I have a crash dump with a PAGE_FAULT_IN_NONPAGED_AREA bugcheck. It's a memory write to an invalid address. It gives me an address of the instruction that executed a memory write. I can see some assembly instructions that were executing there, but that address is nowhere in the range of loaded modules that I can get from running the lm command.
Any suggestions how to determine what driver that executable code belongs to?
ln <address>
For instance
0: kd> ln @rip
(fffff806`976b9270) nt!DbgBreakPointWithStatus | (fffff806`976b9272) nt!DbgBreakPointWithStatusEnd
Exact matches:
@rod_widdowson thanks. I tried that. It gives me nothing.
Even after a reload?
I'll defer to real experts at that stage but I'd start getting stressed about code writing to executable memory and then executing it (which is what I'd do if I wanted to start being unpleasant to your machine).
Does !pool report the memory as being in pool? Or maybe its on a stack somewhere?
The callstack is just two addresses. This one and another one before it. Both without symbols. !pool doesn't return anything on them either, or that it is not a valid pool.
As for your first assumption, there are some drivers that execute code in allocated memory pages. Like nt debugger for instance, as well as crashdmp.sys to name a few.