BSOD on Windows 10 #13
Description
Hi,
I got BSOD on Windows 10.
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff802bc932524, Address of the instruction which caused the bugcheck
Arg3: ffffe08f1ba66ae0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
FAULTING_IP:
injdrv+2524
fffff802`bc932524 48394110 cmp qword ptr [rcx+10h],rax
MODULE_NAME: injdrv
IMAGE_NAME: injdrv.sys
This is the callstack:
0: kd> kp
Child-SP RetAddr Call Site
00 ffffe08f1ba66208 fffff802bd45b669 nt!KeBugCheckEx
01 ffffe08f1ba66210 fffff802bd45abbc nt!KiBugCheckDispatch+0x69
02 ffffe08f1ba66350 fffff802bd4533ad nt!KiSystemServiceHandler+0x7c
03 ffffe08f1ba66390 fffff802bd35b126 nt!RtlpExecuteHandlerForException+0xd
04 ffffe08f1ba663c0 fffff802bd35cc23 nt!RtlDispatchException+0x416
05 ffffe08f1ba66ab0 fffff802bd45b742 nt!KiDispatchException+0x1f3
06 ffffe08f1ba67160 fffff802bd4582c5 nt!KiExceptionDispatch+0xc2
07 ffffe08f1ba67340 fffff802bc932524 nt!KiPageFault+0x405
*** WARNING: Unable to verify timestamp for injdrv.sys
08 ffffe08f1ba674d0 fffff802bc9327f3 injdrv!InjFindInjectionInfo(void * ProcessId = 0x00000000000020ac)+0x34 [c:\working\injdrv\injlib.c @ 1093]
09 ffffe08f1ba674f0 fffff802bd7f2efe injdrv!InjLoadImageNotifyRoutine(struct _UNICODE_STRING * FullImageName = 0xffff91889adea688 "\Windows\System32\msvcrt.dll", void * ProcessId = 0x00000000000020ac, struct _IMAGE_INFO * ImageInfo = 0xffffe08f1ba676c0)+0x23 [c:\working\injdrv\injlib.c @ 1340]
0a ffffe08f1ba675b0 fffff802bd7f19f4 nt!PsCallImageNotifyRoutines+0x12e
0b ffffe08f1ba67610 fffff802bd7a1721 nt!MiMapViewOfImageSection+0x734
0c ffffe08f1ba67790 fffff802bd7a0e7b nt!MiMapViewOfSection+0x3c1
0d ffffe08f1ba678e0 fffff802bd45b143 nt!NtMapViewOfSection+0x12b
0e ffffe08f1ba67a10 00007ff9f867aea4 nt!KiSystemServiceCopyEnd+0x13
0f 00000070e8c7e6e8 0000000000000000 0x00007ff9`f867aea4
Checking the source code I found that it is in:
PINJ_INJECTION_INFO
NTAPI
InjFindInjectionInfo(
  _In_ HANDLE ProcessId
  )
{
  // Walk the InjInfoListHead list, starting at its first entry.
  PLIST_ENTRY NextEntry = InjInfoListHead.Flink;

  while (NextEntry != &InjInfoListHead)
  {
    // Recover the containing INJ_INJECTION_INFO from its ListEntry field.
    PINJ_INJECTION_INFO InjectionInfo = CONTAINING_RECORD(NextEntry,
                                                          INJ_INJECTION_INFO,
                                                          ListEntry);

    if (InjectionInfo->ProcessId == ProcessId)
    {
      return InjectionInfo;
    }

    NextEntry = NextEntry->Flink;
  }

  // No entry with a matching ProcessId was found.
  return NULL;
}
It only happened once.
What could be the cause of the problem?
Maybe a page fault happened in the function on memory that should not be paged?