Dear Team,
While performing the Common Scenario Stress with IO tests for the Custom KMDF HID driver, there was a BSOD with the below message captured in the minidump of Vista.
The tests pass normally on the other systems but fail only on this particular system. At the end of the message it says that the problem is caused by the bang.sys module.
I tried to locate this bang.sys in the entire system but did not find it.
Can somebody provide a pointer to analyze the crash dump to know what might have caused the original problem?
Regards.
=========================================================
CrashDump
Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\Mini121107-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger.
using .sympath and .sympath+
Unable to load image ntoskrnl.exe, Win32 error 0n2
WARNING: Unable to verify timestamp for ntoskrnl.exe
ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Vista Kernel Version 6000 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x81800000 PsLoadedModuleList = 0x81908ab0
Debug session time: Tue Dec 11 06:51:06.519 2007 (GMT-8)
System Uptime: 0 days 0:11:35.160
Symbols can not be loaded because symbol path is not initialized.
The Symbol Path can be set by:
using the _NT_SYMBOL_PATH environment variable.
using the -y <symbol_path> argument when starting the debugger.
using .sympath and .sympath+
Unable to load image ntoskrnl.exe, Win32 error 0n2
WARNING: Unable to verify timestamp for ntoskrnl.exe
ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
…
Loading User Symbols
Loading unloaded module list
…
Unable to load image BANG.SYS, Win32 error 0n2
WARNING: Unable to verify timestamp for BANG.SYS
ERROR: Module load completed but symbols could not be loaded for BANG.SYS
*********
*
Bugcheck Analysis
*
**************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck DEADDEAD, {0, 0, 0, 0}
Kernel symbols are WRONG. Please fix symbols to do analysis.
Your debugger is not using the correct symbols
In order for this command to work properly, your symbol path
must point to .pdb files that have full type information.
Certain .pdb files (such as the public OS symbols) do not
contain the required information. Contact the group that
provided you with these symbols if you need this command to
work.
Type referenced: nt!_KPRCB
Probably caused by : BANG.SYS ( BANG+4032 )
Followup: MachineOwner
---------
Please take some time to look at the output from the debugger BEFORE posting
to this list. You are not set up with the correct symbols. That said,
bugcheck deaddead is being invoked by the driver bang.sys, as you noted,
which driver is dynamically inserted by the OSR utility/pseudo-malware
bang.exe. I rather doubt DTM is running bang.exe, although I suppose it is
possible, so the question is why is bang.exe getting run on your Vista test
system?
On Dec 24, 2007 2:57 AM, wrote:
>
> Dear Team,
>
> While performing the Common Scenario Stress with IO tests for the Custom
> KMDF HID driver, there was a BSOD with the below message captured in the
> minidump of Vista.
>
> The tests pass normally on the other systems but fail only on this
> particular system. At the end of the message it says that the problem is
> caused by the bang.sys module.
>
> I tried to locate this bang.sys in the entire system but did not find it.
>
> Can somebody provide a pointer to analyze the crash dump to know what
> might have caused the original problem?
>
> Regards.
>
> =========================================================
> CrashDump
> =========================================================
>
>
> Microsoft (R) Windows Debugger Version 6.7.0005.1
> Copyright (c) Microsoft Corporation. All rights reserved.
>
>
> Loading Dump File [C:\Windows\Minidump\Mini121107-01.dmp]
> Mini Kernel Dump File: Only registers and stack trace are available
>
> Symbol search path is: Invalid
>
>
> * Symbol loading may be unreliable without a symbol search path.
>
> * Use .symfix to have the debugger choose a symbol path.
>
> * After setting your symbol path, use .reload to refresh symbol locations.
>
>
>
> Executable search path is:
>
> * Symbols can not be loaded because symbol path is not initialized.
> *
> * The Symbol Path can be set by:
> * using the _NT_SYMBOL_PATH environment variable.
> * using the -y <symbol_path> argument when starting the debugger.
> * using .sympath and .sympath+
>
> Unable to load image ntoskrnl.exe, Win32 error 0n2
> WARNING: Unable to verify timestamp for ntoskrnl.exe
> ERROR: Module load completed but symbols could not be loaded for
> ntoskrnl.exe
> Windows Vista Kernel Version 6000 UP Free x86 compatible
> Product: WinNt, suite: TerminalServer SingleUserTS
> Kernel base = 0x81800000 PsLoadedModuleList = 0x81908ab0
> Debug session time: Tue Dec 11 06:51:06.519 2007 (GMT-8)
> System Uptime: 0 days 0:11:35.160
>
> * Symbols can not be loaded because symbol path is not initialized.
> *
> * The Symbol Path can be set by:
> * using the _NT_SYMBOL_PATH environment variable.
> * using the -y <symbol_path> argument when starting the debugger.
> * using .sympath and .sympath+
>
> Unable to load image ntoskrnl.exe, Win32 error 0n2
> WARNING: Unable to verify timestamp for ntoskrnl.exe
> ERROR: Module load completed but symbols could not be loaded for
> ntoskrnl.exe
> Loading Kernel Symbols
>
> …
> Loading User Symbols
> Loading unloaded module list
> …
> Unable to load image BANG.SYS, Win32 error 0n2
> WARNING: Unable to verify timestamp for BANG.SYS
> ERROR: Module load completed but symbols could not be loaded for
> BANG.SYS
>
>
>
>
> * Bugcheck Analysis
>
>
>
>
>
>
> Use !analyze -v to get detailed debugging information.
>
> BugCheck DEADDEAD, {0, 0, 0, 0}
>
> Kernel symbols are WRONG. Please fix symbols to do analysis.
>
>************************************************
> ******
> ******
> Your debugger is not using the correct symbols
> ******
> In order for this command to work properly, your symbol path
> must point to .pdb files that have full type information.
> ******
> Certain .pdb files (such as the public OS symbols) do not
> contain the required information. Contact the group that
> provided you with these symbols if you need this command to
> work.
> ******
> Type referenced: nt!_KPRCB
> ******
> *************************************************************************
> Probably caused by : BANG.SYS ( BANG+4032 )
>
> Followup: MachineOwner
> ---------
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
–
Mark Roddy
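
Added example (not part of the original thread, and not OSR or Microsoft code): a small Python triage of the debugger text quoted above. It checks the symbol state first, as the reply asks, then pulls out the bugcheck code and the blamed module. The name triage and the SAMPLE text, built from lines of the dump above, are assumptions of this example.

```python
import re

# Constructed sample: lines taken from the debugger output quoted in this thread.
SAMPLE = """\
Symbol search path is: *** Invalid ***
ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading unloaded module list
Unable to load image BANG.SYS, Win32 error 0n2
ERROR: Module load completed but symbols could not be loaded for BANG.SYS
BugCheck DEADDEAD, {0, 0, 0, 0}
Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : BANG.SYS ( BANG+4032 )
"""

def triage(text):
    """Summarise a WinDbg minidump transcript: symbol state first, then the blame line."""
    report = {"symbols_ok": True, "bugcheck": None, "args": [],
              "blamed": None, "offset": None, "no_symbols": [], "notes": []}
    # 1. Symbol state: either marker means the analysis ran without usable symbols.
    if (re.search(r"Symbol search path is:\s*\**\s*Invalid", text)
            or "Kernel symbols are WRONG" in text):
        report["symbols_ok"] = False
        report["notes"].append("symbols not set up: run .symfix, .reload, then !analyze -v")
    report["no_symbols"] = re.findall(r"symbols could not be loaded for\s+(\S+)", text)
    # 2. Bugcheck code and its four parameters (hexadecimal in the debugger output).
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if m:
        report["bugcheck"] = int(m.group(1), 16)
        report["args"] = [int(a, 16) for a in m.group(2).split(",") if a.strip()]
    # 3. Blamed module and raw offset from the "Probably caused by" line.
    m = re.search(r"Probably caused by\s*:\s*(\S+)\s*\(\s*\w+\+([0-9A-Fa-f]+)\s*\)", text)
    if m:
        report["blamed"] = m.group(1)
        report["offset"] = int(m.group(2), 16)
        if report["blamed"].lower() in (n.lower() for n in report["no_symbols"]):
            report["notes"].append(
                f"{report['blamed']}: no symbols loaded, so +{report['offset']:#x} "
                "is a raw module offset, not a function name")
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```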