- Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
- Copyright (c) Microsoft Corporation. All rights reserved.
- Loading Dump File [C:\Windows\Minidump\020115-22843-01.dmp]
- Mini Kernel Dump File: Only registers and stack trace are available
- ************* Symbol Path validation summary **************
- Response Time (ms) Location
- Deferred symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/download/symbols
- Symbol search path is: symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/download/symbols
- Executable search path is:
- Windows 8 Kernel Version 9600 MP (3 procs) Free x64
- Product: WinNt, suite: TerminalServer SingleUserTS
- Built by: 9600.16404.amd64fre.winblue_gdr.130913-2141
- Machine Name:
- Kernel base = 0xfffff803`a5a77000 PsLoadedModuleList = 0xfffff803`a5d3b990
- Debug session time: Sun Feb 1 05:06:33.847 2015 (UTC - 8:00)
- System Uptime: 0 days 1:30:44.225
- Loading Kernel Symbols
- .
- Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
- Run !sym noisy before .reload to track down problems loading symbols.
- ..............................................................
- ................................................................
- ............
- Loading User Symbols
- Loading unloaded module list
- ......
- *******************************************************************************
- * *
- * Bugcheck Analysis *
- * *
- *******************************************************************************
- Use !analyze -v to get detailed debugging information.
- BugCheck 7F, {8, ffffd00020648070, ffffd00027eedfd0, fffff803a5e42fb3}
- *** WARNING: Unable to verify timestamp for TitanHide.sys
- *** ERROR: Module load completed but symbols could not be loaded for TitanHide.sys
- Probably caused by : TitanHide.sys ( TitanHide+3daa )
- Followup: MachineOwner
- ---------
- 2: kd> !analyze -v
- *******************************************************************************
- * *
- * Bugcheck Analysis *
- * *
- *******************************************************************************
- UNEXPECTED_KERNEL_MODE_TRAP (7f)
- This means a trap occurred in kernel mode, and it's a trap of a kind
- that the kernel isn't allowed to have/catch (bound trap) or that
- is always instant death (double fault). The first number in the
- bugcheck params is the number of the trap (8 = double fault, etc)
- Consult an Intel x86 family manual to learn more about what these
- traps are. Here is a *portion* of those codes:
- If kv shows a taskGate
- use .tss on the part before the colon, then kv.
- Else if kv shows a trapframe
- use .trap on that value
- Else
- .trap on the appropriate frame will show where the trap was taken
- (on x86, this will be the ebp that goes with the procedure KiTrap)
- Endif
- kb will then show the corrected stack.
- Arguments:
- Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
- Arg2: ffffd00020648070
- Arg3: ffffd00027eedfd0
- Arg4: fffff803a5e42fb3
- Debugging Details:
- ------------------
- BUGCHECK_STR: 0x7f_8
- CUSTOMER_CRASH_COUNT: 1
- DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
- PROCESS_NAME: MsMpEng.exe
- CURRENT_IRQL: 0
- ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
- LAST_CONTROL_TRANSFER: from fffff803a5bd07e9 to fffff803a5bc4ca0
- STACK_TEXT:
- ffffd000`20647f28 fffff803`a5bd07e9 : 00000000`0000007f 00000000`00000008 ffffd000`20648070 ffffd000`27eedfd0 : nt!KeBugCheckEx
- ffffd000`20647f30 fffff803`a5bce8f4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
- ffffd000`20648070 fffff803`a5e42fb3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb4
- ffffd000`27eedfd0 fffff803`a5dfd3db : 00000000`00000000 00000000`00001000 ffffe000`0019a500 00000000`00000000 : nt!ObReferenceObjectByHandleWithTag+0xb3
- ffffd000`27eee070 fffff800`02203daa : 00000000`00000000 fffff800`02203615 00000000`00000000 00000000`00000000 : nt!NtQueryInformationProcess+0x4fb
- ffffd000`27eee580 00000000`00000000 : fffff800`02203615 00000000`00000000 00000000`00000000 00000000`00000000 : TitanHide+0x3daa
- STACK_COMMAND: kb
- FOLLOWUP_IP:
- TitanHide+3daa
- fffff800`02203daa ?? ???
