
BSOD: DRIVER_IRQL_NOT_LESS_OR_EQUAL/SYSTEM_THREAD_EXCEPTION_NOT_HANDLED #116

SuibianP opened this issue Sep 17, 2024 · 5 comments

SuibianP commented Sep 17, 2024

I consistently encountered DRIVER_IRQL_NOT_LESS_OR_EQUAL bugchecks when trying to hook certain third-party drivers on boot and capture data. Manually setting up data capture of the same drivers after boot, however, works without issues. Edit: Also triggered a bugcheck once.

WinDbg analysis is dumped below.

I understand that data capture has known stability problems as per https://github.com/MartinDrab/IRPMon/wiki/Monitoring-Drivers-and-Devices. Please feel free to close the issue if the behaviour is expected.

KD !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffa2820f7ffff0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8031efb240f, address which referenced memory

Debugging Details:
------------------

Unable to load image \SystemRoot\system32\drivers\IRPMon\kbase.dll, Win32 error 0n2
Page 102b2e not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2296

    Key  : Analysis.Elapsed.mSec
    Value: 3907

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 765

    Key  : Analysis.Init.Elapsed.mSec
    Value: 563713

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 115

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0xd1

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0xd1

    Key  : Dump.Attributes.AsUlong
    Value: 1800

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 100

    Key  : Failure.Bucket
    Value: AV_kbase!RequestXXXDetectedCreate

    Key  : Failure.Hash
    Value: {f120e0af-e30d-355c-1e47-cbea64654a6b}

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 1417df84

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 1

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 1

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 21631230

    Key  : Hypervisor.Flags.ValueHex
    Value: 14a10fe

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 1

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 1

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 1

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 1

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.Value
    Value: 1015

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 3f7

    Key  : SecureKernel.HalpHvciEnabled
    Value: 1

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Version
    Value: 10.0.22621.1


BUGCHECK_CODE:  d1

BUGCHECK_P1: ffffa2820f7ffff0

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8031efb240f

FILE_IN_CAB:  MEMORY.DMP

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b


DUMP_FILE_ATTRIBUTES: 0x1800

READ_ADDRESS: unable to get nt!PspSessionIdBitmap
 ffffa2820f7ffff0 Nonpaged pool

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

TRAP_FRAME:  fffff80317837200 -- (.trap 0xfffff80317837200)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffa2820f8000b0 rbx=0000000000000000 rcx=ffffa28231bb3750
rdx=ffffffffddc4c8e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8031efb240f rsp=fffff80317837398 rbp=fffff803178374c9
 r8=0000000000000020  r9=000000000088ecda r10=ffffa281e8601a60
r11=ffffa282e17f4600 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
kbase!RequestXXXDetectedCreate+0x180f:
fffff803`1efb240f 0f106411c0      movups  xmm4,xmmword ptr [rcx+rdx-40h] ds:ffffa282`0f7ffff0=????????????????????????????????
Resetting default scope

STACK_TEXT:  
fffff803`178370b8 fffff803`19a2bf29     : 00000000`0000000a ffffa282`0f7ffff0 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff803`178370c0 fffff803`19a27389     : ffffa282`0f800000 ffffa282`fd042790 00000000`00000000 00000000`f43a7d10 : nt!KiBugCheckDispatch+0x69
fffff803`17837200 fffff803`1efb240f     : fffff803`1efabb88 ffffa281`f43a7850 ffffa281`ef1c4010 ffffa281`f43a7888 : nt!KiPageFault+0x489
fffff803`17837398 fffff803`1efabb88     : ffffa281`f43a7850 ffffa281`ef1c4010 ffffa281`f43a7888 ffffa281`ef1c4010 : kbase!RequestXXXDetectedCreate+0x180f
fffff803`178373a0 fffff803`1987b3f4     : ffffa281`ef142060 ffffa281`ef1c4010 ffffa281`f43a7850 00000000`00000000 : kbase!HookHandlerIRPDisptach+0xff8
fffff803`17837450 fffff803`1987b2a7     : ffffa281`ef1c4010 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x134
fffff803`17837530 fffff803`1da03cc6     : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IofCompleteRequest+0x17
fffff803`17837560 fffff803`1da03a51     : ffffa281`ef1c4010 fffff803`00000001 ffffa281`ed3bfdc0 ffffa281`ed2f2220 : Wdf01000!FxRequest::CompleteInternal+0x246 [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 869] 
fffff803`178375f0 fffff803`1da3fafd     : ffffa281`ed2f2220 ffffa281`ed2f2220 ffffa281`ef1c4000 ffffa281`f03f7ba0 : Wdf01000!imp_WdfRequestCompleteWithInformation+0xa1 [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 571] 
fffff803`17837650 fffff803`1da154c9     : ffffa281`ed2f2220 fffff803`1da060b3 fffff803`19600000 ffffa281`fed54840 : Wdf01000!FxRequestBase::CompleteSubmittedNoContext+0x8d [minkernel\wdf\framework\shared\core\fxrequestbase.cpp @ 451] 
fffff803`178376e0 fffff803`1da06b5a     : ffffa281`ed2f2220 ffffa281`fed54701 ffffa281`fed54701 00000000`00000001 : Wdf01000!FxRequestBase::CompleteSubmitted+0xe75d [minkernel\wdf\framework\shared\core\fxrequestbase.cpp @ 523] 
fffff803`17837720 fffff803`1da07285     : ffffa281`ef1c4002 ffffa281`ef1c4010 ffffa281`ef06ad80 ffffa281`ef1c4010 : Wdf01000!FxIoTarget::RequestCompletionRoutine+0xba [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 2393] 
fffff803`17837780 fffff803`198f4c16     : ffffa281`ef06ad80 ffffa281`ef1c4010 ffffa281`ef1c4010 00000000`00000000 : Wdf01000!FxIoTarget::_RequestCompletionRoutine+0x35 [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 2450] 
fffff803`178377b0 fffff803`1987b3f4     : 00000000`00000000 fffff803`17837859 ffffa281`ef1c451b ffffa281`ef06ad80 : nt!IopUnloadSafeCompletion+0x56
fffff803`178377e0 fffff803`1987b2a7     : ffffa281`ef1c4010 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x134
fffff803`178378c0 fffff803`1da03cc6     : 00000000`00000002 00000000`00000000 00000000`00000000 fffff803`1da4267d : nt!IofCompleteRequest+0x17
fffff803`178378f0 fffff803`1da02031     : ffffa281`ef1c4010 00000000`00000001 ffffa281`e6d84b00 ffffa281`ed41a4f0 : Wdf01000!FxRequest::CompleteInternal+0x246 [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 869] 
fffff803`17837980 fffff803`1da01fbf     : 00000000`00000000 ffffa281`eed81440 ffffa281`ed41a690 fffff803`17837a98 : Wdf01000!FxRequest::Complete+0x4d [minkernel\wdf\framework\shared\inc\private\common\FxRequest.hpp @ 806] 
fffff803`178379e0 fffff803`58012ff9     : ffffa281`ed41a4f0 00000000`ffffffff 00000000`00000004 fffff803`17837ab0 : Wdf01000!imp_WdfRequestComplete+0x3f [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 437] 
fffff803`17837a10 fffff803`58011787     : ffffa281`ed41a690 00000000`00000016 ffffa281`ed41a720 fffff803`17837c28 : USBXHCI!Bulk_Transfer_CompleteCancelable+0xc9
fffff803`17837a70 fffff803`58011310     : 00000000`00000004 fffff803`17837be0 00000000`00000000 ffffa281`eed81660 : USBXHCI!Bulk_ProcessTransferEventWithED1+0x463
fffff803`17837b20 fffff803`58009ca9     : 00000000`00000004 fffff803`17837bf8 00000000`00000008 fffff803`17837c00 : USBXHCI!Bulk_EP_TransferEventHandler+0x10
fffff803`17837b50 fffff803`58009318     : ffffa281`e6222cb0 ffffa281`e7556d00 ffffa281`e7796610 ffffa281`e6222cb0 : USBXHCI!Endpoint_TransferEventHandler+0x109
fffff803`17837bb0 fffff803`58008bcc     : 00000000`00000000 00000000`00000000 ffffa281`e6222ab0 00000000`00000000 : USBXHCI!Interrupter_DeferredWorkProcessor+0x738
fffff803`17837cb0 fffff803`1da06d2e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USBXHCI!Interrupter_WdfEvtInterruptDpc+0xc
fffff803`17837ce0 fffff803`1da06cd5     : 00000000`00001601 fffff803`162284d8 ffffa281`e6222ab0 00000000`00000000 : Wdf01000!FxInterrupt::DpcHandler+0x4a [minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 79] 
fffff803`17837d10 fffff803`1985338c     : 00000000`00000000 ffffc600`754d5d30 fffff803`00000000 00000000`00989680 : Wdf01000!FxInterrupt::_InterruptDpcThunk+0x35 [minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 410] 
fffff803`17837d50 fffff803`19852394     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExecuteAllDpcs+0x42c
fffff803`17838290 fffff803`19a1b00e     : 00000000`00000000 fffff803`16225180 fffff803`1a34d700 ffffa281`f35e0080 : nt!KiRetireDpcList+0x1b4
fffff803`17838540 00000000`00000000     : fffff803`17839000 fffff803`17832000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x9e


SYMBOL_NAME:  kbase!RequestXXXDetectedCreate+180f

MODULE_NAME: kbase

IMAGE_NAME:  kbase.dll

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  180f

FAILURE_BUCKET_ID:  AV_kbase!RequestXXXDetectedCreate

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {f120e0af-e30d-355c-1e47-cbea64654a6b}

Followup:     MachineOwner
---------

SuibianP commented Sep 17, 2024

Here is the log of another bugcheck SYSTEM_THREAD_EXCEPTION_NOT_HANDLED. This happened when I tried to set the startup type to SYSTEM instead of BOOT.

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common BugCheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8023f5a0aba, The address that the exception occurred at
Arg3: ffff81002b00e618, Exception Record Address
Arg4: ffff81002b00de30, Context Record Address

Debugging Details:
------------------

Unable to load image \SystemRoot\system32\drivers\IRPMon\kbase.dll, Win32 error 0n2
Page 12fd1f not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullClassPtr

    Key  : AV.Fault
    Value: Write

    Key  : Analysis.CPU.mSec
    Value: 3031

    Key  : Analysis.Elapsed.mSec
    Value: 16749

    Key  : Analysis.IO.Other.Mb
    Value: 11

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 2

    Key  : Analysis.Init.CPU.mSec
    Value: 1749

    Key  : Analysis.Init.Elapsed.mSec
    Value: 15039

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 119

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0x7e

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x7e

    Key  : Dump.Attributes.AsUlong
    Value: 1800

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 100

    Key  : Failure.Bucket
    Value: AV_kbase!unknown_function

    Key  : Failure.Hash
    Value: {05a83128-d8de-21cc-9292-1125d9f52265}

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 1417df84

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 1

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 1

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 21631230

    Key  : Hypervisor.Flags.ValueHex
    Value: 14a10fe

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 1

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 1

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 1

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 1

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.Value
    Value: 1015

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 3f7

    Key  : SecureKernel.HalpHvciEnabled
    Value: 1

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Version
    Value: 10.0.22621.1


BUGCHECK_CODE:  7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff8023f5a0aba

BUGCHECK_P3: ffff81002b00e618

BUGCHECK_P4: ffff81002b00de30

FILE_IN_CAB:  MEMORY.DMP

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b


DUMP_FILE_ATTRIBUTES: 0x1800

EXCEPTION_RECORD:  ffff81002b00e618 -- (.exr 0xffff81002b00e618)
ExceptionAddress: fffff8023f5a0aba (kbase+0x0000000000010aba)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000000000000001c
Attempt to write to address 000000000000001c

CONTEXT:  ffff81002b00de30 -- (.cxr 0xffff81002b00de30)
rax=fffff8023f5a89f0 rbx=0000000000000000 rcx=00000000000004ac
rdx=fffff8023f5a8d00 rsi=ffffd70db2feec40 rdi=0000000000000000
rip=fffff8023f5a0aba rsp=ffff81002b00e850 rbp=ffffd70dbf11a010
 r8=0000000000000000  r9=0000000000000000 r10=00000000ffffffff
r11=0000000000000000 r12=0000000000000000 r13=ffffd70db89f3c00
r14=ffffd70dbcfe2d30 r15=ffffb38bb5a2ad00
iopl=0         nv up ei pl nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050206
kbase+0x10aba:
fffff802`3f5a0aba 894f1c          mov     dword ptr [rdi+1Ch],ecx ds:002b:00000000`0000001c=????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


PROCESS_NAME:  System

WRITE_ADDRESS: unable to get nt!PspSessionIdBitmap
 000000000000001c 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  000000000000001c

EXCEPTION_STR:  0xc0000005

LOCK_ADDRESS:  fffff8022825c880 -- (!locks fffff8022825c880)

Resource @ nt!PiEngineLock (0xfffff8022825c880)    Exclusively owned
    Contention Count = 2
    NumberOfExclusiveWaiters = 1
     Threads: ffffd70dafcca040-01<*> 

     Threads Waiting On Exclusive Access:
              ffffd70dafd14040       
1 total locks

PNP_TRIAGE_DATA: 
	Lock address  : 0xfffff8022825c880
	Thread Count  : 1
	Thread address: 0xffffd70dafcca040
	Thread wait   : 0x83e

STACK_TEXT:  
ffff8100`2b00e850 fffff802`3f59b3ce     : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd70d`00000000 : kbase+0x10aba
ffff8100`2b00e890 fffff802`27912695     : 00000000`00000d4e ffffd70d`befbed90 ffffd70d`bf11a010 ffffd70d`bf01a040 : kbase+0xb3ce
ffff8100`2b00eac0 fffff802`29791342     : 00000000`00000000 fffff802`280ab67d 00000000`00000040 00000000`00000001 : nt!IofCallDriver+0x55
ffff8100`2b00eb00 fffff802`297910db     : ffffd70d`b236d8b0 00000000`00000007 ffffd70d`bf11a010 ffffd70d`bf11a560 : ACPI!ACPIIrpDispatchDeviceControl+0xb2
ffff8100`2b00eb40 fffff802`27912695     : 00000000`00000007 ffffd70d`bf11a010 ffffd70d`bf01a040 ffffd70d`bf008488 : ACPI!ACPIDispatchIrp+0xcb
ffff8100`2b00ebc0 fffff802`26445068     : ffffd70d`bf11a010 ffffd70d`bf01a040 ffffd70d`bf008488 00000000`00000000 : nt!IofCallDriver+0x55
ffff8100`2b00ec00 fffff802`2644dd9a     : ffffd70d`bf008488 ffffd70d`b818c770 ffffd70d`bf008488 ffffd70d`bf098050 : usbvideo!USBVideoCallUSBD+0x108
ffff8100`2b00eca0 fffff802`2644a701     : ffffd70d`bf098050 00000000`00000000 fffff802`26484150 ffffd70d`bf008488 : usbvideo!StartUSBVideoDevice+0xca
ffff8100`2b00ed00 fffff802`5595e3e1     : ffffd70d`bf0083c0 ffffd70d`ba671e28 00000000`00000001 00000000`00000200 : usbvideo!USBVideoPnpStart+0x111
ffff8100`2b00ed40 fffff802`5596cab6     : 00000000`00000000 ffffd70d`ba671e28 ffffd70d`bf0083c0 00000000`20707249 : ks!CKsDevice::PnpStart+0xc1
ffff8100`2b00eda0 fffff802`27912695     : ffffd70d`ba671890 ffff8100`2b00eea0 ffffd70d`ba671e70 ffffd70d`bf0e2cc0 : ks!CKsDevice::DispatchPnp+0x416
ffff8100`2b00ee10 fffff802`51971415     : ffffd70d`b6dfc600 ffff8100`2b00f200 ffff8600`62498180 00000000`00000628 : nt!IofCallDriver+0x55
ffff8100`2b00ee50 fffff802`51971133     : ffffd70d`ba671890 ffffd70d`bef82db0 ffffd70d`00000000 ffffd70d`bf0e5830 : ksthunk!CKernelFilterDevice::DispatchIrp+0xf5
ffff8100`2b00eeb0 fffff802`27912695     : ffffd70d`bf0e5830 fffff802`27808d10 00000000`00000013 ffffd70d`b84f5b00 : ksthunk!CKernelFilterDevice::DispatchIrpBridge+0x13
ffff8100`2b00eee0 fffff802`27c886de     : ffffd70d`bf0e5830 ffffd70d`b84f5b30 00000000`00000000 00000000`00000000 : nt!IofCallDriver+0x55
ffff8100`2b00ef20 fffff802`27802ea2     : ffffd70d`bf0e5830 00000000`00000000 ffffd70d`b84f5b30 fffff802`27891f70 : nt!PnpAsynchronousCall+0xe6
ffff8100`2b00ef60 fffff802`278921e8     : 00000000`00000000 ffffd70d`bf0e5830 fffff802`27802690 fffff802`27802690 : nt!PnpSendIrp+0x9e
ffff8100`2b00efd0 fffff802`27cf7293     : ffffd70d`bf0e2c40 00000000`00000000 ffffd70d`b84f5b30 00000000`00000000 : nt!PnpStartDevice+0x88
ffff8100`2b00f060 fffff802`27cf70d5     : ffffd70d`bf0e2c40 00000000`00000000 ffffd70d`afeceaa0 ffffd70d`bf0e2c40 : nt!PnpStartDeviceNode+0xef
ffff8100`2b00f0f0 fffff802`27ccd1a2     : ffffd70d`bf0e2c40 ffff8100`2b00f1a8 ffffd70d`00000000 ffffd70d`afeceaa0 : nt!PipProcessStartPhase1+0x61
ffff8100`2b00f130 fffff802`27d85586     : ffffd70d`b6dfc600 fffff802`27862a01 ffff8100`2b00f240 ffff8100`00000002 : nt!PipProcessDevNodeTree+0x422
ffff8100`2b00f1f0 fffff802`27803359     : 00000001`00000003 ffffd70d`b237bae0 ffffd70d`b6dfc6c0 00000000`00000000 : nt!PiProcessReenumeration+0x92
ffff8100`2b00f240 fffff802`27952355     : ffffd70d`afcca040 ffffd70d`afcc6cf0 fffff802`2834aac0 ffffd70d`00000000 : nt!PnpDeviceActionWorker+0x339
ffff8100`2b00f300 fffff802`27954d47     : ffffd70d`afcca040 00000000`00000127 ffffd70d`afcca040 fffff802`27952200 : nt!ExpWorkerThread+0x155
ffff8100`2b00f4f0 fffff802`27a1b174     : ffff8600`62498180 ffffd70d`afcca040 fffff802`27954cf0 00000000`00000000 : nt!PspSystemThreadStartup+0x57
ffff8100`2b00f540 00000000`00000000     : ffff8100`2b010000 ffff8100`2b009000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34


SYMBOL_NAME:  kbase+10aba

MODULE_NAME: kbase

IMAGE_NAME:  kbase.dll

STACK_COMMAND:  .cxr 0xffff81002b00de30 ; kb

BUCKET_ID_FUNC_OFFSET:  10aba

FAILURE_BUCKET_ID:  AV_kbase!unknown_function

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {05a83128-d8de-21cc-9292-1125d9f52265}

Followup:     MachineOwner
---------

@SuibianP SuibianP changed the title BSOD: DRIVER_IRQL_NOT_LESS_OR_EQUAL BSOD: DRIVER_IRQL_NOT_LESS_OR_EQUAL/SYSTEM_THREAD_EXCEPTION_NOT_HANDLED Sep 17, 2024
@SuibianP
Author

This DRIVER_IRQL_NOT_LESS_OR_EQUAL happened immediately when I tried to hook usbccgp at runtime. The dump file reveals that the BufferSize got corrupted to the lower DWORD of IrpStack.Context, which led to the access of invalid memory at

memcpy(completionRequest + 1, loggedData.Buffer, completionRequest->DataSize);

0: kd> !address ffffb988`74fffff0
...
Usage:                  
Base Address:           ffff8384`5a7c0000
End Address:            ffffcb00`00000000
Region Size:            0000477b`a5840000
VA Type:                SystemRange
0: kd> ?? completionRequest->DataSize
unsigned int64 0x52f28150
0: kd> ?? loggedData
struct _DATA_LOGGER_RESULT
   +0x000 Buffer           : 0xffffb988`3bfc9b10 Void
   +0x008 BufferSize       : 0x52f28150
   +0x010 BufferMdl        : (null) 
   +0x018 Stripped         : 0 ''
   +0x019 BufferAllocated  : 0 ''
0: kd> ?? ((PIRP_COMPLETION_CONTEXT)Context)->StackLocation
struct _IO_STACK_LOCATION
   +0x000 MajorFunction    : 0xf ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0 ''
   +0x003 Control          : 0xe0 ''
   +0x008 Parameters       : <anonymous-tag>
   +0x028 DeviceObject     : 0xffffb988`2bc52530 _DEVICE_OBJECT
   +0x030 FileObject       : (null) 
   +0x038 CompletionRoutine : 0xfffff805`896454d0     long  hidusb!HumGetSetReportCompletion+0
   +0x040 Context          : 0xffffb988`52f28150 Void
0: kd> db 0xffffb988`52f28150
ffffb988`52f28150  88 00 08 00 00 00 00 00-c8 e4 60 d4 77 46 00 00  ..........`.wF..
ffffb988`52f28160  00 00 00 00 00 00 00 00-f0 2b 9f 2b 88 b9 ff ff  .........+.+....
ffffb988`52f28170  0a 00 00 00 5a 00 00 00-81 71 f2 52 88 b9 ff ff  ....Z....q.R....
ffffb988`52f28180  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
ffffb988`52f28190  08 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
ffffb988`52f281a0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
ffffb988`52f281b0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
ffffb988`52f281c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0: kd> ?? ((PIRP_COMPLETION_CONTEXT)Context)->StackLocation.Parameters.DeviceIoControl
struct <anonymous-tag>
   +0x000 OutputBufferLength : 0x52f28150
   +0x008 InputBufferLength : 0
   +0x010 IoControlCode    : 0x220003
   +0x018 Type3InputBuffer : (null) 
0: kd> ?? Irp
struct _IRP * 0xffffb988`643f48a0
   +0x000 Type             : 0n6
   +0x002 Size             : 0x6b8
   +0x008 MdlAddress       : (null) 
   +0x010 Flags            : 0x60030
   +0x018 AssociatedIrp    : <anonymous-tag>
   +0x020 ThreadListEntry  : _LIST_ENTRY [ 0xffffb988`2eabd5c0 - 0xffffb988`2eabd5c0 ]
   +0x030 IoStatus         : _IO_STATUS_BLOCK
   +0x040 RequestorMode    : 1 ''
   +0x041 PendingReturned  : 0x1 ''
   +0x042 StackCount       : 21 ''
   +0x043 CurrentLocation  : 20 ''
   +0x044 Cancel           : 0 ''
   +0x045 CancelIrql       : 0 ''
   +0x046 ApcEnvironment   : 0 ''
   +0x047 AllocationFlags  : 0x1 ''
   +0x048 UserIosb         : 0x000000fd`957ff9c0 _IO_STATUS_BLOCK
   +0x050 UserEvent        : 0xffffb988`60fddbe0 _KEVENT
   +0x058 Overlay          : <anonymous-tag>
   +0x068 CancelRoutine    : (null) 
   +0x070 UserBuffer       : 0xffffb988`3bfc9b10 Void
   +0x078 Tail             : <anonymous-tag>


SuibianP commented Nov 7, 2024

The issue seems consistently reproducible here, and each time the length is the lower half of the Context pointer. As it is in DISPATCH_LEVEL, the catch-all __except block could not trigger.

I wonder if MmProbeAndLockPages would help in this case, and more importantly, why the length went astray in the first place.

@MartinDrab could you kindly take a look?

@MartinDrab
Owner

Hello,
yes, capturing request data is (by design) unstable. It follows rules used to store data in standard IRPs (read, write, device control etc.), however, certain types of devices do not follow them (direct scsi/sata requests for example). I will try to look into it in a few days.
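
The two points raised above, the captured length that turned out to equal the low DWORD of the stack location's Context, and the owner's remark that a monitor can only rely on the buffer rules of standard IRPs, can be turned into a pre-copy plausibility check. The following is an added C example written for this thread, not IRPMon code: the CTL_CODE bit layout and the METHOD_* buffer locations are the documented WDK ones, while CAPTURE_CAP, every function name and the non-dump sample inputs are constructed. The values used for the faulting request are the ones from the dump (IoControlCode 0x220003, OutputBufferLength 0x52f28150, Context 0xffffb988`52f28150).

```c
/*
 * Added example, not IRPMon code: pre-copy plausibility checks for a captured
 * device-control payload. The CTL_CODE bit layout and METHOD_* buffer locations
 * are the documented WDK ones; CAPTURE_CAP and all function names are constructed.
 */
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE(DeviceType, Function, Method, Access) =
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };

typedef struct {
    uint32_t device_type;   /* FILE_DEVICE_* */
    uint32_t access;        /* FILE_ANY_ACCESS / FILE_READ_ACCESS / FILE_WRITE_ACCESS */
    uint32_t function;
    uint32_t method;        /* METHOD_*: decides where the I/O manager puts the buffers */
} ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      =  code        & 0x3u;
    return f;
}

/* Where a standard device-control IRP carries its data, per transfer method. */
static const char *buffer_location(uint32_t method)
{
    switch (method) {
    case METHOD_BUFFERED:
        return "Irp->AssociatedIrp.SystemBuffer (copied and validated by the I/O manager)";
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT:
        return "SystemBuffer for input, Irp->MdlAddress for output (locked by the I/O manager)";
    default:
        return "Type3InputBuffer / Irp->UserBuffer (raw caller pointers, lengths unvalidated)";
    }
}

typedef enum {
    SIZE_OK = 0,
    SIZE_MATCHES_CONTEXT_LOW32,     /* length == low DWORD of the stack location's Context */
    SIZE_EXCEEDS_CAP,               /* larger than any payload the monitor would store */
    SIZE_METHOD_NEITHER_UNTRUSTED   /* Parameters lengths never checked by the I/O manager */
} size_verdict;

#define CAPTURE_CAP (1u << 20)  /* constructed ceiling: 1 MiB per captured request */

/* Decide whether data_size may be handed to memcpy while completing the IRP. */
static size_verdict check_capture_size(uint32_t ioctl, uint64_t data_size, uint64_t context)
{
    /* A length equal to the low 32 bits of a neighbouring pointer field is the
       signature seen in the dump above and usually means a union member was
       read under the wrong request type, not that a real byte count is present. */
    if (data_size != 0 && (uint32_t)data_size == (uint32_t)context)
        return SIZE_MATCHES_CONTEXT_LOW32;
    if (data_size > CAPTURE_CAP)
        return SIZE_EXCEEDS_CAP;
    /* METHOD_NEITHER buffers are caller pointers; at DISPATCH_LEVEL there is no
       safe way to probe them and __except does not rescue a bad dereference. */
    if (decode_ioctl(ioctl).method == METHOD_NEITHER)
        return SIZE_METHOD_NEITHER_UNTRUSTED;
    return SIZE_OK;
}

/* The faulting request from the dump: IoControlCode 0x220003,
   OutputBufferLength 0x52f28150, Context 0xffffb988`52f28150. */
static size_verdict verdict_from_dump(void)
{
    return check_capture_size(0x220003u, 0x52f28150ull, 0xffffb98852f28150ull);
}

int main(void)
{
    ioctl_fields f = decode_ioctl(0x220003u);
    printf("IOCTL 0x220003: device 0x%x function %u method %u -> %s\n",
           f.device_type, f.function, f.method, buffer_location(f.method));
    printf("verdict for the dumped request: %d (0 would mean safe to copy)\n",
           (int)verdict_from_dump());
    return 0;
}
```

The order of the checks matters: the pointer-signature test runs first because it identifies the corruption even when the bogus length would also fail the cap, and the METHOD_NEITHER verdict is deliberately returned for every such request regardless of size, since the only information a completion routine has about those buffers is whatever the caller wrote into the stack location.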


SuibianP commented Nov 7, 2024

Thanks for the information!

Please bear with me for asking out of curiosity — how do normal upper filter drivers for the problematic drivers work if those IRP structures are non-standard and undocumented (as far as I can search)?

Also, having read the Request Monitoring and IrpTracker homepage, I am wondering if a filter driver would be a better choice compared to hooking, for use cases where payload data rather than raw IRP packet content is of greater interest? What would be some potential drawbacks other than the loss of precise IRP contents and overheads?
