cakemaker

PageFault analysis sample

Jun 17th, 2025
Note: "--...--" replaces parts you can sanitize if you wish.


Microsoft (R) Windows Debugger Version 10.0.26100.1 AMD64
^^^^^^^^^^^^^ always include the WinDbg version: classic and "new" WinDbg each have their own set of bugs, so the reader needs to know which one produced the output

--...--

Windows 10 Kernel Version 26100 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0xfffff802`cdc00000 PsLoadedModuleList = 0xfffff802`ceaf4770

--...--

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffffffffffa8b, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8026410aeb8, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------

--...--

TRAP_FRAME: fffff607c4792380 -- (.trap 0xfffff607c4792380)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffffffffffa88 rbx=0000000000000000 rcx=fffffffffffffa88
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8026410aeb8 rsp=fffff607c4792510 rbp=fffff607c47958c0
 r8=ffffe58b2efb5a50  r9=00000000000000c2 r10=ffffe58b2d100140
r11=ffff8481d4b83000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
blabla!blablabla:
fffff802`6410aeb8 8a4003          mov     al,byte ptr [rax+3] ds:ffffffff`fffffa8b=??
Resetting default scope


--...--

VVVVVVVVVVVVVVVVV exec the .trap command that !analyze printed above ^^^^


1: kd> .trap 0xfffff607c4792380
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffffffffffa88 rbx=0000000000000000 rcx=fffffffffffffa88
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8026410aeb8 rsp=fffff607c4792510 rbp=fffff607c47958c0
 r8=ffffe58b2efb5a50  r9=00000000000000c2 r10=ffffe58b2d100140
r11=ffff8481d4b83000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
blabla!blablabla:
fffff802`6410aeb8 8a4003          mov     al,byte ptr [rax+3] ds:ffffffff`fffffa8b=??

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .trap switches the register context to the trap frame, so the volatile regs (rax, rcx, rdx, r8-r11) are the real values at the moment of the fault.
The non-volatile regs (rbx, rsi, rdi, r12-r15) show as zero here because the trap frame does not carry them (that is what the NOTE is warning about); do not read anything into those zeros.

Sanity check worth doing at this point: the faulting instruction reads [rax+3] with rax=fffffffffffffa88, which is exactly Arg1 (fffffffffffffa8b). rax is -0x578 as a signed value, i.e. a small negative integer used as a pointer rather than a freed pool address, so the interesting question is what produced rax, which the disassembly below should answer.


1: kd> .cxr; k

 # Child-SP          RetAddr               Call Site
00 fffff607`c4792118 fffff802`cdf80bb5     nt!KeBugCheckEx
01 fffff607`c4792120 fffff802`cde2daaf     nt!MiSystemFault+0x735
02 fffff607`c4792210 fffff802`ce2821cb     nt!MmAccessFault+0x2ff
03 fffff607`c4792380 fffff802`6410aeb8     nt!KiPageFault+0x38b
04 fffff607`c4792510 fffff802`6410ab86     blabla!blablabla
<something-something-more>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.cxr with no argument drops the trap context again so k walks the full bugcheck stack from KeBugCheckEx.
In this case the relevant frame number is **4**: the first frame below nt!KiPageFault, i.e. the code that was running when the page fault was taken. The number differs from dump to dump, so pick the frame right after KiPageFault in your own stack, then exec this:


1: kd> .frame /c /r 4
04 fffff607`c4792510 fffff802`6410ab86     blabla!blablabla
rax=fffffffffffffa88 rbx=ffffe58b33102000 rcx=fffffffffffffa88
rdx=0000000000000000 rsi=ffffe58b3aa59bad rdi=ffffe58b2efc3e20
rip=fffff8026410aeb8 rsp=fffff607c4792510 rbp=fffff607c47958c0
 r8=ffffe58b2efb5a50  r9=00000000000000c2 r10=ffffe58b2d100140
r11=ffff8481d4b83000 r12=0000000000000000 r13=ffffe58b3207ade0
r14=ffffe58b33102000 r15=ffffffff80002398
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040246
blabla!blablabla:
fffff802`6410aeb8 8a4003          mov     al,byte ptr [rax+3] ds:002b:ffffffff`fffffa8b=??

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /c makes frame 4 the current context and /r prints its registers. Now the non-volatile regs are valid too (rbx, rsi, rdi, r13-r15 are no longer zero), because the stack unwinder recovers them from the frames above; this is the context to use for the rest of the analysis.


1: kd> ub . L10; u . L10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ give some exec context: 0x10 instructions before and 0x10 after the faulting rip (WinDbg counts are hex). The "before" part is where rax got its value.
<something-something>


1: kd> uf .
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ more exec context: the whole function containing rip, so the entire routine is in the paste at once instead of being requested back and forth
<something-something>


1: kd> dps @rsp L800
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ just dump 0x800 pointer-sized stack slots from rsp with symbol resolution (optional, but return addresses and object pointers left on the stack often show who called into the faulting code and with what)
<something-something>
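The register values, the disassembled operand and the bugcheck Arg1 are three independent statements about the same faulting access, and they should agree. The script below is an added example (not part of the paste above) that ties them together: it parses a `.frame /r` register dump and the faulting instruction line in the format WinDbg prints, recomputes the effective address of the memory operand, checks it against the `ds:` address and Arg1, and buckets the bad pointer (near-NULL, small negative integer, non-canonical, user range, plausible kernel address), since each bucket points at a different kind of root cause. The sample input is copied from the sanitized dump above; "blabla" is the paste author's placeholder, not a real module, and the bucket thresholds (0x10000 either side of zero) are an assumption chosen for illustration.

```python
"""Cross-check a 0x50 (PAGE_FAULT_IN_NONPAGED_AREA) trap: recompute the faulting
effective address from the register dump and classify what kind of bad pointer it is."""
import re

# Register dump and faulting instruction, copied from the sanitized paste above.
# "blabla" is the paste author's placeholder for the real module/function name.
REG_DUMP = """\
rax=fffffffffffffa88 rbx=ffffe58b33102000 rcx=fffffffffffffa88
rdx=0000000000000000 rsi=ffffe58b3aa59bad rdi=ffffe58b2efc3e20
rip=fffff8026410aeb8 rsp=fffff607c4792510 rbp=fffff607c47958c0
r8=ffffe58b2efb5a50 r9=00000000000000c2 r10=ffffe58b2d100140
r11=ffff8481d4b83000 r12=0000000000000000 r13=ffffe58b3207ade0
r14=ffffe58b33102000 r15=ffffffff80002398
"""
FAULT_LINE = "fffff802`6410aeb8 8a4003 mov al,byte ptr [rax+3] ds:002b:ffffffff`fffffa8b=??"
BUGCHECK_ARG1 = 0xFFFFFFFFFFFFFA8B  # Arg1 "memory referenced" from !analyze -v

MASK64 = (1 << 64) - 1

# Memory operand as WinDbg prints it: [base], [base+disp], [base-disp],
# [base+index*scale+disp]; displacements are hex, with an 'h' suffix when > 9.
MEM_OPERAND = re.compile(
    r"\[(?P<base>r[a-z0-9]+)"
    r"(?:\+(?P<index>r[a-z0-9]+)(?:\*(?P<scale>[1248]))?)?"
    r"(?:(?P<sign>[+-])(?P<disp>[0-9A-Fa-f]+h?))?\]"
)


def parse_regs(dump):
    """'rax=fffffffffffffa88 rbx=...' -> {'rax': int, ...} (64-bit values only)."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b(r[a-z0-9]+)=([0-9a-f]{16})\b", dump)}


def effective_address(regs, instruction):
    """Recompute the address the instruction touched from the register values."""
    m = MEM_OPERAND.search(instruction)
    if m is None:
        raise ValueError("no memory operand in: " + instruction)
    ea = regs[m["base"]]
    if m["index"]:
        ea += regs[m["index"]] * int(m["scale"] or 1)
    if m["disp"]:
        disp = int(m["disp"].rstrip("hH"), 16)
        ea += disp if m["sign"] == "+" else -disp
    return ea & MASK64


def ds_target(instruction):
    """Address WinDbg resolved after 'ds:' (selector optional), backticks removed."""
    m = re.search(r"ds:(?:[0-9a-f]{4}:)?([0-9a-f`]+)=", instruction)
    if m is None:
        raise ValueError("no ds: target in: " + instruction)
    return int(m.group(1).replace("`", ""), 16)


def to_signed(value):
    return value - (1 << 64) if value & (1 << 63) else value


def is_canonical(addr):
    top = addr >> 47                # bits 63..47 must be all 0 or all 1 on x64
    return top == 0 or top == (1 << 17) - 1


def classify(addr):
    """Rough bucket for a bad kernel-mode pointer; each bucket hints at a different cause.
    The 0x10000 windows around zero are an assumed illustration threshold."""
    if not is_canonical(addr):
        return "non-canonical"      # garbage / corrupted pointer bits
    if addr < 0x10000:
        return "near-null"          # NULL + field offset
    if addr >= (1 << 64) - 0x10000:
        return "small-negative"     # negative integer (e.g. error code) used as a pointer
    if addr < 0x0000800000000000:
        return "user-range"         # user address touched from kernel mode
    return "kernel-range"           # plausible pool/paged address: check !pool / !pte


def cross_check(regs, instruction, arg1):
    """Tie the three sources together: registers, disassembly, bugcheck Arg1."""
    base = MEM_OPERAND.search(instruction)["base"]
    ea = effective_address(regs, instruction)
    return {
        "effective_address": ea,
        "matches_disassembly": ea == ds_target(instruction),
        "matches_arg1": ea == arg1,
        "base_register": base,
        "base_signed": to_signed(regs[base]),
        "category": classify(ea),
    }


if __name__ == "__main__":
    result = cross_check(parse_regs(REG_DUMP), FAULT_LINE, BUGCHECK_ARG1)
    for key, val in result.items():
        print(f"{key}: {val:#x}" if type(val) is int else f"{key}: {val}")
```

For the dump above this reports rax+3 == fffffffffffffa8b, matching both the `ds:` address and Arg1, with the base register equal to -0x578 as a signed value, so the pointer is a small negative integer rather than a freed pool allocation; a "kernel-range" result would instead be the cue to run `!pool` and `!pte` on the address.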