Kernel_Security_check_failure

ayushmaanshrotriya · April 12, 2024, 9:49am

Hey OSR, I am dealing with this crash. Can't understand the possible reason. Need help

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffff820a8ee56d90, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff820a8ee56ce8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:

Unable to load image \SystemRoot\system32\DRIVERS\my_driver.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 2343

Key  : Analysis.Elapsed.mSec
Value: 3995

Key  : Analysis.IO.Other.Mb
Value: 0

Key  : Analysis.IO.Read.Mb
Value: 0

Key  : Analysis.IO.Write.Mb
Value: 0

Key  : Analysis.Init.CPU.mSec
Value: 296

Key  : Analysis.Init.Elapsed.mSec
Value: 3157

Key  : Analysis.Memory.CommitPeak.Mb
Value: 98

Key  : Bugcheck.Code.KiBugCheckData
Value: 0x139

Key  : Bugcheck.Code.LegacyAPI
Value: 0x139

Key  : Bugcheck.Code.TargetModel
Value: 0x139

Key  : FailFast.Name
Value: CORRUPT_LIST_ENTRY

Key  : FailFast.Type
Value: 3

Key  : Failure.Bucket
Value: 0x139_3_CORRUPT_LIST_ENTRY_my_driver!AddFilePathToHashMap

Key  : Failure.Hash
Value: {d5adf79d-3f67-6a55-5729-5ce7bd377337}

Key  : Hypervisor.Enlightenments.Value
Value: 0

Key  : Hypervisor.Enlightenments.ValueHex
Value: 0

Key  : Hypervisor.Flags.AnyHypervisorPresent
Value: 0

Key  : Hypervisor.Flags.ApicEnlightened
Value: 0

Key  : Hypervisor.Flags.ApicVirtualizationAvailable
Value: 1

Key  : Hypervisor.Flags.AsyncMemoryHint
Value: 0

Key  : Hypervisor.Flags.CoreSchedulerRequested
Value: 0

Key  : Hypervisor.Flags.CpuManager
Value: 0

Key  : Hypervisor.Flags.DeprecateAutoEoi
Value: 0

Key  : Hypervisor.Flags.DynamicCpuDisabled
Value: 0

Key  : Hypervisor.Flags.Epf
Value: 0

Key  : Hypervisor.Flags.ExtendedProcessorMasks
Value: 0

Key  : Hypervisor.Flags.HardwareMbecAvailable
Value: 1

Key  : Hypervisor.Flags.MaxBankNumber
Value: 0

Key  : Hypervisor.Flags.MemoryZeroingControl
Value: 0

Key  : Hypervisor.Flags.NoExtendedRangeFlush
Value: 0

Key  : Hypervisor.Flags.NoNonArchCoreSharing
Value: 0

Key  : Hypervisor.Flags.Phase0InitDone
Value: 0

Key  : Hypervisor.Flags.PowerSchedulerQos
Value: 0

Key  : Hypervisor.Flags.RootScheduler
Value: 0

Key  : Hypervisor.Flags.SynicAvailable
Value: 0

Key  : Hypervisor.Flags.UseQpcBias
Value: 0

Key  : Hypervisor.Flags.Value
Value: 16908288

Key  : Hypervisor.Flags.ValueHex
Value: 1020000

Key  : Hypervisor.Flags.VpAssistPage
Value: 0

Key  : Hypervisor.Flags.VsmAvailable
Value: 0

Key  : Hypervisor.RootFlags.AccessStats
Value: 0

Key  : Hypervisor.RootFlags.CrashdumpEnlightened
Value: 0

Key  : Hypervisor.RootFlags.CreateVirtualProcessor
Value: 0

Key  : Hypervisor.RootFlags.DisableHyperthreading
Value: 0

Key  : Hypervisor.RootFlags.HostTimelineSync
Value: 0

Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
Value: 0

Key  : Hypervisor.RootFlags.IsHyperV
Value: 0

Key  : Hypervisor.RootFlags.LivedumpEnlightened
Value: 0

Key  : Hypervisor.RootFlags.MapDeviceInterrupt
Value: 0

Key  : Hypervisor.RootFlags.MceEnlightened
Value: 0

Key  : Hypervisor.RootFlags.Nested
Value: 0

Key  : Hypervisor.RootFlags.StartLogicalProcessor
Value: 0

Key  : Hypervisor.RootFlags.Value
Value: 0

Key  : Hypervisor.RootFlags.ValueHex
Value: 0

Key  : SecureKernel.HalpHvciEnabled
Value: 0

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Version
Value: 10.0.19041.1

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: ffff820a8ee56d90

BUGCHECK_P3: ffff820a8ee56ce8

BUGCHECK_P4: 0

FILE_IN_CAB: MEMORY.DMP

TRAP_FRAME: ffff820a8ee56d90 -- (.trap 0xffff820a8ee56d90)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8005ecd1408 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffb50427e7ebb8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800456739ab rsp=ffff820a8ee56f20 rbp=fffff8005ecd1400
r8=0000000000000008 r9=0000000000000000 r10=0000000068746170
r11=0000000000001001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
nt!RtlInsertElementGenericTableFull+0x14d0bb:
fffff800`456739ab cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffff820a8ee56ce8 -- (.exr 0xffff820a8ee56ce8)
ExceptionAddress: fffff800456739ab (nt!RtlInsertElementGenericTableFull+0x000000000014d0bb)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXWINLOGON: 1

