Jump to content

Windows 7 x64

Jeremy

By Jeremy
in Windows 7

 Share

Recommended Posts


cluberti

cluberti

Posted
Posted

Yes, although that sounds like a kernel-only dump. We'll see what we can do - upload it somewhere after zipping it and we'll have a look.

cluberti

cluberti

Posted
Posted

It almost seems like there's some weird play here between Sandboxie, the NTFS.sys filesystem driver, and the fileinfo.sys filter driver (responsible for doing prefetch and superfetch/readyboost).

// Thread at the time of the crash on CPU0:
0: kd> !thread
THREAD fffffa80018d3b60  Cid 0004.0018  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff8a000008c10
Owning Process            fffffa80018bf040       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      16652232       Ticks: 0
Context Switch Count      425948             
UserTime                  00:00:00.000
KernelTime                00:00:05.296
Win32 Start Address nt!ExpWorkerThread (0xfffff80002c88050)
Stack Init fffff8800318fdb0 Current fffff8800318f9f0
Base fffff88003190000 Limit fffff8800318a000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0318e8e8 fffff880`0125d3d8 : 00000000`00000024 00000000`001904fb fffff880`0318f8d8 fffff880`0318f130 : nt!KeBugCheckEx
fffff880`0318e8f0 fffff880`01331f80 : fffff880`0128dfc8 fffff880`0318fbe0 fffff880`0318fbe0 fffffa80`01fb8000 : Ntfs! ?? ::FNODOBFM::`string'+0x2cc9
fffff880`0318e930 fffff800`02ca94dc : 00000000`3966744e 00000000`00000000 00000000`00000000 00000000`00000004 : Ntfs! ?? ::NNGAKEGL::`string'+0x7d3d
fffff880`0318e980 fffff800`02ca0bed : fffff880`0128dfbc fffff880`0318fbe0 00000000`00000000 fffff880`0123c000 : nt!_C_specific_handler+0x8c
fffff880`0318e9f0 fffff800`02ca8250 : fffff880`0128dfbc fffff880`0318ea68 fffff880`0318f8d8 fffff880`0123c000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`0318ea20 fffff800`02cb51b5 : fffff880`0318f8d8 fffff880`0318f130 fffff880`00000000 fffff880`0318fc38 : nt!RtlDispatchException+0x410
fffff880`0318f100 fffff800`02c7a542 : fffff880`0318f8d8 fffffa80`01cdd910 fffff880`0318f980 fffff8a0`08db3b40 : nt!KiDispatchException+0x135
fffff880`0318f7a0 fffff800`02c78e4a : 00010000`00005f1c fffff880`012d298e fffff8a0`005f8e00 fffffa80`02568180 : nt!KiExceptionDispatch+0xc2
fffff880`0318f980 fffff880`012e66a7 : fffffa80`01cdd910 fffff800`02e1e5a0 fffff8a0`08db3b40 00000000`00000009 : nt!KiGeneralProtectionFault+0x10a (TrapFrame @ fffff880`0318f980)
fffff880`0318fb10 fffff880`012c038f : fffffa80`01cdd910 fffff8a0`08db3c70 fffff8a0`08db3b40 fffffa80`02568180 : Ntfs!NtfsCommonClose+0x1e7
fffff880`0318fbe0 fffff800`02c88161 : 00000000`00000000 fffff880`012c0200 fffff800`02e80101 00000000`0000000d : Ntfs!NtfsFspClose+0x15f
fffff880`0318fcb0 fffff800`02f1e166 : 00000000`00000000 fffffa80`018d3b60 00000000`00000080 fffffa80`018bf040 : nt!ExpWorkerThread+0x111
fffff880`0318fd40 fffff800`02c59486 : fffff880`009e6180 fffffa80`018d3b60 fffff880`009f0f40 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`0318fd80 00000000`00000000 : fffff880`03190000 fffff880`0318a000 fffff880`0318f9f0 00000000`00000000 : nt!KxStartSystemThread+0x16


// Looks like both CPUs could have caused this crash:
0: kd> !running -it

System Processors: (0000000000000003) 
  Idle Processors: (0000000000000000) (0000000000000000) (0000000000000000) (0000000000000000) 

Prcbs  Current           Next            
  0    fffff80002df3e80  fffffa80018d3b60                    ................

  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
fffff880`0318fb10 fffff880`012c038f Ntfs!NtfsCommonClose+0x1e7
fffff880`0318fbe0 fffff800`02c88161 Ntfs!NtfsFspClose+0x15f
fffff880`0318fcb0 fffff800`02f1e166 nt!ExpWorkerThread+0x111
fffff880`0318fd40 fffff800`02c59486 nt!PspSystemThreadStartup+0x5a
fffff880`0318fd80 00000000`00000000 nt!KxStartSystemThread+0x16

  1    fffff880009e6180  fffffa8001f40b60                    ................

