize = fileSize;
Line 49 v14 = fileSize;
Line 50 ptrFileContent = (char *)fileContent;
Line 51 v13 = (char *)fileContent;
Line 52 Z_SHA256_Init((SHA256_CTX *)sha_ctx);
Line 53 if ( _fileSize < 64 )
Line 54 blockSize = _fileSize;
Line 55 v12 = blockSize;
Line 56 while ( _fileSize > 0 )
Line 57 {
Line 58 if ( _fileSize - blockSize < 0 )
Line 59 blockSize = _fileSize;
Line 60 v12 = blockSize;
Line 61 Util::AES_Block_encrypt(sha_ctx, ptrFileContent, blockSize);
Line 62 ptrFileContent += blockSize;
Line 63 v13 = ptrFileContent;
Line 64 _fileSize -= blockSize;
Line 65 v14 = _fileSize;
Line 66 }
Line 67 SHA_Final(sha_ctx, calculatedSHA256);
Line 68 result = memcmp(calculatedSHA256, &g_sha256Hash, 0x20uLL) == 0;
Line 69 ExFreePoolWithTag(fileContent, 0x705052u);
Line 70 }
Line 71 }
Line 72 RtlFreeUnicodeString(&ntImagePath);
Line 73 ExFreePoolWithTag(win32ImagePath, 0);
Line 74 }
Line 75 }
Line 76 return result;
Line 77 }
When we dump hash from global variable g_sha256Hash visible at line 68 it looks in the following way:
Python>binascii.b2a_hex(idc.get_bytes(0x0000000140009150,32))
b'c5c176fc0cbf4cc4e37c84b6237392b8bea58dbccf5fbbc902819dfc72ca9efa'
Calculating SHA256 hash for AsusCertService.exe we see that it is the same hash:
PS C:\Users\icewall> Get-FileHash -Path "C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe" -Algorithm SHA256
Algorithm Hash Path
--------- ---- ----
SHA256 C5C176FC0CBF4CC4E37C84B6237392B8BEA58DBCCF5FBBC902819DFC72CA9EFA C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe
So, only AsusCertService.exe service and also processes which PIDs are added by it on allowed list are able to obtain a handle to Asusgio3 device. In other way we get the status Access is denied.
But before we obtain a handle, there is a function responsible of converting application image path from Win32 Path to NT Namespace Path.
In example:
C:\TestApp.exe
to
\Device\HarddiskVolume3\TestApp.exe
To do this first there is a call to pZwQueryInformationProcess in line 33 to obtain a Win32 Image Path of the application which is trying to obtain a handle to the device and later converted in function called by me Win32PathToNtPath in line 40 into NT Namespace Path.
Function address: 00000001400037B0
Line 100 __int64 __fastcall Win32PathToNtPath(_UNICODE_STRING *win32ImagePath, struct _UNICODE_STRING *outNtImagePath)
Line 101 {
Line 102 int backslashPos; // ebx
Line 103 PWSTR inBuffer; // rdx
Line 104 WCHAR v6; // ax
Line 105 __int64 i; // rcx
Line 106 __int64 inBufferLen; // rdi
Line 107 NTSTATUS status; // ebx
Line 108 PWSTR Buffer; // rcx
Line 109 signed __int64 v11; // rdx
Line 110 WCHAR v12; // ax
Line 111 WCHAR *ptrImagePath; // r9
Line 112 WCHAR *_hardDriveWithImagePath; // rdx
Line 113 __int64 idx; // r8
Line 114 WCHAR v16; // ax
Line 115 void *LinkHandle; // [rsp+20h] [rbp-E0h] BYREF
Line 116 struct _UNICODE_STRING LinkTarget; // [rsp+28h] [rbp-D8h] BYREF
Line 117 ULONG ReturnedLength; // [rsp+38h] [rbp-C8h] BYREF
Line 118 struct _UNICODE_STRING DestinationString; // [rsp+40h] [rbp-C0h] BYREF
Line 119 UNICODE_STRING tmpString; // [rsp+50h] [rbp-B0h] BYREF
Line 120 struct _OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+60h] [rbp-A0h] BYREF
Line 121 WCHAR partition[32]; // [rsp+90h] [rbp-70h] BYREF
