Blue Screen when unload the driver

Postby marcusssong » Wed Aug 02, 2017 1:07 pm

Hello!

When our product was updated, a blue screen happened.

The OS is Win10.

Here is the !analyze -v output for the minidump:

Code:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\MarkSong\Downloads\BlueScreenView\080217-30140-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: E:\Dev\iMonLope\_build\x86\Release
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 14393 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 14393.321.amd64fre.rs1_release_inmarket.161004-2338
Machine Name:
Kernel base = 0xfffff800`9d80b000 PsLoadedModuleList = 0xfffff800`9db0f080
Debug session time: Wed Aug  2 19:58:44.979 2017 (UTC + 9:00)
System Uptime: 0 days 11:13:45.575
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..................
Loading User Symbols
Loading unloaded module list
....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck CE, {fffff8019c031730, 10, fffff8019c031730, 0}

*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
Probably caused by : iMonDefenceX ( iMonDefenceX>+11730 )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: fffff8019c031730, memory referenced
Arg2: 0000000000000010, value 0 = read operation, 1 = write operation
Arg3: fffff8019c031730, If non-zero, the instruction address which referenced the bad memory
   address.
Arg4: 0000000000000000, Mm internal code.

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************

ADDITIONAL_DEBUG_TEXT: 
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: fffff8009d80b000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  0

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 fffff8019c031730

FAULTING_IP:
iMonDefenceX>+11730
fffff801`9c031730 ??              ???

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xCE

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff8009d98a4cb to fffff8009d9552c0

STACK_TEXT: 
ffffb881`b1831498 fffff800`9d98a4cb : 00000000`00000050 fffff801`9c031730 00000000`00000010 ffffb881`b1831790 : nt+0x14a2c0
ffffb881`b18314a0 00000000`00000050 : fffff801`9c031730 00000000`00000010 ffffb881`b1831790 00000000`00000000 : nt+0x17f4cb
ffffb881`b18314a8 fffff801`9c031730 : 00000000`00000010 ffffb881`b1831790 00000000`00000000 00000000`00000000 : 0x50
ffffb881`b18314b0 00000000`00000010 : ffffb881`b1831790 00000000`00000000 00000000`00000000 ffffca00`dc683568 : <Unloaded_iMonDefenceX>+0x11730
ffffb881`b18314b8 ffffb881`b1831790 : 00000000`00000000 00000000`00000000 ffffca00`dc683568 ffff8400`04371630 : 0x10
ffffb881`b18314c0 00000000`00000000 : 00000000`00000000 ffffca00`dc683568 ffff8400`04371630 ffff8400`00000000 : 0xffffb881`b1831790


STACK_COMMAND:  kb

FOLLOWUP_IP:
iMonDefenceX>+11730
fffff801`9c031730 ??              ???

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  iMonDefenceX>+11730

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: iMonDefenceX

IMAGE_NAME:  iMonDefenceX

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------


Our original product included madCodeHook v4.0.0, and our new product includes madCodeHook v4.0.3.

When we uninject the DLL, we use the "UninjectAllLibrariesW" function, and to unload the driver we use the "StopInjectionDriver" function.
(There is an injector.exe that we made, and we run injector.exe with arguments.)

After the product has finished uninjecting and unloading the driver,
the updater (NSIS) tries two things:
1. Try to uninject the DLL one more time.
2. Load the DLL and set the data_seg variable according to whether the uninjection and unloading succeeded or not.

Is there a problem with the way I use madCodeHook, or is there a problem with the driver?

Thx.
Attachment: 080217-30140-01.zip (84.47 KiB)
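As an added example (not code from this post, nor from madCodeHook), here is a small Python triage script for !analyze -v text like the output quoted above. It pulls out the bug check code and its four arguments, the bug check name, MODULE_NAME, the BUCKET_ID symbol-health flag, and any frame that WinDbg marks as <Unloaded_...>, which is how the debugger tells you the address falls inside a module that is no longer loaded. The sample input is a trimmed copy of the quoted output; the Arg1 == Arg3 check is my own reading of the 0xCE argument definitions printed in the dump (Arg1 is the memory referenced, Arg3 the instruction that referenced it, so equality means the instruction fetch itself faulted inside the unloaded image).

```python
"""Triage WinDbg '!analyze -v' output for bug check 0xCE
(DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS)."""
import re
from typing import Dict, Optional, Set

# Constructed sample input: lines copied from the !analyze -v output quoted
# in the post, trimmed to the fields this script reads.
SAMPLE_ANALYZE_OUTPUT = """\
BugCheck CE, {fffff8019c031730, 10, fffff8019c031730, 0}
Probably caused by : iMonDefenceX ( iMonDefenceX>+11730 )
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
Arguments:
Arg1: fffff8019c031730, memory referenced
Arg2: 0000000000000010, value 0 = read operation, 1 = write operation
Arg3: fffff8019c031730, If non-zero, the instruction address which referenced the bad memory
   address.
Arg4: 0000000000000000, Mm internal code.
STACK_TEXT:
ffffb881`b1831498 fffff800`9d98a4cb : 00000000`00000050 fffff801`9c031730 00000000`00000010 ffffb881`b1831790 : nt+0x14a2c0
ffffb881`b18314b0 00000000`00000010 : ffffb881`b1831790 00000000`00000000 00000000`00000000 ffffca00`dc683568 : <Unloaded_iMonDefenceX>+0x11730
MODULE_NAME: iMonDefenceX
IMAGE_NAME:  iMonDefenceX
BUCKET_ID:  WRONG_SYMBOLS
"""

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
BUGCHECK_NAME_RE = re.compile(r"^([A-Z_][A-Z0-9_]+)\s+\(([0-9a-fA-F]+)\)\s*$", re.M)
FIELD_RE_TEMPLATE = r"^{name}:\s*(.+?)\s*$"
UNLOADED_RE = re.compile(r"<Unloaded_([^>]+)>")


def parse_bugcheck(text: str) -> Optional[Dict[str, object]]:
    """Return {'code': int, 'args': [int, ...]} from the 'BugCheck XX, {...}' line."""
    m = BUGCHECK_RE.search(text)
    if not m:
        return None
    args = [int(a.strip(), 16) for a in m.group(2).split(",") if a.strip()]
    return {"code": int(m.group(1), 16), "args": args}


def bugcheck_name(text: str) -> Optional[str]:
    """The symbolic name WinDbg prints as 'NAME (code)'."""
    m = BUGCHECK_NAME_RE.search(text)
    return m.group(1) if m else None


def field(text: str, name: str) -> Optional[str]:
    """Read a 'NAME:  value' line such as MODULE_NAME or BUCKET_ID."""
    m = re.search(FIELD_RE_TEMPLATE.format(name=re.escape(name)), text, re.M)
    return m.group(1) if m else None


def unloaded_modules(text: str) -> Set[str]:
    """Modules that WinDbg marks as <Unloaded_...> in STACK_TEXT / FOLLOWUP_IP."""
    return set(UNLOADED_RE.findall(text))


def triage(text: str) -> Dict[str, object]:
    """Summarise one !analyze -v dump into the fields a responder checks first."""
    bc = parse_bugcheck(text)
    if bc is None:
        raise ValueError("no BugCheck line found")
    args = bc["args"]
    result: Dict[str, object] = {
        "code": bc["code"],
        "name": bugcheck_name(text),
        "args": args,
        "module": field(text, "MODULE_NAME"),
        "unloaded": unloaded_modules(text),
        # BUCKET_ID WRONG_SYMBOLS means kernel symbols did not load: the bucket
        # is unreliable, but the bug check code and arguments are still valid.
        "symbols_ok": field(text, "BUCKET_ID") != "WRONG_SYMBOLS",
    }
    if bc["code"] == 0xCE and len(args) >= 3:
        # Arg1 is the referenced address, Arg3 the instruction that referenced
        # it.  Equal values mean the CPU faulted fetching the instruction itself,
        # i.e. something (timer, DPC, callback, work item) still points into the
        # address range the driver occupied before it was unloaded.
        result["executing_unloaded_code"] = args[0] == args[2]
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_ANALYZE_OUTPUT)
    print(f"bugcheck 0x{summary['code']:X} {summary['name']}")
    print(f"module={summary['module']} unloaded={sorted(summary['unloaded'])}")
    print(f"symbols_ok={summary['symbols_ok']} "
          f"executing_unloaded_code={summary.get('executing_unloaded_code')}")
```

Run it against the saved output of `!analyze -v` (for example `cdb -z dump.dmp -c "!analyze -v; q" > out.txt`, then `triage(open("out.txt").read())`) to batch-classify minidumps from a fleet; a result with code 0xCE, an <Unloaded_...> module and executing_unloaded_code set is the signature of a driver that left a timer, DPC or callback registered when it unloaded, regardless of whether the kernel symbols resolved.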

Re: Blue Screen when unload the driver

Postby madshi » Wed Aug 02, 2017 1:41 pm

Which driver version did the blue screen occur with? 4.0.0 or 4.0.3?

Can you reproduce the problem at will, or was it a one-time-only blue screen?

Re: Blue Screen when unload the driver

Postby marcusssong » Wed Aug 02, 2017 4:52 pm

The problem happened with v4.0.0, and I didn't try to reproduce the problem.

Because the problem PC is our customer's PC, if you want me to reproduce the problem I will contact the customer and ask for cooperation.

But I don't know whether that is possible or not.

Also, when I test on my PC, it works well too.

After the blue screen and reboot, it works well.

Thx.

Re: Blue Screen when unload the driver

Postby madshi » Wed Aug 02, 2017 5:38 pm

In the 4.0.0 release version the driver had a couple of bugs, one of which could (in rare situations) produce a bluescreen. I think this specific problem should not occur with 4.0.3.