Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Hello,
I am trying to debug malware which is x86 based using WinDbg x86. While doing that, whenever I put an access breakpoint on $peb using "ba r 1 $peb" and hit go, the OS freezes and reboots. I tried to see the dump file and the error code is 139 (KERNEL_SECURITY_CHECK_FAILURE) and previously it was error code 3b.
Out of curiosity, I tried to debug Calc.exe (x64 version) using WinDbg x64 and the breakpoint was hit and the OS didn't crash. But when I did the same with Calc.exe (x86 version) using WinDbg x86 the OS freezes and reboots.
Please help. I downloaded the symbols for x86 and x64 and loaded them as required and I am using Windows 10 (build 1903).
This is the dump analysis by windbg.
Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\minidump\110721-43234-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred .sympath cache*c:\MySymbols
Deferred srv*https://msdl.microsoft.com/download/symbols
Symbol search path is: .sympath cache*c:\MySymbols;srv*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff8066e600000 PsLoadedModuleList = 0xfffff8066ea43290
Debug session time: Sun Nov 7 21:50:29.675 2021 (UTC + 5:30)
System Uptime: 0 days 0:33:22.509
Loading Kernel Symbols
...............................................................
................................................................
............................
Loading User Symbols
Loading unloaded module list
......
************* Path validation summary **************
Response Time (ms) Location
Deferred .sympath cache*c:\MySymbols
Deferred srv*https://msdl.microsoft.com/download/symbols
OK c:\sym
For analysis of this file, run !analyze -v
1: kd> !analyze -v
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack
extents for the thread.
Arg2: ffffc9002be57ff0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffc9002be57f48, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec Value: 8828
Key : Analysis.DebugAnalysisManager Value: Create
Key : Analysis.Elapsed.mSec Value: 48338
Key : Analysis.Init.CPU.mSec Value: 4968
Key : Analysis.Init.Elapsed.mSec Value: 93114
Key : Analysis.Memory.CommitPeak.Mb Value: 78
Key : FailFast.Name Value: INCORRECT_STACK
Key : FailFast.Type Value: 4
Key : WER.OS.Branch Value: 19h1_release
Key : WER.OS.Timestamp Value: 2019-03-18T12:02:00Z
Key : WER.OS.Version Value: 10.0.18362.1
BUGCHECK_CODE: 139
BUGCHECK_P1: 4
BUGCHECK_P2: ffffc9002be57ff0
BUGCHECK_P3: ffffc9002be57f48
BUGCHECK_P4: 0
TRAP_FRAME: ffffc9002be57ff0 -- (.trap 0xffffc9002be57ff0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffed0c143a5000 rbx=0000000000000000 rcx=0000000000000004
rdx=ffffed0c143ab000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8066e84e703 rsp=ffffc9002be58180 rbp=ffffc9002be586f0
r8=ffffed0c143ab000 r9=ffffc9002be58701 r10=ffffb2040a1e4080
r11=000000000067fa34 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl zr na po nc
nt!RtlpGetStackLimitsEx+0x126937:
fffff806`6e84e703 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffc9002be57f48 -- (.exr 0xffffc9002be57f48)
ExceptionAddress: fffff8066e84e703 (nt!RtlpGetStackLimitsEx+0x0000000000126937)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000004
Subcode: 0x4 FAST_FAIL_INCORRECT_STACK
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: calc.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000004
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffffc9002be57cc8 fffff8066e7ce469 : 0000000000000139 0000000000000004 ffffc9002be57ff0 ffffc9002be57f48 : nt!KeBugCheckEx
ffffc9002be57cd0 fffff8066e7ce890 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffc9002be57e10 fffff8066e7ccc1f : fffff8066e72e6b8 fffff8066ea0a614 ffffc9002be587d0 0000000000000000 : nt!KiFastFailDispatch+0xd0
ffffc9002be57ff0 fffff8066e84e703 : 0000000000000000 00000000000002a9 0005e5cc00ab2000 000000000010001f : nt!KiRaiseSecurityCheckFailure+0x31f
ffffc9002be58180 fffff8066e821056 : 000000000000008e 0000000000000000 ffffc9002be586f0 00007fff00000003 : nt!RtlpGetStackLimitsEx+0x126937
ffffc9002be581b0 fffff8066e6b865e : ffffed0c143aa8b8 ffffc9002be58e30 ffffed0c143aa8b8 0000000000d51b60 : nt!RtlDispatchException+0x16cdb6
ffffc9002be58900 fffff8066e7bd682 : 006f006f0062005f 00740074002e0074 0000000000000066 006f006f0062005c : nt!KiDispatchException+0x16e
ffffc9002be58fb0 fffff8066e7bd650 : fffff8066e7ce596 0000000000000000 0000000000000000 0000000000000000 : nt!KxExceptionDispatchOnExceptionStack+0x12
ffffed0c143aa778 fffff8066e7ce596 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiExceptionDispatchOnExceptionStackContinue
ffffed0c143aa780 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiExceptionDispatch+0x116
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.18362.30
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_nt!KiFastFailDispatch
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {1971a9b0-b7ec-89bf-0a51-10ac52818da5}
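Added example, not part of the original post and not OSR code: a small Python triage helper for a `!analyze -v` report like the one above. It pulls out the bugcheck code, the FAST_FAIL subcode carried in Arg1 of a 0x139 bugcheck, the process name and the STACK_TEXT rows, and then matches Arg2 (the trap frame address) against the ChildSP column to find the frame in which `int 29h` was executed and the code that raised it. The FAST_FAIL_* names are the winnt.h values; the sample report is constructed from the lines quoted in the post.

```python
import re
FAST_FAIL_CODES = {0: "LEGACY_GS_VIOLATION", 1: "VTGUARD_CHECK_FAILURE",   # winnt.h FAST_FAIL_*
                   2: "STACK_COOKIE_CHECK_FAILURE", 3: "CORRUPT_LIST_ENTRY",
                   4: "INCORRECT_STACK", 5: "INVALID_ARG", 6: "GS_COOKIE_INIT"}

HEX = r"[0-9a-f]{8}`?[0-9a-f]{8}"   # 64-bit value; WinDbg may print a backtick in the middle
# One STACK_TEXT row: ChildSP RetAddr : four argument slots : symbol
FRAME_RE = re.compile(rf"^({HEX}) ({HEX}) : (?:{HEX} ){{4}}: (\S+)$", re.M)

def hexval(s):
    return int(s.replace("`", ""), 16)

def parse_analyze(text):
    """Pull the fields a 0x139 triage needs out of a '!analyze -v' report."""
    code = re.search(r"^[A-Z_]+ \(([0-9a-f]+)\)$", text, re.M)  # "..._FAILURE (139)"
    proc = re.search(r"^PROCESS_NAME: +(\S+)$", text, re.M)
    return {
        "code": hexval(code.group(1)) if code else None,         # WinDbg prints it in hex
        "args": [hexval(a) for a in re.findall(r"^Arg\d: (\S+),", text, re.M)],
        "process": proc.group(1) if proc else None,
        "frames": [(hexval(sp), hexval(ra), sym) for sp, ra, sym in FRAME_RE.findall(text)],
    }

def fast_fail_name(report):
    """Bugcheck 0x139 carries the FAST_FAIL_* subcode in Arg1."""
    if report["code"] != 0x139 or not report["args"]:
        return None
    return FAST_FAIL_CODES.get(report["args"][0], "UNKNOWN_%d" % report["args"][0])

def frame_at_trap(report):
    """Arg2 is the trap frame address: the STACK_TEXT row whose ChildSP equals it is the
    int 29h handler, and the row below it names the code that executed int 29h."""
    trap = report["args"][1] if len(report["args"]) > 1 else None
    frames = report["frames"]
    for i, (child_sp, _ret, sym) in enumerate(frames[:-1]):
        if child_sp == trap:
            return sym, frames[i + 1][2]
    return None

# Constructed sample: the relevant lines of the report quoted in the post above.
SAMPLE = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack
Arg2: ffffc9002be57ff0, Address of the trap frame for the exception that caused the bugcheck
PROCESS_NAME: calc.exe
STACK_TEXT:
ffffc900`2be57e10 fffff806`6e7ccc1f : fffff806`6e72e6b8 fffff806`6ea0a614 ffffc900`2be587d0 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffc900`2be57ff0 fffff806`6e84e703 : 00000000`00000000 00000000`000002a9 0005e5cc`00ab2000 00000000`0010001f : nt!KiRaiseSecurityCheckFailure+0x31f
ffffc900`2be58180 fffff806`6e821056 : 00000000`0000008e 00000000`00000000 ffffc900`2be586f0 00007fff`00000003 : nt!RtlpGetStackLimitsEx+0x126937
"""
```

Run on the full report, `frame_at_trap` gives the same pair the TRAP_FRAME section shows (the return address in the KiRaiseSecurityCheckFailure row equals the trap frame's rip), which is a quick consistency check before reading further.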