PROCESS_NAME: service_process.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
ffff820a8ee56a68 fffff80045611729 ffff820a8ee56a70 fffff80045611c90 ffff820a8ee56bb0 fffff8004560fc5d ffff820a8ee56d90 fffff800456739ab ffff820a8ee56f20 fffff800455268cd ffff820a8ee56f50 fffff8005ecc5838 ffff820a8ee56fa0 fffff8005ecc3839 ffff820a8ee56ff0 fffff8005ecc40c5 ffff820a8ee57070 fffff80043e75b87 ffff820a8ee570b0 fffff80043e7545b ffff820a8ee57180 fffff80043e771a2 ffff820a8ee57220 fffff80043ea9f54 ffff820a8ee57290 fffff80045435cf5 ffff820a8ee57340 fffff8004544cac4 ffff820a8ee57380 fffff80045854e0b ffff820a8ee573d0 fffff800458494c7 ffff820a8ee57540 fffff80045851c6a ffff820a8ee57710 fffff80045840e2b ffff820a8ee57840 fffff8004583ef59 ffff820a8ee57900 fffff80045610ef5 ffff820a8ee57990 00007fff858eda84 0000000f8416f688 0000000000000000 : 0000000000000139 0000000000000003 ffff820a8ee56d90 ffff820a8ee56ce8 : nt!KeBugCheckEx
: ffff820a8ee56c50 ffffc6013b9a0b80 0000000000000000 ffffb50423561060 : nt!KiBugCheckDispatch+0x69
: 0000000000000000 fffff80043eab850 000000000000080e 0000000000000000 : nt!KiFastFailDispatch+0xd0
: 0000000000000000 0000000000000000 ffffb50422298738 0000000000000000 : nt!KiRaiseSecurityCheckFailure+0x31d
: 0000000000000000 ffff820a8ee57000 0000000000000030 0000000000000000 : nt!RtlInsertElementGenericTableFull+0x14d0bb
: 00000000c0000001 ffffc6013cd490f8 ffffc6012fdd1800 ffff820a8ee57018 : nt!RtlInsertElementGenericTable+0x4d
: 0000000000000000 000000006abf11ee ffffc6016abf11ee ffffffff80004c3c : my_driver!AddFilePathToHashMap+0xc0 [D:\file.c]
: ffffc6013cd490f8 0000000000000001 000000006abf11ee 0000000000000001 : my_driver!CheckandTagFilewithADS+0x201 [D:\file.c]
: ffffc6013cd49010 0000000000000000 ffffc60128cbf6d0 fffff80000000000 : my_driver!FileScannerPostCreate+0x135 [D:\file.c]
: ffffc6013cd49000 fffff80043ea7e00 0000000000000000 0000000000000000 : FLTMGR!FltpPerformPostCallbacksWorker+0x347
: ffff820a8ee51000 ffff820a8ee58000 0000000000000000 fffff80043e8c490 : FLTMGR!FltpPassThroughCompletionWorker+0xfb
: ffff820a8ee572d0 ffffc6013b9996d8 ffffc6012e129970 0000000000000000 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x322
: 0000000000000000 ffffc6013b0545f0 0000000000000000 0000000000000000 : FLTMGR!FltpCreate+0x324
: 0000000000000003 ffffc6013cd36a30 ffffc6016d4e6f49 fffff8004544ca33 : nt!IofCallDriver+0x55
: ffff820a8ee57640 ffffc6013b0545f0 ffffc6013b999718 0000000000000000 : nt!IoCallDriverWithTracing+0x34
: ffffc6013b0545f0 ffffc6013b0545c0 ffffc6012ffef010 ffffb50416c23f01 : nt!IopParseDevice+0x11bb
: ffffc6012ffef001 ffff820a8ee577a8 0000000000000040 ffffc601204fbc40 : nt!ObpLookupObjectName+0x1117
: ffffc60100000000 0000000f8416f770 0000000000000001 0000000000000000 : nt!ObOpenObjectByNameEx+0x1fa
: 0000000f8416f710 0000000080100080 0000000f8416f770 0000000f8416f718 : nt!IopCreateFile+0x132b
: 0000000000002170 ffff820a8ee57a80 ffffc60128cbf080 ffffc60100000018 : nt!NtCreateFile+0x79
: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007fff`858eda84

FAULTING_SOURCE_LINE: D:\file.c

FAULTING_SOURCE_FILE: D:\file.c

FAULTING_SOURCE_LINE_NUMBER: 924

FAULTING_SOURCE_CODE:
No source found for 'D:\file.c'

SYMBOL_NAME: my_driver!AddFilePathToHashMap+c0

MODULE_NAME: my_driver

IMAGE_NAME: my_driver.sys

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: c0

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_my_driver!AddFilePathToHashMap

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {d5adf79d-3f67-6a55-5729-5ce7bd377337}

Followup: MachineOwner

Scott_Noone_OSR · April 12, 2024, 2:15pm

Your Rtl table is corrupt. Have you enabled Driver Verifier on your driver?

ayushmaanshrotriya · April 13, 2024, 1:58pm

yes. No bsod seen though.