10 Common Mistakes in Memory Analysis (Part 5)
Sometimes, not paying attention to all aspects of the default analysis makes it hard to consider an alternative troubleshooting hypothesis. Here is a sample of !analyze -v output showing massive patching (the hooked-functions pattern) attributed to the DriverA module:
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8092d47f, The address that the exception occurred at
Arg3: f5205b14, Trap Frame
Arg4: 00000000
[...]
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
80822a49-80822a4d 5 bytes - nt!NtYieldExecution
[ 8b ff 55 8b ec:e9 14 3a 95 76 ]
80823c11-80823c14 4 bytes - nt!KeFlushProcessTb+2c (+0x11c8)
[ 69 76 82 80:88 ff ff ff ]
80823c17-80823c1a 4 bytes - nt!KeFlushProcessTb+32 (+0x06)
[ dd 40 01 00:b5 34 b3 76 ]
8083771f-80837725 7 bytes - nt!KeAcquireQueuedSpinLockAtDpcLevel+1b (+0x13b08)
[ f7 41 04 01 00 00 00:e9 c4 f9 b1 76 cc cc ]
80840945-8084094a 6 bytes - nt!KxFlushEntireTb+9 (+0x9226)
[ ff 15 1c 10 80 80:e9 65 67 b1 76 cc ]
80845fe0-80845fe3 4 bytes - nt!KeFlushSingleTb+49 (+0x569b)
[ 14 1d ff ff:dd 10 b1 76 ]
80845fe5 - nt!KeFlushSingleTb+4e (+0x05)
[ b9:c3 ]
8084722d-80847230 4 bytes - nt!KeFlushMultipleTb+45 (+0x1248)
[ 5e e3 82 80:14 00 00 00 ]
80847233-80847236 4 bytes - nt!KeFlushMultipleTb+4b (+0x06)
[ c1 0a ff ff:99 fe b0 76 ]
808c039c-808c039e 3 bytes - nt!NtSetContextThread
[ 8b ff 55:e9 31 5f ]
808c03a0 - nt!NtSetContextThread+4 (+0x04)
[ ec:76 ]
808e3184-808e3188 5 bytes - nt!NtCreateProcess (+0x22de4)
[ 8b ff 55 8b ec:e9 0b 31 89 76 ]
808f6ad0-808f6ad6 7 bytes - nt!NtLoadKeyEx (+0x1394c)
[ 6a 70 68 98 4b 81 80:e9 e7 f8 87 76 90 90 ]
8090c66f-8090c675 7 bytes - nt!NtDeleteValueKey (+0x15b9f)
[ 6a 44 68 60 f0 81 80:e9 c4 9c 86 76 90 90 ]
8090e36c-8090e370 5 bytes - nt!NtTerminateProcess (+0x1cfd)
[ 8b ff 55 8b ec:e9 34 81 86 76 ]
80915342-80915346 5 bytes - nt!NtDeleteKey (+0x6fd6)
[ 8b ff 55 8b ec:e9 c7 0f 86 76 ]
80918114-80918118 5 bytes - nt!NtOpenThread (+0x2dd2)
[ 68 c4 00 00 00:e9 53 e1 85 76 ]
80921eac-80921eb2 7 bytes - nt!NtEnumerateKey (+0x9d98)
[ 6a 48 68 f0 f9 82 80:e9 f5 44 85 76 90 90 ]
80922578-8092257e 7 bytes - nt!NtEnumerateValueKey (+0x6cc)
[ 6a 48 68 10 fc 82 80:e9 13 3e 85 76 90 90 ]
80922efd-80922f01 5 bytes - nt!NtNotifyChangeKey (+0x985)
[ 8b ff 55 8b ec:e9 e4 34 85 76 ]
809246fb-809246ff 5 bytes - nt!NtOpenProcess (+0x17fe)
[ 68 c8 00 00 00:e9 58 1b 85 76 ]
8092c8a0-8092c8a4 5 bytes - nt!NtCreateKey (+0x81a5)
[ 68 c0 00 00 00:e9 55 9a 84 76 ]
8092f3a6-8092f3ac 7 bytes - nt!NtSetValueKey (+0x2b06)
[ 6a 58 68 a0 f6 82 80:e9 a3 6f 84 76 90 90 ]
8092fa88-8092fa8c 5 bytes - nt!NtCreateFile (+0x6e2)
[ 8b ff 55 8b ec:e9 ab 69 84 76 ]
80931311-80931315 5 bytes - nt!NtOpenKey (+0x1889)
[ 68 ac 00 00 00:e9 d0 4f 84 76 ]
809316ed-809316f3 7 bytes - nt!NtQueryValueKey (+0x3dc)
[ 6a 60 68 80 90 84 80:e9 72 4c 84 76 90 90 ]
8093470f-80934715 7 bytes - nt!NtQueryKey (+0x3022)
[ 6a 58 68 c8 97 84 80:e9 0e 1d 84 76 90 90 ]
809354fa-80935500 7 bytes - nt!NtMapViewOfSection (+0xdeb)
[ 6a 38 68 80 a2 84 80:e9 77 0f 84 76 90 90 ]
80935785-80935789 5 bytes - nt!NtUnmapViewOfSection (+0x28b)
[ 8b ff 55 8b ec:e9 02 0d 84 76 ]
8093ba96-8093ba9c 7 bytes - nt!NtProtectVirtualMemory (+0x6311)
[ 6a 44 68 40 03 85 80:e9 b1 a9 83 76 90 90 ]
8093c86d-8093c871 5 bytes - nt!NtSetInformationProcess (+0xdd7)
[ 68 08 01 00 00:e9 4c 9a 83 76 ]
8093ce6b-8093ce71 7 bytes - nt!NtCreateProcessEx (+0x5fe)
[ 6a 0c 68 58 0e 85 80:e9 38 94 83 76 90 90 ]
80978fef-80978ff5 7 bytes - nt!NtQueryMultipleValueKey (+0x3c184)
[ 6a 48 68 f0 f9 86 80:e9 86 d3 7f 76 90 90 ]
80979775-8097977b 7 bytes - nt!NtRenameKey (+0x786)
[ 6a 3c 68 38 fa 86 80:e9 a8 cb 7f 76 90 90 ]
80979caf-80979cb3 5 bytes - nt!NtRestoreKey (+0x53a)
[ 8b ff 55 8b ec:e9 46 c7 7f 76 ]
8097a11c-8097a120 5 bytes - nt!NtUnloadKey (+0x46d)
[ 8b ff 55 8b ec:e9 b1 c2 7f 76 ]
8097a139-8097a13d 5 bytes - nt!NtReplaceKey (+0x1d)
[ 8b ff 55 8b ec:e9 d0 c2 7f 76 ]
197 errors : !nt (80822a49-8097a13d)
MODULE_NAME: DriverA
IMAGE_NAME: DriverA.sys
MEMORY_CORRUPTOR: PATCH_DriverA
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_DriverA
BUCKET_ID: MEMORY_CORRUPTION_PATCH_DriverA
However, when we look at the stack trace, we see that the BSOD happened while accessing the registry during a driver update:
FAULTING_IP:
nt!HvpGetCellMapped+97
8092d47f 8b4604 mov eax,dword ptr [esi+4]
TRAP_FRAME: f5205b14 -- (.trap 0xfffffffff5205b14)
ErrCode = 00000000
eax=e1021000 ebx=e101a3b8 ecx=00000003 edx=89214988 esi=00000100 edi=00000000
eip=8092d47f esp=f5205b88 ebp=f5205bfc iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!HvpGetCellMapped+0x97:
8092d47f 8b4604 mov eax,dword ptr [esi+4] ds:0023:00000104=????????
Resetting default scope
PROCESS_NAME: updatedrivers.exe
STACK_TEXT:
f52056e0 8085bb9f 0000008e c0000005 8092d47f nt!KeBugCheckEx+0x1b
f5205aa4 808346b4 f5205ac0 00000000 f5205b14 nt!KiDispatchException+0x3a2
f5205b0c 80834668 f5205bfc 8092d47f badb0d00 nt!CommonDispatchException+0x4a
f5205b98 8092d559 e101a3b8 e63a8e40 0010fc18 nt!Kei386EoiHelper+0x186
f5205bfc 80920fcd e101a3b8 00610052 3b9aca07 nt!HvpGetCellMapped+0x36a
f5205c20 8092248b e63a8e40 e22b4794 00000000 nt!CmpGetValueKeyFromCache+0xa4
f5205cc0 80922649 e63a8e40 00000000 00000001 nt!CmEnumerateValueKey+0x45a
f5205d44 80833bdf 00000058 00000000 00000001 nt!NtEnumerateValueKey+0x1c9
f5205d44 7c9485ec 00000058 00000000 00000001 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
001290fc 00000000 00000000 00000000 00000000 0x7c9485ec
So an alternative hypothesis to pursue would be some sort of registry corruption after driver updates.
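The cross-check this post argues for, written out as an added example that is not part of the original post: parse the !chkimg ranges, decode where the E9 inline jumps land, and test whether the faulting IP or any return address on the stack actually lies inside a patched byte range. The !chkimg excerpt, register line and return addresses are copied from the output above; treating each patch as a 32-bit relative JMP is my assumption.

```python
import re
# Constructed excerpt of the !chkimg -d and trap-frame output shown in the post.
CHKIMG = """\
80822a49-80822a4d 5 bytes - nt!NtYieldExecution
[ 8b ff 55 8b ec:e9 14 3a 95 76 ]
8083771f-80837725 7 bytes - nt!KeAcquireQueuedSpinLockAtDpcLevel+1b (+0x13b08)
[ f7 41 04 01 00 00 00:e9 c4 f9 b1 76 cc cc ]
80845fe5 - nt!KeFlushSingleTb+4e (+0x05)
[ b9:c3 ]
80922578-8092257e 7 bytes - nt!NtEnumerateValueKey (+0x6cc)
[ 6a 48 68 10 fc 82 80:e9 13 3e 85 76 90 90 ]
"""
TRAP_REGS = "eax=e1021000 ebx=e101a3b8 ecx=00000003 edx=89214988 esi=00000100 edi=00000000"
FAULTING_IP = 0x8092d47f
# Return addresses (second column of STACK_TEXT) from the post's stack trace.
STACK_RET = [0x8085bb9f, 0x808346b4, 0x80834668, 0x8092d559, 0x80920fcd,
             0x8092248b, 0x80922649, 0x80833bdf, 0x7c9485ec]
RANGE_RE = re.compile(r"^([0-9a-f]{8})(?:-([0-9a-f]{8}))?.*? - (\S+)")
BYTES_RE = re.compile(r"^\[ (.*?):(.*?) \]")

def parse_chkimg(text):
    """!chkimg -d output -> list of (start, end, symbol, old_bytes, new_bytes)."""
    entries, pending = [], None
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:  # address range line; a single address means a one-byte patch
            pending = [int(m.group(1), 16), int(m.group(2) or m.group(1), 16), m.group(3)]
        elif pending and (m := BYTES_RE.match(line)):  # "[ old:new ]" byte line
            old, new = (bytes.fromhex(g.replace(" ", "")) for g in m.groups())
            entries.append(tuple(pending) + (old, new))
            pending = None
    return entries

def jmp_target(entry):
    """Decode an inline hook (E9 rel32 written at the patch start) to its 32-bit target."""
    start, _, _, _, new = entry
    if len(new) < 5 or new[0] != 0xE9:
        return None  # not a relative JMP (e.g. the single-byte B9->C3 'ret' patch)
    rel = int.from_bytes(new[1:5], "little", signed=True)
    return (start + 5 + rel) & 0xFFFFFFFF

def find_patch(addr, entries):
    """The patched entry whose byte range contains addr, or None."""
    return next((e for e in entries if e[0] <= addr <= e[1]), None)

def operand_address(regs_line, base, disp):
    """Evaluate a [base+disp] memory operand against a WinDbg 'reg=value' dump."""
    regs = {k: int(v, 16) for k, v in re.findall(r"(\w+)=([0-9a-f]{8})", regs_line)}
    return (regs[base] + disp) & 0xFFFFFFFF
```

On this dump no frame address falls inside a patched range, the hook targets cluster in one high kernel region away from nt, and [esi+4] evaluates to 0x104, which matches the unreadable ds:0023:00000104 in the trap frame: the crash is a bad registry cell pointer, not execution of patched code.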
- Dmitry Vostokov @ DumpAnalysis.org -