Let's take a look at this crash dump (unfortunately only a Small Memory dump...):
2: kd> .bugcheck
Bugcheck code 00000024
Arguments 00000000`001904fb fffff880`085866a8 fffff880`08585f00 fffff880`016b1d82
Right, so we have our bug check - NTFS_FILE_SYSTEM (0x24). Big hint, if you see this bug check on a crash dump from a user, chances are it's 50/60% (or more) the fault of either the one security application they have installed (whatever the actual problem with the application is), or user error as far as installing more than one security applications go. It's generally a bad idea to pigeonhole a bug check with a single problem (because it's ridiculous to do so), but I'd personally say over the years 0x24 has been much more of a security software issue than anything else.
2: kd> .exr fffff880`085866a8
ExceptionAddress: fffff880016b1d82 (Ntfs!NtfsRemoveHashEntry+0x00000000000000c2)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
By taking a look at the exception record structure, we can see the direct reason for the exception being thrown that caused the actual crash was an access violation occurring in Ntfs!NtfsRemoveHashEntry. Now that we know why, let's take a look at the context record using the address from our 3rd parameter in the .bugcheck output.
2: kd> .cxr fffff880`08585f00
rax=0000000000000000 rbx=fffff8a00224e050 rcx=0001000000000000
rdx=0000000000000000 rsi=000000001fdefdd9 rdi=fffffa80049be358
rip=fffff880016b1d82 rsp=fffff880085868e0 rbp=00000000000001d9
r8=00000000000003b2 r9=0000000000000000 r10=00000000000003b2
r11=fffff88008586910 r12=0000000000000001 r13=0000000000000000
r14=0000000000000001 r15=fffff8a003533ed0
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
Ntfs!NtfsRemoveHashEntry+0xc2:
fffff880`016b1d82 397110 cmp dword ptr [rcx+10h],esi ds:002b:00010000`00000010=????????
On the instruction regarding Ntfs!NtfsRemoveHashEntry, we can see it was comparing the esi register to the memory at address rcx+10. rcx looks pretty bogus, and just to confirm:
2: kd> !pte 0001000000000000 // Or !pte rcx
VA 0001000000000000
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000000 PTE at FFFFF68000000000
Unable to get PXE FFFFF6FB7DBED000
WARNING: noncanonical VA, accesses will fault !
So here's the reason why the exception was thrown, it was noncanonical.
Now that we've also instructed the debugger to use the context record as the register context, we can run a k(b,nL,whatever) to get a more detailed stack in our case - even with a Small Memory dump:
2: kd> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
fffff880`085868e0 fffff880`016b224f Ntfs!NtfsRemoveHashEntry+0xc2
fffff880`08586970 fffff880`016b0a24 Ntfs!NtfsDeleteNormalizedName+0x7f
fffff880`085869a0 fffff880`016b4cdb Ntfs!NtfsDeleteScb+0x1f4
fffff880`085869e0 fffff880`0162e343 Ntfs!NtfsRemoveScb+0x5b
fffff880`08586a20 fffff880`016b2a3c Ntfs!NtfsPrepareFcbForRemoval+0x53
fffff880`08586a50 fffff880`01635a52 Ntfs!NtfsTeardownStructures+0xdc
fffff880`08586ad0 fffff880`016c22d3 Ntfs!NtfsDecrementCloseCounts+0xa2
fffff880`08586b10 fffff880`01714d32 Ntfs!NtfsCommonClose+0x353
fffff880`08586be0 fffff800`02ae1561 Ntfs!NtfsFspCloseInternal+0x186
fffff880`08586cb0 fffff800`02d740ca nt!ExpWorkerThread+0x111
fffff880`08586d40 fffff800`02ac8be6 nt!PspSystemThreadStartup+0x5a
fffff880`08586d80 00000000`00000000 nt!KxStartSystemThread+0x16
Not going to put comments, but rather just talk about it. We were starting a system thread which turned out to be a worker thread (as we can see from the ExpWorkerThread function), and from then on go throughout various NT file system calls. Given the fact that it's a worker thread dealing with NTFS tells us we're likely dealing with a driver requiring delayed processing, etc. As we're going through various NTFS calls, we can see we're preparing the File Control Block (FCB) and Stream Control Block (SCB) for removal and deletion. This also tells us if anything, it's a driver working actively with/for the file system.
