Windows 7 x64


Jeremy

It almost seems like there's some weird play here between Sandboxie, the NTFS.sys filesystem driver, and the fileinfo.sys filter driver (responsible for doing prefetch and superfetch/readyboost).

// Thread at the time of the crash on CPU0:
0: kd> !thread
THREAD fffffa80018d3b60 Cid 0004.0018 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap fffff8a000008c10
Owning Process fffffa80018bf040 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 16652232 Ticks: 0
Context Switch Count 425948
UserTime 00:00:00.000
KernelTime 00:00:05.296
Win32 Start Address nt!ExpWorkerThread (0xfffff80002c88050)
Stack Init fffff8800318fdb0 Current fffff8800318f9f0
Base fffff88003190000 Limit fffff8800318a000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`0318e8e8 fffff880`0125d3d8 : 00000000`00000024 00000000`001904fb fffff880`0318f8d8 fffff880`0318f130 : nt!KeBugCheckEx
fffff880`0318e8f0 fffff880`01331f80 : fffff880`0128dfc8 fffff880`0318fbe0 fffff880`0318fbe0 fffffa80`01fb8000 : Ntfs! ?? ::FNODOBFM::`string'+0x2cc9
fffff880`0318e930 fffff800`02ca94dc : 00000000`3966744e 00000000`00000000 00000000`00000000 00000000`00000004 : Ntfs! ?? ::NNGAKEGL::`string'+0x7d3d
fffff880`0318e980 fffff800`02ca0bed : fffff880`0128dfbc fffff880`0318fbe0 00000000`00000000 fffff880`0123c000 : nt!_C_specific_handler+0x8c
fffff880`0318e9f0 fffff800`02ca8250 : fffff880`0128dfbc fffff880`0318ea68 fffff880`0318f8d8 fffff880`0123c000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`0318ea20 fffff800`02cb51b5 : fffff880`0318f8d8 fffff880`0318f130 fffff880`00000000 fffff880`0318fc38 : nt!RtlDispatchException+0x410
fffff880`0318f100 fffff800`02c7a542 : fffff880`0318f8d8 fffffa80`01cdd910 fffff880`0318f980 fffff8a0`08db3b40 : nt!KiDispatchException+0x135
fffff880`0318f7a0 fffff800`02c78e4a : 00010000`00005f1c fffff880`012d298e fffff8a0`005f8e00 fffffa80`02568180 : nt!KiExceptionDispatch+0xc2
fffff880`0318f980 fffff880`012e66a7 : fffffa80`01cdd910 fffff800`02e1e5a0 fffff8a0`08db3b40 00000000`00000009 : nt!KiGeneralProtectionFault+0x10a (TrapFrame @ fffff880`0318f980)
fffff880`0318fb10 fffff880`012c038f : fffffa80`01cdd910 fffff8a0`08db3c70 fffff8a0`08db3b40 fffffa80`02568180 : Ntfs!NtfsCommonClose+0x1e7
fffff880`0318fbe0 fffff800`02c88161 : 00000000`00000000 fffff880`012c0200 fffff800`02e80101 00000000`0000000d : Ntfs!NtfsFspClose+0x15f
fffff880`0318fcb0 fffff800`02f1e166 : 00000000`00000000 fffffa80`018d3b60 00000000`00000080 fffffa80`018bf040 : nt!ExpWorkerThread+0x111
fffff880`0318fd40 fffff800`02c59486 : fffff880`009e6180 fffffa80`018d3b60 fffff880`009f0f40 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`0318fd80 00000000`00000000 : fffff880`03190000 fffff880`0318a000 fffff880`0318f9f0 00000000`00000000 : nt!KxStartSystemThread+0x16


// Looks like both CPUs could have caused this crash:
0: kd> !running -it

System Processors: (0000000000000003)
Idle Processors: (0000000000000000) (0000000000000000) (0000000000000000) (0000000000000000)

Prcbs Current Next
0 fffff80002df3e80 fffffa80018d3b60 ................

*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
fffff880`0318fb10 fffff880`012c038f Ntfs!NtfsCommonClose+0x1e7
fffff880`0318fbe0 fffff800`02c88161 Ntfs!NtfsFspClose+0x15f
fffff880`0318fcb0 fffff800`02f1e166 nt!ExpWorkerThread+0x111
fffff880`0318fd40 fffff800`02c59486 nt!PspSystemThreadStartup+0x5a
fffff880`0318fd80 00000000`00000000 nt!KxStartSystemThread+0x16

1 fffff880009e6180 fffffa8001f40b60 ................

Child-SP RetAddr Call Site
fffff880`0318fb10 fffff880`012c038f Ntfs!NtfsCommonClose+0x1e7
fffff880`0318fbe0 fffff800`02c88161 Ntfs!NtfsFspClose+0x15f
fffff880`0318fcb0 fffff800`02f1e166 nt!ExpWorkerThread+0x111
fffff880`0318fd40 fffff800`02c59486 nt!PspSystemThreadStartup+0x5a
fffff880`0318fd80 00000000`00000000 nt!KxStartSystemThread+0x16


// Looking at system info to make sure this is a real dual-core box:
0: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.2, DMIVersion 34, Size=1217]
BiosVendor = Phoenix Technologies, LTD
BiosVersion = 6.00 PG
BiosReleaseDate = 04/06/2006
SystemManufacturer =
SystemProductName =
SystemVersion =
BaseBoardManufacturer = DFI Corp,LTD
BaseBoardProduct = LP NF4 Series
BaseBoardVersion = 1.0

0: kd> !sysinfo cpuinfo
[CPU Information]
~MHz = REG_DWORD 2400
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ AMD64 Family 15 Model 43 Stepping 1
ProcessorNameString = REG_SZ AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
VendorIdentifier = REG_SZ AuthenticAMD


// File System filters loaded that would be in play if ntfs.sys is performing FCB operations:
0: kd> !filters

Filter List: fffffa8004e73b70 "Frame 1"
FLT_FILTER: fffffa8004e87010 "luafv" "135000"
FLT_INSTANCE: fffffa8004e8f010 "luafv" "135000"
FLT_FILTER: fffffa8004d342b0 "SbieDrv" "86900"
FLT_INSTANCE: fffffa8004d4f600 "SbieDrv Instance" "86900"
FLT_INSTANCE: fffffa8004d4fb50 "SbieDrv Instance" "86900"
FLT_INSTANCE: fffffa80053af010 "SbieDrv Instance" "86900"
FLT_INSTANCE: fffffa8005052cf0 "SbieDrv Instance" "86900"
FLT_INSTANCE: fffffa8004e01cf0 "SbieDrv Instance" "86900"
FLT_INSTANCE: fffffa8001e85670 "SbieDrv Instance" "86900"
Filter List: fffffa80022a26e0 "Frame 0"
FLT_FILTER: fffffa80022a3be0 "FileInfo" "45000"
FLT_INSTANCE: fffffa8002434010 "FileInfo" "45000"
FLT_INSTANCE: fffffa80024c9bb0 "FileInfo" "45000"
FLT_INSTANCE: fffffa8002643bb0 "FileInfo" "45000"
FLT_INSTANCE: fffffa80053afa00 "FileInfo" "45000"
FLT_INSTANCE: fffffa80053d5bb0 "FileInfo" "45000"
FLT_INSTANCE: fffffa8001e91bb0 "FileInfo" "45000"


// Looks like you just installed the very latest Sandboxie driver:
0: kd> lmvm SbieDrv
start end module name
fffff880`052a7000 fffff880`052cd000 SbieDrv (deferred)
Image path: \??\C:\Program Files\Sandboxie\SbieDrv.sys
Image name: SbieDrv.sys
Timestamp: Sun Jul 04 05:50:33 2010 (4C305969)
CheckSum: 0002BC56
ImageSize: 00026000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4


// After walking pool and memory, I came across this being accessed at the time:
0: kd> dc fffffa80023914b0
fffffa80`023914b0 053a2540 fffffa80 04bd6e30 fffffa80 @%:.....0n......
fffffa80`023914c0 04bf23a0 fffffa80 00000000 00000000 .#..............
fffffa80`023914d0 00000000 fffffa80 00060001 00000000 ................
fffffa80`023914e0 023914e0 fffffa80 023914e0 fffffa80 ..9.......9.....
fffffa80`023914f0 00000000 00000000 023914f8 fffffa80 ..........9.....
fffffa80`02391500 023914f8 fffffa80 03cd7578 fffff880 ..9.....xu......
fffffa80`02391510 00170006 7866744e 00000000 500066e0 ....Ntfx.....f.P
fffffa80`02391520 050296e0 fffffa80 01a276a0 fffffa80 .........v......

0: kd> !pool fffffa8002391510 2
Pool page fffffa8002391510 region is Nonpaged pool
*fffffa80023914a0 size: 1e0 previous size: 80 (Free) *FIPc
Pooltag FIPc : FileInfo FS-filter Prefetch Context, Binary : fileinfo.sys

0: kd> lmvm fileinfo
start end module name
fffff880`010ae000 fffff880`010c2000 fileinfo (pdb symbols) d:\symbols\fileinfo.pdb\99DAA03EB2014EFE91E56C3EF9ADE0F01\fileinfo.pdb
Loaded symbol image file: fileinfo.sys
Image path: \SystemRoot\system32\drivers\fileinfo.sys
Image name: fileinfo.sys
Timestamp: Mon Jul 13 19:34:25 2009 (4A5BC481)
CheckSum: 00015644
ImageSize: 00014000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

Given this info, it almost looks like there's some confusion here between NTFS.sys decrementing the FCB to remove it from the lock list, but we crashed before the IRP could be created. I also see the prefetch filter involved, so I'm wondering if something on the system is overwriting memory (for what it's worth, NTFS.sys tried to write to 0xFFFFFFFFFFFFFFFF, which of course is going to fail) because this should really never happen. Someone (specifically, likely some filter or system security driver) is working behind the scenes on IRP generation. Given what Sandboxie does, I'm quite curious as to what the system would do without that installed...

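As an added worked example (not part of Jeremy's post, and not Sandboxie's or Microsoft's code), the following Python parses the `!filters` and `!thread` output quoted above to answer the two triage questions the post works through by hand: which minifilters sat in the I/O path above NTFS, ordered by altitude (higher altitude sees the request first), and which frame below the trap frame actually faulted. The sample strings are copied from the post (trimmed); the set of Windows-inbox filter names used to flag third-party drivers is an assumption.

```python
import re

# Sample !filters output, copied from the post above (trimmed to a few instances).
FILTERS_OUTPUT = """\
Filter List: fffffa8004e73b70 "Frame 1"
FLT_FILTER: fffffa8004e87010 "luafv" "135000"
FLT_INSTANCE: fffffa8004e8f010 "luafv" "135000"
FLT_FILTER: fffffa8004d342b0 "SbieDrv" "86900"
FLT_INSTANCE: fffffa8004d4f600 "SbieDrv Instance" "86900"
FLT_INSTANCE: fffffa8004d4fb50 "SbieDrv Instance" "86900"
FLT_INSTANCE: fffffa80053af010 "SbieDrv Instance" "86900"
Filter List: fffffa80022a26e0 "Frame 0"
FLT_FILTER: fffffa80022a3be0 "FileInfo" "45000"
FLT_INSTANCE: fffffa8002434010 "FileInfo" "45000"
FLT_INSTANCE: fffffa80024c9bb0 "FileInfo" "45000"
"""

# Sample !thread call stack, copied from the post above (middle frames omitted).
STACK_OUTPUT = """\
Child-SP RetAddr : Args to Child : Call Site
fffff880`0318e8e8 fffff880`0125d3d8 : 00000000`00000024 00000000`001904fb fffff880`0318f8d8 fffff880`0318f130 : nt!KeBugCheckEx
fffff880`0318e8f0 fffff880`01331f80 : fffff880`0128dfc8 fffff880`0318fbe0 fffff880`0318fbe0 fffffa80`01fb8000 : Ntfs! ?? ::FNODOBFM::`string'+0x2cc9
fffff880`0318f7a0 fffff800`02c78e4a : 00010000`00005f1c fffff880`012d298e fffff8a0`005f8e00 fffffa80`02568180 : nt!KiExceptionDispatch+0xc2
fffff880`0318f980 fffff880`012e66a7 : fffffa80`01cdd910 fffff800`02e1e5a0 fffff8a0`08db3b40 00000000`00000009 : nt!KiGeneralProtectionFault+0x10a (TrapFrame @ fffff880`0318f980)
fffff880`0318fb10 fffff880`012c038f : fffffa80`01cdd910 fffff8a0`08db3c70 fffff8a0`08db3b40 fffffa80`02568180 : Ntfs!NtfsCommonClose+0x1e7
fffff880`0318fbe0 fffff800`02c88161 : 00000000`00000000 fffff880`012c0200 fffff800`02e80101 00000000`0000000d : Ntfs!NtfsFspClose+0x15f
"""

# Assumption: minifilter names shipped with Windows; anything else is flagged as third-party.
INBOX_FILTERS = {"luafv", "fileinfo", "fltmgr", "wof", "wcifs"}

FILTER_LIST_RE = re.compile(r'^Filter List:\s+[0-9a-f]+\s+"([^"]+)"')
FILTER_RE = re.compile(r'^FLT_FILTER:\s+([0-9a-f]+)\s+"([^"]+)"\s+"(\d+)"')
INSTANCE_RE = re.compile(r'^FLT_INSTANCE:\s+[0-9a-f]+\s+"[^"]+"\s+"\d+"')
# Child-SP and RetAddr are 64-bit values printed as 8`8 hex digits (17 chars).
STACK_RE = re.compile(r'^([0-9a-f`]{17}) ([0-9a-f`]{17}) : (.*?) : (.+)$')


def parse_filters(text):
    """Return one record per FLT_FILTER, sorted by altitude, highest first."""
    filters = []
    frame = None
    for line in text.splitlines():
        m = FILTER_LIST_RE.match(line)
        if m:
            frame = m.group(1)
            continue
        m = FILTER_RE.match(line)
        if m:
            address, name, altitude = m.groups()
            filters.append({
                "frame": frame,
                "address": address,
                "name": name,
                "altitude": int(altitude),
                "instances": 0,
                "third_party": name.lower() not in INBOX_FILTERS,
            })
            continue
        if INSTANCE_RE.match(line) and filters:
            # FLT_INSTANCE lines belong to the most recent FLT_FILTER (one per volume).
            filters[-1]["instances"] += 1
    return sorted(filters, key=lambda f: f["altitude"], reverse=True)


def parse_stack(text):
    """Return the frames of a `!thread`/`k` listing with decoded argument values."""
    frames = []
    for line in text.splitlines():
        m = STACK_RE.match(line)
        if not m:
            continue  # header line or anything that is not a frame
        child_sp, ret_addr, args, site = m.groups()
        frames.append({
            "child_sp": child_sp,
            "ret_addr": ret_addr,
            "args": [int(a.replace("`", ""), 16) for a in args.split()],
            "site": site,
            "module": site.split("!", 1)[0].strip(),
            "trap_frame": "TrapFrame" in site,
        })
    return frames


def bugcheck(frames):
    """(bug check code, parameters) from the KeBugCheckEx frame's 'Args to Child'."""
    for f in frames:
        if f["site"].startswith("nt!KeBugCheckEx"):
            return f["args"][0], f["args"][1:]
    return None


def faulting_frame(frames):
    """The frame directly below the trap frame is the code that raised the exception."""
    for i, f in enumerate(frames):
        if f["trap_frame"] and i + 1 < len(frames):
            return frames[i + 1]["site"]
    return None


if __name__ == "__main__":
    for f in parse_filters(FILTERS_OUTPUT):
        tag = "third-party" if f["third_party"] else "inbox"
        print(f"{f['altitude']:>7} {f['name']:<10} {f['frame']} instances={f['instances']} ({tag})")
    frames = parse_stack(STACK_OUTPUT)
    code, params = bugcheck(frames)
    print(f"bug check 0x{code:X}, parameters {[hex(p) for p in params]}")
    print("faulting frame:", faulting_frame(frames))
```

Bug check 0x24 is NTFS_FILE_SYSTEM; its first parameter identifies the NTFS source file and line, which is why the post goes on to look at what NtfsCommonClose was touching rather than at the bug check parameters themselves. The altitude ordering is what tells you that SbieDrv (86900) sat between luafv and FileInfo (45000) for every I/O on the volumes where it had instances.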

It's hard to say if sandboxie is a part of it or not - the only thing I can say is that the prefetch was running at the time, so unless your removable drive is being used as a superfetch cache, I'm not sure what happened 100%. It could just be a timing issue you'll never see again, honestly - it's very hard to say.
