Untitled
a guest
Feb 1st, 2015

Microsoft (R) Windows Debugger Version 6.3.9600.17237 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\020115-22843-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (3 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.16404.amd64fre.winblue_gdr.130913-2141
Machine Name:
Kernel base = 0xfffff803`a5a77000 PsLoadedModuleList = 0xfffff803`a5d3b990
Debug session time: Sun Feb 1 05:06:33.847 2015 (UTC - 8:00)
System Uptime: 0 days 1:30:44.225
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
............
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, ffffd00020648070, ffffd00027eedfd0, fffff803a5e42fb3}

*** WARNING: Unable to verify timestamp for TitanHide.sys
*** ERROR: Module load completed but symbols could not be loaded for TitanHide.sys
Probably caused by : TitanHide.sys ( TitanHide+3daa )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: ffffd00020648070
Arg3: ffffd00027eedfd0
Arg4: fffff803a5e42fb3

Debugging Details:
------------------


BUGCHECK_STR: 0x7f_8

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: MsMpEng.exe

CURRENT_IRQL: 0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

LAST_CONTROL_TRANSFER: from fffff803a5bd07e9 to fffff803a5bc4ca0

STACK_TEXT:
ffffd000`20647f28 fffff803`a5bd07e9 : 00000000`0000007f 00000000`00000008 ffffd000`20648070 ffffd000`27eedfd0 : nt!KeBugCheckEx
ffffd000`20647f30 fffff803`a5bce8f4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd000`20648070 fffff803`a5e42fb3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb4
ffffd000`27eedfd0 fffff803`a5dfd3db : 00000000`00000000 00000000`00001000 ffffe000`0019a500 00000000`00000000 : nt!ObReferenceObjectByHandleWithTag+0xb3
ffffd000`27eee070 fffff800`02203daa : 00000000`00000000 fffff800`02203615 00000000`00000000 00000000`00000000 : nt!NtQueryInformationProcess+0x4fb
ffffd000`27eee580 00000000`00000000 : fffff800`02203615 00000000`00000000 00000000`00000000 00000000`00000000 : TitanHide+0x3daa


STACK_COMMAND: kb

FOLLOWUP_IP:
TitanHide+3daa
fffff800`02203daa ?? ???

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: TitanHide+3daa

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: TitanHide

IMAGE_NAME: TitanHide.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54ce23e4

FAILURE_BUCKET_ID: 0x7f_8_TitanHide+3daa

BUCKET_ID: 0x7f_8_TitanHide+3daa

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_titanhide+3daa

FAILURE_ID_HASH: {e682804c-9a59-aca7-4ba8-4482ed18d520}

Followup: MachineOwner
---------


************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred symsrv*symsrv.dll*c:\localsymbols*http://msdl.microsoft.com/download/symbols
OK C:\Users\Admin\Desktop\TitanHide
2: kd> .reload
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
............
Loading User Symbols
Loading unloaded module list
......
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: ffffd00020648070
Arg3: ffffd00027eedfd0
Arg4: fffff803a5e42fb3

Debugging Details:
------------------


BUGCHECK_STR: 0x7f_8

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: MsMpEng.exe

CURRENT_IRQL: 0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

LAST_CONTROL_TRANSFER: from fffff803a5bd07e9 to fffff803a5bc4ca0

STACK_COMMAND: kb

FOLLOWUP_IP:
TitanHide!Undocumented::NtQueryInformationProcess+3a [c:\codeblocks\titanhide\titanhide\undocumented.cpp @ 219]
fffff800`02203daa 4883c438 add rsp,38h

FAULTING_SOURCE_LINE: c:\codeblocks\titanhide\titanhide\undocumented.cpp

FAULTING_SOURCE_FILE: c:\codeblocks\titanhide\titanhide\undocumented.cpp

FAULTING_SOURCE_LINE_NUMBER: 219

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: TitanHide!Undocumented::NtQueryInformationProcess+3a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: TitanHide

IMAGE_NAME: TitanHide.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54ce23e4

BUCKET_ID_FUNC_OFFSET: 3a

FAILURE_BUCKET_ID: 0x7f_8_TitanHide!Undocumented::NtQueryInformationProcess

BUCKET_ID: 0x7f_8_TitanHide!Undocumented::NtQueryInformationProcess

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_titanhide!undocumented::ntqueryinformationprocess

FAILURE_ID_HASH: {85872395-8fd7-ddba-12c6-664a7e60789c}

Followup: MachineOwner
---------

2: kd> lmvm TitanHide
start end module name
fffff800`02200000 fffff800`0228c000 TitanHide (private pdb symbols) c:\users\admin\desktop\titanhide\TitanHide.pdb
Loaded symbol image file: TitanHide.sys
Mapped memory image file: c:\users\admin\desktop\titanhide\TitanHide.sys
Image path: \??\c:\windows\system32\drivers\TitanHide.sys
Image name: TitanHide.sys
Timestamp: Sun Feb 01 05:02:28 2015 (54CE23E4)
CheckSum: 0000DC91
ImageSize: 0008C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4