Looking at the loaded modules list for any drivers actively working with the file system, what do we find? Hint: A lot of Symantec/Norton kernel-mode drivers
2: kd> lmvm SRTSP64
start end module name
fffff880`082d4000 fffff880`08394000 SRTSP64 (deferred)
Image path: SRTSP64.SYS
Image name: SRTSP64.SYS
Timestamp: Tue Mar 29 22:46:12 2011
Here is Symantec's x64 Real Time Storage Protection (SRTSP) driver. This driver is used by Symantec's Auto-Protect feature, which is what scans files under various conditions. You can expect to find this kernel-mode driver on any system with NIS installed, so what's the big deal? The timestamp/date on the driver itself is from March 29th 2011. The time of the bug check is:
Debug session time: Tue Feb 3 23:57:58.466 2015 (UTC - 5:00)
Okay, so we have a kernel-mode driver from/for Norton that's approximately as of this blog post 3.8 years old. That's.... bad. To give the user the absolute ultimate benefit of the doubt, I for a split-second thought that perhaps maybe Symantec really has a kernel-mode driver regarding RTP that's 3.8 years old. Surely there may be hundreds of vulnerabilities, but it's possible.. right? Wrong.
2: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742
It's a Windows 7 x64 system, so let's create a test environment really quick and install the latest trial version of NIS.
Ah, that's much better.
Unfortunately, that wasn't the only out of date kernel-mode driver regarding Symantec loaded on this particular system. Let's keep comparing:
2: kd> lmvm SYMDS64
start end module name
fffff880`01279000 fffff880`012ea000 SYMDS64 (deferred)
Image path: SYMDS64.SYS
Image name: SYMDS64.SYS
Timestamp: Tue Dec 07 19:16:58 2010
Symantec's x64 Data Store (SymDS) driver.
2: kd> lmvm SYMEFA64
start end module name
fffff880`014f4000 fffff880`015d8000 SYMEFA64 (deferred)
Image path: SYMEFA64.SYS
Image name: SYMEFA64.SYS
Timestamp: Sun Mar 13 23:20:58 2011
Symantec's x64 Extended File Attributes driver.
2: kd> lmvm SYMEVENT64x86
start end module name
fffff880`01dbf000 fffff880`01df5000 SYMEVENT64x86 (deferred)
Image path: SYMEVENT64x86.SYS
Image name: SYMEVENT64x86.SYS
Timestamp: Thu Mar 24 19:02:36 2011
Symantec's x64 SymEvent driver.
2: kd> lmvm SRTSPX64
start end module name
fffff880`01c2d000 fffff880`01c43000 SRTSPX64 (deferred)
Image path: SRTSPX64.SYS
Image name: SRTSPX64.SYS
Timestamp: Tue Mar 29 22:46:18 2011
Symantec's x64 Real Time Storage Protection (SRTSP - PEL) driver.
2: kd> lmvm SYMNETS
start end module name
fffff880`01d58000 fffff880`01dbf000 SYMNETS (deferred)
Image path: SYMNETS.SYS
Image name: SYMNETS.SYS
Timestamp: Tue Apr 19 18:33:31 2011
Symantec's Network Security WFP driver.
Overall, we can see that all of these Symantec/Norton kernel-mode drivers are not their latest versions. Given the fact that the user's system bug checked Feb 2015 and many of its kernel-mode drivers are 3.8 years (or older) old, we know it's pirated. Remove pirated Norton, crashes stop. Surprise surprise.
