SysnativeBSODApps - additional check 'drivers found in stack'

[niemiro]

No problem on the time taken. I've only encountered that one .dmp so far that caused problems. Thanks for putting it together.

FAILURE: Dump file is corrupt.

Did you add that message? If so, nice!

Yep, thanks :) I added some simple tests for dump corruption and a failure message if detected (basically, just seeing if the memory addresses can be successfully retrieved, and if they are plausible). I then output the raw data incase an analyst can recover anything useful from it. Here the address to _KTHREAD is corrupt, so the stack base and limits are meaningless, but maybe other times they won't be.

I will upload the source code soon, but there is nothing very interesting or reusable in it. Sadly, nothing magic here

 

[niemiro]

I uploaded the latest version of the apps, but I'll warn that they are a little slower due to the symbols checking. I am working on a better method for symbols errors to distinguish between when symbols are possibly wrong and when they are definitely wrong. I also want to fix that the apps check symbol errors for each user command even if the symbols could not be fixed in a previous command...

The symbols checking for user commands is still a work in progress, but it should at least be robust now with the new methods. BETA: Sysnative BSOD Processing Apps 2.1.2.7.

I know this is sort of irrelevant now, as your app is working amazingly, but I just came across something which might or might not help you with similar things in the future. It is not exactly what you are after, but I shall post here anyway for the benefit of all: http://www.wintellect.com/cs/blogs/...an-undocumented-windbg-extension-command.aspx

 

[niemiro]

I will clean up this thread and split off my extension tomorrow. For tonight, a new version. There have been quite a few changes in this version. Some stuff has moved around, but nothing has been removed. Even if it looks like some functionality has been removed, it has just been moved under a different argument, or whatever.

I would like to thank writhziden in particular for his comments and suggestions on my extension which helped me to make many of the improvements seen in this version.



Firstly, the standard name of the .dll has changed from niemiro to sysnative. However, as ever, this can be changed to anything you so desire. Please feel free to do so.

The main reason for this was twofold. Firstly, this is a team effort, not really "mine". Secondly, my username is hard to spell :lol:



Secondly, rawstack and auto_errrec are quite long to type out if you are using these manually in dump files in WinDBG. So...

I have created a shorter alias for each. rawstack can now be invoked with just rs, and auto_errrec with just ae, e.g. !sysnative.ae or !sysnative.rs -dc



Thirdly, !sysnative.rawstack and !sysnative.rawstack -dps used to be identical. No longer so. -dps remains unchanged, for those of you who prefer the old style output, or want to dig further into a dump, e.g. to look for stack trashing. This functionality will never be removed. But, I don't think that we scrutinise the rawstack for corruption most of the time, so a more concise default output may be appreciated. The full version still exists, but is no longer the default. Please let me know if you object to this change, and I will see what can be done. So, the change...?

• Now, only lines which map to a valid symbol are displayed. All other formerly blank lines (in the symbol column) are now not displayed.
• In addition, the first reference to each distinct driver is now shown in bold for attention.

To show you exactly what I mean by this, take a look at some example output below (column alignment is maintained by the extension, lost by the forum):

Read More:

