
KMODE_EXCEPTION_NOT_HANDLED with valid address

parsa Member Posts: 42
edited March 30 in NTDEV

Hi All,

I am debugging a BSOD caused by a kernel-mode exception that was not handled properly. The BSOD occurred when accessing a memory location for a write operation. As per the MSDN doc, when I check Arg 4 (parameter 1), which is the problematic memory address, I see nothing wrong with that address. Indeed, the "dd", "pte" and "address" commands show no issue with the address. Is my understanding correct? I am suspecting that a memory/hardware error may sometimes be causing this issue, when the address is valid but the system still got bug checked.

I would greatly appreciate it if you could provide any input to debug this further.

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8060feb1349, The address that the exception occurred at
Arg3: fffff38e767a2e78, Parameter 0 of the exception
Arg4: fffff38e767a26b0, Parameter 1 of the exception

....
WRITE_ADDRESS:  fffff38e767a26b0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP: 
WppRecorder!WppAutoLogTrace+219
fffff806`0feb1349 0fb682dd000000  movzx   eax,byte ptr [rdx+0DDh]

EXCEPTION_PARAMETER1:  fffff38e767a2e78

EXCEPTION_PARAMETER2:  fffff38e767a26b0

BUGCHECK_STR:  0x1E_c0000005

1: kd> dd fffff38e767a26b0
fffff38e`767a26b0  a0b85870 ffffa40a 1d0a9763 fffff806
fffff38e`767a26c0  9c4cd990 ffffa40a 1d102110 fffff806
fffff38e`767a26d0  a0b858b8 ffffa40a a0b85870 ffffa40a
fffff38e`767a26e0  0010001f 00001f80 002b0010 0053002b
fffff38e`767a26f0  0018002b 00010202 00000000 00000000
fffff38e`767a2700  00000000 00000000 00000000 00000000
fffff38e`767a2710  00000000 00000000 8000130c ffffffff
fffff38e`767a2720  000009fc 00000000 767a31c8 fffff38e

1: kd> !address fffff38e767a26b0
Usage:                  Stack
Base Address:           fffff38e`7679e000
End Address:            fffff38e`767a4000
Region Size:            00000000`00006000
VA Type:                SystemRange

1: kd> !pte fffff38e767a26b0
                                           VA fffff38e767a26b0
PXE at FFFF8E472391CF38    PPE at FFFF8E47239E71C8    PDE at FFFF8E473CE39D98    PTE at FFFF8E79C73B3D10
contains 0A0000011C363863  contains 0A0000011C364863  contains 0A00000025CB2863  contains 8A00000083CBB863
pfn 11c363    ---DA--KWEV  pfn 11c364    ---DA--KWEV  pfn 25cb2     ---DA--KWEV  pfn 83cbb     ---DA--KW-V
Post edited by Scott_Noone_(OSR) on

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,442

    Can you post the full !analyze -v output?

    -scott
    OSR

  • parsa Member Posts: 42

    Hi Scott,

    The problem occurs in the WppRecorder driver function. When I dump the trap frame, it shows an access to an invalid address causing the issue,
    but I am not sure why the BSOD occurs in the WppRecorder driver, which is from Microsoft.

    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff8060feb1349, The address that the exception occurred at
    Arg3: fffff38e767a2e78, Parameter 0 of the exception
    Arg4: fffff38e767a26b0, Parameter 1 of the exception

    Debugging Details:

    KEY_VALUES_STRING: 1

    PROCESSES_ANALYSIS: 1

    SERVICE_ANALYSIS: 1

    STACKHASH_ANALYSIS: 1

    TIMELINE_ANALYSIS: 1

    DUMP_CLASS: 1

    DUMP_QUALIFIER: 401

    BUILD_VERSION_STRING: 19041.1.amd64fre.vb_release.191206-1406

    SYSTEM_MANUFACTURER: Dell Inc.

    SYSTEM_PRODUCT_NAME: Inspiron 3420

    SYSTEM_SKU: To be filled by O.E.M.

    SYSTEM_VERSION: Not Specified

    BIOS_VENDOR: Dell Inc.

    BIOS_VERSION: A05

    BIOS_DATE: 09/28/2012

    BASEBOARD_MANUFACTURER: Dell Inc.

    BASEBOARD_PRODUCT: 04XGDT

    BASEBOARD_VERSION: A05

    DUMP_TYPE: 1

    BUGCHECK_P1: ffffffffc0000005

    BUGCHECK_P2: fffff8060feb1349

    BUGCHECK_P3: fffff38e767a2e78

    BUGCHECK_P4: fffff38e767a26b0

    WRITE_ADDRESS: fffff38e767a26b0

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    FAULTING_IP:
    WppRecorder!WppAutoLogTrace+219
    fffff806`0feb1349 0fb682dd000000 movzx eax,byte ptr [rdx+0DDh]

    EXCEPTION_PARAMETER1: fffff38e767a2e78

    EXCEPTION_PARAMETER2: fffff38e767a26b0

    BUGCHECK_STR: 0x1E_c0000005

    CPU_COUNT: 4

    CPU_MHZ: 9be

    CPU_VENDOR: GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 3a

    CPU_STEPPING: 9

    CPU_MICROCODE: 6,3a,9,0 (F,M,S,R) SIG: 21'00000000 (cache) 21'00000000 (init)

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    PROCESS_NAME: svchost.exe

    CURRENT_IRQL: 0

    ANALYSIS_SESSION_HOST: CLW-G4B6HR2

    ANALYSIS_SESSION_TIME: 03-30-2021 10:38:54.0655

    ANALYSIS_VERSION: 10.0.18362.1 amd64fre

    LAST_CONTROL_TRANSFER: from fffff8060db0ed9f to fffff8060d9f5a80

    STACK_TEXT:
    fffff38e767a1e38 fffff8060db0ed9f : 000000000000001e ffffffffc0000005 fffff8060feb1349 fffff38e767a2e78 : nt!KeBugCheckEx
    fffff38e767a1e40 fffff8060da11c86 : fffff38e767a26b0 fffff8060d903845 fffff38e767a30b0 fffff8060feb1349 : nt!KiFatalFilter+0x1f
    fffff38e767a1e80 fffff8060d9cc052 : fffff80600000002 fffff8060d6d8e34 fffff38e7679e000 fffff38e767a4000 : nt!KeExpandKernelStackAndCalloutInternal$filt$0+0x16
    fffff38e767a1ec0 fffff8060d9fe942 : fffff8060d6d8e34 fffff38e767a24a0 fffff8060d9cbfb0 0000000000000000 : nt!_C_specific_handler+0xa2
    fffff38e767a1f30 fffff8060d92bf97 : fffff38e767a24a0 0000000000000000 fffff38e767a35e0 fffff8060d954488 : nt!RtlpExecuteHandlerForException+0x12
    fffff38e767a1f60 fffff8060d92ab86 : fffff38e767a2e78 fffff38e767a2bb0 fffff38e767a2e78 0000000000000000 : nt!RtlDispatchException+0x297
    fffff38e767a2680 fffff8060da07bac : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDispatchException+0x186
    fffff38e767a2d40 fffff8060da038e0 : 000000000000003e 0000000000000000 ffffa40aa7be6810 fffff80610e5e23b : nt!KiExceptionDispatch+0x12c
    fffff38e767a2f20 fffff8060feb1349 : 0000000000000000 0000000063467453 00000000000000a0 00000000000009a7 : nt!KiGeneralProtectionFault+0x320
    fffff38e767a30b0 fffff806097a5824 : 0000000000000000 fffff806097bd4f8 0000000000000000 0000000000000000 : WppRecorder!WppAutoLogTrace+0x219
    fffff38e767a3120 fffff806097a109e : ffffa40aac53d920 ffffa40aac0eaf10 0000000000000014 000000000000013a : customdrv!WPP_RECORDER_SF_XDD+0x12c
    fffff38e767a31a0 fffff80610c10576 : ffffa40a968958a0 fffff806097a1010 ffffa40a96840220 fffff80610a95a2b : customdrv!StreamFlowDeletion+0x8e
    fffff38e767a3210 fffff80610c10037 : 0000000000005d7f ffffa40aab11c550 0000000000000000 ffffa40a96840220 : NETIO!WfpNotifyFlowContextDelete+0x20a
    fffff38e767a3290 fffff80610e5e799 : fffff38e7600ff00 ffffa40aac0eaf10 fffff38e767a33f0 ffffa40aab11c520 : NETIO!KfdAleNotifyFlowDeletion+0x1c7
    fffff38e767a32f0 fffff80610e5e570 : 0000000000000000 0000000000000000 ffffa40a96ad7a00 ffffa40aaa51fa20 : tcpip!TcpCleanupTcbWorkQueueRoutine+0x149
    fffff38e767a3450 fffff80610e5e2a5 : 0000000000000001 fffff38e767a36c0 fffff38e767a36c0 0000000000000000 : tcpip!TcpCloseTcb+0x2b0
    fffff38e767a35b0 fffff8060d954488 : 0000000000000000 0000000000000000 0000000000000000 0000000000000001 : tcpip!TcpTlConnectionCloseEndpointCalloutRoutine+0x15
    fffff38e767a35e0 fffff8060d9543fd : fffff80610e5e290 fffff38e767a36c0 ffffa40a9681a1e0 0000000000000000 : nt!KeExpandKernelStackAndCalloutInternal+0x78
    fffff38e767a3650 fffff80610e75b1a : fffff38e767a3908 ffffa40aac748700 fffff38e767a3908 0000000100060000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
    fffff38e767a3690 fffff8061cd229b9 : ffffa40a96c56ce0 0000000000000000 000000000000006a fffff8060d848cc2 : tcpip!TcpTlConnectionCloseEndpoint+0x6a
    fffff38e767a3700 fffff8061cd023df : ffffa40aaa85b2b0 ffffa40aa9aa9b30 ffffa40aa9772e10 fffff8060d853131 : afd!AfdCloseConnection+0x8d
    fffff38e767a3740 fffff8061cd0231e : ffffa40aaa85b2b0 0000000000000000 00000000ffff800d ffffa40aaa85b2b0 : afd!AfdCloseCore+0xaf
    fffff38e767a3780 fffff8061cd1fbfb : ffffa40aac002e60 0000000000000000 fffff38e767a3a39 fffff8060d852f97 : afd!AfdClose+0x3a
    fffff38e767a37b0 fffff8060d852f55 : ffffa40aac002e60 fffff38e767a3a00 0000000000000000 ffffa40aa9aa9b30 : afd!AfdDispatch+0x7b
    fffff38e767a37f0 fffff8060dc00eea : fffff38e767a3a39 ffffa40aac002e60 0000000000000000 0000000000000000 : nt!IofCallDriver+0x55
    fffff38e767a3830 fffff8060dbfb250 : fffff38e767a3a39 0000000000000000 ffffa40a95ec12a0 ffffa40aa9aa9b30 : nt!IopDeleteFile+0x13a
    fffff38e767a38b0 fffff8060d861277 : 0000000000000000 0000000000000000 fffff38e767a3a39 ffffa40aac002e60 : nt!ObpRemoveObjectRoutine+0x80
    fffff38e767a3910 fffff8060dc28cbe : ffffa40a95ec12a0 0000000000000000 ffffffff00000000 ffffa40a95ec12a0 : nt!ObfDereferenceObjectWithTag+0xc7
    fffff38e767a3950 fffff8060dc2c93c : 000000000000039c 0000000000000000 0000000000000000 fffff38e767a3b80 : nt!ObCloseHandleTableEntry+0x29e
    fffff38e767a3a90 fffff8060da074b8 : ffffa40a00000000 ffffa40a00000001 fffff38e767a3b80 fffff38e767a3b80 : nt!NtClose+0xec
    fffff38e767a3b00 00007ff9bdeac804 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
    000000137207f268 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff9`bdeac804

    THREAD_SHA1_HASH_MOD_FUNC: 62eae1283d3274c50a747d1897548590b36fb6a9

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 1210ea6613a4655fb1dfd96c1191f658fc282959

    THREAD_SHA1_HASH_MOD: bec7129f59d735b3ed8a521eeb57280e59c5cb06

    FOLLOWUP_IP:
    WppRecorder!WppAutoLogTrace+219
    fffff806`0feb1349 0fb682dd000000 movzx eax,byte ptr [rdx+0DDh]

    FAULT_INSTR_CODE: dd82b60f

    SYMBOL_STACK_INDEX: 9

    SYMBOL_NAME: WppRecorder!WppAutoLogTrace+219

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: WppRecorder

    IMAGE_NAME: WppRecorder.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 15060d00

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 219

    FAILURE_BUCKET_ID: 0x1E_c0000005_WppRecorder!WppAutoLogTrace

    BUCKET_ID: 0x1E_c0000005_WppRecorder!WppAutoLogTrace

    PRIMARY_PROBLEM_CLASS: 0x1E_c0000005_WppRecorder!WppAutoLogTrace

    TARGET_TIME: 2021-03-26T14:18:28.000Z

    OSBUILD: 19041

    OSSERVICEPACK: 0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 784

    PRODUCT_TYPE: 1

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

    OS_LOCALE:

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 1977-03-08 15:51:50

    BUILDDATESTAMP_STR: 191206-1406

    BUILDLAB_STR: vb_release

    BUILDOSVER_STR: 10.0.19041.1.amd64fre.vb_release.191206-1406

    ANALYSIS_SESSION_ELAPSED_TIME: 1e92

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:0x1e_c0000005_wpprecorder!wppautologtrace

    FAILURE_ID_HASH: {66a8f622-be9f-28b6-2043-e2f20ce95285}

    1: kd> .trap fffff38e767a2f20
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=fffff38e767a31c8 rbx=0000000000000000 rcx=fffff806097b94e0
    rdx=0065006800730069 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff8060feb1349 rsp=fffff38e767a30b0 rbp=fffff806097b94d0
     r8=0000000000000001  r9=fffff806097b94d0 r10=fffff806097bc000
    r11=fffff806097b94e0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na pe nc
    WppRecorder!WppAutoLogTrace+0x219:
    fffff8060feb1349 0fb682dd000000  movzx   eax,byte ptr [rdx+0DDh] ds:00650068`00730146=??

  • Tim_Roberts Member - All Emails Posts: 13,907

    So, the address is a stack address, but notice that, at the time the exception occurred, it was way off the end of the stack. During the exception process, the stack was extended to make additional room, but when the exception occurred, it was an invalid address. You need to look at your StreamFlowDeletion to see what you are passing to the log message. One very common cause of this is when a program calls a function that returns a pointer to a buffer on the stack. When the function returns, that stack address is no longer valid.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • parsa Member Posts: 42

    Hi Tim,

    Thank you for your response. Could you please clarify which address you are referring to as the stack address?

  • MBond2 Member Posts: 304

    Any stack address that is returned from a called function to a calling function. A trivial example (in the real world it can be much more complex):

    char* func2(void);
    void func3(char* pBuf);

    void func1()
    {
        char* pBuf;

        pBuf = func2();   // pBuf now points into func2's stack frame, which is already gone

        func3(pBuf);
    }

    char* func2()
    {
        char szBuf[100];

        szBuf[0] = 'A'; // assign some value

        return szBuf;   // returns the address of a local: no longer valid once func2 returns
    }

    void func3(char* pBuf)
    {
        int local1;

        local1 = 123;   // corrupt the value in pBuf since it occupies the same memory in the stack

        // do more stuff and crash
    }
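The same failure mode in a trace-message shape, beside the caller-owned-buffer fix it calls for, as an added C example that is not from the thread (function names, MSG_MAX and the snprintf formatting are constructed):

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not code from the thread). It mirrors the pattern
 * Tim and MBond2 describe: a helper formats a trace message into a local
 * array and returns its address; by the time the trace routine reads it,
 * that frame is gone and later calls have reused the same stack bytes. */

#define MSG_MAX 64

/* BUG: returns the address of a local array. Its storage is released on
 * return, so a later read through the pointer sees whatever the next call
 * frames put there, or faults outright. Shown for contrast; never called. */
const char *format_flow_msg_buggy(unsigned flow_id)
{
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "flow %u deleted", flow_id);
    return msg;   /* dangling pointer; gcc flags it with -Wreturn-local-addr */
}

/* Fix: the caller owns the buffer, so it outlives every call that reads it. */
const char *format_flow_msg(char *buf, size_t len, unsigned flow_id)
{
    snprintf(buf, len, "flow %u deleted", flow_id);
    return buf;
}

/* Stand-in for a trace routine: it pushes its own frame (reusing the stack
 * bytes a dead callee left behind) and then reads the message it was given. */
size_t trace_message(const char *msg, char *out, size_t out_len)
{
    char scratch[MSG_MAX];
    memset(scratch, 'X', sizeof scratch);
    return (size_t)snprintf(out, out_len, "[trace] %s", msg);
}

/* Caller-owned message buffer lives in this frame for the whole trace call. */
size_t log_flow_deletion(unsigned flow_id, char *out, size_t out_len)
{
    char msg[MSG_MAX];
    return trace_message(format_flow_msg(msg, sizeof msg, flow_id), out, out_len);
}

int main(void)
{
    char line[128];
    log_flow_deletion(42, line, sizeof line);
    puts(line);   /* prints "[trace] flow 42 deleted" */
    return 0;
}
```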
