Hi, guys
I am analyzing a dump which has arrived from another satisfied customer.
!analyze -v
UNEXPECTED_KERNEL_MODE_TRAP (7f)
Arguments:
Arg1: 00000000, EXCEPTION_DIVIDED_BY_ZERO
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
OVERLAPPED_MODULE: Address regions for 'kmixer' and 'kmixer.sys' overlap
BUGCHECK_STR: 0x7f_0
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: csrss.exe
TRAP_FRAME: a7f64bc0 -- (.trap 0xffffffffa7f64bc0)
ErrCode = 00000000
eax=881f52d8 ebx=e3f5aa9c ecx=00000000 edx=00010002 esi=e3f5aaa0 edi=00000000
eip=00011f79 esp=a7f64c34 ebp=a7f64c6c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
00011f79 0000 add byte ptr [eax],al ds:0023:881f52d8=c8
Resetting default scope
LAST_CONTROL_TRANSFER: from 805a26fd to 804f9f1e
STACK_TEXT:
a7f64b5c 805a26fd 0000007f 00011f79 e3f5aaa0 nt!KeBugCheck+0x14
a7f64bb4 80542284 a7f64bc0 a7f64c6c 00011f79 nt!Ki386CheckDivideByZeroTrap+0x41
a7f64bb4 00011f79 a7f64bc0 a7f64c6c 00011f79 nt!KiTrap00+0x84
WARNING: Frame IP not in any known module. Following frames may be wrong.
a7f64c30 805bb48e e3f5aab8 00000002 00000000 0x11f79
a7f64c6c 805266fa e3f5aab8 00000000 00000000 nt!ObpRemoveObjectRoutine+0xc4
a7f64c84 bf80343a bbf5d780 a7f64c9c bf8029a0 nt!ObfDereferenceObject+0x4c
a7f64c90 bf8029a0 e314e4d8 a7f64cf8 bf838c2c win32k!DereferenceW32Thread+0x25
a7f64c9c bf838c2c a7f64cb4 bbf5d780 e3750008 win32k!PopAndFreeW32ThreadLock+0x25
a7f64cf8 bf8391f4 bbf5d780 e3750008 00000000 win32k!xxxSetForegroundWindow2+0x3d4
a7f64d28 bf85845f bbf5d780 00000001 a7f64d54 win32k!xxxSetForegroundWindow+0x164
a7f64d38 bf824614 bbf5d780 0136fce4 00000000 win32k!xxxStubSetForegroundWindow+0xf
a7f64d54 8054167c 002a16ba 0000005b 0136fce4 win32k!NtUserCallHwndLock+0x4b
a7f64d54 7c90e514 002a16ba 0000005b 0136fce4 nt!KiFastCallEntry+0xfc
0136fce4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
This is Win7x32
The strange return address here is of course 0x11f79. The customer says the system was “hung” and he just pushed the power button. He also says that when he turned on the machine again the dump was being written. From other stacks I clearly see that the dump describes the memory snapshot during system shutdown (Winlogon calls ExitWindowsEx() from another thread and a message is sent to CSRSS.exe). I have two questions:
- Is it possible that somehow the dump written after reboot represents a snapshot of the memory before reboot?
- Is this just a plain stack corruption caused by pushing a power button?
Thanks!
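As an added example (not part of the original post), a small Python script that parses the STACK_TEXT block quoted above and flags the frames a reviewer would question: the nt!KiTrap00 frame returning to the user-mode address 0x11f79 and the symbol-less 0x11f79 frame. It assumes the default x86 2 GB split (kernel base 0x80000000) and treats nt!KiFastCallEntry as the one kernel frame that is expected to return into user mode.

```python
import re
# Constructed sample: a subset of the STACK_TEXT frames quoted in the post.
STACK_TEXT = """\
a7f64b5c 805a26fd 0000007f 00011f79 e3f5aaa0 nt!KeBugCheck+0x14
a7f64bb4 80542284 a7f64bc0 a7f64c6c 00011f79 nt!Ki386CheckDivideByZeroTrap+0x41
a7f64bb4 00011f79 a7f64bc0 a7f64c6c 00011f79 nt!KiTrap00+0x84
WARNING: Frame IP not in any known module. Following frames may be wrong.
a7f64c30 805bb48e e3f5aab8 00000002 00000000 0x11f79
a7f64d54 8054167c 002a16ba 0000005b 0136fce4 win32k!NtUserCallHwndLock+0x4b
a7f64d54 7c90e514 002a16ba 0000005b 0136fce4 nt!KiFastCallEntry+0xfc
0136fce4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
"""

KERNEL_BASE = 0x80000000                # assumed: x86 default 2 GB user/kernel split
KERNEL_MODULES = {"nt", "win32k"}       # kernel modules that appear in this stack
SYSCALL_ENTRY = {"nt!KiFastCallEntry"}  # kernel frame that legitimately returns to user mode

FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")

def parse_frames(text):
    """Parse 'ChildEBP RetAddr Args... Symbol' lines into dicts; skip WARNING lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            sym = m.group(3)
            frames.append({"child_ebp": int(m.group(1), 16),
                           "ret_addr": int(m.group(2), 16),
                           "symbol": sym,
                           "module": sym.split("!")[0] if "!" in sym else None})
    return frames

def suspicious_frames(frames, kernel_base=KERNEL_BASE):
    """Return (symbol, ret_addr, reasons) for frames that look broken or are trap boundaries."""
    out = []
    prev_ebp = None
    for f in frames:
        reasons = []
        if f["module"] is None:
            reasons.append("IP not in any known module")
        elif (f["module"] in KERNEL_MODULES and f["ret_addr"] < kernel_base
              and f["symbol"].split("+")[0] not in SYSCALL_ENTRY):
            reasons.append("kernel frame returns to user-mode address")
        if f["child_ebp"] == prev_ebp:      # same ChildEBP twice: trap frame or fake frame
            reasons.append("repeated ChildEBP (trap frame or fake frame)")
        if reasons:
            out.append((f["symbol"], hex(f["ret_addr"]), reasons))
        prev_ebp = f["child_ebp"]
    return out
```

Running suspicious_frames(parse_frames(STACK_TEXT)) reports the KiTrap00 frame (user-mode return 0x11f79 plus the repeated ChildEBP), the bare 0x11f79 frame, and the KiFastCallEntry syscall boundary.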