@FWidm
Created July 15, 2018 18:16
Microsoft (R) Windows Debugger Version 10.0.17674.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 17134 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17134.1.amd64fre.rs4_release.180410-1804
Machine Name:
Kernel base = 0xfffff803`0aa94000 PsLoadedModuleList = 0xfffff803`0ae4e1f0
Debug session time: Sun Jul 15 19:37:44.385 2018 (UTC + 2:00)
System Uptime: 0 days 10:45:21.076
Loading Kernel Symbols
...............................................................
....Page 34fd6 not present in the dump file. Type ".hh dbgerr004" for details
............................................................
....................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000070`42216018). Type ".hh dbgerr001" for details
Loading unloaded module list
.........
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck F7, {ffffcdd81edff110, 25f4ae9c42d, fffffda0b5163bd2, 0}
Page 16a555 not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : nvlddmkm.sys ( nvlddmkm+1b9306 )
Followup: MachineOwner
---------
nt!KeBugCheckEx:
fffff803`0ac2c430 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffcd84`1edfe260=00000000000000f7
4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: ffffcdd81edff110, Actual security check cookie from the stack
Arg2: 0000025f4ae9c42d, Expected security check cookie
Arg3: fffffda0b5163bd2, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804
SYSTEM_MANUFACTURER: Gigabyte Technology Co., Ltd.
SYSTEM_PRODUCT_NAME: X470 AORUS ULTRA GAMING
SYSTEM_SKU: Default string
SYSTEM_VERSION: Default string
BIOS_VENDOR: American Megatrends Inc.
BIOS_VERSION: F3g
BIOS_DATE: 05/10/2018
BASEBOARD_MANUFACTURER: Gigabyte Technology Co., Ltd.
BASEBOARD_PRODUCT: X470 AORUS ULTRA GAMING-CF
BASEBOARD_VERSION: x.x
DUMP_TYPE: 1
BUGCHECK_P1: ffffcdd81edff110
BUGCHECK_P2: 25f4ae9c42d
BUGCHECK_P3: fffffda0b5163bd2
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 0000025f4ae9c42d found ffffcdd81edff110
CPU_COUNT: 10
CPU_MHZ: e74
CPU_VENDOR: AuthenticAMD
CPU_FAMILY: 17
CPU_MODEL: 8
CPU_STEPPING: 2
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xF7
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: DESKTOP-P8CCI4V
ANALYSIS_SESSION_TIME: 07-15-2018 19:54:01.0156
ANALYSIS_VERSION: 10.0.17674.1000 amd64fre
LAST_CONTROL_TRANSFER: from fffff801393d9306 to fffff8030ac2c430
STACK_TEXT:
ffffcd84`1edfe258 fffff801`393d9306 : 00000000`000000f7 ffffcdd8`1edff110 0000025f`4ae9c42d fffffda0`b5163bd2 : nt!KeBugCheckEx
ffffcd84`1edfe260 fffff801`3933ddf6 : ffff8d05`dc639230 ffffcd84`1edfe3a0 ffffcd84`1edfe930 00000000`00372268 : nvlddmkm+0x1b9306
ffffcd84`1edfe2a0 fffff801`3933f870 : ffff8d05`db4f9000 ffffcd84`1edfe6f0 ffff8d05`dc647540 ffff8d05`db4f9000 : nvlddmkm+0x11ddf6
ffffcd84`1edfe640 fffff801`392ecc12 : 00000000`00000000 ffffcd84`1edfe6d9 ffffcd84`1edfe930 ffff8d05`dc647540 : nvlddmkm+0x11f870
ffffcd84`1edfe670 fffff801`370044ff : fffff801`392ecb7a 00000000`00000100 00000000`00000000 ffff8d05`d78ed8f0 : nvlddmkm+0xccc12
ffffcd84`1edfe740 fffff801`37035619 : ffffcd84`1edff300 ffffbd0a`2c55e750 ffffcd84`1edff198 ffffbd0a`00000002 : dxgkrnl!DXGCONTEXT::Render+0x77f
ffffcd84`1edfee50 ffffd25c`929c8359 : ffffcd84`1edff3b0 00000000`00000000 ffffffff`00000002 00000000`00000000 : dxgkrnl!DxgkCddGdiCommand+0x5b9
ffffcd84`1edff2f0 ffffd25c`929c6dd4 : 00000000`00028b92 00000000`00028b92 ffff8d05`dd6dacb0 ffffd21e`85ef3020 : cdd!CHwCommandBuffer::FlushGdiCommands+0x279
ffffcd84`1edff570 fffff803`0ab78cd7 : ffff8d05`dd6ca080 ffff8d05`dd6ca080 ffffd25c`929c6840 ffffd21e`85ef3020 : cdd!PresentWorkerThread+0x594
ffffcd84`1edffc10 fffff803`0ac338d6 : fffff803`09a77180 ffff8d05`dd6ca080 fffff803`0ab78c90 00000000`00000000 : nt!PspSystemThreadStartup+0x47
ffffcd84`1edffc60 00000000`00000000 : ffffcd84`1ee00000 ffffcd84`1edfa000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
THREAD_SHA1_HASH_MOD_FUNC: d54fdbd4397a7382cbee4c44685652a3cd2c492d
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 35da004f060293df1a02deeba7ea788fb299f38c
THREAD_SHA1_HASH_MOD: 5609009770382e6f8f1fed28e89a5530191190d1
FOLLOWUP_IP:
nvlddmkm+1b9306
fffff801`393d9306 cc int 3
FAULT_INSTR_CODE: 8348cccc
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nvlddmkm+1b9306
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nvlddmkm
IMAGE_NAME: nvlddmkm.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5b2fbada
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 1b9306
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_nvlddmkm!unknown_function
BUCKET_ID: 0xF7_MISSING_GSFRAME_nvlddmkm!unknown_function
PRIMARY_PROBLEM_CLASS: 0xF7_MISSING_GSFRAME_nvlddmkm!unknown_function
TARGET_TIME: 2018-07-15T17:37:44.000Z
OSBUILD: 17134
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2018-07-06 08:57:56
BUILDDATESTAMP_STR: 180410-1804
BUILDLAB_STR: rs4_release
BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804
ANALYSIS_SESSION_ELAPSED_TIME: b28
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xf7_missing_gsframe_nvlddmkm!unknown_function
FAILURE_ID_HASH: {2ffeac14-357b-96a5-98b2-2e606f12e8c0}
Followup: MachineOwner
---------