Crash Dump Analysis Patterns (Part 264)
Interrupts can happen in either kernel or user mode. In the latter case, upon transition to kernel mode, a special memory region is used for interrupt processing in kernel space, distinct from the thread's kernel stack, that we call Interrupt Stack. Its contents can also be used for mining Execution Residue.
2: kd> !thread -1 1f
THREAD fffffa801a9fa3e0 Cid 0f74.0804 Teb: 000007ffffdf8000 Win32Thread: 0000000000000000 RUNNING on processor 2
Not impersonating
DeviceMap fffff88000007400
Owning Process fffffa801a949c10 Image: App.exe
Attached Process N/A Image: N/A
Wait Start TickCount 81642662 Ticks: 0
Context Switch Count 58671950 IdealProcessor: 4
UserTime 01:33:39.702
KernelTime 00:01:11.401
Win32 Start Address 0x000007fef9b1050c
Stack Init fffffa6005af4db0 Current fffffa6005af4950
Base fffffa6005af5000 Limit fffffa6005aef000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffffa60`01793b98 fffff800`01a58eee nt!KeBugCheckEx
fffffa60`01793ba0 fffff800`01a57dcb nt!KiBugCheckDispatch+0x6e
fffffa60`01793ce0 fffffa60`00eb279b nt!KiPageFault+0x20b (TrapFrame @ fffffa60`01793ce0)
fffffa60`01793e70 fffffa60`00e62739 tcpip! ?? ::FNODOBFM::`string'+0x3883b
fffffa60`01794020 fffffa60`00e62194 tcpip!TcpMatchReceive+0x1b9
fffffa60`01794120 fffffa60`00e52ddd tcpip!TcpPreValidatedReceive+0x2e4
fffffa60`017941c0 fffffa60`00e52e89 tcpip!IppDeliverListToProtocol+0x4d
fffffa60`01794280 fffffa60`00e52463 tcpip!IppProcessDeliverList+0x59
fffffa60`017942f0 fffffa60`00e5176c tcpip!IppReceiveHeaderBatch+0x223
fffffa60`017943d0 fffffa60`00e50d54 tcpip!IpFlcReceivePackets+0x8dc
fffffa60`017945d0 fffffa60`00e61133 tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x264
fffffa60`017946b0 fffffa60`009a40bc tcpip!FlReceiveNetBufferListChain+0xd3
fffffa60`01794700 fffffa60`0096c8c9 NDIS!ndisMIndicateNetBufferListsToOpen+0xac
fffffa60`01794750 fffffa60`008016f7 NDIS!ndisMDispatchReceiveNetBufferLists+0x1d9
fffffa60`01794bd0 fffffa60`02b4e2d3 NDIS!NdisMIndicateReceiveNetBufferLists+0x67
fffffa60`01794c10 fffffa60`02b3de0c Driver+0x152d3
fffffa60`01794de0 fffffa60`02b3df6b Driver+0x4e0c
fffffa60`01794e20 fffffa60`02b3e0b3 Driver+0x4f6b
fffffa60`01794e60 fffffa60`00801670 Driver+0x50b3
fffffa60`01794ec0 fffff800`01a5d367 NDIS!ndisInterruptDpc+0xc0
fffffa60`01794f40 fffff800`01a5bc35 nt!KiRetireDpcList+0x117
fffffa60`01794fb0 fffff800`01a5ba47 nt!KyRetireDpcList+0x5 (TrapFrame @ fffffa60`01794e70)
fffffa60`05af4bf0 fffff800`01aa1b28 nt!KiDispatchInterruptContinue
fffffa60`05af4c20 000007fe`f7e5c55a nt!KiDpcInterrupt+0xf8 (TrapFrame @ fffffa60`05af4c20)
00000000`4deae430 00000000`00000000 0x000007fe`f7e5c55a
2: kd> !address fffffa60`01794e60
Usage:
Base Address: fffffa60`011ff000
End Address: fffffa60`019dc000
Region Size: 00000000`007dd000
VA Type: SystemDynamicSpace
VAD Address: 0x27676e69727473
Commit Charge: 0x244a0f51940
Protection: 0x244a0f51940 []
Memory Usage: Private
No Change: yes
More info: !vad 0xfffffa60011ff000
2: kd> !address fffffa60`05af4c20
Usage: Stack
Base Address: fffffa60`05aef000
End Address: fffffa60`05af5000
Region Size: 00000000`00006000
VA Type: SystemDynamicSpace
2: kd> dpS fffffa60`01793b98 fffffa60`01794fb0
[…]
fffffa60`05657c3f Driver2+0x4c3f
fffffa60`05656369 Driver2+0x3369
[…]
fffffa60`00801670 NDIS!ndisInterruptDpc+0xc0
fffff800`01a5d367 nt!KiRetireDpcList+0x117
fffff800`01a5bc35 nt!KyRetireDpcList+0x5
fffffa60`008015b0 NDIS!ndisInterruptDpc
2: kd> ub fffffa60`05657c3f
Driver2+0x4c25:
fffffa60`05657c25 8bf2 mov esi,edx
fffffa60`05657c27 33d2 xor edx,edx
fffffa60`05657c29 418be8 mov ebp,r8d
fffffa60`05657c2c 488bd9 mov rbx,rcx
fffffa60`05657c2f 448d4240 lea r8d,[rdx+40h]
fffffa60`05657c33 488d48b8 lea rcx,[rax-48h]
fffffa60`05657c37 418bf9 mov edi,r9d
fffffa60`05657c3a e8010e0000 call Driver2+0x5a40 (fffffa60`05658a40)
2: kd> ub fffffa60`05656369
Driver2+0x334d:
fffffa60`0565634d cc int 3
fffffa60`0565634e cc int 3
fffffa60`0565634f cc int 3
fffffa60`05656350 4889542410 mov qword ptr [rsp+10h],rdx
fffffa60`05656355 48894c2408 mov qword ptr [rsp+8],rcx
fffffa60`0565635a 4883ec58 sub rsp,58h
fffffa60`0565635e 488d4c2428 lea rcx,[rsp+28h]
fffffa60`05656363 ff15972c0000 call qword ptr [Driver2+0x6000 (fffffa60`05659000)]
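The manual !address checks above can be automated: given the thread's kernel stack Base and Limit from !thread, classify each frame's Child-SP and report where the stack trace crosses from one region into another. The following is an added example, not code from the original post; it assumes x64 address ranges and uses a constructed subset of the frames and the Base/Limit values shown above as sample input.

```python
import re

# Constructed sample input: Base/Limit from the !thread output above and a few of
# its frames (not the full listing), in the same Child-SP / RetAddr / Call Site layout.
THREAD_BASE = 0xFFFFFA6005AF5000   # top of the thread kernel stack; it grows down toward Limit
THREAD_LIMIT = 0xFFFFFA6005AEF000
SAMPLE_STACK = """\
Child-SP RetAddr Call Site
fffffa60`01793b98 fffff800`01a58eee nt!KeBugCheckEx
fffffa60`01794fb0 fffff800`01a5ba47 nt!KyRetireDpcList+0x5 (TrapFrame @ fffffa60`01794e70)
fffffa60`05af4bf0 fffff800`01aa1b28 nt!KiDispatchInterruptContinue
fffffa60`05af4c20 000007fe`f7e5c55a nt!KiDpcInterrupt+0xf8 (TrapFrame @ fffffa60`05af4c20)
00000000`4deae430 00000000`00000000 0x000007fe`f7e5c55a
"""

# Matches both "k" and "!thread" frame lines, with or without the two-digit frame number.
FRAME_RE = re.compile(
    r"^(?:[0-9a-f]{2}\s+)?([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+(\S.*)$")

USER_SPACE_END = 0x00007FFFFFFFFFFF   # highest canonical user-mode address on x64

def parse_frames(text):
    """Return (child_sp, call_site) pairs; header lines and '[...]' are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1).replace("`", ""), 16), m.group(3).strip()))
    return frames

def classify_sp(sp, base=THREAD_BASE, limit=THREAD_LIMIT):
    """Name the region a Child-SP value lives in relative to the thread's kernel stack."""
    if limit <= sp < base:
        return "thread kernel stack"
    if sp <= USER_SPACE_END:
        return "user stack"
    return "other kernel stack (interrupt/DPC)"

def find_stack_switches(text, base=THREAD_BASE, limit=THREAD_LIMIT):
    """List (from_site, to_site, from_region, to_region) where adjacent frames change region.
    A kernel-to-kernel switch is the Interrupt Stack signature; the frames on the
    far side are the region to examine with !address and dps for execution residue."""
    frames = parse_frames(text)
    switches = []
    for (sp_a, site_a), (sp_b, site_b) in zip(frames, frames[1:]):
        ra, rb = classify_sp(sp_a, base, limit), classify_sp(sp_b, base, limit)
        if ra != rb:
            switches.append((site_a, site_b, ra, rb))
    return switches

if __name__ == "__main__":
    for sw in find_stack_switches(SAMPLE_STACK):
        print("%s -> %s : %s -> %s" % sw)
```

On the sample it reports the switch at nt!KyRetireDpcList+0x5 into nt!KiDispatchInterruptContinue (other kernel stack to thread kernel stack) and the final switch from nt!KiDpcInterrupt+0xf8 to the user-mode frame.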
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
May 6th, 2021 at 6:15 pm
Another example:
0: kd> k
# Child-SP RetAddr Call Site
00 fffff804`0d4b62a8 fffff804`2535ffed nvlddmkm+0x10f899
01 fffff804`0d4b62b0 fffff804`2535fec8 nvlddmkm+0x12ffed
02 fffff804`0d4b6320 fffff804`2536012c nvlddmkm+0x12fec8
03 fffff804`0d4b6360 fffff804`25496bda nvlddmkm+0x13012c
04 fffff804`0d4b63a0 fffff804`254931b9 nvlddmkm+0x266bda
05 fffff804`0d4b63d0 fffff804`254979b7 nvlddmkm+0x2631b9
06 fffff804`0d4b64f0 fffff804`254b2755 nvlddmkm+0x2679b7
07 fffff804`0d4b65a0 fffff804`25497857 nvlddmkm+0x282755
08 fffff804`0d4b6640 fffff804`254a6ff6 nvlddmkm+0x267857
09 fffff804`0d4b6680 fffff804`254a7430 nvlddmkm+0x276ff6
0a fffff804`0d4b66d0 fffff804`25599015 nvlddmkm+0x277430
0b fffff804`0d4b6720 fffff804`25598af7 nvlddmkm+0x369015
0c fffff804`0d4b67a0 fffff804`25598ce3 nvlddmkm+0x368af7
0d fffff804`0d4b67f0 fffff804`25599d52 nvlddmkm+0x368ce3
0e fffff804`0d4b6870 fffff804`2573f8bc nvlddmkm+0x369d52
0f fffff804`0d4b68d0 fffff804`2533fa4a nvlddmkm+0x50f8bc
10 fffff804`0d4b6900 fffff804`0aa0781e nvlddmkm+0x10fa4a
11 fffff804`0d4b6bb0 fffff804`0aa06b04 nt!KiExecuteAllDpcs+0x30e
12 fffff804`0d4b6d20 fffff804`0abfce85 nt!KiRetireDpcList+0x1f4
13 fffff804`0d4b6fb0 fffff804`0abfcc70 nt!KxRetireDpcList+0x5
14 ffffbd07`7801f0a0 fffff804`0abfc525 nt!KiDispatchInterruptContinue
15 ffffbd07`7801f0d0 fffff804`0abf79b1 nt!KiDpcInterruptBypass+0x25
16 ffffbd07`7801f0e0 fffff804`0aa9328b nt!KiInterruptDispatch+0xb1
17 ffffbd07`7801f270 fffff804`2534ceef nt!KzLowerIrql+0x1b
18 ffffbd07`7801f2a0 fffff804`253653dc nvlddmkm+0x11ceef
19 ffffbd07`7801f2d0 fffff804`25335d99 nvlddmkm+0x1353dc
1a ffffbd07`7801f300 fffff804`25a2f7f9 nvlddmkm+0x105d99
1b ffffbd07`7801f420 fffff804`252eb0f9 nvlddmkm+0x7ff7f9
1c ffffbd07`7801f450 fffff804`252ea9ef nvlddmkm+0xbb0f9
1d ffffbd07`7801f520 fffff804`25e40f7f nvlddmkm+0xba9ef
1e ffffbd07`7801f570 fffff804`1f3f2d6e nvlddmkm+0xc10f7f
1f ffffbd07`7801f640 fffff804`1f3f22bf dxgkrnl!DpiDxgkDdiSetPowerState+0x5a
20 ffffbd07`7801f6a0 fffff804`1f3f31ee dxgkrnl!DpiFdoSetAdapterPowerState+0x15f
21 ffffbd07`7801f760 fffff804`1f3f2641 dxgkrnl!DpiFdoHandleDevicePower+0x2ee
22 ffffbd07`7801f800 fffff804`1f3f3b91 dxgkrnl!DpiFdoDispatchPower+0x21
23 ffffbd07`7801f830 fffff804`25308972 dxgkrnl!DpiDispatchPower+0xe1
24 ffffbd07`7801f950 fffff804`25307a04 nvlddmkm+0xd8972
25 ffffbd07`7801fa40 fffff804`0ab9cb29 nvlddmkm+0xd7a04
26 ffffbd07`7801fa70 fffff804`0ab17e85 nt!PopIrpWorker+0x1d9
27 ffffbd07`7801fb10 fffff804`0abfd498 nt!PspSystemThreadStartup+0x55
28 ffffbd07`7801fb60 00000000`00000000 nt!KiStartSystemThread+0x28
September 19th, 2025 at 10:06 am
This extra stack may be a DPC stack. Usually, interrupt processing is done on the same kernel stack except a few interrupts like double fault.