Line 122 WCHAR ntImagePath[255]; // [rsp+D0h] [rbp-30h] BYREF
Line 123
Line 124 backslashPos = 0;
Line 125 memset(partition, 0, sizeof(partition));
Line 126 inBuffer = win32ImagePath->Buffer; // e.g: C:\AAAAAAAAA......\AAAAAAAAAAA....\TestApp.exe
Line 127 wcscpy(partition, L"\\??\\");
Line 128 v6 = *inBuffer;
Line 129 if ( *inBuffer != '\\' )
Line 130 {
Line 131 i = 0LL;
Line 132 do
Line 133 {
Line 134 if ( !v6 )
Line 135 break;
Line 136 ++i;
Line 137 ++backslashPos;
Line 138 v6 = inBuffer[i];
Line 139 }
Line 140 while ( v6 != '\\' );
Line 141 }
Line 142
Line 143 memmove(&partition[4], inBuffer, backslashPos * 2);
Line 144 RtlInitUnicodeString(&DestinationString, partition);
Line 145 ObjectAttributes.Length = 48;
Line 146 ObjectAttributes.ObjectName = &DestinationString;
Line 147 ObjectAttributes.RootDirectory = 0LL;
Line 148 ObjectAttributes.Attributes = 64;
Line 149 ObjectAttributes.SecurityDescriptor = 0LL;
Line 150
Line 151 status = ZwOpenSymbolicLinkObject(&LinkHandle, 0x80000000, &ObjectAttributes);
Line 152 if ( status >= 0 )
Line 153 {
Line 154 LinkTarget.Buffer = (PWSTR)ExAllocatePoolWithTag(PagedPool, 0xFFuLL, 0x705052u);
Line 155 status = ZwQuerySymbolicLinkObject(LinkHandle, &LinkTarget, &ReturnedLength);
Line 156 ZwClose(LinkHandle);
Line 157
Line 158 memset(ntImagePath, 0, sizeof(ntImagePath));
Line 159 memcpy(ntImagePath, LinkTarget.Buffer , LinkTarget.Length) // where LinkTarget.Buffer e.g == \Device\HarddiskVolume3
Line 160
Line 161 ptrWin32ImagePath = &win32ImagePath->Buffer[backslashPos]; // set pointer to the application path without partition letter. e.g: AAAAAAAAA......\AAAAAAAAAAA....\TestApp.exe
Line 162 ptrNtImagePath = ntImagePath;
Line 163 do
Line 164 ++ptrNtImagePath;
Line 165 while ( *ptrNtImagePath ); //set pointer at the end of current string
Line 166 idx = 0LL;
Line 167 do
Line 168 {
Line 169 wcharToCopy = ptrWin32ImagePath[idx];
Line 170 ptrNtImagePath[idx++] = wcharToCopy;
Line 171 }
Line 172 while ( wcharToCopy );
Line 173 RtlInitUnicodeString(&tmpString, (PCWSTR)ntImagePath);
Line 174 RtlCopyUnicodeString(outNtImagePath, &tmpString);
Line 175 RtlFreeUnicodeString(&LinkTarget);
Line 176 }
Line 177 return (unsigned int)status;
Line 178 }
In general, Win32PathToNtPath takes partition letter from win32ImagePath and obtains coresponding NT namespace path using ZwOpenSymbolicLinkObject/ZwQuerySymbolicLinkObject lines 127-155.
Next in loop located in lines 167-172 we can see that rest of the win32ImagePath is copied to the local buffer ntImagePath.
Stack based buffer overflow exist because local array ntImagePath can contains only 255 wchar characters and there is no check in loop located in lines 167-172 whether path to the application included in win32ImagePath variable is longer than 255 characters.
It is a common mistake made by developers who assume that maximum path length on Windows is 255 characters. It is NOT.
We can read in the documentation the following sentence: https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=registry
The maximum path of 32,767 characters is approximate, because the "\\?\" prefix may be expanded to a longer string by the system at run time, and this expansion applies to the total length.
Using \\?\ prefix we can create paths longer than 255 characters.
