Building Kernel Driver - Memory Access Violation  


  1. phalse
    Posts : 2
    Windows 7 x64
       New #1

    Building Kernel Driver - Memory Access Violation


    I am trying to understand drivers better and have built a very basic one from scratch.
    Code:
    #include <ntddk.h>
VOID onUnload(IN PDRIVER_OBJECT pDriver_Object)
{
    DbgPrint("Unloading Driver\n");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriver_Object, IN PUNICODE_STRING regPath)
{
    DbgPrint("Driver Loaded");
    (*pDriver_Object).DriverUnload = onUnload;
    return(STATUS_SUCCESS);
}
    I am installing it on a Windows 7 x64 machine with driver signing enforcement off. The driver installs just fine but when I try to start it, I get:
    Code:
    [SC] StartService FAILED 6:
The handle is invalid.
    Upon further investigation with Windbg, I get a:
    Code:
    *** Fatal System Error: 0x0000007e
(0xFFFFFFFFC0000005,0xFFFFF80002C7501D,0xFFFFF88002F89768,0xFFFFF88002F88FC0)
    doing !analyze -v gets me:
    Code:
    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002c7501d, The address that the exception occurred at
Arg3: fffff88002f89768, Exception Record Address
Arg4: fffff88002f88fc0, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!IopLoadDriver+5ad
fffff800`02c7501d 0fb77044        movzx   esi,word ptr [rax+44h]

EXCEPTION_RECORD:  fffff88002f89768 -- (.exr 0xfffff88002f89768)
ExceptionAddress: fffff80002c7501d (nt!IopLoadDriver+0x00000000000005ad)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000044
Attempt to read from address 0000000000000044

CONTEXT:  fffff88002f88fc0 -- (.cxr 0xfffff88002f88fc0;r)
rax=0000000000000000 rbx=0000000000000000 rcx=fffff88002f89a08
rdx=fffff88003981000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c7501d rsp=fffff88002f899a0 rbp=0000000020206f49
 r8=fffff88003981000  r9=fffff88002f899a8 r10=00000000c000007b
r11=0000000000000000 r12=0000000000000001 r13=ffffffff80000064
r14=fffffa800f359490 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nt!IopLoadDriver+0x5ad:
fffff800`02c7501d 0fb77044        movzx   esi,word ptr [rax+44h] ds:002b:00000000`00000044=????
Last set context:
rax=0000000000000000 rbx=0000000000000000 rcx=fffff88002f89a08
rdx=fffff88003981000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c7501d rsp=fffff88002f899a0 rbp=0000000020206f49
 r8=fffff88003981000  r9=fffff88002f899a8 r10=00000000c000007b
r11=0000000000000000 r12=0000000000000001 r13=ffffffff80000064
r14=fffffa800f359490 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nt!IopLoadDriver+0x5ad:
fffff800`02c7501d 0fb77044        movzx   esi,word ptr [rax+44h] ds:002b:00000000`00000044=????
Resetting default scope

PROCESS_NAME:  System

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000044

READ_ADDRESS:  0000000000000044 

FOLLOWUP_IP: 
nt!IopLoadDriver+5ad
fffff800`02c7501d 0fb77044        movzx   esi,word ptr [rax+44h]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80002c75875 to fffff80002c7501d

STACK_TEXT:  
fffff880`02f899a0 fffff800`02c75875 : 00000000`00000001 00000000`00000000 00000000`00000000 fffffa80`0f4195f0 : nt!IopLoadDriver+0x5ad
fffff880`02f89c70 fffff800`0289b161 : fffff800`00000000 ffffffff`80000064 fffff800`02c75820 00000000`00000000 : nt!IopLoadUnloadDriver+0x55
fffff880`02f89cb0 fffff800`02b31166 : 00000000`00000000 fffffa80`0cd99680 00000000`00000080 fffffa80`0cd7e890 : nt!ExpWorkerThread+0x111
fffff880`02f89d40 fffff800`0286c486 : fffff800`02a06e80 fffffa80`0cd99680 fffffa80`0cd99b60 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`02f89d80 00000000`00000000 : fffff880`02f8a000 fffff880`02f84000 fffff880`02f89230 00000000`00000000 : nt!KiStartSystemThread+0x16


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!IopLoadDriver+5ad

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc600

IMAGE_VERSION:  6.1.7600.16385

STACK_COMMAND:  .cxr 0xfffff88002f88fc0 ; kb

FAILURE_BUCKET_ID:  X64_0x7E_VRF_nt!IopLoadDriver+5ad

BUCKET_ID:  X64_0x7E_VRF_nt!IopLoadDriver+5ad

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x7e_vrf_nt!ioploaddriver+5ad

FAILURE_ID_HASH:  {9a15ac25-64d6-8f42-e8da-2a5880ae0901}

Followup: MachineOwner
    It seems like windows is not even able to get to my DriverEntry function. Any idea on how to fix this or debug further? Thanks!
      My Computer
    Quote Quote

  3. Gandalf
    Posts : 531
    Microsoft Windows 7 Ultimate 64-bit 7601 Multiprocessor Free Service Pack 1
       New #2

    Is this a programming question or are you trying to download a needed driver?
      My Computer
    Quote Quote

  4. phalse
    Posts : 2
    Windows 7 x64
    Thread Starter
       New #3

    This would be more of a programming question.
      My Computer
    Quote Quote

  6. Gandalf
    Posts : 531
    Microsoft Windows 7 Ultimate 64-bit 7601 Multiprocessor Free Service Pack 1
       New #4

    I've requested this thread to be moved to the Software forum for you.
      My Computer
    Quote Quote

 

  Related Discussions
The current version of VLC is exposed to malware. This is known since November 2014 but was not yet fixed. https://trac.videolan.org/vlc/ticket/13390
EXCEPTION_ACCESS_VIOLATION (C0000005) Shuts me off during flight simulation. Can this be repaired/corrected? Thank you. I am also getting oc0000142 fail. Everything works fine..just annoying.
Am sure the problem is with my OS/PC and not ERUNT.exe ... because on my previous PC - win 7 home (64 bit) I used Erunt many many times without this problem. Used previous (old) Erunt-Setup.exe to install, but after got the error I removed Erunt and downloaded new & installed - same error. Was...
Runtime error (access violation)
in Installation & Setup

Hello, I have a problem during the installion of a software (the software is Battery 4 by Native Instrument) When the installation starts, this error occurs: Runtime error in setup script: Line 438: access violation at address 74A715DA in module 'version.dll'. Read of address 00000004 ...
I am exhausted by using windows-7 operating system. we have tools developed in windows-xp environment. Now we have the plan to migrate all the tools to windows-07 OS. After installing the tools in win-07 machine i am be not able to run the tool because of "Access violation error (with some...
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 22:54.
Find Us