[Help] Blue screen in ExAllocatePoolWithTag, asking for help analyzing the cause and a fix
2021-11-5 17:17 13338

11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000740078006c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80030a89894, address which referenced memory

Debugging Details:

*** WARNING: Unable to verify timestamp for KeefsSafe64.sys

 

KEY_VALUES_STRING: 1

 

PROCESSES_ANALYSIS: 1

 

SERVICE_ANALYSIS: 1

 

STACKHASH_ANALYSIS: 1

 

TIMELINE_ANALYSIS: 1

 

DUMP_CLASS: 1

 

DUMP_QUALIFIER: 400

 

BUILD_VERSION_STRING: 19041.1.amd64fre.vb_release.191206-1406

 

SYSTEM_MANUFACTURER: Dell Inc.

 

SYSTEM_PRODUCT_NAME: OptiPlex 7090

 

SYSTEM_SKU: 0A52

 

BIOS_VENDOR: Dell Inc.

 

BIOS_VERSION: 1.1.36

 

BIOS_DATE: 06/22/2021

 

BASEBOARD_MANUFACTURER: Dell Inc.

 

BASEBOARD_PRODUCT: 073Y7Y

 

BASEBOARD_VERSION: A00

 

DUMP_TYPE: 2

 

BUGCHECK_P1: 740078006c

 

BUGCHECK_P2: 2

 

BUGCHECK_P3: 0

 

BUGCHECK_P4: fffff80030a89894

 

READ_ADDRESS: fffff800314fb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
000000740078006c

 

CURRENT_IRQL: 2

 

FAULTING_IP:
nt!RtlpHpVsContextAllocateInternal+b4
fffff800`30a89894 3300 xor eax,dword ptr [rax]

 

CPU_COUNT: c

 

CPU_MHZ: a98

 

CPU_VENDOR: GenuineIntel

 

CPU_FAMILY: 6

 

CPU_MODEL: a7

 

CPU_STEPPING: 1

 

CPU_MICROCODE: 6,a7,1,0 (F,M,S,R) SIG: 40'00000000 (cache) 40'00000000 (init)

 

BLACKBOXBSD: 1 (!blackboxbsd)

 

BLACKBOXNTFS: 1 (!blackboxntfs)

 

BLACKBOXWINLOGON: 1

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

 

BUGCHECK_STR: AV

 

PROCESS_NAME: CGEData.exe

 

ANALYSIS_SESSION_HOST: DESKTOP-1MOLDIM

 

ANALYSIS_SESSION_TIME: 11-05-2021 10:51:19.0478

 

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

 

TRAP_FRAME: fffffa854737f580 -- (.trap 0xfffffa854737f580)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000740078006c rbx=0000000000000000 rcx=0000000000000000
rdx=ffffdd84f8f03e58 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80030a89894 rsp=fffffa854737f710 rbp=ffffdd84f9000280
r8=fffffa854737f840 r9=0000000000000000 r10=ffffdd84f9000280
r11=fffffa854737f840 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!RtlpHpVsContextAllocateInternal+0xb4:
fffff80030a89894 3300 xor eax,dword ptr [rax] ds:000000740078006c=????????
Resetting default scope

 

LAST_CONTROL_TRANSFER: from fffff80030c09169 to fffff80030bf71b0

 

STACK_TEXT:
fffffa854737f438 fffff80030c09169 : 000000000000000a 000000740078006c 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffffa854737f440 fffff80030c05469 : ffffaf3278d915c6 0000000000000001 0000000000000a44 ffffc50200000000 : nt!KiBugCheckDispatch+0x69
fffffa854737f580 fffff80030a89894 : 0000000000000000 ffffdd84fbec7d90 fffffa854737faa0 fffff80030a84de7 : nt!KiPageFault+0x469
fffffa854737f710 fffff80030a8cf58 : 0000000000000000 fffffa85000002b0 fffffa854737f851 00000000000002b0 : nt!RtlpHpVsContextAllocateInternal+0xb4
fffffa854737f770 fffff800311b11c4 : 0000000000000000 0000000000000000 000000003130485a fffff800358076f8 : nt!ExAllocateHeapPool+0x888
fffffa854737f8b0 fffff800357e08c9 : 0000000080002804 fffffa854737fec0 fffff800357cfde0 fffff80000000000 : nt!ExAllocatePoolWithTag+0x64
fffffa854737f900 fffff800357cc025 : 00000000005c2434 fffffa8500000000 0000000000000000 fffff80030df787e : KeefsSafe64!CreateAcl+0x39 [e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c @ 43]
fffffa854737f940 fffff800357cfe88 : ffffdd8507e7d600 ffffdd8500000001 00000000005c2430 0000000000000604 : KeefsSafe64!FastIoDeviceControl_CDO+0x2d5 [e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\devctrl.c @ 319]
fffffa854737fb90 fffff80030e74f62 : ffffdd8507e7d600 0000000000010001 00000000005c2430 ffffdd8500000604 : KeefsSafe64!FastIoDeviceControl+0xa8 [e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\fastio.c @ 484]
fffffa854737fc20 fffff80030e74bc6 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x382
fffffa854737fd60 fffff80030c08bb5 : 0000000000000314 00000000004dc338 00000000004dc348 0000000000000008 : nt!NtDeviceIoControlFile+0x56
fffffa854737fdd0 0000000077281cfc : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
00000000004dcc48 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x77281cfc

 

THREAD_SHA1_HASH_MOD_FUNC: f5fa85f28a9cea673373cc8b98642bf19c347f80

 

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 02c04ea31f8cb8b5edc3a34cb952da57193114ab

 

THREAD_SHA1_HASH_MOD: 9514edbab31c5ff545516eeff7bf17adb5c972f6

 

FOLLOWUP_IP:
KeefsSafe64!CreateAcl+39 [e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c @ 43]
fffff800`357e08c9 4889442428 mov qword ptr [rsp+28h],rax

 

FAULT_INSTR_CODE: 24448948

 

FAULTING_SOURCE_LINE: e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c

 

FAULTING_SOURCE_FILE: e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c

 

FAULTING_SOURCE_LINE_NUMBER: 43

 

FAULTING_SOURCE_CODE:
No source found for 'e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c'

 

SYMBOL_STACK_INDEX: 6

 

SYMBOL_NAME: KeefsSafe64!CreateAcl+39

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: KeefsSafe64

 

IMAGE_NAME: KeefsSafe64.sys

 

DEBUG_FLR_IMAGE_TIMESTAMP: 61792303

 

STACK_COMMAND: .thread ; .cxr ; kb



Latest replies (4)
MSGG05 2021-11-6 16:52
Callers of ExAllocatePoolWithTag must be executing at IRQL <= DISPATCH_LEVEL. A caller executing at DISPATCH_LEVEL must specify a NonPagedXxx value for PoolType. A caller executing at IRQL <= APC_LEVEL can specify any POOL_TYPE value.   

The dump shows you are currently at DISPATCH_LEVEL, so which pool_type are you using, NonPaged or Paged?

不戴草帽 2021-11-8 19:01
Thanks MSGG05 for your reply. I had also thought of this, so I tested it: before calling ExAllocatePoolWithTag(NonPagedPool, ); I first call KeGetCurrentIrql(); and if the returned IRQL value is > 0, I bail out and do not call ExAllocatePoolWithTag at all. But in practice it did not help; it still blue-screens.
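The two posts above turn on the same two questions: what the 0xA arguments in the dump actually say, and whether the pool type and IRQL at the call site satisfy the rule MSGG05 quoted. The following is an added example, not code from the thread or from the KeefsSafe64 driver: a user-mode C program that decodes the four bugcheck arguments exactly as posted (Arg1 to Arg4 are copied from the dump; everything else is constructed) and applies the documented ExAllocatePoolWithTag rule. IRQL and POOL_TYPE numbers are the x64 wdm.h values; KeGetCurrentIrql is stood in for by a plain parameter so the program runs outside the kernel. It also re-reads Arg1 as UTF-16LE code units, because a faulting "pointer" whose bytes decode as text (here "lxt") is a pattern a reviewer would want flagged during triage; the usual next step for a pool-related bugcheck is to rerun the driver under Driver Verifier with special pool enabled and see where the first bad write lands.

```c
/*
 * Added example (not from the thread): decode the IRQL_NOT_LESS_OR_EQUAL (0xA)
 * arguments posted above and apply the ExAllocatePoolWithTag IRQL rule quoted
 * in the reply. Plain user-mode C; IRQL and POOL_TYPE values are the x64
 * wdm.h constants, and the kernel's KeGetCurrentIrql is replaced by a parameter.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum irql { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };
/* POOL_TYPE: bit 0 set marks a paged variant (PagedPool = 1, NonPagedPoolNx = 0x200). */
enum pool_type { NonPagedPool = 0, PagedPool = 1, NonPagedPoolNx = 0x200 };

/* Rule from the Microsoft documentation quoted in the reply above. */
int pool_call_allowed(unsigned irql, unsigned pool_type)
{
    if (irql > DISPATCH_LEVEL)
        return 0;                       /* never callable above DISPATCH_LEVEL */
    if (irql == DISPATCH_LEVEL && (pool_type & 1u))
        return 0;                       /* paged pool requires IRQL <= APC_LEVEL */
    return 1;                           /* APC_LEVEL or below: any POOL_TYPE */
}

/* The guard the original poster describes: skip the allocation unless IRQL is 0. */
int op_guard_skips_allocation(unsigned irql)
{
    return irql > PASSIVE_LEVEL;
}

/* The four bugcheck arguments, in the order !analyze -v lists them. */
struct bugcheck_0a {
    uint64_t referenced;   /* Arg1: memory referenced */
    uint64_t irql;         /* Arg2: IRQL at the fault */
    uint64_t bitfield;     /* Arg3: bit 0 = write, bit 3 = execute */
    uint64_t faulting_ip;  /* Arg4: address that referenced memory */
};

/* Constructed from the Arg1..Arg4 lines of the dump posted above. */
static const struct bugcheck_0a posted = {
    0x000000740078006cULL, 2, 0, 0xfffff80030a89894ULL
};

int bc_is_write(const struct bugcheck_0a *b)   { return (b->bitfield & 1u) != 0; }
int bc_is_execute(const struct bugcheck_0a *b) { return (b->bitfield & 8u) != 0; }

/* x64 kernel-mode addresses live in the upper canonical half. */
int is_kernel_address(uint64_t va) { return va >= 0xFFFF800000000000ULL; }

/*
 * Re-read the referenced address as little-endian UTF-16LE code units and copy
 * the leading printable-ASCII run into out (NUL terminated). A "pointer" that
 * decodes as text deserves a second look in triage. Returns characters copied.
 */
size_t address_as_utf16(uint64_t va, char *out, size_t outlen)
{
    size_t n = 0;
    for (int i = 0; i < 4 && n + 1 < outlen; i++) {
        uint16_t unit = (uint16_t)(va >> (16 * i));
        if (unit < 0x20 || unit > 0x7e)
            break;                      /* stop at the first non-printable unit */
        out[n++] = (char)unit;
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char text[8];
    printf("Arg1 %016llx: %s address, %s access%s\n",
           (unsigned long long)posted.referenced,
           is_kernel_address(posted.referenced) ? "kernel" : "non-kernel",
           bc_is_write(&posted) ? "write" : "read",
           bc_is_execute(&posted) ? " (execute)" : "");
    if (address_as_utf16(posted.referenced, text, sizeof text) > 0)
        printf("Arg1 bytes decode as UTF-16LE \"%s\"\n", text);
    printf("Arg2 IRQL %llu: PagedPool %s, NonPagedPool %s\n",
           (unsigned long long)posted.irql,
           pool_call_allowed((unsigned)posted.irql, PagedPool) ? "allowed" : "not allowed",
           pool_call_allowed((unsigned)posted.irql, NonPagedPool) ? "allowed" : "not allowed");
    printf("OP's KeGetCurrentIrql() > 0 guard at this IRQL: %s\n",
           op_guard_skips_allocation((unsigned)posted.irql) ? "would skip the call"
                                                             : "would make the call");
    return 0;
}
```

Run as is, the program reports Arg1 as a non-kernel address read at IRQL 2 whose bytes decode as "lxt", that NonPagedPool is the only pool type the rule permits at that IRQL, and that the poster's IRQL > 0 guard would have skipped the allocation at the IRQL the dump records; compare those lines against the CURRENT_IRQL and STACK_TEXT sections above when reading the thread.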
MSGG05 2021-11-12 14:02
https://www.kanxue.com/question-read-801333.htm 
This person's question on the forum is very similar to what you describe; you could try whether his solution works for you.
不戴草帽 2021-11-15 10:10
Thanks.