- Sysmon BSOD on my Windows 7 x64 :-(
- After some days of logging without a reboot, I got a BSOD. It happens during a CreatePipe from ConEmu.exe (ConEmu creates really a lot of pipes).
- I am pasting some debug information that can help you (I hope).
- ####################################
- CONTEXT: fffff880078fb7d0 -- (.cxr 0xfffff880078fb7d0;r)
- rax=0000000000000030 rbx=0000000000000030 rcx=fffff8a00e9e84d8
- rdx=000007a2f1a77b89 rsi=fffff880078fc230 rdi=fffffa8005adfa20
- rip=fffff8800149d260 rsp=fffff880078fc1b8 rbp=fffff880078fc2c0
- r8=0000000000000030 r9=0000000000000001 r10=fffffa80032f6288
- r11=fffff8a00e9e84a8 r12=fffff8a00e9e8470 r13=0000000000000002
- r14=fffff8a00e9e84a8 r15=fffff8a00e9e849c
- iopl=0 nv up ei ng nz na pe cy
- cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010283
- SysmonDrv+0x1260:
- fffff880`0149d260 488b440af8 mov rax,qword ptr [rdx+rcx-8] ds:002b:00000043`00460059=????????????????
- STACK_TEXT:
- fffff880`078fc1b8 fffff880`014a0376 : fffffa80`00000608 00000000`000003a8 fffff880`078fc2c0 00000000`000007ff : SysmonDrv+0x1260
- fffff880`078fc1c0 fffff880`014a0492 : 00000000`00000000 fffffa80`05004650 00000000`00000000 fffff8a0`00133b10 : SysmonDrv+0x4376
- fffff880`078fc320 fffff800`02ab8615 : 00000000`00000000 fffff8a0`0c1910d0 fffffa80`06917270 fffff8a0`0641e010 : SysmonDrv+0x4492
- fffff880`078fc350 fffff800`02ace821 : fffffa80`05dc38e3 00000000`00000000 fffffa80`05004650 fffff800`02c4ae80 : nt!IopUnloadSafeCompletion+0x55
- fffff880`078fc390 fffff880`01807627 : fffff8a0`00133b10 fffffa80`05dc3802 00000000`c000000d 00000000`00000000 : nt!IopfCompleteRequest+0x341
- fffff880`078fc480 fffff880`014a4bed : 00000000`00000005 fffffa80`00000000 00000000`00000005 fffff8a0`00133b10 : Npfs!NpFsdCreateNamedPipe+0x403
- fffff880`078fc5a0 fffff800`02dd157b : 00000000`00000005 00000000`00000040 fffffa80`042ba070 fffffa80`042ba108 : SysmonDrv+0x8bed
- fffff880`078fc660 fffff800`02dcd09e : fffffa80`048598f0 00000000`00000000 fffffa80`0615e870 00000000`00000001 : nt!IopParseDevice+0x14e2
- fffff880`078fc7c0 fffff800`02dcdb86 : 00000000`00000000 fffff880`078fc940 fffffa80`00000040 fffffa80`033769f0 : nt!ObpLookupObjectName+0x784
- fffff880`078fc8c0 fffff800`02dcf97c : fffff8a0`0e99b410 00000000`00000000 00000000`00000001 00000000`000007ff : nt!ObOpenObjectByName+0x306
- fffff880`078fc990 fffff800`02d8ebda : 00000000`0305e7c8 00000000`c0100000 00000000`0305f0a0 00000000`0305e7f0 : nt!IopCreateFile+0x2bc
- fffff880`078fca30 fffff800`02d8ecf7 : fffffa80`066321b8 fffffa80`0564de90 fffff800`02c4ae80 00000000`00000001 : nt!IoCreateFile+0x8a
- fffff880`078fcac0 fffff800`02aca6d3 : 00000000`02e49738 fffff880`078fcc60 00000000`00000000 fffff800`02dba7cb : nt!NtCreateNamedPipeFile+0x106
- fffff880`078fcb70 00000000`77a5c71a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
- 00000000`0305e748 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77a5c71a
- ####################################
- The bug occurs in the function sub_180001010; the previous layer of the call is:
- ####################################
- .text:0000000180004360 mov eax, [rsi+8]
- .text:0000000180004363 mov rdx, [rsi]
- .text:0000000180004366 mov rcx, r14
- .text:0000000180004369 mov r8d, eax
- .text:000000018000436C mov [r15], eax
- .text:000000018000436F mov ebx, eax
- .text:0000000180004371 call sub_180001010
- sub_180001010(v30, v34, v33); <--- Call to the bug (v34 / rsi is corrupted)
- 0: kd> dq rsi
- fffff880`078fc230 00000043`00460031 00000000`00000030
- fffff880`078fc240 fffffa80`037487f0 00000000`00000030
- ####################################
- If you want more details, I'm available to you :-)
- Heurs
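An added crash-triage example, not part of the original paste: it recomputes the effective address of `mov rax,qword ptr [rdx+rcx-8]` from the CONTEXT registers above, checks it against the address WinDbg printed, and decodes the qwords at the fault address and at rsi as UTF-16LE. The register, instruction and dq values are copied from the paste; the "does this pointer look like text" check is a triage heuristic assumed here, not a conclusion the paste states.

```python
import re
import struct

# Register context, faulting instruction and "dq rsi" output, copied from the paste.
CONTEXT = """
rax=0000000000000030 rbx=0000000000000030 rcx=fffff8a00e9e84d8
rdx=000007a2f1a77b89 rsi=fffff880078fc230 rdi=fffffa8005adfa20
rip=fffff8800149d260 rsp=fffff880078fc1b8 rbp=fffff880078fc2c0
r8=0000000000000030 r9=0000000000000001 r10=fffffa80032f6288
r11=fffff8a00e9e84a8 r12=fffff8a00e9e8470 r13=0000000000000002
r14=fffff8a00e9e84a8 r15=fffff8a00e9e849c
"""
FAULT_LINE = "mov rax,qword ptr [rdx+rcx-8] ds:002b:00000043`00460059=????????????????"
DQ_RSI = "fffff880`078fc230 00000043`00460031 00000000`00000030"

def parse_registers(text):
    """Return {name: int} for WinDbg-style 'reg=<16 hex digits>' pairs."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"([a-z0-9]+)=([0-9a-f]{16})\b", text)}

def parse_windbg_qword(token):
    """'00000043`00460059' -> int; WinDbg splits 64-bit values with a backtick."""
    return int(token.replace("`", ""), 16)

def effective_address(regs, base, index, disp):
    """[base+index+disp] as the CPU computes it, wrapping at 64 bits."""
    return (regs[base] + regs[index] + disp) & ((1 << 64) - 1)

def as_utf16le_text(value):
    """Decode a qword's little-endian bytes as UTF-16LE up to the first NUL;
    None if a code unit is not printable ASCII. A 'pointer' that decodes to
    readable text is a hint (assumed heuristic) that string data was read
    where the code expected a pointer, e.g. a struct-layout mismatch."""
    chars = []
    for unit in struct.unpack("<4H", struct.pack("<Q", value)):
        if unit == 0:
            break
        if not 0x20 <= unit < 0x7F:
            return None
        chars.append(chr(unit))
    return "".join(chars)

def triage():
    """Cross-check the fault address and test whether the bad values look like text."""
    regs = parse_registers(CONTEXT)
    ea = effective_address(regs, "rdx", "rcx", -8)
    reported = parse_windbg_qword(re.search(r"ds:002b:([0-9a-f`]+)=", FAULT_LINE).group(1))
    rsi_qwords = [parse_windbg_qword(t) for t in DQ_RSI.split()[1:]]
    return {"fault_ea": ea, "matches_debugger": ea == reported,
            "fault_ea_as_text": as_utf16le_text(ea),
            "rsi_qword0_as_text": as_utf16le_text(rsi_qwords[0]),
            "rsi_qword1": rsi_qwords[1]}
```

Running `triage()` confirms the debugger's fault address and shows both the fault address and the first qword at rsi decode to short UTF-16LE strings, while the second qword at rsi is 0x30 (matching eax loaded from [rsi+8]).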