Child-SP          RetAddr           Call Site
fffff880`0318fb10 fffff880`012c038f Ntfs!NtfsCommonClose+0x1e7
fffff880`0318fbe0 fffff800`02c88161 Ntfs!NtfsFspClose+0x15f
fffff880`0318fcb0 fffff800`02f1e166 nt!ExpWorkerThread+0x111
fffff880`0318fd40 fffff800`02c59486 nt!PspSystemThreadStartup+0x5a
fffff880`0318fd80 00000000`00000000 nt!KxStartSystemThread+0x16


// Looking at system info to make sure this is a real dual-core box:
0: kd> !sysinfo machineid 
Machine ID Information [From Smbios 2.2, DMIVersion 34, Size=1217]
BiosVendor = Phoenix Technologies, LTD
BiosVersion = 6.00 PG
BiosReleaseDate = 04/06/2006
SystemManufacturer =  
SystemProductName =  
SystemVersion =  
BaseBoardManufacturer = DFI Corp,LTD 
BaseBoardProduct = LP NF4 Series
BaseBoardVersion = 1.0        

0: kd> !sysinfo cpuinfo
[CPU Information]
~MHz = REG_DWORD 2400
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ AMD64 Family 15 Model 43 Stepping 1
ProcessorNameString = REG_SZ AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
VendorIdentifier = REG_SZ AuthenticAMD


// File System filters loaded that would be in play if ntfs.sys is performing FCB operations:
0: kd> !filters

Filter List: fffffa8004e73b70 "Frame 1" 
   FLT_FILTER: fffffa8004e87010 "luafv" "135000"
      FLT_INSTANCE: fffffa8004e8f010 "luafv" "135000"
   FLT_FILTER: fffffa8004d342b0 "SbieDrv" "86900"
      FLT_INSTANCE: fffffa8004d4f600 "SbieDrv Instance" "86900"
      FLT_INSTANCE: fffffa8004d4fb50 "SbieDrv Instance" "86900"
      FLT_INSTANCE: fffffa80053af010 "SbieDrv Instance" "86900"
      FLT_INSTANCE: fffffa8005052cf0 "SbieDrv Instance" "86900"
      FLT_INSTANCE: fffffa8004e01cf0 "SbieDrv Instance" "86900"
      FLT_INSTANCE: fffffa8001e85670 "SbieDrv Instance" "86900"
Filter List: fffffa80022a26e0 "Frame 0" 
   FLT_FILTER: fffffa80022a3be0 "FileInfo" "45000"
      FLT_INSTANCE: fffffa8002434010 "FileInfo" "45000"
      FLT_INSTANCE: fffffa80024c9bb0 "FileInfo" "45000"
      FLT_INSTANCE: fffffa8002643bb0 "FileInfo" "45000"
      FLT_INSTANCE: fffffa80053afa00 "FileInfo" "45000"
      FLT_INSTANCE: fffffa80053d5bb0 "FileInfo" "45000"
      FLT_INSTANCE: fffffa8001e91bb0 "FileInfo" "45000"


// Looks like you just installed the very latest Sandboxie driver:
0: kd> lmvm SbieDrv
start             end                 module name
fffff880`052a7000 fffff880`052cd000   SbieDrv    (deferred)             
    Image path: \??\C:\Program Files\Sandboxie\SbieDrv.sys
    Image name: SbieDrv.sys
    Timestamp:        Sun Jul 04 05:50:33 2010 (4C305969)
    CheckSum:         0002BC56
    ImageSize:        00026000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


// After walking pool and memory, I came across this being accessed at the time:
0: kd> dc fffffa80023914b0 
fffffa80`023914b0  053a2540 fffffa80 04bd6e30 fffffa80  @%:.....0n......
fffffa80`023914c0  04bf23a0 fffffa80 00000000 00000000  .#..............
fffffa80`023914d0  00000000 fffffa80 00060001 00000000  ................
fffffa80`023914e0  023914e0 fffffa80 023914e0 fffffa80  ..9.......9.....
fffffa80`023914f0  00000000 00000000 023914f8 fffffa80  ..........9.....
fffffa80`02391500  023914f8 fffffa80 03cd7578 fffff880  ..9.....xu......
fffffa80`02391510  00170006 7866744e 00000000 500066e0  ....Ntfx.....f.P
fffffa80`02391520  050296e0 fffffa80 01a276a0 fffffa80  .........v......

0: kd> !pool fffffa8002391510 2
Pool page fffffa8002391510 region is Nonpaged pool
*fffffa80023914a0 size:  1e0 previous size:   80  (Free)      *FIPc
		Pooltag FIPc : FileInfo FS-filter Prefetch Context, Binary : fileinfo.sys

0: kd> lmvm fileinfo
start             end                 module name
fffff880`010ae000 fffff880`010c2000   fileinfo   (pdb symbols)          d:\symbols\fileinfo.pdb\99DAA03EB2014EFE91E56C3EF9ADE0F01\fileinfo.pdb
    Loaded symbol image file: fileinfo.sys
    Image path: \SystemRoot\system32\drivers\fileinfo.sys
    Image name: fileinfo.sys
    Timestamp:        Mon Jul 13 19:34:25 2009 (4A5BC481)
    CheckSum:         00015644
    ImageSize:        00014000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Given this info, it almost looks like there's some confusion here between NTFS.sys decrementing the FCB to remove it from the lock list, but we crashed before the IRP could be created. I also see the prefetch filter involved, so I'm wondering if something on the system is overwriting memory (for what it's worth, NTFS.sys tried to write to 0xFFFFFFFFFFFFFFFF, which of course is going to fail) because this should really never happen. Someone (specifically, likely some filter or system security driver) is working behind the scenes on IRP generation. Given what Sandboxie does, I'm quite curious as to what the system would do without that installed...

cluberti

cluberti

Posted
Posted

It's hard to say if sandboxie is a part of it or not - the only thing I can say is that the prefetch was running at the time, so unless your removable drive is being used as a superfetch cache, I'm not sure what happened 100%. It could just be a timing issue you'll never see again, honestly - it's very hard to say.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...