Hello Scott
It’s happend always in the same moment, when a use excel aplication
after encryptation and only when I encrypt a determinated extension
("*. "), I do not know what is the problem I was trying looking for
the error with prefast, verifier, and reverting to version. I try
verifier with ntoskrnl, but its didnt me new information, maybe I have
to chage the cofiguration or add more modules, actually is special
pool and irql.
Any advice?
Thanks!
This is the Full Analyze -v output
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ccf00000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8058ceb8, If non-zero, the instruction address which referenced
the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
READ_ADDRESS: ccf00000
FAULTING_IP:
nt!HvpGetCellMapped+12b
8058ceb8 8a18 mov bl,byte ptr [eax]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
BUGCHECK_STR: 0x50
PROCESS_NAME: winlogon.exe
TRAP_FRAME: b7b1b83c – (.trap 0xffffffffb7b1b83c)
ErrCode = 00000000
eax=ccf00000 ebx=e1019231 ecx=e2a4180c edx=cce6beb0 esi=89a2ab60 edi=00000eb0
eip=8058ceb8 esp=b7b1b8b0 ebp=b7b1b8f8 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
nt!HvpGetCellMapped+0x12b:
8058ceb8 8a18 mov bl,byte ptr [eax] ds:0023:ccf00000=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 80532747 to 804e3592
STACK_TEXT:
b7b1b38c 80532747 00000003 ccf00000 00000000 nt!RtlpBreakWithStatusInstruction
b7b1b3d8 8053321e 00000003 8066dfc8 c0333c00 nt!KiBugCheckDebugBreak+0x19
b7b1b7b8 8053380e 00000050 ccf00000 00000000 nt!KeBugCheck2+0x574
b7b1b7d8 805241a0 00000050 ccf00000 00000000 nt!KeBugCheckEx+0x1b
b7b1b824 804e1718 00000000 ccf00000 00000000 nt!MmAccessFault+0x6f5
b7b1b824 8058ceb8 00000000 ccf00000 00000000 nt!KiTrap0E+0xcc
b7b1b8f8 80570c9a 89a2ab60 0022aeb0 9ac4afb8 nt!HvpGetCellMapped+0x12b
b7b1b93c 80570e31 e10834b8 00000000 00000000 nt!CmEnumerateKey+0x2f
b7b1b9cc 804de7ec 800005b0 00000000 00000000 nt!NtEnumerateKey+0x1ea
b7b1b9cc 804dcc59 800005b0 00000000 00000000 nt!KiFastCallEntry+0xf8
b7b1ba5c 805db7f4 800005b0 00000000 00000000 nt!ZwEnumerateKey+0x11
b7b1bb04 805b1267 b7825ae0 00000000 00000000 nt!IopGetDeviceInterfaces+0x5bb
b7b1bb24 b7816701 b7825ae0 00000000 00000000 nt!IoGetDeviceInterfaces+0x39
b7b1bb50 b7817374 b7b1bb74 b7b1bb78 00000000 wdmaud!OpenSysAudio+0x20
b7b1bb80 b7817813 00000000 0000000e 00000001 wdmaud!OpenSysAudioPin+0x24
b7b1bbbc b7816a83 00000092 0000000e 89368df0 wdmaud!OpenWavePin+0x3e2
b7b1bbe8 b7816382 8db04f48 89368df0 00000000 wdmaud!Dispatch_OpenPin+0xb7
b7b1bc10 804e37f7 00000010 89221000 806ef2a4 wdmaud!SoundDispatch+0x430
b7b1bc20 8066bec5 9557ef90 8066e00f 8db04f48 nt!IopfCallDriver+0x31
b7b1bc44 80567f81 8db04fdc 9557ef90 8db04f48 nt!IovCallDriver+0xa0
b7b1bc58 8057aa9f 94938f10 8db04f48 9557ef90 nt!IopSynchronousServiceTail+0x70
b7b1bd00 8058efd7 000004b8 000001b4 00000000 nt!IopXxxControlFile+0x611
b7b1bd34 804de7ec 000004b8 000001b4 00000000 nt!NtDeviceIoControlFile+0x2a
b7b1bd34 7c91e506 000004b8 000001b4 00000000 nt!KiFastCallEntry+0xf8
018bfb58 7c91d26c 7c8016c2 000004b8 000001b4 ntdll!KiIntSystemCall+0x6
018bfb5c 7c8016c2 000004b8 000001b4 00000000 ntdll!NtDeviceIoControlFile+0xc
018bfbbc 72ca4523 000004b8 001d8014 00130e88 kernel32!DeviceIoControl+0x78
018bfc04 72ca13ea 00130e88 00000010 019000ec
wdmaud_72ca0000!wdmaudIoControl+0x96
018bfc28 72ca1ee8 00130e88 019000ec 018bfcb0 wdmaud_72ca0000!wdmaudOpenDev+0x5f
018bfc64 72ca1ad4 001554d0 018bfcc8 018bfcb0 wdmaud_72ca0000!waveOpen+0x13d
018bfc88 76b05349 00000000 00000005 018bfcc8 wdmaud_72ca0000!wodMessage+0xb9
018bfcd8 72c91810 01966f2c 00139f08 019000ec WINMM!waveOutOpen+0x2a2
018bfd1c 72c91b94 00000000 019000ec 00000000 msacm32!mapDriverOpenWave+0x100
018bfd44 72c912a1 00000000 00000000 018bfda8 msacm32!mapWaveOpen+0x1b1
018bfd68 76b05349 00000000 00000005 018bfda8 msacm32!wodMessage+0x77
018bfdb8 76b058be 76b20104 00150c18 019000ec WINMM!waveOutOpen+0x2a2
018bfe08 76b055e6 00e5003c 80010003 018bfe50 WINMM!soundOpen+0x75
018bfe18 76b05658 00e5003c 80010003 018bfee8 WINMM!soundPlay+0x1e
018bfe50 76b04f12 0013fcd0 80010003 00000000 WINMM!sndMessage+0x72
