CVE-2022-21910 and CVE-2022-21879 进攻IOCTL

说明

今年一月份微软修补了关于我的一个漏洞报告的问题并分配CVE-2022-21910与CVE-2022-21879，该报告总共报送了四个问题同时MSRC也为此分配了四个案例，其中两处越界读取被认为两个信息泄露漏洞，两处空指针的问题没有被认。

报告以及poc可以在这里找到
https://github.com/tianlinlintian/Report-vulnerabilities/tree/main/21910%20or%2021879

如果你看完我的报告，可能会惊讶：漏洞如此简单，竟然没有人报告过，这可能是由于clusport.sys没有被人发掘过而导致的，下图中可以看到此漏洞影响范围非常少，所以我就是来分享怎么是想到看clusport.sys的。

挖掘过程

如果你了解过驱动开发，相信对符号链接并不陌生，一般来说，它通过IoCreateSymbolicLink调用创建，遍历SymbolicLink这些并不难，只需要调用QueryDosDevice即可。

不仅仅只有符号链接可以打开后调用DeviceIoControl来进入驱动的IRP_MJ_DEVICE_CONTROL例程，还有设备名本身可以，因为设备本身也是一个对象，它可以被如ObSetSecurityObjectByPointer之类的函数设置安全描述符，如果该安全描述符被user可以打开，那么它就值得一看,这么一个例子是CNG

下面是获得这些能打开的符号链接以及设备名的代码（以当前进程权限）

//目的：获得当前进程所有可以打开的驱动设备名以及设备连接

//要查看名字所在的驱动可在DeviceIoControl调用之前设置了一个 __debugbreak()断点
//还需要设置cpu为单核，命中 __debugbreak()断点后继续对bp nt!IofCallDriver下断点然后按g放行
//nt!IofCallDriver断下后，一直按t单步跟，跟不了多久就会进入目标驱动的ioctl派遣函数（也就是nt!guard_dispatch_icall消失的时候）,此时如果没有符号可通过基地址对比查看对应驱动

//因为还有部分驱动在IRP_MJ_CREATE派遣函数中也就是在打开设备时进行了了判断,比如WS2IFSL.sys(一个例子是CVE-2019-1215)
//所以为了包含所有可能的结果即使在打开设备时出错但只要不是拒绝访问或者没有设置IRP_MJ_CREATE,设备无效那么就打印错误值 以及设备名，这种情况需要自己去驱动的IRP_MJ_CREATE分析

//关于ioctl定位通过对IofCompleteRequest交叉引用即可

//由于只是获得通信名字，进一步发送ioctl需要拥有权限(https://docs.microsoft.com/en-us/windows-hardware/drivers/storage/acls-and-the-device-stack)
//如果以成功发送ioctl为目的，从方便角度上看，MAXIMUM_ALLOWED改为GENERIC_WRITE | MAXIMUM_ALLOWED是更好的选择

//以管理员权限运行


#include "windows.h"
#include "stdio.h"

#pragma comment(lib,"ntdll.lib")
#pragma warning(disable:4996)
#define STATUS_BUFFER_TOO_SMALL 0xC0000023
#define STATUS_NO_MORE_ENTRIES 0x8000001A


typedef struct _UNICODE_STRING
{
	unsigned short Length;
	unsigned short MaxLength;
	unsigned long Pad;
	wchar_t* Buffer;
}UNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES {
	ULONGLONG           Length;
	HANDLE          RootDirectory;
	_UNICODE_STRING* ObjectName;
	ULONGLONG           Attributes;
	PVOID           SecurityDescriptor;
	PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES;



extern "C"
{
	int __stdcall ZwOpenDirectoryObject(HANDLE*, int DesiredAccess, _OBJECT_ATTRIBUTES*);
	int __stdcall ZwQueryDirectoryObject(HANDLE, void* Buffer, unsigned long BufferSize, BOOL ReturnSingleEntry, BOOL RestartScan, unsigned long* pContext, unsigned long* pReturnLength);
	int __stdcall ZwOpenSymbolicLinkObject(HANDLE* LinkHandle, int DesiredAccess, _OBJECT_ATTRIBUTES* ObjectAttributes);
	int __stdcall ZwQuerySymbolicLinkObject(HANDLE LinkHandle, _UNICODE_STRING* LinkTarget, unsigned long* ReturnedLength);

