Results 1 to 10 of 10

Thread: IOCTL Input Buffer Content From Crash Dump + Windbg[BSOD]

Threaded View

  1. #1

    IOCTL Input Buffer Content From Crash Dump + Windbg[BSOD]

    We know user mode applications can pass IOCTL code and data buffer to kernel device drivers by calling DeviceIoControl() API.

    BOOL WINAPI DeviceIoControl(
      _In_         HANDLE hDevice,
      _In_         DWORD dwIoControlCode, <--Control Code
      _In_opt_     LPVOID lpInBuffer,  <- Input buffer pointer
      _In_         DWORD nInBufferSize, <- Input buffer size
      _Out_opt_    LPVOID lpOutBuffer,
      _In_         DWORD nOutBufferSize,
      _Out_opt_    LPDWORD lpBytesReturned,
      _Inout_opt_  LPOVERLAPPED lpOverlapped
    I've a situation, where an user mode application sometime passing an IOCTL buffer to a Kernel driver and which is causing BSOD again and again. Every time i'm getting kernel memory dump for BSOD.

    So my question is, is it possible to find the exact malformed input buffer and IOCTL code which causes the BSOD from the Kernel memory dump so that I can reproduce the BSOD using simple C prog.

    As you can find from the stack trace, its crashing just after ntDeviceIoContrilFile call.

    kd> kb
    ChildEBP RetAddr  Args to Child              
    b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
    b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
    b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
    b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
    b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
    b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
    b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
    b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
    b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123
    b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
    b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
    b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
    b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
    b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
    b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
    b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
    00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab
    Let me know if need more info.

    Thanks in Advance,
    Last edited by debasishm89; March 10th, 2014 at 13:33. Reason: Added CODE highlighter

Similar Threads

  1. Text Input Box Grayed Out
    By Maze in forum The Newbie Forum
    Replies: 3
    Last Post: March 26th, 2009, 16:51
  2. IOCTL-Proxy
    By _g_ in forum Blogs Forum
    Replies: 7
    Last Post: December 31st, 2008, 03:12
  3. aMSN Input Validation Error
    By evilcry in forum Blogs Forum
    Replies: 2
    Last Post: February 7th, 2008, 03:29
  4. W32DASM Buffer Overflow
    By br00t_4_c in forum Tools of Our Trade (TOT) Messageboard
    Replies: 2
    Last Post: January 30th, 2005, 07:01
  5. IDA Buffer Overflow Vulnerability
    By ZaiRoN in forum Tools of Our Trade (TOT) Messageboard
    Replies: 5
    Last Post: January 26th, 2005, 12:54

Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts