L
Loster++
Guest
[COLOR=rgba(30, 30, 30, 1)]Microsoft (R) Windows Debugger Version 10.0.21306.1007 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\cosmi\Desktop\bepis\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff803`70c00000 PsLoadedModuleList = 0xfffff803`7182a490
Debug session time: Wed Apr 14 19:50:31.505 2021 (UTC + 2:00)
System Uptime: 1 days 1:21:49.112
Loading Kernel Symbols
...............................................................
................................................................
.............................Page 7e7fbb not present in the dump file. Type ".hh dbgerr004" for details
...................................
..................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000001`0034a018). Type ".hh dbgerr001" for details
Loading unloaded module list
..........................
For analysis of this file, run [/COLOR][COLOR=rgba(0, 0, 255, 1)]!analyze -v
[/COLOR][COLOR=rgba(30, 30, 30, 1)]nt!KeBugCheckEx:
fffff803`70ff5c50 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd60e`c446ee30=0000000000000109
4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a01b67a3d8d9b2, Reserved
Arg2: b3b727edf65a484a, Reserved
Arg3: fffff80375040000, Failure type dependent information
Arg4: 000000000000002c, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
8 : Object type
9 : A processor IVT
a : Modification of a system service function
b : A generic session data region
c : Modification of a session function or .pdata
d : Modification of an import table
e : Modification of a session import table
f : Ps Win32 callout modification
10 : Debug switch routine modification
11 : IRP allocator modification
12 : Driver call dispatcher modification
13 : IRP completion dispatcher modification
14 : IRP deallocator modification
15 : A processor control register
16 : Critical floating point control register modification
17 : Local APIC modification
18 : Kernel notification callout modification
19 : Loaded module list modification
1a : Type 3 process list corruption
1b : Type 4 process list corruption
1c : Driver object corruption
1d : Executive callback object modification
1e : Modification of module padding
1f : Modification of a protected process
20 : A generic data region
21 : A page hash mismatch
22 : A session page hash mismatch
23 : Load config directory modification
24 : Inverted function table modification
25 : Session configuration modification
26 : An extended processor control register
27 : Type 1 pool corruption
28 : Type 2 pool corruption
29 : Type 3 pool corruption
2a : Type 4 pool corruption
2b : Modification of a function or .pdata
2c : Image integrity corruption
2d : Processor misconfiguration
2e : Type 5 process list corruption
2f : Process shadow corruption
30 : Retpoline code page corruption
101 : General pool corruption
102 : Modification of win32k.sys
Debugging Details:
------------------
Unable to load image \SystemRoot\System32\Drivers\Ntfs.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Ntfs.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2687
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 3597
Key : Analysis.Init.CPU.mSec
Value: 843
Key : Analysis.Init.Elapsed.mSec
Value: 43849
Key : Analysis.Memory.CommitPeak.Mb
Value: 80
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 109
BUGCHECK_P1: a3a01b67a3d8d9b2
BUGCHECK_P2: b3b727edf65a484a
BUGCHECK_P3: fffff80375040000
BUGCHECK_P4: 2c
BLACKBOXBSD: 1 ([/COLOR][COLOR=rgba(0, 0, 255, 1)]!blackboxbsd[/COLOR][COLOR=rgba(30, 30, 30, 1)])
BLACKBOXNTFS: 1 ([/COLOR][COLOR=rgba(0, 0, 255, 1)]!blackboxntfs[/COLOR][COLOR=rgba(30, 30, 30, 1)])
BLACKBOXPNP: 1 ([/COLOR][COLOR=rgba(0, 0, 255, 1)]!blackboxpnp[/COLOR][COLOR=rgba(30, 30, 30, 1)])
BLACKBOXWINLOGON: 1
PROCESS_NAME: csrss.exe
STACK_TEXT:
ffffd60e`c446ee28 00000000`00000000 : 00000000`00000109 a3a01b67`a3d8d9b2 b3b727ed`f65a484a fffff803`75040000 : nt!KeBugCheckEx
MODULE_NAME: [/COLOR][COLOR=rgba(0, 0, 255, 1)]Ntfs
[/COLOR][COLOR=rgba(30, 30, 30, 1)]IMAGE_NAME: Ntfs.sys
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: 0x109_2c_IMAGE_Ntfs.sys
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {1ac1cef4-57d0-75db-be0a-7f8b6ff55cb8}
Followup: MachineOwner
---------
[/COLOR]
Continue reading...