	int __stdcall ZwQueryObject(HANDLE, unsigned long Class, void* Buffer, unsigned long BufferSize, unsigned long* pReturnedLength);
	int __stdcall ZwClose(HANDLE);
}

wchar_t* Print_Level(int lvl)
{
	if (!lvl) return (WCHAR*)L"";
	else if (lvl == 1) return (WCHAR*)L"=>";
	else if (lvl == 2) return (WCHAR*)L"==>";

	wchar_t X = '=';

	wchar_t* p = (wchar_t*)LocalAlloc(LMEM_ZEROINIT, (lvl * 2) + 2 + 2); //Never freed, fix later

	int lvl_x = lvl, i = 0;

	while (lvl_x--) p[i++] = X;
	p[i] = '>';
	return p;
}

BOOL ShouldConcat(wchar_t* pStr)
{
	if (!pStr) return FALSE;
	unsigned long Len = wcslen(pStr);
	if (Len)
	{
		if (pStr[Len - 1] == '\\') return FALSE;
	}

	return TRUE;
}
wchar_t Dir_S2[0X1000];

HANDLE hToken;
wchar_t* Dir_S3;
wchar_t* Buffer2 = 0;
INT i = 1;
int z = 0;
int Recur(HANDLE hDirectory, wchar_t* DirName)
{
	unsigned long BufSize = 0;
	void* Buffer = 0;
	unsigned long Context = 0;
	WCHAR path[0x1000];
	int ret = 0;

	while (ret >= 0)
	{

		unsigned long ReturnLength = 0;
		ret = ZwQueryDirectoryObject(hDirectory, 0, 0, TRUE, FALSE, &Context, &ReturnLength);
		//	wprintf(L"%s ret: %X, Context: %X, ReturnLength: %X\r\n",Print_Level(LevelX),ret,Context,ReturnLength);




		if (ret == STATUS_BUFFER_TOO_SMALL)
		{
			BufSize = ReturnLength;
			Buffer = LocalAlloc(LMEM_ZEROINIT, BufSize);

			ret = ZwQueryDirectoryObject(hDirectory, Buffer, BufSize, TRUE, FALSE, &Context, &ReturnLength);


			//	wprintf(L"%s ret: %X, Context: %X, ReturnLength: %X\r\n",Print_Level(LevelX),ret,Context,ReturnLength);

			_UNICODE_STRING* pUni = (_UNICODE_STRING*)Buffer;

			char* StartBuffer = (char*)Buffer;
			char* EndBuffer = ((char*)Buffer) + ReturnLength;

			char* Cur = (char*)pUni;

			char* Str1 = (char*)(pUni->Buffer);
			unsigned long Len1 = pUni->MaxLength;


			char* Str2 = (char*)((pUni + 1)->Buffer);
			unsigned long Len2 = (pUni + 1)->MaxLength;

			if ((Cur >= StartBuffer) && (Cur + (sizeof(_UNICODE_STRING) * 2) <= EndBuffer) /*At least two _UNICODE_STRING structures*/
				&&
				(Str1 >= StartBuffer) && (Str1 + Len1 <= EndBuffer)
				&&
				(Str2 >= StartBuffer) && (Str2 + Len2 <= EndBuffer))
			{
				wchar_t* Name = 0, * Type = 0;
				if (pUni->Length != 0 && pUni->MaxLength != 0 && pUni->Buffer != 0) Name = pUni->Buffer;
				pUni++;
				if (pUni->Length != 0 && pUni->MaxLength != 0 && pUni->Buffer != 0) Type = pUni->Buffer;
				wchar_t FullObjName[MAX_PATH + 1] = { 0 };
				if (Name && Type && !_wcsicmp(Type, L"Device"))
				{
					WCHAR dir[0x1000];
					memset(dir, 0, 0X1000);
					wcscat(dir, L"\\\\.\\GLOBALROOT");
					wcscat(dir, Dir_S2);
					wcscat(dir, L"\\");
					wcscat(dir, Name);
					dir[wcslen(dir)] = L'\0';
					//	printf("%S\n", dir);

					if (ImpersonateLoggedOnUser(hToken))
					{
						HANDLE hDriver = CreateFileW(dir, MAXIMUM_ALLOWED, 0, NULL, OPEN_EXISTING, 0, NULL);

						if (hDriver != INVALID_HANDLE_VALUE) {
							printf("%S\n", dir);
						}
						else if (GetLastError() > 5 && GetLastError() != 31)
						{
							printf("%S   需要进一步分析，错误值%d\n", dir, GetLastError());
						}
						RevertToSelf();
					}

					memset(dir, 0, 0X1000);