I wrote more about this in 2010 in paper called Windows LongPaths extended-length path.pdf
Going back to our function we can calculate manualy real size of ntImagePath local buffer avoiding in the same way mistakes made by decompiler: We can substract from location of magic cookie begining address of ntImagePath stored on the stack:
rbp-30 - ffff938a`6fcce990 - ntImagePath == "\Device\HarddiskVolume3"
rbp+1D0h ffff938a`6fcceb90 - ffff960b`cca716b1 == magic cookie
Space to magic_cookie from beginning of ntImagePath
18: kd> ?ffff938a`6fcceb90-ffff938a`6fcce990
Evaluate expression: 512 = 00000000`00000200
So indeed, this buffer won’t fit more than 255 characters.
Knowing all those facts, we can see here classic stack based buffer overflow which can be triggered by an attacker by creating path longer than 255 characters, copy there executable file which later will try to open a handle to Asusgio3 device from that location.
Attacker to turn this vulnerability into kernel level arbitrary code execution will need to bypass security cookie mitigation.
Proof-of-Concept code has been shared with the vendor.
Stack before get overwritten
fffff807`66943926 4533c0 xor r8d,r8d
18: kd> kb
# RetAddr : Args to Child : Call Site
00 fffff807`66943021 : 00000000`00000000 ffff9888`b4ab586c 00000000`00000000 00000000`00000001 : AsIO3+0x3926
01 fffff807`66942596 : ffff9888`c152ad00 00000000`c0000002 ffff9888`c152ae50 00000000`00000001 : AsIO3+0x3021
02 fffff807`622650d5 : 00000000`00000000 fffff807`62261993 00000000`00000000 ffff9888`e3ab7e98 : AsIO3+0x2596
03 fffff807`626becb3 : 00000000`00000000 ffff938a`6fccf0d0 ffff9888`e3ab7e98 ffff9888`c152ad00 : nt!IofCallDriver+0x55
04 fffff807`626cac24 : fffff807`626bd700 fffff807`626bd700 ffff9888`b4941a00 ffff938a`6fccf1f0 : nt!IopParseDevice+0x15b3
05 fffff807`626c95d2 : ffff9888`e30d9a01 ffff938a`6fccf1f0 00000000`00000040 ffff9888`b4ab5820 : nt!ObpLookupObjectName+0x1104
06 fffff807`626ace47 : ffff9249`00000000 ffff9888`dbf27a20 00000098`c0f6f980 00000000`00000001 : nt!ObOpenObjectByNameEx+0x1f2
07 fffff807`626ac319 : 00000098`c0f6f920 00000000`c0100080 00000098`c0f6f980 00000098`c0f6f928 : nt!IopCreateFile+0xb17
08 fffff807`6242a508 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x79
09 00007ffd`68ff0e44 : 00007ffd`6671a650 00000000`00000000 00000000`00000000 00000000`00000360 : nt!KiSystemServiceCopyEnd+0x28
0a 00007ffd`6671a650 : 00000000`00000000 00000000`00000000 00000000`00000360 00000000`00000000 : ntdll!NtCreateFile+0x14
0b 00007ffd`66719fbc : 00007ff6`af8311ae b2200007`ff69d4f0 a8c00000`00032cc1 00000000`00000000 : KERNELBASE!CreateFileInternal+0x590
0c 00007ff6`af835925 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!CreateFileW+0x7c
0d 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00410041`00000003 : 0x00007ff6`af835925
Bug triggered
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff807`6241f2f0 cc int 3
18: kd> !analyze -v
Connected to Windows 10 22621 x64 target at (Thu Jan 23 21:09:08.278 2025 (UTC + 1:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.............................................
Loading User Symbols
.........
Loading unloaded module list
...........
************* Symbol Loading Error Summary **************
Module name Error
SharedUserData No error - symbol load deferred
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and BugCheck call is the one that overran its local
variable(s).
