One of my systems crashes with
UNEXPECTED_KERNEL_MODE_TRAP every time on reboot.
The memory dump file is as follows:
the driver hooked on a registry key caused the system crash.
Can I get this conclusion from this dump?
Before the registry is hooked, the first driver calls
ZwOpenKey(). The OS traps this ZwOpenKey(). After that,
the second driver hooks ZwOpenKey(). When the first
ZwOpenKey() returns, it calls the second driver's hook
function. After the second driver's hook finishes its
function, it tries to pass itself to ZwOpenKey()
again. That crashed the system. Am I right or not?
kd> !analyze -v
******************************************************
Bugcheck Analysis
******************************************************
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck parens is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
    use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
    use .trap on that value
Else
    .trap on the appropriate frame will show where the trap was taken
    (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
BUGCHECK_STR: 0x7f_8
TSS: 00000028 -- (.tss 28)
eax=00000020 ebx=ffdff120 ecx=90320001 edx=90320002 esi=823bdbf8 edi=82321638
eip=804e2455 esp=ef177ff0 ebp=ef178020 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!_SEH_prolog+0x1a:
804e2455 53 push ebx
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 80564713 to 804e2455
STACK_TEXT:
ef178020 80564713 823bdbf8 80563300 80563300 nt!_SEH_prolog+0x1a
ef178058 8056b390 80563300 823bdbf8 00000000 nt!ObCreateObject+0x79
ef1780b4 805677a0 e1a9e008 007ebd38 00000000 nt!CmpDoOpen+0x121
ef1782ac 8056316c 007ebd38 00000000 81e2a260 nt!CmpParseKey+0x558
ef178334 8056729a 00000000 ef178374 00000240 nt!ObpLookupObjectName+0x56a
ef178388 80567bfd 00000000 823bdbf8 00000000 nt!ObOpenObjectByName+0xeb
ef17845c f882240d ef178fa8 82000000 ef178d1c nt!NtOpenKey+0x1af
ef178c78 804de7ec ef178fa8 82000000 ef178d1c grddrvr!HookRegOpenKey+0x4d
ef178c78 804dd019 ef178fa8 82000000 ef178d1c nt!KiFastCallEntry+0xf8
ef178cfc 80595907 ef178fa8 82000000 ef178d1c nt!ZwOpenKey+0x11
ef178f5c 8059570d 00000000 e2665b88 00000000 nt!RtlpGetRegistryHandle+0x15d
ef178fb8 efe5d3ca 00000000 e2665b88 ef178fe0 nt!RtlQueryRegistryValues+0x1d
WARNING: Stack unwind information not available. Following frames may be wrong.
ef179068 f8176ebf 00000000 f8171960 f817194c ialmkchw+0x63ca
ef1799b0 f815f11b 8221e358 ef1799cc 00000000 ialmnt5+0x11ebf
ef179a74 804e37f7 8221e040 81e03a20 00000008 VIDEOPRT!pVideoPortDispatch+0xabf
ef179b1c 8054a938 8218006a e272ec9a 82180008 nt!IopfCallDriver+0x31
ef179b64 805a31ca ef17a63c ef17a6cc 00000000 nt!ExFreePoolWithTag+0x676
ef179b9c 805802ce e27bfc58 823bdb00 82180008 nt!CmpQueryKeyName+0xe4
ef179cdc 8056b012 8056b2ae e1a9e008 c0000034 nt!ObQueryNameString+0xe0
ffffffff 00000000 00000000 00000000 00000000 nt!CmpFindValueByNameFromCache+0xde
ef17b758 80565cec ef17b874 ef17b878 ef17b848 nt!KiCallUserMode+0x4
ef17b7b4 bf84036e 0000000a ef17b8b0 00000088 nt!KeUserModeCallback+0x87
ef17bacc bf813f63 bc682228 00000001 00000000 win32k!SfnINLPCREATESTRUCT+0x41f
ef17bb14 bf814155 0a682228 00000001 00000000 win32k!xxxSendMessageToClient+0x176
ef17bb60 bf80f53e bc682228 00000001 00000000 win32k!xxxSendMessageTimeout+0x1a6
ef17bb84 bf84104b bc682228 00000001 00000000 win32k!xxxSendMessage+0x1b
ef17bc6c bf83ee67 00000000 00000000 bc6821a8 win32k!xxxCreateWindowEx+0xbce
ef17bd20 804de7ec 80000000 ef17bcec ef17bce0 win32k!NtUserCreateWindowEx+0x1c1
ef17bd20 7c90eb94 80000000 ef17bcec ef17bce0 nt!KiFastCallEntry+0xf8
0012f764 00000000 00000000 00000000 00000000 0x7c90eb94
FOLLOWUP_IP:
grddrvr!HookRegOpenKey+4d
f882240d 8985f8f7ffff mov [ebp-0x808],eax
SYMBOL_STACK_INDEX: 7
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: grddrvr!HookRegOpenKey+4d
MODULE_NAME: grddrvr
IMAGE_NAME: grddrvr.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 427a599e
STACK_COMMAND: .tss 28 ; kb
BUCKET_ID: 0x7f_8_grddrvr!HookRegOpenKey+4d
Followup: MachineOwner
kd> .tss 28
eax=00000020 ebx=ffdff120 ecx=90320001 edx=90320002 esi=823bdbf8 edi=82321638
eip=804e2455 esp=ef177ff0 ebp=ef178020 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!_SEH_prolog+0x1a:
804e2455 53 push ebx
kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
ef178020 80564713 823bdbf8 80563300 80563300 nt!_SEH_prolog+0x1a
ef178058 8056b390 80563300 823bdbf8 00000000 nt!ObCreateObject+0x79
ef1780b4 805677a0 e1a9e008 007ebd38 00000000 nt!CmpDoOpen+0x121
ef1782ac 8056316c 007ebd38 00000000 81e2a260 nt!CmpParseKey+0x558
ef178334 8056729a 00000000 ef178374 00000240 nt!ObpLookupObjectName+0x56a
ef178388 80567bfd 00000000 823bdbf8 00000000 nt!ObOpenObjectByName+0xeb
ef17845c f882240d ef178fa8 82000000 ef178d1c nt!NtOpenKey+0x1af
ef178c78 804de7ec ef178fa8 82000000 ef178d1c grddrvr!HookRegOpenKey+0x4d
ef178c78 804dd019 ef178fa8 82000000 ef178d1c nt!KiFastCallEntry+0xf8 (FPO: [0,0] trapfram at ef178c8c
ef178cfc 80595907 ef178fa8 82000000 ef178d1c nt!ZwOpenKey+0x11
ef178f5c 8059570d 00000000 e2665b88 00000000 nt!RtlpGetRegistryHandle+0x15d
ef178fb8 efe5d3ca 00000000 e2665b88 ef178fe0 nt!RtlQueryRegistryValues+0x1d
WARNING: Stack unwind information not available. Following frames may be wrong.
ef179068 f8176ebf 00000000 f8171960 f817194c ialmkchw+0x63ca
ef1799b0 f815f11b 8221e358 ef1799cc 00000000 ialmnt5+0x11ebf
ef179a74 804e37f7 8221e040 81e03a20 00000008 VIDEOPRT!pVideoPortDispatch+0xabf
ef179b1c 8054a938 8218006a e272ec9a 82180008 nt!IopfCallDriver+0x31
ef179b64 805a31ca ef17a63c ef17a6cc 00000000 nt!ExFreePoolWithTag+0x676
ef179b9c 805802ce e27bfc58 823bdb00 82180008 nt!CmpQueryKeyName+0xe4
ef179cdc 8056b012 8056b2ae e1a9e008 c0000034 nt!ObQueryNameString+0xe0
ffffffff 00000000 00000000 00000000 00000000 nt!CmpFindValueByNameFromCache+0xde
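An added diagnostic, not part of the post and not the questioner's or the driver vendor's code: a Python script that parses the kb frames quoted above, measures how much stack each caller's frame used, and checks whether the faulting `push ebx` at esp=ef177ff0 lands below the whole walk on the next lower 4 KiB page. For a 0x7f with Arg1 8 (double fault) that stack-exhaustion check belongs next to the hook-chain reading; it assumes the frames were copied verbatim from the kb output and treats the page below the lowest frame as the guard region, since the thread's StackLimit is not in the post.

```python
import re

# Frames copied from the `kb` output in the post (ChildEBP RetAddr Args Symbol),
# from the double-fault frame up to the caller that entered ZwOpenKey.
KB_FRAMES = """\
ef178020 80564713 823bdbf8 80563300 80563300 nt!_SEH_prolog+0x1a
ef178058 8056b390 80563300 823bdbf8 00000000 nt!ObCreateObject+0x79
ef1780b4 805677a0 e1a9e008 007ebd38 00000000 nt!CmpDoOpen+0x121
ef1782ac 8056316c 007ebd38 00000000 81e2a260 nt!CmpParseKey+0x558
ef178334 8056729a 00000000 ef178374 00000240 nt!ObpLookupObjectName+0x56a
ef178388 80567bfd 00000000 823bdbf8 00000000 nt!ObOpenObjectByName+0xeb
ef17845c f882240d ef178fa8 82000000 ef178d1c nt!NtOpenKey+0x1af
ef178c78 804de7ec ef178fa8 82000000 ef178d1c grddrvr!HookRegOpenKey+0x4d
ef178c78 804dd019 ef178fa8 82000000 ef178d1c nt!KiFastCallEntry+0xf8
ef178cfc 80595907 ef178fa8 82000000 ef178d1c nt!ZwOpenKey+0x11
ef178f5c 8059570d 00000000 e2665b88 00000000 nt!RtlpGetRegistryHandle+0x15d
ef178fb8 efe5d3ca 00000000 e2665b88 ef178fe0 nt!RtlQueryRegistryValues+0x1d
"""
FAULT_ESP = 0xEF177FF0  # esp at the double fault, from the `.tss 28` output
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})(?: [0-9a-f]{8}){3} (\S+)$")

def parse_kb(text):
    """Return [(child_ebp, ret_addr, symbol), ...] from x86 `kb` frame lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return frames

def frame_usage(frames):
    """Stack bytes owned by each caller: the gap between its EBP and its callee's
    EBP (locals, pushed args, return address). FPO frames sharing an EBP show 0."""
    return [(caller, caller_ebp - callee_ebp)
            for (callee_ebp, _, _), (caller_ebp, _, caller) in zip(frames, frames[1:])]

def biggest_frame(frames):
    """The (symbol, bytes) pair for the frame that consumed the most stack."""
    return max(frame_usage(frames), key=lambda u: u[1])

def fault_below_walk(frames, esp):
    """True when the faulting push writes below every walked frame and on a lower
    4 KiB page: the signature of a kernel stack running into its guard page.
    Assumption: the real StackLimit (from `!thread`) is not in the post."""
    lowest_ebp = min(ebp for ebp, _, _ in frames)
    write_addr = esp - 4  # a 32-bit push stores at esp-4
    return write_addr < lowest_ebp and (write_addr >> 12) < (lowest_ebp >> 12)

if __name__ == "__main__":
    fr = parse_kb(KB_FRAMES)
    for sym, n in frame_usage(fr):
        print(f"{n:#06x} ({n:4d} bytes)  {sym}")
    print(biggest_frame(fr), fault_below_walk(fr, FAULT_ESP))
```

On these frames the hook's frame measures 0x81c bytes, which matches the `mov [ebp-0x808],eax` shown at the FOLLOWUP_IP.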