Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar Sorry, I'm not skilled enough to manually add a new exported function to vista 5048 ndis.sys implementing this into ntoskrn8.sys won't do anything since it will never be called from there. making an ndis.sys extender for this version won't work either since we don't have a vista beta DDK to link it to, and the vista RTM version of the ndis.lib library won't link it correctly.
Dietmar Posted June 7, 2022 Posted June 7, 2022 (edited) @Damnation May be it is not so difficult, if we understand how PE Maker and PE_Tool_0.0.5 work. The function KeQueryActiveProcessorCountEx you already integrate in ntoskrn8.sys. The function itself we can take from ndis.sys from win7 sp1, NdisGroupActiveProcessorCount but I also dont know how to extract this function Dietmar PS: Via IdaPro, the HexValues of this Export function in ndis.sys win7 sp1 bit32 are just Beginning with to end .text:0001832A ; Exported entry 200. NdisGroupActiveProcessorCount .text:0001832A .text:0001832A ; =============== S U B R O U T I N E ======================================= .text:0001832A .text:0001832A ; Attributes: bp-based frame .text:0001832A .text:0001832A ; __stdcall NdisGroupActiveProcessorCount(x) .text:0001832A public _NdisGroupActiveProcessorCount@4 .text:0001832A _NdisGroupActiveProcessorCount@4 proc near .text:0001832A ; CODE XREF: ndisCreateReceiveWorkerThreadPool()+42p .text:0001832A mov edi, edi .text:0001832C push ebp .text:0001832D mov ebp, esp .text:0001832F pop ebp .text:00018330 jmp ds:__imp__KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x) .text:00018330 _NdisGroupActiveProcessorCount@4 endp .text:00018330 .text:00018330 ; --------------------------------------------------------------------------- 8B FF 55 8B EC 5D FF 25 B4 F0 04 00 Edited June 7, 2022 by Dietmar
Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar I think @Mov AX, 0xDEAD or @daniel_k would know more about adding a new exported function to 5048 ndis.sys since they've done this sort of thing before.
Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar I implemented SeCaptureSubjectContextEx and SeAccessCheckFromState in assembly in this version https://ufile.io/8sapwobp please test. If this still doesn't work I'll do the same for NtTraceControl and NtQuerySystemInformationEx
Dietmar Posted June 7, 2022 Posted June 7, 2022 @Damnation Now Bsod goes to ntoskrn8.sys Dietmar Intel Storage Driver Ver: 11.2.0.1006 *** ERROR: Symbol file could not be found. Defaulted to export symbols for e1d6232.sys - Breakpoint 0 hit e1d6232!DriverEntry: b6a56094 55 push ebp 1: kd> g *** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 18:14:34.234 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 ......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba330d70, 0, 0} Probably caused by : ntoskrn8.sys ( ntoskrn8!_imp__SeQueryInformationToken+2 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba330d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba551367 ebx=00020019 ecx=ba550090 edx=e1640008 esi=ba553690 edi=8bc3a9c7 eip=b9973072 esp=e8570689 ebp=ba553658 iopl=0 nv up ei pl nz ac pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217 ntoskrn8!_imp__SeQueryInformationToken+0x2: b9973072 5e pop esi Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to b9973072 UNALIGNED_STACK_POINTER: e8570689 STACK_TEXT: ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__SeQueryInformationToken+0x2 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!_imp__SeQueryInformationToken+2 b9973072 5e pop esi SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!_imp__SeQueryInformationToken+2 FOLLOWUP_NAME: MachineOwner MODULE_NAME: ntoskrn8 IMAGE_NAME: ntoskrn8.sys DEBUG_FLR_IMAGE_TIMESTAMP: 629f7012 IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: 0x7f_8_ntoskrn8!_imp__SeQueryInformationToken+2 BUCKET_ID: 0x7f_8_ntoskrn8!_imp__SeQueryInformationToken+2 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0x7f_8_ntoskrn8!