Arguments:
Arg1: ffbe93cb6f8de881, Actual security check cookie from the stack
Arg2: 00000581a36bfe71, Expected security check cookie
Arg3: fffffa7e5c94018e, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
Unable to load image \??\C:\Windows\system32\drivers\AsIO3.sys, Win32 error 0n2
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4468
Key : Analysis.Elapsed.mSec
Value: 7908
Key : Analysis.IO.Other.Mb
Value: 103
Key : Analysis.IO.Read.Mb
Value: 8
Key : Analysis.IO.Write.Mb
Value: 212
Key : Analysis.Init.CPU.mSec
Value: 119062
Key : Analysis.Init.Elapsed.mSec
Value: 14902895
Key : Analysis.Memory.CommitPeak.Mb
Value: 711
Key : Analysis.Version.DbgEng
Value: 10.0.27725.1000
Key : Analysis.Version.Description
Value: 10.2408.27.01 amd64fre
Key : Analysis.Version.Ext
Value: 1.2408.27.1
Key : Bugcheck.Code.KiBugCheckData
Value: 0xf7
Key : Bugcheck.Code.LegacyAPI
Value: 0xf7
Key : Bugcheck.Code.TargetModel
Value: 0xf7
Key : Failure.Bucket
Value: 0xF7_MISSING_GSFRAME_AsIO3!unknown_function
Key : Failure.Hash
Value: {68c21115-0ca3-f8a6-af3e-515cd49c9679}
Key : Hypervisor.Enlightenments.ValueHex
Value: 1497cf94
Key : Hypervisor.Flags.AnyHypervisorPresent
Value: 1
Key : Hypervisor.Flags.ApicEnlightened
Value: 1
Key : Hypervisor.Flags.ApicVirtualizationAvailable
Value: 0
Key : Hypervisor.Flags.AsyncMemoryHint
Value: 0
Key : Hypervisor.Flags.CoreSchedulerRequested
Value: 0
Key : Hypervisor.Flags.CpuManager
Value: 1
Key : Hypervisor.Flags.DeprecateAutoEoi
Value: 0
Key : Hypervisor.Flags.DynamicCpuDisabled
Value: 1
Key : Hypervisor.Flags.Epf
Value: 0
Key : Hypervisor.Flags.ExtendedProcessorMasks
Value: 1
Key : Hypervisor.Flags.HardwareMbecAvailable
Value: 1
Key : Hypervisor.Flags.MaxBankNumber
Value: 0
Key : Hypervisor.Flags.MemoryZeroingControl
Value: 0
Key : Hypervisor.Flags.NoExtendedRangeFlush
Value: 0
Key : Hypervisor.Flags.NoNonArchCoreSharing
Value: 1
Key : Hypervisor.Flags.Phase0InitDone
Value: 1
Key : Hypervisor.Flags.PowerSchedulerQos
Value: 0
Key : Hypervisor.Flags.RootScheduler
Value: 0
Key : Hypervisor.Flags.SynicAvailable
Value: 1
Key : Hypervisor.Flags.UseQpcBias
Value: 0
Key : Hypervisor.Flags.Value
Value: 4853999
Key : Hypervisor.Flags.ValueHex
Value: 4a10ef
Key : Hypervisor.Flags.VpAssistPage
Value: 1
Key : Hypervisor.Flags.VsmAvailable
Value: 1
Key : Hypervisor.RootFlags.AccessStats
Value: 1
Key : Hypervisor.RootFlags.CrashdumpEnlightened
Value: 1
Key : Hypervisor.RootFlags.CreateVirtualProcessor
Value: 1
Key : Hypervisor.RootFlags.DisableHyperthreading
Value: 0
Key : Hypervisor.RootFlags.HostTimelineSync
Value: 1
Key : Hypervisor.RootFlags.HypervisorDebuggingEnabled
Value: 0
Key : Hypervisor.RootFlags.IsHyperV
Value: 1
Key : Hypervisor.RootFlags.LivedumpEnlightened
Value: 1
Key : Hypervisor.RootFlags.MapDeviceInterrupt
Value: 1
Key : Hypervisor.RootFlags.MceEnlightened
Value: 1
Key : Hypervisor.RootFlags.Nested
Value: 0
Key : Hypervisor.RootFlags.StartLogicalProcessor
Value: 1
Key : Hypervisor.RootFlags.Value
Value: 1015
Key : Hypervisor.RootFlags.ValueHex
Value: 3f7
Key : SecureKernel.HalpHvciEnabled
Value: 0
Key : WER.OS.Branch
Value: ni_release
Key : WER.OS.Version
Value: 10.0.22621.1
BUGCHECK_CODE: f7
BUGCHECK_P1: ffbe93cb6f8de881
BUGCHECK_P2: 581a36bfe71
BUGCHECK_P3: fffffa7e5c94018e
BUGCHECK_P4: 0
FAULTING_THREAD: ffff9888e33f2080
SECURITY_COOKIE: Expected 00000581a36bfe71 found ffbe93cb6f8de881
PROCESS_NAME: TestCon.exe
SYMBOL_NAME: AsIO3+6f97
MODULE_NAME: AsIO3
IMAGE_NAME: AsIO3.sys
