N
Nabil_
Guest
Microsoft (R) Windows Debugger Version 10.0.17134.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\King\Desktop\090918-18109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17415.x86fre.winblue_r4.141028-1500
Machine Name:
Kernel base = 0x81209000 PsLoadedModuleList = 0x81408418
Debug session time: Sun Sep 9 13:50:30.037 2018 (UTC + 6:00)
System Uptime: 0 days 1:17:13.573
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
..................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {0, 2, 1, 81308cf4}
Probably caused by : kbdclass.sys ( kbdclass!KeyboardClassServiceCallback+e8 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81308cf4, address which referenced memory
Debugging Details:
------------------
KEY_VALUES_STRING: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 9600.17415.x86fre.winblue_r4.141028-1500
DUMP_TYPE: 2
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
BUGCHECK_P1: 0
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: ffffffff81308cf4
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 814376f4
Unable to get MmSystemRangeStart
GetUlongPtrFromAddress: unable to read from 81437f38
GetUlongPtrFromAddress: unable to read from 81437a90
Unable to get NonPagedPoolStart
Unable to get PagedPoolStart
00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!memmove+124
81308cf4 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax
CPU_COUNT: 1
CPU_MHZ: 899
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3d
CPU_STEPPING: 4
CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 1F'00000000 (cache) 0'00000000 (init)
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
ANALYSIS_SESSION_HOST: DESKTOP-NDA48UI
ANALYSIS_SESSION_TIME: 09-09-2018 13:55:29.0502
ANALYSIS_VERSION: 10.0.17134.1 x86fre
LAST_CONTROL_TRANSFER: from 8fefea65 to 81308cf4
STACK_TEXT:
82743988 8fefea65 00000000 9b13fe2c 0000000c nt!memmove+0x124
827439c4 8fee91d5 953a5240 9b13fe2c 8f916e28 kbdclass!KeyboardClassServiceCallback+0xe8
82743a28 812579a6 91f0cc64 01f0ca00 00000000 i8042prt!I8042KeyboardIsrDpc+0x197
82743ae0 812575c6 82743b28 00000000 89bfabc0 nt!KiExecuteAllDpcs+0x216
82743c04 8131a3d0 00000000 00000000 00000000 nt!KiRetireDpcList+0xf6
82743c08 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x38
THREAD_SHA1_HASH_MOD_FUNC: 558f74cd3a91bcbe19983f1b7c0528b4b6e14e68
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 161173af8eb4dad35d375cfca10e81c430366625
THREAD_SHA1_HASH_MOD: 96f30bfb09b4cbb871d97a7ed1a187f4d9e602f3
FOLLOWUP_IP:
kbdclass!KeyboardClassServiceCallback+e8
8fefea65 8b4510 mov eax,dword ptr [ebp+10h]
FAULT_INSTR_CODE: 3310458b
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: kbdclass!KeyboardClassServiceCallback+e8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: kbdclass
IMAGE_NAME: kbdclass.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 543353ac
IMAGE_VERSION: 6.3.9600.17393
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: e8
FAILURE_BUCKET_ID: AV_kbdclass!KeyboardClassServiceCallback
BUCKET_ID: AV_kbdclass!KeyboardClassServiceCallback
PRIMARY_PROBLEM_CLASS: AV_kbdclass!KeyboardClassServiceCallback
TARGET_TIME: 2018-09-09T07:50:30.000Z
OSBUILD: 9600
OSSERVICEPACK: 17415
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 784
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x86
OSNAME: Windows 8.1
OSEDITION: Windows 8.1 WinNt TerminalServer SingleUserTS Personal
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2014-10-29 06:32:39
BUILDDATESTAMP_STR: 141028-1500
BUILDLAB_STR: winblue_r4
BUILDOSVER_STR: 6.3.9600.17415.x86fre.winblue_r4.141028-1500
ANALYSIS_SESSION_ELAPSED_TIME: d87
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_kbdclass!keyboardclassservicecallback
FAILURE_ID_HASH: {2397e1a0-177a-792e-7553-d9653a04afd0}
Followup: MachineOwner
---------
Source code:
#include "ntddk.h""
typedef struct {
PDEVICE_OBJECT LowerKbdDevice;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
PDEVICE_OBJECT MyKbdDevice = NULL;
//ULONG pendingkey = 0;
void Unload(IN PDRIVER_OBJECT DriverObject) {
LARGE_INTEGER interval = { 0 };
PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;
interval.QuadPart = -10 * 1000 * 1000;
IoDetachDevice(((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice);
/*while (pendingkey) {
KeDelayExecutionThread(KernelMode, FALSE, &interval);
}*/
IoDeleteDevice(MyKbdDevice);
