When our product updated, a blue screen happened.
The OS is Win10.
Here is the !analyze -v output for the minidump:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\MarkSong\Downloads\BlueScreenView\080217-30140-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: E:\Dev\iMonLope\_build\x86\Release
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 14393 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 14393.321.amd64fre.rs1_release_inmarket.161004-2338
Machine Name:
Kernel base = 0xfffff800`9d80b000 PsLoadedModuleList = 0xfffff800`9db0f080
Debug session time: Wed Aug 2 19:58:44.979 2017 (UTC + 9:00)
System Uptime: 0 days 11:13:45.575
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..................
Loading User Symbols
Loading unloaded module list
....................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck CE, {fffff8019c031730, 10, fffff8019c031730, 0}
*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : iMonDefenceX ( iMonDefenceX>+11730 )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: fffff8019c031730, memory referenced
Arg2: 0000000000000010, value 0 = read operation, 1 = write operation
Arg3: fffff8019c031730, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, Mm internal code.
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: fffff8009d80b000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 0
WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
fffff8019c031730
FAULTING_IP:
iMonDefenceX>+11730
fffff801`9c031730 ?? ???
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xCE
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff8009d98a4cb to fffff8009d9552c0
STACK_TEXT:
ffffb881`b1831498 fffff800`9d98a4cb : 00000000`00000050 fffff801`9c031730 00000000`00000010 ffffb881`b1831790 : nt+0x14a2c0
ffffb881`b18314a0 00000000`00000050 : fffff801`9c031730 00000000`00000010 ffffb881`b1831790 00000000`00000000 : nt+0x17f4cb
ffffb881`b18314a8 fffff801`9c031730 : 00000000`00000010 ffffb881`b1831790 00000000`00000000 00000000`00000000 : 0x50
ffffb881`b18314b0 00000000`00000010 : ffffb881`b1831790 00000000`00000000 00000000`00000000 ffffca00`dc683568 : <Unloaded_iMonDefenceX>+0x11730
ffffb881`b18314b8 ffffb881`b1831790 : 00000000`00000000 00000000`00000000 ffffca00`dc683568 ffff8400`04371630 : 0x10
ffffb881`b18314c0 00000000`00000000 : 00000000`00000000 ffffca00`dc683568 ffff8400`04371630 ffff8400`00000000 : 0xffffb881`b1831790
STACK_COMMAND: kb
FOLLOWUP_IP:
iMonDefenceX>+11730
fffff801`9c031730 ?? ???
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: iMonDefenceX>+11730
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: iMonDefenceX
IMAGE_NAME: iMonDefenceX
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
When we uninject the DLL we use the "UninjectAllLibrariesW" function, and to unload the driver we use the "StopInjectionDriver" function.
(There is an injector.exe that we made, and we run injector.exe with arguments.)
After the product has finished uninjecting and unloading the driver,
the updater (NSIS) tries two things:
1. Uninject the DLL one more time.
2. Load the DLL and set the data_seg variable according to whether the uninjection and unloading succeeded or not.
Is there a problem with the way I use madCodeHook, or is there a problem with the driver?
Thx.
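A note on the dump output above, added by the editor and not part of the original post: the symbol search path is only the product's own build directory, so the debugger could not load ntoskrnl.exe symbols, reports "Kernel symbols are WRONG", and buckets the crash as WRONG_SYMBOLS. The stack walk and the "Probably caused by" line are therefore not trustworthy yet. The output itself suggests the fix (`!findthebuild -s ; .reload`); the more direct route is to put the Microsoft public symbol server on the symbol path next to the private .pdb directory and re-run the analysis. Note also that the private path points at an `x86\Release` build while the dump is from an x64 kernel (`AMD64`, `Free x64`), so the x64 driver's .pdb is what needs to be on that path. The script below is an added example, not the poster's or madCodeHook's code; the kd.exe location and the local symbol cache are assumptions, the dump and build paths are taken from the log.

```powershell
# Added example (not from the original post): re-run !analyze -v on the minidump
# with a symbol path that resolves both the Windows kernel and the product driver.
$Kd             = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe'   # assumption
$Dump           = 'C:\Users\MarkSong\Downloads\BlueScreenView\080217-30140-01.dmp' # from the post
$PrivateSymbols = 'E:\Dev\iMonLope\_build\x64\Release'                             # x64 driver .pdb dir (assumed; log used x86)
$SymCache       = 'C:\Symbols'                                                     # assumption
$Log            = Join-Path $env:TEMP 'analyze.log'

# Microsoft public symbols first (cached locally), then the product's private .pdb directory.
$SymPath = "srv*$SymCache*https://msdl.microsoft.com/download/symbols;$PrivateSymbols"

# Commands executed in the debugger: reload symbols, run the analysis, quit.
$Commands = @(
    '.reload',
    '!analyze -v',
    'q'
) -join '; '

& $Kd -z $Dump -y $SymPath -logo $Log -c $Commands

# The original run was bucketed as WRONG_SYMBOLS; check whether that is still the case.
$Text = Get-Content $Log -Raw
if ($Text -match 'Kernel symbols are WRONG' -or $Text -match 'BUCKET_ID:\s+WRONG_SYMBOLS') {
    Write-Warning "Symbols still unresolved; check symbol-server access and the driver .pdb path. Log: $Log"
} else {
    Write-Host "Analysis with resolved symbols written to $Log"
}
```

With resolved symbols, the frames currently shown as `nt+0x14a2c0` and `nt+0x17f4cb` become named kernel functions, which is what tells you which pending object (timer, DPC, work item) was still referencing the unloaded `iMonDefenceX` image when bugcheck 0xCE fired.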