OK, I feel fairly confident I might have figured out the issue.
The debugger gives us a good lead here.
Code:
BugCheck 1000007E, {ffffffffc0000094, fffff960007a5577, fffff88004550638, fffff8800454fe90}
Probably caused by : cdd.dll ( cdd!PresentWorkerThread+20b )
Using !error we are presented with the NTSTATUS code. (NTSTATUS codes usually start with c00000xxx.)
Code:
!error c0000094
Error code: (NTSTATUS) 0xc0000094 (3221225620) - {EXCEPTION} Integer division by zero.
We can see a division by zero, which is a no-no. < This is what the author should be looking into:
where and why does it happen?
Where did it happen?
If we unassemble the previous cdd.dll function by using u we get more information.
Code:
u cdd!PresentWorkerThread+20b
cdd!PresentWorkerThread+0x20b:
fffff960`007a5577 48f7f1 div rax,rcx
fffff960`007a557a 418bc8 mov ecx,r8d
fffff960`007a557d 483bc1 cmp rax,rcx
fffff960`007a5580 488987d8070000 mov qword ptr [rdi+7D8h],rax
fffff960`007a5587 7f09 jg cdd!PresentWorkerThread+0x226 (fffff960`007a5592)
fffff960`007a5589 4181f8400d0300 cmp r8d,30D40h
fffff960`007a5590 760a jbe cdd!PresentWorkerThread+0x230 (fffff960`007a559c)
fffff960`007a5592 838f2008000010 or dword ptr [rdi+820h],10h
Dumping the CPU registers gives us the following.
Code:
r
rax=0000000000989680 rbx=fffffa800ce16880 rcx=0000000000000000
rdx=0000000000000000 rsi=fffffa8010856b30 rdi=fffff900c1e2c020
rip=fffff960007a5577 rsp=fffff88002b0d870 rbp=0000000000000080
r8=0000000000026161 r9=fffff88002b0d950 r10=0000000000000000
r11=fffffa800ce16880 r12=0000000000000000 r13=0000000000000000
r14=0000000000000001 r15=fffff80003c01080
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
cdd!PresentWorkerThread+0x20b:
fffff960`007a5577 48f7f1 div rax,rcx
We see that the division is between rax and rcx, and rcx is zero.
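As an added illustration (this is not code from the original post, nor from cdd.dll), here is a small C program that decodes bugcheck 0x7E's first parameter into the NTSTATUS fields the way !error does, and models the faulting div instruction with the register values from the dump so you can see why rcx=0 faults. The NTSTATUS bit layout is the documented one from ntdef.h; the sample non-zero divisor of 60 is made up for comparison and says nothing about what cdd.dll actually divides by.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Field layout of an NTSTATUS value (ntdef.h):
 *   bits 31-30  severity  (0 success, 1 informational, 2 warning, 3 error)
 *   bit  29     customer  (1 = vendor-defined, 0 = Microsoft-defined)
 *   bit  28     reserved (N bit)
 *   bits 27-16  facility
 *   bits 15-0   code
 * 0xC0000094 decodes to severity 3, facility 0, code 0x94,
 * which is STATUS_INTEGER_DIVIDE_BY_ZERO. */
typedef struct {
    unsigned severity;
    unsigned customer;
    unsigned facility;
    unsigned code;
} ntstatus_fields;

ntstatus_fields decode_ntstatus(uint32_t status)
{
    ntstatus_fields f;
    f.severity = (status >> 30) & 0x3u;
    f.customer = (status >> 29) & 0x1u;
    f.facility = (status >> 16) & 0xFFFu;
    f.code     = status & 0xFFFFu;
    return f;
}

/* Bugcheck 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED): parameter 1 is the
 * exception code. The bugcheck line shows it sign-extended to 64 bits
 * (ffffffffc0000094); truncating gives the 32-bit NTSTATUS that !error decodes. */
uint32_t bugcheck_7e_exception_code(uint64_t param1)
{
    return (uint32_t)param1;
}

typedef struct {
    int      ok;        /* 0 means the CPU would have raised #DE instead */
    uint64_t quotient;  /* what would land in rax */
    uint64_t remainder; /* what would land in rdx */
} div_result;

/* Models `div rcx` on x64 for the case seen in the dump: rdx is zero, so the
 * 128-bit dividend rdx:rax is just rax. A zero divisor raises #DE in hardware,
 * which the kernel reports as STATUS_INTEGER_DIVIDE_BY_ZERO; here it is
 * reported as ok == 0 instead of faulting. */
div_result checked_div(uint64_t rax, uint64_t rcx)
{
    div_result r = { 0, 0, 0 };
    if (rcx == 0)
        return r;
    r.ok        = 1;
    r.quotient  = rax / rcx;
    r.remainder = rax % rcx;
    return r;
}

int main(void)
{
    /* Values taken from the bugcheck line and the r output above. */
    uint64_t param1 = 0xffffffffc0000094ULL;
    uint64_t rax    = 0x0000000000989680ULL;   /* 10,000,000 */
    uint64_t rcx    = 0x0000000000000000ULL;

    uint32_t status = bugcheck_7e_exception_code(param1);
    ntstatus_fields f = decode_ntstatus(status);
    printf("exception code 0x%08" PRIx32 ": severity=%u customer=%u facility=0x%x code=0x%x\n",
           status, f.severity, f.customer, f.facility, f.code);

    div_result d = checked_div(rax, rcx);
    if (!d.ok)
        printf("div rax,rcx with rcx=0: #DE -> STATUS_INTEGER_DIVIDE_BY_ZERO\n");

    /* Sample non-zero divisor (made up) to show the instruction's normal result. */
    d = checked_div(rax, 60);
    printf("div with rcx=60: quotient=%" PRIu64 " remainder=%" PRIu64 "\n",
           d.quotient, d.remainder);
    return 0;
}
```

The compare against r8d and the 30D40h (200000) constant that follow the div in the disassembly are not modelled, because the dump alone does not say what those values represent; the point here is only that with rcx=0 the instruction cannot complete, whatever the surrounding logic.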