archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/sdktools/debuggers/exts/extdll/bugcheck.cpp

2521 lines
72 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1992-2001 Microsoft Corporation
  5. Module Name:
  7. bugcheck.cpp
  9. Abstract:
  11. WinDbg Extension Api
  13. Environment:
  15. User Mode.
  17. Revision History:
  19. Andre Vachon (andreva)
  21. bugcheck analyzer.
  23. --*/
  25. #include "precomp.h"
  27. #pragma hdrstop
  29. extern BUGDESC_APIREFS g_BugDescApiRefs[];
  30. extern ULONG g_NumBugDescApiRefs;
  32. PSTR g_PoolRegion[DbgPoolRegionMax] = {
  33. "Unknown", // DbgPoolRegionUnknown,
  34. "Special pool", // DbgPoolRegionSpecial,
  35. "Paged pool", // DbgPoolRegionPaged,
  36. "Nonpaged pool", // DbgPoolRegionNonPaged,
  37. "Pool code", // DbgPoolRegionCode,
  38. "Nonpaged pool expansion", // DbgPoolRegionNonPagedExpansion,
  39. };
  41. /*
  42. Get the description record for a bugcheck code.
  43. */
  45. BOOL
  46. GetBugCheckDescription(
  47. PBUGCHECK_ANALYSIS Bc
  48. )
  49. {
  50. ULONG i;
  51. for (i=0; i<g_NumBugDescApiRefs; i++) {
  52. if (g_BugDescApiRefs[i].Code == Bc->Code) {
  53. (g_BugDescApiRefs[i].pExamineRoutine)(Bc);
  54. return TRUE;
  55. }
  56. }
  57. return FALSE;
  58. }
  60. void
  61. PrintBugDescription(
  62. PBUGCHECK_ANALYSIS pBugCheck
  63. )
  64. {
  65. LPTSTR Name = pBugCheck->szName;
  66. LPTSTR Description = pBugCheck->szDescription;
  68. if (!Name)
  69. {
  70. Name = "Unknown bugcheck code";
  71. }
  73. if (!Description)
  74. {
  75. Description = "Unknown bugcheck description\n";
  76. }
  78. dprintf("%s (%lx)\n%s", Name, pBugCheck->Code, Description);
  80. dprintf("Arguments:\n");
  81. for (ULONG i=0; i<4; i++) {
  82. dprintf("Arg%lx: %p",i+1,pBugCheck->Args[i]);
  83. if (pBugCheck->szParamsDesc[i]) {
  84. dprintf(", %s", pBugCheck->szParamsDesc[i]);
  85. }
  86. dprintf("\n");
  87. }
  88. }
  90. BOOL
  91. SaveImageName(
  92. DebugFailureAnalysis* Analysis,
  93. LPSTR DriverName)
  94. {
  95. PCHAR BaseName = strrchr(DriverName, '\\');
  97. if (BaseName)
  98. {
  99. BaseName++;
  100. }
  101. else
  102. {
  103. BaseName = DriverName;
  104. }
  106. if (*BaseName)
  107. {
  108. Analysis->SetString(DEBUG_FLR_IMAGE_NAME, BaseName);
  110. //
  111. // Just create a best guess module name because I don't think
  112. // the driver name returned by theOs is guaranteed to be in
  113. // the loaded module list (it could be unlaoded)
  114. //
  116. PCHAR EndName;
  118. if (EndName = strrchr(DriverName, '.'))