Moral of the story: If you really are going to pirate an antivirus, be sure it's actually as up to date as it would be if you paid for it. If you're running an antivirus with kernel-mode drivers from 3.8> years old, the amount of vulnerabilities you're vulnerable to that were patched years ago is pretty high. You're also opening yourself up to becoming infected with old malware that was invalidated if not further developed if it relied on certain EOP (or other) exploits to get around active protection. Also, as you can see here, chances are you'll bug check considering you're also subject to ~3.8> year old driver bugs that have since been patched.
You could alternatively just buy the antivirus. Crazy, I know.
This comment has been removed by the author.
ReplyDeleteThis is download fest event page:https://downloadfestival2019.myevent.com/
ReplyDeletehttps://vidstatus.me/
ReplyDeletevidstatus
vidstatus app
vidstatus songs
vidstatus app download
Great sharing! Thank you for sharing! Keep up the great work mate! Cheers!
DeleteThanks for sharing, very informative blog.
ReplyDeleteReverseEngineering
read this one: https://www.apsense.com/article/beauty-and-the-beast-2017-movie-review-a-must-watch.html
ReplyDeleteNice blog!!!!!!!.
ReplyDeleteReverse Engineering in USA
Hey, this is amazing content. thank you for sharing.
ReplyDeleteReverseEngineering
Thanks for info
ReplyDeleteauto cad drawing
Thank you so much for the wonderful website. Which made my day and got full information about Ac Market. Loved this website and recommended for all the users.
ReplyDeletehttps://acmarket.one/
Ac Market
Ac Market APK
AcMarket
Great sharing! Thank you for sharing! Keep up the great work mate! Cheers!
DeleteGreat sharing! Thank you for sharing! Keep up the great work mate! Cheers!
ReplyDeleteInstall SHAREit App on PC
ReplyDeletedirect download links for each device is given.
Great read guys! Thank you for sharing! Anyway anyone from Singapore here? Interested in property investment? I saw a few property launches that has got huge potential. Anyway keen to know more? Click on the link below!
ReplyDeleteLocation
DainTree Residence
daintree residence balance units
whistler grand condo singapore
whistler grand Singapore site plan
whistler grand floor plan plan
jadescape site plan
jadescape condo singapore
jadescape balance unit
I need to thank you for your time for this fantastic reading !!
ReplyDeleteUPLAY365
I saw a few property launches that has got huge potential. Anyway keen to know more? Click on the link below! คาสิโนออนไลน์
ReplyDeleteGOOD Day !
ReplyDeleteUSA Fresh & Verified SSN Leads with best connectivity
All Leads have genuine & valid information
**HEADERS IN LEADS**
First Name | Last Name | SSN | Dob | DL Number |Address | State | City | Zip | Phone Number | Account Number | Bank NAME
*Price for SSN lead $2
*You can ask for sample before any deal
*If anyone buy in bulk, we can negotiate
*Sampling is just for serious buyers
==>ACTIVE & FRESH CC FULLZ ALSO AVAILABLE<==
->$5 PER EACH
->Hope for the long term deal
->Interested buyers will be welcome
**Contact Information 24/7**
Whatsapp > +923172721122
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
ReplyDeletejual obat aborsi di malaysia
jual obat aborsi di hongkong
jual obat aborsi di singapura
jual obat aborsi di medan
jual obat aborsi di banda aceh
jual obat aborsi di lampung
jual obat aborsi di pekanbaru
jual obat aborsi di padang
jual obat aborsi di palembang
jual obat aborsi di jambi
jual obat aborsi di samarinda
jual obat aborsi di balikpapan
jual obat aborsi di pontianak
jual obat aborsi di banjarmasin
jual obat aborsi di bontang
jual obat aborsi di tarakan
jual obat aborsi di palangkaraya
jual obat aborsi di banjarbaru
jual obat aborsi di singkawang
jual obat aborsi di makassar
jual obat aborsi di manado
jual obat aborsi di palu
jual obat aborsi di kendari
jual obat aborsi di palopo
