Hi,
I’m experiencing one of the most famost UNEXPECTED_KERNEL_MODE_TRAP,
EXCEPTION_DOUBLE_FAULT when my driver is running in combination with
Symantec’s AV.
The stacktrace and debug cleary (included below) show that I’m running
out of stack space (esp=e789c0cc, ebp=e789c104).
I know Symantec is using some (weird?) stack switching techniques. What
are the possibilities in this case, other than not running Symantec, to
increase stack size ? Does anybody know of some registry entry to
increase Symantec’s stack size ? Or do I just have to trim down my code
?
Thanks, Bartjan.
Last set context:
eax=00000000 ebx=00001000 ecx=e2328da8 edx=e789c4f4 esi=e2328da8
edi=811242e8
eip=bff6dae0 esp=e789c0cc ebp=e789c104 iopl=0 nv up ei pl nz ac
pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010213
Fastfat!FatCheckFreeDirentBitmap:
bff6dae0 55 push ebp
ChildEBP RetAddr Args to Child
00 e789c0c8 bff6846c 811242e8 e2328da8 811242e8
Fastfat!FatCheckFreeDirentBitmap
01 e789c104 bff66058 811242e8 e2328da8 e789c4e4
Fastfat!FatOpenDirectoryFile+0x4a
02 e789c128 bff6634e 811242e8 e2328da8 00000000
Fastfat!FatReadDirectoryFile+0x20
03 e789c208 bff68ff3 811242e8 e2328da8 e789c984
Fastfat!FatLocateDirent+0x11a
04 e789c9e0 bff650d7 811242e8 bd5a0e70 8145aa30
Fastfat!FatCommonCreate+0xab3
05 e789ca24 8052d790 8145aa30 bd5a0e70 bd5a0e70
Fastfat!FatFsdCreate+0x79
06 e789ca70 8052cf55 5ad0de0b bd5a0fdc bd5a0e70
nt!IovSpecialIrpCallDriver+0xcd
07 e789ca8c fcd5746c 811fff00 811fff00 811f9600 nt!IovCallDriver+0x31
08 e789cb04 fcd5755a 811fff00 bd5a0e70 80063124
ThTrac2k!ThTrackHookRoutine(_DEVICE_OBJECT* HookDevice = 811fff00 ,
_IRP* Irp = bd5a0e70 )+0x10a0
[x:\source\vss\x-tra\agent\driver\winnt\thtrack.c @ 1331]
09 e789cb28 8052d790 811fff00 bd5a0e70 e789cee0
ThTrac2k!ThTrackDispatch(_DEVICE_OBJECT* DeviceObject = 811fff00 , _IRP*
Irp = bd5a0e70 )+0x32 [x:\source\vss\x-tra\agent\driver\winnt\thtrack.c
@ 1414]
0a e789cb74 8049c7cf 8049c2a5 811ffee8 e789ce64
nt!IovSpecialIrpCallDriver+0xcd
0b e789ccfc 8044f0f2 811fff00 00000000 e789cda8 nt!IopParseDevice+0xa04
0c e789cd68 8049a7fb 00000000 e789ce00 00000040
nt!ObpLookupObjectName+0x4c4
0d e789ce78 8049caab 00000000 00000000 61726700
nt!ObOpenObjectByName+0xc5
0e e789cf4c 8049a61f e789d100 00120089 e789d070 nt!IoCreateFile+0x3ec
0f e789cf8c 80462cf1 e789d100 00120089 e789d070 nt!NtCreateFile+0x2e
10 e789cf8c 804009d1 e789d100 00120089 e789d070 nt!KiSystemService+0xc4
11 e789d030 fcd40277 e789d100 00120089 e789d070 nt!ZwCreateFile+0xb
12 e789d090 fcd406f2 bd586ecc e789d100 00120089
ThTrac2k!ts_CreateFile(_UNICODE_STRING* ObjectName = bd586ecc , void**
FileHandle = e789d100 , unsigned long DesiredAccess = 0x120089,
_IO_STATUS_BLOCK* IoStatusBlock = e789d104 , _LARGE_INTEGER*
AllocationSize = 00000000 , unsigned long FileAttributes = 0x80,
unsigned long ShareAccess = 1, unsigned long Disposition = 1, unsigned
long CreateOptions = 0x50, void* EaBuffer = 00000000 , unsigned long
EaLength = 0, int CreateFileType = 0, void* ExtraCreateParameters =
00000000 , unsigned long Options = 0x300)+0x415
[x:\source\vss\x-tra\agent\driver\winnt\file_io.c @ 474]
13 e789d124 fcd44fee bd586ec0 e789d160 bd57ee48
ThTrac2k!ts_OpenFileForRead(tagTSFileObj* pFileObj = bd586ec0 , unsigned
long* dwError = e789d160 )+0x10a
[x:\source\vss\x-tra\agent\driver\winnt\file_io.c @ 561]
14 e789d154 fcd4b73a bd582f10 00000001 bd57ee48
ThTrac2k!ts_FileObjGetEntry(THTRACK_COMPLETE_CONTEXT* pThTrackContext =
bd582f10 , unsigned char bCanCreateNewEntry = 0x1 ‘’)+0x52a
[x:\source\vss\x-tra\agent\driver\winnt\fileobj.c @ 1222]
15 e789d180 fcd57051 bd582f10 8114ac90 8114ac90
ThTrac2k!ThTrackCreateBefore(void* Context = bd582f10 )+0x50
[x:\source\vss\x-tra\agent\driver\winnt\irpcreat.c @ 42]
16 e789d1fc fcd5755a 8114ac90 bd57ee48 80063124
ThTrac2k!ThTrackHookRoutine(_DEVICE_OBJECT* HookDevice = 8114ac90 ,
_IRP* Irp = bd57ee48 )+0xc85
[x:\source\vss\x-tra\agent\driver\winnt\thtrack.c @ 1248]
17 e789d220 8052d790 8114ac90 bd57ee48 bd57ee48
ThTrac2k!ThTrackDispatch(_DEVICE_OBJECT* DeviceObject = 8114ac90 , _IRP*
Irp = bd57ee48 )+0x32 [x:\source\vss\x-tra\agent\driver\winnt\thtrack.c
@ 1414]
18 e789d26c 8052cf55 fcca104c e789d2e4 00000000
nt!IovSpecialIrpCallDriver+0xcd
19 e789d288 fcc9725a 00000000 e789d2e4 00000000 nt!IovCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be
wrong.
1a e789d2b0 fcc99e71 8114ac90 8117caf0 e789d2e4 SYMEVENT+0x125a
1b b1b40fa0 b19e2770 6a6a6a00 00000000 00000000
SYMEVENT!SYMEvent_Operation+0x335
1c fcc96708 fcc99d9a fcc99d9f fcc97bcf fcc97bcf 0xb19e2770
1d fcc99c4a 000000aa 082444f6 56077401 ffd01ae8
SYMEVENT!SYMEvent_Operation+0x25e