0: kd> !sysnative.rawstack
0xffffffff`c1d1c00c 0xffffffff`81f1108f dump_dumpata!IdeDumpWaitOnRequest+0x15
0xffffffff`c1d1c01c 0xffffffff`81f111af dump_dumpata!IdeDumpWritePending+0xc1
0xffffffff`c1d1c034 0xffffffff`81f11562 dump_dumpata!IdeDumpWrite+0x14
0xffffffff`c1d1c04c 0xffffffff`81f04b0c crashdmp!CrashdmpWriteRoutine+0x38
0xffffffff`c1d1c058 0xffffffff`81f08270 crashdmp!Context+0x20
0xffffffff`c1d1c060 0xffffffff`81f039d9 crashdmp!WritePageSpanToDisk+0x161
0xffffffff`c1d1c06c 0xffffffff`81f08270 crashdmp!Context+0x20
0xffffffff`c1d1c0f0 0xffffffff`81f04ad4 crashdmp!CrashdmpWriteRoutine+0x0
0xffffffff`c1d1c124 0xffffffff`81f04207 crashdmp!WriteKernelDump+0x8f
0xffffffff`c1d1c138 0xffffffff`81f08270 crashdmp!Context+0x20
0xffffffff`c1d1c158 0xffffffff`81f04433 crashdmp!DumpWrite+0x11b
0xffffffff`c1d1c164 0xffffffff`82d66790 nt!KeBugCheckAddPagesCallbackListHead+0x0
0xffffffff`c1d1c174 0xffffffff`81f0315b crashdmp!CrashdmpWrite+0x53
0xffffffff`c1d1c178 0xffffffff`81f08200 crashdmp!StrInitPortDriver+0x20
0xffffffff`c1d1c180 0xffffffff`82cdd0bf nt!IoWriteCrashDump+0x26c
0xffffffff`c1d1c184 0xffffffff`81f082b4 crashdmp!Context+0x64
0xffffffff`c1d1c18c 0xffffffff`82d2d004 nt!KiInitialPCR+0x404
0xffffffff`c1d1c194 0xffffffff`82c94039 nt!IoGetAttachedDevice+0xc
0xffffffff`c1d1c1b0 0xffffffff`82cdd122 nt!IoSetDumpRange+0x0
0xffffffff`c1d1c1b4 0xffffffff`82cdd22b nt!IoFreeDumpRange+0x0
0xffffffff`c1d1c1c0 0xffffffff`82d68e60 nt!IopTriageDumpDataBlocks+0x0
0xffffffff`c1d1c1c4 0xffffffff`82c52711 nt! ?? ::FNODOBFM::`string'+0x1
0xffffffff`c1d1c1d4 0xffffffff`8329b019 BOOTVID!VidDisplayString+0x111
0xffffffff`c1d1c1dc 0xffffffff`82cc1c6c nt!_except_handler4+0x0
0xffffffff`c1d1c1ec 0xffffffff`82ce1e6d nt!KeBugCheck2+0x9fb
0xffffffff`c1d1c1f8 0xffffffff`82d66790 nt!KeBugCheckAddPagesCallbackListHead+0x0
0xffffffff`c1d1c1fc 0xffffffff`82d66790 nt!KeBugCheckAddPagesCallbackListHead+0x0
0xffffffff`c1d1c218 0xffffffff`82d2cd20 nt!KiInitialPCR+0x120
0xffffffff`c1d1c258 0xffffffff`82c94039 nt!IoGetAttachedDevice+0xc
0xffffffff`c1d1c310 0xffffffff`82d2cd20 nt!KiInitialPCR+0x120
0xffffffff`c1d1c320 0xffffffff`82d39f84 nt!KiHardwareTrigger+0x0
0xffffffff`c1d1c328 0xffffffff`82ce0e9c nt!KeBugCheckEx+0x1e
0xffffffff`c1d1c55c 0xffffffff`8948cf8a tcpip!TcpExitReceiveDpc+0x61
0xffffffff`c1d1c570 0xffffffff`89493002 tcpip!TcpPreValidatedReceive+0x29b
0xffffffff`c1d1c580 0xffffffff`892cce06 NETIO!FsbFree+0x73
0xffffffff`c1d1c594 0xffffffff`89513724 tcpip!Ipv6Global+0x277c
0xffffffff`c1d1c59c 0xffffffff`89510f02 tcpip!Ipv4pMtuTable+0x16
0xffffffff`c1d1c5a0 0xffffffff`89510f02 tcpip!Ipv4pMtuTable+0x16
0xffffffff`c1d1c5a4 0xffffffff`89513724 tcpip!Ipv6Global+0x277c
0xffffffff`c1d1c5a8 0xffffffff`89513702 tcpip!Ipv6Global+0x275a
0xffffffff`c1d1c5b0 0xffffffff`83019ba9 hal!KfLowerIrql+0x61
0xffffffff`c1d1c5b4 0xffffffff`89510fa8 tcpip!Ipv6Global+0x0
0xffffffff`c1d1c5b8 0xffffffff`89513702 tcpip!Ipv6Global+0x275a
0xffffffff`c1d1c5c4 0xffffffff`82ce0e9c nt!KeBugCheckEx+0x1e
0xffffffff`c1d1c5d0 0xffffffff`82c94039 nt!IoGetAttachedDevice+0xc