  119. {
  120. *EndName = 0;
  121. }
  123. Analysis->SetString(DEBUG_FLR_MODULE_NAME, BaseName);
  125. return TRUE;
  126. }
  128. return FALSE;
  129. }
  133. BOOL
  134. ReadUnicodeString(
  135. ULONG64 Address,
  136. PWCHAR Buffer,
  137. ULONG BufferSize,
  138. PULONG StringSize)
  139. {
  140. UNICODE_STRING64 uStr;
  141. UNICODE_STRING32 uStr32;
  142. ULONG res;
  144. if (!Buffer) {
  145. return FALSE;
  146. }
  147. if (!IsPtr64()) {
  149. if (!ReadMemory(Address, &uStr32, sizeof(uStr32), &res)) {
  150. return FALSE;
  151. }
  152. uStr.Length = uStr32.Length;
  153. uStr.MaximumLength = uStr32.MaximumLength;
  154. uStr.Buffer = (ULONG64) (LONG64) (LONG) uStr32.Buffer;
  155. } else {
  156. if (!ReadMemory(Address, &uStr, sizeof(uStr), &res)) {
  157. return FALSE;
  158. }
  160. }
  161. if (StringSize) {
  162. *StringSize = uStr.Length;
  163. }
  164. uStr.Length = (USHORT) min(BufferSize - 2, uStr.Length);
  166. if (!ReadMemory(uStr.Buffer, Buffer, uStr.Length, &res)) {
  167. return FALSE;
  168. }
  169. return TRUE;
  170. }
  174. /*
  175. Add driver name to CrashInfo if a KiBugCheckReferences a valid name
  176. */
  177. BOOL
  178. AddBugcheckDriver(
  179. DebugFailureAnalysis* Analysis,
  180. BOOL bUnicodeString,
  181. BOOL bUnicodeData,
  182. ULONG64 BugCheckDriver
  183. )
  184. {
  185. CHAR DriverName[MAX_PATH];
  187. if (Analysis->Get(DEBUG_FLR_IMAGE_NAME))
  188. {
  189. return FALSE;
  190. }
  192. if (!BugCheckDriver)
  193. {
  194. //
  195. // This contains a pointer to the unicode string.
  196. //
  198. BugCheckDriver = GetExpression("NT!KiBugCheckDriver");
  200. if (BugCheckDriver)
  201. {
  202. ReadPointer(BugCheckDriver, &BugCheckDriver);
  203. }
  204. }
  206. if (BugCheckDriver)
  207. {
  208. ULONG length = 0;
  209. BOOL success;
  210. ULONG size;
  211. ULONG res;
  213. ZeroMemory(DriverName, sizeof(DriverName));
  215. if (bUnicodeString)
  216. {
  217. success = ReadUnicodeString(BugCheckDriver,
  218. (PWCHAR) &DriverName[0],
  219. sizeof(DriverName), &length);
  220. }
  221. else
  222. {
  223. size = bUnicodeData ? 2 : 1;
  225. while (ReadMemory(BugCheckDriver + length,
  226. DriverName + length,
  227. size,
  228. &res) &&
  229. (res == size) &&
  230. *(DriverName + length))
  231. {
  232. length += size;
  233. }
  234. success = (length > 0);
  235. }
  237. if (success)
  238. {
  239. DriverName[length] = 0;
  241. if (bUnicodeData)
  242. {
  243. wchr2ansi((PWCHAR) DriverName, DriverName);
  244. DriverName[length / 2] = 0;
  245. }
  247. return SaveImageName(Analysis, DriverName);
  248. }
  249. }
  251. return FALSE;
  252. }
  255. BOOL
  256. BcGetDriverNameFromIrp(
  257. DebugFailureAnalysis* Analysis,
  258. ULONG64 Irp,
  259. ULONG64 DevObj,
  260. ULONG64 DrvObj
  261. )
  262. {
  263. if (Irp != 0)
  264. {
  265. DEBUG_IRP_INFO IrpInfo;
  266. PGET_IRP_INFO GetIrpInfo;
  268. if (g_ExtControl->GetExtensionFunction(0, "GetIrpInfo", (FARPROC*)&GetIrpInfo) == S_OK)
  269. {
  270. IrpInfo.SizeOfStruct = sizeof(IrpInfo);
  271. if (GetIrpInfo &&
  272. ((*GetIrpInfo)(g_ExtClient,Irp, &IrpInfo) == S_OK))
  273. {
