The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I am debugging one BSOD that has kernel mode exception not handled properly. The BSOD occurred when accessing a memory location for write operation. As per the MSDN doc, when I check the Arg 4 (parameter 1) which is the problematic memory address, I see nothing wrong with that address. Indeed command "dd", "pte" as well as "address" show no issue with the address. Is my understanding correct? I am suspecting memory/hardware error may be causing this issue sometimes when the address is valid but system got bug checked.
I would greatly appreciate if you would provide any inputs to debug further.
KMODE_EXCEPTION_NOT_HANDLED (1e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Arguments: Arg1: ffffffffc0000005, The exception code that was not handled Arg2: fffff8060feb1349, The address that the exception occurred at Arg3: fffff38e767a2e78, Parameter 0 of the exception Arg4: fffff38e767a26b0, Parameter 1 of the exception .... **WRITE_ADDRESS: fffff38e767a26b0 ** EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. FAULTING_IP: WppRecorder!WppAutoLogTrace+219 fffff806`0feb1349 0fb682dd000000 movzx eax,byte ptr [rdx+0DDh] EXCEPTION_PARAMETER1: fffff38e767a2e78 EXCEPTION_PARAMETER2: fffff38e767a26b0 BUGCHECK_STR: 0x1E_c0000005 1: kd> dd fffff38e767a26b0 fffff38e`767a26b0 a0b85870 ffffa40a 1d0a9763 fffff806 fffff38e`767a26c0 9c4cd990 ffffa40a 1d102110 fffff806 fffff38e`767a26d0 a0b858b8 ffffa40a a0b85870 ffffa40a fffff38e`767a26e0 0010001f 00001f80 002b0010 0053002b fffff38e`767a26f0 0018002b 00010202 00000000 00000000 fffff38e`767a2700 00000000 00000000 00000000 00000000 fffff38e`767a2710 00000000 00000000 8000130c ffffffff fffff38e`767a2720 000009fc 00000000 767a31c8 fffff38e 1: kd> !address fffff38e767a26b0 Usage: Stack Base Address: fffff38e`7679e000 End Address: fffff38e`767a4000 Region Size: 00000000`00006000 VA Type: SystemRange 1: kd> !pte fffff38e767a26b0 VA fffff38e767a26b0 PXE at FFFF8E472391CF38 PPE at FFFF8E47239E71C8 PDE at FFFF8E473CE39D98 PTE at FFFF8E79C73B3D10 contains 0A0000011C363863 contains 0A0000011C364863 contains 0A00000025CB2863 contains 8A00000083CBB863 pfn 11c363 ---DA--KWEV pfn 11c364 ---DA--KWEV pfn 25cb2 ---DA--KWEV pfn 83cbb ---DA--KW-V
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!|
|Developing Minifilters||24 May 2021||Live, Online|
|Writing WDF Drivers||14 June 2021||Live, Online|
|Internals & Software Drivers||2 August 2021||Live, Online|
|Kernel Debugging||27 Sept 2021||Live, Online|