DbgPrint("driver Unload \r\n");
}
NTSTATUS DispatchPass(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
IoCopyCurrentIrpStackLocationToNext(Irp);
return IoCallDriver((((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice), Irp);
}
NTSTATUS ReadComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context) {
PKEYBOARD_INPUT_DATA Keys = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
int structnum = Irp->IoStatus.Information / sizeof(PKEYBOARD_INPUT_DATA);
int i;
if (Irp->IoStatus.Status == STATUS_SUCCESS) {
for (i = 0; i < structnum; i++) {
DbgPrint("The Key Is %x\n", Keys.MakeCode);
}
}
if(Irp->PendingReturned) {
IoMarkIrpPending(Irp);
}
//pendingkey--;
return Irp->IoStatus.Status;
}
NTSTATUS DispatchRead(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine(Irp, ReadComplete, NULL, TRUE, TRUE, TRUE);
//pendingkey++;
return IoCallDriver((((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice), Irp);
}
NTSTATUS MyAttachDevice(PDRIVER_OBJECT DriverObject) {
NTSTATUS status;
UNICODE_STRING TargetDevice = RTL_CONSTANT_STRING(L"\\Device\\KeyboardClass0");
status = IoCreateDevice(DriverObject,
sizeof(DEVICE_EXTENSION),
NULL, FILE_DEVICE_KEYBOARD,
0, FALSE, &MyKbdDevice);
if (!NT_SUCCESS(status)) {
return status;
}
MyKbdDevice->Flags |= DO_BUFFERED_IO;
MyKbdDevice->Flags &= DO_DEVICE_INITIALIZING;
RtlZeroMemory(MyKbdDevice->DeviceExtension, sizeof(DEVICE_EXTENSION));
status = IoAttachDevice(MyKbdDevice, &TargetDevice, &((PDEVICE_EXTENSION)MyKbdDevice->DeviceExtension)->LowerKbdDevice);
if (!NT_SUCCESS(status)) {
IoDeleteDevice(MyKbdDevice);
return status;
}
return STATUS_SUCCESS;
}
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {
UNREFERENCED_PARAMETER(RegistryPath);
UNREFERENCED_PARAMETER(DriverObject);
NTSTATUS status;
int i;
DriverObject->DriverUnload = Unload;
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
DriverObject->MajorFunction = DispatchPass;
}
DriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;
DbgPrint("Hello Driver\r\n");
status = MyAttachDevice(DriverObject);
if (!NT_SUCCESS(status)) {
DbgPrint("attaching is failing");
return status;
}
else {
KdPrint(("Attaching Succeeds \r\n"));
}
return status;
}
Continue reading...
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\King\Desktop\090918-18109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17415.x86fre.winblue_r4.141028-1500
Machine Name:
Kernel base = 0x81209000 PsLoadedModuleList = 0x81408418
Debug session time: Sun Sep 9 13:50:30.037 2018 (UTC + 6:00)
System Uptime: 0 days 1:17:13.573
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
..................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {0, 2, 1, 81308cf4}
Probably caused by : kbdclass.sys ( kbdclass!KeyboardClassServiceCallback+e8 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81308cf4, address which referenced memory
Debugging Details:
------------------
KEY_VALUES_STRING: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 9600.17415.x86fre.winblue_r4.141028-1500
DUMP_TYPE: 2
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
BUGCHECK_P1: 0
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: ffffffff81308cf4
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 814376f4
Unable to get MmSystemRangeStart
GetUlongPtrFromAddress: unable to read from 81437f38
GetUlongPtrFromAddress: unable to read from 81437a90
Unable to get NonPagedPoolStart
Unable to get PagedPoolStart
00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!memmove+124
81308cf4 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax
CPU_COUNT: 1
CPU_MHZ: 899
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3d
CPU_STEPPING: 4
CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 1F'00000000 (cache) 0'00000000 (init)
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
ANALYSIS_SESSION_HOST: DESKTOP-NDA48UI
ANALYSIS_SESSION_TIME: 09-09-2018 13:55:29.0502
ANALYSIS_VERSION: 10.0.17134.1 x86fre
LAST_CONTROL_TRANSFER: from 8fefea65 to 81308cf4
STACK_TEXT:
82743988 8fefea65 00000000 9b13fe2c 0000000c nt!memmove+0x124
827439c4 8fee91d5 953a5240 9b13fe2c 8f916e28 kbdclass!KeyboardClassServiceCallback+0xe8
82743a28 812579a6 91f0cc64 01f0ca00 00000000 i8042prt!I8042KeyboardIsrDpc+0x197
82743ae0 812575c6 82743b28 00000000 89bfabc0 nt!KiExecuteAllDpcs+0x216
82743c04 8131a3d0 00000000 00000000 00000000 nt!KiRetireDpcList+0xf6