STACK_COMMAND: .process /r /p 0xffff9888e32f00c0; .thread 0xffff9888e33f2080 ; kb
BUCKET_ID_FUNC_OFFSET: 6f97
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_AsIO3!unknown_function
OS_VERSION: 10.0.22621.1
BUILDLAB_STR: ni_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {68c21115-0ca3-f8a6-af3e-515cd49c9679}
Followup: MachineOwner
---------
magic_cookie value check:
18: kd> dq ffff938a`6fcceb90 L1
ffff938a`6fcceb90 00410041`00410041
Last 20 frames
18: kd> kb 20
# RetAddr : Args to Child : Call Site
00 fffff807`62566c12 : ffff938a`6fcccf40 fffff807`622a9f60 ffff8181`38f51180 ffbe93cb`6f8de801 : nt!DbgBreakPointWithStatus
01 fffff807`625662d3 : ffff8181`00000003 ffff938a`6fcccf40 fffff807`6242ef20 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
02 fffff807`62415017 : 00000000`000000ee fffff807`623c26fb ffff938a`6fcce648 00000000`00000001 : nt!KeBugCheck2+0xba3
03 fffff807`66946f97 : 00000000`000000f7 ffbe93cb`6f8de881 00000581`a36bfe71 fffffa7e`5c94018e : nt!KeBugCheckEx+0x107
04 fffff807`66947032 : ffff938a`6fccd6d8 ffff938a`6fccdce0 00000000`6fccde60 ffff938a`6fccdc68 : AsIO3+0x6f97
05 fffff807`66946fcb : fffff807`00000000 fffff807`6222e158 fffff807`66946fb8 00000000`00000000 : AsIO3+0x7032
06 fffff807`624205b2 : ffff938a`6fccde60 ffff938a`6fccd720 fffff807`66940000 fffff807`66943958 : AsIO3+0x6fcb
07 fffff807`6222cc93 : ffff938a`6fcce890 ffff938a`6fcce648 fffff807`66943958 fffff807`6694a0b4 : nt!RtlpExecuteHandlerForException+0x12
08 fffff807`6231817e : ffffffff`ffffffff ffff938a`6fcce6f0 ffff938a`6fcce6f0 ffff938a`6fccde60 : nt!RtlDispatchException+0x2f3
09 fffff807`6242af7c : ffffd203`b9792f70 ffff938a`6fccec08 00000000`00000000 00000000`00000004 : nt!KiDispatchException+0x1ae
0a fffff807`62425dd8 : 00000000`00ff0000 ffffd203`ee528180 00000000`000000d0 ffffd203`b96b44d0 : nt!KiExceptionDispatch+0x13c
0b fffff807`6242bc67 : fffff807`62261993 00000000`00000010 fffff807`66943929 00000000`00000010 : nt!KiGeneralProtectionFault+0x358
0c fffff807`62261993 : 00000000`00000010 fffff807`66943929 00000000`00000010 00000000`00040244 : nt!memcpy+0xa7
0d fffff807`66943958 : 00000000`00000000 ffffd203`cca31010 00000000`00000000 00000000`00000000 : nt!RtlCopyUnicodeString+0x43
0e 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : AsIO3+0x3958
0f 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
10 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
11 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
12 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
13 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
14 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
15 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
16 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
17 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
18 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
19 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
1a 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
1b 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
1c 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
1d 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
1e 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
1f 00410041`00410041 : 00410041`00410041 00410041`00410041 00410041`00410041 00410041`00410041 : 0x00410041`00410041
2025-02-06 - Vendor Disclosure
2025-05-12 - Vendor Patch Release
2025-06-16 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.