
Thread: IOCTL Input Buffer Content From Crash Dump + Windbg[BSOD]

  1. #1

    IOCTL Input Buffer Content From Crash Dump + Windbg[BSOD]

    We know user-mode applications can pass an IOCTL code and a data buffer to kernel device drivers by calling the DeviceIoControl() API.

    Code:
    BOOL WINAPI DeviceIoControl(
      _In_         HANDLE hDevice,
      _In_         DWORD dwIoControlCode, <--Control Code
      _In_opt_     LPVOID lpInBuffer,  <- Input buffer pointer
      _In_         DWORD nInBufferSize, <- Input buffer size
      _Out_opt_    LPVOID lpOutBuffer,
      _In_         DWORD nOutBufferSize,
      _Out_opt_    LPDWORD lpBytesReturned,
      _Inout_opt_  LPOVERLAPPED lpOverlapped
    );
    I have a situation where a user-mode application sometimes passes an IOCTL buffer to a kernel driver, which causes a BSOD again and again. Every time I get a kernel memory dump for the BSOD.

    So my question is: is it possible to find the exact malformed input buffer and IOCTL code that cause the BSOD from the kernel memory dump, so that I can reproduce the BSOD using a simple C program?

    As you can see from the stack trace, it's crashing just after the nt!NtDeviceIoControlFile call.

    Code:
    kd> kb
    ChildEBP RetAddr  Args to Child              
    b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
    b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
    b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
    b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
    b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
    b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
    b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
    b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
    b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123
    b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
    b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
    b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
    b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
    b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
    b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
    b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
    00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab
    Let me know if you need more info.


    Thanks in Advance,
    Last edited by debasishm89; March 10th, 2014 at 13:33. Reason: Added CODE highlighter

  2. #2
    Kayaker (Teach, Not Flame)
    Assuming you're free to work with more than just the crash dump, could you run the app under a remote VMWare debugging session while logging all DeviceIoControl calls? The last DeviceIoControl in the trace log when the VM BSODs should be the culprit.

    You should be able to do the same thing non-remotely, running under a debugger with a conditional breakpoint on DeviceIoControl, but you might have to step through the breaks manually, since automatic logging might not write the last log entry to file before the BSOD.

  3. #3
    blabberer (Super Moderator)
    from the output you posted it seems the dump is from xp sp3

    the winapi is finally transferred to the system via nt!NtDeviceIoControlFile()

    looking at Gary Nebbett's for the prototype, it seems the control code is the 6th argument

    so you need to look around this area of memory (b8048af8) (deduce esp and look at the 6th dword from esp) for the control code
    and the 7th dword for the input buffer

    b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a


    Code:
    lkd> ln 8056e4de
    (8056e4b4) nt!NtDeviceIoControlFile+0x2a | (8056e4e8) nt!NtFsControlFile
    
    lkd> ub 8056e4de l3
    nt!NtDeviceIoControlFile+0x1f:
    8056e4d3 ff750c          push    dword ptr [ebp+0Ch]
    8056e4d6 ff7508          push    dword ptr [ebp+8]
    8056e4d9 e8ac710000      call    nt!IopXxxControlFile (8057568a)
    
    
    lkd> uf 8056e4de
    
    nt!NtDeviceIoControlFile:
    8056e4b4 8bff            mov     edi,edi
    8056e4b6 55              push    ebp
    8056e4b7 8bec            mov     ebp,esp
    8056e4b9 6a01            push    1
    8056e4bb ff752c          push    dword ptr [ebp+2Ch] outbuff len
    8056e4be ff7528          push    dword ptr [ebp+28h] out buff
    8056e4c1 ff7524          push    dword ptr [ebp+24h] inbufflen
    8056e4c4 ff7520          push    dword ptr [ebp+20h] inbuff
    8056e4c7 ff751c          push    dword ptr [ebp+1Ch] IN ioControlCode
    8056e4ca ff7518          push    dword ptr [ebp+18h] OUT ioStatusBlock 
    8056e4cd ff7514          push    dword ptr [ebp+14h]  apc context (scan memory from ebp or esp from here)
    8056e4d0 ff7510          push    dword ptr [ebp+10h] optional apc routine null
    8056e4d3 ff750c          push    dword ptr [ebp+0Ch]  optional event null
    8056e4d6 ff7508          push    dword ptr [ebp+8]   <-- 90 file handle in your stack
    8056e4d9 e8ac710000      call    nt!IopXxxControlFile (8057568a)
    8056e4de 5d              pop     ebp
    8056e4df c22800          ret     28h
    
    
    ok the push 1 is accounted for it seems a hardwired constant 
    
    lkd> .fnent nt!NtDeviceIoControlFile
    Debugger function entry 00cd2fd0 for:
    (8056e4b4)   nt!NtDeviceIoControlFile   |  (8056e4e8)   nt!NtFsControlFile
    Exact matches:
        nt!NtDeviceIoControlFile = <no type information>
    
    OffStart:  000974b4
    ProcSize:  0x2e
    Prologue:  0x5
    Params:    0n10 (0x28 bytes)
    Locals:    0n0 (0x0 bytes)
    Non-FPO
    
    
    lkd> .fnent nt!IopXxxControlFile
    Debugger function entry 00cd3010 for:
    (8057568a)   nt!IopXxxControlFile   |  (80575cc0)   nt!IopBootLog
    Exact matches:
        nt!IopXxxControlFile = <no type information>
    
    OffStart:  0009e68a
    ProcSize:  0x619
    Prologue:  0xc
    Params:    0n11 (0x2c bytes)
    Locals:    0n30 (0x78 bytes)
    Non-FPO

  4. #4
    Thanks @Kayaker for your reply.

    @blabberer

    Thanks for your response. I really appreciate your detailed explanation. Now I have one confusion. When you say

    "(b8048af8 ) (deduce esp and look at the 6th dword from esp ) for control code and 7th dword for input buffer"

    Do you mean the thing below (d esp), or do you mean to debug the kernel at run-time by setting a breakpoint at nt!NtDeviceIoControlFile?

    Actually I don't know exactly when the application is crashing. The only thing I have is a full kernel memory dump.

    Explaining "(b8048af8 ) (deduce esp and look at the 6th dword from esp ) for control code and 7th dword for input buffer" would be very helpful.

    Thanks in Advance,

  5. #5
    blabberer (Super Moderator)
    d esp will not cut the cake
    when you do d esp it shows the esp of frame 1 (i hope you understand stack layout, frames and other jargon)

    each call in the stack has its own esp and ebp

    when i said deduce i meant you need to go to the frame that contains the call you are interested in
    there windbg will show you the ebp

    if the call (usually system calls have a prolog and epilog, so there would be a push ebp, mov ebp,esp ........ pop ebp, ret X sequence in each call)
    so from the ebp you can scan dwords in memory and somewhere between successive frame addresses you should be able to locate the return address and arguments in the stack; the address that contains the return address was the esp at the moment the next call was made (manual stack walking)

    shit i need a course in teaching profession it seems

    did you follow anything ?? at all ?? reply and ask the next question


    before asking a question, your homework follows in the paste below

    Code:
    |0:kd> .shell dir /s f:\deskback\*.dmp
     Directory of f:\deskback
    
    15/06/2008  12:17            90,112 Mini061508-01.dmp
    .shell: Process exited
    Press ENTER to continue
    
    ||0:kd> .opendump f:\deskback\Mini061508-01.dmp
    
    Loading Dump File [f:\deskback\Mini061508-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Opened 'f:\deskback\Mini061508-01.dmp'
    ||0:kd> !for_each_frame .frame /r @$Frame
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    00 a8cf4b4c 8051ef1d nt!MiReleasePageFileSpace+0x55
    00 a8cf4b4c 8051ef1d nt!MiReleasePageFileSpace+0x55
    eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
    eip=8051e9ef esp=a8cf4b3c ebp=a8cf4b4c iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!MiReleasePageFileSpace+0x55:
    8051e9ef 213e            and     dword ptr [esi],edi  ds:0023:a5bf21a4=????????
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    01 a8cf4b84 8051f090 nt!MiDeletePte+0x499
    01 a8cf4b84 8051f090 nt!MiDeletePte+0x499
    eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
    eip=8051ef1d esp=a8cf4b54 ebp=a8cf4b84 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!MiDeletePte+0x499:
    8051ef1d 85c0            test    eax,eax
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    02 a8cf4c48 805164b7 nt!MiDeleteVirtualAddresses+0x164
    02 a8cf4c48 805164b7 nt!MiDeleteVirtualAddresses+0x164
    eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
    eip=8051f090 esp=a8cf4b8c ebp=a8cf4c48 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!MiDeleteVirtualAddresses+0x164:
    8051f090 8945f4          mov     dword ptr [ebp-0Ch],eax ss:0010:a8cf4c3c=00000000
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    03 a8cf4cf4 805a6cd5 nt!MiRemoveMappedView+0x237
    03 a8cf4cf4 805a6cd5 nt!MiRemoveMappedView+0x237
    eax=8642f6b8 ebx=862ba110 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
    eip=805164b7 esp=a8cf4c50 ebp=a8cf4cf4 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!MiRemoveMappedView+0x237:
    805164b7 85db            test    ebx,ebx
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    04 a8cf4d38 805a6dc4 nt!MiUnmapViewOfSection+0x12b
    04 a8cf4d38 805a6dc4 nt!MiUnmapViewOfSection+0x12b
    eax=8642f6b8 ebx=85ba4da0 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
    eip=805a6cd5 esp=a8cf4cfc ebp=a8cf4d38 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!MiUnmapViewOfSection+0x12b:
    805a6cd5 8d8ecc000000    lea     ecx,[esi+0CCh]
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
    05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
    eax=8642f6b8 ebx=01240000 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
    eip=805a6dc4 esp=a8cf4d40 ebp=a8cf4d54 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!NtUnmapViewOfSection+0x54:
    805a6dc4 8b4d0c          mov     ecx,dword ptr [ebp+0Ch] ss:0010:a8cf4d60=85ba4da0
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    06 a8cf4d54 7c90eb94 nt!KiFastCallEntry+0xf8
    06 a8cf4d54 7c90eb94 nt!KiFastCallEntry+0xf8
    eax=8642f6b8 ebx=01240000 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
    eip=8053c808 esp=a8cf4d5c ebp=a8cf4d64 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!KiFastCallEntry+0xf8:
    8053c808 8be5            mov     esp,ebp
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    07 009dece4 00000000 0x7c90eb94
    07 009dece4 00000000 0x7c90eb94
    eax=007f3ba0 ebx=00000000 ecx=007f178c edx=007f3ba0 esi=00194cd0 edi=009decb8
    eip=7c90eb94 esp=009debf4 ebp=009dece4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    001b:7c90eb94 ??              ???
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
    ||0:kd> kb
    ChildEBP RetAddr  Args to Child              
    a8cf4b4c 8051ef1d 00000020 fffe0cfc 013ac000 nt!MiReleasePageFileSpace+0x55
    a8cf4b84 8051f090 c0009d60 013ac000 00000000 nt!MiDeletePte+0x499
    a8cf4c48 805164b7 e19cfba0 0151ffff 00000000 nt!MiDeleteVirtualAddresses+0x164
    a8cf4cf4 805a6cd5 85ba4da0 86251e00 a8cf4d64 nt!MiRemoveMappedView+0x237
    a8cf4d38 805a6dc4 85a63808 864a3438 00000000 nt!MiUnmapViewOfSection+0x12b
    a8cf4d54 8053c808 ffffffff 85ba4da0 009dece4 nt!NtUnmapViewOfSection+0x54
    a8cf4d54 7c90eb94 ffffffff 85ba4da0 009dece4 nt!KiFastCallEntry+0xf8
    WARNING: Frame IP not in any known module. Following frames may be wrong.

  6. #6
    @blabberer

    Thanks for your response. Based on your instructions, I tried the following to dump the context of each and every stack frame.

    Code:
    kd> !for_each_frame .frame /r @$Frame
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    00 b8048798 805246fb nt!KeBugCheckEx+0x1b
    00 b8048798 805246fb nt!KeBugCheckEx+0x1b
    eax=ffdff13c ebx=00000001 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
    eip=805339ae esp=b8048780 ebp=b8048798 iopl=0         nv up ei ng nz na pe nc
    cs=0009  ss=0011  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
    nt!KeBugCheckEx+0x1b:
    805339ae 5d              pop     ebp
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    01 b80487e4 804e1ff1 nt!MmAccessFault+0x6f5
    01 b80487e4 804e1ff1 nt!MmAccessFault+0x6f5
    eax=ffdff13c ebx=00000001 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
    eip=805246fb esp=b80487a0 ebp=b80487e4 iopl=0         nv up ei ng nz na pe nc
    cs=0009  ss=0011  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
    nt!MmAccessFault+0x6f5:
    805246fb 83bb3c02000010  cmp     dword ptr [ebx+23Ch],10h ds:0023:0000023d=????????
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    02 b80487e4 804ed0db nt!KiTrap0E+0xcc
    02 b80487e4 804ed0db nt!KiTrap0E+0xcc
    eax=ffdff13c ebx=8976a7b8 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
    eip=804e1ff1 esp=b80487ec ebp=b80487fc iopl=0         nv up ei ng nz na pe nc
    cs=0009  ss=0011  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
    nt!KiTrap0E+0xcc:
    804e1ff1 85c0            test    eax,eax
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    03 b80488b4 804ed15a nt!IopCompleteRequest+0x92
    03 b80488b4 804ed15a nt!IopCompleteRequest+0x92
    eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
    eip=804ed0db esp=b8048870 ebp=b80488b4 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    nt!IopCompleteRequest+0x92:
    0008:804ed0db f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    04 b8048904 806f2c0a nt!KiDeliverApc+0xb3
    04 b8048904 806f2c0a nt!KiDeliverApc+0xb3
    eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
    eip=804ed15a esp=b80488bc ebp=b8048904 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    nt!KiDeliverApc+0xb3:
    0008:804ed15a 8d55d8          lea     edx,[ebp-28h]
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    05 b8048904 806ed0b3 hal!HalpApcInterrupt2ndEntry+0x31
    05 b8048904 806ed0b3 hal!HalpApcInterrupt2ndEntry+0x31
    eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
    eip=806f2c0a esp=b804890c ebp=b804891c iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    hal!HalpApcInterrupt2ndEntry+0x31:
    0008:806f2c0a e95190c839      jmp     ba37bc60
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    06 b8048990 804e59ec hal!KfLowerIrql+0x43
    06 b8048990 804e59ec hal!KfLowerIrql+0x43
    eax=806ed0b3 ebx=00000001 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=806ed0b3 esp=b8048990 ebp=b80489b0 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    hal!KfLowerIrql+0x43:
    0008:806ed0b3 9d              popfd
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    07 b80489b0 804ed174 nt!KeInsertQueueApc+0x4b
    07 b80489b0 804ed174 nt!KeInsertQueueApc+0x4b
    eax=806ed0b3 ebx=00000001 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=804e59ec esp=b8048998 ebp=b80489b0 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    nt!KeInsertQueueApc+0x4b:
    0008:804e59ec 5f              pop     edi
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    08 b80489e4 f7432123 nt!IopfCompleteRequest+0x1d8
    08 b80489e4 f7432123 nt!IopfCompleteRequest+0x1d8
    eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=804ed174 esp=b80489b8 ebp=b80489e4 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    nt!IopfCompleteRequest+0x1d8:
    0008:804ed174 e91b71ffff      jmp     nt!IopfCompleteRequest+0xa9 (804e4294)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    09 b80489f8 804e3d77 NinjaDriver+0x1123
    09 b80489f8 804e3d77 NinjaDriver+0x1123
    eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=f7432123 esp=b80489ec ebp=b80489f8 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    NinjaDriver+0x1123:
    0008:f7432123 5f              pop     edi
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    0a b8048a08 8056a9ab nt!IopfCallDriver+0x31
    0a b8048a08 8056a9ab nt!IopfCallDriver+0x31
    eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=804e3d77 esp=b8048a00 ebp=b8048a1c iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    nt!IopfCallDriver+0x31:
    0008:804e3d77 5e              pop     esi
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    0b b8048a1c 8057d9f7 nt!IopSynchronousServiceTail+0x60
    0b b8048a1c 8057d9f7 nt!IopSynchronousServiceTail+0x60
    eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=8056a9ab esp=b8048a10 ebp=b8048a1c iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    nt!IopSynchronousServiceTail+0x60:
    0008:8056a9ab 807d1400        cmp     byte ptr [ebp+14h],0  ss:0010:b8048a30=00
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    0c b8048ac4 8057fbfa nt!IopXxxControlFile+0x611
    0c b8048ac4 8057fbfa nt!IopXxxControlFile+0x611
    eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=8057d9f7 esp=b8048a24 ebp=b8048ac4 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    nt!IopXxxControlFile+0x611:
    0008:8057d9f7 e8d650f6ff      call    nt!_SEH_epilog (804e2ad2)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    
    Following the ESP of this frame I tried to get the control code input buffer
    
    0d b8048af8 b6e6a06f nt!NtDeviceIoControlFile+0x2a
    0d b8048af8 b6e6a06f nt!NtDeviceIoControlFile+0x2a
    eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=8057fbfa esp=b8048acc ebp=b8048af8 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    nt!NtDeviceIoControlFile+0x2a:
    0008:8057fbfa 5d              pop     ebp
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    0e b8048b8c b6e6a5c3 Ninja+0x506f
    0e b8048b8c b6e6a5c3 Ninja+0x506f
    eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=b6e6a06f esp=b8048b00 ebp=b8048b8c iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    Ninja+0x506f:
    0008:b6e6a06f 8945cc          mov     dword ptr [ebp-34h],eax ss:0010:b8048b58=00000000
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    0f b8048c80 b6e6ab9b Ninja+0x55c3
    0f b8048c80 b6e6ab9b Ninja+0x55c3
    eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=b6e6a5c3 esp=b8048b94 ebp=b8048c80 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    Ninja+0x55c3:
    0008:b6e6a5c3 0fb64dd3        movzx   ecx,byte ptr [ebp-2Dh] ss:0010:b8048c53=00
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    10 b8048d34 804df06b Ninja+0x5b9b
    10 b8048d34 804df06b Ninja+0x5b9b
    eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=b6e6ab9b esp=b8048c88 ebp=b8048d34 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    Ninja+0x5b9b:
    0008:b6e6ab9b 6a00            push    0
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    11 b8048d34 7c90ebab nt!KiFastCallEntry+0xf8
    11 b8048d34 7c90ebab nt!KiFastCallEntry+0xf8
    eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
    eip=804df06b esp=b8048d3c ebp=b8048d64 iopl=0         nv up di ng nz ac pe nc
    cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
    nt!KiFastCallEntry+0xf8:
    0008:804df06b 8be5            mov     esp,ebp
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    12 00f8fd7c 00000000 0x7c90ebab
    12 00f8fd7c 00000000 0x7c90ebab
    eax=00f8fd3c ebx=00000000 ecx=00000101 edx=00000000 esi=00000000 edi=00785580
    eip=7c90ebab esp=00f8fd1c ebp=00f8fd7c iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010202
    001b:7c90ebab ??              ???
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    09 b80489f8 804e3d77 NinjaDriver+0x1123
    From the register context dump of the nt!NtDeviceIoControlFile (http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/NtDeviceIoControlFile.html) frame I collected the stack pointer (esp) and tried to dump the dwords.

    Code:
    kd> dd b8048acc 
    b8048acc  00000090 00000000 00000000 00000000
    b8048adc  00f8fd58 0022a00c 00f8fdc8 0000001c
    b8048aec  ffff0000 00000000 00000001 b8048b8c   ; This 1 is getting pushed and after executing PUSH 1 instruction at 0x8057fbd5 (nt!NtDeviceIoControlFile)
    b8048afc  b6e6a06f 00000090 00000000 00000000
    b8048b0c  00000000 00f8fd58 0022a00c 00f8fdc8
    b8048b1c  0000001c ffff0000 00000000 8057a312
    b8048b2c  b8048be8 b8048c84 8057a125 00000000
    b8048b3c  00100002 00000000 00000003 00000000

    Code:
    kd> uf nt!NtDeviceIoControlFile
    nt!NtDeviceIoControlFile:
    8057fbd0 8bff            mov     edi,edi
    8057fbd2 55              push    ebp
    8057fbd3 8bec            mov     ebp,esp
    8057fbd5 6a01            push    1
    8057fbd7 ff752c          push    dword ptr [ebp+2Ch]
    8057fbda ff7528          push    dword ptr [ebp+28h]
    8057fbdd ff7524          push    dword ptr [ebp+24h]
    8057fbe0 ff7520          push    dword ptr [ebp+20h]
    8057fbe3 ff751c          push    dword ptr [ebp+1Ch]
    8057fbe6 ff7518          push    dword ptr [ebp+18h]
    8057fbe9 ff7514          push    dword ptr [ebp+14h]
    8057fbec ff7510          push    dword ptr [ebp+10h]
    8057fbef ff750c          push    dword ptr [ebp+0Ch]
    8057fbf2 ff7508          push    dword ptr [ebp+8]
    8057fbf5 e8dddbffff      call    nt!IopXxxControlFile (8057d7d7)
    8057fbfa 5d              pop     ebp
    8057fbfb c22800          ret     28h

    Code:
    kd> d 00f8fdc8
    00f8fdc8  ???????? ???????? ???????? ????????
    00f8fdd8  ???????? ???????? ???????? ????????
    00f8fde8  ???????? ???????? ???????? ????????
    00f8fdf8  ???????? ???????? ???????? ????????
    00f8fe08  ???????? ???????? ???????? ????????
    00f8fe18  ???????? ???????? ???????? ????????
    00f8fe28  ???????? ???????? ???????? ????????
    00f8fe38  ???????? ???????? ???????? ????????
    Question 1:
    So, according to your earlier instruction, 0x0022a00c should be the IOCTL code and 0x00f8fdc8 the pointer to the input buffer that is possibly involved in the crash?

    Question 2:

    Now, if I send the same IOCTL code and input buffer from any user-mode application (CreateFileW!Kernel32, DeviceIoControl!Kernel32) to the device created by NinjaDriver, would I be able to reproduce the BSOD/crash?

    Please let me know if I got you wrong or did anything wrong.

    Thanks in Advance,
    Last edited by debasishm89; March 11th, 2014 at 07:06. Reason: Added one question and reference

  7. #7
    Kayaker (Teach, Not Flame)
    Nice detective work both ways. I don't know if this is relevant to the BSOD, but notice that OutputBuffer is non-NULL (oddly defined as 0xffff0000), but OutputBufferLength is 0.

    IopXxxControlFile may be handled similarly to this ReactOS source for IopDeviceFsIoControl.

    http://doxygen.reactos.org/d5/de1/iofunc_8c_a8be97bd7c9d6cb5192fcb2b9dc1b9109.html

    I'm wondering if the error of an output buffer with zero length isn't handled gracefully, whether that might cause problems.

  8. #8
    blabberer (Super Moderator)
    Code:
    !decodeioctl 22a00c
    
    IoControlCode = 22A00C
    Device = UNKNOWN
    Function = 00000803
    Access = FILE_WRITE_ACCESS
    Method = METHOD_BUFFERED
    
    lkd>


    the input buffer may have been swapped out, hence the ????????

    the output buffer does not seem to point to a valid address (if it is a user-space address it is invalid, > 0xffff0000)

    if it is a kernel-space address it doesn't seem to lie in the paged / non-paged pool limits

    i am not sure of the semantics off my head

    but logically, for write access from user mode you may need to provide a buffer that would be validated by the kernel and locked until it is discarded by some trigger

    also your output buffer length seems to be null, so where are you writing seems to be a valid question

    whether you can produce a crash is dependent on various factors; you may need to experiment with it

    the input buffer address seems to point to a user-mode address (below 0x7fffffff), so is the buffer probed and locked, at what irql, that kind of question arises, which you may need to ascertain to produce a duplicate crash

    what is the conclusion of !analyze -v
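    The helper below is an added illustration, not code from the thread or from any of its participants. It applies blabberer's argument-recovery rule from #5 (6th dword from the frame's esp is the control code, 7th the input buffer) to the `dd b8048acc` output posted in #6, cross-checks it by walking from the frame's ebp instead, decodes the IOCTL the same way `!decodeioctl` does in #8, and flags the output-buffer oddities raised in #7 and #8. The parameter names follow the `uf` listing in #3; the esp/ebp values are the ones WinDbg printed for frame 0d in #6, and the 0x80000000 user/kernel split is the default 32-bit XP layout, assumed here.

```python
import re

# Parameter order of nt!NtDeviceIoControlFile, read off the `uf` listing in the
# thread: the function pushes [ebp+8] .. [ebp+2Ch] for IopXxxControlFile.
NT_DEVICE_IO_CONTROL_FILE_ARGS = (
    "FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock",
    "IoControlCode", "InputBuffer", "InputBufferLength",
    "OutputBuffer", "OutputBufferLength",
)

# Constructed sample input: the `dd b8048acc` output posted in #6, copied verbatim.
DD_OUTPUT = """\
b8048acc  00000090 00000000 00000000 00000000
b8048adc  00f8fd58 0022a00c 00f8fdc8 0000001c
b8048aec  ffff0000 00000000 00000001 b8048b8c   ; push 1, then saved ebp
b8048afc  b6e6a06f 00000090 00000000 00000000
b8048b0c  00000000 00f8fd58 0022a00c 00f8fdc8
b8048b1c  0000001c ffff0000 00000000 8057a312
"""

# Registers WinDbg printed for frame 0d (nt!NtDeviceIoControlFile+0x2a) in #6.
FRAME_0D_ESP = 0xB8048ACC
FRAME_0D_EBP = 0xB8048AF8

# Assumed default 32-bit XP split: user-mode addresses lie below 0x80000000.
USER_SPACE_LIMIT = 0x80000000

ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}

DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")


def parse_dd(text):
    """Turn WinDbg `dd` output into {address: dword}.

    Lines of '????????' (memory not in the dump) do not match and are skipped.
    """
    mem = {}
    for line in text.splitlines():
        m = DD_LINE.match(line.split(";", 1)[0])  # drop trailing ';' annotations
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem


def read_args(mem, addr, names):
    """Read len(names) consecutive dwords starting at addr."""
    return {name: mem[addr + 4 * i] for i, name in enumerate(names)}


def args_from_esp(mem, frame_esp):
    """blabberer's rule (#5): the frame's esp points at the argument copy that
    NtDeviceIoControlFile pushed for IopXxxControlFile, so the 6th dword is the
    IOCTL code and the 7th the input buffer."""
    return read_args(mem, frame_esp, NT_DEVICE_IO_CONTROL_FILE_ARGS)


def args_from_ebp(mem, frame_ebp):
    """Manual stack walk: [ebp] is the saved ebp, [ebp+4] the return address into
    the caller (b6e6a06f, Ninja+0x506f), and the caller's arguments start at ebp+8."""
    return read_args(mem, frame_ebp + 8, NT_DEVICE_IO_CONTROL_FILE_ARGS)


def decode_ioctl(code):
    """Split a CTL_CODE value into the fields that !decodeioctl prints."""
    return {
        "DeviceType": (code >> 16) & 0xFFFF,     # 0x22 = FILE_DEVICE_UNKNOWN
        "Access": ACCESS_NAMES[(code >> 14) & 0x3],
        "Function": (code >> 2) & 0xFFF,
        "Method": METHOD_NAMES[code & 0x3],
    }


def sanity_check(args):
    """Flag the oddities raised in #7 and #8 before trying to reproduce anything."""
    findings = []
    if args["OutputBuffer"] and args["OutputBufferLength"] == 0:
        findings.append("OutputBuffer is non-NULL but OutputBufferLength is 0")
    if args["OutputBuffer"] >= USER_SPACE_LIMIT:
        findings.append("OutputBuffer is not a user-mode address")
    if args["InputBuffer"] < USER_SPACE_LIMIT:
        findings.append("InputBuffer is user-mode memory; it may be paged out of the dump")
    return findings


if __name__ == "__main__":
    mem = parse_dd(DD_OUTPUT)
    args = args_from_esp(mem, FRAME_0D_ESP)
    assert args == args_from_ebp(mem, FRAME_0D_EBP)  # both views of the frame agree
    for name, value in args.items():
        print(f"{name:<19} {value:08x}")
    print(decode_ioctl(args["IoControlCode"]))
    for finding in sanity_check(args):
        print("check:", finding)
```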

  9. #9
    @Kayaker Actually I tried to send the same I/O control code, input buffer and output buffer length from user land using a C program. But it did not give me a crash.

    @blabberer

    It seems to be a POOL corruption.

    !analyze -v output is given below:
    Code:
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: ffff0000, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 804ed0db, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000000, (reserved)
    
    Debugging Details:
    ------------------
    
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    .....
    .....
    .....
    Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
    
    WRITE_ADDRESS:  ffff0000 
    
    FAULTING_IP: 
    nt!IopCompleteRequest+92
    804ed0db f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    
    MM_INTERNAL_CODE:  0
    
    DEFAULT_BUCKET_ID:  CODE_CORRUPTION
    
    BUGCHECK_STR:  0x50
    
    PROCESS_NAME:  NinjaUIServ.exe
    
    IRP_ADDRESS:  88e239f8
    
    DEVICE_OBJECT: 89817030
    
    DRIVER_OBJECT: 8980b300
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  0
    
    FAULTING_MODULE: f7431000 NinjaDriver
    
    TRAP_FRAME:  b80487fc -- (.trap 0xffffffffb80487fc)
    ErrCode = 00000002
    eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
    eip=804ed0db esp=b8048870 ebp=b80488b4 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    nt!IopCompleteRequest+0x92:
    0008:804ed0db f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from 805246fb to 805339ae
    
    STACK_TEXT:  
    b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
    b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
    b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
    b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
    b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
    b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
    b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
    b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
    b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123
    b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
    b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
    b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
    b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
    b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
    b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
    b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
    00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab
    
    
    STACK_COMMAND:  kb
    
    CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
        804d90c9-804d90cd  5 bytes - nt!KiXMMIZeroPage+30
    	[ fa f7 80 0c 02:e9 2a 1a ea 39 ]
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
        804d9545-804d9549  5 bytes - nt!ExAcquireResourceSharedLite+10 (+0x47c)
    	[ fa 8b 75 08 33:e9 76 c4 e6 39 ]
        804dabaf-804dabb3  5 bytes - nt!KiChainedDispatch+28 (+0x166a)
    	[ fa ff 15 dc 75:e9 5c 2b eb 39 ]
        804dbbdb-804dbbdf  5 bytes - nt!ExReleaseResourceLite+b (+0x102c)
    	[ fa 66 8b 51 0e:e9 80 89 e6 39 ]
        804dbee9-804dbeed  5 bytes - nt!SwapContext+30 (+0x30e)
    	[ fa 89 67 28 8b:e9 4a 82 e6 39 ]
        804dc0da-804dc0de  5 bytes - nt!KiIdleLoop+13 (+0x1f1)
    	[ fa 3b 6d 00 74:e9 a9 79 e9 39 ]
        804dc180-804dc184  5 bytes - nt!KiRetireDpcList+4d (+0xa6)
    	[ fa 3b 6d 00 75:e9 23 7d e9 39 ]
        804dc213-804dc217  5 bytes - nt!Ki386AdjustEsp0+1e (+0x93)
    	[ fa 8b 15 40 f0:e9 28 64 e6 39 ]
        804dc22c-804dc230  5 bytes - nt!KiSetDebugActive+6 (+0x19)
    	[ fa 88 48 2c 88:e9 ff a2 e6 39 ]
        804df07c-804df080  5 bytes - nt!KiServiceExit (+0x2e50)
    	[ fa f7 45 70 00:e9 6f 36 e6 39 ]
        804df0de - nt!KiServiceExit+62 (+0x62)
    	[ fa:cc ]
        804df224-804df228  5 bytes - nt!KiServiceExit2 (+0x146)
    	[ fa f7 45 70 00:e9 47 4d ea 39 ]
        804df264 - nt!KiServiceExit2+40 (+0x40)
    	[ fa:cc ]
        804df8fb-804df8ff  5 bytes - nt!KiExceptionExit (+0x697)
    	[ fa f7 45 70 00:e9 e0 6c e6 39 ]
        804df93b - nt!Kei386EoiHelper+40 (+0x40)
    	[ fa:cc ]
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
        804e16ae - nt!VdmFixEspEbp+3 (+0x1d73)
    	[ 0f:cc ]
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
        804e2825-804e2829  5 bytes - nt!KiFlushNPXState+4 (+0x1177)
    	[ fa 8b 3d 1c f0:e9 5e 3b e6 39 ]
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e2e28-804e2e2b  4 bytes - nt!KiServiceTable+108 (+0x603)
    	[ d0 fb 57 80:40 a6 e6 b6 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e31e9-804e31ed  5 bytes - nt!KiCallUserMode+54 (+0x3c1)
    	[ fa 8b 0e 89 0c:e9 42 05 eb 39 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e32dc-804e32e0  5 bytes - nt!KeSwitchKernelStack+3e (+0xf3)
    	[ fa 89 8a 68 01:e9 87 25 e6 39 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e337b-804e337f  5 bytes - nt!NtCallbackReturn+3b (+0x9f)
    	[ fa 8b 35 04 f0:e9 58 05 eb 39 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e34a3-804e34a7  5 bytes - nt!ExfInterlockedAddUlong+1 (+0x128)
    	[ fa 8b 01 01 11:e9 b8 a1 ea 39 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e34b4-804e34b8  5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x11)
    	[ fa 8b 01 89 02:e9 ef 03 e9 39 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e34d1-804e34d5  5 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d)
    	[ fa 8b 41 04 89:e9 c2 fb e8 39 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e34f2-804e34f6  5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21)
    	[ fa 8b 01 3b c1:e9 51 a1 e9 39 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e3823-804e3827  5 bytes - nt!KeUpdateSystemTime+e6 (+0x331)
    	[ fa ff 81 70 08:e9 18 52 e9 39 ]
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
        804e3874-804e3878  5 bytes - nt!KeUpdateSystemTime+137 (+0x51)
    	[ fa ff 15 dc 75:e9 df 25 e9 39 ]
    Page 222c not present in the dump file. Type ".hh dbgerr004" for details
        804e3b54 - nt!ExAcquireResourceExclusiveLite+f (+0x2e0)
    	[ fa:cc ]
    Page 222c not present in the dump file. Type ".hh dbgerr004" for details
        804e6106 - nt!KiSaveProcessorControlState+75 (+0x25b2)
    	[ 0f:cc ]
    Page 222c not present in the dump file. Type ".hh dbgerr004" for details
        804e610d - nt!KiSaveProcessorControlState+7c (+0x07)
    	[ 0f:cc ]
        804e611b - nt!KiSaveProcessorControlState+8a (+0x0e)
    	[ 0f:cc ]
        804e9070-804e9074  5 bytes - nt!ExIsResourceAcquiredExclusiveLite+b (+0x2f55)
    	[ fa 8b 4d 08 32:e9 eb a8 e8 39 ]
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
        804e9175-804e9179  5 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x105)
    	[ fa 8b 75 08 33:e9 a6 23 e9 39 ]
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
        804ecdae-804ecdb2  5 bytes - nt!KeRestoreFloatingPointState+79 (+0x3c39)
    	[ fa f6 03 01 0f:e9 55 63 ea 39 ]
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    Page 210f not present in the dump file. Type ".hh dbgerr004" for details
        804ece88-804ece8c  5 bytes - nt!KeSaveFloatingPointState+9f (+0xda)
    	[ fa 0f 20 c0 8b:e9 e3 65 ea 39 ]
        804ed809-804ed80d  5 bytes - nt!CcGetActiveVacb+5 (+0x981)
    	[ fa 8b 45 08 8b:e9 fa 55 e8 39 ]
        804ee842-804ee845  4 bytes - nt!ExIsResourceAcquiredSharedLite+c (+0x1039)
    	[ fa 8b 4d 08:e9 c9 4e e8 ]
        804ef1dc-804ef1e0  5 bytes - nt!CcSetActiveVacb+7 (+0x99a)
    	[ fa 8b 45 08 83:e9 97 49 e9 39 ]
        804f04d6-804f04da  5 bytes - nt!ExReleaseResourceForThreadLite+8 (+0x12fa)
    	[ fa 8b 45 08 66:e9 3d 2f e9 39 ]
        804f0848-804f084c  5 bytes - nt!ExDisableResourceBoostLite+5 (+0x372)
    	[ fa 8b 45 08 80:e9 03 29 e8 39 ]
        804f0c78 - nt!ExAcquireSharedStarveExclusive+f (+0x430)
    	[ fa:cc ]
        804f0e29-804f0e2d  5 bytes - nt!ExSetResourceOwnerPointer+c (+0x1b1)
    	[ fa 8b 75 08 f6:e9 52 2b e9 39 ]
        804f1570-804f1574  5 bytes - nt!ExpAllocateExclusiveWaiterEvent+65 (+0x747)
    	[ fa 5f 5e 5b c9:e9 43 35 e5 39 ]
        804fbc61-804fbc65  5 bytes - nt!ExpFindCurrentThread+10d (+0xa6f1)
    	[ fa 8b 75 f8 8b:e9 6a a2 e4 39 ]
        804fbccb - nt!ExpFindCurrentThread+187 (+0x6a)
    	[ fa:cc ]
    Page 214b not present in the dump file. Type ".hh dbgerr004" for details
        804fbd2f-804fbd33  5 bytes - nt!ExpAllocateSharedWaiterSemaphore+5e (+0x64)
    	[ fa 5f 5e c9 c2:e9 14 a5 e4 39 ]
    Page 214b not present in the dump file. Type ".hh dbgerr004" for details
    Page 214b not present in the dump file. Type ".hh dbgerr004" for details
    Page 214b not present in the dump file. Type ".hh dbgerr004" for details
    Page 214b not present in the dump file. Type ".hh dbgerr004" for details
    Page 214b not present in the dump file. Type ".hh dbgerr004" for details
    Page 214b not present in the dump file. Type ".hh dbgerr004" for details
        804fc679-804fc67f  7 bytes - nt!NtYieldExecution (+0x94a)
    	[ 83 3d 6c 19 55 80 00:e9 c6 e5 69 77 90 90 ]
        804fd0ae-804fd0b2  5 bytes - nt!KeRemoveQueueDpc+6 (+0xa35)
    	[ fa 8b 45 08 8b:e9 75 04 e9 39 ]
        8050314d-80503151  5 bytes - nt!ExConvertExclusiveToSharedLite+5 (+0x609f)
    	[ fa 8b 45 08 66:e9 5e a7 e7 39 ]
        8050bf37-8050bf3b  5 bytes - nt!IoStartTimer+17 (+0x8dea)
    	[ fa 66 83 78 02:e9 dc 3b e7 39 ]
    WARNING: !chkimg output was truncated to 50 lines. Invoke !chkimg without '-lo [num_lines]' to view  entire output.
        805684d5-805684d9  5 bytes - nt!NtOpenKey
    	[ 68 94 00 00 00:e9 d6 26 63 77 ]
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
        8056f063-8056f067  5 bytes - nt!NtCreateKey (+0x6b8e)
    	[ 68 c4 00 00 00:e9 5c bb 62 77 ]
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
        80573789-8057378d  5 bytes - nt!NtUnmapViewOfSection (+0x4726)
    	[ 8b ff 55 8b ec:e9 e2 74 62 77 ]
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
        80573c04-80573c0a  7 bytes - nt!NtMapViewOfSection (+0x47b)
    	[ 6a 44 68 e0 30 4f 80:e9 51 70 62 77 90 90 ]
    Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
    Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
        8057459e-805745a2  5 bytes - nt!NtOpenProcess (+0x99a)
    	[ 68 c4 00 00 00:e9 e5 65 62 77 ]
        80575527-8057552d  7 bytes - nt!NtSetValueKey (+0xf89)
    	[ 6a 5c 68 b8 f2 4e 80:e9 ee 56 62 77 90 90 ]
        8058ae1e-8058ae22  5 bytes - nt!NtTerminateProcess (+0x158f7)
    	[ 8b ff 55 8b ec:e9 61 fe 60 77 ]
        80597430-80597436  7 bytes - nt!NtDeleteValueKey (+0xc612)
    	[ 6a 48 68 f0 ee 4f 80:e9 cf 37 60 77 90 90 ]
        80597c0a-80597c0e  5 bytes - nt!NtOpenThread (+0x7da)
    	[ 68 c0 00 00 00:e9 8d 2f 60 77 ]
        8059d6bd-8059d6c3  7 bytes - nt!NtDeleteKey (+0x5ab3)
    	[ 6a 38 68 50 ef 4f 80:e9 16 d5 5f 77 90 90 ]
        8059db78-8059db7c  5 bytes - nt!NtSetSecurityObject (+0x4bb)
    	[ 8b ff 55 8b ec:e9 b3 d0 5f 77 ]
        8064d39f-8064d3a5  7 bytes - nt!NtRenameKey (+0xaf827)
    	[ 6a 34 68 00 aa 52 80:e9 4a d8 54 77 90 90 ]
    302 errors : !nt (804d90c9-8064d3a5)
    
    MODULE_NAME: memory_corruption
    
    IMAGE_NAME:  memory_corruption
    
    FOLLOWUP_NAME:  memory_corruption
    
    MEMORY_CORRUPTOR:  LARGE
    
    FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE
    
    BUCKET_ID:  MEMORY_CORRUPTION_LARGE
    
    Followup: memory_corruption
    ---------
    IRP Output:

    Code:
    kd> !irp 88e239f8
    Irp is active with 2 stacks 4 is current (= 00000000)
     No Mdl: System buffer=8976a7b8: Thread 8960e7fc:  Irp is completed.  
         cmd  flg cl Device   File     Completion-Context
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
    			Args: 00000000 00000000 00000000 00000000
     [  e, 0]   0  0 89817030 00000000 00000000-00000000    
    	       \Driver\NinjaDriver
    			Args: 00000000 00000000 00000000 00000000
    Stack Frame
    Code:
    kd> kb
    ChildEBP RetAddr  Args to Child              
    b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
    b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
    b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
    b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
    b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
    b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
    b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
    b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
    b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123  <-- IDA disassembly of this function is in the next section
    b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
    b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
    b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
    b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
    b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
    b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
    b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
    00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab
    IDA disassembly of NinjaDriver+0x1123 is below. It was seen at the DriverEntry point that the function below is the IRP_MJ_QUERY_SECURITY dispatch routine of NinjaDriver.

    Code:
    .text:F7432080 ; int __stdcall IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE(int, PIRP Irp)
    .text:F7432080 IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE proc near
    .text:F7432080                                         ; CODE XREF: call_crash_function+78p
    .text:F7432080                                         ; DATA XREF: DriverEntry+D2o
    .text:F7432080
    .text:F7432080 var_4           = dword ptr -4
    .text:F7432080 arg_0           = dword ptr  8
    .text:F7432080 Irp             = dword ptr  0Ch
    .text:F7432080
    .text:F7432080                 push    ebp
    .text:F7432081                 mov     ebp, esp
    .text:F7432083                 push    ecx
    .text:F7432084                 mov     eax, [ebp+arg_0]
    .text:F7432087                 mov     ecx, [eax+28h]
    .text:F743208A                 push    esi
    .text:F743208B                 push    edi
    .text:F743208C                 mov     edi, [ebp+Irp]
    .text:F743208F                 mov     eax, [edi+60h]
    .text:F7432092                 mov     edx, [eax+0Ch]
    .text:F7432095                 mov     esi, [eax+8]
    .text:F7432098                 mov     eax, [eax+18h]
    .text:F743209B                 mov     [ebp+var_4], 0
    .text:F74320A2                 mov     [ebp+arg_0], 0
    .text:F74320A9                 test    eax, eax
    .text:F74320AB                 jz      short loc_F74320B4
    .text:F74320AD                 mov     eax, [eax+0Ch]
    .text:F74320B0                 test    eax, eax
    .text:F74320B2                 jnz     short loc_F74320BA
    .text:F74320B4
    .text:F74320B4 loc_F74320B4:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+2Bj
    .text:F74320B4                 mov     eax, [ecx+1F0h]
    .text:F74320BA
    .text:F74320BA loc_F74320BA:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+32j
    .text:F74320BA                 push    ebx
    .text:F74320BB                 lea     ebx, [ebp+Irp]
    .text:F74320BE                 push    ebx
    .text:F74320BF                 mov     ebx, [edi+0Ch]
    .text:F74320C2                 push    esi
    .text:F74320C3                 push    ebx
    .text:F74320C4                 push    eax
    .text:F74320C5                 push    ecx
    .text:F74320C6                 push    edx
    .text:F74320C7                 call    Swith_Case_statement
    .text:F74320CC                 pop     ebx
    .text:F74320CD                 test    eax, eax
    .text:F74320CF                 js      short loc_F74320ED
    .text:F74320D1                 mov     eax, [ebp+Irp]
    .text:F74320D4                 cmp     eax, esi
    .text:F74320D6                 jbe     short loc_F74320E1
    .text:F74320D8                 mov     eax, esi
    .text:F74320DA                 mov     esi, 0C0000023h
    .text:F74320DF                 jmp     short loc_F74320E4
    .text:F74320E1 ; ---------------------------------------------------------------------------
    .text:F74320E1
    .text:F74320E1 loc_F74320E1:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+56j
    .text:F74320E1                 mov     esi, [ebp+var_4]
    .text:F74320E4
    .text:F74320E4 loc_F74320E4:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+5Fj
    .text:F74320E4                 test    eax, eax
    .text:F74320E6                 jz      short loc_F7432110
    .text:F74320E8                 mov     [ebp+arg_0], eax
    .text:F74320EB                 jmp     short loc_F7432110
    .text:F74320ED ; ---------------------------------------------------------------------------
    .text:F74320ED
    .text:F74320ED loc_F74320ED:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+4Fj
    .text:F74320ED                 cmp     eax, 0FFFFFFDBh
    .text:F74320F0                 jz      short loc_F743210B
    .text:F74320F2                 cmp     eax, 0FFFFFFFEh
    .text:F74320F5                 jz      short loc_F743210B
    .text:F74320F7                 sub     eax, 0FFFFFFCAh
    .text:F74320FA                 neg     eax
    .text:F74320FC                 sbb     eax, eax
    .text:F74320FE                 and     eax, 0FFFFFDFBh
    .text:F7432103                 lea     esi, [eax-3FFFFDFAh]
    .text:F7432109                 jmp     short loc_F7432110
    .text:F743210B ; ---------------------------------------------------------------------------
    .text:F743210B
    .text:F743210B loc_F743210B:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+70j
    .text:F743210B                                         ; IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+75j
    .text:F743210B                 mov     esi, 0C000000Dh
    .text:F7432110
    .text:F7432110 loc_F7432110:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+66j
    .text:F7432110                                         ; IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+6Bj ...
    .text:F7432110                 mov     ecx, [ebp+arg_0]
    .text:F7432113                 mov     [edi+1Ch], ecx
    .text:F7432116                 xor     dl, dl          ; PriorityBoost
    .text:F7432118                 mov     ecx, edi        ; Irp
    .text:F743211A                 mov     [edi+18h], esi
    .text:F743211D                 call    ds:IofCompleteRequest ; The IoCompleteRequest routine indicates that the caller has completed all processing for a given I/O request and is returning the given IRP to the I/O manager.
    .text:F7432123                 pop     edi
    .text:F7432124                 mov     eax, esi
    .text:F7432126                 pop     esi
    .text:F7432127                 mov     esp, ebp
    .text:F7432129                 pop     ebp
    .text:F743212A                 retn    8
    .text:F743212A IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE endp
    Please let me know if you need more info.

    Thanks,
    Last edited by debasishm89; March 12th, 2014 at 05:19. Reason: added disassembly
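The following is an added example in the editor's voice; it is not code from the thread, from NinjaDriver or from the Ninja module. Two things in the dump above make the reconstruction possible. First, x86 `kb` prints the first three stack arguments of each frame, and for the `nt!NtDeviceIoControlFile` frame (ChildEBP b8048af8) they are `00000090 00000000 00000000`, which are FileHandle, Event and ApcRoutine; the remaining seven (ApcContext, IoStatusBlock, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength) sit directly after them, so `dd b8048af8+8 La` prints the whole call, provided that frame is EBP-based (the sensible FileHandle suggests it is). Second, the `!irp` line `No Mdl: System buffer=8976a7b8` is the shape of a METHOD_BUFFERED request, so `db 8976a7b8 L<InputBufferLength>` shows the bytes the driver saw; the user-mode InputBuffer itself is not in a kernel memory dump, and the driver may already have overwritten part of the system buffer with its output. The Args of the driver's stack location print as zeros in the `!irp` output, so the frame is the better source for the code and lengths. The `!chkimg` output also explains the Ninja frames: `nt!KiServiceTable+108` originally held `8057fbd0`, which is nt!NtDeviceIoControlFile (kb's return address 8057fbfa is NtDeviceIoControlFile+0x2a), and now holds `b6e6a640`, inside Ninja's range, so Ninja is a service-table hook forwarding to the original; that does not change where the arguments sit. The program below takes the ten dwords as `dd` prints them (a constructed sample, not values from this dump), splits the control code into its CTL_CODE fields, checks that the method agrees with the No Mdl/System buffer shape, applies the range rule that ProbeForRead/ProbeForWrite apply to a user-mode caller (including the detail that a zero-length buffer is never probed at all), and on Windows replays the call. The device path is a placeholder, since the thread does not name the symbolic link; run the replay only in a throwaway VM with a kernel debugger attached.

```c
/* Added example (not code from the thread): rebuild the DeviceIoControl()
 * call from the NtDeviceIoControlFile frame of an x86 kernel dump, check it
 * against what !irp showed, and (on Windows) replay it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define METHOD_BUFFERED   0u
#define METHOD_IN_DIRECT  1u
#define METHOD_OUT_DIRECT 2u
#define METHOD_NEITHER    3u

/* 32-bit MmUserProbeAddress: ProbeForRead/ProbeForWrite reject a range that
 * reaches it, but return immediately when the length is zero. */
#define MM_USER_PROBE_ADDRESS_X86 0x7fff0000u

/* NtDeviceIoControlFile arguments in stack order: what `dd <ChildEBP>+8 La`
 * prints for that frame. */
typedef struct {
    uint32_t FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock;
    uint32_t IoControlCode, InputBuffer, InputBufferLength;
    uint32_t OutputBuffer, OutputBufferLength;
} NtDioctlArgs;

typedef struct {
    uint16_t device_type;   /* bits 31..16 */
    uint8_t  access;        /* bits 15..14: 0=ANY, 1=READ, 2=WRITE, 3=both */
    uint16_t function;      /* bits 13..2  */
    uint8_t  method;        /* bits 1..0   */
} IoctlFields;

/* Split a control code into the fields the DDK CTL_CODE macro packs. */
IoctlFields decode_ioctl(uint32_t code)
{
    IoctlFields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xfffu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

/* Inverse of decode_ioctl, same formula as CTL_CODE. */
uint32_t ctl_code(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 3u) << 14) |
           ((uint32_t)(function & 0xfffu) << 2) | (method & 3u);
}

void args_from_dwords(const uint32_t dw[10], NtDioctlArgs *a)
{
    memcpy(a, dw, 10 * sizeof(uint32_t));
}

static const char *method_name(uint8_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3u];
}

/* A METHOD_BUFFERED IRP never carries an MDL; a METHOD_NEITHER IRP gets
 * neither a system buffer nor an MDL. A mismatch means the recovered code
 * is not the one this IRP was built from. */
int irp_shape_matches(uint8_t method, int has_system_buffer, int has_mdl)
{
    if (method == METHOD_BUFFERED) return !has_mdl;
    if (method == METHOD_NEITHER)  return !has_system_buffer && !has_mdl;
    return 1;   /* direct methods: an MDL appears only for a non-zero output length */
}

/* Mirror of the user-mode probe: the range must end below the probe address,
 * but a zero-length buffer is not looked at, whatever the pointer is. */
int probe_rejects(uint32_t addr, uint32_t len)
{
    uint64_t end;
    if (len == 0) return 0;
    end = (uint64_t)addr + len - 1;
    return end >= MM_USER_PROBE_ADDRESS_X86;
}

/* Print the call a repro must make and flag anything odd; returns the
 * number of warnings so the checks are testable without parsing output. */
int report(const NtDioctlArgs *a, int has_system_buffer, int has_mdl)
{
    IoctlFields f = decode_ioctl(a->IoControlCode);
    int warnings = 0;

    printf("DeviceIoControl(h=0x%x, 0x%08x, in=0x%08x/%u, out=0x%08x/%u)\n",
           (unsigned)a->FileHandle, (unsigned)a->IoControlCode,
           (unsigned)a->InputBuffer, (unsigned)a->InputBufferLength,
           (unsigned)a->OutputBuffer, (unsigned)a->OutputBufferLength);
    printf("  DeviceType=0x%x Function=0x%x Access=%u %s\n",
           f.device_type, f.function, f.access, method_name(f.method));

    if (!irp_shape_matches(f.method, has_system_buffer, has_mdl)) {
        puts("  WARN: method disagrees with the buffer layout !irp showed; wrong control code?");
        warnings++;
    }
    if (f.method != METHOD_NEITHER &&
        (probe_rejects(a->InputBuffer, a->InputBufferLength) ||
         probe_rejects(a->OutputBuffer, a->OutputBufferLength))) {
        puts("  WARN: a buffer fails the user-mode probe; this call could not reach the driver from user mode");
        warnings++;
    }
    if (f.method == METHOD_BUFFERED && a->OutputBuffer != 0 && a->OutputBufferLength == 0) {
        printf("  WARN: OutputBuffer 0x%08x has length 0, so it was never probed; on completion"
               " IoStatus.Information bytes are copied there unless the driver fails the request%s\n",
               (unsigned)a->OutputBuffer,
               a->OutputBuffer >= MM_USER_PROBE_ADDRESS_X86 ? " (and it is a kernel address)" : "");
        warnings++;
    }
    return warnings;
}

/* Constructed sample frame, NOT the values from this dump: kb shows only the
 * first three arguments of that frame, the rest need `dd b8048af8+8 La`. */
const uint32_t SAMPLE_FRAME[10] = {
    0x00000090, 0x00000000, 0x00000000, 0x00000000, 0x00f8fd40,
    0x00222004, 0x00f8fd50, 0x00000010, 0xffff0000, 0x00000000
};
/* Constructed stand-in for `db <SystemBuffer> L10`. */
const unsigned char SAMPLE_SYSBUF[16] = {
    0x01,0x00,0x00,0x00, 0x41,0x41,0x41,0x41, 0x42,0x42,0x42,0x42, 0xef,0xbe,0xad,0xde
};

int check_sample(void)
{
    NtDioctlArgs a;
    args_from_dwords(SAMPLE_FRAME, &a);
    return report(&a, /*has_system_buffer=*/1, /*has_mdl=*/0);
}

#ifdef _WIN32
#include <windows.h>
/* Placeholder: the thread does not give the symbolic link the driver creates;
 * take it from the driver's IoCreateSymbolicLink argument. */
#define DEVICE_PATH "\\\\.\\PLACEHOLDER_DEVICE"

/* Replay the call exactly, original OutputBuffer pointer and length included:
 * for the crash in the thread that pointer is the interesting part. */
int replay(const NtDioctlArgs *a, const unsigned char *input)
{
    DWORD returned = 0;
    BOOL ok;
    HANDLE h = CreateFileA(DEVICE_PATH, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                           OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return (int)GetLastError();
    ok = DeviceIoControl(h, a->IoControlCode,
                         (LPVOID)input, a->InputBufferLength,
                         (LPVOID)(uintptr_t)a->OutputBuffer, a->OutputBufferLength,
                         &returned, NULL);
    CloseHandle(h);
    return ok ? 0 : (int)GetLastError();
}
#endif

int main(void)
{
    int warnings = check_sample();
#ifdef _WIN32
    NtDioctlArgs a;
    args_from_dwords(SAMPLE_FRAME, &a);
    printf("replay: %d\n", replay(&a, SAMPLE_SYSBUF));
#endif
    return warnings;
}
```

On a dump from a 64-bit kernel the argument layout is different (the first four arguments travel in registers and the frame holds a home space), so the `dd ChildEBP+8` shortcut is x86-only; the decode and probe rules are the same.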

  10. #10
    Kayaker
    Quote Originally Posted by debasishm89
    PAGE_FAULT_IN_NONPAGED_AREA (50)

    Arg1: ffff0000, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.

    WRITE_ADDRESS: ffff0000
    Again, this seems to be pointing directly to the invalid OutputBuffer address. What exactly is it you're trying to determine? We've got no context, is this your code, someone else's borked code, someone else's code which should work but is for some unknown reason corrupted?

    You've got the IOCTL code, so should be able to find the call in the usermode app (since you seem to have the driver at least) to see if it's an obvious code error there.
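Added example, not code from the thread or from the driver: a user-mode model of what the disassembly in post #1 does with the length the switch hands back, next to the check most practitioners would expect there, and of what the I/O manager then does with that length. In the listing, `mov eax,[edi+60h]` loads Irp->Tail.Overlay.CurrentStackLocation; from that stack location the routine reads `[eax+0Ch]` (Parameters.DeviceIoControl.IoControlCode) and `[eax+8]` (InputBufferLength, kept in esi) but never `[eax+4]` (OutputBufferLength). After `call Swith_Case_statement` the length returned through the out-parameter at `[ebp+Irp]` is compared against esi, clamped to it with status 0C0000023h (STATUS_BUFFER_TOO_SMALL) when larger, and stored to `[edi+1Ch]`, Irp->IoStatus.Information, before IofCompleteRequest. For a METHOD_BUFFERED IRP the completion path (IopCompleteRequest, the frame in which this dump faults) copies IoStatus.Information bytes from the system buffer to Irp->UserBuffer, the caller's OutputBuffer pointer, unless the status is an error. So whether Information is bounded by OutputBufferLength decides whether that copy stays inside what the caller provided, which is why a repro should vary OutputBuffer and OutputBufferLength and not only the input bytes. The offsets are the 32-bit XP-era layouts of _IRP and _IO_STACK_LOCATION; the status constants are the ones in the listing.

```c
/* Added example (not code from the thread or the driver): a user-mode model
 * of the length handling in the disassembled dispatch routine and of the
 * copy-back the I/O manager performs when a METHOD_BUFFERED IRP completes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS          0x00000000u
#define STATUS_BUFFER_TOO_SMALL 0xC0000023u   /* constant at F74320DA */
#define NT_ERROR(s)             (((s) >> 30) == 3u)

/* The _IRP / _IO_STACK_LOCATION fields the routine touches (x86 offsets). */
typedef struct {
    uint32_t InputBufferLength;   /* IO_STACK_LOCATION+0x08, read into esi */
    uint32_t OutputBufferLength;  /* IO_STACK_LOCATION+0x04, never read    */
    uint32_t Status;              /* IRP+0x18 IoStatus.Status              */
    uint32_t Information;         /* IRP+0x1c IoStatus.Information         */
} ModelIrp;

typedef void (*CompleteFn)(ModelIrp *irp, uint32_t produced);

/* F74320D1..F743211D as disassembled: 'produced' is the byte count the switch
 * wrote back through [ebp+Irp]; it is bounded by InputBufferLength only. */
void complete_as_disassembled(ModelIrp *irp, uint32_t produced)
{
    uint32_t len = produced;
    uint32_t status = STATUS_SUCCESS;        /* var_4 */
    if (len > irp->InputBufferLength) {      /* cmp eax,esi ; jbe */
        len = irp->InputBufferLength;        /* mov eax,esi */
        status = STATUS_BUFFER_TOO_SMALL;    /* mov esi,0C0000023h */
    }
    irp->Information = len;                  /* mov [edi+1Ch],ecx */
    irp->Status = status;                    /* mov [edi+18h],esi */
}

/* The same step bounded by the length the caller actually provided. */
void complete_checked(ModelIrp *irp, uint32_t produced)
{
    if (produced > irp->OutputBufferLength) {
        irp->Information = 0;
        irp->Status = STATUS_BUFFER_TOO_SMALL;
        return;
    }
    irp->Information = produced;
    irp->Status = STATUS_SUCCESS;
}

/* Model of IopCompleteRequest for buffered I/O: unless the status is an
 * error, Information bytes go from SystemBuffer to Irp->UserBuffer.
 * Returns how many of those bytes land past the caller's OutputBufferLength,
 * i.e. how far the copy runs into memory the I/O manager never probed. */
uint32_t completion_overrun(const ModelIrp *irp)
{
    if (NT_ERROR(irp->Status)) return 0;
    if (irp->Information <= irp->OutputBufferLength) return 0;
    return irp->Information - irp->OutputBufferLength;
}

/* Run one completion variant for a call with the given lengths. */
uint32_t overrun_for(CompleteFn complete, uint32_t in_len, uint32_t out_len, uint32_t produced)
{
    ModelIrp irp;
    memset(&irp, 0, sizeof irp);
    irp.InputBufferLength = in_len;
    irp.OutputBufferLength = out_len;
    complete(&irp, produced);
    return completion_overrun(&irp);
}

int main(void)
{
    /* Constructed scenario: 16 input bytes, a non-NULL output pointer with
     * OutputBufferLength 0 (so it was never probed), handler produces 16 bytes. */
    printf("as disassembled: %u bytes written past the output buffer\n",
           (unsigned)overrun_for(complete_as_disassembled, 16, 0, 16));
    printf("checked:         %u bytes written past the output buffer\n",
           (unsigned)overrun_for(complete_checked, 16, 0, 16));
    return 0;
}
```

Note what the model does not say: it does not identify which IOCTL or which switch case produced the bytes in this crash, and a length the switch returns that is larger than InputBufferLength is turned into an error status, after which the I/O manager copies nothing. The overrun exists only on the success path, where Information is at most InputBufferLength but can exceed OutputBufferLength.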
