Hi, all,
I have experienced a very strange bugcheck,
that occurs after page fault in user address space.
The conditions are:
- Windows 2000 workstation
- Installed either patch KB840987 (new kernel 5.0.2195.6952)
- Or the patch KB 885835 (new kernel 5.0.2195.6692)
- Our filter driver creates a process using PsCreateSystemProcess
as “home” for our worker threads. This process is kernel-mode only
and has no image file.
- The image file name of the new process in the EPROCESS
is changed by the driver (I know that we should not do this, but …)
- A user mode process called the Win32 API CreateToolhelp32Snapshot,
which serves e.g. for enumerating processes.
Analysis:
CreateToolhelp32Snapshot seems to create a thread in every
existing process in the system:
b93d2cc4 804df263 0011f8c8 001f03ff 0011f894 nt!PspCreateThread+0x61b
b93d2d3c 80463f64 0011f8c8 001f03ff 0011f894 nt!NtCreateThread+0x16b
b93d2d3c 77f927b9 0011f8c8 001f03ff 0011f894 nt!KiSystemService+0xc4
0011f584 77faf6ee 0011f8c8 001f03ff 0011f894 ntdll!ZwCreateThread+0xb
0011f8b4 77fa01db 000000a8 00000000 00000001 ntdll!RtlCreateUserThread+0x81
0011f91c 7c51d170 0000005c 00000004 01a20000 ntdll!RtlQueryProcessDebugInformation+0x80
0011f968 7c51c539 00000001 0000005c 0011f988 KERNEL32!ThpCreateRawSnap+0x144
0011f994 004f7414 00000001 0000005c 00f4f008 KERNEL32!CreateToolhelp32Snapshot+0x2a
The bugcheck is caused by the thread in our driver’s process,
which has been created by the call of CreateToolhelp32Snapshot.
The bugcheck is UNEXPECTED_KERNEL_MODE_TRAP.
The stack trace points to some exception handlers
in NTOSKRNL.exe, but not to any user mode address.
The address where the bugcheck occurred is in the user space.
The debugger did not show any content of the page (even in the full
memory dump), so I think it is paged out or completely invalid.
This problem does not occur on Windows XP, and it only
appears after installing the above-mentioned patches
(or one of them).
I’m starting to think that this is a bug in the OS.
Do you have any opinion?
L.