_imp__sequeryinformationtoken+2 FAILURE_ID_HASH: {ddac3b4e-42a8-11ea-6936-c7f1f378e5c8} Followup: MachineOwner --------- 1: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb 80706000 8072e000 kdcom (deferred) b34d2000 b353f000 e1d6232 (deferred) b35ab000 b3608f00 update (deferred) b3609000 b362b700 ks (deferred) b362c000 b365bc80 rdpdr (deferred) b41cb000 b41cbc00 audstub (deferred) b44c7000 b44d0f80 termdd (deferred) b8e01000 b8e09e00 intelppm (deferred) b92b1000 b92b3280 wmiacpi (deferred) b96b5000 b96dd000 HDAudBus (deferred) b97f3000 b97f6d80 serenum (deferred) b97fb000 b97fec80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec980 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\DE5820ED5A0D4BDDAA0BD990F97C228A1\ntoskrn8.pdb b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba248000 ba254d00 i8042prt (deferred) ba258000 ba267c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba498000 ba49e000 kbdclass (deferred) ba4a0000 ba4a5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba5c0000 ba5c1100 swenum (deferred) Unloaded modules: b44a7000 b44b7000 cdrom.sys b97f7000 b97fa000 Sfloppy.SYS b44b7000 b44c3000 Flpydisk.SYS b3d67000 b3d6e000 Fdc.SYS b6a53000 b6ac0000 e1d6232.sys
Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar is this happening in SeQueryInformationToken_inject? or somewhere else?
Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar I made some changes to SeQueryInformationToken https://ufile.io/q1o3tltj please test this one.
Dietmar Posted June 7, 2022 Posted June 7, 2022 (edited) @Damnation I just test. When you do a trace in Windbg, it is an endless loop after the driver e1d6232.sys is unloaded This is output from Windbg Dietmar Intel Storage Driver Ver: 11.2.0.1006 *** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 19:29:10.484 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 ......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba330d70, 0, 0} Probably caused by : hardware ( ntoskrn8!_imp__KeInitializeMutex+3 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba330d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba551367 ebx=00020019 ecx=ba556e90 edx=e1766ea8 esi=ba553690 edi=8bc3a9c7 eip=b9972fef esp=e8570689 ebp=ba553658 iopl=0 nv up ei ng nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282 ntoskrn8!_imp__KeInitializeMutex+0x3: b9972fef 80340850 xor byte ptr [eax+ecx],50h ds:0023:74aa81f7=?? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to b9972fef MISALIGNED_IP: ntoskrn8!_imp__KeInitializeMutex+3 b9972fef 80340850 xor byte ptr [eax+ecx],50h UNALIGNED_STACK_POINTER: e8570689 STACK_TEXT: ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__KeInitializeMutex+0x3 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!_imp__KeInitializeMutex+3 b9972fef 80340850 xor byte ptr [eax+ecx],50h SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!_imp__KeInitializeMutex+3 FOLLOWUP_NAME: MachineOwner MODULE_NAME: hardware IMAGE_NAME: hardware DEBUG_FLR_IMAGE_TIMESTAMP: 0 IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: IP_MISALIGNED_ntoskrn8.sys BUCKET_ID: IP_MISALIGNED_ntoskrn8.sys ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:ip_misaligned_ntoskrn8.sys FAILURE_ID_HASH: {dbda5822-4532-65a2-14de-bf4f49b55a8c} Followup: MachineOwner --------- 1: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb 80706000 8072e000 kdcom (deferred) b693b000 b69a8000 e1d6232 (deferred) b6cda000 b6d37f00 update (deferred) b6d38000 b6d5a700 ks (deferred) b6d5b000 b6d8ac80 rdpdr (deferred) b915a000 b9163f80 termdd (deferred) b96b5000 b96dd000 HDAudBus (deferred) b9795000 b9797280 wmiacpi (deferred) b97f3000 b97f6d80 serenum (deferred) b97f7000 b97fac80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec900 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\D8662FF0A5A24F3A82813E44885940221\ntoskrn8.pdb b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba1e8000 ba1f0e00 intelppm (deferred) ba298000 ba2a4d00 i8042prt (deferred) ba2a8000 ba2b7c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba4a8000 ba4ae000 kbdclass (deferred) ba4b0000 ba4b5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba624000 ba625100 swenum (deferred) ba683000 ba683c00 audstub (deferred) Unloaded modules: b8dca000 b8dda000 cdrom.sys b883e000 b8841000 Sfloppy.SYS b8dda000 b8de6000 Flpydisk.SYS b8d5a000 b8d61000 Fdc.SYS b9648000 b96b5000 e1d6232.sys Edited June 7, 2022 by Dietmar
Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar This was with the most recent version? If it's in an infinite loop, I guess I'll stop working on this for now. Unless you or @Mov AX, 0xDEAD have some ideas for where to go from here?