82743c08 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x38
THREAD_SHA1_HASH_MOD_FUNC: 558f74cd3a91bcbe19983f1b7c0528b4b6e14e68
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 161173af8eb4dad35d375cfca10e81c430366625
THREAD_SHA1_HASH_MOD: 96f30bfb09b4cbb871d97a7ed1a187f4d9e602f3
FOLLOWUP_IP:
kbdclass!KeyboardClassServiceCallback+e8
8fefea65 8b4510 mov eax,dword ptr [ebp+10h]
FAULT_INSTR_CODE: 3310458b
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: kbdclass!KeyboardClassServiceCallback+e8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: kbdclass
IMAGE_NAME: kbdclass.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 543353ac
IMAGE_VERSION: 6.3.9600.17393
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: e8
FAILURE_BUCKET_ID: AV_kbdclass!KeyboardClassServiceCallback
BUCKET_ID: AV_kbdclass!KeyboardClassServiceCallback
PRIMARY_PROBLEM_CLASS: AV_kbdclass!KeyboardClassServiceCallback
TARGET_TIME: 2018-09-09T07:50:30.000Z
OSBUILD: 9600
OSSERVICEPACK: 17415
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 784
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x86
OSNAME: Windows 8.1
OSEDITION: Windows 8.1 WinNt TerminalServer SingleUserTS Personal
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2014-10-29 06:32:39
BUILDDATESTAMP_STR: 141028-1500
BUILDLAB_STR: winblue_r4
BUILDOSVER_STR: 6.3.9600.17415.x86fre.winblue_r4.141028-1500
ANALYSIS_SESSION_ELAPSED_TIME: d87
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_kbdclass!keyboardclassservicecallback
FAILURE_ID_HASH: {2397e1a0-177a-792e-7553-d9653a04afd0}
Followup: MachineOwner
---------
Source code:
#include "ntddk.h""
typedef struct {
PDEVICE_OBJECT LowerKbdDevice;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
PDEVICE_OBJECT MyKbdDevice = NULL;
//ULONG pendingkey = 0;
void Unload(IN PDRIVER_OBJECT DriverObject) {
LARGE_INTEGER interval = { 0 };
PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;
interval.QuadPart = -10 * 1000 * 1000;
IoDetachDevice(((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice);
/*while (pendingkey) {
KeDelayExecutionThread(KernelMode, FALSE, &interval);
}*/
IoDeleteDevice(MyKbdDevice);
DbgPrint("driver Unload \r\n");
}
NTSTATUS DispatchPass(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
IoCopyCurrentIrpStackLocationToNext(Irp);
return IoCallDriver((((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice), Irp);
}
NTSTATUS ReadComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context) {
PKEYBOARD_INPUT_DATA Keys = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
int structnum = Irp->IoStatus.Information / sizeof(PKEYBOARD_INPUT_DATA);
int i;
if (Irp->IoStatus.Status == STATUS_SUCCESS) {
for (i = 0; i < structnum; i++) {
DbgPrint("The Key Is %x\n", Keys.MakeCode);
}
}
if(Irp->PendingReturned) {
IoMarkIrpPending(Irp);
}
//pendingkey--;
return Irp->IoStatus.Status;
}
NTSTATUS DispatchRead(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine(Irp, ReadComplete, NULL, TRUE, TRUE, TRUE);
//pendingkey++;
return IoCallDriver((((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice), Irp);
}
NTSTATUS MyAttachDevice(PDRIVER_OBJECT DriverObject) {
NTSTATUS status;
UNICODE_STRING TargetDevice = RTL_CONSTANT_STRING(L"\\Device\\KeyboardClass0");
status = IoCreateDevice(DriverObject,
sizeof(DEVICE_EXTENSION),
NULL, FILE_DEVICE_KEYBOARD,
0, FALSE, &MyKbdDevice);
if (!NT_SUCCESS(status)) {
return status;
}
MyKbdDevice->Flags |= DO_BUFFERED_IO;
MyKbdDevice->Flags &= DO_DEVICE_INITIALIZING;
RtlZeroMemory(MyKbdDevice->DeviceExtension, sizeof(DEVICE_EXTENSION));
status = IoAttachDevice(MyKbdDevice, &TargetDevice, &((PDEVICE_EXTENSION)MyKbdDevice->DeviceExtension)->LowerKbdDevice);
if (!NT_SUCCESS(status)) {
IoDeleteDevice(MyKbdDevice);
return status;
}
return STATUS_SUCCESS;
}
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {
UNREFERENCED_PARAMETER(RegistryPath);
UNREFERENCED_PARAMETER(DriverObject);
NTSTATUS status;
int i;
DriverObject->DriverUnload = Unload;
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
DriverObject->MajorFunction = DispatchPass;
}
DriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;
DbgPrint("Hello Driver\r\n");
status = MyAttachDevice(DriverObject);
if (!NT_SUCCESS(status)) {
DbgPrint("attaching is failing");
return status;
}
else {
KdPrint(("Attaching Succeeds \r\n"));
}
return status;
}
Continue reading...