System crash - IRQL_NOT_LESS_OR_EQUAL - Keyboard driver

Microsoft (R) Windows Debugger Version 10.0.17134.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\King\Desktop\090918-18109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17415.x86fre.winblue_r4.141028-1500
Machine Name:
Kernel base = 0x81209000 PsLoadedModuleList = 0x81408418
Debug session time: Sun Sep 9 13:50:30.037 2018 (UTC + 6:00)
System Uptime: 0 days 1:17:13.573
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.




Loading User Symbols
Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {0, 2, 1, 81308cf4}

Probably caused by : kbdclass.sys ( kbdclass!KeyboardClassServiceCallback+e8 )

Followup: MachineOwner

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81308cf4, address which referenced memory

Debugging Details:

KEY_VALUES_STRING: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 9600.17415.x86fre.winblue_r4.141028-1500

DUMP_TYPE: 2

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_P1: 0

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: ffffffff81308cf4

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 814376f4
Unable to get MmSystemRangeStart
GetUlongPtrFromAddress: unable to read from 81437f38
GetUlongPtrFromAddress: unable to read from 81437a90
Unable to get NonPagedPoolStart
Unable to get PagedPoolStart
00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!memmove+124
81308cf4 89448ff4 mov dword ptr [edi+ecx*4-0Ch],eax

CPU_COUNT: 1

CPU_MHZ: 899

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3d

CPU_STEPPING: 4

CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 1F’00000000 (cache) 0’00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

ANALYSIS_SESSION_HOST: DESKTOP-NDA48UI

ANALYSIS_SESSION_TIME: 09-09-2018 13:55:29.0502

ANALYSIS_VERSION: 10.0.17134.1 x86fre

LAST_CONTROL_TRANSFER: from 8fefea65 to 81308cf4

STACK_TEXT:
82743988 8fefea65 00000000 9b13fe2c 0000000c nt!memmove+0x124
827439c4 8fee91d5 953a5240 9b13fe2c 8f916e28 kbdclass!KeyboardClassServiceCallback+0xe8
82743a28 812579a6 91f0cc64 01f0ca00 00000000 i8042prt!I8042KeyboardIsrDpc+0x197
82743ae0 812575c6 82743b28 00000000 89bfabc0 nt!KiExecuteAllDpcs+0x216
82743c04 8131a3d0 00000000 00000000 00000000 nt!KiRetireDpcList+0xf6
82743c08 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x38

THREAD_SHA1_HASH_MOD_FUNC: 558f74cd3a91bcbe19983f1b7c0528b4b6e14e68

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 161173af8eb4dad35d375cfca10e81c430366625

THREAD_SHA1_HASH_MOD: 96f30bfb09b4cbb871d97a7ed1a187f4d9e602f3

FOLLOWUP_IP:
kbdclass!KeyboardClassServiceCallback+e8
8fefea65 8b4510 mov eax,dword ptr [ebp+10h]

FAULT_INSTR_CODE: 3310458b

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: kbdclass!KeyboardClassServiceCallback+e8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: kbdclass

IMAGE_NAME: kbdclass.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 543353ac

IMAGE_VERSION: 6.3.9600.17393

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: e8

FAILURE_BUCKET_ID: AV_kbdclass!KeyboardClassServiceCallback

BUCKET_ID: AV_kbdclass!KeyboardClassServiceCallback

PRIMARY_PROBLEM_CLASS: AV_kbdclass!KeyboardClassServiceCallback

TARGET_TIME: 2018-09-09T07:50:30.000Z

OSBUILD: 9600

OSSERVICEPACK: 17415

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 784

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 8.1

OSEDITION: Windows 8.1 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2014-10-29 06:32:39

BUILDDATESTAMP_STR: 141028-1500

BUILDLAB_STR: winblue_r4

BUILDOSVER_STR: 6.3.9600.17415.x86fre.winblue_r4.141028-1500

ANALYSIS_SESSION_ELAPSED_TIME: d87

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_kbdclass!keyboardclassservicecallback

