32 bit injection driver crashed

c++ / delphi package - dll injection and api hooking
jacksmith
Posts: 2
Joined: Fri Jan 27, 2012 2:51 pm

32 bit injection driver crashed

Post by jacksmith »

We are using madcodehook 3.0.2. One of our QA guys reported that he noticed an XP machine had crashed at some point and left a memory dump. When he posted the dump to us, we found that the crash occurred in the 32-bit madcodehook injection driver. I have pasted the output of Analyze -v below. I can get the memory dump to you.

BAInjDrv32.sys is what we rename "renameme.sys" to. BA_HDCon.exe is the program we use to inject the driver and set the hooks. We call it only when our service starts (typically only on Windows startup) and when the service stops (typically on shutdown).

Please let us know how to proceed. Thanks!

-Jack



BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000040, Attempt to free usermode address to kernel pool
Arg2: 00000000, Starting address
Arg3: 80000000, Start of system address space
Arg4: 00000000, 0

Debugging Details:
------------------

BUGCHECK_STR: 0xc2_40

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: BA_HDCon.exe

LAST_CONTROL_TRANSFER: from 805438ed to 804f8cc5

STACK_TEXT:
b18f187c 805438ed 000000c2 00000040 00000000 nt!KeBugCheckEx+0x1b
b18f18bc 80544a9d 00000000 e2098b70 e10bf678 nt!MiFreePoolPages+0x8b
b18f18fc 80544f77 00000000 00000000 b18f1928 nt!ExFreePoolWithTag+0x1b7
b18f190c b1b85134 00000000 b18f1b44 82037ca8 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
b18f1928 b1b85dcd e2098860 81e15c80 00000001 BAInjDrv32+0x6134
b18f1b64 b1b85f90 e2098860 00000000 00000b64 BAInjDrv32+0x6dcd
b18f1ba4 b1b86583 e2098860 00000b64 b18f1c2f BAInjDrv32+0x6f90
b18f1c08 b1b7fb4d 0022e004 8234c1f8 00000312 BAInjDrv32+0x7583
b18f1c34 804ee129 81d32988 81f34008 806d32d0 BAInjDrv32+0xb4d
b18f1c44 80574e56 81f34078 81e15c80 81f34008 nt!IopfCallDriver+0x31
b18f1c58 80575d11 81d32988 81f34008 81e15c80 nt!IopSynchronousServiceTail+0x70
b18f1d00 8056e57c 0000003c 00000000 00000000 nt!IopXxxControlFile+0x5e7
b18f1d34 8053d6d8 0000003c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b18f1d34 7c90e514 0000003c 00000000 00000000 nt!KiFastCallEntry+0xf8
0012fc98 7c90d28a 7c801675 0000003c 00000000 ntdll!KiFastSystemCallRet
0012fc9c 7c801675 0000003c 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012fcfc 00419869 0000003c 0022e004 001671b8 kernel32!DeviceIoControl+0xdd
0012fd64 0041a030 00000000 00000000 0012fde4 BA_HDCon+0x19869
0012fdac 0041a0d1 00000000 0012fefc ffffff01 BA_HDCon+0x1a030
0012fdc4 0041d8cf 00422474 006200b8 ffffffff BA_HDCon+0x1a0d1
0012fe70 0041e53e 00001b58 00000000 00000000 BA_HDCon+0x1d8cf
0012fe9c 0042127c 00422474 00422414 ffffffff BA_HDCon+0x1e53e
0012fec4 00401171 00422474 00422414 ffffffff BA_HDCon+0x2127c
0012ff7c 00401707 00000002 00613c90 00612e78 BA_HDCon+0x1171
0012ffc0 7c817077 0c7e70a4 0b17dca0 7ffdf000 BA_HDCon+0x1707
0012fff0 00000000 0040186f 00000000 78746341 kernel32!BaseProcessStart+0x23

STACK_COMMAND: kb

FOLLOWUP_IP:
BAInjDrv32+6134
b1b85134 8b150c69b8b1 mov edx,dword ptr [BAInjDrv32+0x790c (b1b8690c)]

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: BAInjDrv32+6134

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: BAInjDrv32

IMAGE_NAME: BAInjDrv32.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4d8f4ed5

FAILURE_BUCKET_ID: 0xc2_40_BAInjDrv32+6134

BUCKET_ID: 0xc2_40_BAInjDrv32+6134

Followup: MachineOwner
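Added illustration, not code from this thread or from madCodeHook: a user-mode C model of the documented meaning of the parameters above (Arg2 is the address handed to ExFreePool, 0 in this dump; Arg3 is the start of the x86 system range, below which any address, NULL included, is rejected as user-mode), next to the driver-side guard pattern that prevents a NULL or stale pointer from ever reaching the pool. All function and type names and the block address 0x9a000000 are constructed for the example.

```c
#include <stdint.h>

/* From the bugcheck above: 0xC2 = BAD_POOL_CALLER, Arg1 0x40 = "attempt to
 * free usermode address to kernel pool", Arg3 0x80000000 = start of the
 * 32-bit system address space on this XP machine. */
#define BAD_POOL_CALLER        0xC2u
#define POOL_FREE_USER_ADDRESS 0x40u
#define SYSTEM_RANGE_START_X86 0x80000000u

typedef struct {
    uint32_t code;              /* bugcheck code, 0 = no bugcheck */
    uint32_t arg1, arg2, arg3;  /* Arg1..Arg3 as !analyze prints them */
} bugcheck_t;
/* Model of the check behind the bugcheck: an address below the system range,
 * NULL included, is a user-mode address. Returns 1 if the free is accepted,
 * 0 if it would bugcheck, with bc filled in as !analyze reports it. */
int pool_free_check(uint32_t addr, bugcheck_t *bc)
{
    if (addr < SYSTEM_RANGE_START_X86) {
        *bc = (bugcheck_t){ BAD_POOL_CALLER, POOL_FREE_USER_ADDRESS,
                            addr, SYSTEM_RANGE_START_X86 };
        return 0;
    }
    *bc = (bugcheck_t){ 0 };
    return 1;
}

/* Hypothetical driver context. If pool_block is NULL (never allocated, or
 * freed and cleared elsewhere) an unconditional release hands NULL to the pool. */
typedef struct { uint32_t pool_block; } request_ctx_t;

/* Unsafe pattern: frees whatever the field holds. */
int release_unsafe(request_ctx_t *ctx, bugcheck_t *bc)
{
    return pool_free_check(ctx->pool_block, bc);
}

/* Hardened pattern: free only a live block, then clear the field so a
 * second release (e.g. on the service stop path) is a no-op, not a bugcheck. */
int release_safe(request_ctx_t *ctx, bugcheck_t *bc)
{
    *bc = (bugcheck_t){ 0 };
    if (ctx->pool_block == 0)
        return 1;
    if (!pool_free_check(ctx->pool_block, bc))
        return 0;
    ctx->pool_block = 0;
    return 1;
}
```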
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: 32 bit injection driver crashed

Post by madshi »

Can you upload that memory dump somewhere? Or you can also send it to madshi (at) gmail (dot) com. Thx.

Just for my interest: Was this a one time only crash? Or does it happen from time to time? If it was a one time only crash it's probably nothing to get too worried about, but I'd still like to figure out what happened exactly. Not 100% sure if the memory dump will help me there, but I'll give it a try...
jacksmith
Posts: 2
Joined: Fri Jan 27, 2012 2:51 pm

Re: 32 bit injection driver crashed

Post by jacksmith »

I will upload the crash dump somewhere and email you with instructions on how to fetch it.

Thanks,
Jack