KryptoGuard™ Developer Zone

BSOD - Windows 10 Pro and Intel Audio Driver

6/19/2018

Recently I encountered a BSOD on a Windows 10 Pro system. The BSOD appeared to point at an Intel audio driver. I only took a cursory look at the problem, as it neither appeared to be in the stack we own nor impeded my work or repeated itself enough to warrant any more of my time. Below is some minimal information pertaining to the crash, should it interest the relevant folks. For access to the crash dump, please use the form here to make a request or email info_at_kryptoguard.com

Basic crash information - 

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80828e04096, The address that the exception occurred at
Arg3: fffff486e9b9a848, Exception Record Address
Arg4: fffff486e9b9a090, Context Record Address

Information pertaining to the module (in question) -

> lmvm IntcDAud
Browse full module list
start             end                 module name
fffff808`28dc0000 fffff808`28e88000   IntcDAud   (no symbols)          
    Loaded symbol image file: IntcDAud.sys
    Image path: \SystemRoot\system32\DRIVERS\IntcDAud.sys
    Image name: IntcDAud.sys
    Browse all global symbols  functions  data
    Timestamp:        Wed Dec  6 10:01:50 2017 (5A28065E)
    CheckSum:         000CEEC0
    ImageSize:        000C8000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Offending stack and trap frame -

!thread
THREAD ffffce8c470a2700  Cid 0004.2d9c  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 ffffa60f1ac18bc0
Owning Process            ffffce8c3bd12440       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      34652705       Ticks: 0
Context Switch Count      42             IdealProcessor: 0            
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address IntcDAud (0xfffff80828e3fd50)
Stack Init fffff486e9b9ad90 Current fffff486e9b99660
Base fffff486e9b9b000 Limit fffff486e9b95000 Call 0000000000000000
Priority 15 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff486`e9b99888 fffff800`70bc6cac : 00000000`0000007e ffffffff`c0000005 fffff808`28e04096 fffff486`e9b9a848 : nt!KeBugCheckEx
fffff486`e9b99890 fffff800`70b8dc3f : 00000000`00000003 00000000`00000000 fffff486`e9b95000 fffff486`e9b9b000 : nt!PspSystemThreadStartup$filt$0+0x44
fffff486`e9b998d0 fffff800`70bb8c0d : 00000000`00000000 fffff486`e9b99a70 fffff486`e9b99f30 00000000`00000293 : nt!_C_specific_handler+0x9f
fffff486`e9b99940 fffff800`70a6fae6 : fffff486`e9b99a70 fffff486`e9b99f30 00000000`00000004 fffff486`e9b9a848 : nt!RtlpExecuteHandlerForException+0xd
fffff486`e9b99970 fffff800`70a70f03 : fffff486`e9b9a848 fffff486`e9b9a590 fffff486`e9b9a848 00000000`00000000 : nt!RtlDispatchException+0x416
fffff486`e9b9a060 fffff800`70bc0f42 : 00000000`00000000 00000000`00000000 fffff486`e9b9a7e8 00000000`00000000 : nt!KiDispatchException+0x1f3
fffff486`e9b9a710 fffff800`70bbdabf : 00000000`00000001 fffff808`28ddd00f fffff808`28ddd048 ffffce8c`41e9c1c4 : nt!KiExceptionDispatch+0xc2
fffff486`e9b9a8f0 fffff808`28e04096 : ffffce8c`41e9c100 ffffce8c`41e9c000 00000000`00000000 fffff808`28ddd00f : nt!KiPageFault+0x3ff (TrapFrame @ fffff486`e9b9a8f0)
fffff486`e9b9aa80 fffff808`28e33053 : ffffce8c`41e9c010 fffff486`00000003 ffffce8c`41e9c720 00000000`00000000 : IntcDAud+0x44096
fffff486`e9b9aab0 fffff808`28e33870 : 00000000`00000000 fffff808`00000010 ffffce8c`41e9c2b8 00000000`00000001 : IntcDAud+0x73053
fffff486`e9b9ab40 fffff808`28e19a53 : ffffce8c`41eb3ae0 00000000`00000000 00000000`00000001 00000000`00000000 : IntcDAud+0x73870
fffff486`e9b9ab90 fffff808`28e41aa3 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff808`28e3f4ac : IntcDAud+0x59a53
fffff486`e9b9abf0 fffff808`28e3f96c : ffffce8c`41ea4010 00000000`00000004 00000000`00000000 ffffce8c`3bd12440 : IntcDAud+0x81aa3
fffff486`e9b9ac40 fffff808`28e3ffdb : ffffffff`fffcf2c0 ffffffff`fffcf2c0 ffffffff`fffcf2c0 ffffffff`00000000 : IntcDAud+0x7f96c
fffff486`e9b9ac70 fffff808`28e3fd9b : ffffffff`fffcf2c0 ffffce8c`41ea4010 00000000`00000080 fffff808`28e3fd50 : IntcDAud+0x7ffdb
fffff486`e9b9ace0 fffff800`70afccb7 : ffffce8c`470a2700 fffff808`28e3fd50 ffffffff`ffffffff ffffffff`ffffffff : IntcDAud+0x7fd9b
fffff486`e9b9ad10 fffff800`70bb77d6 : fffff800`7007d180 ffffce8c`470a2700 fffff800`70afcc70 ffffffff`ffffffff : nt!PspSystemThreadStartup+0x47
fffff486`e9b9ad60 00000000`00000000 : fffff486`e9b9b000 fffff486`e9b95000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

0: kd> .trap fffff486`e9b9a8f0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff486e9b9aaa8 rbx=0000000000000000 rcx=fffff80828ddfc00
rdx=0000000000000003 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80828e04096 rsp=fffff486e9b9aa80 rbp=fffff486e9b9ab00
 r8=ffffe30112900180  r9=0000000000000000 r10=0000000000000004
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
IntcDAud+0x44096:
fffff808`28e04096 40387e18        cmp     byte ptr [rsi+18h],dil ds:00000000`00000018=??

Preliminary analysis (tentative/based on a cursory look) - It is quite possible that the content (at a certain offset) of the data at address fffff808`28ddd048, passed on (via the RCX register) by the third Intel frame above (IntcDAud+0x73870) and dereferenced later (at the crashing line above), may be the cause.
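
Added example, not part of the original post or of any KryptoGuard tooling: a Python script that follows the bugcheck text's advice on the excerpts above, mapping the exception address to its owning module and link date and computing the address the faulting instruction touched. The names `triage`, `DUMP` and `NULL_PAGE_LIMIT` are hypothetical, and the 64 KB threshold is a triage assumption.

```python
import re
from datetime import datetime, timezone

# Excerpts copied from the debugger output on this page.
DUMP = """\
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80828e04096, The address that the exception occurred at
fffff808`28dc0000 fffff808`28e88000   IntcDAud   (no symbols)
    Timestamp:        Wed Dec  6 10:01:50 2017 (5A28065E)
rdx=0000000000000003 rsi=0000000000000000 rdi=0000000000000000
fffff808`28e04096 40387e18        cmp     byte ptr [rsi+18h],dil ds:00000000`00000018=??
"""

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}  # only the code seen here
NULL_PAGE_LIMIT = 0x10000  # triage heuristic (assumption): below 64 KB = NULL + field offset
ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"

def hexint(s):
    """Parse a WinDbg hex value, with or without the backtick separator."""
    return int(s.replace("`", ""), 16)

def triage(text):
    """Hypothetical helper: summarise a 0x7E bugcheck from pasted debugger text."""
    args = {int(n): hexint(v) for n, v in re.findall(r"Arg(\d): ([0-9a-f]+),", text)}
    code, fault = args[1] & 0xFFFFFFFF, args[2]  # NTSTATUS is the low 32 bits
    # Loaded-module ranges as printed by lm/lmvm: "start end name".
    mods = [(hexint(s), hexint(e), n) for s, e, n in
            re.findall(rf"^({ADDR}) ({ADDR})\s+(\S+)", text, re.M)]
    owner = next(((s, n) for s, e, n in mods if s <= fault < e), None)
    # PE TimeDateStamp (link date) in hex: seconds since the Unix epoch, UTC.
    stamp = re.search(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)", text)
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(r\w{1,2})=([0-9a-f]{16})", text)}
    # Memory operand of the faulting instruction, limited to the [reg+NNh] form.
    op = re.search(r"\[(r\w{1,2})\+([0-9a-f]+)h\]", text)
    ea = regs[op.group(1)] + int(op.group(2), 16) if op and op.group(1) in regs else None
    return {
        "exception": NTSTATUS.get(code, hex(code)),
        "module": owner[1] if owner else None,
        "offset": hex(fault - owner[0]) if owner else None,
        "link_time_utc": datetime.fromtimestamp(int(stamp.group(1), 16), tz=timezone.utc)
                         .isoformat() if stamp else None,
        "fault_ea": ea,
        "near_null": ea is not None and ea < NULL_PAGE_LIMIT,
    }

if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key:14} {value}")
```

The `.trap` output warns that some registers may be zeroed, so confirm rsi against the full context record (`.cxr` with the Arg4 address) before treating the near-NULL result as final.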


    Author

    Founder of KryptoGuard™ technology initiative, product and services.