018bfe80 7e398734 00010078 000003cc 80010003 WINMM!mmWndProc+0x112
018bfeac 7e398816 76b04d6b 00010078 000003cc USER32!InternalCallWinProc+0x28
018bff14 7e3989cd 00000000 76b04d6b 00010078
USER32!UserCallWinProcCheckWow+0x150
018bff74 7e3996c7 018bff98 00000001 018bffb4 USER32!DispatchMessageWorker+0x306
018bff84 76b04e48 018bff98 00000200 0000002b USER32!DispatchMessageA+0xf
018bffb4 7c80b713 000004d4 00000200 0000002b WINMM!mciwindow+0x77
018bffec 00000000 76b04dca 000004d4 00000000 kernel32!BaseThreadStart+0x37
STACK_COMMAND: kb
FOLLOWUP_IP:
wdmaud!OpenSysAudio+20
b7816701 3bc6 cmp eax,esi
SYMBOL_STACK_INDEX: d
SYMBOL_NAME: wdmaud!OpenSysAudio+20
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: wdmaud
IMAGE_NAME: wdmaud.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48025c3e
FAILURE_BUCKET_ID: 0x50_VRFK_wdmaud!OpenSysAudio+20
BUCKET_ID: 0x50_VRFK_wdmaud!OpenSysAudio+20
Followup: MachineOwner
2010/8/27 Scott Noone :
> Not enough information to go on here to make a guess (you don’t even provide
> the full !analyze -v output). Is this 100% reproducible? Does it always
> crash in the same place or in different places? You have Verifier on for
> your driver, have you tried enabling it for ntoskrnl as well? Does your
> driver Prefast clean?
>
> -scott
>
>
> –
> Scott Noone
> Consulting Associate
> OSR Open Systems Resources, Inc.
> http://www.osronline.com
>
>
> “Martin Eduardo” wrote in message
> news:xxxxx@ntfsd…
>>
>> Hello Maxim
>>
>> Thanks for the reply,
>> But what can make this corruption?
>> what do you mean? Could be it only reading files or maybe could it
>> come from string management or irp treatment?Maybe dynamic memory
>> management problem?
>> Because I don know where look for this error?
>>
>> Thanks you,
>>
>> Best Regards,
>> Martin Eduardo Mu?oz
>>
>> 2010/8/25 Maxim S. Shatskih :
>>>
>>> ? Your minifilter can cause random corruptions to the data being read,
>>> especially in paging IO.
>>>
>>> –
>>> Maxim S. Shatskih
>>> Windows DDK MVP
>>> xxxxx@storagecraft.com
>>> http://www.storagecraft.com
>>>
>>> “Martin Eduardo” wrote in message
>>> news:xxxxx@ntfsd…
>>>>
>>>> Hello,
>>>>
>>>> I am developing a minifilter, and I am getting this error:
>>>>
>>>> I have driver verifier active, I dont know why, could anybody help me?
>>>>
>>>>
>>>> any ideas?
>>>>
>>>> Here i attach the windbg error output:
>>>>
>>>> Probably caused by : ntoskrnl.exe ( nt!HvpGetCellMapped+12b )
>>>>
>>>> Followup: MachineOwner
>>>> ---------
>>>>
>>>> nt!RtlpBreakWithStatusInstruction:
>>>> 804e3592 cc ? ? ? ? ? ? ?int ? ? 3
>>>> ERROR: Module load completed but symbols could not be loaded for
>>>> EXCEL.EXE
>>>> ERROR: Symbol file could not be found. ?Defaulted to export
>>>> symbols for VBoxDisp.dll -
>>>> ERROR: Symbol file could not be found. ?Defaulted to export
>>>> symbols for VBoxSF.sys -
>>>> kd> !analyze -v
>>>>
>>>>****************************************************************************
>>>> * *
>>>> * ? ? ? ? ? ? ? ? ? ? ? ?Bugcheck Analysis *
>>>> * *
>>>>
>>>> *******************************************************************************
>>>>
>>>> PAGE_FAULT_IN_NONPAGED_AREA (50)
>>>> Invalid system memory was referenced. ?This cannot be protected by
>>>> try-except,
>>>> it must be protected by a Probe. ?Typically the address is just plain
>>>> bad or it
>>>> is pointing at freed memory.
>>>> Arguments:
>>>> Arg1: cd880000, memory referenced.
>>>> Arg2: 00000000, value 0 = read operation, 1 = write operation.
>>>> Arg3: 8058ceb8, If non-zero, the instruction address which referenced
>>>> the bad memory
>>>> address.
>>>> Arg4: 00000000, (reserved)
>>>>
>>>> Debugging Details:
>>>> ------------------
>>>>
>>>
>>> —
>>> NTFSD is sponsored by OSR
>>>
>>> For our schedule of debugging and file system seminars
>>> (including our new fs mini-filter seminar) visit:
>>> http://www.osr.com/seminars
>>>
>>> To unsubscribe, visit the List Server section of OSR Online at
>>> http://www.osronline.com/page.cfm?name=ListServer
>>>
>>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>