IOCTL Input Buffer Content From Crash Dump + Windbg [BSOD]


debasishm89
March 7th, 2014, 07:00
We know user mode applications can pass an IOCTL code and a data buffer to kernel device drivers by calling the DeviceIoControl() API.

Code:
BOOL WINAPI DeviceIoControl(
_In_ HANDLE hDevice,
_In_ DWORD dwIoControlCode, <--Control Code
_In_opt_ LPVOID lpInBuffer, <- Input buffer pointer
_In_ DWORD nInBufferSize, <- Input buffer size
_Out_opt_ LPVOID lpOutBuffer,
_In_ DWORD nOutBufferSize,
_Out_opt_ LPDWORD lpBytesReturned,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);

I have a situation where a user mode application sometimes passes an IOCTL buffer to a kernel driver, which causes a BSOD again and again. Every time I get a kernel memory dump for the BSOD.

So my question is: is it possible to find the exact malformed input buffer and IOCTL code which causes the BSOD from the kernel memory dump, so that I can reproduce the BSOD using a simple C prog?

As you can see from the stack trace, it's crashing just after the nt!NtDeviceIoControlFile call.

Code:
kd> kb
ChildEBP RetAddr Args to Child
b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123
b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab


Let me know if you need more info.


Thanks in Advance,

Kayaker
March 7th, 2014, 10:52
Assuming you're free to work with more than just the crash dump, could you run the app under a remote VMWare debugging session, while logging all DeviceIoControl calls? The last DeviceIoControl in the trace log when the VM BSODs should be the culprit.

You should be able to do the same thing non-remotely, running under a debugger with a conditional breakpoint on DeviceIoControl, but you might have to step through the breaks manually since automatic logging might not write the last log entry to file before the BSOD.

blabberer
March 8th, 2014, 21:49
From the output you posted it seems the dump is from XP SP3.

The WinAPI call is finally transferred to the system via nt!NtDeviceIoControlFile().

Looking at Gary Nebbett's book for the prototype, it seems the control code is the 6th argument.

So you need to look around this area of memory (b8048af8) (deduce esp and look at the 6th dword from esp) for the control code,
and the 7th dword for the input buffer.

b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a


lkd> ln 8056e4de
(8056e4b4) nt!NtDeviceIoControlFile+0x2a | (8056e4e8) nt!NtFsControlFile



Code:
lkd> ub 8056e4de l3
nt!NtDeviceIoControlFile+0x1f:
8056e4d3 ff750c push dword ptr [ebp+0Ch]
8056e4d6 ff7508 push dword ptr [ebp+8]
8056e4d9 e8ac710000 call nt!IopXxxControlFile (8057568a)


lkd> uf 8056e4de

nt!NtDeviceIoControlFile:
8056e4b4 8bff mov edi,edi
8056e4b6 55 push ebp
8056e4b7 8bec mov ebp,esp
8056e4b9 6a01 push 1
8056e4bb ff752c push dword ptr [ebp+2Ch] outbuff len
8056e4be ff7528 push dword ptr [ebp+28h] out buff
8056e4c1 ff7524 push dword ptr [ebp+24h] inbufflen
8056e4c4 ff7520 push dword ptr [ebp+20h] inbuff
8056e4c7 ff751c push dword ptr [ebp+1Ch] IN ioControlCode
8056e4ca ff7518 push dword ptr [ebp+18h] OUT ioStatusBlock
8056e4cd ff7514 push dword ptr [ebp+14h] apc context (scan memory from ebp or esp from here)
8056e4d0 ff7510 push dword ptr [ebp+10h] optional apc routine null
8056e4d3 ff750c push dword ptr [ebp+0Ch] optional event null
8056e4d6 ff7508 push dword ptr [ebp+8] <-- 90 file handle in your stack
8056e4d9 e8ac710000 call nt!IopXxxControlFile (8057568a)
8056e4de 5d pop ebp
8056e4df c22800 ret 28h


OK, the push 1 is accounted for; it seems to be a hardwired constant.

lkd> .fnent nt!NtDeviceIoControlFile
Debugger function entry 00cd2fd0 for:
(8056e4b4) nt!NtDeviceIoControlFile | (8056e4e8) nt!NtFsControlFile
Exact matches:
nt!NtDeviceIoControlFile = <no type information>

OffStart: 000974b4
ProcSize: 0x2e
Prologue: 0x5
Params: 0n10 (0x28 bytes)
Locals: 0n0 (0x0 bytes)
Non-FPO


lkd> .fnent nt!IopXxxControlFile
Debugger function entry 00cd3010 for:
(8057568a) nt!IopXxxControlFile | (80575cc0) nt!IopBootLog
Exact matches:
nt!IopXxxControlFile = <no type information>

OffStart: 0009e68a
ProcSize: 0x619
Prologue: 0xc
Params: 0n11 (0x2c bytes)
Locals: 0n30 (0x78 bytes)
Non-FPO

debasishm89
March 10th, 2014, 13:30
Thanks @Kayaker for your reply.

@blabberer

Thanks for your response. I really appreciate your detailed explanation. Now I'm confused about one thing. When you say

"(b8048af8 ) (deduce esp and look at the 6th dword from esp ) for control code and 7th dword for input buffer"

do you mean the below thing, d esp, or do you mean to debug the kernel at run-time by setting a breakpoint at nt!NtDeviceIoControlFile?

Actually I don't know exactly when the application is crashing. The only thing I have is a full kernel memory dump.

Explaining "(b8048af8 ) (deduce esp and look at the 6th dword from esp ) for control code and 7th dword for input buffer" would be very helpful.

Thanks in Advance,

blabberer
March 11th, 2014, 06:01
d esp will not cut the cake.
When you do d esp it shows the esp of frame 1 (I hope you understand stack layout, frames and other jargon).

Each call in the stack has its own esp and ebp.

When I said deduce, I meant you need to go to the frame that contains the call you are interested in;
there windbg will show you the ebp.

If the call has a prolog and epilog (usually system calls do, so there would be a push ebp, mov ebp,esp ........ pop ebp, ret X sequence in each call),
then from the ebp you can scan dwords in memory, and somewhere between successive frame addresses you should be able to locate the return address and arguments in the stack; the address that contains the return address was the esp at the moment the next call was made (manual stack walking).

Shit, I need a course in the teaching profession, it seems.

Did you follow anything?? At all?? Reply and ask the next question.


Before asking a question, your homework follows in the paste below.

Code:


|0:kd> .shell dir /s f:\deskback\*.dmp
Directory of f:\deskback

15/06/2008 12:17 90,112 Mini061508-01.dmp
.shell: Process exited
Press ENTER to continue

||0:kd> .opendump f:\deskback\Mini061508-01.dmp

Loading Dump File [f:\deskback\Mini061508-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Opened 'f:\deskback\Mini061508-01.dmp'
||0:kd> !for_each_frame .frame /r @$Frame
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 a8cf4b4c 8051ef1d nt!MiReleasePageFileSpace+0x55
00 a8cf4b4c 8051ef1d nt!MiReleasePageFileSpace+0x55
eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=8051e9ef esp=a8cf4b3c ebp=a8cf4b4c iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiReleasePageFileSpace+0x55:
8051e9ef 213e and dword ptr [esi],edi ds:0023:a5bf21a4=????????
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 a8cf4b84 8051f090 nt!MiDeletePte+0x499
01 a8cf4b84 8051f090 nt!MiDeletePte+0x499
eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=8051ef1d esp=a8cf4b54 ebp=a8cf4b84 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiDeletePte+0x499:
8051ef1d 85c0 test eax,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 a8cf4c48 805164b7 nt!MiDeleteVirtualAddresses+0x164
02 a8cf4c48 805164b7 nt!MiDeleteVirtualAddresses+0x164
eax=8642f6b8 ebx=c0009d60 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=8051f090 esp=a8cf4b8c ebp=a8cf4c48 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiDeleteVirtualAddresses+0x164:
8051f090 8945f4 mov dword ptr [ebp-0Ch],eax ss:0010:a8cf4c3c=00000000
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 a8cf4cf4 805a6cd5 nt!MiRemoveMappedView+0x237
03 a8cf4cf4 805a6cd5 nt!MiRemoveMappedView+0x237
eax=8642f6b8 ebx=862ba110 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=805164b7 esp=a8cf4c50 ebp=a8cf4cf4 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiRemoveMappedView+0x237:
805164b7 85db test ebx,ebx
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 a8cf4d38 805a6dc4 nt!MiUnmapViewOfSection+0x12b
04 a8cf4d38 805a6dc4 nt!MiUnmapViewOfSection+0x12b
eax=8642f6b8 ebx=85ba4da0 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=805a6cd5 esp=a8cf4cfc ebp=a8cf4d38 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiUnmapViewOfSection+0x12b:
805a6cd5 8d8ecc000000 lea ecx,[esi+0CCh]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
eax=8642f6b8 ebx=01240000 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=805a6dc4 esp=a8cf4d40 ebp=a8cf4d54 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!NtUnmapViewOfSection+0x54:
805a6dc4 8b4d0c mov ecx,dword ptr [ebp+0Ch] ss:0010:a8cf4d60=85ba4da0
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 a8cf4d54 7c90eb94 nt!KiFastCallEntry+0xf8
06 a8cf4d54 7c90eb94 nt!KiFastCallEntry+0xf8
eax=8642f6b8 ebx=01240000 ecx=0000001c edx=00000000 esi=a5bf21a4 edi=efffffff
eip=8053c808 esp=a8cf4d5c ebp=a8cf4d64 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!KiFastCallEntry+0xf8:
8053c808 8be5 mov esp,ebp
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 009dece4 00000000 0x7c90eb94
07 009dece4 00000000 0x7c90eb94
eax=007f3ba0 ebx=00000000 ecx=007f178c edx=007f3ba0 esi=00194cd0 edi=009decb8
eip=7c90eb94 esp=009debf4 ebp=009dece4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
001b:7c90eb94 ?? ???
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 a8cf4d54 8053c808 nt!NtUnmapViewOfSection+0x54
||0:kd> kb
ChildEBP RetAddr Args to Child
a8cf4b4c 8051ef1d 00000020 fffe0cfc 013ac000 nt!MiReleasePageFileSpace+0x55
a8cf4b84 8051f090 c0009d60 013ac000 00000000 nt!MiDeletePte+0x499
a8cf4c48 805164b7 e19cfba0 0151ffff 00000000 nt!MiDeleteVirtualAddresses+0x164
a8cf4cf4 805a6cd5 85ba4da0 86251e00 a8cf4d64 nt!MiRemoveMappedView+0x237
a8cf4d38 805a6dc4 85a63808 864a3438 00000000 nt!MiUnmapViewOfSection+0x12b
a8cf4d54 8053c808 ffffffff 85ba4da0 009dece4 nt!NtUnmapViewOfSection+0x54
a8cf4d54 7c90eb94 ffffffff 85ba4da0 009dece4 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.

debasishm89
March 11th, 2014, 06:52
@blabberer

Thanks for your response. Based on your instructions, I tried the below to dump the context of each and every stack frame.

Code:

kd> !for_each_frame .frame /r @$Frame
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 b8048798 805246fb nt!KeBugCheckEx+0x1b
00 b8048798 805246fb nt!KeBugCheckEx+0x1b
eax=ffdff13c ebx=00000001 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
eip=805339ae esp=b8048780 ebp=b8048798 iopl=0 nv up ei ng nz na pe nc
cs=0009 ss=0011 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KeBugCheckEx+0x1b:
805339ae 5d pop ebp
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 b80487e4 804e1ff1 nt!MmAccessFault+0x6f5
01 b80487e4 804e1ff1 nt!MmAccessFault+0x6f5
eax=ffdff13c ebx=00000001 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
eip=805246fb esp=b80487a0 ebp=b80487e4 iopl=0 nv up ei ng nz na pe nc
cs=0009 ss=0011 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!MmAccessFault+0x6f5:
805246fb 83bb3c02000010 cmp dword ptr [ebx+23Ch],10h ds:0023:0000023d=????????
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 b80487e4 804ed0db nt!KiTrap0E+0xcc
02 b80487e4 804ed0db nt!KiTrap0E+0xcc
eax=ffdff13c ebx=8976a7b8 ecx=00000000 edx=804e2a00 esi=c03fffc0 edi=806ed03c
eip=804e1ff1 esp=b80487ec ebp=b80487fc iopl=0 nv up ei ng nz na pe nc
cs=0009 ss=0011 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KiTrap0E+0xcc:
804e1ff1 85c0 test eax,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 b80488b4 804ed15a nt!IopCompleteRequest+0x92
03 b80488b4 804ed15a nt!IopCompleteRequest+0x92
eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
eip=804ed0db esp=b8048870 ebp=b80488b4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!IopCompleteRequest+0x92:
0008:804ed0db f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 b8048904 806f2c0a nt!KiDeliverApc+0xb3
04 b8048904 806f2c0a nt!KiDeliverApc+0xb3
eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
eip=804ed15a esp=b80488bc ebp=b8048904 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!KiDeliverApc+0xb3:
0008:804ed15a 8d55d8 lea edx,[ebp-28h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 b8048904 806ed0b3 hal!HalpApcInterrupt2ndEntry+0x31
05 b8048904 806ed0b3 hal!HalpApcInterrupt2ndEntry+0x31
eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
eip=806f2c0a esp=b804890c ebp=b804891c iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
hal!HalpApcInterrupt2ndEntry+0x31:
0008:806f2c0a e95190c839 jmp ba37bc60
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 b8048990 804e59ec hal!KfLowerIrql+0x43
06 b8048990 804e59ec hal!KfLowerIrql+0x43
eax=806ed0b3 ebx=00000001 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=806ed0b3 esp=b8048990 ebp=b80489b0 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
hal!KfLowerIrql+0x43:
0008:806ed0b3 9d popfd
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 b80489b0 804ed174 nt!KeInsertQueueApc+0x4b
07 b80489b0 804ed174 nt!KeInsertQueueApc+0x4b
eax=806ed0b3 ebx=00000001 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=804e59ec esp=b8048998 ebp=b80489b0 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
nt!KeInsertQueueApc+0x4b:
0008:804e59ec 5f pop edi
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
08 b80489e4 f7432123 nt!IopfCompleteRequest+0x1d8
08 b80489e4 f7432123 nt!IopfCompleteRequest+0x1d8
eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=804ed174 esp=b80489b8 ebp=b80489e4 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
nt!IopfCompleteRequest+0x1d8:
0008:804ed174 e91b71ffff jmp nt!IopfCompleteRequest+0xa9 (804e4294)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 b80489f8 804e3d77 NinjaDriver+0x1123
09 b80489f8 804e3d77 NinjaDriver+0x1123
eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=f7432123 esp=b80489ec ebp=b80489f8 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
NinjaDriver+0x1123:
0008:f7432123 5f pop edi
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0a b8048a08 8056a9ab nt!IopfCallDriver+0x31
0a b8048a08 8056a9ab nt!IopfCallDriver+0x31
eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=804e3d77 esp=b8048a00 ebp=b8048a1c iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
nt!IopfCallDriver+0x31:
0008:804e3d77 5e pop esi
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b b8048a1c 8057d9f7 nt!IopSynchronousServiceTail+0x60
0b b8048a1c 8057d9f7 nt!IopSynchronousServiceTail+0x60
eax=806ed0b3 ebx=88e239f8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=8056a9ab esp=b8048a10 ebp=b8048a1c iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
nt!IopSynchronousServiceTail+0x60:
0008:8056a9ab 807d1400 cmp byte ptr [ebp+14h],0 ss:0010:b8048a30=00
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c b8048ac4 8057fbfa nt!IopXxxControlFile+0x611
0c b8048ac4 8057fbfa nt!IopXxxControlFile+0x611
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=8057d9f7 esp=b8048a24 ebp=b8048ac4 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
nt!IopXxxControlFile+0x611:
0008:8057d9f7 e8d650f6ff call nt!_SEH_epilog (804e2ad2)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Following the ESP of this frame I tried to get the control code and input buffer.

0d b8048af8 b6e6a06f nt!NtDeviceIoControlFile+0x2a
0d b8048af8 b6e6a06f nt!NtDeviceIoControlFile+0x2a
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=8057fbfa esp=b8048acc ebp=b8048af8 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
nt!NtDeviceIoControlFile+0x2a:
0008:8057fbfa 5d pop ebp
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0e b8048b8c b6e6a5c3 Ninja+0x506f
0e b8048b8c b6e6a5c3 Ninja+0x506f
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=b6e6a06f esp=b8048b00 ebp=b8048b8c iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
Ninja+0x506f:
0008:b6e6a06f 8945cc mov dword ptr [ebp-34h],eax ss:0010:b8048b58=00000000
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0f b8048c80 b6e6ab9b Ninja+0x55c3
0f b8048c80 b6e6ab9b Ninja+0x55c3
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=b6e6a5c3 esp=b8048b94 ebp=b8048c80 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
Ninja+0x55c3:
0008:b6e6a5c3 0fb64dd3 movzx ecx,byte ptr [ebp-2Dh] ss:0010:b8048c53=00
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
10 b8048d34 804df06b Ninja+0x5b9b
10 b8048d34 804df06b Ninja+0x5b9b
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=b6e6ab9b esp=b8048c88 ebp=b8048d34 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
Ninja+0x5b9b:
0008:b6e6ab9b 6a00 push 0
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
11 b8048d34 7c90ebab nt!KiFastCallEntry+0xf8
11 b8048d34 7c90ebab nt!KiFastCallEntry+0xf8
eax=806ed0b3 ebx=896864c8 ecx=00000000 edx=00000001 esi=8960e7c8 edi=88e23a38
eip=804df06b esp=b8048d3c ebp=b8048d64 iopl=0 nv up di ng nz ac pe nc
cs=0008 ss=0010 ds=b100 es=72bb fs=3a38 gs=8964 efl=00000094
nt!KiFastCallEntry+0xf8:
0008:804df06b 8be5 mov esp,ebp
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
12 00f8fd7c 00000000 0x7c90ebab
12 00f8fd7c 00000000 0x7c90ebab
eax=00f8fd3c ebx=00000000 ecx=00000101 edx=00000000 esi=00000000 edi=00785580
eip=7c90ebab esp=00f8fd1c ebp=00f8fd7c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202
001b:7c90ebab ?? ???
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 b80489f8 804e3d77 NinjaDriver+0x1123


From the register context dump of the nt!NtDeviceIoControlFile (http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/NtDeviceIoControlFile.html) frame I collected the stack pointer (esp) and tried to dump the dwords.

Code:

kd> dd b8048acc
b8048acc 00000090 00000000 00000000 00000000
b8048adc 00f8fd58 0022a00c 00f8fdc8 0000001c
b8048aec ffff0000 00000000 00000001 b8048b8c ; this 1 is pushed by the PUSH 1 instruction at 0x8057fbd5 (nt!NtDeviceIoControlFile)
b8048afc b6e6a06f 00000090 00000000 00000000
b8048b0c 00000000 00f8fd58 0022a00c 00f8fdc8
b8048b1c 0000001c ffff0000 00000000 8057a312
b8048b2c b8048be8 b8048c84 8057a125 00000000
b8048b3c 00100002 00000000 00000003 00000000




Code:


kd> uf nt!NtDeviceIoControlFile
nt!NtDeviceIoControlFile:
8057fbd0 8bff mov edi,edi
8057fbd2 55 push ebp
8057fbd3 8bec mov ebp,esp
8057fbd5 6a01 push 1
8057fbd7 ff752c push dword ptr [ebp+2Ch]
8057fbda ff7528 push dword ptr [ebp+28h]
8057fbdd ff7524 push dword ptr [ebp+24h]
8057fbe0 ff7520 push dword ptr [ebp+20h]
8057fbe3 ff751c push dword ptr [ebp+1Ch]
8057fbe6 ff7518 push dword ptr [ebp+18h]
8057fbe9 ff7514 push dword ptr [ebp+14h]
8057fbec ff7510 push dword ptr [ebp+10h]
8057fbef ff750c push dword ptr [ebp+0Ch]
8057fbf2 ff7508 push dword ptr [ebp+8]
8057fbf5 e8dddbffff call nt!IopXxxControlFile (8057d7d7)
8057fbfa 5d pop ebp
8057fbfb c22800 ret 28h




Code:


kd> d 00f8fdc8
00f8fdc8 ???????? ???????? ???????? ????????
00f8fdd8 ???????? ???????? ???????? ????????
00f8fde8 ???????? ???????? ???????? ????????
00f8fdf8 ???????? ???????? ???????? ????????
00f8fe08 ???????? ???????? ???????? ????????
00f8fe18 ???????? ???????? ???????? ????????
00f8fe28 ???????? ???????? ???????? ????????
00f8fe38 ???????? ???????? ???????? ????????




Question 1:
So according to your earlier instruction, 0x0022a00c should be the IOCTL code and 0x00f8fdc8 the pointer to the input buffer which is possibly involved in the crash?

Question 2:

Now if I send the same IOCTL code and input buffer from any user mode application (CreateFileW!Kernel32, DeviceIoControl!Kernel32) to the device created by NinjaDriver, would I be able to reproduce the BSOD/crash?

Please let me know if I got you wrong or did anything wrong.

Thanks in Advance,

Kayaker
March 12th, 2014, 01:32
Nice detective work both ways. I don't know if this is relevant to the BSOD, but notice that OutputBuffer is non-NULL (oddly defined as 0xffff0000), but OutputBufferLength is 0.

IopXxxControlFile may be handled similarly to this ReactOS source for IopDeviceFsIoControl.

http://doxygen.reactos.org/d5/de1/iofunc_8c_a8be97bd7c9d6cb5192fcb2b9dc1b9109.html

I'm wondering if the error of an output buffer with zero length isn't handled gracefully, whether that might cause problems.

blabberer
March 12th, 2014, 03:38
Code:

!decodeioctl 22a00c

IoControlCode = 22A00C
Device = UNKNOWN
Function = 00000803
Access = FILE_WRITE_ACCESS
Method = METHOD_BUFFERED

lkd>




The input buffer may have been swapped out, hence the ????????.

The output buffer does not seem to point to a valid address (if it is a user space address it is invalid, > 0xffff0000;

if it is a kernel space address it doesn't seem to lie within the paged / non-paged pool limits).

I am not sure of the semantics off the top of my head,

but logically, for write access from user mode you may need to provide a buffer that would be validated by the kernel and locked until it is discarded by some trigger.

Also, your output buffer length seems to be null, so "where are you writing?" seems to be a valid question.

Whether you can produce a crash depends on various factors; you may need to experiment with it.

The input buffer address seems to point to a user mode address (below 0x7fffffff), so is the buffer probed and locked, at what IRQL, that kind of questions arise which you may need to ascertain to produce a duplicate crash.

What is the conclusion of !analyze -v?
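
An added example (not posted in the thread) that does the same extraction in Python: it parses the `dd b8048acc` output quoted above, reads the ten NtDeviceIoControlFile arguments in memory order from the frame's esp (the layout the `uf` listing shows), splits the control code into the CTL_CODE fields that !decodeioctl printed, and flags the oddities raised here (a non-NULL OutputBuffer with zero length, a pointer outside the x86 user range, and a pointer equal to the memory address in the KeBugCheckEx arguments of the first stack trace, ffff0000). The user-range limit 0x7ffeffff is an assumption (default 2 GB split, no /3GB).

```python
import re

# Constructed sample: the `dd b8048acc` output quoted earlier in this thread
# (stack of the nt!NtDeviceIoControlFile frame, whose `.frame /r` esp is b8048acc).
DD_OUTPUT = """\
b8048acc 00000090 00000000 00000000 00000000
b8048adc 00f8fd58 0022a00c 00f8fdc8 0000001c
b8048aec ffff0000 00000000 00000001 b8048b8c
b8048afc b6e6a06f 00000090 00000000 00000000
"""
FRAME_ESP = 0xB8048ACC      # esp of the NtDeviceIoControlFile frame at the call
BUGCHECK_ARG1 = 0xFFFF0000  # KeBugCheckEx(0x50, ffff0000, ...) from the first kb listing

# Memory order from esp: the last push in the `uf` listing ([ebp+8]) is the
# first parameter, so esp+0 = FileHandle ... esp+0x24 = OutputBufferLength.
# The 11th dword is the hardwired `push 1`, then saved ebp, then the return address.
NT_ARGS = (
    "FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock",
    "IoControlCode", "InputBuffer", "InputBufferLength",
    "OutputBuffer", "OutputBufferLength",
)

MM_HIGHEST_USER_ADDRESS = 0x7FFEFFFF  # assumption: x86, 2 GB split, no /3GB
FILE_DEVICE_UNKNOWN = 0x22
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def parse_dd(text):
    """Turn `dd` output into {address: dword}; '????????' (page not in dump) is skipped."""
    mem = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not re.fullmatch(r"[0-9a-fA-F]{8}", parts[0]):
            continue
        base = int(parts[0], 16)
        for i, tok in enumerate(parts[1:]):
            if tok != "????????":
                mem[base + 4 * i] = int(tok, 16)
    return mem


def read_nt_args(mem, esp):
    """Read the ten NtDeviceIoControlFile arguments starting at the frame's esp."""
    args = {}
    for i, name in enumerate(NT_ARGS):
        addr = esp + 4 * i
        if addr not in mem:
            raise KeyError("dword at %08x is not in the dump" % addr)
        args[name] = mem[addr]
    return args


def decode_ioctl(code):
    """Split a control code the way CTL_CODE builds it:
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return {
        "DeviceType": (code >> 16) & 0xFFFF,
        "Access": ACCESS[(code >> 14) & 0x3],
        "Function": (code >> 2) & 0xFFF,
        "Method": METHODS[code & 0x3],
    }


def sanity_check(args, fault_address=None):
    """Flag the buffer oddities worth checking before trying to reproduce anything."""
    findings = []
    for buf, length in (("InputBuffer", "InputBufferLength"),
                        ("OutputBuffer", "OutputBufferLength")):
        ptr = args[buf]
        if ptr and ptr > MM_HIGHEST_USER_ADDRESS:
            findings.append("%s %08x is not a user-mode address" % (buf, ptr))
        if ptr and args[length] == 0:
            findings.append("%s is non-NULL but %s is 0" % (buf, length))
        if fault_address is not None and ptr == fault_address:
            findings.append("%s equals the bugcheck's referenced address %08x" % (buf, ptr))
    return findings


def analyse(dd_text=DD_OUTPUT, esp=FRAME_ESP, fault_address=BUGCHECK_ARG1):
    """Return (arguments, decoded control code, findings) for one frame."""
    args = read_nt_args(parse_dd(dd_text), esp)
    return args, decode_ioctl(args["IoControlCode"]), sanity_check(args, fault_address)


if __name__ == "__main__":
    args, ioctl, findings = analyse()
    for name, value in args.items():
        print("%-19s %08x" % (name, value))
    print("IoControlCode ->", ioctl)
    for f in findings:
        print("!", f)
```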

debasishm89
March 12th, 2014, 04:38
@Kayaker Actually I tried to send the same IO control code, input buffer and output buffer length from user land using a C prog. But it did not give me a crash.

@blabberer

It seems to be a POOL corruption.

!analyze -v output is given below:
Code:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffff0000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 804ed0db, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
.....
.....
.....
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details

WRITE_ADDRESS: ffff0000

FAULTING_IP:
nt!IopCompleteRequest+92
804ed0db f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0x50

PROCESS_NAME: NinjaUIServ.exe

IRP_ADDRESS: 88e239f8

DEVICE_OBJECT: 89817030

DRIVER_OBJECT: 8980b300

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAULTING_MODULE: f7431000 NinjaDriver

TRAP_FRAME: b80487fc -- (.trap 0xffffffffb80487fc)
ErrCode = 00000002
eax=0000001c ebx=88e239f8 ecx=00000007 edx=00000000 esi=8976a7b8 edi=ffff0000
eip=804ed0db esp=b8048870 ebp=b80488b4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!IopCompleteRequest+0x92:
0008:804ed0db f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 805246fb to 805339ae

STACK_TEXT:
b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123
b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab


STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
804d90c9-804d90cd 5 bytes - nt!KiXMMIZeroPage+30
[ fa f7 80 0c 02:e9 2a 1a ea 39 ]
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
Page 2158 not present in the dump file. Type ".hh dbgerr004" for details
804d9545-804d9549 5 bytes - nt!ExAcquireResourceSharedLite+10 (+0x47c)
[ fa 8b 75 08 33:e9 76 c4 e6 39 ]
804dabaf-804dabb3 5 bytes - nt!KiChainedDispatch+28 (+0x166a)
[ fa ff 15 dc 75:e9 5c 2b eb 39 ]
804dbbdb-804dbbdf 5 bytes - nt!ExReleaseResourceLite+b (+0x102c)
[ fa 66 8b 51 0e:e9 80 89 e6 39 ]
804dbee9-804dbeed 5 bytes - nt!SwapContext+30 (+0x30e)
[ fa 89 67 28 8b:e9 4a 82 e6 39 ]
804dc0da-804dc0de 5 bytes - nt!KiIdleLoop+13 (+0x1f1)
[ fa 3b 6d 00 74:e9 a9 79 e9 39 ]
804dc180-804dc184 5 bytes - nt!KiRetireDpcList+4d (+0xa6)
[ fa 3b 6d 00 75:e9 23 7d e9 39 ]
804dc213-804dc217 5 bytes - nt!Ki386AdjustEsp0+1e (+0x93)
[ fa 8b 15 40 f0:e9 28 64 e6 39 ]
804dc22c-804dc230 5 bytes - nt!KiSetDebugActive+6 (+0x19)
[ fa 88 48 2c 88:e9 ff a2 e6 39 ]
804df07c-804df080 5 bytes - nt!KiServiceExit (+0x2e50)
[ fa f7 45 70 00:e9 6f 36 e6 39 ]
804df0de - nt!KiServiceExit+62 (+0x62)
[ fa:cc ]
804df224-804df228 5 bytes - nt!KiServiceExit2 (+0x146)
[ fa f7 45 70 00:e9 47 4d ea 39 ]
804df264 - nt!KiServiceExit2+40 (+0x40)
[ fa:cc ]
804df8fb-804df8ff 5 bytes - nt!KiExceptionExit (+0x697)
[ fa f7 45 70 00:e9 e0 6c e6 39 ]
804df93b - nt!Kei386EoiHelper+40 (+0x40)
[ fa:cc ]
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
804e16ae - nt!VdmFixEspEbp+3 (+0x1d73)
[ 0f:cc ]
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
804e2825-804e2829 5 bytes - nt!KiFlushNPXState+4 (+0x1177)
[ fa 8b 3d 1c f0:e9 5e 3b e6 39 ]
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 1954 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e2e28-804e2e2b 4 bytes - nt!KiServiceTable+108 (+0x603)
[ d0 fb 57 80:40 a6 e6 b6 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e31e9-804e31ed 5 bytes - nt!KiCallUserMode+54 (+0x3c1)
[ fa 8b 0e 89 0c:e9 42 05 eb 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e32dc-804e32e0 5 bytes - nt!KeSwitchKernelStack+3e (+0xf3)
[ fa 89 8a 68 01:e9 87 25 e6 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e337b-804e337f 5 bytes - nt!NtCallbackReturn+3b (+0x9f)
[ fa 8b 35 04 f0:e9 58 05 eb 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e34a3-804e34a7 5 bytes - nt!ExfInterlockedAddUlong+1 (+0x128)
[ fa 8b 01 01 11:e9 b8 a1 ea 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e34b4-804e34b8 5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x11)
[ fa 8b 01 89 02:e9 ef 03 e9 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e34d1-804e34d5 5 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d)
[ fa 8b 41 04 89:e9 c2 fb e8 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e34f2-804e34f6 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21)
[ fa 8b 01 3b c1:e9 51 a1 e9 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e3823-804e3827 5 bytes - nt!KeUpdateSystemTime+e6 (+0x331)
[ fa ff 81 70 08:e9 18 52 e9 39 ]
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
Page 2397 not present in the dump file. Type ".hh dbgerr004" for details
804e3874-804e3878 5 bytes - nt!KeUpdateSystemTime+137 (+0x51)
[ fa ff 15 dc 75:e9 df 25 e9 39 ]
Page 222c not present in the dump file. Type ".hh dbgerr004" for details
804e3b54 - nt!ExAcquireResourceExclusiveLite+f (+0x2e0)
[ fa:cc ]
Page 222c not present in the dump file. Type ".hh dbgerr004" for details
804e6106 - nt!KiSaveProcessorControlState+75 (+0x25b2)
[ 0f:cc ]
Page 222c not present in the dump file. Type ".hh dbgerr004" for details
804e610d - nt!KiSaveProcessorControlState+7c (+0x07)
[ 0f:cc ]
804e611b - nt!KiSaveProcessorControlState+8a (+0x0e)
[ 0f:cc ]
804e9070-804e9074 5 bytes - nt!ExIsResourceAcquiredExclusiveLite+b (+0x2f55)
[ fa 8b 4d 08 32:e9 eb a8 e8 39 ]
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
804e9175-804e9179 5 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x105)
[ fa 8b 75 08 33:e9 a6 23 e9 39 ]
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
804ecdae-804ecdb2 5 bytes - nt!KeRestoreFloatingPointState+79 (+0x3c39)
[ fa f6 03 01 0f:e9 55 63 ea 39 ]
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
Page 210f not present in the dump file. Type ".hh dbgerr004" for details
804ece88-804ece8c 5 bytes - nt!KeSaveFloatingPointState+9f (+0xda)
[ fa 0f 20 c0 8b:e9 e3 65 ea 39 ]
804ed809-804ed80d 5 bytes - nt!CcGetActiveVacb+5 (+0x981)
[ fa 8b 45 08 8b:e9 fa 55 e8 39 ]
804ee842-804ee845 4 bytes - nt!ExIsResourceAcquiredSharedLite+c (+0x1039)
[ fa 8b 4d 08:e9 c9 4e e8 ]
804ef1dc-804ef1e0 5 bytes - nt!CcSetActiveVacb+7 (+0x99a)
[ fa 8b 45 08 83:e9 97 49 e9 39 ]
804f04d6-804f04da 5 bytes - nt!ExReleaseResourceForThreadLite+8 (+0x12fa)
[ fa 8b 45 08 66:e9 3d 2f e9 39 ]
804f0848-804f084c 5 bytes - nt!ExDisableResourceBoostLite+5 (+0x372)
[ fa 8b 45 08 80:e9 03 29 e8 39 ]
804f0c78 - nt!ExAcquireSharedStarveExclusive+f (+0x430)
[ fa:cc ]
804f0e29-804f0e2d 5 bytes - nt!ExSetResourceOwnerPointer+c (+0x1b1)
[ fa 8b 75 08 f6:e9 52 2b e9 39 ]
804f1570-804f1574 5 bytes - nt!ExpAllocateExclusiveWaiterEvent+65 (+0x747)
[ fa 5f 5e 5b c9:e9 43 35 e5 39 ]
804fbc61-804fbc65 5 bytes - nt!ExpFindCurrentThread+10d (+0xa6f1)
[ fa 8b 75 f8 8b:e9 6a a2 e4 39 ]
804fbccb - nt!ExpFindCurrentThread+187 (+0x6a)
[ fa:cc ]
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
804fbd2f-804fbd33 5 bytes - nt!ExpAllocateSharedWaiterSemaphore+5e (+0x64)
[ fa 5f 5e c9 c2:e9 14 a5 e4 39 ]
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
Page 214b not present in the dump file. Type ".hh dbgerr004" for details
804fc679-804fc67f 7 bytes - nt!NtYieldExecution (+0x94a)
[ 83 3d 6c 19 55 80 00:e9 c6 e5 69 77 90 90 ]
804fd0ae-804fd0b2 5 bytes - nt!KeRemoveQueueDpc+6 (+0xa35)
[ fa 8b 45 08 8b:e9 75 04 e9 39 ]
8050314d-80503151 5 bytes - nt!ExConvertExclusiveToSharedLite+5 (+0x609f)
[ fa 8b 45 08 66:e9 5e a7 e7 39 ]
8050bf37-8050bf3b 5 bytes - nt!IoStartTimer+17 (+0x8dea)
[ fa 66 83 78 02:e9 dc 3b e7 39 ]
WARNING: !chkimg output was truncated to 50 lines. Invoke !chkimg without '-lo [num_lines]' to view entire output.
805684d5-805684d9 5 bytes - nt!NtOpenKey
[ 68 94 00 00 00:e9 d6 26 63 77 ]
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
8056f063-8056f067 5 bytes - nt!NtCreateKey (+0x6b8e)
[ 68 c4 00 00 00:e9 5c bb 62 77 ]
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
80573789-8057378d 5 bytes - nt!NtUnmapViewOfSection (+0x4726)
[ 8b ff 55 8b ec:e9 e2 74 62 77 ]
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 278d not present in the dump file. Type ".hh dbgerr004" for details
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
80573c04-80573c0a 7 bytes - nt!NtMapViewOfSection (+0x47b)
[ 6a 44 68 e0 30 4f 80:e9 51 70 62 77 90 90 ]
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
Page 1f91 not present in the dump file. Type ".hh dbgerr004" for details
8057459e-805745a2 5 bytes - nt!NtOpenProcess (+0x99a)
[ 68 c4 00 00 00:e9 e5 65 62 77 ]
80575527-8057552d 7 bytes - nt!NtSetValueKey (+0xf89)
[ 6a 5c 68 b8 f2 4e 80:e9 ee 56 62 77 90 90 ]
8058ae1e-8058ae22 5 bytes - nt!NtTerminateProcess (+0x158f7)
[ 8b ff 55 8b ec:e9 61 fe 60 77 ]
80597430-80597436 7 bytes - nt!NtDeleteValueKey (+0xc612)
[ 6a 48 68 f0 ee 4f 80:e9 cf 37 60 77 90 90 ]
80597c0a-80597c0e 5 bytes - nt!NtOpenThread (+0x7da)
[ 68 c0 00 00 00:e9 8d 2f 60 77 ]
8059d6bd-8059d6c3 7 bytes - nt!NtDeleteKey (+0x5ab3)
[ 6a 38 68 50 ef 4f 80:e9 16 d5 5f 77 90 90 ]
8059db78-8059db7c 5 bytes - nt!NtSetSecurityObject (+0x4bb)
[ 8b ff 55 8b ec:e9 b3 d0 5f 77 ]
8064d39f-8064d3a5 7 bytes - nt!NtRenameKey (+0xaf827)
[ 6a 34 68 00 aa 52 80:e9 4a d8 54 77 90 90 ]
302 errors : !nt (804d90c9-8064d3a5)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------


IRP Output:

Code:


kd> !irp 88e239f8
Irp is active with 2 stacks 4 is current (= 00000000)
No Mdl: System buffer=8976a7b8: Thread 8960e7fc: Irp is completed.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ e, 0] 0 0 89817030 00000000 00000000-00000000
\Driver\NinjaDriver
Args: 00000000 00000000 00000000 00000000

Stack Frame
Code:

kd> kb
ChildEBP RetAddr Args to Child
b8048798 805246fb 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b80487e4 804e1ff1 00000001 ffff0000 00000000 nt!MmAccessFault+0x6f5
b80487e4 804ed0db 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b80488b4 804ed15a 88e23a38 b8048900 b80488f4 nt!IopCompleteRequest+0x92
b8048904 806f2c0a 00000000 00000000 b804891c nt!KiDeliverApc+0xb3
b8048904 806ed0b3 00000000 00000000 b804891c hal!HalpApcInterrupt2ndEntry+0x31
b8048990 804e59ec 88e23a38 88e239f8 00000000 hal!KfLowerIrql+0x43
b80489b0 804ed174 88e23a38 896864c8 00000000 nt!KeInsertQueueApc+0x4b
b80489e4 f7432123 8960e9d8 8980b300 00000000 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
b80489f8 804e3d77 0000001c 0000001c 806ed070 NinjaDriver+0x1123 <-- IDA disassembly of this function is shown in the next section
b8048a08 8056a9ab 88e23a8c 896864c8 88e239f8 nt!IopfCallDriver+0x31
b8048a1c 8057d9f7 89817030 88e239f8 896864c8 nt!IopSynchronousServiceTail+0x60
b8048ac4 8057fbfa 00000090 00000000 00000000 nt!IopXxxControlFile+0x611
b8048af8 b6e6a06f 00000090 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b8048b8c b6e6a5c3 00000001 00000090 00000000 Ninja+0x506f
b8048c80 b6e6ab9b 00000001 88da9898 00000090 Ninja+0x55c3
b8048d34 804df06b 00000090 00000000 00000000 Ninja+0x5b9b
b8048d34 7c90ebab 00000090 00000000 00000000 nt!KiFastCallEntry+0xf8
00f8fd7c 00000000 00000000 00000000 00000000 0x7c90ebab


IDA disassembly of NinjaDriver+0x1123 is below. It was seen in the DriverEntry point that the function below is the IRP_MJ_QUERY_SECURITY dispatch routine of NinjaDriver.

Code:

.text:F7432080 ; int __stdcall IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE(int, PIRP Irp)
.text:F7432080 IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE proc near
.text:F7432080 ; CODE XREF: call_crash_function+78p
.text:F7432080 ; DATA XREF: DriverEntry+D2o
.text:F7432080
.text:F7432080 var_4 = dword ptr -4
.text:F7432080 arg_0 = dword ptr 8
.text:F7432080 Irp = dword ptr 0Ch
.text:F7432080
.text:F7432080 push ebp
.text:F7432081 mov ebp, esp
.text:F7432083 push ecx
.text:F7432084 mov eax, [ebp+arg_0]
.text:F7432087 mov ecx, [eax+28h]
.text:F743208A push esi
.text:F743208B push edi
.text:F743208C mov edi, [ebp+Irp]
.text:F743208F mov eax, [edi+60h]
.text:F7432092 mov edx, [eax+0Ch]
.text:F7432095 mov esi, [eax+8]
.text:F7432098 mov eax, [eax+18h]
.text:F743209B mov [ebp+var_4], 0
.text:F74320A2 mov [ebp+arg_0], 0
.text:F74320A9 test eax, eax
.text:F74320AB jz short loc_F74320B4
.text:F74320AD mov eax, [eax+0Ch]
.text:F74320B0 test eax, eax
.text:F74320B2 jnz short loc_F74320BA
.text:F74320B4
.text:F74320B4 loc_F74320B4: ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+2Bj
.text:F74320B4 mov eax, [ecx+1F0h]
.text:F74320BA
.text:F74320BA loc_F74320BA: ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+32j
.text:F74320BA push ebx
.text:F74320BB lea ebx, [ebp+Irp]
.text:F74320BE push ebx
.text:F74320BF mov ebx, [edi+0Ch]
.text:F74320C2 push esi
.text:F74320C3 push ebx
.text:F74320C4 push eax
.text:F74320C5 push ecx
.text:F74320C6 push edx
.text:F74320C7 call Swith_Case_statement
.text:F74320CC pop ebx
.text:F74320CD test eax, eax
.text:F74320CF js short loc_F74320ED
.text:F74320D1 mov eax, [ebp+Irp]
.text:F74320D4 cmp eax, esi
.text:F74320D6 jbe short loc_F74320E1
.text:F74320D8 mov eax, esi
.text:F74320DA mov esi, 0C0000023h
.text:F74320DF jmp short loc_F74320E4
.text:F74320E1 ; ---------------------------------------------------------------------------
.text:F74320E1
.text:F74320E1 loc_F74320E1: ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+56j
.text:F74320E1 mov esi, [ebp+var_4]
.text:F74320E4
.text:F74320E4 loc_F74320E4: ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+5Fj
.text:F74320E4 test eax, eax
.text:F74320E6 jz short loc_F7432110
.text:F74320E8 mov [ebp+arg_0], eax
.text:F74320EB jmp short loc_F7432110
.text:F74320ED ; ---------------------------------------------------------------------------
.text:F74320ED
.text:F74320ED loc_F74320ED: ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+4Fj
.text:F74320ED cmp eax, 0FFFFFFDBh
.text:F74320F0 jz short loc_F743210B
.text:F74320F2 cmp eax, 0FFFFFFFEh
.text:F74320F5 jz short loc_F743210B
.text:F74320F7 sub eax, 0FFFFFFCAh
.text:F74320FA neg eax
.text:F74320FC sbb eax, eax
.text:F74320FE and eax, 0FFFFFDFBh
.text:F7432103 lea esi, [eax-3FFFFDFAh]
.text:F7432109 jmp short loc_F7432110
.text:F743210B ; ---------------------------------------------------------------------------
.text:F743210B
.text:F743210B loc_F743210B: ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+70j
.text:F743210B ; IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+75j
.text:F743210B mov esi, 0C000000Dh
.text:F7432110
.text:F7432110 loc_F7432110: ; CODE XREF: IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+66j
.text:F7432110 ; IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE+6Bj ...
.text:F7432110 mov ecx, [ebp+arg_0]
.text:F7432113 mov [edi+1Ch], ecx
.text:F7432116 xor dl, dl ; PriorityBoost
.text:F7432118 mov ecx, edi ; Irp
.text:F743211A mov [edi+18h], esi
.text:F743211D call ds:IofCompleteRequest ; The IoCompleteRequest routine indicates that the caller has completed all processing for a given I/O request and is returning the given IRP to the I/O manager.
.text:F7432123 pop edi
.text:F7432124 mov eax, esi
.text:F7432126 pop esi
.text:F7432127 mov esp, ebp
.text:F7432129 pop ebp
.text:F743212A retn 8
.text:F743212A IRP_MJ_QUERY_SECURITY_DISPATCH_ROUTINE endp


Please let me know if you need more info.

Thanks,
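
Since the question is how to get the IOCTL code and the buffers back out of the IRP in the dump, here is an added example, written for this page and not taken from the original post or from NinjaDriver. It parses a raw 32-bit IRP image, i.e. the bytes `dd 88e239f8 L2e` would print in WinDbg for an IRP with two stack locations, using the same x86 (XP-era) _IRP and _IO_STACK_LOCATION field offsets that the disassembly above dereferences ([edi+60h] CurrentStackLocation, [edi+0Ch] SystemBuffer, [eax+8]/[eax+0Ch]/[eax+18h] InputBufferLength/IoControlCode/FileObject). It splits the control code into device type, function, method and access, and reports where the input data lives and where the I/O manager will write the output for each transfer method (for METHOD_BUFFERED the result is copied from SystemBuffer back to Irp->UserBuffer by the I/O manager at completion time). Everything in the sample image is constructed: the IOCTL code 0x222000, the 0x1C lengths and the base and buffer addresses are placeholders (some mirror numbers printed above only so the output looks familiar), not values read from the dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field offsets of the 32-bit _IRP / _IO_STACK_LOCATION (x86, XP era). */
enum {
    IRP_SIZE = 0x70, IRP_MDL_ADDRESS = 0x04, IRP_SYSTEM_BUFFER = 0x0C,
    IRP_IOSTATUS_STATUS = 0x18, IRP_IOSTATUS_INFO = 0x1C, IRP_STACK_COUNT = 0x22,
    IRP_USER_BUFFER = 0x3C, IRP_CURRENT_STACK_LOC = 0x60,
    IOSL_SIZE = 0x24, IOSL_MAJOR_FUNCTION = 0x00, IOSL_OUTPUT_LENGTH = 0x04,
    IOSL_INPUT_LENGTH = 0x08, IOSL_IOCTL_CODE = 0x0C, IOSL_TYPE3_INPUT_BUF = 0x10,
    IOSL_DEVICE_OBJECT = 0x14, IOSL_FILE_OBJECT = 0x18,
    IRP_MJ_DEVICE_CONTROL = 0x0E
};
#define SAMPLE_IRP_BASE 0x88e239f8u     /* IRP address used in the !irp output above */

typedef struct {
    uint8_t  major;
    uint32_t ioctl, device_type, function, method, access;
    uint32_t in_len, out_len;
    uint32_t system_buffer, user_buffer, mdl, type3_input;
    uint32_t input_va;      /* where the driver reads the caller's input from */
    uint32_t output_ptr;    /* UserBuffer (buffered/neither) or the MDL (direct) */
    int      stack_index;
} irp_info;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Parse an IRP image; base is the IRP's kernel VA, needed to turn the
 * CurrentStackLocation pointer into an index into the stack-location array. */
int parse_irp(const uint8_t *img, size_t len, uint32_t base, irp_info *o) {
    memset(o, 0, sizeof *o);
    if (len < IRP_SIZE) return -1;
    uint32_t csl = rd32(img + IRP_CURRENT_STACK_LOC);
    uint8_t nstk = img[IRP_STACK_COUNT];
    if (csl < base + IRP_SIZE || (csl - base - IRP_SIZE) % IOSL_SIZE) return -1;
    o->stack_index = (int)((csl - base - IRP_SIZE) / IOSL_SIZE);
    if (o->stack_index >= nstk || (size_t)(csl - base) + IOSL_SIZE > len) return -1;
    const uint8_t *sl = img + (csl - base);
    o->major = sl[IOSL_MAJOR_FUNCTION];
    if (o->major != IRP_MJ_DEVICE_CONTROL) return -2;      /* not an IOCTL request */
    o->ioctl       = rd32(sl + IOSL_IOCTL_CODE);
    o->device_type = o->ioctl >> 16;                       /* CTL_CODE layout */
    o->access      = (o->ioctl >> 14) & 3;
    o->function    = (o->ioctl >> 2) & 0xFFF;
    o->method      = o->ioctl & 3;
    o->out_len     = rd32(sl + IOSL_OUTPUT_LENGTH);
    o->in_len      = rd32(sl + IOSL_INPUT_LENGTH);
    o->type3_input = rd32(sl + IOSL_TYPE3_INPUT_BUF);
    o->system_buffer = rd32(img + IRP_SYSTEM_BUFFER);
    o->user_buffer   = rd32(img + IRP_USER_BUFFER);
    o->mdl           = rd32(img + IRP_MDL_ADDRESS);
    switch (o->method) {
    case 0:  /* METHOD_BUFFERED: input in SystemBuffer, output copied back to UserBuffer */
        o->input_va = o->system_buffer; o->output_ptr = o->user_buffer; break;
    case 1: case 2:  /* METHOD_IN/OUT_DIRECT: input in SystemBuffer, output via the MDL */
        o->input_va = o->system_buffer; o->output_ptr = o->mdl; break;
    default: /* METHOD_NEITHER: raw user pointers; the driver must probe them itself */
        o->input_va = o->type3_input; o->output_ptr = o->user_buffer; break;
    }
    return 0;
}

/* Constructed sample (not from the dump): an IOCTL IRP with two stack locations,
 * the second (index 1) being the one the driver's dispatch routine saw. */
size_t build_sample_irp(uint8_t *img, size_t cap) {
    size_t n = IRP_SIZE + 2 * IOSL_SIZE;
    if (cap < n) return 0;
    memset(img, 0, n);
    wr16(img + 0x00, 6); wr16(img + 0x02, (uint16_t)n);    /* Type = IO_TYPE_IRP, Size */
    img[IRP_STACK_COUNT] = 2;
    wr32(img + IRP_SYSTEM_BUFFER, 0x8976a7b8u);            /* "System buffer=" from !irp */
    wr32(img + IRP_USER_BUFFER, 0xffff0000u);              /* constructed placeholder */
    wr32(img + IRP_CURRENT_STACK_LOC, SAMPLE_IRP_BASE + IRP_SIZE + 1 * IOSL_SIZE);
    uint8_t *sl = img + IRP_SIZE + 1 * IOSL_SIZE;
    sl[IOSL_MAJOR_FUNCTION] = IRP_MJ_DEVICE_CONTROL;
    wr32(sl + IOSL_OUTPUT_LENGTH, 0x1C);
    wr32(sl + IOSL_INPUT_LENGTH, 0x1C);
    wr32(sl + IOSL_IOCTL_CODE, 0x222000u);   /* hypothetical: FILE_DEVICE_UNKNOWN, fn 0x800, METHOD_BUFFERED */
    wr32(sl + IOSL_DEVICE_OBJECT, 0x89817030u);
    return n;
}

int demo_parse(irp_info *o) {
    uint8_t img[IRP_SIZE + 2 * IOSL_SIZE];
    size_t n = build_sample_irp(img, sizeof img);
    return parse_irp(img, n, SAMPLE_IRP_BASE, o);
}

int main(void) {
    static const char *methods[] = { "BUFFERED", "IN_DIRECT", "OUT_DIRECT", "NEITHER" };
    irp_info i;
    if (demo_parse(&i) != 0) { puts("not an IOCTL IRP or image too short"); return 1; }
    printf("stack[%d] MJ=0x%02x IOCTL=0x%08x dev=0x%x fn=0x%x method=%s in=0x%x out=0x%x\n",
           i.stack_index, i.major, i.ioctl, i.device_type, i.function, methods[i.method],
           i.in_len, i.out_len);
    printf("input data at 0x%08x (dump with: db 0x%08x L0x%x), output goes to 0x%08x\n",
           i.input_va, i.input_va, i.in_len, i.output_ptr);
    return 0;
}
```

Once the parser reports the input VA and length, `db <input_va> L<in_len>` in the same dump gives the bytes to feed back into DeviceIoControl() from the reproduction program; the IOCTL code is the one recovered from IoControlCode, and the device handle is whatever the user-mode app opened (0x90 in the frames above).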

Kayaker
March 14th, 2014, 05:05
Quote:
[Originally Posted by debasishm89;96221]
PAGE_FAULT_IN_NONPAGED_AREA (50)

Arg1: ffff0000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.

WRITE_ADDRESS: ffff0000


Again, this seems to be pointing directly to the invalid OutputBuffer address. What exactly is it you're trying to determine? We've got no context: is this your code, someone else's borked code, or someone else's code which should work but is for some unknown reason corrupted?

You've got the IOCTL code, so should be able to find the call in the usermode app (since you seem to have the driver at least) to see if it's an obvious code error there.