				}

				if (!_wcsicmp(Type, L"Directory"))
				{
					_UNICODE_STRING UNI_S = { 0 };

					wchar_t* Dir_S = Name;


					UNI_S.Length = wcslen(Dir_S) * 2;
					UNI_S.MaxLength = UNI_S.Length + 2;
					UNI_S.Buffer = Dir_S;

					_OBJECT_ATTRIBUTES ObjAttr_S = { sizeof(ObjAttr_S) };
					ObjAttr_S.RootDirectory = hDirectory;
					ObjAttr_S.ObjectName = &UNI_S;
					ObjAttr_S.Attributes = 0x40;

					HANDLE hDir_S = 0;

					int ret_S = ZwOpenDirectoryObject(&hDir_S, 0x20001, &ObjAttr_S);
					if (ret_S < 0)
					{
					}
					else
					{

						Dir_S3 = Dir_S2;
						z = wcslen(Dir_S2);
						wcscpy(path, Dir_S2);

						wcscat(Dir_S2, L"\\");
						wcscat(Dir_S2, Name);
						Buffer2 = Name;
						//	printf("%S\n", Dir_S2);
						int R = Recur(hDir_S, Dir_S2);
						memset(Dir_S2, 0, 0x1000);
						wcscat(Dir_S2, path);
						memset(path, 0, 0x1000);
						ZwClose(hDir_S);
					}
				}

			}
		}
		else
		{

			wcscpy(Dir_S2, Dir_S3);
			Dir_S2[z] = L'\0';

		}

	}
	return 0;
}
int ShowProcessIntegrityLevel(int pid)
{

	HANDLE hProcess;

	DWORD dwLengthNeeded;
	DWORD dwError = ERROR_SUCCESS;

	PTOKEN_MANDATORY_LABEL pTIL = NULL;
	LPWSTR pStringSid;
	DWORD dwIntegrityLevel;

	if (OpenProcessToken(OpenProcess(MAXIMUM_ALLOWED, 0, pid), MAXIMUM_ALLOWED, &hToken))
	{
		// Get the Integrity level.
		if (!GetTokenInformation(hToken, TokenIntegrityLevel,
			NULL, 0, &dwLengthNeeded))
		{
			dwError = GetLastError();
			if (dwError == ERROR_INSUFFICIENT_BUFFER)
			{
				pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0,
					dwLengthNeeded);
				if (pTIL != NULL)
				{
					if (GetTokenInformation(hToken, TokenIntegrityLevel,
						pTIL, dwLengthNeeded, &dwLengthNeeded))
					{
						dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid,
							(DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));

						if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID)
						{
							// Low Integrity
							//wprintf(L"Low Process");
						}
						else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
							dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
						{
							// Medium Integrity
							//wprintf(L"Medium Process");

							if (ImpersonateLoggedOnUser(hToken))
							{
								RevertToSelf();
								return 1;
							}
						}
						else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
						{
							// High Integrity
							//wprintf(L"High Integrity Process");
						}
					}
					LocalFree(pTIL);
				}
			}
		}
		CloseHandle(hToken);
	}
	return 0;
}


int main()
{
	//获取一个medium进程的token 当调用createfile再模拟
	for (size_t i = 0; i < 12345; i++)
	{
		if (ShowProcessIntegrityLevel(i))
		{
			break;
		}
	}
	_UNICODE_STRING UNI = { 0 };
	wchar_t* Dir = (WCHAR*)L"\\";
	UNI.Length = wcslen(Dir) * 2;
	UNI.MaxLength = UNI.Length + 2;
	UNI.Buffer = Dir;

	_OBJECT_ATTRIBUTES ObjAttr = { sizeof(ObjAttr) };
	ObjAttr.ObjectName = &UNI;
	ObjAttr.Attributes = 0x40;

	HANDLE hDir = 0;
	int ret = ZwOpenDirectoryObject(&hDir, 0x20001, &ObjAttr);
	wprintf(L"ZwOpenDirectoryObject, ret: %X, HANDLE: %X\r\n", ret, hDir);

	if (ret >= 0)
	{
		Recur(hDir, UNI.Buffer);
		ZwClose(hDir);
	}
	char* buf = (char*)malloc(0xffffff);
	char path[MAX_PATH] = { 0 };
	HANDLE hDriver = NULL;
	memset(buf, 0, 0xffffff);

	QueryDosDeviceA(NULL, buf, 0xffffff);
	ImpersonateLoggedOnUser(hToken);
	for (size_t i = 0; i < 0xffffff; i++)
	{
		if (buf[i] == 0 && buf[i + 1] != 0)
		{
			memcpy_s(path, MAX_PATH, "\\\\.\\", MAX_PATH);
			char* test = &buf[i + 1];
			strcat_s(path, test);

			hDriver = CreateFileA(path, MAXIMUM_ALLOWED, 0, NULL, OPEN_EXISTING, 0, NULL);

			if (hDriver != INVALID_HANDLE_VALUE) {
				printf("%s\n", path);
			}
			else if (GetLastError() > 5 && GetLastError() != 31)
			{
				printf("%s   需要进一步分析，错误值%d\n", path, GetLastError());
			}
			memset(path, 0, MAX_PATH);
		}
	}

	RevertToSelf();

	return 0;
}

由于只是获得能通信名字，这些来看IRP_MJ_CREATE的处理倒是可以，而进一步发送ioctl需要拥有对应的权限。(https://docs.microsoft.com/en-us/windows-hardware/drivers/storage/acls-and-the-device-stack)

如果以成功发送ioctl为目的，从方便角度上看，MAXIMUM_ALLOWED改为GENERIC_WRITE | MAXIMUM_ALLOWED是更好的选择。

将MAXIMUM_ALLOWED改为GENERIC_WRITE | MAXIMUM_ALLOWED并在server 2022上运行后，我得到了如下结果(结果不完整，代码在写此文后以改动）

\\.\GLOBALROOT\Device\NDMP2
\\.\GLOBALROOT\Device\0000006a   需要进一步分析，错误值433
\\.\GLOBALROOT\Device\NTPNP_PCI0002
\\.\GLOBALROOT\Device\0000008e
\\.\GLOBALROOT\Device\00000068   需要进一步分析，错误值433
\\.\GLOBALROOT\Device\NDMP4
\\.\GLOBALROOT\Device\0000000f
\\.\GLOBALROOT\Device\MMCSS   需要进一步分析，错误值1168
\\.\GLOBALROOT\Device\USBPDO-1
\\.\GLOBALROOT\Device\00000074
\\.\GLOBALROOT\Device\NTPNP_PCI0005   需要进一步分析，错误值50
\\.\GLOBALROOT\Device\00000084   需要进一步分析，错误值32
\\.\GLOBALROOT\Device\00000070
\\.\GLOBALROOT\Device\0000001b
\\.\GLOBALROOT\Device\00000094
\\.\GLOBALROOT\Device\00000005
\\.\GLOBALROOT\Device\ahcache
\\.\GLOBALROOT\Device\00000015
\\.\GLOBALROOT\Device\NDMP10
\\.\GLOBALROOT\Device\NDMP9
\\.\GLOBALROOT\Device\PEAuth
\\.\GLOBALROOT\Device\NDMP11
\\.\GLOBALROOT\Device\0000006f   需要进一步分析，错误值433
\\.\GLOBALROOT\Device\WMIDataDevice
\\.\GLOBALROOT\Device\Spaceport
\\.\GLOBALROOT\Device\0000006b   需要进一步分析，错误值433
\\.\GLOBALROOT\Device\LanmanDatagramReceiver
\\.\GLOBALROOT\Device\0000007b
\\.\GLOBALROOT\Device\VMCIGuestDev   需要进一步分析，错误值50
\\.\GLOBALROOT\Device\ConDrv   需要进一步分析，错误值1168
\\.\GLOBALROOT\Device\USBPDO-2
\\.\GLOBALROOT\Device\USBFDO-0
\\.\GLOBALROOT\Device\Null
\\.\GLOBALROOT\Device\00000085   需要进一步分析，错误值32
\\.\GLOBALROOT\Device\NamedPipe
\\.\GLOBALROOT\Device\NTPNP_PCI0040
\\.\GLOBALROOT\Device\00000071
\\.\GLOBALROOT\Device\0000001c
\\.\GLOBALROOT\Device\00000095
\\.\GLOBALROOT\Device\00000081
\\.\GLOBALROOT\Device\NTPNP_PCI0041
\\.\GLOBALROOT\Device\KsecDD
\\.\GLOBALROOT\Device\00000016
\\.\GLOBALROOT\Device\DeviceApi   需要进一步分析，错误值87
\\.\GLOBALROOT\Device\vmmemctl
\\.\GLOBALROOT\Device\NTPNP_PCI0043
\\.\GLOBALROOT\Device\CNG
\\.\GLOBALROOT\Device\00000012   需要进一步分析，错误值433
\\.\GLOBALROOT\Device\lwm   需要进一步分析，错误值123
\\.\GLOBALROOT\Device\NTPNP_PCI0044
\\.\GLOBALROOT\Device\NTPNP_PCI0045
\\.\GLOBALROOT\Device\0000006c   需要进一步分析，错误值433
\\.\GLOBALROOT\Device\0000007c
\\.\GLOBALROOT\Device\USBPDO-3
\\.\GLOBALROOT\Device\USBFDO-1
\\.\GLOBALROOT\Device\00000086
\\.\GLOBALROOT\Device\Mailslot
\\.\GLOBALROOT\Device\00000072   需要进一步分析，错误值433
\\.\GLOBALROOT\Device\0000001d
\\.\GLOBALROOT\Device\RasAcd
\\.\GLOBALROOT\Device\Tdx
\\.\GLOBALROOT\Device\00000007
\\.\GLOBALROOT\Device\PointerClass0
\\.\GLOBALROOT\Device\WindowsTrustedRT
\\.\GLOBALROOT\Device\00000017
\\.\GLOBALROOT\Device\PointerClass1   需要进一步分析，错误值32
\\.\GLOBALROOT\Device\00000027
\\.\GLOBALROOT\Device\PointerClass2   需要进一步分析，错误值32
\\.\GLOBALROOT\Device\RdpBus
\\.\GLOBALROOT\Device\0000006d   需要进一步分析，错误值433
\\.\GLOBALROOT\Device\VmSwitchInternal   需要进一步分析，错误值50
\\.\GLOBALROOT\Device\AppidEDPPlugin
\\.\GLOBALROOT\Device\USBFDO-2
\\.\GLOBALROOT\Device\KeyboardClass0
\\.\GLOBALROOT\Device\MQAC
\\.\GLOBALROOT\Device\USBPDO-0
\\.\GLOBALROOT\Device\CLUSPORT
\\.\GLOBALROOT\Device\0000001e
\\.\GLOBALROOT\Device\0000001a
\\.\GLOBALROOT\Device\00000093
\\.\GLOBALROOT\Device\ClusDisk
\\.\GLOBALROOT\Device\Netbios
\\.\GLOBALROOT\Device\00000018
\\.\GLOBALROOT\Device\Afd
\\.\GLOBALROOT\Device\NameResTrk   需要进一步分析，错误值87
\\.\GLOBALROOT\Device\NDMP1
\\.\GLOBALROOT\Device\WS2IFSL   需要进一步分析，错误值87
\\.\GLOBALROOT\Device\0000006e
\\.\VDRVROOT
\\.\ROOT#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}
\\.\USB#VID_0E0F&PID_0003#6&30c5d09c&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
\\.\ACPI#AuthenticAMD_-_AMD64_Family_23_Model_96_-_AMD_Ryzen_7_4800H_with_Radeon_Graphics_________#_2#{dbe4373d-3c81-40cb-ace4-e0e5d05f0c9f}
\\.\ACPI#AuthenticAMD_-_AMD64_Family_23_Model_96_-_AMD_Ryzen_7_4800H_with_Radeon_Graphics_________#_0#{dbe4373d-3c81-40cb-ace4-e0e5d05f0c9f}
\\.\ROOT#spaceport#0000#{ef66a56f-88d1-4cd8-98c4-49faf57ad8af}
\\.\{08BE4064-D3FA-4495-8582-6E5F82A2501D}
\\.\PCI#VEN_8086&DEV_10D3&SUBSYS_07D015AD&REV_00#000C29FFFF37254900#{cac88484-7515-4c03-82e6-71a87abac361}
\\.\PCI#VEN_8086&DEV_10D3&SUBSYS_07D015AD&REV_00#000C29FFFF37254900#{ad498944-762f-11d0-8dcb-00c04fc3358c}
\\.\USB#ROOT_HUB#5&2891968b&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
