#11
Code:
BugCheck 1E, {ffffffffc0000096, fffff80002ea7dda, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KeStackAttachProcess+1ba )

The problem lies with nt!KeStackAttachProcess, which is a very dangerous function to call and should be used with extreme caution as a result of the difficulties it can cause with IRPs and asynchronous I/O (deadlocks etc.). The function is used to attach a thread to another process' address space, which will explain the mov instructions being used on both the cr8 and cr3 control registers. These registers can only be called at Ring Level 0.

Code:
4: kd> k
Child-SP          RetAddr           Call Site
fffff880`0335aee8 fffff800`02ec2738 nt!KeBugCheckEx
fffff880`0335aef0 fffff800`02e77242 nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`0335b590 fffff800`02e75b4a nt!KiExceptionDispatch+0xc2
fffff880`0335b770 fffff800`02ea7dda nt!KiGeneralProtectionFault+0x10a
fffff880`0335b900 fffffa80`081b79c8 nt!KeStackAttachProcess+0x1ba
fffff880`0335b980 fffff880`0335ba80 0xfffffa80`081b79c8
fffff880`0335b988 00000000`00000000 0xfffff880`0335ba80
Generally, the cr8 register is primarily used to handle the priority of external interrupts (interrupts from I/O devices).

Code:
4: kd> u nt!KeStackAttachProcess+0x1ba:
fffff800`02ea7dda 0f22d8           mov     cr3,rax   <-- Privileged Instruction (Move data from rax into cr3)
fffff800`02ea7ddd 410fb6c4         movzx   eax,r12b
fffff800`02ea7de1 440f22c0         mov     cr8,rax   <-- Privileged Instruction (Move data from rax into cr8)
fffff800`02ea7de5 48c7452000000000 mov     qword ptr [rbp+20h],0
fffff800`02ea7ded 488b7c2460       mov     rdi,qword ptr [rsp+60h]
fffff800`02ea7df2 4c8b642458       mov     r12,qword ptr [rsp+58h]
fffff800`02ea7df7 488bac2480000000 mov     rbp,qword ptr [rsp+80h]
fffff800`02ea7dff 4883c468         add     rsp,68h
The cr3 register is used for virtual addressing, converting linear addresses into physical addresses using page tables and page table directories etc. This is probably the most relevant instruction for the faulting function call. This is in fact where the problem happened.
I believe the CPU may have still been running at User-Mode level (Ring 3) or any level higher than Ring 0, for this exception to have happened.
Code:
4: kd> !error ffffffffc0000096
Error code: (NTSTATUS) 0xc0000096 (3221225622) - {EXCEPTION} Privileged instruction.
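The triage steps in the post above (read the four bug check 0x1E parameters, decode the NTSTATUS, and match the exception address against the `k` output to find the faulting frame) can be scripted. The following is an added example and is not code from the original post or from WinDbg; the sample BugCheck line and stack text are constructed from the debugger output quoted in the post, the NTSTATUS field layout (severity in bits 31-30, facility in bits 27-16, code in bits 15-0) and the bug check 0x1E parameter meanings are as documented by Microsoft, and the small NTSTATUS name table is only a subset of the real one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input, taken from the debugger output quoted in the post.
BUGCHECK_LINE = "BugCheck 1E, {ffffffffc0000096, fffff80002ea7dda, 0, 0}"

STACK_TEXT = """\
Child-SP          RetAddr           Call Site
fffff880`0335aee8 fffff800`02ec2738 nt!KeBugCheckEx
fffff880`0335aef0 fffff800`02e77242 nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`0335b590 fffff800`02e75b4a nt!KiExceptionDispatch+0xc2
fffff880`0335b770 fffff800`02ea7dda nt!KiGeneralProtectionFault+0x10a
fffff880`0335b900 fffffa80`081b79c8 nt!KeStackAttachProcess+0x1ba
fffff880`0335b980 fffff880`0335ba80 0xfffffa80`081b79c8
fffff880`0335b988 00000000`00000000 0xfffff880`0335ba80
"""

# Documented meaning of the four parameters of bug check 0x1E.
BUGCHECK_NAMES = {0x1E: "KMODE_EXCEPTION_NOT_HANDLED"}
KMODE_PARAMS = ("exception code", "address where the exception occurred",
                "exception parameter 0", "exception parameter 1")

# Subset of well-known NTSTATUS values seen in exception bug checks.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
    0x80000003: "STATUS_BREAKPOINT",
}
SEVERITY = ("success", "informational", "warning", "error")


@dataclass
class NtStatus:
    value: int      # 32-bit status value
    severity: str   # bits 31-30
    facility: int   # bits 27-16
    code: int       # bits 15-0
    name: str


def decode_ntstatus(raw: int) -> NtStatus:
    """Split an NTSTATUS into its bit fields. The first bug check parameter is
    displayed sign-extended to 64 bits (ffffffffc0000096), so mask to 32 bits."""
    value = raw & 0xFFFFFFFF
    return NtStatus(value=value,
                    severity=SEVERITY[(value >> 30) & 0x3],
                    facility=(value >> 16) & 0xFFF,
                    code=value & 0xFFFF,
                    name=NTSTATUS_NAMES.get(value, "unknown"))


def parse_bugcheck(line: str) -> Tuple[int, List[int]]:
    """Return (bug check code, [four parameters]) from a 'BugCheck XX, {...}' line."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line)
    if not m:
        raise ValueError("not a BugCheck line")
    return int(m.group(1), 16), [int(a.strip(), 16) for a in m.group(2).split(",")]


@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    call_site: str


def parse_stack(text: str) -> List[Frame]:
    """Parse the Child-SP / RetAddr / Call Site columns of 'k' output."""
    pat = re.compile(r"^\s*([0-9a-f`]{17})\s+([0-9a-f`]{17})\s+(.+?)\s*$")
    frames = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            frames.append(Frame(int(m.group(1).replace("`", ""), 16),
                                int(m.group(2).replace("`", ""), 16),
                                m.group(3)))
    return frames


def faulting_call_site(frames: List[Frame], exception_address: int) -> Optional[str]:
    """The frame whose RetAddr equals the exception address is the trap handler
    (KiGeneralProtectionFault here); the frame below it holds the faulting
    instruction, so its Call Site is the symbol to report."""
    for i, f in enumerate(frames[:-1]):
        if f.ret_addr == exception_address:
            return frames[i + 1].call_site
    return None


def triage(bugcheck_line: str, stack_text: str) -> dict:
    """Combine the three checks into one summary for a 0x1E bug check."""
    code, args = parse_bugcheck(bugcheck_line)
    status = decode_ntstatus(args[0])
    return {"bugcheck": BUGCHECK_NAMES.get(code, hex(code)),
            "params": dict(zip(KMODE_PARAMS, args)),
            "exception": status.name,
            "faulting_frame": faulting_call_site(parse_stack(stack_text), args[1])}


if __name__ == "__main__":
    print(triage(BUGCHECK_LINE, STACK_TEXT))
```

Run against the post's output this reports STATUS_PRIVILEGED_INSTRUCTION at nt!KeStackAttachProcess+0x1ba, matching the "Probably caused by" line; the cross-check between parameter 2 and the RetAddr of the trap frame is the part worth keeping when the automatic attribution points at the wrong module.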