Debugging Analysis:
Code:
BugCheck 3B, {c0000005, fffff960000d60f7, fffff880021970f0, 0}
Probably caused by : win32k.sys ( win32k!W32pArgumentTable+2db )
Did you roll back the driver?
Code:
7: kd> lmvm atikmdag
start end module name
fffff880`0f0fd000 fffff880`0fd7d000 atikmdag T (no symbols)
Loaded symbol image file: atikmdag.sys
Image path: \SystemRoot\system32\DRIVERS\atikmdag.sys
Image name: atikmdag.sys
Timestamp: Thu Sep 12 03:08:03 2013 (52312203)
CheckSum: 00C34EED
ImageSize: 00C80000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Code:
fffff880021970f0 -- (.cxr 0xfffff880021970f0)
rax=0000000000000000 rbx=fffffa800cea4160 rcx=0000000000000000
rdx=000000000000002b rsi=000007fefe131010 rdi=0000000000000020
rip=fffff960000d60f7 rsp=fffff88002197ad0 rbp=fffff88002197b60
r8=0000000000000000 r9=00000000253d28f0 r10=fffff960000d616c
r11=000007ffffee0000 r12=000007fffffd9000 r13=000000001e486710
r14=000007ffffee0000 r15=0000000077a82670
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
win32k!W32pArgumentTable+0x2db:
fffff960`000d60f7 0000 add byte ptr [rax],al ds:002b:00000000`00000000=??
Resetting default scope
Code:
7: kd> dg @ds
                                                    P Si Gr Pr Lo
Sel        Base              Limit          Type    l ze an es ng Flags
---- ----------------- ----------------- ---------- - -- -- -- -- --------
002B 00000000`00000000 ffffffff`ffffffff Data RW Ac 0 Bg Pg P  Nl 00000c93
The Data Segment is used to store global and static variables declared by the programmer. Static variables are permanent variables that exist for the lifetime of the program, like global variables, and therefore maintain their value across function calls, much as parameters passed by reference do. However, static variables are local to the block they are declared in.
Code:
7: kd> r @al
Last set context:
al=0
Code:
7: kd> uf win32k!W32pArgumentTable+0x2db
win32k!W32pArgumentTable+0x2db:
fffff960`000d60f7 0000 add byte ptr [rax],al
fffff960`000d60f9 0000 add byte ptr [rax],al
fffff960`000d60fb 0000 add byte ptr [rax],al
fffff960`000d60fd 0000 add byte ptr [rax],al
fffff960`000d60ff 0000 add byte ptr [rax],al
fffff960`000d6101 0000 add byte ptr [rax],al
fffff960`000d6103 0000 add byte ptr [rax],al
fffff960`000d6105 0000 add byte ptr [rax],al
fffff960`000d6107 0008 add byte ptr [rax],cl
fffff960`000d6109 0000 add byte ptr [rax],al
fffff960`000d610b 0000 add byte ptr [rax],al
fffff960`000d610d 0000 add byte ptr [rax],al
fffff960`000d610f 0000 add byte ptr [rax],al
fffff960`000d6111 0000 add byte ptr [rax],al
fffff960`000d6113 0000 add byte ptr [rax],al
fffff960`000d6115 0000 add byte ptr [rax],al
fffff960`000d6117 0000 add byte ptr [rax],al
fffff960`000d6119 0000 add byte ptr [rax],al
fffff960`000d611b 0000 add byte ptr [rax],al
So the add instruction is being used with a register containing the value 0, which is added to the value stored within the rax register, a register used to store integer return values from function calls. The rax register doesn't appear to hold an address, and therefore the system may have crashed due to a NULL pointer.
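As an added example (not part of the original post), a small Python triage helper that applies the same reasoning to the debugger text above: it reads the BugCheck line, the .cxr register context and the faulting instruction, then reports the exception status, whether rip sits in zero-filled bytes, and whether the base register of the memory operand is 0. The name tables for bugcheck codes and NTSTATUS values are assumptions that hold only the two values seen in this dump.

```python
import re

# Constructed sample: the bugcheck line, part of the .cxr register context and the
# faulting instruction, copied from the debugger output above.
SAMPLE = """\
BugCheck 3B, {c0000005, fffff960000d60f7, fffff880021970f0, 0}
rax=0000000000000000 rbx=fffffa800cea4160 rcx=0000000000000000
rip=fffff960000d60f7 rsp=fffff88002197ad0 rbp=fffff88002197b60
fffff960`000d60f7 0000 add byte ptr [rax],al ds:002b:00000000`00000000=??
"""

# Minimal lookup tables (assumed): only the codes that occur in this dump.
BUGCHECK_NAMES = {0x3B: "SYSTEM_SERVICE_EXCEPTION"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

def parse_bugcheck(text):
    """Return (code, [arg1, arg2, arg3, arg4]) from a 'BugCheck XX, {...}' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_registers(text):
    """Collect every name=value pair of the register dump into a dict of ints."""
    return {n: int(v, 16) for n, v in re.findall(r"\b([a-z][a-z0-9]*)=([0-9a-f]{16})\b", text)}

def parse_fault_operand(text):
    """From the faulting instruction line, get the opcode bytes, mnemonic, base register
    of the memory operand and the effective address the debugger resolved (ds:sel:addr)."""
    m = re.search(r"^[0-9a-f`]+ ([0-9a-f]+) +(\w+) +byte ptr \[(\w+)\],\w+ +ds:[0-9a-f]+:([0-9a-f`]+)=",
                  text, re.M)
    return {"opcode": m.group(1), "mnemonic": m.group(2), "base": m.group(3),
            "ea": int(m.group(4).replace("`", ""), 16)}

def triage(text):
    """Reproduce the reasoning of the analysis as a list of findings."""
    code, args = parse_bugcheck(text)
    regs = parse_registers(text)
    op = parse_fault_operand(text)
    findings = [f"bugcheck 0x{code:X} {BUGCHECK_NAMES.get(code, 'unknown')}"]
    if code == 0x3B:
        # For 0x3B, arg1 is the NTSTATUS of the exception and arg2 the faulting address.
        findings.append(f"exception 0x{args[0]:08X} {NTSTATUS_NAMES.get(args[0], 'unknown')} "
                        f"at 0x{args[1]:016X}")
        if regs.get("rip") != args[1]:
            findings.append("rip in the context record does not match the faulting address")
    if set(op["opcode"]) == {"0"}:
        # Bytes 00 00 decode as 'add byte ptr [rax],al'; a run of them means rip is
        # executing zero-filled memory rather than real code.
        findings.append("instruction bytes are all zero: rip points into zero-filled memory")
    if regs.get(op["base"]) == 0 and op["ea"] == 0:
        findings.append(f"memory operand [{op['base']}] with {op['base']} == 0: NULL pointer dereference")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```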