  274. DevObj = IrpInfo.CurrentStack.DeviceObject;
  275. Analysis->SetUlong64(DEBUG_FLR_DEVICE_OBJECT, DevObj);
  276. }
  277. }
  279. }
  281. if (DevObj != 0)
  282. {
  283. DEBUG_DEVICE_OBJECT_INFO DevObjInfo;
  284. PGET_DEVICE_OBJECT_INFO GetDevObjInfo;
  286. if (g_ExtControl->GetExtensionFunction(0, "GetDevObjInfo", (FARPROC*)&GetDevObjInfo) == S_OK)
  287. {
  288. DevObjInfo.SizeOfStruct = sizeof(DEBUG_DEVICE_OBJECT_INFO);
  289. if (GetDevObjInfo &&
  290. ((*GetDevObjInfo)(g_ExtClient,DevObj, &DevObjInfo) == S_OK))
  291. {
  292. DrvObj = DevObjInfo.DriverObject;
  293. Analysis->SetUlong64(DEBUG_FLR_DRIVER_OBJECT, DrvObj);
  294. }
  295. }
  296. }
  298. if (DrvObj)
  299. {
  300. DEBUG_DRIVER_OBJECT_INFO DrvObjInfo;
  301. PGET_DRIVER_OBJECT_INFO GetDrvObjInfo;
  303. if (g_ExtControl->GetExtensionFunction(0, "GetDrvObjInfo",
  304. (FARPROC*)&GetDrvObjInfo) == S_OK)
  305. {
  306. DrvObjInfo.SizeOfStruct = sizeof(DEBUG_DRIVER_OBJECT_INFO);
  307. if (GetDrvObjInfo &&
  308. ((*GetDrvObjInfo)(g_ExtClient,DrvObj, &DrvObjInfo) == S_OK))
  309. {
  310. if (AddBugcheckDriver(Analysis, FALSE, TRUE,
  311. DrvObjInfo.DriverName.Buffer))
  312. {
  313. return TRUE;
  314. }
  315. }
  317. CHAR DriverName[MAX_PATH];
  319. if (g_ExtSymbols->GetModuleNames(DEBUG_ANY_ID,
  320. DrvObjInfo.DriverStart,
  321. DriverName,
  322. sizeof(DriverName),
  323. NULL,
  324. NULL, 0, NULL,
  325. NULL, 0, NULL) == S_OK)
  326. {
  327. return SaveImageName(Analysis, DriverName);
  328. }
  329. }
  330. }
  332. return FALSE;
  333. }
  336. ULONG64
  337. BcTargetKernelAddressStart(
  338. void
  339. )
  340. {
  341. switch (g_TargetMachine)
  342. {
  343. case IMAGE_FILE_MACHINE_I386:
  344. return 0x80000000;
  345. case IMAGE_FILE_MACHINE_AMD64:
  346. // return 0x80000000000UI64;
  347. case IMAGE_FILE_MACHINE_IA64:
  348. return 0x2000000000000000UI64;
  349. }
  350. return 0;
  351. }
  353. BOOL
  354. BcIsCpuOverClocked(
  355. void
  356. )
  357. {
  358. struct _IntelCPUSpeeds
  359. {
  360. union
  361. {
  362. ULONG CpuId;
  363. struct
  364. {
  365. ULONG Stepping:8;
  366. ULONG Model:8;
  367. ULONG Family:16;
  368. } s;
  369. };
  370. ULONG Mhz;
  371. } IntelSpeeds[] = {
  372. {0x06060d, 350},
  373. //{0x060702, 450},
  374. {0x060702, 500},
  375. //{0x060703, 450},
  376. //{0x060703, 500},
  377. //{0x060703, 550},
  378. //{0x060703, 533},
  379. {0x060703, 600},
  380. //{0x060801, 500},
  381. //{0x060801, 533},
  382. //{0x060801, 550},
  383. //{0x060801, 600},
  384. //{0x060801, 650},
  385. //{0x060801, 667},
  386. //{0x060801, 700},
  387. //{0x060801, 733},
  388. //{0x060801, 750},
  389. {0x060801, 800},
  390. //{0x060803, 500},
  391. //{0x060803, 533},
  392. //{0x060803, 550},
  393. //{0x060803, 600},
  394. //{0x060803, 650},
  395. //{0x060803, 667},
  396. //{0x060803, 700},
  397. //{0x060803, 733},
  398. //{0x060803, 750},
  399. //{0x060803, 800},
  400. //{0x060803, 850},
  401. //{0x060803, 866},
  402. //{0x060803, 933},
  403. {0x060803, 1000},
  404. //{0x060806, 600},
  405. //{0x060806, 650},
  406. //{0x060806, 667},
  407. //{0x060806, 700},
  408. //{0x060806, 733},
