Windows Kernel Driver - Memory Access Exception


I am trying to understand drivers better and have built a very basic one from scratch.

#include <ntddk.h>

/* Role-type declarations so the WDK can check the signatures of the callbacks. */
DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD onUnload;

/* Called by the I/O manager when the driver is stopped; nothing to clean up here. */
VOID onUnload(IN PDRIVER_OBJECT pDriver_Object)
{
    UNREFERENCED_PARAMETER(pDriver_Object);
    DbgPrint("Unloading Driver\n");
}

/* Entry point: register the unload routine so the driver can be stopped cleanly. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriver_Object, IN PUNICODE_STRING regPath)
{
    UNREFERENCED_PARAMETER(regPath);
    DbgPrint("Driver Loaded\n");
    pDriver_Object->DriverUnload = onUnload;
    return STATUS_SUCCESS;
}

I am installing it on a Windows 7 x64 machine with driver signing enforcement off. The driver installs just fine, but when I try to start it, I get:

[SC] StartService FAILED 6:
The handle is invalid.

Upon further investigation with WinDbg, I get a:

*** Fatal System Error: 0x0000007e
(0xFFFFFFFFC0000005,0xFFFFF80002C7501D,0xFFFFF88002F89768,0xFFFFF88002F88FC0)

Doing !analyze -v gets me:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002c7501d, The address that the exception occurred at
Arg3: fffff88002f89768, Exception Record Address
Arg4: fffff88002f88fc0, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!IopLoadDriver+5ad
fffff800`02c7501d 0fb77044        movzx   esi,word ptr [rax+44h]

EXCEPTION_RECORD:  fffff88002f89768 -- (.exr 0xfffff88002f89768)
ExceptionAddress: fffff80002c7501d (nt!IopLoadDriver+0x00000000000005ad)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000044
Attempt to read from address 0000000000000044

CONTEXT:  fffff88002f88fc0 -- (.cxr 0xfffff88002f88fc0;r)
rax=0000000000000000 rbx=0000000000000000 rcx=fffff88002f89a08
rdx=fffff88003981000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c7501d rsp=fffff88002f899a0 rbp=0000000020206f49
 r8=fffff88003981000  r9=fffff88002f899a8 r10=00000000c000007b
r11=0000000000000000 r12=0000000000000001 r13=ffffffff80000064
r14=fffffa800f359490 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nt!IopLoadDriver+0x5ad:
fffff800`02c7501d 0fb77044        movzx   esi,word ptr [rax+44h] ds:002b:00000000`00000044=????
Last set context:
rax=0000000000000000 rbx=0000000000000000 rcx=fffff88002f89a08
rdx=fffff88003981000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c7501d rsp=fffff88002f899a0 rbp=0000000020206f49
 r8=fffff88003981000  r9=fffff88002f899a8 r10=00000000c000007b
r11=0000000000000000 r12=0000000000000001 r13=ffffffff80000064
r14=fffffa800f359490 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nt!IopLoadDriver+0x5ad:
fffff800`02c7501d 0fb77044        movzx   esi,word ptr [rax+44h] ds:002b:00000000`00000044=????
Resetting default scope

PROCESS_NAME:  System

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000044

READ_ADDRESS:  0000000000000044 

FOLLOWUP_IP: 
nt!IopLoadDriver+5ad
fffff800`02c7501d 0fb77044        movzx   esi,word ptr [rax+44h]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80002c75875 to fffff80002c7501d

STACK_TEXT:  
fffff880`02f899a0 fffff800`02c75875 : 00000000`00000001 00000000`00000000 00000000`00000000 fffffa80`0f4195f0 : nt!IopLoadDriver+0x5ad
fffff880`02f89c70 fffff800`0289b161 : fffff800`00000000 ffffffff`80000064 fffff800`02c75820 00000000`00000000 : nt!IopLoadUnloadDriver+0x55
fffff880`02f89cb0 fffff800`02b31166 : 00000000`00000000 fffffa80`0cd99680 00000000`00000080 fffffa80`0cd7e890 : nt!ExpWorkerThread+0x111
fffff880`02f89d40 fffff800`0286c486 : fffff800`02a06e80 fffffa80`0cd99680 fffffa80`0cd99b60 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`02f89d80 00000000`00000000 : fffff880`02f8a000 fffff880`02f84000 fffff880`02f89230 00000000`00000000 : nt!KiStartSystemThread+0x16


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!IopLoadDriver+5ad

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc600

IMAGE_VERSION:  6.1.7600.16385

STACK_COMMAND:  .cxr 0xfffff88002f88fc0 ; kb

FAILURE_BUCKET_ID:  X64_0x7E_VRF_nt!IopLoadDriver+5ad

BUCKET_ID:  X64_0x7E_VRF_nt!IopLoadDriver+5ad

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x7e_vrf_nt!ioploaddriver+5ad

FAILURE_ID_HASH:  {9a15ac25-64d6-8f42-e8da-2a5880ae0901}

Followup: MachineOwner

It seems like Windows is not even able to get to my DriverEntry function. Any idea on how to fix this or debug further? Thanks!

windbg
windows-kernel
kmdf
asked on Stack Overflow Apr 23, 2014 by user3557422 • edited Apr 24, 2014 by Evgenii Gostiukhin
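The bugcheck arguments and access-violation parameters in the dump above can be triaged mechanically. The following C program is an added example, not code from the question or its author: it parses the posted !analyze -v text (copied here as a constructed sample), truncates the sign-extended Arg1 back to the 32-bit NTSTATUS, and reproduces the NULL_CLASS_PTR_DEREFERENCE classification, since a read of address 0x44 with rax = 0 is a field at offset 0x44 of a NULL structure pointer. The Parameter[0] meanings (0 read, 1 write, 8 execute) and the 64 KiB unmapped NULL page are standard Windows definitions; the type and function names are my own.

```c
/* Added example (not from the question): triage helper for a
 * SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (0x7E) bugcheck as printed by WinDbg's !analyze -v.
 * Parses the four bugcheck arguments plus the access-violation parameters and classifies
 * the fault the way the NULL_CLASS_PTR_DEREFERENCE bucket in the question does. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define NULL_PAGE_LIMIT 0x10000u /* the first 64 KiB of the address space is never mapped */

typedef struct {
    uint32_t exception_code;   /* Arg1, truncated from its sign-extended 64-bit form */
    uint64_t faulting_address; /* Arg2: the instruction that faulted (nt!IopLoadDriver+0x5ad) */
    uint64_t exception_record; /* Arg3 */
    uint64_t context_record;   /* Arg4 */
    uint64_t access_type;      /* Parameter[0]: 0 = read, 1 = write, 8 = execute (DEP) */
    uint64_t access_address;   /* Parameter[1]: the address that could not be accessed */
} bugcheck_7e_t;

/* Constructed sample: the relevant lines of the question's !analyze -v output. */
static const char SAMPLE_DUMP[] =
    "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)\n"
    "Arguments:\n"
    "Arg1: ffffffffc0000005, The exception code that was not handled\n"
    "Arg2: fffff80002c7501d, The address that the exception occurred at\n"
    "Arg3: fffff88002f89768, Exception Record Address\n"
    "Arg4: fffff88002f88fc0, Context Record Address\n"
    "   ExceptionCode: c0000005 (Access violation)\n"
    "NumberParameters: 2\n"
    "   Parameter[0]: 0000000000000000\n"
    "   Parameter[1]: 0000000000000044\n"
    "Attempt to read from address 0000000000000044\n";

/* Locate "label" in text and parse the hexadecimal value that follows it. Returns 1 on success. */
static int parse_hex_after(const char *text, const char *label, uint64_t *out)
{
    const char *p = strstr(text, label);
    if (!p) return 0;
    p += strlen(label);
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    uint64_t v = strtoull(p, &end, 16);
    if (end == p) return 0;
    *out = v;
    return 1;
}

/* Fill bc from the dump text. Returns 1 if every field was found. */
int parse_bugcheck_7e(const char *dump, bugcheck_7e_t *bc)
{
    uint64_t a1;
    if (!parse_hex_after(dump, "Arg1:", &a1)) return 0;
    bc->exception_code = (uint32_t)a1; /* ffffffffc0000005 -> c0000005 */
    if (!parse_hex_after(dump, "Arg2:", &bc->faulting_address)) return 0;
    if (!parse_hex_after(dump, "Arg3:", &bc->exception_record)) return 0;
    if (!parse_hex_after(dump, "Arg4:", &bc->context_record)) return 0;
    if (!parse_hex_after(dump, "Parameter[0]:", &bc->access_type)) return 0;
    if (!parse_hex_after(dump, "Parameter[1]:", &bc->access_address)) return 0;
    return 1;
}

/* Bucket the fault the way the debugger's default bucket id does. */
const char *classify_bugcheck_7e(const bugcheck_7e_t *bc)
{
    if (bc->exception_code != STATUS_ACCESS_VIOLATION) return "OTHER_EXCEPTION";
    if (bc->access_address < NULL_PAGE_LIMIT)
        return "NULL_CLASS_PTR_DEREFERENCE"; /* small address = NULL base + field offset */
    if (bc->access_type == 8) return "EXECUTE_NX_MEMORY";
    return bc->access_type == 1 ? "INVALID_WRITE" : "INVALID_READ";
}

int main(void)
{
    bugcheck_7e_t bc;
    if (!parse_bugcheck_7e(SAMPLE_DUMP, &bc)) {
        fprintf(stderr, "could not parse bugcheck text\n");
        return 1;
    }
    printf("exception 0x%08x at 0x%016llx, %s of 0x%llx -> %s\n",
           bc.exception_code, (unsigned long long)bc.faulting_address,
           bc.access_type == 1 ? "write" : bc.access_type == 8 ? "execute" : "read",
           (unsigned long long)bc.access_address, classify_bugcheck_7e(&bc));
    return 0;
}
```

For the posted dump the classifier yields NULL_CLASS_PTR_DEREFERENCE, and the access address doubles as the field offset (0x44) that nt!IopLoadDriver expected to read through a pointer that was NULL. The STACK_TEXT in the question contains only nt frames and none from the new driver, which is consistent with the asker's reading that the failure happens inside the loader before DriverEntry is reached.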

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0