Hello,
I am trying to debug an x86-based malware sample using WinDbg x86. While doing that, whenever I put an access breakpoint on $peb using "ba r 1 $peb" and hit go, the OS freezes and reboots. I tried to look at the dump file and the error code is 139 (KERNEL_SECURITY_CHECK_FAILURE); previously it was error code 3b.
Out of curiosity, I tried to debug Calc.exe (x64 version) using WinDbg x64 and the breakpoint was hit and the OS didn't crash. But when I did the same with Calc.exe (x86 version) using WinDbg x86, the OS freezes and reboots.
Please help. I downloaded the symbols for x86 and x64 and loaded them as required, and I am using Windows 10 (build 1903).
This is the dump analysis by WinDbg.
Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\minidump\110721-43234-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred .sympath cache*c:\MySymbols
Deferred srv*https://msdl.microsoft.com/download/symbols
Symbol search path is: .sympath cache*c:\MySymbols;srv*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff8066e600000 PsLoadedModuleList = 0xfffff8066ea43290
Debug session time: Sun Nov 7 21:50:29.675 2021 (UTC + 5:30)
System Uptime: 0 days 0:33:22.509
Loading Kernel Symbols
…
…
…
Loading User Symbols
Loading unloaded module list
…
************* Path validation summary **************
Response Time (ms) Location
Deferred .sympath cache*c:\MySymbols
Deferred srv*https://msdl.microsoft.com/download/symbols
OK c:\sym
For analysis of this file, run !analyze -v
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000004, The thread’s stack pointer was outside the legal stack
extents for the thread.
Arg2: ffffc9002be57ff0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffc9002be57f48, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 8828
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 48338
Key : Analysis.Init.CPU.mSec
Value: 4968
Key : Analysis.Init.Elapsed.mSec
Value: 93114
Key : Analysis.Memory.CommitPeak.Mb
Value: 78
Key : FailFast.Name
Value: INCORRECT_STACK
Key : FailFast.Type
Value: 4
Key : WER.OS.Branch
Value: 19h1_release
Key : WER.OS.Timestamp
Value: 2019-03-18T12:02:00Z
Key : WER.OS.Version
Value: 10.0.18362.1
BUGCHECK_CODE: 139
BUGCHECK_P1: 4
BUGCHECK_P2: ffffc9002be57ff0
BUGCHECK_P3: ffffc9002be57f48
BUGCHECK_P4: 0
TRAP_FRAME: ffffc9002be57ff0 -- (.trap 0xffffc9002be57ff0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffed0c143a5000 rbx=0000000000000000 rcx=0000000000000004
rdx=ffffed0c143ab000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8066e84e703 rsp=ffffc9002be58180 rbp=ffffc9002be586f0
r8=ffffed0c143ab000 r9=ffffc9002be58701 r10=ffffb2040a1e4080
r11=000000000067fa34 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl zr na po nc
nt!RtlpGetStackLimitsEx+0x126937:
fffff806`6e84e703 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffc9002be57f48 -- (.exr 0xffffc9002be57f48)
ExceptionAddress: fffff8066e84e703 (nt!RtlpGetStackLimitsEx+0x0000000000126937)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000004
Subcode: 0x4 FAST_FAIL_INCORRECT_STACK
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: calc.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000004
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffffc9002be57cc8 fffff8066e7ce469 : 0000000000000139 0000000000000004 ffffc9002be57ff0 ffffc9002be57f48 : nt!KeBugCheckEx
ffffc9002be57cd0 fffff8066e7ce890 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffc9002be57e10 fffff8066e7ccc1f : fffff8066e72e6b8 fffff8066ea0a614 ffffc9002be587d0 0000000000000000 : nt!KiFastFailDispatch+0xd0
ffffc9002be57ff0 fffff8066e84e703 : 0000000000000000 00000000000002a9 0005e5cc00ab2000 000000000010001f : nt!KiRaiseSecurityCheckFailure+0x31f
ffffc9002be58180 fffff8066e821056 : 000000000000008e 0000000000000000 ffffc9002be586f0 00007fff00000003 : nt!RtlpGetStackLimitsEx+0x126937
ffffc9002be581b0 fffff8066e6b865e : ffffed0c143aa8b8 ffffc9002be58e30 ffffed0c143aa8b8 0000000000d51b60 : nt!RtlDispatchException+0x16cdb6
ffffc9002be58900 fffff8066e7bd682 : 006f006f0062005f 00740074002e0074 0000000000000066 006f006f0062005c : nt!KiDispatchException+0x16e
ffffc9002be58fb0 fffff8066e7bd650 : fffff8066e7ce596 0000000000000000 0000000000000000 0000000000000000 : nt!KxExceptionDispatchOnExceptionStack+0x12
ffffed0c143aa778 fffff8066e7ce596 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiExceptionDispatchOnExceptionStackContinue
ffffed0c143aa780 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiExceptionDispatch+0x116
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.18362.30
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_nt!KiFastFailDispatch
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {1971a9b0-b7ec-89bf-0a51-10ac52818da5}
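The `!analyze -v` output above can be triaged programmatically. The following is an added example (not from the post) that pulls out the bugcheck code, names its FAST_FAIL subcode (Arg1 of a 0x139), reads the process name, and re-joins STACK_TEXT frames whose 64-bit values were split into 8-digit halves across lines, as happened in the paste above. The FAST_FAIL names are a subset of the winnt.h values, and the sample input is a constructed, trimmed copy of the post's dump.

```python
import re
# FAST_FAIL subcodes reported in Arg1 of bugcheck 0x139 (values from winnt.h; short subset)
FAST_FAIL = {2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE", 3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
             4: "FAST_FAIL_INCORRECT_STACK", 5: "FAST_FAIL_INVALID_ARG"}
HEX8 = re.compile(r"^[0-9a-f]{8}$")

def stack_frames(section):
    """Rebuild frames whose 64-bit values were split into 8-digit halves across lines (a forum ate the ` separator)."""
    toks = []
    for t in section.replace("`", "").split():
        if HEX8.match(t) and toks and HEX8.match(toks[-1]):
            toks[-1] += t                      # glue the two halves of one value back together
        else:
            toks.append(t)
    frames, cur = [], []
    for t in toks:
        cur.append(t)
        if "!" in t:                           # module!symbol call site ends one frame
            f = [x for x in cur if x != ":"]   # rsp, return address, four args, call site
            frames.append({"rsp": f[0], "ret": f[1], "args": f[2:6], "site": f[6]})
            cur = []
    return frames

def parse_analyze(text):
    """Pull the fields a triager wants out of '!analyze -v' output."""
    info = {}
    m = re.search(r"BUGCHECK_CODE:\s*([0-9a-fA-F]+)", text)
    info["code"] = int(m.group(1), 16) if m else None
    info["args"] = [int(x, 16) for x in re.findall(r"BUGCHECK_P[1-4]:\s*([0-9a-fA-F]+)", text)]
    m = re.search(r"PROCESS_NAME:\s*(\S+)", text)
    info["process"] = m.group(1) if m else None
    if info["code"] == 0x139 and info["args"]:    # 0x139: Arg1 is the fast-fail subcode
        info["fast_fail"] = FAST_FAIL.get(info["args"][0], "unknown subcode %#x" % info["args"][0])
    m = re.search(r"STACK_TEXT:\s*\n(.*?)\n[A-Z_]+:", text, re.S)   # section ends at the next KEY: line
    info["frames"] = stack_frames(m.group(1)) if m else []
    return info

# Constructed sample: a trimmed copy of the post's dump, with the same line splitting
SAMPLE = """BUGCHECK_CODE: 139
BUGCHECK_P1: 4
BUGCHECK_P2: ffffc9002be57ff0
BUGCHECK_P3: ffffc9002be57f48
PROCESS_NAME: calc.exe
STACK_TEXT:
ffffc9002be57cc8 fffff806
6e7ce469 : 0000000000000139 00000000
00000004 ffffc9002be57ff0 ffffc900
2be57f48 : nt!KeBugCheckEx
SYMBOL_NAME: nt!KiFastFailDispatch+d0"""
```

`parse_analyze(SAMPLE)["fast_fail"]` names the subcode and `["frames"]` gives the rebuilt frames with full 16-digit values.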