0xffffffff`c1d1c5e4 0xffffffff`82e0b096 nt!PspSystemThreadStartup+0xde
0xffffffff`c1d1c5f0 0xffffffff`82c94039 nt!IoGetAttachedDevice+0xc
0xffffffff`c1d1c5fc 0xffffffff`82c7c444 nt!_EH4_CallFilterFunc+0x12
0xffffffff`c1d1c608 0xffffffff`82c58d48 nt! ?? ::FNODOBFM::`string'+0x31c8
0xffffffff`c1d1c610 0xffffffff`82cc1cf9 nt!_except_handler4+0x8e
0xffffffff`c1d1c628 0xffffffff`82c58d58 nt! ?? ::FNODOBFM::`string'+0x31d8
0xffffffff`c1d1c638 0xffffffff`82c7a602 nt!ExecuteHandler2+0x26
0xffffffff`c1d1c650 0xffffffff`82c7a616 nt!ExecuteHandler2+0x3a
0xffffffff`c1d1c65c 0xffffffff`82c7a5d4 nt!ExecuteHandler+0x24
0xffffffff`c1d1c670 0xffffffff`82cc1c6c nt!_except_handler4+0x0
0xffffffff`c1d1c680 0xffffffff`82cae348 nt!RtlDispatchException+0xb6
0xffffffff`c1d1c694 0xffffffff`82cc1c6c nt!_except_handler4+0x0
0xffffffff`c1d1c6cc 0xffffffff`83019ba9 hal!KfLowerIrql+0x61
0xffffffff`c1d1c6dc 0xffffffff`82cac078 nt!KeContextFromKframes+0x302
0xffffffff`c1d1c6f4 0xffffffff`89510fa8 tcpip!Ipv6Global+0x0
0xffffffff`c1d1c704 0xffffffff`82cb6fdd nt!KiDispatchException+0x16d
0xffffffff`c1d1c714 0xffffffff`82cb6fec nt!KiDispatchException+0x17c
0xffffffff`c1d1c784 0xffffffff`83019ba9 hal!KfLowerIrql+0x61
0xffffffff`c1d1c794 0xffffffff`8948a3b0 tcpip!IppSendDatagramsCommon+0x69b
0xffffffff`c1d1c7d8 0xffffffff`82c94039 nt!IoGetAttachedDevice+0xc
0xffffffff`c1d1c7ec 0xffffffff`89485744 tcpip!TcpBeginTcbSend+0x12aa
0xffffffff`c1d1c810 0xffffffff`89487491 tcpip!IpNlpSendDatagrams+0x4b
0xffffffff`c1d1c81c 0xffffffff`89510fa8 tcpip!Ipv6Global+0x0
0xffffffff`c1d1c830 0xffffffff`8947f1cb tcpip!IppSlowSendDatagram+0x31
0xffffffff`c1d1c8bc 0xffffffff`8947d0a8 tcpip!IpNlpFastSendDatagram+0x1067
0xffffffff`c1d1c91c 0xffffffff`83019ba9 hal!KfLowerIrql+0x61
0xffffffff`c1d1c92c 0xffffffff`830177ab hal!KfReleaseSpinLock+0xb
0xffffffff`c1d1c930 0xffffffff`8947e193 tcpip!TcpTcbSend+0x8c3
0xffffffff`c1d1c93c 0xffffffff`8947e1a2 tcpip!TcpTcbSend+0x8d2
0xffffffff`c1d1ca04 0xffffffff`82cb6ee7 nt!KiDispatchException+0x77
0xffffffff`c1d1ca0c 0xffffffff`82cb6eef nt!KiDispatchException+0x7f
0xffffffff`c1d1ca20 0xffffffff`892f77fe NETIO!StreamFreeNetBufferList+0x16
0xffffffff`c1d1ca30 0xffffffff`892f23a7 NETIO!StreamRequestNetBufferListCompletionFn+0xb7
0xffffffff`c1d1ca40 0xffffffff`892d05cc NETIO!NetioDereferenceNetBufferList+0xa2
0xffffffff`c1d1ca48 0xffffffff`892fd004 NETIO!WPP_GLOBAL_Control+0x0
0xffffffff`c1d1ca4c 0xffffffff`892f3055 NETIO!WfpFreeToPerProcessorLookasideList+0x42
0xffffffff`c1d1ca54 0xffffffff`892f30c0 NETIO!StreamFreeInspectionCallContxt+0x13
0xffffffff`c1d1ca64 0xffffffff`892f3888 NETIO!WfpStreamInspectSend+0xff
0xffffffff`c1d1ca74 0xffffffff`8947ac46 tcpip!TcpEnqueueTcbSendOlmNotifySendComplete+0x157
0xffffffff`c1d1ca94 0xffffffff`8947ebd3 tcpip!TcpEnqueueTcbSend+0x3ca
0xffffffff`c1d1cab4 0xffffffff`8947ebe5 tcpip!TcpEnqueueTcbSend+0x3dc
0xffffffff`c1d1cac4 0xffffffff`a4fbffc0 fastfat!_except_handler4+0x0
0xffffffff`c1d1cae0 0xffffffff`82c9db23 nt!MiLocateAddress+0x41
0xffffffff`c1d1caf4 0xffffffff`82c9db78 nt!MiCheckVirtualAddress+0x42
