tandasat / MemoryMon

Detecting execution of kernel memory that is not backed by any image file
MIT License
253 stars, 97 forks

VmmpHandleUnexpectedExit BSOD@Launch #6

Open ras12019 opened 5 years ago

ras12019 commented 5 years ago

Windows preview 1903 18885.1001 - Intel i7 - VT-x enabled. Having a BSOD error at launch. I can't sort out the source tree; the HyperPlatform compiles and runs.

FAULTING_SOURCE_FILE:  C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp
FAULTING_SOURCE_LINE_NUMBER:  328
FAULTING_SOURCE_CODE:  
   324: _Use_decl_annotations_ static void VmmpHandleUnexpectedExit(
   325:     GuestContext *guest_context) {
   326:   VmmpDumpGuestState();
   327:   const auto qualification = UtilVmRead(VmcsField::kExitQualification);
>  328:   HYPERPLATFORM_COMMON_BUG_CHECK(HyperPlatformBugCheck::kUnexpectedVmExit,
   329:                                  reinterpret_cast<ULONG_PTR>(guest_context),
   330:                                  guest_context->ip, qualification);
   331: }
   332: 
   333: // MTF VM-exit

Minidump 800kb - https://1drv.ms/u/s!Au4WOPg47f1-gmRtoOolGxVYrAKd
MemoryMon.log - https://1drv.ms/u/s!Au4WOPg47f1-gmW5NuL62nm0Nhvm
MemoryMon.pdb - https://1drv.ms/u/s!Au4WOPg47f1-gmbXp2U9sAMdnKlA
MemoryMon.sys - https://1drv.ms/u/s!Au4WOPg47f1-gmfvyl_OtEvjTuXQ

FULL-DUMP-ANALYSIS:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MANUALLY_INITIATED_CRASH (e2)
The user manually initiated this crash dump.
Arguments:
Arg1: 0000000000000001
Arg2: ffff9b8931ffff10
Arg3: fffff8025bf16164
Arg4: 0000000000000000

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 3

    Key  : Analysis.Elapsed.Sec
    Value: 6

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 66

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  18885.1001.amd64fre.rs_prerelease.190419-1606

SYSTEM_MANUFACTURER:  System manufacturer

SYSTEM_PRODUCT_NAME:  System Product Name

SYSTEM_SKU:  SKU

SYSTEM_VERSION:  System Version

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  3805

BIOS_DATE:  05/16/2018

BASEBOARD_MANUFACTURER:  ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT:  Z170-P

BASEBOARD_VERSION:  Rev X.0x

DUMP_TYPE:  1

BUGCHECK_P1: 1

BUGCHECK_P2: ffff9b8931ffff10

BUGCHECK_P3: fffff8025bf16164

BUGCHECK_P4: 0

CPU_COUNT: 2

CPU_MHZ: fa8

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: C6'00000000 (cache) C6'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0xE2

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ANALYSIS_SESSION_HOST:  DESKTOP-LG854SK

ANALYSIS_SESSION_TIME:  05-02-2019 05:11:56.0216

ANALYSIS_VERSION: 10.0.18869.1002 amd64fre

BAD_STACK_POINTER:  ffff9b8931fffe58

LAST_CONTROL_TRANSFER:  from fffff802673d4025 to fffff8025b9c56c0

STACK_TEXT:  
ffff9b89`31fffe58 fffff802`673d4025 : 00000000`000000e2 00000000`00000001 ffff9b89`31ffff10 fffff802`5bf16164 : nt!KeBugCheckEx
ffff9b89`31fffe60 fffff802`673d4610 : 00000000`fffffff7 00000000`00000000 00000000`00000002 ffff9b89`31ffff10 : MemoryMon!VmmpHandleUnexpectedExit+0x41 [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp @ 328] 
ffff9b89`31fffea0 fffff802`673d2b9e : 00000000`00000000 00000000`fffffff7 ffff9b89`31ffff40 00000000`00000000 : MemoryMon!VmmpHandleVmExit+0x4d0 [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp @ 309] 
ffff9b89`31fffef0 fffff802`673d1448 : 00000000`80050033 00000181`d0b3ea00 00000181`cee69660 00000181`d0b78a90 : MemoryMon!VmmVmExitHandler+0xae [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp @ 200] 
ffff9b89`31ffff50 00000000`80050033 : 00000181`d0b3ea00 00000181`cee69660 00000181`d0b78a90 00007ffc`6a9c2d78 : MemoryMon!AsmVmmEntryPoint+0x25 [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\Arch\x64\x64.asm @ 144] 
ffff9b89`31ffff58 00000181`d0b3ea00 : 00000181`cee69660 00000181`d0b78a90 00007ffc`6a9c2d78 00000000`00000000 : 0x80050033
ffff9b89`31ffff60 00000181`cee69660 : 00000181`d0b78a90 00007ffc`6a9c2d78 00000000`00000000 346dc5d6`3886594b : 0x00000181`d0b3ea00
ffff9b89`31ffff68 00000181`d0b78a90 : 00007ffc`6a9c2d78 00000000`00000000 346dc5d6`3886594b 00000181`d0b11a40 : 0x00000181`cee69660
ffff9b89`31ffff70 00007ffc`6a9c2d78 : 00000000`00000000 346dc5d6`3886594b 00000181`d0b11a40 00000000`00000246 : 0x00000181`d0b78a90
ffff9b89`31ffff78 00000000`00000000 : 346dc5d6`3886594b 00000181`d0b11a40 00000000`00000246 00000000`000002b8 : 0x00007ffc`6a9c2d78

THREAD_SHA1_HASH_MOD_FUNC:  6f499a26c682f490d3cb3e65fb7f3a5f553d7faa

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  c8702d70cc40123ea6955a2ae319dc6196f125d1

THREAD_SHA1_HASH_MOD:  6a1f99879137405b70e720581f4e7dc933530485

FOLLOWUP_IP: 
MemoryMon!VmmpHandleUnexpectedExit+41 [C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp @ 328]
fffff802`673d4025 cc              int     3

FAULT_INSTR_CODE:  48cccccc

FAULTING_SOURCE_LINE:  C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp

FAULTING_SOURCE_FILE:  C:\Users\bruker1\Documents\GitHub\MemoryMon-master\HyperPlatform\HyperPlatform\vmm.cpp

FAULTING_SOURCE_LINE_NUMBER:  328

FAULTING_SOURCE_CODE:  
   324: _Use_decl_annotations_ static void VmmpHandleUnexpectedExit(
   325:     GuestContext *guest_context) {
   326:   VmmpDumpGuestState();
   327:   const auto qualification = UtilVmRead(VmcsField::kExitQualification);
>  328:   HYPERPLATFORM_COMMON_BUG_CHECK(HyperPlatformBugCheck::kUnexpectedVmExit,
   329:                                  reinterpret_cast<ULONG_PTR>(guest_context),
   330:                                  guest_context->ip, qualification);
   331: }
   332: 
   333: // MTF VM-exit

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  MemoryMon!VmmpHandleUnexpectedExit+41

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MemoryMon

IMAGE_NAME:  MemoryMon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5cca5eb0

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  41

FAILURE_BUCKET_ID:  0xE2_STACKPTR_ERROR_MemoryMon!VmmpHandleUnexpectedExit

BUCKET_ID:  0xE2_STACKPTR_ERROR_MemoryMon!VmmpHandleUnexpectedExit

PRIMARY_PROBLEM_CLASS:  0xE2_STACKPTR_ERROR_MemoryMon!VmmpHandleUnexpectedExit

TARGET_TIME:  2019-05-02T03:08:58.000Z

OSBUILD:  18885

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  784

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  1978-11-25 11:03:45

BUILDDATESTAMP_STR:  190419-1606

BUILDLAB_STR:  rs_prerelease

BUILDOSVER_STR:  10.0.18885.1001.amd64fre.rs_prerelease.190419-1606

ANALYSIS_SESSION_ELAPSED_TIME:  19e6

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xe2_stackptr_error_memorymon!vmmphandleunexpectedexit

FAILURE_ID_HASH:  {781a428c-6946-179e-f621-27e3af144d53}

Followup:     MachineOwner
---------
tandasat commented 4 years ago

Hey, sorry for this delayed reply.

The issue appears to be something to do with KVA Shadow being enabled, causing an invalid-guest-state VM-exit. I do not recall if I encountered this and resolved it somewhere else before, but that's a possibility.
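The reply above points at an invalid-guest-state VM-exit, which the CPU reports through the VMCS exit-reason field; the bug check in the faulting snippet passes the guest context, ip and exit qualification but not that field, so the dump alone cannot confirm the hypothesis. The following is an added example, not HyperPlatform or MemoryMon code, that decodes the exit-reason field (layout and basic reason numbers per the Intel SDM) into a description a bug check or log could carry; the sample values at the bottom are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Exit-reason field layout (Intel SDM Vol. 3, "Basic VM-Exit Information").
constexpr uint32_t kBasicReasonMask = 0xFFFFu;   // bits 15:0: basic exit reason
constexpr uint32_t kEntryFailureBit = 1u << 31;  // bit 31: the VM entry itself failed

// A few basic exit reasons an EPT-based monitor like this one is likely to meet.
constexpr uint16_t kEntryFailureInvalidGuestState = 33;
constexpr uint16_t kEntryFailureMsrLoading = 34;
constexpr uint16_t kMonitorTrapFlag = 37;
constexpr uint16_t kEptViolation = 48;
constexpr uint16_t kEptMisconfig = 49;

struct ExitInfo {
  uint16_t basic_reason;
  bool entry_failure;  // true: the guest never ran, the entry was rejected
  const char *name;
};

ExitInfo DecodeExitReason(uint32_t exit_reason) {
  ExitInfo info{};
  info.basic_reason = static_cast<uint16_t>(exit_reason & kBasicReasonMask);
  info.entry_failure = (exit_reason & kEntryFailureBit) != 0;
  switch (info.basic_reason) {
    case kEntryFailureInvalidGuestState: info.name = "invalid guest state"; break;
    case kEntryFailureMsrLoading: info.name = "VM-entry MSR loading"; break;
    case kMonitorTrapFlag: info.name = "monitor trap flag"; break;
    case kEptViolation: info.name = "EPT violation"; break;
    case kEptMisconfig: info.name = "EPT misconfiguration"; break;
    default: info.name = "other/unhandled"; break;
  }
  return info;
}

// One-line description for an unexpected exit; returns the snprintf count.
int DescribeUnexpectedExit(uint32_t exit_reason, uint64_t qualification,
                           uint64_t guest_ip, char *buf, size_t size) {
  const ExitInfo info = DecodeExitReason(exit_reason);
  return snprintf(buf, size, "%s reason %u (%s), guest ip 0x%llx, qualification 0x%llx",
                  info.entry_failure ? "VM-entry failure," : "unexpected VM-exit,",
                  info.basic_reason, info.name,
                  static_cast<unsigned long long>(guest_ip),
                  static_cast<unsigned long long>(qualification));
}

int main() {
  char buf[160];  // constructed values: what the KVA Shadow hypothesis would produce
  DescribeUnexpectedExit(0x80000021u, 0, 0xfffff8025bf16164ull, buf, sizeof buf);
  puts(buf);
  return 0;
}
```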