How to use that Windows Driver Samples - MiniFilter - AVSCAN?

  • Question

  • Hello, Team.

    I inserted the minifilter sample code into my project code, and then it gets a BSOD.

    The code under development:

    FLT_POSTOP_CALLBACK_STATUS
    sok_post_create (
        __inout PFLT_CALLBACK_DATA Data,
        __in PCFLT_RELATED_OBJECTS FltObjects,
        __in PVOID CompletionContext,
        __in FLT_POST_OPERATION_FLAGS Flags
        )
    {
        NTSTATUS status_csv = STATUS_SUCCESS;
        PAV_INSTANCE_CONTEXT instanceContext = NULL;

        PAGED_CODE();

        // Look up the instance context attached to this volume instance.
        status_csv = FltGetInstanceContext( FltObjects->Instance, (PFLT_CONTEXT*)&instanceContext );

        if (NT_SUCCESS( status_csv )) {
            DbgPrint( "[Ctx]: CtxPostSetInfo -> Instance context info for volume \n\tVolumeName = %wZ", &instanceContext->VolumeName );

            // Drop the reference taken by FltGetInstanceContext; only valid when the lookup succeeded.
            FltReleaseContext( instanceContext );
        }

        // (rest of the callback is not shown in the post)
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    Can anyone help me? I would appreciate it.

    Below is the WinDbg BSOD screenshot.

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 50, {ffff8e8f9435b000, 0, fffff80257db7c7e, 0}

    Probably caused by : memory_corruption

    Followup: memory_corruption
    ---------

    nt!DbgBreakPointWithStatus:
    fffff802`57dcba60 cc              int     3
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: ffff8e8f9435b000, memory referenced.
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
    Arg3: fffff80257db7c7e, If non-zero, the instruction address which referenced the bad memory
     address.
    Arg4: 0000000000000000, (reserved)

    Debugging Details:
    ------------------



    • Edited by noblesys Thursday, September 13, 2018 5:56 AM
    Thursday, September 13, 2018 5:25 AM

All replies

  • Give us the full !analyze -v; what you gave is no better than saying "I had a BSOD, what caused it?"


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Thursday, September 13, 2018 1:59 PM
  • I'm so sorry, and thank you for letting me know.

    Do I have it right that the instanceContext structure must be allowed in memory?

    Below is the full !analyze -v output:

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 50, {ffffe68f9e8ca000, 0, fffff800e894ec7e, 0}

    Probably caused by : memory_corruption

    Followup: memory_corruption
    ---------

    nt!DbgBreakPointWithStatus:
    fffff800`e8962a60 cc              int     3
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: ffffe68f9e8ca000, memory referenced.
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
    Arg3: fffff800e894ec7e, If non-zero, the instruction address which referenced the bad memory
     address.
    Arg4: 0000000000000000, (reserved)

    Debugging Details:
    ------------------


    READ_ADDRESS: unable to get nt!MmSpecialPoolStart
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPagedPoolEnd
    unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSizeOfNonPagedPoolInBytes
     ffffe68f9e8ca000

    FAULTING_IP:
    nt!wcsstr+56
    fffff800`e894ec7e 410fb700        movzx   eax,word ptr [r8]

    MM_INTERNAL_CODE:  0

    DEFAULT_BUCKET_ID:  CODE_CORRUPTION

    BUGCHECK_STR:  AV

    PROCESS_NAME:  wermgr.exe

    CURRENT_IRQL:  2

    ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

    TRAP_FRAME:  ffffa00197898f40 -- (.trap 0xffffa00197898f40)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000043 rbx=0000000000000000 rcx=0000000000000070
    rdx=fffff8022483ac50 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800e894ec7e rsp=ffffa001978990d8 rbp=ffffb18e193324c0
     r8=ffffe68f9e8ca000  r9=ffffee8d7a08f3b0 r10=fffff8022483ac50
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz ac pe nc
    nt!wcsstr+0x56:
    fffff800`e894ec7e 410fb700        movzx   eax,word ptr [r8] ds:ffffe68f`9e8ca000=????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff800e89e696a to fffff800e8962a60

    STACK_TEXT: 
    ffffa001`97898498 fffff800`e89e696a : ffffe68f`9e8ca000 00000000`00000050 ffffa001`97898600 fffff800`e88a9c88 : nt!DbgBreakPointWithStatus
    ffffa001`978984a0 fffff800`e89e6359 : 00000000`00000003 ffffa001`97898600 fffff800`e896a340 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
    ffffa001`97898500 fffff800`e895d094 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffe68f`9b629720 : nt!KeBugCheck2+0x8a5
    ffffa001`97898c10 fffff800`e89751af : 00000000`00000050 ffffe68f`9e8ca000 00000000`00000000 ffffa001`97898f40 : nt!KeBugCheckEx+0x104
    ffffa001`97898c50 fffff800`e888a72a : 00000000`00000000 00000000`00000000 ffffa001`97898f40 fffff802`247f3a15 : nt! ?? ::FNODOBFM::`string'+0x8fef
    ffffa001`97898d40 fffff800`e89665fc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x9ca
    ffffa001`97898f40 fffff800`e894ec7e : fffff802`247f1b9a ffffb18e`198be7f0 ffffa001`00120196 ffffa001`00000005 : nt!KiPageFault+0x13c
    ffffa001`978990d8 fffff802`247f1b9a : ffffb18e`198be7f0 ffffa001`00120196 ffffa001`00000005 ffffa001`05000060 : nt!wcsstr+0x56
    ffffa001`978990e0 fffff802`228d3d15 : ffffb18e`1ad2dcd8 ffffa001`97899280 00000000`00000000 ffffb18e`00000000 : secure_os!sok_post_create+0x42a [d:\temp\shieldware\csvfs\source\secure_os\filter_callback.cpp @ 487]
    ffffa001`97899230 fffff802`228d3756 : ffffb18e`1ad2dc00 00000000`00000000 00000000`00000000 00000000`00000000 : FLTMGR!FltpPerformPostCallbacks+0x2a5
    ffffa001`97899300 fffff802`228d5299 : ffffb18e`1ad2dc18 ffffb18e`1ad2dc00 ffffb18e`1aa6e5a0 ffffb18e`1aa6e8b0 : FLTMGR!FltpPassThroughCompletionWorker+0x76
    ffffa001`97899340 fffff802`22904065 : fffff802`228f4060 00000000`00000130 00000000`00000000 ffffe68f`9e8c9ed0 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x239
    ffffa001`978993d0 fffff800`e8c14784 : 00000000`00000000 00000000`00000085 ffffb18e`18c34b70 ffffa001`00000000 : FLTMGR!FltpCreate+0x2f5
    ffffa001`97899480 fffff800`e8c1fe02 : fffff800`e8c13dc0 fffff800`e8c13dc0 ffffa001`97899750 ffffb18e`18c1ec50 : nt!IopParseDevice+0x9c4
    ffffa001`97899650 fffff800`e8c014dd : ffffb18e`1814eb01 ffffa001`978998b0 00000000`00000040 ffffb18e`1816bdc0 : nt!ObpLookupObjectName+0x8b2
    ffffa001`97899820 fffff800`e8bfde09 : 000000e4`00000001 ffffb18e`1ab620a8 000000e4`a975d3b8 00000000`00000028 : nt!ObOpenObjectByNameEx+0x1dd
    ffffa001`97899960 fffff800`e8bfd519 : 000000e4`a975d340 00000000`00000000 000000e4`a975d3b8 000000e4`a975d358 : nt!IopCreateFile+0x3d9
    ffffa001`97899a00 fffff800`e8967c93 : 00000000`00000000 00000000`00000001 00000000`00000000 fffff800`00000001 : nt!NtCreateFile+0x79
    ffffa001`97899a90 00007ff8`916058f4 : 00007ff8`8e5fd7bf 00000000`40000000 00000000`00000000 000000e4`a975d4c0 : nt!KiSystemServiceCopyEnd+0x13
    000000e4`a975d2c8 00007ff8`8e5fd7bf : 00000000`40000000 00000000`00000000 000000e4`a975d4c0 00000000`00000002 : ntdll!NtCreateFile+0x14
    000000e4`a975d2d0 00007ff8`8e5fd496 : 00000000`00000000 00007ff8`86d51a30 000000e4`a975d3b0 000001f7`fd88d7b0 : KERNELBASE!CreateFileInternal+0x30f
    000000e4`a975d440 00007ff8`86d254ab : 00000000`00000000 00007ff8`86d51a90 000000e4`a975d3e0 00007ff8`00000003 : KERNELBASE!CreateFileW+0x66
    000000e4`a975d4a0 00007ff8`86cea7ed : 00000000`00000000 000001f7`fd88d7b0 00000000`00000000 000001f7`fde10080 : wer!CIniParser::WriteToFile+0x6b
    000000e4`a975d540 00007ff8`86cf175b : 00000000`00000000 000000e4`a975d610 000001f7`fd88d7b0 000001f7`fde10080 : wer!CReport::WriteReportToFile+0xf1
    000000e4`a975d5c0 00007ff8`86cd8e4c : 00007ff8`86d6f000 00000000`80000000 00000000`00000000 00000000`00000000 : wer!CReportStore::UpdateReportInStore+0x1bb
    000000e4`a975d630 00007ff7`81d81d76 : 000001f7`fd8844d0 000001f7`fd88c110 000001f7`fde1c000 00000000`00000000 : wer!WerpSubmitReportFromStore+0x31c
    000000e4`a975d700 00007ff7`81d82e16 : 00000000`00000001 000001f7`00000002 00000000`00000000 000000e4`00000022 : wermgr!DoCoreUpload+0x2f2
    000000e4`a975d7a0 00007ff7`81d87cc7 : 000001f7`fd8e2d5f 00000000`00000000 00000000`00000000 00000000`00000000 : wermgr!WinMain+0xb62
    000000e4`a975f930 00007ff8`8eaf8364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wermgr!WinMainCRTStartup+0x1b7
    000000e4`a975f9f0 00007ff8`915c5e91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    000000e4`a975fa20 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


    STACK_COMMAND:  kb

    CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    3588 errors : !nt (fffff800e8814594-fffff800e8e7a776)

    MODULE_NAME: memory_corruption

    IMAGE_NAME:  memory_corruption

    FOLLOWUP_NAME:  memory_corruption

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    MEMORY_CORRUPTOR:  LARGE

    FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

    BUCKET_ID:  MEMORY_CORRUPTION_LARGE

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:memory_corruption_large

    FAILURE_ID_HASH:  {e29154ac-69a4-0eb8-172a-a860f73c0a3c}

    Followup: memory_corruption
    ---------

    Friday, September 14, 2018 6:03 AM
  • The current compiler is WDK 7.1.

    Do I need to update to WDK 8.1 or WDK 10?

    Monday, September 17, 2018 12:39 AM
  • No, you need to set up WinDbg and debug the problem.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, September 18, 2018 12:24 AM
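
The stack in the full !analyze -v output above faults inside nt!wcsstr, called from sok_post_create (filter_callback.cpp line 487), on a read at a page-aligned address. The thread does not show line 487; one common way to get that pattern is running a NUL-terminated search over a counted string whose buffer has no terminator, and that cause is an assumption here. The following is an added example, not code from the thread or from the driver: a length-bounded search in portable C, where COUNTED_WSTR, wstr and counted_find are hypothetical names and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a counted UTF-16 string such as UNICODE_STRING:
   Length is in BYTES and Buffer is NOT guaranteed to be NUL-terminated. */
typedef struct {
    uint16_t Length;          /* bytes in use */
    uint16_t MaximumLength;   /* bytes allocated */
    const uint16_t *Buffer;   /* UTF-16 code units */
} COUNTED_WSTR;

/* Build a descriptor over `units` code units starting at p. */
static COUNTED_WSTR wstr(const uint16_t *p, size_t units)
{
    COUNTED_WSTR s;
    s.Length = (uint16_t)(units * sizeof(uint16_t));
    s.MaximumLength = s.Length;
    s.Buffer = p;
    return s;
}

/* Index (in code units) of the first occurrence of needle in hay, or -1.
   Every read is bounded by Length, so it never runs off the allocation
   the way a terminator-driven search does. */
long counted_find(const COUNTED_WSTR *hay, const COUNTED_WSTR *needle)
{
    size_t hlen, nlen, i, j;

    if (!hay || !needle || !hay->Buffer || !needle->Buffer)
        return -1;
    /* Reject inconsistent descriptors before trusting their lengths. */
    if ((hay->Length & 1) || (needle->Length & 1) ||
        hay->Length > hay->MaximumLength ||
        needle->Length > needle->MaximumLength)
        return -1;

    hlen = hay->Length / sizeof(uint16_t);
    nlen = needle->Length / sizeof(uint16_t);
    if (nlen == 0) return 0;
    if (nlen > hlen) return -1;

    for (i = 0; i + nlen <= hlen; i++) {
        for (j = 0; j < nlen && hay->Buffer[i + j] == needle->Buffer[j]; j++)
            ;
        if (j == nlen) return (long)i;
    }
    return -1;
}

/* Constructed sample: the name "C:\a.txt" (8 units, no terminator) is
   followed in the same allocation by stale data "stale". */
static const uint16_t backing[] = {
    'C', ':', '\\', 'a', '.', 't', 'x', 't', 's', 't', 'a', 'l', 'e'
};
static const uint16_t n_ext[]   = { '.', 't', 'x', 't' };
static const uint16_t n_stale[] = { 's', 't', 'a', 'l', 'e' };
static const uint16_t n_cross[] = { 't', 'x', 't', 's' };

long sample_find(const uint16_t *needle, size_t units)
{
    COUNTED_WSTR name = wstr(backing, 8);   /* only the first 8 units are valid */
    COUNTED_WSTR n = wstr(needle, units);
    return counted_find(&name, &n);
}

int main(void)
{
    printf(".txt  -> %ld\n", sample_find(n_ext, 4));    /* inside the name */
    printf("stale -> %ld\n", sample_find(n_stale, 5));  /* past Length: not found */
    printf("txts  -> %ld\n", sample_find(n_cross, 4));  /* straddles Length: not found */
    return 0;
}
```
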