- SYMBOL_STACK_INDEX: 5
- SYMBOL_NAME: TitanHide+3daa
- FOLLOWUP_NAME: MachineOwner
- MODULE_NAME: TitanHide
- IMAGE_NAME: TitanHide.sys
- DEBUG_FLR_IMAGE_TIMESTAMP: 54ce23e4
- FAILURE_BUCKET_ID: 0x7f_8_TitanHide+3daa
- BUCKET_ID: 0x7f_8_TitanHide+3daa
- ANALYSIS_SOURCE: KM
- FAILURE_ID_HASH_STRING: km:0x7f_8_titanhide+3daa
- FAILURE_ID_HASH: {e682804c-9a59-aca7-4ba8-4482ed18d520}
- Followup: MachineOwner
- ---------
- ************* Symbol Path validation summary **************
- Response Time (ms) Location
- Deferred symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/download/symbols
- OK C:\Users\Admin\Desktop\TitanHide
- 2: kd> .reload
- Loading Kernel Symbols
- .
- Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
- Run !sym noisy before .reload to track down problems loading symbols.
- ..............................................................
- ................................................................
- ............
- Loading User Symbols
- Loading unloaded module list
- ......
- 2: kd> !analyze -v
- *******************************************************************************
- * *
- * Bugcheck Analysis *
- * *
- *******************************************************************************
- UNEXPECTED_KERNEL_MODE_TRAP (7f)
- This means a trap occurred in kernel mode, and it's a trap of a kind
- that the kernel isn't allowed to have/catch (bound trap) or that
- is always instant death (double fault). The first number in the
- bugcheck params is the number of the trap (8 = double fault, etc)
- Consult an Intel x86 family manual to learn more about what these
- traps are. Here is a *portion* of those codes:
- If kv shows a taskGate
- use .tss on the part before the colon, then kv.
- Else if kv shows a trapframe
- use .trap on that value
- Else
- .trap on the appropriate frame will show where the trap was taken
- (on x86, this will be the ebp that goes with the procedure KiTrap)
- Endif
- kb will then show the corrected stack.
- Arguments:
- Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
- Arg2: ffffd00020648070
- Arg3: ffffd00027eedfd0
- Arg4: fffff803a5e42fb3
- Debugging Details:
- ------------------
- BUGCHECK_STR: 0x7f_8
- CUSTOMER_CRASH_COUNT: 1
- DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
- PROCESS_NAME: MsMpEng.exe
- CURRENT_IRQL: 0
- ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
- LAST_CONTROL_TRANSFER: from fffff803a5bd07e9 to fffff803a5bc4ca0
- STACK_COMMAND: kb
- FOLLOWUP_IP:
- TitanHide!Undocumented::NtQueryInformationProcess+3a [c:\codeblocks\titanhide\titanhide\undocumented.cpp @ 219]
- fffff800`02203daa 4883c438 add rsp,38h
- FAULTING_SOURCE_LINE: c:\codeblocks\titanhide\titanhide\undocumented.cpp
- FAULTING_SOURCE_FILE: c:\codeblocks\titanhide\titanhide\undocumented.cpp
- FAULTING_SOURCE_LINE_NUMBER: 219
- SYMBOL_STACK_INDEX: 5
- SYMBOL_NAME: TitanHide!Undocumented::NtQueryInformationProcess+3a
- FOLLOWUP_NAME: MachineOwner
- MODULE_NAME: TitanHide
- IMAGE_NAME: TitanHide.sys
- DEBUG_FLR_IMAGE_TIMESTAMP: 54ce23e4
- BUCKET_ID_FUNC_OFFSET: 3a
- FAILURE_BUCKET_ID: 0x7f_8_TitanHide!Undocumented::NtQueryInformationProcess
- BUCKET_ID: 0x7f_8_TitanHide!Undocumented::NtQueryInformationProcess
- ANALYSIS_SOURCE: KM
- FAILURE_ID_HASH_STRING: km:0x7f_8_titanhide!undocumented::ntqueryinformationprocess
- FAILURE_ID_HASH: {85872395-8fd7-ddba-12c6-664a7e60789c}
- Followup: MachineOwner
- ---------
- 2: kd> lmvm TitanHide
- start end module name
- fffff800`02200000 fffff800`0228c000 TitanHide (private pdb symbols) c:\users\admin\desktop\titanhide\TitanHide.pdb
- Loaded symbol image file: TitanHide.sys
- Mapped memory image file: c:\users\admin\desktop\titanhide\TitanHide.sys
- Image path: \??\c:\windows\system32\drivers\TitanHide.sys
- Image name: TitanHide.sys
- Timestamp: Sun Feb 01 05:02:28 2015 (54CE23E4)
- CheckSum: 0000DC91
- ImageSize: 0008C000
- Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4