bbgManu
Guest
Good morning,
Unfortunately I get frequent blue screen errors; the last one had the error DRIVER_OVERRAN_STACK_BUFFER (f7).
I opened the minidump file in WinDbg and the result is this:
Microsoft (R) Windows Debugger Version 10.0.18972.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\091719-8468-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff800`6e600000 PsLoadedModuleList = 0xfffff800`6ea475b0
Debug session time: Tue Sep 17 08:28:57.922 2019 (UTC + 2:00)
System Uptime: 0 days 18:21:30.611
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
................................................................
...............................................................
Loading User Symbols
Loading unloaded module list
................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff800`6e7c10a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff68e`1f4377a0=00000000000000f7
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00007c68fb99bc06, Actual security check cookie from the stack
Arg2: 00007c68fb39bc06, Expected security check cookie
Arg3: ffff8397043643f9, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on PCMANUELE
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 32
Key : Analysis.Memory.CommitPeak.Mb
Value: 69
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: f7
BUGCHECK_P1: 7c68fb99bc06
BUGCHECK_P2: 7c68fb39bc06
BUGCHECK_P3: ffff8397043643f9
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 00007c68fb39bc06 found 00007c68fb99bc06
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
fffff68e`1f437798 fffff800`6e87c1f5 : 00000000`000000f7 00007c68`fb99bc06 00007c68`fb39bc06 ffff8397`043643f9 : nt!KeBugCheckEx
fffff68e`1f4377a0 fffff800`6e622186 : 00005475`899f6f64 00005475`899f6f64 ffff930f`dd91e010 00000000`00000000 : nt!_report_gsfailure+0x25
fffff68e`1f4377e0 fffff800`6e62158e : 00000000`00000003 00000000`00000002 ffff930f`dd91e100 00000000`00000008 : nt!PpmIdleExecuteTransition+0xa56
fffff68e`1f437b00 fffff800`6e7c4ba8 : ffffffff`00000000 ffffbb01`54340180 ffff930f`e9fd7080 00000000`00001586 : nt!PoIdle+0x36e
fffff68e`1f437c60 00000000`00000000 : fffff68e`1f438000 fffff68e`1f432000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x48
SYMBOL_NAME: nt!_report_gsfailure+25
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.18362.356
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 25
FAILURE_BUCKET_ID: 0xF7_TWO_BIT_MISSING_GSFRAME_nt!_report_gsfailure
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {f51a552f-12ee-f12d-33e2-004ce080333a}
Followup: MachineOwner
---------
I don't understand any of it; could someone give me some indication, even from other forums if it's off-topic here?
Thanks a lot,
Fabrizio
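An added example (not from the post, not from Microsoft) that reads the four 0xF7 arguments and the STACK_TEXT printed above and applies the rules the bugcheck description gives: it checks that Arg3 is the complement of Arg2, counts how many bits differ between the actual and expected cookie (the TWO_BIT in FAILURE_BUCKET_ID), and names the frame below nt!_report_gsfailure. The sample text is a constructed copy of the relevant lines above; the reading that a one- or two-bit cookie change points at hardware rather than a driver is a common triage heuristic, not something the dump itself states.

```python
import re
from dataclasses import dataclass
MASK64 = (1 << 64) - 1
# Constructed sample: the relevant lines copied from the !analyze -v output above.
SAMPLE = """\
BUGCHECK_CODE: f7
BUGCHECK_P1: 7c68fb99bc06
BUGCHECK_P2: 7c68fb39bc06
BUGCHECK_P3: ffff8397043643f9
BUGCHECK_P4: 0
STACK_TEXT:
fffff68e`1f437798 fffff800`6e87c1f5 : 00000000`000000f7 00007c68`fb99bc06 00007c68`fb39bc06 ffff8397`043643f9 : nt!KeBugCheckEx
fffff68e`1f4377a0 fffff800`6e622186 : 00005475`899f6f64 00005475`899f6f64 ffff930f`dd91e010 00000000`00000000 : nt!_report_gsfailure+0x25
fffff68e`1f4377e0 fffff800`6e62158e : 00000000`00000003 00000000`00000002 ffff930f`dd91e100 00000000`00000008 : nt!PpmIdleExecuteTransition+0xa56
"""
@dataclass
class GsTriage:
    actual: int            # Arg1: cookie found on the stack
    expected: int          # Arg2: cookie the kernel expected
    complement_ok: bool    # Arg3 really is the 64-bit complement of Arg2
    flipped_bits: int      # Hamming distance between Arg1 and Arg2
    suspect_frame: str     # frame below _report_gsfailure: the routine that "overran"
    verdict: str
def parse_bugcheck_args(text: str) -> dict:
    # BUGCHECK_CODE / BUGCHECK_P1..P4 lines are hex without a 0x prefix
    pat = r"^(BUGCHECK_(?:CODE|P[1-4])):\s*([0-9a-fA-F]+)\s*$"
    return {k: int(v, 16) for k, v in re.findall(pat, text, re.M)}
def frame_below(text: str, routine: str) -> str:
    # STACK_TEXT frame lines start with a child-SP address; the symbol is the last column
    syms = re.findall(r"^[0-9a-f]{8}`[0-9a-f]{8} .*: (\S+)\s*$", text, re.M)
    for i, sym in enumerate(syms[:-1]):
        if sym.startswith(routine):
            return syms[i + 1]
    return ""
def triage_gs_failure(text: str) -> GsTriage:
    args = parse_bugcheck_args(text)
    if args.get("BUGCHECK_CODE") != 0xF7:
        raise ValueError("not a DRIVER_OVERRAN_STACK_BUFFER (0xF7) bugcheck")
    actual, expected, comp = args["BUGCHECK_P1"], args["BUGCHECK_P2"], args["BUGCHECK_P3"]
    complement_ok = comp == (~expected & MASK64)
    flipped = bin(actual ^ expected).count("1")      # 2 for the dump in the post
    frame = frame_below(text, "nt!_report_gsfailure")
    if flipped <= 2:   # WinDbg buckets these as ONE_BIT / TWO_BIT (see FAILURE_BUCKET_ID)
        verdict = f"{flipped}-bit cookie change: an overrun rewrites the whole cookie, so suspect RAM/CPU/overclock first"
    else:
        verdict = f"{flipped} bits differ: cookie overwritten, review the locals of {frame}"
    if not complement_ok:
        verdict += "; Arg3 is not ~Arg2, so the stored cookie globals are inconsistent too"
    return GsTriage(actual, expected, complement_ok, flipped, frame, verdict)
```

On this dump the stored complement (Arg3) does not match the expected cookie either, which the function reports alongside the two-bit difference.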