driver causing system crash

Hi,

I am working on an upper volume filter driver that monitors sector reads/writes.
My problem is that the driver works fine when tested on Windows 7, but when tested on Windows Server 2008 Standard Edition the system crashes. I am also not able to debug my driver through windbg at startup; as soon as the OS loads a little bit, the system crashes.

Below is the output of "!analyze -v" from windbg:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

*** Fatal System Error: 0x00000050
(0x83A00000,0x00000001,0x81691085,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows Server 2008 x86 compatible target at (Tue Apr 23 13:09:19.842 2013 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols
..........................................
Loading User Symbols

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {83a00000, 1, 81691085, 0}

Probably caused by : ntkrpamp.exe ( nt!KiTrap0E+dc )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
816f6514 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 83a00000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 81691085, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

WRITE_ADDRESS: 83a00000

FAULTING_IP:
nt!memset+45
81691085 f3ab rep stos dword ptr es:[edi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0x50

CURRENT_IRQL: 2

TRAP_FRAME: 81733a10 -- (.trap 0xffffffff81733a10)
ErrCode = 0000000b
eax=00000000 ebx=00000963 ecx=00000400 edx=00000000 esi=83a00000 edi=83a00000
eip=81691085 esp=81733a84 ebp=81733ab8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0010 efl=00210206
nt!memset+0x45:
81691085 f3ab rep stos dword ptr es:[edi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 8170b2d7 to 816f6514

STACK_TEXT:
81733564 8170b2d7 00000003 3a33d3fa 00000000 nt!RtlpBreakWithStatusInstruction
817335b4 8170bdbd 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
81733980 816e3155 00000050 83a00000 00000001 nt!KeBugCheck2+0x66d
817339f8 81698bb4 00000001 83a00000 00000000 nt!MmAccessFault+0x10a
817339f8 81691085 00000001 83a00000 00000000 nt!KiTrap0E+0xdc
81733a84 81986164 83a00000 00000000 00001000 nt!memset+0x45
81733ab8 81985d95 83a00000 00000000 00001000 nt!MxMapVa+0x1f9
81733ae4 81992069 c041d000 00000000 00000001 nt!MiCreateSparsePfnDatabase+0xc5
81733b04 81991236 8081156c 00000000 8081156c nt!MiCreatePfnDatabase+0x1c1
81733b4c 8199b19f 8081156c 0000bb40 81733cf0 nt!MmInitNucleus+0x1b7
81733b5c 8198a867 00000000 00000000 8173a640 nt!MmInitSystem+0x12
81733cf0 81907e73 8081156c 3a33db72 827fec00 nt!InitBootProcessor+0x27f
81733d3c 8172a7c9 8173a900 8173a640 81734000 nt!KiInitializeKernel+0x65b
00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x319

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiTrap0E+dc
81698bb4 85c0 test eax,eax

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!KiTrap0E+dc

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 47918b12

FAILURE_BUCKET_ID: 0x50_nt!KiTrap0E+dc

BUCKET_ID: 0x50_nt!KiTrap0E+dc

Followup: MachineOwner

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Any kind of suggestion will be appreciated.
Thanks in advance.

Generally when you see a crash like this, it strongly suggests that your
driver is scribbling on memory it doesn’t own. It may just happen that on
Win7 it scribbles to someplace harmless, but on WinServ 2008 it scribbles
to someplace critical.

Check:
All pointer usages; a local variable that is a pointer should always be
declared as
WHATEVER * ptr = NULL;
If you are calling ExAllocate…() functions, make sure you are asking for
enough space; watch out for off-by-1 errors.
Make sure you are not retaining a pointer somewhere after you free the
storage. Whenever feasible, assign NULL to the pointer once you’ve freed
what it points to (most commonly this applies to pointers in your device
extension).

Perhaps some DV expert can comment on this, but I’ve never tried to use DV
on a boot-load driver.
If you are storing pointers in your device extension, it is a Really Good
Idea to assign NULL to them after you’ve created the device object (same
issue as assigning NULL to local variables…you may be using the pointer
somehow before you’ve set it, but there is a “valid” (that is, accessible
without causing a page fault) address in it, and the address points to
some random place in the kernel heap).

My understanding–and perhaps those-in-the-know can confirm this, unless
they are restricted by NDA–is that there was a lot of rework on the Win7
and Win8 allocators to improve performance. This means that they would
generate different access patterns, so the bug can show up only in
situations where a meaningful address is scribbled to (meaningful to
someone else). The implication here is that the newer kernel allocators
have allocation patterns where the bug ends up being harmless. And I’ve
seen it work the other way: a driver which had a bug for years that only
became a harmful bug in a newer OS.

Bugs like this are the worst to analyze. I’ve seen cases where the damage
did not cause a crash until five minutes after the driver had been
unloaded, when the user was running Windows Explorer to look at some
directories. It is very dependent on the access patterns.

This is a guess, but it’s a guess based on decades of experience when bugs
of this nature are reported. In nearly all cases, it was caused by
scribbling on memory that was not owned by the driver, and it was always a
simple error to fix once the root cause was identified. But that can take
days or weeks of work, even in single-threaded apps; it is far worse in
multithreaded apps, and they are trivial compared to multicore kernel
components. Ask a friend to help you do a code review. I have found that
has been one of the most successful techniques over the years.

joe
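As an added illustration of the pointer hygiene joe lists (NULL-initialised pointers, allocation sizes that include the terminator, NULL after free, NULL fields in the device extension), here is a user-mode C model that is not code from the thread or from the poster's driver. The `struct device_extension` layout, the `pool_alloc`/`pool_free` stand-ins for ExAllocatePoolWithTag/ExFreePoolWithTag, and the `ext_*` helper names are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Stand-in for a filter's device extension; the layout is assumed for this example. */
struct device_extension {
    wchar_t *volume_name;        /* pool buffer, or NULL when nothing is stored */
    size_t   volume_name_chars;  /* characters stored, excluding the terminator */
};

/* User-mode stand-ins for ExAllocatePoolWithTag / ExFreePoolWithTag. */
static void *pool_alloc(size_t bytes) { return malloc(bytes); }
static void  pool_free(void *p)       { free(p); }

/* Bytes needed for `chars` wide characters plus the terminator. The two classic
   slips are dropping the +1 (off-by-one) and forgetting the sizeof (a character
   count used where a byte count was needed). */
size_t name_alloc_bytes(size_t chars)
{
    return (chars + 1) * sizeof(wchar_t);
}

/* What AddDevice should do as soon as IoCreateDevice hands back the extension:
   every pointer starts out NULL, not as whatever stale but still-mappable
   address the allocator left behind in that memory. */
void ext_init(struct device_extension *ext)
{
    memset(ext, 0, sizeof *ext);
}

/* Copy a terminated wide string into freshly allocated storage.
   Returns 0 on success, -1 if the allocation fails. */
int ext_set_volume_name(struct device_extension *ext, const wchar_t *name)
{
    size_t chars = wcslen(name);
    wchar_t *buf = pool_alloc(name_alloc_bytes(chars));
    if (buf == NULL)
        return -1;
    memcpy(buf, name, name_alloc_bytes(chars));   /* includes the terminator */
    if (ext->volume_name != NULL)
        pool_free(ext->volume_name);               /* replacing: do not leak the old buffer */
    ext->volume_name = buf;
    ext->volume_name_chars = chars;
    return 0;
}

/* Free the buffer and NULL the pointer in the same step. A later stray use then
   faults on a NULL-range address that !analyze names immediately, instead of
   writing into pool that has since been handed to someone else. Calling this
   twice is harmless. */
void ext_clear_volume_name(struct device_extension *ext)
{
    if (ext->volume_name != NULL) {
        pool_free(ext->volume_name);
        ext->volume_name = NULL;
        ext->volume_name_chars = 0;
    }
}

/* 1 if a name is stored and its terminator sits where the stored size says. */
int ext_name_is_terminated(const struct device_extension *ext)
{
    return ext->volume_name != NULL &&
           ext->volume_name[ext->volume_name_chars] == L'\0';
}

int main(void)
{
    struct device_extension ext;
    ext_init(&ext);
    if (ext_set_volume_name(&ext, L"\\Device\\HarddiskVolume1") != 0)
        return 1;
    printf("stored %zu chars, terminated=%d\n",
           ext.volume_name_chars, ext_name_is_terminated(&ext));
    ext_clear_volume_name(&ext);
    ext_clear_volume_name(&ext);   /* second call is a no-op because the pointer is NULL */
    printf("after clear: %s\n", ext.volume_name == NULL ? "NULL" : "dangling");
    return 0;
}
```

The point of `ext_clear_volume_name` is the one joe makes: a freed pointer left in the extension still holds an address that is readable and writable, so the bug surfaces wherever the allocator later places that memory, which differs between kernel versions.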


NTDEV is sponsored by OSR

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Enable an initial breakpoint in the debugger. Then set a breakpoint in your DriverEntry and when caught, move EIP to the RET instruction.

You can also delete your driver by booting to a recovery mode, then select command prompt.

Enable DriverVerifier with special pool for your driver.

> Enable an initial breakpoint in the debugger. Then set a breakpoint in
> your DriverEntry and when caught, move EIP to the RET instruction.

What value do you think should be in EAX? 0 means success, but the
bypassing means it wasn’t actually implemented, so among other things the
AddDevice pointer will be NULL.

So I would think the correct response would be to set EAX to some
meaningful error value…but which one?
joe


Hi,

Thanks for your replies. I added a breakpoint (DbgBreakPoint) in DriverEntry, but the system still crashed without entering the DriverEntry function; I got the same output as above when I ran “!analyze -v” in windbg.
In fact, when I tested the diskperf driver without making any changes in it, I got the same problem as above and the system crashed. I tried 2-3 other drivers, but it keeps crashing.

What I am exactly doing is: I am building the driver on Windows 7 (64-bit) using the WDK’s “Build Environments” (x86 Checked Build Environment for Windows Vista and Windows Server 2008), then I am copying the driver to Windows Server 2008, which is on VirtualBox, and installing the driver through a “*.inf” file. The OS reboots and then crashes after the OS loads a little bit.

Can anyone of you please suggest what to do now? I tried many times but with the same result.

Andrew

Before connecting with WinDbg, did you turn on boot debugging mode? (http://msdn.microsoft.com/en-us/library/windows/hardware/ff542183(v=vs.85).aspx) You didn’t mention it in previous posts, so I would like to ask.

Do you use a binary compiled with the Checked Build Environment on a Checked build of Windows? If you don’t have a Checked Build, then use the Free Environment.

> > Enable an initial breakpoint in the debugger. Then set a breakpoint in
> > your DriverEntry and when caught, move EIP to the RET instruction.
>
> What value do you think should be in EAX? 0 means success, but the
> bypassing means it wasn’t actually implemented, so among other things the
> AddDevice pointer will be NULL.

It’s legal to create a boot start driver that just returns STATUS_SUCCESS
from its DriverEntry (even one registered as a filter). Not very useful, but
it works.

> So I would think the correct response would be to set EAX to some
> meaningful error value…but which one?

Failing is also an option. The error doesn’t need to be meaningful, you’re
just trying to get the damn thing to not load. I usually do this by using
WinDbg’s assembler:

kd> a nothing!driverentry
8c586010 mov @eax, c0000001
mov @eax, c0000001
8c586015 ret 8
ret 8
8c586018

kd> uf nothing!driverentry
8c586010 mov eax,0C0000001h
8c586015 ret 8

-scott
OSR


>driver on Windows server 2008 which is on virtual box

Have you tried this on real hardware?

Also, are you sure you’re running the version of your driver with the
breakpoint? It’s easy to end up loading the wrong version and confusing
yourself. I suggest disassembling your DriverEntry and making sure that the
debug break is indeed present (you can use uf in WinDbg).

-scott
OSR


Sorry to follow up my own post, but I need to clarify…

"Failing is also an option. "

By that I mean, “Failing is also *sometimes* an option.” If a filter driver
fails to initialize then the stack it is filtering will also fail to
initialize, which may be a problem.

-scott
OSR


Hi, Thanks for your replies.

@Mikae: Yes, I have turned on boot debugging mode, and yes, I am using a binary compiled with the Checked Build Environment on a Checked build of Windows.

@Scott Noone: As you told me, I used “uf drivername!driverentry”, but I got “Could not resolve error in driverentry”, and I have loaded the correct driver; in fact I have loaded one of the WDK samples, i.e. “diskperf”, but that too failed with the same error. Till now I have tested the driver on VirtualBox only; on VirtualBox with Windows 7 everything works fine, but the same driver does not work on VirtualBox with Windows 2008 Standard Edition.

Andrew,

I would test the driver in other environments (another VM, real hardware). If the bug is still reproducible, then it could be good to check that your DriverEntry was called. Probably, setting the initial break to ‘break on first kernel module load’ may help with catching DriverEntry.

Hi,

Thanks to your replies. I added breakpoint (DbgBreakPoint) in DriverEntry,
but then too the system got crashed without entering the DriverEntry
function, I got the same output as above when ran “!analyze -v” in windbg.
Infact when I tested the diskperf driver without making any changes in it,
then too I got the same problem as above and the system crashed, I tried
2-3
other drivers but its continuously crashing.
*****
What are you doing after you take the breakpoint? The original advice was
to set a breakpoint on DriverEntry, and when taken, reset EIP to the
address of the RET instruction. This is not at all the same as putting in
a DebugBreak call. By the time DebugBreak is taken, the function prologue
sequence has been executed, and if you go directly to the RET instruction,
the stack will be wrong; you have to reset EIP to the start of the
epilogue code.
joe
*****

What I am exactly doing is, I am building the driver on Windows 7(64 bit)
using WDK’s “Build Environments” (x86 Checked Build Environment for
Windows
Vista and Windows Server 2008), then I am copying the driver on Windows
server 2008 which is on virtual box and installing the driver through
“*.inf” file. The OS reboots and then crashes after the OS loads a little
bit.

****
I have no idea what you mean by “crash”. Did you reboot with debugging
enabled? If you issue a DebugBreak and there is no debugger, I believe it
treats this as a fatal error. Did you enable boot tracing? What does
!analyze -v say?
****

Please anyone of you can suggest now what to do. I tried many times but
with
the same result.



Did you try running your driver with driver verifier? Also, in your
original post, you mention you are developing a volume filter but you seem
to be testing with diskperf (which is a disk filter). What exactly is it
that you are developing, a volume filter or a disk filter?

On Thu, Apr 25, 2013 at 2:50 AM, wrote:

> >>driver on Windows server 2008 which is on virtual box
> >
> > Have you tried this on real hardware?
> >
> > Also, are you sure you’re running the version of your driver with the
> > breakpoint? It’s easy to end up loading the wrong version and confusing
> > yourself. I suggest disassembling your DriverEntry and making sure that
> > the
> > debug break is indeed present (you can use uf in WinDbg).
> >
> > -scott
> > OSR
> >
> > wrote in message news:xxxxx@ntdev…
> >
> > Hi,
> >
> > Thanks to your replies. I added breakpoint (DbgBreakPoint) in
> DriverEntry,
> > but then too the system got crashed without entering the DriverEntry
> > function, I got the same output as above when ran “!analyze -v” in
> windbg.
> > Infact when I tested the diskperf driver without making any changes in
> it,
> > then too I got the same problem as above and the system crashed, I tried
> > 2-3
> > other drivers but its continuously crashing.
>
> What are you doing after you take the breakpoint? The original advice was
> to set a breakpoint on DriverEntry, and when taken, reset EIP to the
> address of the RET instruction. This is not at all the same as putting in
> a DebugBreak call. By the time DebugBreak is taken, the function prologue
> sequence has been executed, and if you go directly to the RET instruction,
> the stack will be wrong; you have to reset EIP to the start of the
> epilogue code.
> joe
>

> >
> > What I am exactly doing is, I am building the driver on Windows 7(64 bit)
> > using WDK’s “Build Environments” (x86 Checked Build Environment for
> > Windows
> > Vista and Windows Server 2008), then I am copying the driver on Windows
> > server 2008 which is on virtual box and installing the driver through
> > “*.inf” file. The OS reboots and then crashes after the OS loads a little
> > bit.
>
>
> I have no idea what you mean by “crash”. Did you reboot with debugging
> enabled? If you issue a DebugBreak and there is no debugger, I believe it
> treats this as a fatal error. Did you enable boot tracing? What does
> !analyze -v say?
>

> >
> > Please anyone of you can suggest now what to do. I tried many times but
> > with
> > the same result.
> >
> >
> > —
> > NTDEV is sponsored by OSR
> >
> > OSR is HIRING!! See http://www.osr.com/careers
> >
> > For our schedule of WDF, WDM, debugging and other seminars visit:
> > http://www.osr.com/seminars
> >
> > To unsubscribe, visit the List Server section of OSR Online at
> > http://www.osronline.com/page.cfm?name=ListServer
> >
>
>
>
> —
> NTDEV is sponsored by OSR
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Hi,

@Mikae: I have already tested the driver first on a Windows 7 VirtualBox VM, and it's working fine without any error.

@Joseph M. Newcomer: I have added a breakpoint (DbgBreakPoint) in the code in the DriverEntry() function and have also added a breakpoint in windbg (bu sampledriver!DriverEntry), but neither breakpoint is triggered. After rebooting, the OS crashes very early during the boot process. Also, I have enabled debugging on my target machine using the following commands:

bcdedit /debug ON
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /bootdebug on
bcdedit /set halbreakpoint on

Below is the output that I got in windbg after restarting my machine; it also includes the output of "!analyze -v".

@Atul: Yes, I am developing an upper volume filter driver, taking diskperf as a base and modifying it to work as an upper volume filter driver. It worked on the Windows 7 VirtualBox VM but failed on Windows Server 2008. So, to check whether other drivers are working properly or not, I also loaded the "diskperf" driver as is, without making any changes, but it too failed with the same error. I tried to verify my driver using "Driver Verifier" on Windows 2008, but it asked me to restart the machine after loading the driver and then the OS never restarted again, so I was not able to verify it.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \.\pipe\com1
Waiting to reconnect...
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 6001 x86 compatible target at (Thu Apr 25 19:01:21.365 2013 (UTC + 5:30)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\WinDDK\debugsymbols*Symbol information
Executable search path is:
Windows Boot Debugger Kernel Version 6001 UP Free x86 compatible
Machine Name:
Primary image base = 0x00584000 Loaded module list = 0x00684e58
System Uptime: not available
Shutdown occurred at (Thu Apr 25 19:01:27.635 2013 (UTC + 5:30))...unloading all symbol tables.
Waiting to reconnect...
Connected to Windows Server 2008/Windows Vista 6001 x86 compatible target at (Thu Apr 25 19:01:28.185 2013 (UTC + 5:30)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\WinDDK\debugsymbols*Symbol information
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 MP (1 procs) Free x86 compatible
Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
Machine Name:
Kernel base = 0x81637000 PsLoadedModuleList = 0x8174ec70
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
81688954 cc int 3
kd> bu sampledriver!DriverEntry
kd> ed nt!Kd_DEFAULT_Mask 0x8
kd> g
*** MUI CM: LCIDselected=409

*** Fatal System Error: 0x00000050
(0x83A00000,0x00000001,0x8168A085,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows Server 2008/Windows Vista 6001 x86 compatible target at (Thu Apr 25 19:02:08.837 2013 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols
..........................................
Loading User Symbols

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {83a00000, 1, 8168a085, 0}

Probably caused by : ntkrpamp.exe ( nt!KiTrap0E+dc )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
816ef514 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 83a00000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 8168a085, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

WRITE_ADDRESS: 83a00000

FAULTING_IP:
nt!memset+45
8168a085 f3ab rep stos dword ptr es:[edi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0x50

CURRENT_IRQL: 2

TRAP_FRAME: 8172ca10 -- (.trap 0xffffffff8172ca10)
ErrCode = 0000000b
eax=00000000 ebx=00000963 ecx=00000400 edx=00000000 esi=83a00000 edi=83a00000
eip=8168a085 esp=8172ca84 ebp=8172cab8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0010 efl=00210206
nt!memset+0x45:
8168a085 f3ab rep stos dword ptr es:[edi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 817042d7 to 816ef514

STACK_TEXT:
8172c564 817042d7 00000003 3a3223fa 00000000 nt!RtlpBreakWithStatusInstruction
8172c5b4 81704dbd 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
8172c980 816dc155 00000050 83a00000 00000001 nt!KeBugCheck2+0x66d
8172c9f8 81691bb4 00000001 83a00000 00000000 nt!MmAccessFault+0x10a
8172c9f8 8168a085 00000001 83a00000 00000000 nt!KiTrap0E+0xdc
8172ca84 8197f164 83a00000 00000000 00001000 nt!memset+0x45
8172cab8 8197ed95 83a00000 00000000 00001000 nt!MxMapVa+0x1f9
8172cae4 8198b069 c041d000 00000000 00000001 nt!MiCreateSparsePfnDatabase+0xc5
8172cb04 8198a236 80806c28 00000000 80806c28 nt!MiCreatePfnDatabase+0x1c1
8172cb4c 8199419f 80806c28 0000bb40 8172ccf0 nt!MmInitNucleus+0x1b7
8172cb5c 81983867 00000000 00000000 81733640 nt!MmInitSystem+0x12
8172ccf0 81900e73 80806c28 3a322b72 823ffc00 nt!InitBootProcessor+0x27f
8172cd3c 817237c9 81733900 81733640 8172d000 nt!KiInitializeKernel+0x65b
00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x319

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiTrap0E+dc
81691bb4 85c0 test eax,eax

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!KiTrap0E+dc

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 47918b12

FAILURE_BUCKET_ID: 0x50_nt!KiTrap0E+dc

BUCKET_ID: 0x50_nt!KiTrap0E+dc

Followup: MachineOwner

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

@Scott Noone: I did what you told me to; here is the output. Now what to do?

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

kd> a sampledriver!driverentry
8274c010 mov @eax, c0000001
mov @eax, c0000001
*** ERROR: Module load completed but symbols could not be loaded for intelide.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxGuest.sys -
*** ERROR: Module load completed but symbols could not be loaded for spldr.sys
8274c015 ret 8
ret 8
8274c018

kd> uf sampledriver!driverentry
sampledriver!DriverEntry [e:\windows\sampledriver.c @ 360]:
360 8274c010 b8010000c0 mov eax,0C0000001h
360 8274c015 c20800 ret 8

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

The purpose of that trick is to stop a bad driver from loading. However,
your system is crashing before your driver is called at DriverEntry. Thus,
it’s not actually going to do you any good (I was just clarifying the steps
for the archives).

At this point, I’m stuck on this being a VirtualBox issue until proven
otherwise. Check out the stack:

nt!KiTrap0E+0xdc
nt!memset+0x45
nt!MxMapVa+0x1f9
nt!MiCreateSparsePfnDatabase+0xc5
nt!MiCreatePfnDatabase+0x1c1
nt!MmInitNucleus+0x1b7
nt!MmInitSystem+0x12
nt!InitBootProcessor+0x27f

We are very early in boot and the O/S is doing something to set up the PFN
database (i.e. the database of all RAM in the machine), but crashes with an
invalid page fault. Certainly seems like the kind of thing that could be
caused by a hosed hypervisor.

Try a real machine, VMware (trial is free), or Hyper-V and see if you have
the same issue.

-scott
OSR
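A small triage script, added here as an example and not part of the thread, that applies the reasoning in the reply above to the dump text: it parses the BugCheck line and STACK_TEXT, lists which modules appear on the stack, checks whether the suspect driver is there at all, and flags that the frames are still inside KiInitializeKernel's phase-0 path, which runs before any DriverEntry is called. The module name `sampledriver` and the abridged sample dump are taken from this thread; the helper names are mine.

```python
import re
# Constructed sample: the BugCheck line and an abridged STACK_TEXT copied from the dump in this thread.
SAMPLE = """BugCheck 50, {83a00000, 1, 8168a085, 0}
STACK_TEXT:
8172c564 817042d7 00000003 3a3223fa 00000000 nt!RtlpBreakWithStatusInstruction
8172c980 816dc155 00000050 83a00000 00000001 nt!KeBugCheck2+0x66d
8172c9f8 81691bb4 00000001 83a00000 00000000 nt!MmAccessFault+0x10a
8172c9f8 8168a085 00000001 83a00000 00000000 nt!KiTrap0E+0xdc
8172ca84 8197f164 83a00000 00000000 00001000 nt!memset+0x45
8172cab8 8197ed95 83a00000 00000000 00001000 nt!MxMapVa+0x1f9
8172cae4 8198b069 c041d000 00000000 00000001 nt!MiCreateSparsePfnDatabase+0xc5
8172cb5c 81983867 00000000 00000000 81733640 nt!MmInitSystem+0x12
8172ccf0 81900e73 80806c28 3a322b72 823ffc00 nt!InitBootProcessor+0x27f
8172cd3c 817237c9 81733900 81733640 8172d000 nt!KiInitializeKernel+0x65b
00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x319
STACK_COMMAND: kb
"""

# One kb frame: <child-ebp> <ret-addr> <arg1> <arg2> <arg3> <module>!<symbol>[+offset]
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$", re.M)
BUGCHECK_RE = re.compile(r"BugCheck ([0-9a-fA-F]+), \{([^}]*)\}")
# Frames that exist only while KiInitializeKernel (phase-0 init) is still running,
# i.e. before IoInitSystem has called any driver's DriverEntry.
PHASE0_FRAMES = {"nt!KiSystemStartup", "nt!KiInitializeKernel", "nt!InitBootProcessor"}

def parse_bugcheck(text):
    m = BUGCHECK_RE.search(text)
    if m is None:
        return None
    return {"code": int(m.group(1), 16), "args": [int(a, 16) for a in m.group(2).split(",")]}

def parse_frames(text):
    """(return address, 'module!symbol') per STACK_TEXT line, innermost frame first."""
    block = text.split("STACK_TEXT:", 1)[-1]
    return [(int(m.group(2), 16), m.group(3).split("+", 1)[0]) for m in FRAME_RE.finditer(block)]

def triage(text, driver):
    bc = parse_bugcheck(text)
    symbols = [sym for _, sym in parse_frames(text)]
    modules = sorted({s.split("!", 1)[0].lower() for s in symbols})
    return {
        "bugcheck": bc["code"] if bc else None,
        "fault_address": bc["args"][0] if bc else None,
        # For bugcheck 0x50, Arg2 == 1 means the faulting access was a write (the rep stos here).
        "write_fault": bool(bc and bc["code"] == 0x50 and bc["args"][1] == 1),
        "modules": modules,
        "driver_on_stack": driver.lower() in modules,
        "before_driver_entry": any(s in PHASE0_FRAMES for s in symbols),
    }
```

Run against the sample, `triage(SAMPLE, "sampledriver")` reports only `nt` on the stack, the driver absent, and the crash inside phase-0 initialization, which is exactly why a breakpoint on DriverEntry never fires.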


xxxxx@hotmail.com wrote:

@Joseph M. Newcomer: I have added a breakpoint (DbgBreakPoint) in the code in the DriverEntry() function and have also added a breakpoint in windbg (bu sampledriver!DriverEntry), but neither breakpoint is triggered.

??? Are you serious? Where on earth are you looking? Please READ
what you yourself posted:

Kernel base = 0x81637000 PsLoadedModuleList = 0x8174ec70
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
81688954 cc int 3
kd>

WHY do you think the debugger stopped here? Let me give you a hint:
this is your call to DbgBreakPoint!!!


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

If the system crashes before your driver loads, why do you think your
driver is a problem?
joe

Hi,

@Mikae: I have already tested the driver first on Windows 7 VirtualBox
and it's working fine without any error.

@Joseph M. Newcomer: I have added a breakpoint (DbgBreakPoint) in the
code in the DriverEntry() function and have also added a breakpoint in windbg (bu
sampledriver!DriverEntry), but neither breakpoint is triggered.
After rebooting, the OS crashes very early during the boot process. I have
also enabled debugging on my target machine using the following commands:

“bcdedit /debug ON
bcdedit /dbgsettings serial debugport:1 baudrate:115200
bcdedit /bootdebug on
bcdedit /set halbreakpoint on”

Below is the output that I got on windbg after restarting my machine; it
also includes the output of “!analyze -v”.

@Atul: Yes, I am developing an upper volume filter driver, taking diskperf as
a base and modifying it to work as an upper volume filter driver. It worked on
Windows 7 VirtualBox but failed on Windows Server 2008. So, to check
whether other drivers are working properly or not, I also loaded the
“diskperf” driver as it is, without making any changes, but it too failed
with the same error. I tried to verify my driver using “Driver Verifier”
on Windows 2008, but it asked me to restart the machine after loading the
driver and then the OS never restarted again, so I was not able to verify
it.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com1
Waiting to reconnect…
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 6001 x86 compatible target at (Thu Apr 25 19:01:21.365 2013 (UTC + 5:30)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\WinDDK\debugsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Boot Debugger Kernel Version 6001 UP Free x86 compatible
Machine Name:
Primary image base = 0x00584000 Loaded module list = 0x00684e58
System Uptime: not available
Shutdown occurred at (Thu Apr 25 19:01:27.635 2013 (UTC + 5:30))…unloading all symbol tables.
Waiting to reconnect…
Connected to Windows Server 2008/Windows Vista 6001 x86 compatible target at (Thu Apr 25 19:01:28.185 2013 (UTC + 5:30)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\WinDDK\debugsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 MP (1 procs) Free x86 compatible
Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
Machine Name:
Kernel base = 0x81637000 PsLoadedModuleList = 0x8174ec70
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
81688954 cc int 3
kd> bu sampledriver!DriverEntry
kd> ed nt!Kd_DEFAULT_Mask 0x8
kd> g
*** MUI CM: LCIDselected=409

*** Fatal System Error: 0x00000050
(0x83A00000,0x00000001,0x8168A085,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows Server 2008/Windows Vista 6001 x86 compatible target at (Thu Apr 25 19:02:08.837 2013 (UTC + 5:30)), ptr64 FALSE
Loading Kernel Symbols

Loading User Symbols

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {83a00000, 1, 8168a085, 0}

Probably caused by : ntkrpamp.exe ( nt!KiTrap0E+dc )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
816ef514 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 83a00000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 8168a085, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

WRITE_ADDRESS: 83a00000

FAULTING_IP:
nt!memset+45
8168a085 f3ab rep stos dword ptr es:[edi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0x50

CURRENT_IRQL: 2

TRAP_FRAME: 8172ca10 -- (.trap 0xffffffff8172ca10)
ErrCode = 0000000b
eax=00000000 ebx=00000963 ecx=00000400 edx=00000000 esi=83a00000 edi=83a00000
eip=8168a085 esp=8172ca84 ebp=8172cab8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0010 efl=00210206
nt!memset+0x45:
8168a085 f3ab rep stos dword ptr es:[edi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 817042d7 to 816ef514

STACK_TEXT:
8172c564 817042d7 00000003 3a3223fa 00000000 nt!RtlpBreakWithStatusInstruction
8172c5b4 81704dbd 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
8172c980 816dc155 00000050 83a00000 00000001 nt!KeBugCheck2+0x66d
8172c9f8 81691bb4 00000001 83a00000 00000000 nt!MmAccessFault+0x10a
8172c9f8 8168a085 00000001 83a00000 00000000 nt!KiTrap0E+0xdc
8172ca84 8197f164 83a00000 00000000 00001000 nt!memset+0x45
8172cab8 8197ed95 83a00000 00000000 00001000 nt!MxMapVa+0x1f9
8172cae4 8198b069 c041d000 00000000 00000001 nt!MiCreateSparsePfnDatabase+0xc5
8172cb04 8198a236 80806c28 00000000 80806c28 nt!MiCreatePfnDatabase+0x1c1
8172cb4c 8199419f 80806c28 0000bb40 8172ccf0 nt!MmInitNucleus+0x1b7
8172cb5c 81983867 00000000 00000000 81733640 nt!MmInitSystem+0x12
8172ccf0 81900e73 80806c28 3a322b72 823ffc00 nt!InitBootProcessor+0x27f
8172cd3c 817237c9 81733900 81733640 8172d000 nt!KiInitializeKernel+0x65b
00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x319

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiTrap0E+dc
81691bb4 85c0 test eax,eax

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!KiTrap0E+dc

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 47918b12

FAILURE_BUCKET_ID: 0x50_nt!KiTrap0E+dc

BUCKET_ID: 0x50_nt!KiTrap0E+dc

Followup: MachineOwner

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


NTDEV is sponsored by OSR

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

see below…

@Scott Noone: I did what you told me to; here is the output. Now what should I do?

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

kd> a sampledriver!driverentry
8274c010 mov @eax, c0000001
mov @eax, c0000001
*** ERROR: Module load completed but symbols could not be loaded for intelide.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VBoxGuest.sys -
*** ERROR: Module load completed but symbols could not be loaded for spldr.sys
8274c015 ret 8
ret 8
8274c018

kd> uf sampledriver!driverentry
sampledriver!DriverEntry [e:\windows\sampledriver.c @ 360]:
360 8274c010 b8010000c0 mov eax,0C0000001h
360 8274c015 c20800 ret 8
*****
Pretty simple DriverEntry…

NTSTATUS DriverEntry(…parameters…)
{
return STATUS_something_that_is_0C0000001;
}

It is also clear you are building a free build of your driver with
optimization on, and I see no instance of the DebugBreak call here…

It would be useful to see the source code, but that two-instruction
sequence makes it pretty clear that it is an optimized build representing
the source code I showed.
joe

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