\\.\ROOT#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}
\\.\SWD#MSRRAS#MS_NDISWANIPV6#{ad498944-762f-11d0-8dcb-00c04fc3358c}
\\.\DISPLAY#Default_Monitor#4&427137e&0&UID0#{10910c20-0c64-4172-9409-add3064c0cad}
\\.\ahcache
\\.\HID#VID_0E0F&PID_0003&MI_01#8&12a4bdba&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}   需要进一步分析，错误值32
\\.\ACPI#AuthenticAMD_-_AMD64_Family_23_Model_96_-_AMD_Ryzen_7_4800H_with_Radeon_Graphics_________#_2#{97fadb10-4e33-40ae-359c-8bef029dbdd0}
\\.\PEAuth
\\.\SWD#MSRRAS#MS_NDISWANIPV6#{cac88484-7515-4c03-82e6-71a87abac361}
\\.\HCD1
\\.\WMIDataDevice
\\.\Spaceport
\\.\SWD#MSRRAS#MS_AGILEVPNMINIPORT#{cac88484-7515-4c03-82e6-71a87abac361}
\\.\USB#ROOT_HUB20#5&36a4b5d6&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
\\.\{C5E84FD3-7C28-4127-9537-46932AEC7DB5}
\\.\ACPI#AuthenticAMD_-_AMD64_Family_23_Model_96_-_AMD_Ryzen_7_4800H_with_Radeon_Graphics_________#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}
\\.\ACPI#VMW0003#4&1bd7f811&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}
\\.\ACPI#PNP0303#4&1bd7f811&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}
\\.\ROOT#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}
\\.\{FB65BF16-81E0-4A40-9856-6C9342225361}
\\.\ROOT#spaceport#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}
\\.\ROOT#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}
\\.\{33E69CE9-E4B4-4024-82A7-961C99B04B17}
\\.\ROOT#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}
\\.\SWD#MSRRAS#MS_NDISWANIP#{ad498944-762f-11d0-8dcb-00c04fc3358c}
\\.\vmmemctl
\\.\ACPI#AuthenticAMD_-_AMD64_Family_23_Model_96_-_AMD_Ryzen_7_4800H_with_Radeon_Graphics_________#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}
\\.\SWD#MSRRAS#MS_NDISWANBH#{ad498944-762f-11d0-8dcb-00c04fc3358c}
\\.\{CAB6BE80-91EE-4D3A-A11A-E30DC775CEA8}
\\.\HCD2
\\.\SWD#MSRRAS#MS_NDISWANBH#{cac88484-7515-4c03-82e6-71a87abac361}
\\.\ACPI_HAL#PNP0C08#0#{15c5e253-b8c4-452e-99df-461d0f5078c8}
\\.\DISPLAY#Default_Monitor#4&427137e&0&UID0#{e6f07b5f-ee97-4a90-b076-33f57bf4eaa7}
\\.\HID#VID_0E0F&PID_0003&MI_00#8&367bfb7c&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}   需要进一步分析，错误值32
\\.\ROOT#vdrvroot#0000#{2e34d650-5819-42ca-84ae-d30803bae505}
\\.\MAILSLOT
\\.\HID#VID_0E0F&PID_0003&MI_01#8&12a4bdba&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}   需要进一步分析，错误值32
\\.\ROOT#NetFT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}
\\.\WindowsTrustedRT
\\.\ACPI#AuthenticAMD_-_AMD64_Family_23_Model_96_-_AMD_Ryzen_7_4800H_with_Radeon_Graphics_________#_3#{97fadb10-4e33-40ae-359c-8bef029dbdd0}
\\.\ROOT#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}
\\.\ROOT#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}
\\.\SWD#MSRRAS#MS_NDISWANIP#{cac88484-7515-4c03-82e6-71a87abac361}
\\.\USB#ROOT_HUB30#5&21ab4ffc&0&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
\\.\ACPI#AuthenticAMD_-_AMD64_Family_23_Model_96_-_AMD_Ryzen_7_4800H_with_Radeon_Graphics_________#_3#{dbe4373d-3c81-40cb-ace4-e0e5d05f0c9f}
\\.\PCI#VEN_15AD&DEV_0774&SUBSYS_197615AD&REV_00#4&bbf9765&0&0088#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}
\\.\AppidEDPPlugin
\\.\NfsRdr
\\.\PCI#VEN_15AD&DEV_0779&SUBSYS_077915AD&REV_00#4&1ee266c4&0&00B0#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}
\\.\PCI#VEN_15AD&DEV_0770&SUBSYS_077015AD&REV_00#4&bbf9765&0&1088#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}
\\.\ACPI_ROOT_OBJECT
\\.\MQAC
\\.\ACPI#AuthenticAMD_-_AMD64_Family_23_Model_96_-_AMD_Ryzen_7_4800H_with_Radeon_Graphics_________#_1#{dbe4373d-3c81-40cb-ace4-e0e5d05f0c9f}
\\.\CLUSPORT
\\.\HID#VID_0E0F&PID_0003&MI_00#8&367bfb7c&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}   需要进一步分析，错误值32
\\.\PIPE
\\.\GLOBALROOT   需要进一步分析，错误值123
\\.\SWD#MSRRAS#MS_AGILEVPNMINIPORT#{ad498944-762f-11d0-8dcb-00c04fc3358c}
\\.\ROOT#NetFT#0000#{cac88484-7515-4c03-82e6-71a87abac361}
\\.\NUL
\\.\{FF9B4267-AF09-4034-89FF-AF2471EAD848}
\\.\DISPLAY#Default_Monitor#4&427137e&0&UID0#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}
\\.\HCD0