  409. //{0x060806, 750},
  410. //{0x060806, 800},
  411. //{0x060806, 850},
  412. //{0x060806, 866},
  413. //{0x060806, 900},
  414. //{0x060806, 933},
  415. {0x060806, 1000},
  416. //{0x06080A, 700},
  417. //{0x06080A, 733},
  418. //{0x06080A, 750},
  419. //{0x06080A, 800},
  420. //{0x06080A, 850},
  421. //{0x06080A, 866},
  422. //{0x06080A, 933},
  423. //{0x06080A, 1100},
  424. {0x06080A, 1130},
  425. //{0x060B01, 1000},
  426. //{0x060B01, 1130},
  427. //{0x060B01, 1200},
  428. {0x060B01, 1260},
  429. {0, 0},
  430. };
  431. PROCESSORINFO ProcInfo;
  432. ULONG Processor;
  433. ULONG64 Prcb;
  434. HRESULT Hr;
  435. ULONG Mhz;
  436. ULONG Number;
  437. ULONG CpuType;
  438. ULONG CpuStep;
  439. DEBUG_PROCESSOR_IDENTIFICATION_ALL IdAll;
  441. if (g_TargetMachine != IMAGE_FILE_MACHINE_I386)
  442. {
  443. return FALSE;
  444. }
  446. if (!Ioctl(IG_KD_CONTEXT, &ProcInfo, sizeof(ProcInfo)))
  447. {
  448. return FALSE;
  449. }
  451. Processor = ProcInfo.Processor;
  453. Hr = g_ExtData->ReadProcessorSystemData(Processor,
  454. DEBUG_DATA_KPRCB_OFFSET,
  455. &Prcb,
  456. sizeof(Prcb),
  457. NULL);
  458. if (Hr != S_OK)
  459. {
  460. return FALSE;
  461. }
  463. if (g_ExtData->
  464. ReadProcessorSystemData(Processor,
  465. DEBUG_DATA_PROCESSOR_IDENTIFICATION,
  466. &IdAll, sizeof(IdAll), NULL) != S_OK)
  467. {
  468. return FALSE;
  469. }
  471. if (g_ExtData->
  472. ReadProcessorSystemData(Processor,
  473. DEBUG_DATA_PROCESSOR_SPEED,
  474. &Mhz, sizeof(Mhz), NULL) != S_OK)
  475. {
  476. return FALSE;
  478. }
  481. {
  482. ULONG Speed;
  483. ULONG CpuId;
  485. CpuId = (IdAll.X86.Family << 16) + (IdAll.X86.Model << 8) + IdAll.X86.Stepping;
  487. if (!strcmp(IdAll.X86.VendorString, "GenuineIntel"))
  488. {
  489. for (ULONG i=0; IntelSpeeds[i].CpuId !=0; ++i)
  490. {
  491. if (IntelSpeeds[i].CpuId == CpuId)
  492. {
  493. //
  494. // If the part is within 2% of the MHz, it's OK.
  495. //
  496. if (Mhz > (IntelSpeeds[i].Mhz * 1.02))
  497. {
  498. return TRUE;
  499. }
  500. }
  501. }
  502. }
  503. }
  505. return FALSE;
  506. }
  509. HRESULT
  510. ExtGetPoolData(
  511. ULONG64 Pool,
  512. PDEBUG_POOL_DATA pPoolData
  513. )
  514. {
  515. PGET_POOL_DATA pGetPoolData = NULL;
  517. if (g_ExtControl->
  518. GetExtensionFunction(0, "GetPoolData",
  519. (FARPROC*)&pGetPoolData) == S_OK &&
  520. pGetPoolData)
  521. {
  522. return (*pGetPoolData)(g_ExtClient, Pool, pPoolData);
  523. }
  524. return E_FAIL;
  525. }
  527. #define DECL_GETINFO(bcname) \
  528. void \
  529. GetInfoFor##bcname ( \
  530. PBUGCHECK_ANALYSIS Bc, \
  531. KernelDebugFailureAnalysis* Analysis \
  532. )
  535. //DUPINFOCASE( DRIVER_IRQL_NOT_LESS_OR_EQUAL ); //0xD1
  536. DECL_GETINFO( IRQL_NOT_LESS_OR_EQUAL ) // (0xA)
  537. /*
  538. * Parameters
  539. *
  540. * Parameter 1 Memory referenced
  541. * Parameter 2 IRQL Value
  542. * Parameter 3 0 - Read 1 - Write
  543. * Parameter 4 Address that referenced the memory
  544. *
  545. *
  546. * Special Case
  547. *
  548. * If Parameter 3 is nonzero and equal to Parameter 1, this means that
  549. * a worker routine returned at a raised IRQL.
