Kernel Mode Debugging – Scenario 1: Lighting up a third party driver




```
kd> !analyze -v
*******************************************************************************
*                        Bugcheck Analysis
*******************************************************************************
WORKER_THREAD_RETURNED_AT_BAD_IRQL (e1)
Arguments:
Arg1: 804219e4, address of worker routine (do ln on this to find guilty driver)
Arg2: 00000002, IRQL returned at (should have been 0, but isn't).
Arg3: 819b7328, workitem parameter
Arg4: 819b7328, workitem address
Debugging Details:
FAULTING_IP:
nt!IopProcessWorkItem+0
804219e4 8b442404        mov     eax,dword ptr [esp+4]
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xE1
LAST_CONTROL_TRANSFER:  from 80454faf to 80418c8e
STACK_TEXT:
f2453da8 80454faf 819b7328 00000000 00000000 nt!ExpWorkerThread+0xf3
f2453ddc 80468ec2 80418b84 00000001 00000000 nt!PspSystemThreadStartup+0x69
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND:  .bugcheck ; kb
FOLLOWUP_IP:
nt!IopProcessWorkItem+0
804219e4 8b442404        mov     eax,dword ptr [esp+4]
SYMBOL_NAME:  nt!IopProcessWorkItem+0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: nt
IMAGE_NAME:  ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  3ad7ad60
FAILURE_BUCKET_ID:  0xE1_nt!IopProcessWorkItem+0
BUCKET_ID:  0xE1_nt!IopProcessWorkItem+0
Followup: MachineOwner

kd> dps 819b7328
819b7328  819b7368
819b732c  000012e6
819b7330  804219e4 nt!IopProcessWorkItem
819b7334  819b7328
819b7338  f21e3c40 ABC+0x3c40
819b733c  81a19030
819b7340  819b7328
819b7344  e1d7d128
819b7348  e1d7d140
819b734c  c0000000
819b7350  00000000
819b7354  00000000
819b7358  00000000
819b735c  00310001
819b7360  02010002
819b7364  ee657645
819b7368  819a2c08
819b736c  00000000
819b7370  bad0b0b0
819b7374  02000000
819b7378  00000001
819b737c  00000000
819b7380  81044701
819b7384  00000000
819b7388  819b7388
819b738c  819b7388
819b7390  00000000
819b7394  00000000
819b7398  00000000
819b739c  00000000
819b73a0  02018002
819b73a4  64504443

kd> lmvm cdp
start    end        module name
f21e0000 f21ee200   ABC        (no symbols)
    Loaded symbol image file: ABC.sys
    Image path: \SystemRoot\System32\DRIVERS\ABC.sys
    Image name: ABC.sys
    Timestamp:        Tue Jan 08 15:21:57 2002 (3C3B7F15)
    CheckSum:         000193A8
    ImageSize:        0000E200
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

kd> .sympath+ c:\temp\symbols\scenario1

kd> .reload
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list

kd> dps 819b7328
819b7328  819b7368
819b732c  000012e6
819b7330  804219e4 nt!IopProcessWorkItem
819b7334  819b7328
819b7338  f21e3c40 cdp!SendCDPPacketRoutine [d:\vob\fmm\ABC\driver\device.cpp @ 209]
819b733c  81a19030
819b7340  819b7328
819b7344  e1d7d128
819b7348  e1d7d140
819b734c  c0000000
819b7350  00000000
819b7354  00000000
819b7358  00000000
819b735c  00310001
819b7360  02010002
819b7364  ee657645
819b7368  819a2c08
819b736c  00000000
819b7370  bad0b0b0
819b7374  02000000
819b7378  00000001
819b737c  00000000
819b7380  81044701
819b7384  00000000
819b7388  819b7388
819b738c  819b7388
819b7390  00000000
819b7394  00000000
819b7398  00000000
819b739c  00000000
819b73a0  02018002
819b73a4  64504443
```