0xffffffff`c1d1cb1c 0xffffffff`82cc1c6c nt!_except_handler4+0x0
0xffffffff`c1d1cb2c 0xffffffff`82c40e66 nt!CommonDispatchException+0x4a
0xffffffff`c1d1cb50 0xffffffff`82c94039 nt!IoGetAttachedDevice+0xc
0xffffffff`c1d1cb74 0xffffffff`81fb13ad srv2!SrvGetSessionSecurityContext+0x36
0xffffffff`c1d1cb84 0xffffffff`82c43468 nt!KiTrap0E+0xdc
0xffffffff`c1d1cb94 0xffffffff`82c40e1a nt!KiExceptionExit+0x192
0xffffffff`c1d1cb9c 0xffffffff`82c94039 nt!IoGetAttachedDevice+0xc
0xffffffff`c1d1cbb4 0xffffffff`82e2407e nt!ObReferenceObjectByHandleWithTag+0xf6
0xffffffff`c1d1cc00 0xffffffff`82c94039 nt!IoGetAttachedDevice+0xc
0xffffffff`c1d1cc10 0xffffffff`82c8fc22 nt!IoGetRelatedDeviceObject+0x70
0xffffffff`c1d1cc24 0xffffffff`81fab465 srv2!BuildCoreOfSyncIoRequest+0x3f
0xffffffff`c1d1cc38 0xffffffff`81fb0229 srv2!SrvSnapIssueIoctl+0x30
0xffffffff`c1d1cc74 0xffffffff`81fb0309 srv2!SrvShareGetEpicForVolume+0x22
0xffffffff`c1d1cc90 0xffffffff`81fb0f6f srv2!SrvShareRefreshSnapShots+0x5a
0xffffffff`c1d1cca8 0xffffffff`81faf718 srv2!Smb2ValidateProviderCallback+0x6aa
0xffffffff`c1d1ccc0 0xffffffff`81fb1156 srv2!SrvShareEnumerateSnapShots+0x36
0xffffffff`c1d1cccc 0xffffffff`81fa4000 srv2!WPP_GLOBAL_Control+0x0
0xffffffff`c1d1ccd4 0xffffffff`81fb7caa srv2!Smb2ExecuteIoctl+0x22e
0xffffffff`c1d1cce4 0xffffffff`81fa3720 srv2!WPP_ThisDir_CTLGUID_Srv2Log+0x10
0xffffffff`c1d1ccf0 0xffffffff`81fa9477 srv2!SrvProcessPacket+0xba
0xffffffff`c1d1cd0c 0xffffffff`81fa8467 srv2!SrvProcWorkerThread+0x2db
0xffffffff`c1d1cd20 0xffffffff`82c8177a nt!KiSwapKernelStackAndExit+0x15a
0xffffffff`c1d1cd54 0xffffffff`82e0b056 nt!PspSystemThreadStartup+0x9e
0xffffffff`c1d1cd84 0xffffffff`82cc1c6c nt!_except_handler4+0x0
0xffffffff`c1d1cd94 0xffffffff`82cb31a9 nt!KiThreadStartup+0x19
0xffffffff`c1d1cd98 0xffffffff`81fa818c srv2!SrvProcWorkerThread+0x0

Source code is also included. Some of the commented out code needs a slight tidy up in places, but that should be done for the next version.

As ever, your honest feedback or suggestions on these changes, positive or negative, will be received with gratitude and carefully considered.

I hope you like it,

Richard

 

[writhziden]

Thanks Richard!! :-}

 

[niemiro]

Thanks Richard!! :-}

No problem :)

 

[jcgriff2]

I forgot about Dependency Walker -- been a few years.

Thanks!

 

[niemiro]

Version 1.5

Further improved corrupt dump file detection.

 

[writhziden]

Version 1.5

Further improved corrupt dump file detection.

It seems one of the updates to the forums erased the attachment here. I have misplaced this version, though I can probably find it if I dig around through all my backups over the years. If you would also need to dig for it, I won't ask you to go through that much trouble, but I thought I'd ask anyway:

@niemiro I don't imagine you still have this somewhere easy to find?

EDIT: I remembered I have a laptop sitting in our basement from the last time I was doing Sysnative troubleshooting work in 2019, and I was able to find this in its file history from an old backup.