name of driver that caused crash (again)

James_Harper · March 4, 2011, 6:24am

I know I asked this recently, but poking around the docs I saw “If the
driver responsible for the error can be identified, its name is printed
on the blue screen and stored in memory at the location
(PUNICODE_STRING) KiBugCheckDriver”

Is KiBugCheckDriver accessible from code from the bug check callback in
any way, or only from the debugger? I tried adding it as an extern but
the linker failed to find it. Could it be possible to find it
dynamically?

From a sample of 1 debugger instance, I notice it is at the address of
KiBugCheckData - 0x10… could that be relied on?

Thanks

James

Volodymyr_M_Shcherbyna-2 · March 7, 2011, 12:24pm

Why do you need this? You can’t store it anyway in bug check callback because you are executed at HIGH_LEVEL (you can use READ_PORT_XXX ; READ_REGISTER_XXX, WRITE_PORT_XXX, and WRITE_REGISTER_XXX to store data on device, but this is not the most useful solution).

An easier way will be to analyse generated dump file.