Hello, I had a blue screen.
I do not know if it's my driver which is involved.
How do we know if it's my driver or not?
Coincidence?
My driver mounts a virtual drive, rawdisk and filesystem.
I mount a virtual drive with TrueCrypt or with my driver, virtual rawdisk or filesystem.
Thank you.
PEB is paged out (Peb.Ldr = 7ffde00c). Type “.hh dbgerr001” for details
PEB is paged out (Peb.Ldr = 7ffde00c). Type “.hh dbgerr001” for details
ADDITIONAL_DEBUG_TEXT:
Use ‘!findthebuild’ command to search for the target build information.
If the build information is available, run ‘!findthebuild -s ; .reload’ to set symbol path and load symbols.
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 41107faa
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - L’instruction “0x%08lx” emploie l’adresse mémoire “0x%08lx”. La mémoire ne peut pas être “%s”.
FAULTING_IP:
nt!NtQuerySystemInformation+233a
80588429 8b08 mov ecx,dword ptr [eax]
TRAP_FRAME: b70bac4c – (.trap 0xffffffffb70bac4c)
ErrCode = 00000000
eax=51c020e5 ebx=00000000 ecx=00000009 edx=00000000 esi=00000038 edi=825c2970
eip=80588429 esp=b70bacc0 ebp=b70bacd4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!NtQuerySystemInformation+0x233a:
80588429 8b08 mov ecx,dword ptr [eax] ds:0023:51c020e5=???
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from 80522839 to 80537832
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b70ba814 80522839 0000008e c0000005 80588429 nt!KeBugCheckEx+0x1b
b70babdc 804de998 b70babf8 00000000 b70bac4c nt!KePulseEvent+0x629e
b70bac90 804da591 ffffffff 00000030 825c2970 nt!Kei386EoiHelper+0x1de
b70bacd4 80570dd6 8251c020 015c2970 82be8040 nt!ExAcquireResourceExclusiveLite+0x4a
b70bacfc 80570cfc e28c7b30 825c2988 000001e0 nt!NtClose+0xad
b70bad44 80570d46 000001e0 00000001 00000000 nt!ExfAcquirePushLockShared+0x49f
b70bad58 804ddf0f 000001e0 0006fdb0 7c91eb94 nt!NtClose+0x1d
b70bad64 7c91eb94 badb0d00 0006fda0 00000000 nt!KiDeliverApc+0xbbb
b70bad68 badb0d00 0006fda0 00000000 00000000 0x7c91eb94
b70bad6c 0006fda0 00000000 00000000 00000000 0xbadb0d00
b70bad70 00000000 00000000 00000000 00000000 0x6fda0
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!NtQuerySystemInformation+233a
80588429 8b08 mov ecx,dword ptr [eax]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!NtQuerySystemInformation+233a
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntkrnlmp.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner