Crash Dump Analysis Patterns (Part 8b)
This is an example of the Hidden Exception pattern in kernel space:
0: kd> !thread
THREAD fffffa800d4bf9c0 Cid 0e88.56e0 Teb: 000007fffffd8000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap fffff8a001e91950
Owning Process fffffa800b33cb30 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 13154529 Ticks: 0
Context Switch Count 1426
UserTime 00:00:00.015
KernelTime 00:00:00.124
Win32 Start Address 0x0000000077728d20
Stack Init fffff8800a83fdb0 Current fffff8800a83eb90
Base fffff8800a840000 Limit fffff8800a83a000 Call 0
Priority 10 BasePriority 10 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
[…]
0: kd> dps fffff8800a83a000 fffff8800a840000
[...]
fffff880`0a83e180 fffff880`0a83ea10
fffff880`0a83e188 fffff880`0a83e6d0
fffff880`0a83e190 fffff880`0a83e968
fffff880`0a83e198 fffff800`016c88cf nt!KiDispatchException+0x16f
fffff880`0a83e1a0 fffff880`0a83e968
fffff880`0a83e1a8 fffff880`0a83e1d0
fffff880`0a83e1b0 fffff880`00000000
fffff880`0a83e1b8 00000000`00000000
fffff880`0a83e1c0 00000000`00000000
fffff880`0a83e1c8 00000000`00000000
[…]
0: kd> .cxr fffff880`0a83e1d0
rax=0000000000000009 rbx=fffffa800d4c1de0 rcx=0000000000000000
rdx=fffff8800a83ece0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800016ad74f rsp=fffff8800a83eba0 rbp=00000000a000000c
r8=fffff8800a83ecd8 r9=fffff8800a83ecc0 r10=0000000000000000
r11=fffff8800a83ed58 r12=0000000000000000 r13=0000000000000000
r14=fffffa800d4bf9c0 r15=fffffa800d4c1ea0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!IopCompleteRequest+0x12f:
fffff800`016ad74f 48894108 mov qword ptr [rcx+8],rax ds:002b:00000000`00000008=????????????????
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
September 9th, 2016 at 1:19 pm
Another example:
0: kd> k
# ChildEBP RetAddr
00 8078aefc 8281db8c hal!READ_PORT_USHORT+0x8
01 8078af0c 8281dcf5 hal!HalpCheckPowerButton+0x2e
02 8078af10 8292cdde hal!HaliHaltSystem+0x7
03 8078af5c 8292dc79 nt!KiBugCheckDebugBreak+0x73
04 8078b320 8292cc24 nt!KeBugCheck2+0xa7f
05 8078b340 82a5a49b nt!KeBugCheckEx+0x1e
06 8078bc90 828fe9c9 nt!PspSystemThreadStartup+0xde
07 00000000 00000000 nt!KiThreadStartup+0x19
0: kd> !thread
THREAD 863475f8 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
DeviceMap 8d6080c0
Owning Process 863478d0 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 2624 Ticks: 7 (0:00:00:00.109)
Context Switch Count 1025 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:03.962
Win32 Start Address nt!Phase1Initialization (0x829dd53b)
Stack Init 8078bed0 Current 8078b890 Base 8078c000 Limit 80789000 Call 0
Priority 31 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
8078aefc 8281db8c 00001000 00000000 8078af5c hal!READ_PORT_USHORT+0x8 (FPO: [1,0,0])
8078af0c 8281dcf5 8292cdde 2b2952aa 807c960c hal!HalpCheckPowerButton+0x2e (FPO: [Non-Fpo])
8078af10 8292cdde 2b2952aa 807c960c 00000000 hal!HaliHaltSystem+0x7 (FPO: [0,0,0])
8078af5c 8292dc79 00000004 00000000 00000000 nt!KiBugCheckDebugBreak+0x73
8078b320 8292cc24 0000007e c0000005 8cc14540 nt!KeBugCheck2+0xa7f
8078b340 82a5a49b 0000007e c0000005 8cc14540 nt!KeBugCheckEx+0x1e
8078bc90 828fe9c9 829dd53b 80806cb0 00000000 nt!PspSystemThreadStartup+0xde
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
0: kd> dps 80789000 8078c000
80789000 00000000
80789004 00000000
80789008 00000000
8078900c 00000000
…
8078b46c 00000000
8078b470 8078b880
8078b474 82902277 nt!KiDispatchException+0x17c
8078b478 8078b89c
8078b47c 8078b480
8078b480 00010017
8078b484 00000000
8078b488 00000000
8078b48c 00000000
8078b490 00000000
…
0: kd> .cxr 8078b480
eax=00000000 ebx=87428554 ecx=8078b998 edx=00000000 esi=871121d0 edi=0000008c
eip=8cc11340 esp=8078b964 ebp=8078ba28 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210292
Driver+0x1340:
8cc11340 ff5000 call dword ptr [eax] ds:0023:00000000=????????
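An added example (not from the original post) that automates the search shown in both listings above: it parses dps output, locates KiDispatchException return addresses, reports the nearby stack slots that point back into the stack (the .cxr/.exr candidates), and flags the one whose ContextFlags field looks like a CONTEXT record (offset 0 on x86, offset 0x30 on x64 after the P1Home..P6Home slots). The sample input is a constructed subset of the two dps listings; stack limit and base values are taken from the !thread output above.

```python
import re

# Constructed sample input: subsets of the two dps listings above.
DPS_X64 = """
fffff880`0a83e190 fffff880`0a83e968
fffff880`0a83e198 fffff800`016c88cf nt!KiDispatchException+0x16f
fffff880`0a83e1a0 fffff880`0a83e968
fffff880`0a83e1a8 fffff880`0a83e1d0
fffff880`0a83e1b0 fffff880`00000000
"""
DPS_X86 = """
8078b470 8078b880
8078b474 82902277 nt!KiDispatchException+0x17c
8078b478 8078b89c
8078b47c 8078b480
8078b480 00010017
8078b484 00000000
"""
LINE_RE = re.compile(r"^\s*([0-9a-f`]+)\s+([0-9a-f`]+)(?:\s+(\S.*))?$", re.I)

def parse_dps(text):
    """Return (address, value, symbol) triples from dps output, backticks stripped."""
    slots = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, val = (int(g.replace("`", ""), 16) for g in m.group(1, 2))
            slots.append((addr, val, m.group(3) or ""))
    return slots

def looks_like_context_flags(flags):
    # CONTEXT_i386 is 0x00010000 and CONTEXT_AMD64 is 0x00100000; low bits select register groups.
    return flags is not None and (flags & 0xFFFF0000) in (0x00010000, 0x00100000)

def find_hidden_exceptions(slots, stack_limit, stack_base, lookahead=4):
    """For each KiDispatchException return address, collect stack-resident pointers
    saved in the following slots and pick the one with a plausible ContextFlags."""
    mem = {addr: val for addr, val, _ in slots}
    flags_offset = 0x30 if stack_base > 0xFFFFFFFF else 0  # x64 CONTEXT starts with P1Home..P6Home
    findings = []
    for i, (addr, _, sym) in enumerate(slots):
        if "KiDispatchException" not in sym:
            continue
        cands = [v for _, v, _ in slots[i + 1:i + 1 + lookahead] if stack_limit <= v < stack_base]
        ctx = next((c for c in cands if looks_like_context_flags(mem.get(c + flags_offset))), None)
        findings.append({"frame": addr, "candidates": cands, "context": ctx})
    return findings
```

For the x64 listing the excerpt does not include the slots at +0x30, so no candidate is confirmed and both stack pointers are returned for manual .cxr inspection; the x86 listing confirms 8078b480 via its 00010017 ContextFlags.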