FAILURE_ID_HASH: {2397e1a0-177a-792e-7553-d9653a04afd0}

Followup: MachineOwner

Source code:

#include “ntddk.h”"

typedef struct {
PDEVICE_OBJECT LowerKbdDevice;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;

typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;

PDEVICE_OBJECT MyKbdDevice = NULL;
//ULONG pendingkey = 0;

void Unload(IN PDRIVER_OBJECT DriverObject) {

LARGE_INTEGER interval = { 0 };

PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;
interval.QuadPart = -10 * 1000 * 1000;
IoDetachDevice(((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice);
/*while (pendingkey) {
KeDelayExecutionThread(KernelMode, FALSE, &interval);
}*/
IoDeleteDevice(MyKbdDevice);
DbgPrint(“driver Unload \r\n”);

}

NTSTATUS DispatchPass(PDEVICE_OBJECT DeviceObject, PIRP Irp) {

IoCopyCurrentIrpStackLocationToNext(Irp);
return IoCallDriver((((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice), Irp);

}

NTSTATUS ReadComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context) {

PKEYBOARD_INPUT_DATA Keys = (PKEYBOARD_INPUT_DATA)Irp->AssociatedIrp.SystemBuffer;
int structnum = Irp->IoStatus.Information / sizeof(PKEYBOARD_INPUT_DATA);
int i;
if (Irp->IoStatus.Status == STATUS_SUCCESS) {
for (i = 0; i < structnum; i++) {
DbgPrint(“The Key Is %x\n”, Keys[i].MakeCode);
}
}
if(Irp->PendingReturned) {
IoMarkIrpPending(Irp);
}

//pendingkey–;
return Irp->IoStatus.Status;
}

NTSTATUS DispatchRead(PDEVICE_OBJECT DeviceObject, PIRP Irp) {

IoCopyCurrentIrpStackLocationToNext(Irp);

IoSetCompletionRoutine(Irp, ReadComplete, NULL, TRUE, TRUE, TRUE);

//pendingkey++;
return IoCallDriver((((PDEVICE_EXTENSION)DeviceObject->DeviceExtension)->LowerKbdDevice), Irp);

}

NTSTATUS MyAttachDevice(PDRIVER_OBJECT DriverObject) {
NTSTATUS status;

UNICODE_STRING TargetDevice = RTL_CONSTANT_STRING(L"\Device\KeyboardClass0");
status = IoCreateDevice(DriverObject,
sizeof(DEVICE_EXTENSION),
NULL, FILE_DEVICE_KEYBOARD,
0, FALSE, &MyKbdDevice);

if (!NT_SUCCESS(status)) {
return status;
}

MyKbdDevice->Flags |= DO_BUFFERED_IO;
MyKbdDevice->Flags &= DO_DEVICE_INITIALIZING;

RtlZeroMemory(MyKbdDevice->DeviceExtension, sizeof(DEVICE_EXTENSION));

status = IoAttachDevice(MyKbdDevice, &TargetDevice, &((PDEVICE_EXTENSION)MyKbdDevice->DeviceExtension)->LowerKbdDevice);

if (!NT_SUCCESS(status)) {
IoDeleteDevice(MyKbdDevice);
return status;
}
return STATUS_SUCCESS;
}

extern “C” NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {

UNREFERENCED_PARAMETER(RegistryPath);
UNREFERENCED_PARAMETER(DriverObject);

NTSTATUS status;
int i;
DriverObject->DriverUnload = Unload;

for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {

DriverObject->MajorFunction[i] = DispatchPass;
}

DriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;

DbgPrint(“Hello Driver\r\n”);
status = MyAttachDevice(DriverObject);

if (!NT_SUCCESS(status)) {
DbgPrint(“attaching is failing”);
return status;
}
else {
KdPrint((“Attaching Succeeds \r\n”));
}

return status;
}

Very nice.

Did you have a question associated with this, or were you merely posting this as some sort of abstract art? I can appreciate all sorts of art…

Peter
OSR
@OSRDrivers