
IOCTL Input Buffer Content From Crash Dump + Windbg[BSOD]

debasishm89
Junior Member
Posts: 7
Joined: Tue Mar 04, 2014 1:04 am

Post by debasishm89 »

We know user-mode applications can pass an IOCTL code and a data buffer to kernel device drivers by calling the DeviceIoControl() API.

Code:
BOOL WINAPI DeviceIoControl(
  _In_         HANDLE hDevice,
  _In_         DWORD dwIoControlCode, <--Control Code
  _In_opt_     LPVOID lpInBuffer,  <- Input buffer pointer
  _In_         DWORD nInBufferSize, <- Input buffer size
  _Out_opt_    LPVOID lpOutBuffer,
  _In_         DWORD nOutBufferSize,
  _Out_opt_    LPDWORD lpBytesReturned,
  _Inout_opt_  LPOVERLAPPED lpOverlapped
);
I have a situation where a user-mode application sometimes passes an IOCTL buffer to a kernel driver, which causes a BSOD again and again. Every time I get a kernel memory dump for the BSOD.

So my question is: is it possible to find the exact malformed input buffer and IOCTL code that cause the BSOD from the kernel memory dump, so that I can reproduce the BSOD using a simple C program?

As you can see from the stack trace, it's crashing just after the NtDeviceIoControlFile call.

Code:
kd> kb
ChildEBP RetAddr  Args to Child              
b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123
b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab
Let me know if you need more info.


Thanks in Advance,
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Assuming you're free to work with more than just the crash dump, could you run the app under a remote VMware debugging session while logging all DeviceIoControl calls? The last DeviceIoControl in the trace log when the VM BSODs should be the culprit.

You should be able to do the same thing non-remotely, running under a debugger with a conditional breakpoint on DeviceIoControl, but you might have to step through the breaks manually, since automatic logging might not write the last log entry to file before the BSOD.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

From the output you posted it seems the dump is from XP SP3.

The WinAPI call is finally transferred to the system via nt!NtDeviceIoControlFile().

Looking at Gary Nebbett's prototype, it seems the control code is the 6th argument.

So you need to look around this area of memory (b8048af8) (deduce esp and look at the 6th dword from esp) for the control code,
and the 7th dword for the input buffer.

b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a


lkd> ln 8056e4de
(8056e4b4) nt!NtDeviceIoControlFile+0x2a | (8056e4e8) nt!NtFsControlFile


Code:
lkd> ub 8056e4de l3
nt!NtDeviceIoControlFile+0x1f:
8056e4d3 ff750c          push    dword ptr [ebp+0Ch]
8056e4d6 ff7508          push    dword ptr [ebp+8]
8056e4d9 e8ac710000      call    nt!IopXxxControlFile (8057568a)


lkd> uf 8056e4de

nt!NtDeviceIoControlFile:
8056e4b4 8bff            mov     edi,edi
8056e4b6 55              push    ebp
8056e4b7 8bec            mov     ebp,esp
8056e4b9 6a01            push    1
8056e4bb ff752c          push    dword ptr [ebp+2Ch] outbuff len
8056e4be ff7528          push    dword ptr [ebp+28h] out buff
8056e4c1 ff7524          push    dword ptr [ebp+24h] inbufflen
8056e4c4 ff7520          push    dword ptr [ebp+20h] inbuff
8056e4c7 ff751c          push    dword ptr [ebp+1Ch] IN ioControlCode
8056e4ca ff7518          push    dword ptr [ebp+18h] OUT ioStatusBlock 
8056e4cd ff7514          push    dword ptr [ebp+14h]  apc context (scan memory from ebp or esp from here)
8056e4d0 ff7510          push    dword ptr [ebp+10h] optional apc routine null
8056e4d3 ff750c          push    dword ptr [ebp+0Ch]  optional event null
8056e4d6 ff7508          push    dword ptr [ebp+8]   <-- 90 file handle in your stack
8056e4d9 e8ac710000      call    nt!IopXxxControlFile (8057568a)
8056e4de 5d              pop     ebp
8056e4df c22800          ret     28h


OK, the push 1 is accounted for; it seems to be a hardwired constant.

lkd> .fnent nt!NtDeviceIoControlFile
Debugger function entry 00cd2fd0 for:
(8056e4b4)   nt!NtDeviceIoControlFile   |  (8056e4e8)   nt!NtFsControlFile
Exact matches:
    nt!NtDeviceIoControlFile = <no type information>

OffStart:  000974b4
ProcSize:  0x2e
Prologue:  0x5
Params:    0n10 (0x28 bytes)
Locals:    0n0 (0x0 bytes)
Non-FPO


lkd> .fnent nt!IopXxxControlFile
Debugger function entry 00cd3010 for:
(8057568a)   nt!IopXxxControlFile   |  (80575cc0)   nt!IopBootLog
Exact matches:
    nt!IopXxxControlFile = <no type information>

OffStart:  0009e68a
ProcSize:  0x619
Prologue:  0xc
Params:    0n11 (0x2c bytes)
Locals:    0n30 (0x78 bytes)
Non-FPO
debasishm89
Junior Member
Posts: 7
Joined: Tue Mar 04, 2014 1:04 am

Post by debasishm89 »

Thanks @Kayaker for your reply.

@blabberer

Thanks for your response. I really appreciate your detailed explanation. Now I'm confused about one thing. When you say

"(b8048af8 ) (deduce esp and look at the 6th dword from esp ) for control code and 7th dword for input buffer"

Do you mean the d esp thing below, or do you mean to debug the kernel at run time by setting a breakpoint at nt!NtDeviceIoControlFile?

Actually I don't know exactly when the application is crashing. The only thing I have is the full kernel memory dump.

Explaining "(b8048af8 ) (deduce esp and look at the 6th dword from esp ) for control code and 7th dword for input buffer" would be very helpful.

Thanks in Advance,
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

d esp will not cut the cake.
When you do d esp it shows the esp of frame 1 (I hope you understand stack layout, frames and other jargon).

Each call in the stack has its own esp and ebp.

When I said deduce, I meant you need to go to the frame that contains the call you are interested in;
there WinDbg will show you the ebp.

Usually system calls have a prolog and epilog, so there would be a push ebp, mov ebp,esp ........ pop ebp, ret X sequence in each call.
So from the ebp you can scan dwords in memory, and somewhere between successive frame addresses you should be able to locate the return address and the arguments on the stack; the address that contains the return address was the esp at the moment the next call was made (manual stack walking).

Shit, I need a course in the teaching profession, it seems.

Did you follow anything?? At all?? Reply and ask the next question.


Before asking a question, your homework follows in the paste below.

Code:
|0:kd> .shell dir /s f:\deskback\*.dmp
 Directory of f:\deskback

15/06/2008  12:17            90,112 Mini061508-01.dmp
.shell: Process exited
Press ENTER to continue

||0:kd> .opendump f:\deskback\Mini061508-01.dmp

Loading Dump File [f:\deskback\Mini061508-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Opened 'f:\deskback\Mini061508-01.dmp'
||0:kd> !for_each_frame .frame /r @$Frame
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 a8cf4b4c 8051ef1d nt!MiReleasePageFileSpace+0x55
00 a8cf4b4c 8051ef1d nt!MiReleasePageFileSpace+0x55
eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=8051e9ef esp=a8cf4b3c ebp=a8cf4b4c iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!MiReleasePageFileSpace+0x55:
8051e9ef 213e            and     dword ptr [esi],edi  ds:0023:a5bf21a4=????????
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 a8cf4b84 8051f090 nt!MiDeletePte+0x499
01 a8cf4b84 8051f090 nt!MiDeletePte+0x499
eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=8051ef1d esp=a8cf4b54 ebp=a8cf4b84 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!MiDeletePte+0x499:
8051ef1d 85c0            test    eax,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 a8cf4c48 805164b7 nt!MiDeleteVirtualAddresses+0x164
02 a8cf4c48 805164b7 nt!MiDeleteVirtualAddresses+0x164
eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=8051f090 esp=a8cf4b8c ebp=a8cf4c48 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!MiDeleteVirtualAddresses+0x164:
8051f090 8945f4          mov     dword ptr [ebp-0Ch],eax ss:0010:a8cf4c3c=00000000
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 a8cf4cf4 805a6cd5 nt!MiRemoveMappedView+0x237
03 a8cf4cf4 805a6cd5 nt!MiRemoveMappedView+0x237
eax=8642f6b8 ebx=862ba110 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=805164b7 esp=a8cf4c50 ebp=a8cf4cf4 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!MiRemoveMappedView+0x237:
805164b7 85db            test    ebx,ebx
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 a8cf4d38 805a6dc4 nt!MiUnmapViewOfSection+0x12b
04 a8cf4d38 805a6dc4 nt!MiUnmapViewOfSection+0x12b
eax=8642f6b8 ebx=85ba4da0 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=805a6cd5 esp=a8cf4cfc ebp=a8cf4d38 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!MiUnmapViewOfSection+0x12b:
805a6cd5 8d8ecc000000    lea     ecx,[esi+0CCh]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
eax=8642f6b8 ebx=01240000 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=805a6dc4 esp=a8cf4d40 ebp=a8cf4d54 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!NtUnmapViewOfSection+0x54:
805a6dc4 8b4d0c          mov     ecx,dword ptr [ebp+0Ch] ss:0010:a8cf4d60=85ba4da0
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 a8cf4d54 7c90eb94 nt!KiFastCallEntry+0xf8
06 a8cf4d54 7c90eb94 nt!KiFastCallEntry+0xf8
eax=8642f6b8 ebx=01240000 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=8053c808 esp=a8cf4d5c ebp=a8cf4d64 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!KiFastCallEntry+0xf8:
8053c808 8be5            mov     esp,ebp
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 009dece4 00000000 0x7c90eb94
07 009dece4 00000000 0x7c90eb94
eax=007f3ba0 ebx=00000000 ecx=007f178c edx=007f3ba0 esi=00194cd0 edi=009decb8
eip=7c90eb94 esp=009debf4 ebp=009dece4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
001b:7c90eb94 ??              ???
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
||0:kd> kb
ChildEBP RetAddr  Args to Child              
a8cf4b4c 8051ef1d 00000020 fffe0cfc 013ac000 nt!MiReleasePageFileSpace+0x55
a8cf4b84 8051f090 c0009d60 013ac000 00000000 nt!MiDeletePte+0x499
a8cf4c48 805164b7 e19cfba0 0151ffff 00000000 nt!MiDeleteVirtualAddresses+0x164
a8cf4cf4 805a6cd5 85ba4da0 86251e00 a8cf4d64 nt!MiRemoveMappedView+0x237
a8cf4d38 805a6dc4 85a63808 864a3438 00000000 nt!MiUnmapViewOfSection+0x12b
a8cf4d54 8053c808 ffffffff 85ba4da0 009dece4 nt!NtUnmapViewOfSection+0x54
a8cf4d54 7c90eb94 ffffffff 85ba4da0 009dece4 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
debasishm89
Junior Member
Posts: 7
Joined: Tue Mar 04, 2014 1:04 am

Post by debasishm89 »

@blabberer

Thanks for your response. Based on your instruction, I tried the thing below to dump the context of each and every stack frame.

Code:
kd> !for_each_frame .frame /r @$Frame
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 b8048798 805246fb nt!KeBugCheckEx+0x1b
00 b8048798 805246fb nt!KeBugCheckEx+0x1b
eax=ffdff13c ebx=00000001 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
eip=805339ae esp=b8048780 ebp=b8048798 iopl=0         nv up ei ng nz na pe nc
cs=0009  ss=0011  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
nt!KeBugCheckEx+0x1b:
805339ae 5d              pop     ebp
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 b80487e4 804e1ff1 nt!MmAccessFault+0x6f5
01 b80487e4 804e1ff1 nt!MmAccessFault+0x6f5
eax=ffdff13c ebx=00000001 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
eip=805246fb esp=b80487a0 ebp=b80487e4 iopl=0         nv up ei ng nz na pe nc
cs=0009  ss=0011  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
nt!MmAccessFault+0x6f5:
805246fb 83bb3c02000010  cmp     dword ptr [ebx+23Ch],10h ds:0023:0000023d=????????
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 b80487e4 804ed0db nt!KiTrap0E+0xcc
02 b80487e4 804ed0db nt!KiTrap0E+0xcc
eax=ffdff13c ebx=8976a7b8 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
eip=804e1ff1 esp=b80487ec ebp=b80487fc iopl=0         nv up ei ng nz na pe nc
cs=0009  ss=0011  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
nt!KiTrap0E+0xcc:
804e1ff1 85c0            test    eax,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 b80488b4 804ed15a nt!IopCompleteRequest+0x92
03 b80488b4 804ed15a nt!IopCompleteRequest+0x92
eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
eip=804ed0db esp=b8048870 ebp=b80488b4 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopCompleteRequest+0x92:
0008:804ed0db f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 b8048904 806f2c0a nt!KiDeliverApc+0xb3
04 b8048904 806f2c0a nt!KiDeliverApc+0xb3
eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
eip=804ed15a esp=b80488bc ebp=b8048904 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!KiDeliverApc+0xb3:
0008:804ed15a 8d55d8          lea     edx,[ebp-28h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 b8048904 806ed0b3 hal!HalpApcInterrupt2ndEntry+0x31
05 b8048904 806ed0b3 hal!HalpApcInterrupt2ndEntry+0x31
eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
eip=806f2c0a esp=b804890c ebp=b804891c iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
hal!HalpApcInterrupt2ndEntry+0x31:
0008:806f2c0a e95190c839      jmp     ba37bc60
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 b8048990 804e59ec hal!KfLowerIrql+0x43
06 b8048990 804e59ec hal!KfLowerIrql+0x43
eax=806ed0b3 ebx=00000001 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=806ed0b3 esp=b8048990 ebp=b80489b0 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
hal!KfLowerIrql+0x43:
0008:806ed0b3 9d              popfd
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 b80489b0 804ed174 nt!KeInsertQueueApc+0x4b
07 b80489b0 804ed174 nt!KeInsertQueueApc+0x4b
eax=806ed0b3 ebx=00000001 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=804e59ec esp=b8048998 ebp=b80489b0 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
nt!KeInsertQueueApc+0x4b:
0008:804e59ec 5f              pop     edi
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
08 b80489e4 f7432123 nt!IopfCompleteRequest+0x1d8
08 b80489e4 f7432123 nt!IopfCompleteRequest+0x1d8
eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=804ed174 esp=b80489b8 ebp=b80489e4 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
nt!IopfCompleteRequest+0x1d8:
0008:804ed174 e91b71ffff      jmp     nt!IopfCompleteRequest+0xa9 (804e4294)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 b80489f8 804e3d77 NinjaDriver+0x1123
09 b80489f8 804e3d77 NinjaDriver+0x1123
eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=f7432123 esp=b80489ec ebp=b80489f8 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
NinjaDriver+0x1123:
0008:f7432123 5f              pop     edi
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0a b8048a08 8056a9ab nt!IopfCallDriver+0x31
0a b8048a08 8056a9ab nt!IopfCallDriver+0x31
eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=804e3d77 esp=b8048a00 ebp=b8048a1c iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
nt!IopfCallDriver+0x31:
0008:804e3d77 5e              pop     esi
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b b8048a1c 8057d9f7 nt!IopSynchronousServiceTail+0x60
0b b8048a1c 8057d9f7 nt!IopSynchronousServiceTail+0x60
eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=8056a9ab esp=b8048a10 ebp=b8048a1c iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
nt!IopSynchronousServiceTail+0x60:
0008:8056a9ab 807d1400        cmp     byte ptr [ebp+14h],0  ss:0010:b8048a30=00
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c b8048ac4 8057fbfa nt!IopXxxControlFile+0x611
0c b8048ac4 8057fbfa nt!IopXxxControlFile+0x611
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=8057d9f7 esp=b8048a24 ebp=b8048ac4 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
nt!IopXxxControlFile+0x611:
0008:8057d9f7 e8d650f6ff      call    nt!_SEH_epilog (804e2ad2)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Following the ESP of this frame I tried to get the control code and input buffer

0d b8048af8 b6e6a06f nt!NtDeviceIoControlFile+0x2a
0d b8048af8 b6e6a06f nt!NtDeviceIoControlFile+0x2a
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=8057fbfa esp=b8048acc ebp=b8048af8 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
nt!NtDeviceIoControlFile+0x2a:
0008:8057fbfa 5d              pop     ebp
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0e b8048b8c b6e6a5c3 Ninja+0x506f
0e b8048b8c b6e6a5c3 Ninja+0x506f
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=b6e6a06f esp=b8048b00 ebp=b8048b8c iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
Ninja+0x506f:
0008:b6e6a06f 8945cc          mov     dword ptr [ebp-34h],eax ss:0010:b8048b58=00000000
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0f b8048c80 b6e6ab9b Ninja+0x55c3
0f b8048c80 b6e6ab9b Ninja+0x55c3
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=b6e6a5c3 esp=b8048b94 ebp=b8048c80 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
Ninja+0x55c3:
0008:b6e6a5c3 0fb64dd3        movzx   ecx,byte ptr [ebp-2Dh] ss:0010:b8048c53=00
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
10 b8048d34 804df06b Ninja+0x5b9b
10 b8048d34 804df06b Ninja+0x5b9b
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=b6e6ab9b esp=b8048c88 ebp=b8048d34 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
Ninja+0x5b9b:
0008:b6e6ab9b 6a00            push    0
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
11 b8048d34 7c90ebab nt!KiFastCallEntry+0xf8
11 b8048d34 7c90ebab nt!KiFastCallEntry+0xf8
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=804df06b esp=b8048d3c ebp=b8048d64 iopl=0         nv up di ng nz ac pe nc
cs=0008  ss=0010  ds=b100  es=72bb  fs=3a38  gs=8964             efl=00000094
nt!KiFastCallEntry+0xf8:
0008:804df06b 8be5            mov     esp,ebp
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
12 00f8fd7c 00000000 0x7c90ebab
12 00f8fd7c 00000000 0x7c90ebab
eax=00f8fd3c ebx=00000000 ecx=00000101 edx=00000000 esi=00000000 edi=00785580
eip=7c90ebab esp=00f8fd1c ebp=00f8fd7c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010202
001b:7c90ebab ??              ???
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 b80489f8 804e3d77 NinjaDriver+0x1123
From the register context dump of the nt!NtDeviceIoControlFile (http://undocumented.ntinternals.net/Use ... lFile.html) frame I collected the stack pointer (esp) and tried to dump the dwords.

Code:
kd> dd b8048acc 
b8048acc  00000090 00000000 00000000 00000000
b8048adc  00f8fd58 0022a00c 00f8fdc8 0000001c
b8048aec  ffff0000 00000000 00000001 b8048b8c   ; this 1 is the value pushed by the PUSH 1 instruction at 0x8057fbd5 (nt!NtDeviceIoControlFile)
b8048afc  b6e6a06f 00000090 00000000 00000000
b8048b0c  00000000 00f8fd58 0022a00c 00f8fdc8
b8048b1c  0000001c ffff0000 00000000 8057a312
b8048b2c  b8048be8 b8048c84 8057a125 00000000
b8048b3c  00100002 00000000 00000003 00000000

Code:
kd> uf nt!NtDeviceIoControlFile
nt!NtDeviceIoControlFile:
8057fbd0 8bff            mov     edi,edi
8057fbd2 55              push    ebp
8057fbd3 8bec            mov     ebp,esp
8057fbd5 6a01            push    1
8057fbd7 ff752c          push    dword ptr [ebp+2Ch]
8057fbda ff7528          push    dword ptr [ebp+28h]
8057fbdd ff7524          push    dword ptr [ebp+24h]
8057fbe0 ff7520          push    dword ptr [ebp+20h]
8057fbe3 ff751c          push    dword ptr [ebp+1Ch]
8057fbe6 ff7518          push    dword ptr [ebp+18h]
8057fbe9 ff7514          push    dword ptr [ebp+14h]
8057fbec ff7510          push    dword ptr [ebp+10h]
8057fbef ff750c          push    dword ptr [ebp+0Ch]
8057fbf2 ff7508          push    dword ptr [ebp+8]
8057fbf5 e8dddbffff      call    nt!IopXxxControlFile (8057d7d7)
8057fbfa 5d              pop     ebp
8057fbfb c22800          ret     28h


Code:
kd> d 00f8fdc8
00f8fdc8  ???????? ???????? ???????? ????????
00f8fdd8  ???????? ???????? ???????? ????????
00f8fde8  ???????? ???????? ???????? ????????
00f8fdf8  ???????? ???????? ???????? ????????
00f8fe08  ???????? ???????? ???????? ????????
00f8fe18  ???????? ???????? ???????? ????????
00f8fe28  ???????? ???????? ???????? ????????
00f8fe38  ???????? ???????? ???????? ????????


Question 1:
So according to your earlier instruction, 0x0022a00c should be the IOCTL code and 0x00f8fdc8 the pointer to the input buffer that is possibly involved in the crash??

Question 2:

Now, if I send the same IOCTL code and input buffer from any user-mode application (CreateFileW!Kernel32, DeviceIoControl!Kernel32) to the device created by NinjaDriver, would I be able to reproduce the BSOD/crash?

Please let me know if I got you wrong or did anything wrong.

Thanks in Advance,
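An added example, not code from the thread: a small Python script that parses the dd output above, walks the nt!NtDeviceIoControlFile frame from its ebp (b8048af8) and names the ten arguments in the order of the push sequence shown in the disassembly. It also reads the same values from the esp WinDbg reports for that frame (b8048acc), which is the "6th and 7th dword from esp" route blabberer described, and checks that both views agree. The dd text is embedded as constructed sample input (bold markers and the trailing comment stripped); the parameter names follow the public NtDeviceIoControlFile prototype, and "????????" dwords (memory not present in the dump, as in the d 00f8fdc8 output) are handled as unknown rather than crashing the parser.

```python
import re

# Constructed sample input: the "dd b8048acc" output posted above, with the
# bold markers and trailing comment stripped so it parses cleanly.
DD_OUTPUT = """\
b8048acc  00000090 00000000 00000000 00000000
b8048adc  00f8fd58 0022a00c 00f8fdc8 0000001c
b8048aec  ffff0000 00000000 00000001 b8048b8c
b8048afc  b6e6a06f 00000090 00000000 00000000
b8048b0c  00000000 00f8fd58 0022a00c 00f8fdc8
b8048b1c  0000001c ffff0000 00000000 8057a312
b8048b2c  b8048be8 b8048c84 8057a125 00000000
b8048b3c  00100002 00000000 00000003 00000000
"""

# nt!NtDeviceIoControlFile takes ten stack arguments ("ret 28h"); the push
# sequence in the disassembly ([ebp+8] ... [ebp+2Ch]) gives this order.
NT_DIOC_PARAMS = [
    "FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock",
    "IoControlCode", "InputBuffer", "InputBufferLength",
    "OutputBuffer", "OutputBufferLength",
]

_DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F?]{8}\s*)+)$")


def parse_dd(text):
    """Turn WinDbg 'dd' output into {address: dword}.  Dwords printed as
    '????????' (memory not in the dump, e.g. a paged-out user page, as in
    the 'd 00f8fdc8' output above) are stored as None."""
    mem = {}
    for line in text.splitlines():
        m = _DD_LINE.match(line.split(";")[0])      # ignore trailing comments
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            mem[base + 4 * i] = None if tok.startswith("?") else int(tok, 16)
    return mem


def read_dword(mem, addr):
    if addr not in mem:
        raise KeyError(f"address {addr:08x} is not in the dump excerpt")
    return mem[addr]


def frame_from_ebp(mem, ebp, nargs):
    """A 'push ebp / mov ebp,esp' frame: [ebp] holds the caller's ebp,
    [ebp+4] the return address into the caller, [ebp+8...] the arguments."""
    return {
        "saved_ebp": read_dword(mem, ebp),
        "return_address": read_dword(mem, ebp + 4),
        "args": [read_dword(mem, ebp + 8 + 4 * i) for i in range(nargs)],
    }


def recover_nt_dioc_args(mem, ebp):
    """Name the ten NtDeviceIoControlFile arguments of the frame whose ebp is given."""
    frame = frame_from_ebp(mem, ebp, len(NT_DIOC_PARAMS))
    named = dict(zip(NT_DIOC_PARAMS, frame["args"]))
    named["_return_address"] = frame["return_address"]   # b6e6a06f = Ninja+0x506f
    named["_saved_ebp"] = frame["saved_ebp"]
    return named


def args_at_esp(mem, esp, count):
    """The callee-side view.  In the '.frame /r' listing above the esp shown
    for frame 0d (b8048acc) equals frame 0c's ChildEBP (b8048ac4) + 8, i.e.
    the address of the first argument NtDeviceIoControlFile pushed for its
    call to nt!IopXxxControlFile.  blabberer's '6th dword from esp' is
    index 5 here, the '7th dword' index 6."""
    return [read_dword(mem, esp + 4 * i) for i in range(count)]


def main():
    mem = parse_dd(DD_OUTPUT)
    args = recover_nt_dioc_args(mem, 0xB8048AF8)      # ebp of frame 0d above
    for name in NT_DIOC_PARAMS:
        print(f"{name:<20} {args[name]:08x}")
    # IopXxxControlFile takes 11 arguments (.fnent: 0x2c bytes); the 11th is the "push 1".
    callee = args_at_esp(mem, 0xB8048ACC, 11)
    assert callee[:10] == [args[n] for n in NT_DIOC_PARAMS]
    print(f"IopXxxControlFile extra argument: {callee[10]}")


if __name__ == "__main__":
    main()
```

Both views give the same ten values, and the eleventh dword from esp is the hardwired 1 blabberer accounted for; the return address at [ebp+4] is the Ninja+0x506f address from the kb listing, which confirms the frame was walked correctly.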
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Nice detective work both ways. I don't know if this is relevant to the BSOD, but notice that OutputBuffer is non-NULL (oddly defined as 0xffff0000), but OutputBufferLength is 0.

IopXxxControlFile may be handled similarly to this ReactOS source for IopDeviceFsIoControl.

http://doxygen.reactos.org/d5/de1/iofun ... b9109.html

I'm wondering if the error of an output buffer with zero length isn't handled gracefully, whether that might cause problems.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Code:
!decodeioctl 22a00c

IoControlCode = 22A00C
Device = UNKNOWN
Function = 00000803
Access = FILE_WRITE_ACCESS
Method = METHOD_BUFFERED

lkd>


The input buffer may have been swapped out, hence the ????????.

The output buffer does not seem to point to a valid address (if it is a user-space address it is invalid, > 0xffff0000;
if it is a kernel-space address it doesn't seem to lie within the paged / non-paged pool limits).

I am not sure of the semantics off the top of my head,

but logically, for write access from user mode you may need to provide a buffer that would be validated by the kernel and locked until it is discarded by some trigger.

Also, your output buffer length seems to be null, so "where are you writing?" seems to be a valid question.

Whether you can reproduce a crash depends on various factors; you may need to experiment with it.

The input buffer address seems to point to a user-mode address (below 0x7fffffff), so questions like "is the buffer probed and locked?" and "at what IRQL?" arise, which you may need to ascertain to produce a duplicate crash.

What is the conclusion of !analyze -v?
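An added example, not from the thread: the field split that !decodeioctl performs above, written out in Python together with its inverse (the WDK CTL_CODE macro), plus a sanity pass over the recovered buffer arguments that reports the conditions Kayaker and blabberer pointed out (non-NULL output buffer with zero length, output pointer outside the user range, input pointer in user space whose page may be missing from the dump). The request values are the ones recovered from dd b8048acc earlier; the device-type table only covers 0x22 (FILE_DEVICE_UNKNOWN, the one this thread needs); the address-range constants are the x86 defaults without /3GB; and the SystemBuffer remark is the general METHOD_BUFFERED rule, not something the dump itself establishes. The script reports, it does not diagnose the root cause.

```python
# Constructed from the argument values recovered earlier in the thread
# (dd b8048acc, frame 0d of the NtDeviceIoControlFile call).
REQUEST = {
    "IoControlCode": 0x0022A00C,
    "InputBuffer": 0x00F8FDC8,
    "InputBufferLength": 0x1C,
    "OutputBuffer": 0xFFFF0000,
    "OutputBufferLength": 0x0,
}

# Field layout produced by the WDK CTL_CODE macro:
#   bits 31..16 DeviceType | 15..14 RequiredAccess | 13..2 Function | 1..0 TransferType
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
DEVICE_TYPE_NAMES = {0x22: "FILE_DEVICE_UNKNOWN"}   # only the value this thread needs; extend as required

# x86 with the default 2 GB / 2 GB split (no /3GB): user pages end at
# MmHighestUserAddress, kernel space starts at MmSystemRangeStart.
MM_HIGHEST_USER_ADDRESS = 0x7FFEFFFF
MM_SYSTEM_RANGE_START = 0x80000000


def ctl_code(device_type, function, method, access):
    """Python equivalent of CTL_CODE(DeviceType, Function, Method, Access)."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Inverse of ctl_code; reproduces the fields !decodeioctl prints."""
    device_type = (code >> 16) & 0xFFFF
    return {
        "DeviceType": device_type,
        "DeviceTypeName": DEVICE_TYPE_NAMES.get(device_type, "UNKNOWN"),
        "Access": ACCESS_NAMES[(code >> 14) & 0x3],
        "Function": (code >> 2) & 0xFFF,
        "Method": METHOD_NAMES[code & 0x3],
    }


def classify_address(addr):
    if addr == 0:
        return "NULL"
    if addr <= MM_HIGHEST_USER_ADDRESS:
        return "user"
    if addr >= MM_SYSTEM_RANGE_START:
        return "kernel"
    return "no-access gap"     # 0x7FFF0000-0x7FFFFFFF is never mapped


def audit_buffers(req):
    """Report the oddities Kayaker and blabberer pointed out, plus where the
    input bytes may still be found when the user page is not in the dump."""
    findings = []
    ioctl = decode_ioctl(req["IoControlCode"])
    out, out_len = req["OutputBuffer"], req["OutputBufferLength"]
    inp, in_len = req["InputBuffer"], req["InputBufferLength"]
    if out != 0 and out_len == 0:
        findings.append(f"OutputBuffer {out:#010x} is non-NULL but OutputBufferLength is 0")
    out_kind = classify_address(out)
    if out != 0 and out_kind != "user":
        findings.append(f"OutputBuffer {out:#010x} is a {out_kind}-range address, not a user-mode one")
    if inp != 0 and classify_address(inp) == "user":
        findings.append(f"InputBuffer {inp:#010x} is a user-mode address; its page may be absent from a kernel dump")
    if ioctl["Method"] == "METHOD_BUFFERED" and in_len:
        findings.append(f"METHOD_BUFFERED: the I/O manager copied {in_len:#x} input bytes to "
                        "Irp->AssociatedIrp.SystemBuffer, so the IRP is where to look for them in a full dump")
    return findings


def main():
    ioctl = decode_ioctl(REQUEST["IoControlCode"])
    print(f"IoControlCode = {REQUEST['IoControlCode']:X}")
    for k, v in ioctl.items():
        print(f"  {k} = {v:#x}" if isinstance(v, int) else f"  {k} = {v}")
    for finding in audit_buffers(REQUEST):
        print("  !", finding)


if __name__ == "__main__":
    main()
```

For 0x22A00C the decode gives device type 0x22, function 0x803, FILE_WRITE_ACCESS and METHOD_BUFFERED, the same four fields as the !decodeioctl output above; the audit then lists the zero-length non-NULL output buffer and the kernel-range output pointer as the two anomalies in this request.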
debasishm89
Junior Member
Posts: 7
Joined: Tue Mar 04, 2014 1:04 am

Post by debasishm89 »

@Kayaker Actually I tried to send the same I/O control code, input buffer and output buffer length from user land using a C program, but it did not give me a crash. :(

@blabberer

It seems to be a POOL corruption.

The !analyze -v output is given below:

Code:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffff0000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 804ed0db, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
.....
.....
.....
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details

WRITE_ADDRESS:  ffff0000 

FAULTING_IP: 
nt!IopCompleteRequest+92
804ed0db f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

BUGCHECK_STR:  0x50

PROCESS_NAME:  NinjaUIServ.exe

IRP_ADDRESS:  88e239f8

DEVICE_OBJECT: 89817030

DRIVER_OBJECT: 8980b300

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAULTING_MODULE: f7431000 NinjaDriver

TRAP_FRAME:  b80487fc -- (.trap 0xffffffffb80487fc)
ErrCode = 00000002
eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
eip=804ed0db esp=b8048870 ebp=b80488b4 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopCompleteRequest+0x92:
0008:804ed0db f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER:  from 805246fb to 805339ae

STACK_TEXT:  
b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123
b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab


STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    804d90c9-804d90cd  5 bytes - nt!KiXMMIZeroPage+30
	[ fa f7 80 0c 02:e9 2a 1a ea 39 ]
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
    804d9545-804d9549  5 bytes - nt!ExAcquireResourceSharedLite+10 (+0x47c)
	[ fa 8b 75 08 33:e9 76 c4 e6 39 ]
    804dabaf-804dabb3  5 bytes - nt!KiChainedDispatch+28 (+0x166a)
	[ fa ff 15 dc 75:e9 5c 2b eb 39 ]
    804dbbdb-804dbbdf  5 bytes - nt!ExReleaseResourceLite+b (+0x102c)
	[ fa 66 8b 51 0e:e9 80 89 e6 39 ]
    804dbee9-804dbeed  5 bytes - nt!SwapContext+30 (+0x30e)
	[ fa 89 67 28 8b:e9 4a 82 e6 39 ]
    804dc0da-804dc0de  5 bytes - nt!KiIdleLoop+13 (+0x1f1)
	[ fa 3b 6d 00 74:e9 a9 79 e9 39 ]
    804dc180-804dc184  5 bytes - nt!KiRetireDpcList+4d (+0xa6)
	[ fa 3b 6d 00 75:e9 23 7d e9 39 ]
    804dc213-804dc217  5 bytes - nt!Ki386AdjustEsp0+1e (+0x93)
	[ fa 8b 15 40 f0:e9 28 64 e6 39 ]
    804dc22c-804dc230  5 bytes - nt!KiSetDebugActive+6 (+0x19)
	[ fa 88 48 2c 88:e9 ff a2 e6 39 ]
    804df07c-804df080  5 bytes - nt!KiServiceExit (+0x2e50)
	[ fa f7 45 70 00:e9 6f 36 e6 39 ]
    804df0de - nt!KiServiceExit+62 (+0x62)
	[ fa:cc ]
    804df224-804df228  5 bytes - nt!KiServiceExit2 (+0x146)
	[ fa f7 45 70 00:e9 47 4d ea 39 ]
    804df264 - nt!KiServiceExit2+40 (+0x40)
	[ fa:cc ]
    804df8fb-804df8ff  5 bytes - nt!KiExceptionExit (+0x697)
	[ fa f7 45 70 00:e9 e0 6c e6 39 ]
    804df93b - nt!Kei386EoiHelper+40 (+0x40)
	[ fa:cc ]
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    804e16ae - nt!VdmFixEspEbp+3 (+0x1d73)
	[ 0f:cc ]
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
    804e2825-804e2829  5 bytes - nt!KiFlushNPXState+4 (+0x1177)
	[ fa 8b 3d 1c f0:e9 5e 3b e6 39 ]
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e2e28-804e2e2b  4 bytes - nt!KiServiceTable+108 (+0x603)
	[ d0 fb 57 80:40 a6 e6 b6 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e31e9-804e31ed  5 bytes - nt!KiCallUserMode+54 (+0x3c1)
	[ fa 8b 0e 89 0c:e9 42 05 eb 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e32dc-804e32e0  5 bytes - nt!KeSwitchKernelStack+3e (+0xf3)
	[ fa 89 8a 68 01:e9 87 25 e6 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e337b-804e337f  5 bytes - nt!NtCallbackReturn+3b (+0x9f)
	[ fa 8b 35 04 f0:e9 58 05 eb 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e34a3-804e34a7  5 bytes - nt!ExfInterlockedAddUlong+1 (+0x128)
	[ fa 8b 01 01 11:e9 b8 a1 ea 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e34b4-804e34b8  5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x11)
	[ fa 8b 01 89 02:e9 ef 03 e9 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e34d1-804e34d5  5 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d)
	[ fa 8b 41 04 89:e9 c2 fb e8 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e34f2-804e34f6  5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21)
	[ fa 8b 01 3b c1:e9 51 a1 e9 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e3823-804e3827  5 bytes - nt!KeUpdateSystemTime+e6 (+0x331)
	[ fa ff 81 70 08:e9 18 52 e9 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
    804e3874-804e3878  5 bytes - nt!KeUpdateSystemTime+137 (+0x51)
	[ fa ff 15 dc 75:e9 df 25 e9 39 ]
Page 222c not present in the dump file. Type ".hh dbgerr004" for details
    804e3b54 - nt!ExAcquireResourceExclusiveLite+f (+0x2e0)
	[ fa:cc ]
Page 222c not present in the dump file. Type ".hh dbgerr004" for details
    804e6106 - nt!KiSaveProcessorControlState+75 (+0x25b2)
	[ 0f:cc ]
Page 222c not present in the dump file. Type ".hh dbgerr004" for details
    804e610d - nt!KiSaveProcessorControlState+7c (+0x07)
	[ 0f:cc ]
    804e611b - nt!KiSaveProcessorControlState+8a (+0x0e)
	[ 0f:cc ]
    804e9070-804e9074  5 bytes - nt!ExIsResourceAcquiredExclusiveLite+b (+0x2f55)
	[ fa 8b 4d 08 32:e9 eb a8 e8 39 ]
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    804e9175-804e9179  5 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x105)
	[ fa 8b 75 08 33:e9 a6 23 e9 39 ]
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    804ecdae-804ecdb2  5 bytes - nt!KeRestoreFloatingPointState+79 (+0x3c39)
	[ fa f6 03 01 0f:e9 55 63 ea 39 ]
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
    804ece88-804ece8c  5 bytes - nt!KeSaveFloatingPointState+9f (+0xda)
	[ fa 0f 20 c0 8b:e9 e3 65 ea 39 ]
    804ed809-804ed80d  5 bytes - nt!CcGetActiveVacb+5 (+0x981)
	[ fa 8b 45 08 8b:e9 fa 55 e8 39 ]
    804ee842-804ee845  4 bytes - nt!ExIsResourceAcquiredSharedLite+c (+0x1039)
	[ fa 8b 4d 08:e9 c9 4e e8 ]
    804ef1dc-804ef1e0  5 bytes - nt!CcSetActiveVacb+7 (+0x99a)
	[ fa 8b 45 08 83:e9 97 49 e9 39 ]
    804f04d6-804f04da  5 bytes - nt!ExReleaseResourceForThreadLite+8 (+0x12fa)
	[ fa 8b 45 08 66:e9 3d 2f e9 39 ]
    804f0848-804f084c  5 bytes - nt!ExDisableResourceBoostLite+5 (+0x372)
	[ fa 8b 45 08 80:e9 03 29 e8 39 ]
    804f0c78 - nt!ExAcquireSharedStarveExclusive+f (+0x430)
	[ fa:cc ]
    804f0e29-804f0e2d  5 bytes - nt!ExSetResourceOwnerPointer+c (+0x1b1)
	[ fa 8b 75 08 f6:e9 52 2b e9 39 ]
    804f1570-804f1574  5 bytes - nt!ExpAllocateExclusiveWaiterEvent+65 (+0x747)
	[ fa 5f 5e 5b c9:e9 43 35 e5 39 ]
    804fbc61-804fbc65  5 bytes - nt!ExpFindCurrentThread+10d (+0xa6f1)
	[ fa 8b 75 f8 8b:e9 6a a2 e4 39 ]
    804fbccb - nt!ExpFindCurrentThread+187 (+0x6a)
	[ fa:cc ]
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
    804fbd2f-804fbd33  5 bytes - nt!ExpAllocateSharedWaiterSemaphore+5e (+0x64)
	[ fa 5f 5e c9 c2:e9 14 a5 e4 39 ]
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
    804fc679-804fc67f  7 bytes - nt!NtYieldExecution (+0x94a)
	[ 83 3d 6c 19 55 80 00:e9 c6 e5 69 77 90 90 ]
    804fd0ae-804fd0b2  5 bytes - nt!KeRemoveQueueDpc+6 (+0xa35)
	[ fa 8b 45 08 8b:e9 75 04 e9 39 ]
    8050314d-80503151  5 bytes - nt!ExConvertExclusiveToSharedLite+5 (+0x609f)
	[ fa 8b 45 08 66:e9 5e a7 e7 39 ]
    8050bf37-8050bf3b  5 bytes - nt!IoStartTimer+17 (+0x8dea)
	[ fa 66 83 78 02:e9 dc 3b e7 39 ]
WARNING: !chkimg output was truncated to 50 lines. Invoke !chkimg without '-lo [num_lines]' to view  entire output.
    805684d5-805684d9  5 bytes - nt!NtOpenKey
	[ 68 94 00 00 00:e9 d6 26 63 77 ]
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    8056f063-8056f067  5 bytes - nt!NtCreateKey (+0x6b8e)
	[ 68 c4 00 00 00:e9 5c bb 62 77 ]
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
    80573789-8057378d  5 bytes - nt!NtUnmapViewOfSection (+0x4726)
	[ 8b ff 55 8b ec:e9 e2 74 62 77 ]
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
    80573c04-80573c0a  7 bytes - nt!NtMapViewOfSection (+0x47b)
	[ 6a 44 68 e0 30 4f 80:e9 51 70 62 77 90 90 ]
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
    8057459e-805745a2  5 bytes - nt!NtOpenProcess (+0x99a)
	[ 68 c4 00 00 00:e9 e5 65 62 77 ]
    80575527-8057552d  7 bytes - nt!NtSetValueKey (+0xf89)
	[ 6a 5c 68 b8 f2 4e 80:e9 ee 56 62 77 90 90 ]
    8058ae1e-8058ae22  5 bytes - nt!NtTerminateProcess (+0x158f7)
	[ 8b ff 55 8b ec:e9 61 fe 60 77 ]
    80597430-80597436  7 bytes - nt!NtDeleteValueKey (+0xc612)
	[ 6a 48 68 f0 ee 4f 80:e9 cf 37 60 77 90 90 ]
    80597c0a-80597c0e  5 bytes - nt!NtOpenThread (+0x7da)
	[ 68 c0 00 00 00:e9 8d 2f 60 77 ]
    8059d6bd-8059d6c3  7 bytes - nt!NtDeleteKey (+0x5ab3)
	[ 6a 38 68 50 ef 4f 80:e9 16 d5 5f 77 90 90 ]
    8059db78-8059db7c  5 bytes - nt!NtSetSecurityObject (+0x4bb)
	[ 8b ff 55 8b ec:e9 b3 d0 5f 77 ]
    8064d39f-8064d3a5  7 bytes - nt!NtRenameKey (+0xaf827)
	[ 6a 34 68 00 aa 52 80:e9 4a d8 54 77 90 90 ]
302 errors : !nt (804d90c9-8064d3a5)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

MEMORY_CORRUPTOR:  LARGE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------
IRP Output:

Code:


kd> !irp 88e239f8
Irp is active with 2 stacks 4 is current (= 00000000)
 No Mdl: System buffer=8976a7b8: Thread 8960e7fc:  Irp is completed.  
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

			Args: 00000000 00000000 00000000 00000000
 [  e, 0]   0  0 89817030 00000000 00000000-00000000    
	       \Driver\NinjaDriver
			Args: 00000000 00000000 00000000 00000000
Stack Frame

Code:

kd> kb
ChildEBP RetAddr  Args to Child              
b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123  <-- IDA disassembly of this function is shown in the next section
b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab
IDA disassembly of NinjaDriver+0x1123 is below. It was seen at the DriverEntry point that the function below is the IRP_MJ_QUERY_SECURITY dispatch routine of NinjaDriver.

Code:

.text:F7432080 ; int __stdcall IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE(int, PIRP Irp)
.text:F7432080 IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE proc near
.text:F7432080                                         ; CODE XREF: call_crash_function+78p
.text:F7432080                                         ; DATA XREF: DriverEntry+D2o
.text:F7432080
.text:F7432080 var_4           = dword ptr -4
.text:F7432080 arg_0           = dword ptr  8
.text:F7432080 Irp             = dword ptr  0Ch
.text:F7432080
.text:F7432080                 push    ebp
.text:F7432081                 mov     ebp, esp
.text:F7432083                 push    ecx
.text:F7432084                 mov     eax, [ebp+arg_0]
.text:F7432087                 mov     ecx, [eax+28h]
.text:F743208A                 push    esi
.text:F743208B                 push    edi
.text:F743208C                 mov     edi, [ebp+Irp]
.text:F743208F                 mov     eax, [edi+60h]
.text:F7432092                 mov     edx, [eax+0Ch]
.text:F7432095                 mov     esi, [eax+8]
.text:F7432098                 mov     eax, [eax+18h]
.text:F743209B                 mov     [ebp+var_4], 0
.text:F74320A2                 mov     [ebp+arg_0], 0
.text:F74320A9                 test    eax, eax
.text:F74320AB                 jz      short loc_F74320B4
.text:F74320AD                 mov     eax, [eax+0Ch]
.text:F74320B0                 test    eax, eax
.text:F74320B2                 jnz     short loc_F74320BA
.text:F74320B4
.text:F74320B4 loc_F74320B4:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+2Bj
.text:F74320B4                 mov     eax, [ecx+1F0h]
.text:F74320BA
.text:F74320BA loc_F74320BA:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+32j
.text:F74320BA                 push    ebx
.text:F74320BB                 lea     ebx, [ebp+Irp]
.text:F74320BE                 push    ebx
.text:F74320BF                 mov     ebx, [edi+0Ch]
.text:F74320C2                 push    esi
.text:F74320C3                 push    ebx
.text:F74320C4                 push    eax
.text:F74320C5                 push    ecx
.text:F74320C6                 push    edx
.text:F74320C7                 call    Swith_Case_statement
.text:F74320CC                 pop     ebx
.text:F74320CD                 test    eax, eax
.text:F74320CF                 js      short loc_F74320ED
.text:F74320D1                 mov     eax, [ebp+Irp]
.text:F74320D4                 cmp     eax, esi
.text:F74320D6                 jbe     short loc_F74320E1
.text:F74320D8                 mov     eax, esi
.text:F74320DA                 mov     esi, 0C0000023h
.text:F74320DF                 jmp     short loc_F74320E4
.text:F74320E1 ; ---------------------------------------------------------------------------
.text:F74320E1
.text:F74320E1 loc_F74320E1:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+56j
.text:F74320E1                 mov     esi, [ebp+var_4]
.text:F74320E4
.text:F74320E4 loc_F74320E4:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+5Fj
.text:F74320E4                 test    eax, eax
.text:F74320E6                 jz      short loc_F7432110
.text:F74320E8                 mov     [ebp+arg_0], eax
.text:F74320EB                 jmp     short loc_F7432110
.text:F74320ED ; ---------------------------------------------------------------------------
.text:F74320ED
.text:F74320ED loc_F74320ED:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+4Fj
.text:F74320ED                 cmp     eax, 0FFFFFFDBh
.text:F74320F0                 jz      short loc_F743210B
.text:F74320F2                 cmp     eax, 0FFFFFFFEh
.text:F74320F5                 jz      short loc_F743210B
.text:F74320F7                 sub     eax, 0FFFFFFCAh
.text:F74320FA                 neg     eax
.text:F74320FC                 sbb     eax, eax
.text:F74320FE                 and     eax, 0FFFFFDFBh
.text:F7432103                 lea     esi, [eax-3FFFFDFAh]
.text:F7432109                 jmp     short loc_F7432110
.text:F743210B ; ---------------------------------------------------------------------------
.text:F743210B
.text:F743210B loc_F743210B:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+70j
.text:F743210B                                         ; IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+75j
.text:F743210B                 mov     esi, 0C000000Dh
.text:F7432110
.text:F7432110 loc_F7432110:                           ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+66j
.text:F7432110                                         ; IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+6Bj ...
.text:F7432110                 mov     ecx, [ebp+arg_0]
.text:F7432113                 mov     [edi+1Ch], ecx
.text:F7432116                 xor     dl, dl          ; PriorityBoost
.text:F7432118                 mov     ecx, edi        ; Irp
.text:F743211A                 mov     [edi+18h], esi
.text:F743211D                 call    ds:IofCompleteRequest ; The IoCompleteRequest routine indicates that the caller has completed all processing for a given I/O request and is returning the given IRP to the I/O manager.
.text:F7432123                 pop     edi
.text:F7432124                 mov     eax, esi
.text:F7432126                 pop     esi
.text:F7432127                 mov     esp, ebp
.text:F7432129                 pop     ebp
.text:F743212A                 retn    8
.text:F743212A IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE endp
Please let me know if you need more info.

Thanks,
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

debasishm89 wrote: PAGE_FAULT_IN_NONPAGED_AREA (50)

Arg1: ffff0000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.

WRITE_ADDRESS: ffff0000
Again, this seems to be pointing directly to the invalid OutputBuffer address. What exactly is it you're trying to determine? We've got no context: is this your code, someone else's borked code, or someone else's code which should work but is for some unknown reason corrupted?

You've got the IOCTL code, so you should be able to find the call in the usermode app (since you seem to have the driver at least) to see if it's an obvious code error there.
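The IOCTL code Kayaker refers to carries the transfer method in its low two bits, and that method decides which IRP fields the caller's input and output buffers sit in (the "System buffer" that !irp printed above is where METHOD_BUFFERED and the two direct methods put the input data) and whether the I/O manager itself writes to the caller's output buffer when the IRP completes. The decoder below is an added example, not code from this thread or from NinjaDriver; the sample codes 0x222000 and 0x22C007 are constructed, the method constants mirror the WDK's definitions, and the buffer locations are the documented IRP and IO_STACK_LOCATION members.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout of a Windows I/O control code, as produced by the WDK CTL_CODE macro:
 *   bits 31..16  DeviceType
 *   bits 15..14  RequiredAccess (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1,
 *                FILE_WRITE_ACCESS=2, both=3)
 *   bits 13..2   Function (0x800..0xFFF are reserved for vendor-defined codes)
 *   bits  1..0   TransferType (the "method")
 * The enum mirrors the WDK values so the names read like the driver source.
 */
enum {
    METHOD_BUFFERED   = 0,
    METHOD_IN_DIRECT  = 1,
    METHOD_OUT_DIRECT = 2,
    METHOD_NEITHER    = 3
};

typedef struct {
    uint16_t device_type;
    uint8_t  access;
    uint16_t function;
    uint8_t  method;
} ioctl_fields;

/* Split a control code into its four fields. */
ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Same arithmetic as CTL_CODE(DeviceType, Function, Method, Access); used to
 * round-trip a decoded value or to rebuild a code seen in a dump. */
uint32_t encode_ioctl(ioctl_fields f)
{
    return ((uint32_t)f.device_type << 16) |
           ((uint32_t)(f.access & 0x3) << 14) |
           ((uint32_t)(f.function & 0xFFF) << 2) |
           (uint32_t)(f.method & 0x3);
}

/* Function numbers below 0x800 are reserved for Microsoft; a third-party
 * driver's private codes normally fall at or above it. */
int is_vendor_defined(uint32_t code)
{
    return decode_ioctl(code).function >= 0x800;
}

const char *method_name(uint8_t method)
{
    static const char *names[4] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
    };
    return method < 4 ? names[method] : "unknown";
}

/* Where the I/O manager places the caller's input data.  For the first three
 * methods it is the system buffer that !irp prints; with METHOD_NEITHER the
 * driver gets the raw user-mode pointer and must probe it itself. */
const char *input_buffer_location(uint8_t method)
{
    switch (method) {
    case METHOD_BUFFERED:
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT:
        return "Irp->AssociatedIrp.SystemBuffer";
    case METHOD_NEITHER:
        return "IrpSp->Parameters.DeviceIoControl.Type3InputBuffer";
    }
    return "unknown";
}

/* Where the caller's output data ends up.  METHOD_BUFFERED is the case in
 * which the I/O manager itself writes to the user's lpOutBuffer at
 * completion, copying IoStatus.Information bytes out of the system buffer. */
const char *output_buffer_location(uint8_t method)
{
    switch (method) {
    case METHOD_BUFFERED:
        return "Irp->AssociatedIrp.SystemBuffer, copied to Irp->UserBuffer on completion";
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT:
        return "Irp->MdlAddress (caller's pages locked and mapped)";
    case METHOD_NEITHER:
        return "Irp->UserBuffer (raw user-mode pointer)";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample code: FILE_DEVICE_UNKNOWN (0x22), function 0x800, buffered. */
    uint32_t code = 0x00222000u;
    ioctl_fields f = decode_ioctl(code);
    printf("0x%08X: device=0x%04X access=%u function=0x%03X %s\n",
           code, f.device_type, f.access, f.function, method_name(f.method));
    printf("  input : %s\n  output: %s\n",
           input_buffer_location(f.method), output_buffer_location(f.method));
    return 0;
}
```

Run it against the code taken from the dump (the third argument to nt!IopXxxControlFile in the kb output is the one WinDbg shows) and compare the reported input location with the address !irp printed as "System buffer"; if they disagree, the buffer you are looking at is not the one the driver read.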