Air14 / HyperHide

Hypervisor based anti anti debug plugin for x64dbg
MIT License

DRIVER_IRQL_NOT_LESS_OR_EQUAL on WIN7X64 with HyperHide_2021-07-19 #10

Closed jianxq closed 3 years ago

jianxq commented 3 years ago

Loading Dump File [C:\Windows\Minidump\072121-11247-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24384.amd64fre.win7sp1_ldr_escrow.190220-1800
Machine Name:
Kernel base = 0xfffff80005251000 PsLoadedModuleList = 0xfffff8000548ac90
Debug session time: Wed Jul 21 13:33:27.203 2021 (UTC + 8:00)
System Uptime: 0 days 0:01:57.592
Loading Kernel Symbols

1: kd> !analyze -v

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff88003b80000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8800307ab03, address which referenced memory

Debugging Details:

*** WARNING: Unable to verify timestamp for airhv.sys
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
GetUlongPtrFromAddress: unable to read from fffff800054ee300

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 3

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on WIN-3TVJD1ASNOS

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 11

Key  : Analysis.Memory.CommitPeak.Mb
Value: 68

Key  : Analysis.System
Value: CreateObject

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: d1

BUGCHECK_P1: fffff88003b80000

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8800307ab03

READ_ADDRESS: fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
 Unable to get MmSystemRangeStart
GetUlongPtrFromAddress: unable to read from fffff800054ee2f0
GetUlongPtrFromAddress: unable to read from fffff800054ee4a8
 fffff88003b80000

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: vmtoolsd.exe

TRAP_FRAME: fffffa8031432cd0 -- (.trap 0xfffffa8031432cd0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000f5d8
rdx=000000000000fed0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8800307ab03 rsp=fffffa8031432e60 rbp=fffffa8031bff810
 r8=000000000000fec0  r9=0000000000000020 r10=0000000000000718
r11=fffffa8031432e68 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di pl nz na pe nc
airhv+0x9b03:
fffff880`0307ab03 f36e            rep outs dx,byte ptr [rsi]
Resetting default scope

BAD_STACK_POINTER: fffffa8031432b88

STACK_TEXT:
fffffa8031432b88 fffff800052f2f69 : 000000000000000a fffff88003b80000 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffffa8031432b90 fffff800052f0d88 : 0000000000000000 fffff88003b80000 0000000000000000 fffff88003b7f718 : nt!KiBugCheckDispatch+0x69
fffffa8031432cd0 fffff8800307ab03 : fffff80005264d0f fffff88000000001 000000007ff4c718 0000000000000000 : nt!KiPageFault+0x448
fffffa8031432e60 fffff80005264d0f : fffff88000000001 000000007ff4c718 0000000000000000 fffff8a001937ce0 : airhv+0x9b03
fffffa8031432e68 fffff88000000001 : 000000007ff4c718 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 : nt!MmCreateMdl+0xb7
fffffa8031432e70 000000007ff4c718 : 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 : 0xfffff88000000001
fffffa8031432e78 0000000000000000 : fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 fffff880`0307a15d : 0x7ff4c718

SYMBOL_NAME: airhv+9b03

MODULE_NAME: airhv

IMAGE_NAME: airhv.sys

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: X64_0xD1_STACKPTR_ERROR_airhv+9b03

OS_VERSION: 7.1.7601.24384

BUILDLAB_STR: win7sp1_ldr_escrow

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {7ac92028-be9a-ed12-5957-bd8308811d0f}

Followup: MachineOwner
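A triage helper for reports of this shape, added here as an example; it is not code from HyperHide or from the reporter. It parses the BUGCHECK_P* fields and the STACK_TEXT frames of a `!analyze -v` report (a constructed excerpt of the text above is embedded inline), decodes the four 0xD1 arguments the way the bugcheck documentation defines them (Arg2 IRQL, Arg3 bit 0 read/write, bit 3 execute), and names the faulting instruction by matching Arg4 against the RetAddr column of the KiPageFault frame. The 0xFFFF800000000000 kernel-space boundary is the x64 value and is an assumption about the target.

```python
"""Triage helper for a WinDbg "!analyze -v" report of bugcheck 0xD1.

Added example; not code from HyperHide or the issue reporter.
"""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the analysis text posted in the issue.
SAMPLE = """\
BUGCHECK_CODE: d1
BUGCHECK_P1: fffff88003b80000
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff8800307ab03
PROCESS_NAME: vmtoolsd.exe
STACK_TEXT:
fffffa8031432b88 fffff800052f2f69 : 000000000000000a fffff88003b80000 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffffa8031432b90 fffff800052f0d88 : 0000000000000000 fffff88003b80000 0000000000000000 fffff88003b7f718 : nt!KiBugCheckDispatch+0x69
fffffa8031432cd0 fffff8800307ab03 : fffff80005264d0f fffff88000000001 000000007ff4c718 0000000000000000 : nt!KiPageFault+0x448
fffffa8031432e60 fffff80005264d0f : fffff88000000001 000000007ff4c718 0000000000000000 fffff8a001937ce0 : airhv+0x9b03
SYMBOL_NAME: airhv+9b03
MODULE_NAME: airhv
IMAGE_NAME: airhv.sys
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
KERNEL_SPACE_START = 0xFFFF800000000000  # assumption: x64 canonical kernel half

# One "k"-style frame: Child-SP, RetAddr, four argument columns, Call Site.
FRAME_RE = re.compile(r"^([0-9a-f`]{16,17}) ([0-9a-f`]{16,17}) : .* : (\S.*)$")


@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    symbol: str


@dataclass
class Analysis:
    code: int
    params: tuple
    process: str
    image: str
    frames: list


def _field(text, name):
    """Value of a 'NAME: value' line; raises if the field is absent."""
    m = re.search(rf"^{name}:\s*(\S+)", text, re.M)
    if not m:
        raise ValueError(f"missing field {name}")
    return m.group(1)


def parse_analyze(text):
    """Extract bugcheck code, parameters, process, image and stack frames."""
    code = int(_field(text, "BUGCHECK_CODE"), 16)
    params = tuple(int(_field(text, f"BUGCHECK_P{i}"), 16) for i in range(1, 5))
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if not in_stack:
            continue
        m = FRAME_RE.match(line)
        if m:
            hexval = lambda tok: int(tok.replace("`", ""), 16)
            frames.append(Frame(hexval(m.group(1)), hexval(m.group(2)), m.group(3).strip()))
        elif frames:
            in_stack = False  # first non-frame line after the frames ends the stack
    return Analysis(code, params, _field(text, "PROCESS_NAME"),
                    _field(text, "IMAGE_NAME"), frames)


def faulting_symbol(a):
    """Name the instruction at Arg4: the KiPageFault frame's RetAddr is the
    interrupted instruction and the following row's Call Site names it."""
    pc = a.params[3]
    for i, f in enumerate(a.frames):
        if f.ret_addr == pc and i + 1 < len(a.frames):
            return a.frames[i + 1].symbol
    return None


def decode_d1(a):
    """Decode the four 0xD1 arguments into a triage dictionary."""
    if a.code != 0xD1:
        raise ValueError(f"not a 0xD1 bugcheck: {a.code:#x}")
    referenced, irql, op, pc = a.params
    operation = "write" if op & 1 else "read"  # Arg3 bit 0
    if op & 8:                                  # Arg3 bit 3: execute fault
        operation += " (execute)"
    return {
        "operation": operation,
        "irql": IRQL_NAMES.get(irql, f"IRQL {irql}"),
        "referenced": f"{referenced:#018x}",
        "pc": f"{pc:#018x}",
        "faulting_symbol": faulting_symbol(a),
        "image": a.image,
        "process": a.process,
        # A user-mode address here means user memory was touched at high IRQL
        # rather than pageable kernel memory; both are driver bugs, but the fix differs.
        "kernel_address": referenced >= KERNEL_SPACE_START,
    }


def summarize(a):
    d = decode_d1(a)
    return (f"{d['image']}: {d['operation']} of {d['referenced']} at {d['irql']} "
            f"from {d['faulting_symbol'] or d['pc']} (process {d['process']})")


if __name__ == "__main__":
    print(summarize(parse_analyze(SAMPLE)))
```

The summary line is what you would paste into a bug tracker: module, access type, IRQL and the module-relative offset, which is the same `airhv+9b03` the FAILURE_BUCKET_ID above keys on.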

Air14 commented 3 years ago

Fixed in HyperHide_2021-08-01