I have protected my standard driver just fine. I am trying to manual map another driver through the first one. The issue is that when protecting the driver that I am trying to manual map, I always get an access violation (it works flawlessly without protection).
I want to note that I am passing null parameters to the driver's entry point since they are not needed by the mapped driver. Here is the crash dump:
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: ffffd4025236e222, Address of the instruction which caused the bugcheck
Arg3: ffffc98afeaade70, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-LOGEV4U
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 2
Key : Analysis.Memory.CommitPeak.Mb
Value: 67
Key : Analysis.System
Value: CreateObject
VIRTUAL_MACHINE: VMware
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: ffffd4025236e222
BUGCHECK_P3: ffffc98afeaade70
BUGCHECK_P4: 0
CONTEXT: ffffc98afeaade70 -- (.cxr 0xffffc98afeaade70)
rax=ffffc98afeaa000f rbx=ffffd402586d9080 rcx=000000000000dead
rdx=0000000000000000 rsi=00000001401fa5b7 rdi=ffffd4025236e215
rip=ffffd4025236e222 rsp=ffffc98afeaae870 rbp=ffffc98afeaaeb80
r8=000000ee3774f898 r9=00000001401fa5b7 r10=0000000000000000
r11=ffffc98afeaae9f0 r12=000000ee3774fc68 r13=0000000000000000
r14=fffff800528f13a0 r15=00007ffbba52d650
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050202
ffffd402`5236e222 8b06 mov eax,dword ptr [rsi] ds:002b:00000001`401fa5b7=????????
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
PROCESS_NAME: kdmapper.exe
STACK_TEXT:
ffffc98a`feaad568 fffff800`525ef929 : 00000000`0000003b 00000000`c0000005 ffffd402`5236e222 ffffc98a`feaade70 : nt!KeBugCheckEx
ffffc98a`feaad570 fffff800`525eed7c : ffffc98a`feaae638 fffff800`522e68e0 ffffc98a`feaad760 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffc98a`feaad6b0 fffff800`525e68df : fffff800`525eed00 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceHandler+0x7c
ffffc98a`feaad6f0 fffff800`52432fb7 : ffffc98a`feaadc60 00000000`00000000 ffffc98a`feaaea20 fffff800`525ef348 : nt!RtlpExecuteHandlerForException+0xf
ffffc98a`feaad720 fffff800`5247b226 : ffffc98a`feaae638 ffffc98a`feaae370 ffffc98a`feaae638 ffffd402`5236e215 : nt!RtlDispatchException+0x297
ffffc98a`feaade40 fffff800`525efa6c : ffffc98a`feaae760 00000000`00001000 ffffc98a`feaae6e0 ffff8000`00000000 : nt!KiDispatchException+0x186
ffffc98a`feaae500 fffff800`525ebc03 : 00000000`00000001 00000000`c86a8004 00000000`00000000 fffff800`5251be57 : nt!KiExceptionDispatch+0x12c
ffffc98a`feaae6e0 ffffd402`5236e222 : ffffd402`59452be0 ffffd402`5683d060 00000000`00000003 00000000`00000000 : nt!KiPageFault+0x443
ffffc98a`feaae870 ffffd402`59452be0 : ffffd402`5683d060 00000000`00000003 00000000`00000000 ffffd402`59452be0 : 0xffffd402`5236e222
ffffc98a`feaae878 ffffd402`5683d060 : 00000000`00000003 00000000`00000000 ffffd402`59452be0 ffff6910`0444b0dc : 0xffffd402`59452be0
ffffc98a`feaae880 00000000`00000003 : 00000000`00000000 ffffd402`59452be0 ffff6910`0444b0dc 00000000`00000001 : 0xffffd402`5683d060
ffffc98a`feaae888 00000000`00000000 : ffffd402`59452be0 ffff6910`0444b0dc 00000000`00000001 ffffd402`55b20de8 : 0x3
SYMBOL_NAME: nt!KiSystemServiceHandler+7c
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 7c
FAILURE_BUCKET_ID: 0x3B_c0000005_nt!KiSystemServiceHandler
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {d011f1c6-81ea-e5f8-2759-49ec2e253107}
Followup: MachineOwner
---------
1: kd> u 0xffffd402`59452be0
ffffd402`59452be0 0500d80000 add eax,0D800h
ffffd402`59452be5 0000 add byte ptr [rax],al
ffffd402`59452be7 0060d0 add byte ptr [rax-30h],ah
ffffd402`59452bea 835602d4 adc dword ptr [rsi+2],0FFFFFFD4h
ffffd402`59452bee ff ???
ffffd402`59452bef ff00 inc dword ptr [rax]
ffffd402`59452bf1 0000 add byte ptr [rax],al
ffffd402`59452bf3 0000 add byte ptr [rax],al
1: kd> u ffffd4025236e222
ffffd402`5236e222 8b06 mov eax,dword ptr [rsi]
ffffd402`5236e224 4881c604000000 add rsi,4
ffffd402`5236e22b 41f7c2e1738f21 test r10d,218F73E1h
ffffd402`5236e232 4133c1 xor eax,r9d
ffffd402`5236e235 4184db test r11b,bl
ffffd402`5236e238 41f7c5022c9927 test r13d,27992C02h
ffffd402`5236e23f f9 stc
ffffd402`5236e240 05de4cd507 add eax,7D54CDEh