jual obat aborsi di tomohon
jual obat aborsi di gorontalo
jual obat aborsi di toli-toli
jual obat aborsi di denpasar
jual obat aborsi di ubud
jual obat aborsi di kutai
jual obat aborsi di bedugul
jual obat aborsi di singaraja
jual obat aborsi di kupang
jual obat aborsi di lombok
jual obat aborsi di mataram
jual obat aborsi di sumbawa
jual obat aborsi di jayapura
jual obat aborsi di sorong
حقيبة ظهر
ReplyDeleteالوان خشبية
الوان البشرة
قلم فحم
ادوات رسم
طقم فحم
سكتش بوك
كفرز
لاصق لوحات
Pinoy Teleserye
ReplyDeleteThat’s an interesting perspective on antivirus – especially for a layman like me. I didn’t know that antiviruses can make your system vulnerable. Anyway, due to lack of technical knowledge, I cannot understand the complete details. I will take my brothers help to understand this better. Right now, I have to find an Affordable Phd Thesis Help service and outsource my thesis to them. I am off to search for one. Meanwhile, I am leaving this tab open so I don’t forget to discuss this with my brother.
ReplyDeleteinformation and also style, which includes a incredibly bendable topography.
ReplyDeleteThanks for the post and effort! Please keep sharing more such blog.
카지노사이트
바카라사이트
바카라게임사이트
Hello Dear, are you in fact visiting this web page regularly, if so then you will without doubt take nice experience.
ReplyDelete바카라사이트
안전카지노사이트
바카라
It's actually a great and useful piece of information. I am glad that you shared this helpful info with us. Thanks for sharing.
ReplyDelete토토사이트
프로토
먹튀검증
whoah this weblog is great i like studying your posts. Keep up the great work!
ReplyDelete토토
스포츠중계
토토사이트
I experienced reading this post. The whole blog is very nice found some good stuff and good information here. Thank you for sharing this article. Kindly Visit our Website:- Verizon Email Not Working
ReplyDeleteOne of the most popular network for watching pinoyflix shows all over the Philippines is GMA 7.
ReplyDeletewe know today: real-time, on-demand protection against the latest online threats with the help of Norton technical support UK. https://www.antivirussupportuk.com/norton-technical-support-uk
ReplyDeleteSlot เว็บ ตรง มองดูไม่เสริมเติมกว่า PG SLOT 2022 เว็บของพวกเรา นําเสนอเกมสล็อตที่นานัปการซึ่งจะทําให้ท่านเพลินใจได้นานหลายชั่วโมง นี่เป็นคุณประโยชน์บางประการของการเล่นเกม
ReplyDeleteGreat survey, I'm sure you're getting a great response. I also wanna talk about best football books for coaches.
ReplyDeleteDiscover the leading Fertility Centre in Delhi, where cutting-edge technology and compassionate care come together to help couples achieve their dream of parenthood. Located in the heart of the city, our fertility centre offers a wide range of advanced treatments and procedures, tailored to meet the unique needs of each individual or couple. Our team of highly skilled and experienced fertility specialists is dedicated to providing personalized care and support throughout your journey.
ReplyDeleteWith state-of-the-art facilities and a patient-cantered approach, we strive to make your experience as comfortable and successful as possible. Trust our fertility centre in Delhi to provide you with the highest quality care and the best chance of starting or expanding your family.
Asking questions are genuinely good thing if you
ReplyDeleteare not understanding something fully, however this post offers
fastidious understanding even.
This article is genuinely a nice one it helps new web users, who are wishing for blogging.
ReplyDeleteGreat internet site! It looks very expert! Keep up the
ReplyDeletegood work!
I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement the concept. Thank you for the post. I also wanna talk about best workforce management software.
ReplyDeleteMove faster with beautiful, responsive UI components and website templates with modern design, 100% free and open-source. https://www.bardui.com/
ReplyDelete