其中\.\GLOBALROOT\Device\CLUSPORT引起了我的注意（该符号链接没有在我虚拟机上的其他windows版本上发现），所以，我决定审计该驱动。

我不太确定这个驱动是不是默认组件，我只知道是微软的驱动问题微软就会处理，不管它是不是默认启动，为此，我几乎安装了所有组件

并启动了所有已经安装的驱动，代码如下，以管理员运行。

//启动所有的驱动 
//请在虚拟机下运行 否则电脑无法开机
#include
#include 
#pragma warning (disable: 4996)
int main() {
	HANDLE hFile;
	char* lpFileName = (char*)"C:\\Windows\\System32\\drivers\\*";
	WIN32_FIND_DATAA pNextInfo;
	hFile = FindFirstFileA(lpFileName, &pNextInfo);
	char path[0x1000];
	char path2[0x1000];
	char path3[0x1000];

	while (FindNextFileA(hFile, &pNextInfo))
	{
		if (pNextInfo.cFileName[0] == '.')
			continue;
		memcpy(path, "sc config ", strlen("sc config "));
		pNextInfo.cFileName[strlen(pNextInfo.cFileName)] = 0;
		pNextInfo.cFileName[strlen(pNextInfo.cFileName) - 1] = 0;
		pNextInfo.cFileName[strlen(pNextInfo.cFileName) - 2] = 0;
		for (size_t i = 0; i < strlen(pNextInfo.cFileName); i++)
		{
			if (pNextInfo.cFileName[i] == '.')
			{
				pNextInfo.cFileName[i] = 0;
			}
		}
		/*memcpy(path3, "sc create ", strlen("sc create "));
		strcat(path3, pNextInfo.cFileName);
		strcat(path3, " binPath= C:\\Windows\\System32\\drivers\\");
		strcat(path3, pNextInfo.cFileName);
		strcat(path3, ".sys");
		strcat(path3, " type= kernel start= auto");

		printf("command ：%s\n", path3);
		system(path3);*/

		strcat(path,pNextInfo.cFileName);
		strcat(path, " start= auto");

		printf("command ：%s\n", path);
		system(path);
		strcat(path2, "sc start ");
		strcat(path2 , pNextInfo.cFileName);

		printf("command ：%s\n", path2);

		system(path2);

		//memset(path3, 0, 0x1000);
		memset(path, 0, 0x1000);
		memset(path2, 0, 0x1000);
	}


	return 0;
}

上面只是启动所有已经安装的驱动，为什么不遍历安装所有驱动，然后再启动驱动？因为这么做会蓝屏，你可以手动安装微软的驱动再启动。