11: kd> !analyze -v
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000740078006c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80030a89894, address which referenced memory
Debugging Details:
* WARNING: Unable to verify timestamp for KeefsSafe64.sys
KEY_VALUES_STRING: 1
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 19041.1.amd64fre.vb_release.191206-1406
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: OptiPlex 7090
SYSTEM_SKU: 0A52
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: 1.1.36
BIOS_DATE: 06/22/2021
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 073Y7Y
BASEBOARD_VERSION: A00
DUMP_TYPE: 2
BUGCHECK_P1: 740078006c
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80030a89894
READ_ADDRESS: fffff800314fb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
000000740078006c
CURRENT_IRQL: 2
FAULTING_IP:
nt!RtlpHpVsContextAllocateInternal+b4
fffff800`30a89894 3300 xor eax,dword ptr [rax]
CPU_COUNT: c
CPU_MHZ: a98
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: a7
CPU_STEPPING: 1
CPU_MICROCODE: 6,a7,1,0 (F,M,S,R) SIG: 40'00000000 (cache) 40'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: CGEData.exe
ANALYSIS_SESSION_HOST: DESKTOP-1MOLDIM
ANALYSIS_SESSION_TIME: 11-05-2021 10:51:19.0478
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
TRAP_FRAME: fffffa854737f580 -- (.trap 0xfffffa854737f580)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000740078006c rbx=0000000000000000 rcx=0000000000000000
rdx=ffffdd84f8f03e58 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80030a89894 rsp=fffffa854737f710 rbp=ffffdd84f9000280
r8=fffffa854737f840 r9=0000000000000000 r10=ffffdd84f9000280
r11=fffffa854737f840 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!RtlpHpVsContextAllocateInternal+0xb4:
fffff800`30a89894 3300 xor eax,dword ptr [rax] ds:00000074`0078006c=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80030c09169 to fffff80030bf71b0
STACK_TEXT:
fffffa85`4737f438 fffff800`30c09169 : 00000000`0000000a 00000074`0078006c 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffa85`4737f440 fffff800`30c05469 : ffffaf32`78d915c6 00000000`00000001 00000000`00000a44 ffffc502`00000000 : nt!KiBugCheckDispatch+0x69
fffffa85`4737f580 fffff800`30a89894 : 00000000`00000000 ffffdd84`fbec7d90 fffffa85`4737faa0 fffff800`30a84de7 : nt!KiPageFault+0x469
fffffa85`4737f710 fffff800`30a8cf58 : 00000000`00000000 fffffa85`000002b0 fffffa85`4737f851 00000000`000002b0 : nt!RtlpHpVsContextAllocateInternal+0xb4
fffffa85`4737f770 fffff800`311b11c4 : 00000000`00000000 00000000`00000000 00000000`3130485a fffff800`358076f8 : nt!ExAllocateHeapPool+0x888
fffffa85`4737f8b0 fffff800`357e08c9 : 00000000`80002804 fffffa85`4737fec0 fffff800`357cfde0 fffff800`00000000 : nt!ExAllocatePoolWithTag+0x64
fffffa85`4737f900 fffff800`357cc025 : 00000000`005c2434 fffffa85`00000000 00000000`00000000 fffff800`30df787e : KeefsSafe64!CreateAcl+0x39 [e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c @ 43]
fffffa85`4737f940 fffff800`357cfe88 : ffffdd85`07e7d600 ffffdd85`00000001 00000000`005c2430 00000000`00000604 : KeefsSafe64!FastIoDeviceControl_CDO+0x2d5 [e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\devctrl.c @ 319]
fffffa85`4737fb90 fffff800`30e74f62 : ffffdd85`07e7d600 00000000`00010001 00000000`005c2430 ffffdd85`00000604 : KeefsSafe64!FastIoDeviceControl+0xa8 [e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\fastio.c @ 484]
fffffa85`4737fc20 fffff800`30e74bc6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x382
fffffa85`4737fd60 fffff800`30c08bb5 : 00000000`00000314 00000000`004dc338 00000000`004dc348 00000000`00000008 : nt!NtDeviceIoControlFile+0x56
fffffa85`4737fdd0 00000000`77281cfc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`004dcc48 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77281cfc
THREAD_SHA1_HASH_MOD_FUNC: f5fa85f28a9cea673373cc8b98642bf19c347f80
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 02c04ea31f8cb8b5edc3a34cb952da57193114ab
THREAD_SHA1_HASH_MOD: 9514edbab31c5ff545516eeff7bf17adb5c972f6
FOLLOWUP_IP:
KeefsSafe64!CreateAcl+39 [e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c @ 43]
fffff800`357e08c9 4889442428 mov qword ptr [rsp+28h],rax
FAULT_INSTR_CODE: 24448948
FAULTING_SOURCE_LINE: e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c
FAULTING_SOURCE_FILE: e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c
FAULTING_SOURCE_LINE_NUMBER: 43
FAULTING_SOURCE_CODE:
No source found for 'e:\keefssafe_16_20210827_9.7.0.4\src\ttefs\proc_acl.c'
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: KeefsSafe64!CreateAcl+39
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: KeefsSafe64
IMAGE_NAME: KeefsSafe64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 61792303
STACK_COMMAND: .thread ; .cxr ; kb