Kernel Mode Debugging – Scenario 3: Identify the cause of a driver crash




Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File
Kernel Complete Dump File: Full address space is available
Symbol search path is: SRV*C:\symsrv*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 2000 Kernel Version 2195 UP Checked x86 compatible
Product: WinNt
Machine Name:
Kernel base = 0x80400000 PsLoadedModuleList = 0x804d5e20
Debug session time: Mon May  1 22:07:46.721 2000 (GMT-8)
System Uptime: 0 days 0:01:59.231
Loading Kernel Symbols
Loading User Symbols

kd> !analyze -v
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************

IRQL_NOT_GREATER_OR_EQUAL (9)
Arguments:
Arg1: fe4c275c
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------
*... comments clipped

DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0x9
LAST_CONTROL_TRANSFER:  from f90a8799 to 804b0c2f

STACK_TEXT:
fc2a0bcc f90a8799 e19a9f50 000000b8 00000190 nt!KefAcquireSpinLockAtDpcLevel+0x3f
WARNING: Stack unwind information not available. Following frames may be wrong.
fc2a0c14 80424606 fe4c26f0 ffb31d48 ffb35c38 ABCDMA+0x799
fc2a0c2c 80541e77 fe4e3a48 80068f7c 80063418 nt!IopfCallDriver+0x4f
fc2a0c60 8056f9fa ffb361d0 fe4c26f0 0012019f nt!IopCloseFile+0x2b3
fc2a0c90 80493505 ffb361d0 00000001 ffb35c00 nt!ObpDecrementHandleCount+0x1e0
fc2a0d4c 804b19ba 00000070 00ba0018 00000000 nt!NtClose+0x295
fc2a0d4c 77f88583 00000070 00ba0018 00000000 nt!KiSystemService+0x10a
0006ff1c 77e8a70a 00000070 0006ff80 01001a93 ntdll!NtClose+0xb
0006ff28 01001a93 00000070 00000000 77fb80db KERNEL32!CloseHandle+0x4f
0006ff80 01001b93 00000002 006a0200 006a0220 ABCDMA+0x1a93
0006ffc0 77e87903 ffffffff 0012f88f 7ffdf000 ABCDMA+0x1b93
0006fff0 00000000 01001ac0 00000000 000000c8 KERNEL32!BaseProcessStart+0x3d

STACK_COMMAND:  kb

FOLLOWUP_IP:
dummydma+799
f90a8799 8b4d08          mov     ecx,dword ptr [ebp+8]

SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  ABCDMA+799
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ABCDMA
IMAGE_NAME:  ABCDMA.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  390e698d
FAILURE_BUCKET_ID:  0x9_dummydma+799
BUCKET_ID:  0x9_ABCDMA+799
Followup: MachineOwner

kd> *get details for faulty driver
kd> !drvobj ABCDMA 2
Driver object (fe4c28c8) is for:
 \Driver\ABCDMA
Dispatch routines:
[00] IRP_MJ_CREATE                      f90a8614 ABCDMA+0x614
[01] IRP_MJ_CREATE_NAMED_PIPE           8042e25e nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       f90a8614 ABCDMA+0x614
[03] IRP_MJ_READ                        8042e25e nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       8042e25e nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           8042e25e nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             8042e25e nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    8042e25e nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      8042e25e nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               8042e25e nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    8042e25e nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      8042e25e nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           8042e25e nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         8042e25e nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              f90a891d ABCDMA+0x91d
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     8042e25e nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN                    8042e25e nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                8042e25e nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     f90a8751 ABCDMA+0x751
[13] IRP_MJ_CREATE_MAILSLOT             8042e25e nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              8042e25e nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                8042e25e nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       f90aac4b ABCDMA+0x2c4b
[17] IRP_MJ_SYSTEM_CONTROL              f90aaeac ABCDMA+0x2eac
[18] IRP_MJ_DEVICE_CHANGE               8042e25e nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 8042e25e nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   8042e25e nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         f90aa364 ABCDMA+0x2364

kd> * 0x9_ABCDMA+799 ... means we have no symbols ... ret address f90a8799
kd> ?ABCDMA
Evaluate expression: -116752384 = f90a8000
kd> ?f90a8799-ABCDMA
Evaluate expression: 1945 = 00000799
kd> * 751 is in closest proximity of 799

kd> !irp 80068f7c
IRP signature does not match, probably not an IRP
kd> * does not work, because IopfCallDriver is (f)ast and uses registers, not call stack

kd> !irp ffb31d48
Irp is active with 2 stacks 2 is current (= 0xffb31ddc)
 No Mdl Thread fe3272f0:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
>[ 12, 0]   0  0 fe4c26f0 ffb35c38 00000000-00000000
            \Driver\ABCDMA
            Args: 00000000 00000000 00000000 00000000
kd> * 12 is entry point in driver, 12 == cleanup
kd> *------------

kd> !thread
THREAD fe3272f0  Cid 27c.2b8  Teb: 7ffde000  Win32Thread: e1bae008 RUNNING
IRP List:
    ffb31d48: (0006,00b8) Flags: 00000404  Mdl: 00000000
Not impersonating
Owning Process ffb361d0
Wait Start TickCount    11906         Elapsed Ticks: 0
Context Switch Count    985                   LargeStack
UserTime                  0:00:00.0020
KernelTime                0:00:01.0111
Start Address KERNEL32!BaseProcessStartThunk (0x77e878c1)
Win32 Start Address ABCDMA (0x01001ac0)
Stack Init fc2a1000 Current fc2a076c Base fc2a1000 Limit fc29d000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child
fc2a0bcc f90a8799 e19a9f50 000000b8 00000190 nt!KefAcquireSpinLockAtDpcLevel+0x3f
fc2a0c14 80424606 fe4c26f0 ffb31d48 ffb35c38 ABCDMA+0x799
fc2a0c2c 80541e77 fe4e3a48 80068f7c 80063418 nt!IopfCallDriver+0x4f
fc2a0c60 8056f9fa ffb361d0 fe4c26f0 0012019f nt!IopCloseFile+0x2b3
fc2a0c90 80493505 ffb361d0 00000001 ffb35c00 nt!ObpDecrementHandleCount+0x1e0
fc2a0d4c 804b19ba 00000070 00ba0018 00000000 nt!NtClose+0x295
fc2a0d4c 77f88583 00000070 00ba0018 00000000 nt!KiSystemService+0x10a
0006ff1c 77e8a70a 00000070 0006ff80 01001a93 ntdll!NtClose+0xb
0006ff28 01001a93 00000070 00000000 77fb80db KERNEL32!CloseHandle+0x4f
0006ff80 01001b93 00000002 006a0200 006a0220 ABCDMA+0x1a93
0006ffc0 77e87903 ffffffff 0012f88f 7ffdf000 ABCDMA+0x1b93
0006fff0 00000000 01001ac0 00000000 000000c8 KERNEL32!BaseProcessStart+0x3d

kd> !irp ffb31d48
Irp is active with 2 stacks 2 is current (= 0xffb31ddc)
 No Mdl Thread fe3272f0:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
>[ 12, 0]   0  0 fe4c26f0 ffb35c38 00000000-00000000
            \Driver\ABCDMA   Args: 00000000 00000000 00000000 00000000
kd> *-------------
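The manual steps in the session above (evaluate the module base, subtract it from the return address, find the dispatch routine whose entry point lies closest below the resulting offset, and confirm it against the major function code shown by !irp) can be scripted for symbol-less drivers. The Python below is an added example, not part of the original transcript; its sample input is copied from the !drvobj and !irp output on this page, and the module base and return address are the values the session evaluates.

```python
"""Map a faulting return address in a driver without symbols onto the
dispatch routine that contains it, using WinDbg !drvobj / !irp text."""
import re

# Copied from the `!drvobj ABCDMA 2` output above (driver-implemented
# entries; nt!IopInvalidDeviceRequest slots are filtered out by the parser).
DRVOBJ_OUTPUT = """\
[00] IRP_MJ_CREATE                      f90a8614 ABCDMA+0x614
[01] IRP_MJ_CREATE_NAMED_PIPE           8042e25e nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       f90a8614 ABCDMA+0x614
[0e] IRP_MJ_DEVICE_CONTROL              f90a891d ABCDMA+0x91d
[12] IRP_MJ_CLEANUP                     f90a8751 ABCDMA+0x751
[16] IRP_MJ_POWER                       f90aac4b ABCDMA+0x2c4b
[17] IRP_MJ_SYSTEM_CONTROL              f90aaeac ABCDMA+0x2eac
[1b] IRP_MJ_PNP                         f90aa364 ABCDMA+0x2364
"""
# The '>'-marked current stack location from `!irp ffb31d48` above.
IRP_CURRENT_LOCATION = ">[ 12, 0]   0  0 fe4c26f0 ffb35c38 00000000-00000000"

DISPATCH_RE = re.compile(r"^\[([0-9a-f]{2})\]\s+(IRP_MJ_\w+)\s+([0-9a-f]{8})\s+(\S+)")


def parse_dispatch_table(text, module):
    """Return [(major_fn, name, address)] for slots implemented in `module`."""
    entries = []
    for line in text.splitlines():
        m = DISPATCH_RE.match(line.strip())
        if m and m.group(4).startswith(module + "+"):
            entries.append((int(m.group(1), 16), m.group(2), int(m.group(3), 16)))
    return entries


def locate_return_address(ret_addr, entries):
    """Routine whose entry point is the highest address <= ret_addr
    (the '751 is closest to 799' step); returns (name, major_fn, offset)."""
    below = [e for e in entries if e[2] <= ret_addr]
    if not below:
        return None
    major, name, addr = max(below, key=lambda e: e[2])
    return name, major, ret_addr - addr


def irp_major_function(line):
    """Major function code (hex) from the current !irp stack location line."""
    m = re.match(r">\[\s*([0-9a-f]+),", line.strip())
    return int(m.group(1), 16) if m else None


def analyze(ret_addr=0xF90A8799, base=0xF90A8000, module="ABCDMA"):
    name, major, off = locate_return_address(ret_addr, parse_dispatch_table(DRVOBJ_OUTPUT, module))
    return {"module_offset": ret_addr - base, "routine": name, "major": major,
            "routine_offset": off, "irp_matches": irp_major_function(IRP_CURRENT_LOCATION) == major}
```

For this dump the result is IRP_MJ_CLEANUP (major function 0x12) at 0x48 bytes into the routine, and the IRP's current stack location agrees, so the spin-lock acquisition that raised the bugcheck sits in the driver's cleanup path.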
