
Help with windbg crash and OS crash while debugging

jamesbond008 Member Posts: 1

Hello,
I am trying to debug a piece of malware which is x86-based using WinDbg x86. While doing that, whenever I put an access breakpoint on $peb using "ba r 1 $peb" and hit go, the OS freezes and reboots. I tried to look at the dump file and the error code is 139 (KERNEL_SECURITY_CHECK_FAILURE); previously it was error code 3b.

Out of curiosity, I tried to debug Calc.exe (x64 version) using WinDbg x64 and the breakpoint was hit and the OS didn't crash. But when I did the same with Calc.exe (x86 version) using WinDbg x86, the OS freezes and reboots.

Please help. I downloaded the symbols for x86 and x64 and loaded them as required, and I am using Windows 10 (build 1903).
This is the dump analysis by WinDbg.

Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\minidump\110721-43234-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred .sympath cachec:\MySymbols
Deferred srv
https://msdl.microsoft.com/download/symbols
Symbol search path is: .sympath cachec:\MySymbols;srvhttps://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff8066e600000 PsLoadedModuleList = 0xfffff8066ea43290
Debug session time: Sun Nov 7 21:50:29.675 2021 (UTC + 5:30)
System Uptime: 0 days 0:33:22.509
Loading Kernel Symbols
...............................................................
................................................................
............................
Loading User Symbols
Loading unloaded module list
......

************* Path validation summary **************
Response Time (ms) Location
Deferred .sympath cachec:\MySymbols
Deferred srv
https://msdl.microsoft.com/download/symbols
OK c:\sym
For analysis of this file, run !analyze -v
1: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack
extents for the thread.
Arg2: ffffc9002be57ff0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffc9002be57f48, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 8828

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 48338

Key  : Analysis.Init.CPU.mSec
Value: 4968

Key  : Analysis.Init.Elapsed.mSec
Value: 93114

Key  : Analysis.Memory.CommitPeak.Mb
Value: 78

Key  : FailFast.Name
Value: INCORRECT_STACK

Key  : FailFast.Type
Value: 4

Key  : WER.OS.Branch
Value: 19h1_release

Key  : WER.OS.Timestamp
Value: 2019-03-18T12:02:00Z

Key  : WER.OS.Version
Value: 10.0.18362.1

BUGCHECK_CODE: 139

BUGCHECK_P1: 4

BUGCHECK_P2: ffffc9002be57ff0

BUGCHECK_P3: ffffc9002be57f48

BUGCHECK_P4: 0

TRAP_FRAME: ffffc9002be57ff0 -- (.trap 0xffffc9002be57ff0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffed0c143a5000 rbx=0000000000000000 rcx=0000000000000004
rdx=ffffed0c143ab000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8066e84e703 rsp=ffffc9002be58180 rbp=ffffc9002be586f0
r8=ffffed0c143ab000 r9=ffffc9002be58701 r10=ffffb2040a1e4080
r11=000000000067fa34 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl zr na po nc
nt!RtlpGetStackLimitsEx+0x126937:
fffff806`6e84e703 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffc9002be57f48 -- (.exr 0xffffc9002be57f48)
ExceptionAddress: fffff8066e84e703 (nt!RtlpGetStackLimitsEx+0x0000000000126937)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000004
Subcode: 0x4 FAST_FAIL_INCORRECT_STACK

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: calc.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000004

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
ffffc9002be57cc8 fffff8066e7ce469 : 0000000000000139 0000000000000004 ffffc9002be57ff0 ffffc9002be57f48 : nt!KeBugCheckEx
ffffc9002be57cd0 fffff8066e7ce890 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffc9002be57e10 fffff8066e7ccc1f : fffff8066e72e6b8 fffff8066ea0a614 ffffc9002be587d0 0000000000000000 : nt!KiFastFailDispatch+0xd0
ffffc9002be57ff0 fffff8066e84e703 : 0000000000000000 00000000000002a9 0005e5cc00ab2000 000000000010001f : nt!KiRaiseSecurityCheckFailure+0x31f
ffffc9002be58180 fffff8066e821056 : 000000000000008e 0000000000000000 ffffc9002be586f0 00007fff00000003 : nt!RtlpGetStackLimitsEx+0x126937
ffffc9002be581b0 fffff8066e6b865e : ffffed0c143aa8b8 ffffc9002be58e30 ffffed0c143aa8b8 0000000000d51b60 : nt!RtlDispatchException+0x16cdb6
ffffc9002be58900 fffff8066e7bd682 : 006f006f0062005f 00740074002e0074 0000000000000066 006f006f0062005c : nt!KiDispatchException+0x16e
ffffc9002be58fb0 fffff8066e7bd650 : fffff8066e7ce596 0000000000000000 0000000000000000 0000000000000000 : nt!KxExceptionDispatchOnExceptionStack+0x12
ffffed0c143aa778 fffff8066e7ce596 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiExceptionDispatchOnExceptionStackContinue
ffffed0c143aa780 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiExceptionDispatch+0x116

SYMBOL_NAME: nt!KiFastFailDispatch+d0

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.18362.30

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: d0

FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_nt!KiFastFailDispatch

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {1971a9b0-b7ec-89bf-0a51-10ac52818da5}

Followup: MachineOwner
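The !analyze -v text above is the kind of report an incident responder often has to file or correlate across several crashing hosts. The script below is an added example (not part of the original post, nor OSR's or Microsoft's code) that parses that textual report into structured fields: the bugcheck code and name, the Arg1..Arg4 values with their descriptions, the Key/Value pairs, the STACK_TEXT frames, and a short triage summary. The SAMPLE string is a constructed excerpt modelled on the output quoted in the post; the FAST_FAIL subcode table lists only a few of the values defined in winnt.h (the post's own output already shows 0x4 as FAST_FAIL_INCORRECT_STACK).

```python
import re

# Constructed excerpt modelled on the !analyze -v output quoted above (trimmed for the example).
SAMPLE = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.
Arguments:
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack
extents for the thread.
Arg2: ffffc9002be57ff0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffc9002be57f48, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Key  : FailFast.Name
Value: INCORRECT_STACK

Key  : FailFast.Type
Value: 4

BUGCHECK_CODE: 139

PROCESS_NAME: calc.exe

STACK_TEXT:
ffffc9002be57cc8 fffff8066e7ce469 : 0000000000000139 0000000000000004 ffffc9002be57ff0 ffffc9002be57f48 : nt!KeBugCheckEx
ffffc9002be57cd0 fffff8066e7ce890 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffc9002be57e10 fffff8066e7ccc1f : fffff8066e72e6b8 fffff8066ea0a614 ffffc9002be587d0 0000000000000000 : nt!KiFastFailDispatch+0xd0

SYMBOL_NAME: nt!KiFastFailDispatch+d0

FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_nt!KiFastFailDispatch
"""

HEX = r"[0-9a-f]{16}"
HEADLINE_RE = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)$")       # KERNEL_SECURITY_CHECK_FAILURE (139)
ARG_RE = re.compile(rf"^Arg([1-4]): ({HEX}), (.*)$")           # Arg1: 0000000000000004, description
KEY_RE = re.compile(r"^Key\s+: (\S+)$")                         # Key  : FailFast.Name
VALUE_RE = re.compile(r"^Value: (.*)$")                         # Value: INCORRECT_STACK
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]+): (.*)$")            # PROCESS_NAME: calc.exe
FRAME_RE = re.compile(rf"^({HEX}) ({HEX}) : ((?:{HEX} ?){{4}}) : (\S+)$")

# Fast-fail subcodes carried in Arg1 of bugcheck 0x139 (values from winnt.h; only a few listed here).
FAST_FAIL = {
    2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
    3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
    4: "FAST_FAIL_INCORRECT_STACK",
}


def parse_analyze(text):
    """Parse a textual !analyze -v report into fields, Key/Value pairs, bugcheck args and stack frames."""
    result = {"fields": {}, "keys": {}, "args": {}, "stack": []}
    pending_key = None   # a "Key :" line waiting for its "Value:" line
    last_arg = None      # ArgN whose description may wrap onto the next line
    in_stack = False     # inside the STACK_TEXT block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_stack = False   # a blank line ends STACK_TEXT and any wrapped Arg description
            last_arg = None
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                result["stack"].append({
                    "child_sp": int(m.group(1), 16),
                    "ret_addr": int(m.group(2), 16),
                    "args": [int(a, 16) for a in m.group(3).split()],
                    "symbol": m.group(4),
                })
                continue
        if line == "STACK_TEXT:":
            in_stack = True
            continue
        m = HEADLINE_RE.match(line)
        if m:
            result["fields"]["BUGCHECK_NAME"] = m.group(1)
            result["fields"]["BUGCHECK_CODE"] = m.group(2)
            continue
        m = KEY_RE.match(line)
        if m:
            pending_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and pending_key:
            result["keys"][pending_key] = m.group(1)
            pending_key = None
            continue
        m = ARG_RE.match(line)
        if m:
            last_arg = int(m.group(1))
            result["args"][last_arg] = [int(m.group(2), 16), m.group(3)]
            continue
        m = FIELD_RE.match(line)
        if m:
            result["fields"][m.group(1)] = m.group(2)
            last_arg = None
            continue
        if last_arg is not None:
            # wrapped continuation of the previous Arg description
            result["args"][last_arg][1] += " " + line
    return result


def summarize(parsed):
    """Reduce a parsed report to the handful of facts a triage ticket needs."""
    args = parsed["args"]
    code = int(parsed["fields"].get("BUGCHECK_CODE", "0"), 16)
    summary = {
        "bugcheck": code,
        "bugcheck_name": parsed["fields"].get("BUGCHECK_NAME"),
        "process": parsed["fields"].get("PROCESS_NAME"),
        "bucket": parsed["fields"].get("FAILURE_BUCKET_ID"),
        "top_frames": [f["symbol"] for f in parsed["stack"][:3]],
        "fast_fail": None,
    }
    if code == 0x139 and 1 in args:
        summary["fast_fail"] = FAST_FAIL.get(args[1][0], f"unknown subcode {args[1][0]:#x}")
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_analyze(SAMPLE)), indent=2))
```

Feeding the full report from the post instead of SAMPLE gives the same summary; the script deliberately ignores lines it does not recognise (timing keys, symbol-path chatter) so it survives differences between debugger versions.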
