Blue screen code


mint77
August 7th, 2013, 15:39
For study purposes only, I have been trying to find some "blue screen code" that will work on XP.

I have gotten a few blue screens from some programs and wanted to study it, but Event Viewer and log files are often useless.

Thanks.

Kayaker
August 7th, 2013, 16:55
Not sure exactly what you're after, but Windbg "!analyze -v" is the usual method of analysing a BSOD.

This might be useful as well.
http://www.nirsoft.net/utils/blue_screen_view.html

And perhaps read up on KeBugCheckEx and associated callbacks, plus this:

http://windowsitpro.com/systems-management/inside-blue-screen

Woodmann
August 7th, 2013, 21:41
If I recall, the event log shows exactly what causes BSOD.

Can you post some output ?

Woodmann

mint77
August 7th, 2013, 23:18
Maybe I have not been clear.

I am looking for some code that will cause a BSOD in order to study it.

I am using Win XP which is very stable.

Under Win 98, code was more susceptible to Blue Screen.

Does that make sense?

Best regards,
Andy

Kayaker
August 7th, 2013, 23:40
Lol, I do that without trying when I write driver code

In that case check out NotMyFault, comes with source. Scroll down to Book Tools.

http://technet.microsoft.com/en-us/sysinternals/bb963901

blabberer
August 8th, 2013, 00:28
Quote:
[Originally Posted by mint77;95167]

I am looking for some code that will cause a BSOD in order to study it.



the mighty google has umpteen projects in its laps you probably didn't look
in fact it even has links to compiled binary for download from reputed sources like

notmyfault bang etc didn't they provide you any clues ??

well whatever

this code below will cause a blue screen study it

<caveat start>
this is not the way to write drivers do not post this snippet asking for help in forums dealing with serious driver writing
microsoft actively discourages wdm style (legacy style drivers)
the most proper way to write drivers nowadays excluding exotic scenarios is to use KMDF (kernel mode driver framework)
this legacy style code also lacks Completion Routines. has not passed Driver Verifier
this is a HACK for study purpose only DO NOT ASSUME that since this is working this is THE way to write drivers

also be aware that inline asm is not acceptable for x64 drivers
<caveat end>


Code:



C:\WinDDK\7600.16385.1\src\bangbangbust>dir /b
bangbangbust.c
buildandcopy.bat
makefile
sources

C:\WinDDK\7600.16385.1\src\bangbangbust>type *.*

bangbangbust.c


#include <ntddk.h>

DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;

void DriverUnload( PDRIVER_OBJECT DriverObject )
{
    DbgPrint("Driver unloading\n");
}

NTSTATUS
DriverEntry( __in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath )
{
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("we are gonna bang bang bust now wanna blue with me\n");
    DbgPrint("some western classical music in the background with windows running rodeo guns blazing\n");
    _asm
    {
        mov eax,0       ; eax = NULL
        mov [eax],0     ; deliberate write through a NULL pointer: unhandled kernel-mode access violation, hence bug check 0x7E
    }
    return STATUS_SUCCESS; // never reached, but the compiler does not know that
}


buildandcopy.bat


REM doubledot for pushd as arg pushes currentdir
pushd ..
REM invoke xpcheckedbuild environment
@Call C:\WinDDK\7600.16385.1\bin\setenv.bat C:\WinDDK\7600.16385.1\ chk x86 WXP
REM go back to the dir that this batch was launched
popd
REM just to confirm if we are in dir we want list the directory
dir /b
REM we can now build the sources
build -bcZg
Echo install bang bang bust service in a vm with sc or osrloader and start the service to enjoy blue screen



makefile


!INCLUDE $(NTMAKEENV)\makefile.def

sources


TARGETNAME=bangbangbust
TARGETTYPE=DRIVER
TARGETPATH=obj
SOURCES = bangbangbust.c

C:\WinDDK\7600.16385.1\src\bangbangbust>buildandcopy.bat

C:\WinDDK\7600.16385.1\src\bangbangbust>REM doubledot for pushd as arg pushes currentdir

C:\WinDDK\7600.16385.1\src\bangbangbust>pushd ..

C:\WinDDK\7600.16385.1\src>REM invoke xpcheckedbuild environment
OACR monitor running already
bangbangbust.c
buildandcopy.bat
makefile
sources
BUILD: Compile and Link for x86
BUILD: Start time: Thu Aug 08 10:32:41 2013
BUILD: Examining c:\winddk\7600.16385.1\src\bangbangbust directory for files to compile.
c:\winddk\7600.16385.1\src\bangbangbust Auto-cleaning queue for 'root:x86chk' (1 of 1 file(s) removed)
Invalidating OACR warning log for 'root:x86chk'
BUILD: Compiling and Linking c:\winddk\7600.16385.1\src\bangbangbust directory
Configuring OACR for 'root:x86chk' - <OACR on>
_NT_TARGET_VERSION SET TO WINXP
Compiling - bangbangbust.c
Linking Executable - objchk_wxp_x86\i386\bangbangbust.sys
BUILD: Finish time: Thu Aug 08 10:32:43 2013
BUILD: Done

3 files compiled
1 executable built
install bang bang bust service in a vm with sc or osrloader and start the service to enjoy blue screen
C:\WinDDK\7600.16385.1\src\bangbangbust>



registered this service with osrloader in vm and started service

the result

Code:

watchdog!WdUpdateRecoveryState: Recovery enabled.
we are gonna bang bang bust now wanna blue with me
some western classical music in the background with windows running rodeo guns blazing

*** Fatal System Error: 0x0000007e
(0xC0000005,0xFAE6F4DE,0xFAC83BB4,0xFAC838B0)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Thu Aug 8 10:24:29.125 2013 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
...............................
Loading User Symbols

Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, fae6f4de, fac83bb4, fac838b0}

Probably caused by : memory_corruption

Followup: memory_corruption
---------

nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: fae6f4de, The address that the exception occurred at
Arg3: fac83bb4, Exception Record Address
Arg4: fac838b0, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
bangbangbust!DriverEntry+2e [c:\winddk\7600.16385.1\src\bangbangbust\bangbangbust.c @ 20]
fae6f4de c60000 mov byte ptr [eax],0

EXCEPTION_RECORD: fac83bb4 -- (.exr 0xfffffffffac83bb4)
ExceptionAddress: fae6f4de (bangbangbust!DriverEntry+0x0000002e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000

CONTEXT: fac838b0 -- (.cxr 0xfffffffffac838b0)
eax=00000000 ebx=00000000 ecx=804ff063 edx=00000057 esi=e1704b82 edi=ffbc4030
eip=fae6f4de esp=fac83c7c ebp=fac83c7c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
bangbangbust!DriverEntry+0x2e:
fae6f4de c60000 mov byte ptr [eax],0 ds:0023:00000000=??
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00000000

WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
bangbangbust!DriverEntry+2e [c:\winddk\7600.16385.1\src\bangbangbust\bangbangbust.c @ 20]
fae6f4de c60000 mov byte ptr [eax],0

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: CODE_CORRUPTION

LAST_CONTROL_TRANSFER: from 805a399d to fae6f4de

STACK_TEXT:
fac83c7c 805a399d ffbc4030 812d0000 00000000 bangbangbust!DriverEntry+0x2e [c:\winddk\7600.16385.1\src\bangbangbust\bangbangbust.c @ 20]
fac83d4c 805a3c73 80000198 00000001 00000000 nt!IopLoadDriver+0x66d
fac83d74 804e426b 80000198 00000000 812f5b30 nt!IopLoadUnloadDriver+0x45
fac83dac 8057aeff f74fbcf4 00000000 00000000 nt!ExpWorkerThread+0x100
fac83ddc 804f88ea 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
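The kd transcript above carries everything needed to classify this crash without re-reading it by hand: the BugCheck line, the exception record's parameters and the faulting symbol. The following decoder is an added example (not code from the thread or from any Microsoft tool); it parses a constructed snippet modelled on that transcript and turns the four 0x7E arguments and the access-violation parameters into fields a triage script can act on.

```python
import re

# Constructed sample, modelled on the kd transcript quoted in the thread above.
KD_OUTPUT = """\
*** Fatal System Error: 0x0000007e
(0xC0000005,0xFAE6F4DE,0xFAC83BB4,0xFAC838B0)
BugCheck 7E, {c0000005, fae6f4de, fac83bb4, fac838b0}
ExceptionAddress: fae6f4de (bangbangbust!DriverEntry+0x0000002e)
ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
# Meaning of the four arguments of bug check 0x7E, as !analyze -v lists them.
ARG_NAMES_7E = ("exception_code", "exception_address",
                "exception_record", "context_record")
# EXCEPTION_RECORD.ExceptionInformation[0] for an access violation.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
MODULE_RE = re.compile(r"^ExceptionAddress: [0-9A-Fa-f]+ \((\w+)!(\S+)\)", re.M)
PARAM_RE = re.compile(r"^Parameter\[(\d)\]: ([0-9A-Fa-f]+)", re.M)


def parse_bugcheck(text):
    """Decode a 0x7E bug check from kd output into a dict for crash triage."""
    m = BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no 'BugCheck' line in input")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    if len(args) != 4:
        raise ValueError("a BugCheck line always carries four arguments")
    info = {"code": code, "args": args}
    if code != 0x7E:
        return info  # other codes lay out their arguments differently
    info.update(zip(ARG_NAMES_7E, args))
    sym = MODULE_RE.search(text)
    if sym:
        info["module"], info["symbol"] = sym.group(1), sym.group(2)
    if info["exception_code"] == STATUS_ACCESS_VIOLATION:
        params = {int(i): int(v, 16) for i, v in PARAM_RE.findall(text)}
        info["access"] = ACCESS_KIND.get(params.get(0), "unknown")
        info["fault_address"] = params.get(1)
        # The lowest 64 KB of the address space is never mapped, so a fault
        # there is a NULL (or near-NULL) pointer dereference, not random corruption.
        info["null_page"] = params.get(1, 0x10000) < 0x10000
    return info


if __name__ == "__main__":
    for key, value in parse_bugcheck(KD_OUTPUT).items():
        print(f"{key:>18}: {value}")
```

Feed it a saved kd session (or the text of a crash dump's `!analyze -v`) and the `module` field tells you which image owned the faulting instruction; `null_page` and `access` separate a plain NULL write like the one above from a wild-pointer or use-after-free pattern that deserves deeper analysis.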

mint77
August 8th, 2013, 09:18
Thanks Kayaker, the source code by Mark Russinovich was informative.

Thanks blabberer. I understand what you are saying. I have a Kernel Mode Driver Development Kit.

mint77
August 8th, 2013, 19:20
I could not find out how to post code in its own box. Been a long day.

As you'll see below, Build says DONE, but..

1. No driver was made.
2. There is no log file.
3. Microsoft compilers are stupid. :wallbash:

CODE C Language

C:\WinDDK\7600.16385.1>REM invoke xpcheckedbuild environment
OACR monitor running already
.binaries
.obj
amd64
amd64mk.inc
bangbangbust.c
BlockDir
Buildit.bat
coffbase.txt
generic.mac
i386mk.inc
ia64
ia64mk.inc
makefile
makefile.ctrpp
makefile.def
makefile.new
makefile.plt
makefile.txt
newest.bat
oacr_base.ini
path.txt
projects.inc
selfsign
setenv.bat
setwdf.bat
t.bat
verify.src
WppConfig
x86
BUILD: Compile and Link for x86
BUILD: Start time: Thu Aug 08 19:06:31 2013
BUILD: Finish time: Thu Aug 08 19:06:31 2013
BUILD: Done

Install bang bang bust service in a vm with sc or osrloader and
start the service to enjoy a blue screen.

C:\WinDDK\7600.16385.1\bin>

blabberer
August 9th, 2013, 04:58
Quote:
[Originally Posted by mint77;95172]

3. Microsoft compilers are stupid. :wallbash:



several billions of computers run windows and all were compiled with Microsoft's compilers
and this statement means you are implying that billions of people are stupid and one in a billion includes me

did you read the bat ? (double clicking is not reading)
did you try to understand what build actually builds ??
did you do a directory listing of the folder (coming to this point don't pollute your bin directory with $%^& make new directory and leave the excreta there so that it is easy to flush them down the drain) (the folder path should not contain any spaces )

you should have three files to start with
1) your XXXX.c file
2) a dummy MAKEFILE
3) a sources file

and each of them should contain exactly what is displayed in the post above
if you have them and then execute the bat file
it should build the driver

at this moment the compiler does not see your sources file
so it says it checked found nothing to build and i am done for now

provide it with a sources file that it can see (look in my post)
and build it

the wdk uses build system and compiler is a back end to that
compiler comes into the picture very very late in the build process

Indy
August 9th, 2013, 09:20
Open source, WRK

mint77
August 9th, 2013, 09:20
1>/entry:GsDriverEntry@8
1>/out:c:\winddk\7600.16385.1\bin\objchk_wxp_x86\i386\bangbangbust.sys

Thanks.

mint77
August 9th, 2013, 09:59
I looked up open source and wrk.

Did not find anything code wise ?

Kayaker
August 9th, 2013, 12:45
Yeah, that's an idea too. mint77, WRK is 'Windows Research Kernel v1.2 ', kernel source provided by MS for academic study. Ostensibly not available for public download but available through other channels. Worth it. Get yourself a good file text search app as well so you have a way of finding keywords in the myriad of files.

btw, the hash icon # is what adds [CODE] tags around post text.

mint77
August 9th, 2013, 14:39
NotMyFault is 3/4 of the way down this page. Pretty handy and has source too.

http://technet.microsoft.com/en-us/sysinternals/bb963901