C
CainFamily
Guest
I have a dmp file. I used windbg to read it. It said:
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Mitchell\Desktop\011221-5968-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`6c200000 PsLoadedModuleList = 0xfffff805`6ce2a2b0
Debug session time: Tue Jan 12 15:46:44.679 2021 (UTC - 5:00)
System Uptime: 0 days 18:38:59.406
Loading Kernel Symbols
...............................................................
................................................................
.............................................................
Loading User Symbols
Loading unloaded module list
......................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`6c5f5780 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffffd0b`e54014c0=0000000000000139
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffffd0be54017e0, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffffd0be5401738, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3202
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-HJQT5VH
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 22377
Key : Analysis.Memory.CommitPeak.Mb
Value: 85
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: fffffd0be54017e0
BUGCHECK_P3: fffffd0be5401738
BUGCHECK_P4: 0
TRAP_FRAME: fffffd0be54017e0 -- (.trap 0xfffffd0be54017e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff910b9c3d7fe8 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8056c6349cb rsp=fffffd0be5401970 rbp=fffffd0be5401a01
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff780000003b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po cy
nt!KeWaitForSingleObject+0x1d05db:
fffff805`6c6349cb cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffffd0be5401738 -- (.exr 0xfffffd0be5401738)
ExceptionAddress: fffff8056c6349cb (nt!KeWaitForSingleObject+0x00000000001d05db)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: LeagueClient.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
fffffd0b`e54014b8 fffff805`6c607769 : 00000000`00000139 00000000`00000003 fffffd0b`e54017e0 fffffd0b`e5401738 : nt!KeBugCheckEx
fffffd0b`e54014c0 fffff805`6c607b90 : 00000000`00000001 ffff910b`98f24d00 00000000`00000000 fffff805`6c436264 : nt!KiBugCheckDispatch+0x69
fffffd0b`e5401600 fffff805`6c605f23 : 00000000`0000020c 00000000`00000000 ffff910b`a0073a20 fffff805`6c452f55 : nt!KiFastFailDispatch+0xd0
fffffd0b`e54017e0 fffff805`6c6349cb : 00000000`00000000 fffff805`6c82af81 00000000`00000000 ffff910b`a0073a20 : nt!KiRaiseSecurityCheckFailure+0x323
fffffd0b`e5401970 fffff805`6c82c6a1 : ffff910b`9c3d7fe0 00000000`00000006 00000000`00000001 00000000`00000001 : nt!KeWaitForSingleObject+0x1d05db
fffffd0b`e5401a60 fffff805`6c82c74a : ffff910b`9dbec080 00000000`00000000 00000000`00000000 00000000`0000001c : nt!ObWaitForSingleObject+0x91
fffffd0b`e5401ac0 fffff805`6c6071b8 : ffff910b`9dbec080 ffff910b`9c4e1080 00000000`00000000 00000000`00000000 : nt!NtWaitForSingleObject+0x6a
fffffd0b`e5401b00 00000000`77af1cfc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
00000000`0545eef8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77af1cfc
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.685
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_nt!KiFastFailDispatch
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3aede96a-54dd-40d6-d4cb-2a161a843851}
Followup: MachineOwner
---------
I just don't know what to do next....
More...
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Mitchell\Desktop\011221-5968-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`6c200000 PsLoadedModuleList = 0xfffff805`6ce2a2b0
Debug session time: Tue Jan 12 15:46:44.679 2021 (UTC - 5:00)
System Uptime: 0 days 18:38:59.406
Loading Kernel Symbols
...............................................................
................................................................
.............................................................
Loading User Symbols
Loading unloaded module list
......................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`6c5f5780 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffffd0b`e54014c0=0000000000000139
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffffd0be54017e0, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffffd0be5401738, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3202
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-HJQT5VH
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 22377
Key : Analysis.Memory.CommitPeak.Mb
Value: 85
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: fffffd0be54017e0
BUGCHECK_P3: fffffd0be5401738
BUGCHECK_P4: 0
TRAP_FRAME: fffffd0be54017e0 -- (.trap 0xfffffd0be54017e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff910b9c3d7fe8 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8056c6349cb rsp=fffffd0be5401970 rbp=fffffd0be5401a01
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff780000003b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po cy
nt!KeWaitForSingleObject+0x1d05db:
fffff805`6c6349cb cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffffd0be5401738 -- (.exr 0xfffffd0be5401738)
ExceptionAddress: fffff8056c6349cb (nt!KeWaitForSingleObject+0x00000000001d05db)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: LeagueClient.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
fffffd0b`e54014b8 fffff805`6c607769 : 00000000`00000139 00000000`00000003 fffffd0b`e54017e0 fffffd0b`e5401738 : nt!KeBugCheckEx
fffffd0b`e54014c0 fffff805`6c607b90 : 00000000`00000001 ffff910b`98f24d00 00000000`00000000 fffff805`6c436264 : nt!KiBugCheckDispatch+0x69
fffffd0b`e5401600 fffff805`6c605f23 : 00000000`0000020c 00000000`00000000 ffff910b`a0073a20 fffff805`6c452f55 : nt!KiFastFailDispatch+0xd0
fffffd0b`e54017e0 fffff805`6c6349cb : 00000000`00000000 fffff805`6c82af81 00000000`00000000 ffff910b`a0073a20 : nt!KiRaiseSecurityCheckFailure+0x323
fffffd0b`e5401970 fffff805`6c82c6a1 : ffff910b`9c3d7fe0 00000000`00000006 00000000`00000001 00000000`00000001 : nt!KeWaitForSingleObject+0x1d05db
fffffd0b`e5401a60 fffff805`6c82c74a : ffff910b`9dbec080 00000000`00000000 00000000`00000000 00000000`0000001c : nt!ObWaitForSingleObject+0x91
fffffd0b`e5401ac0 fffff805`6c6071b8 : ffff910b`9dbec080 ffff910b`9c4e1080 00000000`00000000 00000000`00000000 : nt!NtWaitForSingleObject+0x6a
fffffd0b`e5401b00 00000000`77af1cfc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
00000000`0545eef8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77af1cfc
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.685
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_nt!KiFastFailDispatch
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3aede96a-54dd-40d6-d4cb-2a161a843851}
Followup: MachineOwner
---------
I just don't know what to do next....
More...