mchInjDrv BSOD on Windows 2003 with chk modules

c++ / delphi package - dll injection and api hooking
AlexVolynkin
Posts: 1
Joined: Fri Oct 31, 2008 4:26 pm

Post by AlexVolynkin »

While verifying our code on Windows 2003 Server, we have come across a BSOD that involves madshi hook.

The BSOD is caused by mchInjDrv and only appears on checked builds of ntoskrnl.exe (5.2.3790.3959) and halaacpi.dll (5.2.3790.3959), available from WindowsServer2003-KB914961-SP2-x86-DEBUG-ENU.exe.

madshi hook (madCodeHook 2.2h) is installed.

This only happens on Win 2003; WinXP works OK.

Here's the crash dump analysis:

kd> !analyze -v

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: 80000003, The exception code that was not handled
Arg2: 8115478d, The address that the exception occurred at
Arg3: f6dc66e4, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

Page 16689 not present in the dump file. Type ".hh dbgerr004" for details
Page 16770 not present in the dump file. Type ".hh dbgerr004" for details

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

FAULTING_IP:
nt!DebugService+1b
8115478d cc int 3

TRAP_FRAME: f6dc66e4 -- (.trap 0xfffffffff6dc66e4)
ErrCode = 00000000
eax=00000002 ebx=f6dc67cc ecx=8114e368 edx=00000056 esi=8114e369 edi=00000002
eip=8115478e esp=f6dc6758 ebp=f6dc676c iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!DebugService+0x1c:
8115478e 5b pop ebx
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: winlogon.exe

CURRENT_IRQL: 0

ASSERT_DATA: Tag != 0

ASSERT_FILE_LOCATION: d:\nt\base\ntos\ex\pool.c at Line 1839

LAST_CONTROL_TRANSFER: from 810426eb to 81038ba5

STACK_TEXT:
f6dc676c 81154803 00000002 8114e368 00000056 nt!DebugService+0x1c
f6dc6788 8114c40c f6dc679c f6dc67a4 8117be5e nt!DebugPrompt+0x21
f6dc67ac 8114e444 8114e368 f6dc67cc 00000002 nt!DbgPrompt+0x3c
f6dc6aa0 8117c325 8117be5e 8117be42 0000072f nt!RtlAssert+0x5c
f6dc6b00 f7a91341 00000001 00000971 00000000 nt!ExAllocatePoolWithTag+0x29
WARNING: Stack unwind information not available. Following frames may be wrong.
f6dc6b40 f7a913a7 80807246 00000418 82431d88 mchInjDrv+0x341
f6dc6b70 813ae50a 00000170 000006c4 00000001 mchInjDrv+0x3a7
f6dc6cc8 813af88b 0006ed9c 001f03ff 00000000 nt!PspCreateThread+0x5ec
f6dc6d3c 8116b805 0006ed9c 001f03ff 00000000 nt!NtCreateThread+0x111
f6dc6d3c 7c8285ec 0006ed9c 001f03ff 00000000 nt!KiFastCallEntry+0x135
0006f244 00000000 00000000 00000000 00000000 0x7c8285ec


STACK_COMMAND: .trap 0xfffffffff6dc66e4 ; kb

FOLLOWUP_IP:
nt!ExAllocatePoolWithTag+29
8117c325 81fb42494720 cmp ebx,20474942h

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!ExAllocatePoolWithTag+29

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 45d70b8a

FAILURE_BUCKET_ID: 0x8E_nt!ExAllocatePoolWithTag+29

BUCKET_ID: 0x8E_nt!ExAllocatePoolWithTag+29

Followup: MachineOwner
---------


Clearly, the BSOD was because of the 'int 3' in nt and would not happen on fre builds, but something caused an assertion.
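As an added illustration (not code from madCodeHook or from the post above), here is a user-mode C sketch of what the checked kernel is asserting in that stack: the pool tag handed to ExAllocatePoolWithTag must be non-zero. It shows how a four-character tag is packed (the compare constant at FOLLOWUP_IP, 0x20474942, decodes to the text "BIG "), and a wrapper that refuses a zero tag up front so the defect is visible on free builds as well, where the kernel accepts it silently; malloc stands in for the kernel call, and all names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

typedef uint32_t ULONG;   /* kernel's ULONG, stand-in for a user-mode build */

/* Pack a 4-character tag the way pool code stores it: the first character
 * lands in the lowest byte, so "BIG " becomes 0x20474942 (the constant the
 * dump shows being compared at FOLLOWUP_IP). */
static ULONG pool_tag_from_string(const char *s)
{
    ULONG tag = 0;
    for (int i = 0; i < 4 && s[i] != '\0'; i++)
        tag |= (ULONG)(unsigned char)s[i] << (8 * i);
    return tag;
}

/* Decode a tag value as shown by the debugger back into text; non-printable
 * bytes become '.', so a bogus tag is visible at a glance. */
static void pool_tag_to_string(ULONG tag, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(tag >> (8 * i));
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[4] = '\0';
}

/* Same condition as the checked kernel's ASSERT (ASSERT_DATA: Tag != 0,
 * ex\pool.c line 1839 in the dump). A free build accepts a zero tag
 * silently; a checked build raises int 3 and bugchecks with 0x8E. */
static int pool_tag_passes_checked_build(ULONG tag)
{
    return tag != 0;
}

/* User-mode stand-in for a driver's tagged allocation wrapper: refuse the
 * zero tag before allocating, so the bug shows on free builds too instead
 * of only when a checked ntoskrnl is installed. malloc() replaces
 * ExAllocatePoolWithTag here (assumption for this demo). */
static void *alloc_tagged(size_t bytes, ULONG tag)
{
    if (!pool_tag_passes_checked_build(tag))
        return NULL;          /* a real driver would log and fail the request */
    return malloc(bytes);
}
```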