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\cosmi\Desktop\bepis\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff803`70c00000 PsLoadedModuleList = 0xfffff803`7182a490
Debug session time: Wed Apr 14 19:50:31.505 2021 (UTC + 2:00)
System Uptime: 1 days 1:21:49.112
Loading Kernel Symbols
...............................................................
................................................................
.............................Page 7e7fbb not present in the dump file. Type ".hh dbgerr004" for details
...................................
..................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000001`0034a018). Type ".hh dbgerr001" for details
Loading unloaded module list
..........................
For analysis of this file, run [/COLOR][COLOR=rgba(0, 0, 255, 1)]!analyze -v
[/COLOR][COLOR=rgba(30, 30, 30, 1)]nt!KeBugCheckEx:
fffff803`70ff5c50 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd60e`c446ee30=0000000000000109
4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a01b67a3d8d9b2, Reserved
Arg2: b3b727edf65a484a, Reserved
Arg3: fffff80375040000, Failure type dependent information
Arg4: 000000000000002c, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
8 : Object type
9 : A processor IVT
a : Modification of a system service function
b : A generic session data region
c : Modification of a session function or .pdata
d : Modification of an import table
e : Modification of a session import table
f : Ps Win32 callout modification
10 : Debug switch routine modification
11 : IRP allocator modification
12 : Driver call dispatcher modification
13 : IRP completion dispatcher modification
14 : IRP deallocator modification
15 : A processor control register
16 : Critical floating point control register modification
17 : Local APIC modification
18 : Kernel notification callout modification
19 : Loaded module list modification
1a : Type 3 process list corruption
1b : Type 4 process list corruption
1c : Driver object corruption
1d : Executive callback object modification
1e : Modification of module padding
1f : Modification of a protected process
20 : A generic data region
21 : A page hash mismatch
22 : A session page hash mismatch
23 : Load config directory modification
24 : Inverted function table modification
25 : Session configuration modification
26 : An extended processor control register
27 : Type 1 pool corruption
28 : Type 2 pool corruption
29 : Type 3 pool corruption
2a : Type 4 pool corruption
2b : Modification of a function or .pdata
2c : Image integrity corruption
2d : Processor misconfiguration
2e : Type 5 process list corruption
2f : Process shadow corruption
30 : Retpoline code page corruption
101 : General pool corruption
102 : Modification of win32k.sys
Debugging Details:
------------------
Unable to load image \SystemRoot\System32\Drivers\Ntfs.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Ntfs.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2687
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 3597
Key : Analysis.Init.CPU.mSec
Value: 843
Key : Analysis.Init.Elapsed.mSec
Value: 43849
Key : Analysis.Memory.CommitPeak.Mb
Value: 80
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 109
BUGCHECK_P1: a3a01b67a3d8d9b2
BUGCHECK_P2: b3b727edf65a484a
BUGCHECK_P3: fffff80375040000
BUGCHECK_P4: 2c
BLACKBOXBSD: 1 ([/COLOR][COLOR=rgba(0, 0, 255, 1)]!blackboxbsd[/COLOR][COLOR=rgba(30, 30, 30, 1)])
BLACKBOXNTFS: 1 ([/COLOR][COLOR=rgba(0, 0, 255, 1)]!blackboxntfs[/COLOR][COLOR=rgba(30, 30, 30, 1)])
BLACKBOXPNP: 1 ([/COLOR][COLOR=rgba(0, 0, 255, 1)]!blackboxpnp[/COLOR][COLOR=rgba(30, 30, 30, 1)])
BLACKBOXWINLOGON: 1
PROCESS_NAME: csrss.exe
STACK_TEXT:
ffffd60e`c446ee28 00000000`00000000 : 00000000`00000109 a3a01b67`a3d8d9b2 b3b727ed`f65a484a fffff803`75040000 : nt!KeBugCheckEx
MODULE_NAME: [/COLOR][COLOR=rgba(0, 0, 255, 1)]Ntfs
[/COLOR][COLOR=rgba(30, 30, 30, 1)]IMAGE_NAME: Ntfs.sys
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: 0x109_2c_IMAGE_Ntfs.sys
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {1ac1cef4-57d0-75db-be0a-7f8b6ff55cb8}
Followup: MachineOwner
---------
[/COLOR]
Continue reading...