Mirror driver in Visual Studio 2012

Please help with a mirror driver. I use Visual Studio 2012, WDK 8 and a template from WDK 7.1. When I convert the driver template, compile it, and deploy it to the remote computer, the miniport starts with no problems. But when I reset the system, it falls into a blue screen on the first instruction of the driver (dll). I have been trying to find a solution for two weeks, but without success.

Thanks.

There is the kernel log:

KDTARGET: Refreshing KD connection
*******************************************************************************
*
* This is the string you add to your checkin description
* Driver Verifier: Enabled for mirror.sys on Build 7600 BCuuBYrbyhC9d8VTr0kBsH
*
*******************************************************************************
Mirrored Driver VideoPort [Driver Entry]
FindAdapter Called.
Mirror Sample: Not used ‘MirrorGetChildDescriptor’.
Initialize Called.
Mirror Sample: Not used ‘MirrorGetChildDescriptor’.

*** Fatal System Error: 0x000000be
(0xA5F3C858,0xB3E2B021,0xA4CDB614,0x0000000B)

.
Break instruction exception - code 80000003 (first chance)
Connected to Windows 7 7600 x86 compatible target at (Wed Jul 17 23:20:17.517 2013 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols



Loading User Symbols

Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck BE, {a5f3c858, b3e2b021, a4cdb614, b}

Probably caused by : ntkrpamp.exe ( nt!KiTrap0E+dc )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
82889554 cc int 3
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: a5f3c858, Virtual address for the attempted write.
Arg2: b3e2b021, PTE contents.
Arg3: a4cdb614, (reserved)
Arg4: 0000000b, (reserved)

Debugging Details:

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xBE

PROCESS_NAME: csrss.exe

CURRENT_IRQL: 2

TRAP_FRAME: a4cdb614 – (.trap 0xffffffffa4cdb614)
ErrCode = 00000003
eax=a5c00000 ebx=a5f3c858 ecx=a4cdb6a0 edx=a5d5f406 esi=99d0c07e edi=99d0c1b0
eip=a5c00003 esp=a4cdb688 ebp=a4cdb6b3 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
mirror_a5c00000!DebugPrint (mirror_a5c00000+0x3):
a5c00003 0003 add byte ptr [ebx],al ds:0023:a5f3c858=67
Resetting default scope

LAST_CONTROL_TRANSFER: from 828fbc9d to 82889554

STACK_TEXT:
a4cdb164 828fbc9d 00000003 c5f6daa7 00000065 nt!RtlpBreakWithStatusInstruction
a4cdb1b4 828fc799 00000003 b3e2b021 00000000 nt!KiBugCheckDebugBreak+0x1c
a4cdb578 828a3aa3 000000be a5f3c858 b3e2b021 nt!KeBugCheck2+0x68b
a4cdb5fc 828648c8 00000001 a5f3c858 00000000 nt!MmAccessFault+0x106
a4cdb5fc a5c00003 00000001 a5f3c858 00000000 nt!KiTrap0E+0xdc
a4cdb6b3 d5fcf1a4 b8f008a5 000001ff b90c8800 mirror_a5c00000!DebugPrint (mirror_a5c00000+0x3)
WARNING: Frame IP not in any known module. Following frames may be wrong.
a4cdb6b7 b8f008a5 000001ff b90c8800 b917e0ff 0xd5fcf1a4
a4cdb6bb 00000000 b90c8800 b917e0ff 000000ff 0xb8f008a5

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiTrap0E+dc
828648c8 85c0 test eax,eax

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!KiTrap0E+dc

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 5147d3b2

FAILURE_BUCKET_ID: 0xBE_VRF_nt!KiTrap0E+dc

BUCKET_ID: 0xBE_VRF_nt!KiTrap0E+dc

Followup: MachineOwner

On Fri, Aug 9, 2013 at 6:32 AM, wrote:

> mirror_a5c00000!DebugPrint (mirror_a5c00000+0x3)

Dude, use a debugger and figure out what is broken in your DebugPrint call.

Mark Roddy

It was the first thing I tried. This error occurs when the driver is initialized - even before the function is called in reality. When I use the debugger, I can see only the disassembly…

Lukas

First, make sure that you have correct symbols for your driver and
system. Can you also post output from ‘u a5c00003’ - it seems like the
code that’s being executed is corrupted or eip register got trashed
somehow.

Kris


Actually I’m pretty sure that the code being executed (starting at
a5c00000) is basically the beginning of your “mirror” driver executable
image. If this is indeed the case then you should see PE headers
(e.g. the first two bytes should be the MZ signature) - just execute ‘db
a5c00000’ in the debugger. And I bet that the referenced a5f3c858 address is
either part of your own or some other executable (so this page is most
likely marked as read-only, hence the bugcheck). And again, if you have
correct symbols loaded you can check the closest matching symbol (if this
address is within any executable image range) with the ‘ln a5f3c858’
command.

You still need to have more meaningful call stack to see where this
call is made in the first place. I would also strongly recommend
running Driver Verifier (just have it enabled always during driver
development & part of QA process) and making thorough code review.

Kris
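Kris's hypothesis (execution landed at the start of the driver image) can be checked against the trap frame without a live target. The script below is an added illustration, not code from this thread: it decodes the first bytes of a typical MZ header as 32-bit x86 and compares the result with the register dump posted above (eax=a5c00000, eip=a5c00003, bytes 0003). The header bytes are constructed from the usual linker defaults, not read from the poster's driver.

```python
"""Is the trap frame consistent with the CPU executing a PE image's MZ header?
Added illustration for this thread; header bytes are constructed, not dumped."""

# Constructed: first 8 bytes of a typical MZ/DOS header ("MZ", e_cblp=0x90, e_cp=3).
MZ_HEADER = bytes([0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00])

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


def decode_one(code, off):
    """Decode one 32-bit x86 instruction at code[off] -> (next_offset, text).
    Hand-written and deliberately tiny: it only knows the opcodes that occur
    in an MZ header; it is not a general disassembler."""
    op = code[off]
    if 0x48 <= op <= 0x4F:                      # DEC r32 (one-byte form)
        return off + 1, f"dec {REG32[op - 0x48]}"
    if 0x58 <= op <= 0x5F:                      # POP r32
        return off + 1, f"pop {REG32[op - 0x58]}"
    if op == 0x90:                              # NOP
        return off + 1, "nop"
    if op == 0x00:                              # ADD r/m8, r8 with a ModRM byte
        modrm = code[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 0 and rm not in (4, 5):       # plain [reg] addressing only
            return off + 2, f"add byte ptr [{REG32[rm]}],{REG8[reg]}"
    raise ValueError(f"unhandled opcode {op:#04x} at +{off:#x}")


def trace_from(image_base, code, count):
    """Return (address, text) for the first `count` instructions at image_base.
    Note the one-byte `dec ebp`: it is consistent with the odd ebp value in
    the trap frame (ebp=a4cdb6b3), something compiled code never leaves behind."""
    out, off = [], 0
    for _ in range(count):
        nxt, text = decode_one(code, off)
        out.append((image_base + off, text))
        off = nxt
    return out


def check_trap(eax, eip, code):
    """Assume eax holds the address the CPU jumped to (the image base) and eip
    is where it faulted.  Return the raw bytes and mnemonic at eip so they can
    be compared with the debugger's '<eip> <bytes> <mnemonic>' line."""
    off = eip - eax
    nxt, text = decode_one(code, off)
    return code[off:nxt].hex(), text


if __name__ == "__main__":
    for addr, text in trace_from(0xA5C00000, MZ_HEADER, 4):
        print(f"{addr:08x}  {text}")
    print(check_trap(0xA5C00000, 0xA5C00003, MZ_HEADER))  # ('0003', 'add byte ptr [ebx],al')
```

The faulting instruction the decoder produces at image base + 3 is byte-for-byte the `0003 add byte ptr [ebx],al` that WinDbg printed, so something transferred control to the image base itself (a call through a bad function pointer, or a corrupted return address) rather than to a real entry point.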


> TRAP_FRAME: a4cdb614 – (.trap 0xffffffffa4cdb614)
> ErrCode = 00000003
> eax=a5c00000 ebx=a5f3c858 ecx=a4cdb6a0 edx=a5d5f406 esi=99d0c07e edi=99d0c1b0
> eip=a5c00003 esp=a4cdb688 ebp=a4cdb6b3 iopl=0 nv up ei ng nz na po nc

One observation here: note that eip=eax+3

You have not said if this code is optimized or not; I suspect optimization
because a common trick in optimized code is to do
mov r, subroutine address
call [r]

And I suspect that in this case, r is eax.
But it could also be the case that eax, which is the value-return
register, got stored on the stack, and due to a buffer overrun, was
written into the location where the return address had been stored; thus,
when the RET instruction was executed, it jumped to this random location,
and the data looked like a 3-byte instruction that was trying to store
something, so, although it was random data, it was executed, tried to do
something nonsensical, and died. So you need to examine 0xa5c00000 to see
what instruction(s) appear there, as well as checking for buffer overruns.

> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
> mirror_a5c00000!DebugPrint (mirror_a5c00000+0x3):

It seems that the debugger cannot decompile the instruction, making it all
the more likely this is not a valid instruction address

> a5c00003 0003 add byte ptr [ebx],al
> ds:0023:a5f3c858=67
> Resetting default scope

ebx is probably nonsense, and therefore refers to a write-protected address

>
> LAST_CONTROL_TRANSFER: from 828fbc9d to 82889554
>
> STACK_TEXT:
> a4cdb164 828fbc9d 00000003 c5f6daa7 00000065
> nt!RtlpBreakWithStatusInstruction
> a4cdb1b4 828fc799 00000003 b3e2b021 00000000 nt!KiBugCheckDebugBreak+0x1c
> a4cdb578 828a3aa3 000000be a5f3c858 b3e2b021 nt!KeBugCheck2+0x68b
> a4cdb5fc 828648c8 00000001 a5f3c858 00000000 nt!MmAccessFault+0x106
> a4cdb5fc a5c00003 00000001 a5f3c858 00000000 nt!KiTrap0E+0xdc
> a4cdb6b3 d5fcf1a4 b8f008a5 000001ff b90c8800 mirror_a5c00000!DebugPrint
> (mirror_a5c00000+0x3)
> WARNING: Frame IP not in any known module. Following frames may be wrong.

Either you have no symbols, or the wrong symbols; in either case, fix this
so this output has meaning

> a4cdb6b7 b8f008a5 000001ff b90c8800 b917e0ff 0xd5fcf1a4
> a4cdb6bb 00000000 b90c8800 b917e0ff 000000ff 0xb8f008a5

I found the solution: the error occurred during the project conversion. See: http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/3bafde3f-64eb-4c5e-843b-8b38ab03d9ed/xddm-mirror-driver-under-windows-8