Crash Dump Analysis Patterns (Part 152c)
This is a variant of the Handled Exception pattern in kernel space (similar to the user space and managed space variants). The crash dump was the same as in the Hidden Exception in kernel space pattern:
fffff880`0a83d910 00000000`00000000
fffff880`0a83d918 fffff6fc`40054fd8
fffff880`0a83d920 fffff880`0a83dca0
fffff880`0a83d928 fffff800`016bcc1c nt!_C_specific_handler+0xcc
fffff880`0a83d930 00000000`00000000
fffff880`0a83d938 00000000`00000000
fffff880`0a83d940 00000000`00000000
fffff880`0a83d948 00000000`00000000
fffff880`0a83d950 fffff800`0189ee38 nt!BBTBuffer <PERF> (nt+0x280e38)
fffff880`0a83d958 fffff880`0a83e940
fffff880`0a83d960 fffff800`016ad767 nt!IopCompleteRequest+0x147
fffff880`0a83d968 fffff880`0a83de40
fffff880`0a83d970 fffff800`01665e40 nt!_GSHandlerCheck_SEH
fffff880`0a83d978 fffff800`017e5338 nt!_imp_NtOpenSymbolicLinkObject+0xfe30
fffff880`0a83d980 fffff880`0a83e310
fffff880`0a83d988 00000000`00000000
fffff880`0a83d990 00000000`00000000
fffff880`0a83d998 fffff800`016b42dd nt!RtlpExecuteHandlerForException+0xd
fffff880`0a83d9a0 fffff800`017d7d0c nt!_imp_NtOpenSymbolicLinkObject+0x2804
fffff880`0a83d9a8 fffff880`0a83eab0
fffff880`0a83d9b0 00000000`00000000
0: kd> ub fffff800`016b42dd
nt!RtlpExceptionHandler+0x24:
fffff800`016b42c4 cc int 3
fffff800`016b42c5 cc int 3
fffff800`016b42c6 cc int 3
fffff800`016b42c7 cc int 3
fffff800`016b42c8 0f1f840000000000 nop dword ptr [rax+rax]
nt!RtlpExecuteHandlerForException:
fffff800`016b42d0 4883ec28 sub rsp,28h
fffff800`016b42d4 4c894c2420 mov qword ptr [rsp+20h],r9
fffff800`016b42d9 41ff5130 call qword ptr [r9+30h]
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
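An added example, not part of the original post: a Python script that scans raw stack output in the format shown above for the exception-dispatch symbols that appear in this listing. The marker set, the function names and the return-address versus function-pointer heuristic are assumptions of this example; the sample lines are a subset of the listing above.

```python
import re

# Subset of the raw stack listing on this page, embedded so the script runs offline.
SAMPLE = """\
fffff880`0a83d928 fffff800`016bcc1c nt!_C_specific_handler+0xcc
fffff880`0a83d930 00000000`00000000
fffff880`0a83d950 fffff800`0189ee38 nt!BBTBuffer <PERF> (nt+0x280e38)
fffff880`0a83d960 fffff800`016ad767 nt!IopCompleteRequest+0x147
fffff880`0a83d970 fffff800`01665e40 nt!_GSHandlerCheck_SEH
fffff880`0a83d998 fffff800`016b42dd nt!RtlpExecuteHandlerForException+0xd
fffff880`0a83d9a0 fffff800`017d7d0c nt!_imp_NtOpenSymbolicLinkObject+0x2804
"""

# Exception-dispatch symbols seen in the listing (assumed marker set, extend as needed).
MARKERS = {"_C_specific_handler", "_GSHandlerCheck_SEH",
           "RtlpExecuteHandlerForException"}

# <stack slot> <stored value> [module!function[+0xoffset]]
LINE = re.compile(
    r"^(?P<slot>[0-9a-f]{8}`[0-9a-f]{8})\s+(?P<value>[0-9a-f]{8}`[0-9a-f]{8})"
    r"(?:\s+(?P<module>\w+)!(?P<func>\w+)(?:\+0x(?P<off>[0-9a-f]+))?)?", re.I)

def to_int(addr):
    """Convert a WinDbg 64-bit address such as fffff880`0a83d928 to an int."""
    return int(addr.replace("`", ""), 16)

def parse(text):
    """Yield (slot, value, module, func, offset) for each raw stack line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            off = int(m["off"], 16) if m["off"] else 0
            yield to_int(m["slot"]), to_int(m["value"]), m["module"], m["func"], off

def find_handler_residue(text, markers=MARKERS):
    """Return stack slots whose symbol is an exception-dispatch marker."""
    hits = []
    for slot, _value, module, func, off in parse(text):
        if func in markers:
            # Heuristic (assumption): a non-zero offset suggests a return address
            # left by a call; a zero offset suggests a stored function pointer.
            kind = "return-address" if off else "function-pointer"
            hits.append((slot, f"{module}!{func}", off, kind))
    return hits

if __name__ == "__main__":
    for slot, sym, off, kind in find_handler_residue(SAMPLE):
        print(f"{slot:016x} {sym}+{off:#x} ({kind})")
```

A slot reported as a return address can then be confirmed the way the post does, by disassembling backwards from the stored value and checking that a call instruction precedes it.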