Dietmar Posted June 7, 2022 Posted June 7, 2022 @Damnation Only the last 2 ntoskrn8.exe gives this Kerneltrap 7F Dietmar
Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar I've never heard of it. Although If I want to patched imports I can already use CFF Explorer or PEMaker 0.8.2 for that. 1
Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar I just remembered something! I did not update the security_cookie in ndis/netio/msrpc.sys IIRC This might be the cause of the 7F BSOD Give me a few minutes to patch them.
Damnation Posted June 7, 2022 Author Posted June 7, 2022 @Dietmar OK, I changed security_cookie in those files https://ufile.io/072ifs98 hopefully this yields results!
Dietmar Posted June 7, 2022 Posted June 7, 2022 @Damnation Same as before Dietmar Intel Storage Driver Ver: 11.2.0.1006 *** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 20:53:44.562 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 ......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba330d70, 0, 0} Probably caused by : hardware ( ntoskrn8!_imp__KeInitializeMutex+3 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba330d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba551367 ebx=00020019 ecx=ba55da90 edx=e174daa0 esi=ba553690 edi=8bc3a9c7 eip=b9972fef esp=e8570689 ebp=ba553658 iopl=0 nv up ei ng nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282 ntoskrn8!_imp__KeInitializeMutex+0x3: b9972fef 80340850 xor byte ptr [eax+ecx],50h ds:0023:74aaedf7=?? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to b9972fef MISALIGNED_IP: ntoskrn8!_imp__KeInitializeMutex+3 b9972fef 80340850 xor byte ptr [eax+ecx],50h UNALIGNED_STACK_POINTER: e8570689 STACK_TEXT: ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__KeInitializeMutex+0x3 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!_imp__KeInitializeMutex+3 b9972fef 80340850 xor byte ptr [eax+ecx],50h SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!_imp__KeInitializeMutex+3 FOLLOWUP_NAME: MachineOwner MODULE_NAME: hardware IMAGE_NAME: hardware DEBUG_FLR_IMAGE_TIMESTAMP: 0 IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: IP_MISALIGNED_ntoskrn8.sys BUCKET_ID: IP_MISALIGNED_ntoskrn8.sys ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:ip_misaligned_ntoskrn8.sys FAILURE_ID_HASH: {dbda5822-4532-65a2-14de-bf4f49b55a8c} Followup: MachineOwner --------- 1: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb 80706000 8072e000 kdcom (deferred) b5495000 b5502000 e1d6232 (deferred) b5b6a000 b5bc7f00 update (deferred) b5bc8000 b5bea700 ks (deferred) b5c13000 b5c42c80 rdpdr (deferred) b76af000 b76afc00 audstub (deferred) b91c1000 b91caf80 termdd (deferred) b96b5000 b96dd000 HDAudBus (deferred) b97b9000 b97bb280 wmiacpi (deferred) b97f3000 b97f6d80 serenum (deferred) b97ff000 b9802c80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec900 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\D8662FF0A5A24F3A82813E44885940221\ntoskrn8.pdb b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba2c8000 ba2d4d00 i8042prt (deferred) ba2d8000 ba2e7c00 serial (deferred) ba2e8000 ba2f0e00 intelppm (deferred) ba328000 ba32e800 firadisk (deferred) ba388000 ba38da00 mouclass (deferred) ba4b0000 ba4b6000 kbdclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba614000 ba615100 swenum (deferred) Unloaded modules: b8ecb000 b8edb000 cdrom.sys b97f7000 b97fa000 Sfloppy.SYS b8eeb000 b8ef7000 Flpydisk.SYS b8dcb000 b8dd2000 Fdc.SYS b9648000 b96b5000 e1d6232.sys
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now