Debugging Stop 0x4A - User-Mode and IRQL Levels

Okay, here's another debugging example which has quite a simple methodology, a driver has returned to User-Mode while the IRQL Level was above PASSIVE_LEVEL or Level 0.


The first parameter indicates the IRQL Level of the processor, in which in this case is Level 2 or DISPATCH_LEVEL. The first parameter indicates the address of the system call in which the driver has returned from.

The main point to remember is that all threads which run in User-Mode run at the IRQL Level of 0, this is ensure that no User-Mode thread has a higher interrupt priority than any Kernel-Mode threads. In case, you wondering which cases a User-Mode application may need to call into Kernel-Mode, a good listing of examples can be found here - User-Mode Interactions: Guidelines for Kernel-Mode Drivers

The stack does not reveal much, apart from this:

The stack simply reveals a function in User-Mode calling the nt!KiServiceExit2 routine, which is a internal Kernel routine.


The use of dd command in a stack can be found here - [Advanced] Principles of debugging

The driver which seems to be causing the problem is related to the Bitdefender program.


I understand, this was a very short and brief tutorial, but to be honest there isn't much behind this bugcheck apart from what I have already explained.

Happy Halloween!

Comments

Post a Comment

Popular posts from this blog

Debugging Stop 0x1E - Finding the Exception Record Address in the Stack

Image
This is going to be a very short blog post, just to demonstrate how to find the Exception Record address in the stack, and how many times it seems to appear within the call stack. Interestingly, but not unsurprisingly, the exception code wasn't passed to any of the exception handlers in the call stack. The blue highlighting is the address of the exception record, and the green highlighting is the address of the trap frame which contains the last saved context. The !exchain extension shows all the exception handlers in the call stack. The _CONTEXT data structure can show us the saved registers from the trap frame. Please note I've omitted this data structure to the main registers.
Read more

Windows Access Tokens - !token and _TOKEN

Image
Windows needs to ensure that untrusted code and untrusted users aren't accessing important areas of the operating system, and creating problems which would ultimately lead to a vast number of BSODs. Windows manages this through Access Tokens which are used to identify the security context of a process/thread and a user. Access Tokens take two main forms: a Primary access token and a Impersonation access token. The Access Token additionally has two important features which are integral to security validation: SIDs (Security Identifiers) and a Privilege Array which contains the privileges allowed for that object. The token type can be found within a enumeration called TOKEN_TYPE.   The data structure can be found under the TokenType field within the _TOKEN structure. The Primary type determines the security context of the process for the currently logged on user, and the Impersonation type allows a thread to temporarily use a different security context. The Token type can also ...
Read more

Virtual to Physical Address Translation (Part 3)

Image
All the pages resident in physical memory are manged by the PFN Database or Page Frame Number Database. The PFN is used to describe the page state of each page, and the number of references to this page. Page States The page states can be found in a enumeration called _MMLISTS: Zeroed - The page already is free and already contains 0's, or has been freed and being zeroed. Free - The page is free, but may still contain data since the Dirty bit could have not been set, therefore these pages are zeroed before being marked as a user page for user-mode processes. Standby - The page has been recently been removed from the working set of a process, and as a result is currently in Transition. The page hasn't been written to or modified since removal and transfer to the hard disk, but the PTE (Invalid) may still refer to the physical page. Modified - The page has been recently removed from the working set of a process, but has been written to and modified before it was written to th...
Read more