Monday, April 19, 2010

A Case of Mysterious Memory Corruption

Hi, this is Chad from the OEM team. You may remember me from such posts as “Debugging a bluescreen at home.”

Some time ago I debugged a bluescreen on a friend’s home computer, and I thought the results were interesting enough to share. My friend had an older Windows XP system that had been experiencing random crashes for a while. I had looked at a memory dump or two, and while there wasn’t enough information to pinpoint a specific cause, I noticed what appeared to be pool corruption, so I recommended he enable Driver Verifier against all third-party drivers on the system in an effort to track down the offending driver.

(You can learn more about Driver Verifier in the following Knowledge Base article: “Using Driver Verifier to identify issues with Windows drivers for advanced users”).

With Verifier enabled, the machine crashed with a bugcheck and I debugged the memory dump. As always, I started with the “!analyze -v” command:

1: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 88328eac, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 86c6929b, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS:  88328eac Special pool
FAULTING_IP:
+5283c2a1
86c6929b 8b423c          mov     eax,dword ptr [edx+3Ch]

MM_INTERNAL_CODE:  0
DEFAULT_BUCKET_ID:  DRIVER_FAULT_DELL
BUGCHECK_STR:  0xD5
PROCESS_NAME:  services.exe
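The argument block that !analyze -v prints for a 0xD5 is regular enough to parse mechanically, which helps when triaging a batch of Verifier crash dumps rather than one. The following Python helper is an added example and is not code from the Ntdebugging post: it parses the bugcheck name and code, the four arguments, the faulting instruction, the READ/WRITE_ADDRESS line and the process name, then interprets the 0xD5 arguments the way the text above documents them (Arg1 = address referenced, Arg2 = 0 read / 1 write, Arg3 = referencing address) and cross-checks them against the other fields. The sample input is the post's own output trimmed to the relevant lines; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the !analyze -v output quoted in the post, trimmed to
# the lines this parser cares about.
SAMPLE = """\
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
Arguments:
Arg1: 88328eac, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 86c6929b, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

READ_ADDRESS:  88328eac Special pool
FAULTING_IP:
+5283c2a1
86c6929b 8b423c          mov     eax,dword ptr [edx+3Ch]

BUGCHECK_STR:  0xD5
PROCESS_NAME:  services.exe
"""

@dataclass
class BugcheckReport:
    name: str = ""
    code: int = 0
    args: list = field(default_factory=lambda: [0, 0, 0, 0])
    faulting_ip: int = 0
    faulting_symbol: str = ""   # symbol/offset line under FAULTING_IP, e.g. "+5283c2a1"
    faulting_instr: str = ""    # disassembly of the faulting instruction
    process: str = ""
    access_kind: str = ""       # "read" or "write", from the *_ADDRESS line
    access_addr: int = 0
    pool_note: str = ""         # trailing text on the *_ADDRESS line, e.g. "Special pool"

HEADER_RE = re.compile(r"^([A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$")
ARG_RE    = re.compile(r"^Arg([1-4]):\s+([0-9a-fA-F]{8}),\s*(.*)$")
ADDR_RE   = re.compile(r"^(READ|WRITE)_ADDRESS:\s+([0-9a-fA-F]{8})\s*(.*)$")
INSTR_RE  = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s+(\S.*)$")
PROC_RE   = re.compile(r"^PROCESS_NAME:\s+(\S+)")

def parse_analyze(text: str) -> BugcheckReport:
    """Pull the fields a triager needs out of !analyze -v text (32-bit layout)."""
    r = BugcheckReport()
    in_faulting_ip = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_faulting_ip:
            # FAULTING_IP is followed by a symbol line and then the instruction line.
            m = INSTR_RE.match(line)
            if m:
                r.faulting_ip = int(m.group(1), 16)
                r.faulting_instr = " ".join(m.group(3).split())
                in_faulting_ip = False
            elif line:
                r.faulting_symbol = line
            continue
        if line == "FAULTING_IP:":
            in_faulting_ip = True
            continue
        m = HEADER_RE.match(line)
        if m and not r.name:
            r.name, r.code = m.group(1), int(m.group(2), 16)
            continue
        m = ARG_RE.match(line)
        if m:
            r.args[int(m.group(1)) - 1] = int(m.group(2), 16)
            continue
        m = ADDR_RE.match(line)
        if m:
            r.access_kind = m.group(1).lower()
            r.access_addr = int(m.group(2), 16)
            r.pool_note = m.group(3).strip()
            continue
        m = PROC_RE.match(line)
        if m:
            r.process = m.group(1)
    return r

def describe_d5(r: BugcheckReport) -> dict:
    """Interpret the 0xD5 arguments as the bugcheck text documents them and
    cross-check them against the other fields before trusting the summary."""
    if r.code != 0xD5:
        raise ValueError(f"not a 0xD5 report (code 0x{r.code:X})")
    referenced, op, referrer, _reserved = r.args
    operation = "write" if op == 1 else "read"
    return {
        "freed_address": f"{referenced:08x}",
        "operation": operation,
        # Arg3 is only meaningful when non-zero.
        "referencing_ip": f"{referrer:08x}" if referrer else "unknown",
        "instruction": r.faulting_instr,
        "process": r.process,
        "in_special_pool": "special pool" in r.pool_note.lower(),
        "arg3_matches_faulting_ip": referrer != 0 and referrer == r.faulting_ip,
        "arg1_matches_access_addr": referenced == r.access_addr,
        "arg2_matches_access_kind": operation == r.access_kind,
    }

def summarize(r: BugcheckReport) -> str:
    """One-line triage summary for a 0xD5 report."""
    f = describe_d5(r)
    return (f"0x{r.code:X} {r.name}: {f['operation']} of freed address "
            f"{f['freed_address']} by code at {f['referencing_ip']} "
            f"({f['instruction']}) in {f['process']}")

if __name__ == "__main__":
    print(summarize(parse_analyze(SAMPLE)))
```

The consistency flags matter in practice: when Arg3 is zero or does not match FAULTING_IP, or the READ_ADDRESS line does not name special pool, the report is not the straightforward "driver touched a freed special-pool page" case and needs a closer look at the stack before blaming a driver.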

Read more: Ntdebugging Blog

Posted via email from jasper22's posterous