Air14/HyperHide

Crash with HyperHide_2021-06-13

Closed this issue · 1 comments

Loading Dump File [C:\Windows\Minidump\062621-23977-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24441.amd64fre.win7sp1_ldr.190418-1735
Machine Name:
Kernel base = 0xfffff80006808000 PsLoadedModuleList = 0xfffff80006a41c90
Debug session time: Sat Jun 26 23:37:11.662 2021 (UTC + 8:00)
System Uptime: 0 days 1:21:39.427
Loading Kernel Symbols
...............................................................
................................................................
..................................................
Loading User Symbols
Loading unloaded module list
..........
For analysis of this file, run !analyze -v
3: kd> !analyze -v


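*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************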

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:

  1. A driver has inadvertently or deliberately modified critical kernel code
    or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
  2. A developer attempted to set a normal kernel breakpoint using a kernel
    debugger that was not attached when the system was booted. Normal breakpoints,
    "bp", can only be set if the debugger is attached at boot time. Hardware
    breakpoints, "ba", can be set at any time.
  3. A hardware corruption occurred, e.g. failing RAM holding kernel code or data.

Arguments:
Arg1: a3a039d8a7a328fd, Reserved
Arg2: b3b7465efa213a23, Reserved
Arg3: 00000000c0000080, Failure type dependent information
Arg4: 0000000000000007, Type of corrupted region, can be
    0 : A generic data region
    1 : Modification of a function or .pdata
    2 : A processor IDT
    3 : A processor GDT
    4 : Type 1 process list corruption
    5 : Type 2 process list corruption
    6 : Debug routine modification
    7 : Critical MSR modification
    8 : Object type
    9 : A processor IVT
    a : Modification of a system service function
    b : A generic session data region
    c : Modification of a session function or .pdata
    d : Modification of an import table
    e : Modification of a session import table
    f : Ps Win32 callout modification
    10 : Debug switch routine modification
    11 : IRP allocator modification
    12 : Driver call dispatcher modification
    13 : IRP completion dispatcher modification
    14 : IRP deallocator modification
    15 : A processor control register
    16 : Critical floating point control register modification
    17 : Local APIC modification
    18 : Kernel notification callout modification
    19 : Loaded module list modification
    1a : Type 3 process list corruption
    1b : Type 4 process list corruption
    1c : Driver object corruption
    1d : Executive callback object modification
    1e : Modification of module padding
    1f : Modification of a protected process
    20 : A generic data region
    21 : A page hash mismatch
    22 : A session page hash mismatch
    23 : Load config directory modification
    24 : Inverted function table modification
    25 : Session configuration modification
    26 : An extended processor control register
    27 : Type 1 pool corruption
    28 : Type 2 pool corruption
    29 : Type 3 pool corruption
    2a : Type 4 pool corruption
    2b : Modification of a function or .pdata
    2c : Image integrity corruption
    2d : Processor misconfiguration
    2e : Type 5 process list corruption
    2f : Process shadow corruption
    30 : Retpoline code page corruption
    101 : General pool corruption
    102 : Modification of win32k.sys

Debugging Details:

fffff800069ea0e8: Unable to get Flags value from nt!KdVersionBlock
GetUlongPtrFromAddress: unable to read from fffff80006aa5300

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 1

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on XU-PC

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 1

Key  : Analysis.Memory.CommitPeak.Mb
Value: 66

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 109

BUGCHECK_P1: a3a039d8a7a328fd

BUGCHECK_P2: b3b7465efa213a23

BUGCHECK_P3: c0000080

BUGCHECK_P4: 7

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

STACK_TEXT:
fffff88004d08498 0000000000000000 : 0000000000000109 a3a039d8a7a328fd b3b7465efa213a23 00000000c0000080 : nt!KeBugCheckEx

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: BAD_STACK_0x109

OS_VERSION: 7.1.7601.24441

BUILDLAB_STR: win7sp1_ldr

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {b4d7023a-05c3-49b2-3ea4-6240fe57d90e}

Followup: MachineOwner

Air14 commented

Fixed