  550. * In this case:
  551. *
  552. * Parameter 1 Address of work routine
  553. * Parameter 2 IRQL at time of reference
  554. * Parameter 3 Address of work routine
  555. * Parameter 4 Work item
  556. *
  557. */
  558. {
  559. if ((Bc->Args[0] == Bc->Args[2]) && Bc->Args[2])
  560. {
  561. // special case
  562. Analysis->SetUlong64(DEBUG_FLR_WORKER_ROUTINE, Bc->Args[2]);
  563. Analysis->SetUlong64(DEBUG_FLR_WORK_ITEM, Bc->Args[3]);
  564. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  565. return;
  566. }
  568. Analysis->SetUlong64(Bc->Args[2] ?
  569. DEBUG_FLR_WRITE_ADDRESS : DEBUG_FLR_READ_ADDRESS,
  570. Bc->Args[0]);
  571. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  572. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, Bc->Args[3]);
  574. if (Bc->Args[0] == Bc->Args[3] &&
  575. Bc->Args[2] == 0)
  576. {
  577. Analysis->SetString(DEBUG_FLR_BUGCHECK_SPECIFIER, "_CODE_AV");
  578. }
  580. }
  582. DECL_GETINFO( MEMORY_MANAGEMENT ) // 0x1A
  583. {
  584. CHAR BugCheckStr[20];
  586. sprintf(BugCheckStr, "0x%lx_%lx", Bc->Code, Bc->Args[0]);
  587. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  588. }
  591. DECL_GETINFO( KMODE_EXCEPTION_NOT_HANDLED ) // (1e)
  592. {
  593. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_CODE, Bc->Args[0]);
  594. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, Bc->Args[1]);
  595. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_PARAMETER1, Bc->Args[2]);
  596. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_PARAMETER2, Bc->Args[3]);
  597. if ((ULONG)Bc->Args[0] == STATUS_ACCESS_VIOLATION)
  598. {
  599. Analysis->SetUlong64(Bc->Args[2] ?
  600. DEBUG_FLR_WRITE_ADDRESS : DEBUG_FLR_READ_ADDRESS,
  601. Bc->Args[3]);
  602. }
  603. }
  606. DECL_GETINFO( FAT_FILE_SYSTEM ) // 0x23
  607. {
  608. ULONG64 ExR = 0, CxR = 0;
  609. ULONG64 KernAddrStart;
  612. KernAddrStart = BcTargetKernelAddressStart();
  614. if (Bc->Args[1] > KernAddrStart) {
  615. ExR = Bc->Args[1];
  616. }
  617. if (Bc->Args[2] > KernAddrStart) {
  618. CxR = Bc->Args[2];
  619. }
  621. if (ExR) {
  622. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_RECORD, ExR);
  623. }
  624. if (CxR) {
  625. Analysis->SetUlong64(DEBUG_FLR_CONTEXT, CxR);
  626. }
  627. }
  629. DECL_GETINFO( PANIC_STACK_SWITCH ) // 0x2b
  630. {
  631. Analysis->SetUlong64(DEBUG_FLR_TRAP_FRAME, Bc->Args[0]);
  632. }
  634. DECL_GETINFO( SYSTEM_SERVICE_EXCEPTION ) // 0x3b
  635. {
  636. Analysis->SetUlong64(DEBUG_FLR_CONTEXT, Bc->Args[2]);
  637. }
  639. DECL_GETINFO( MULTIPLE_IRP_COMPLETE_REQUESTS ) // 0x44
  640. {
  641. Analysis->SetUlong64(DEBUG_FLR_IRP_ADDRESS, Bc->Args[0]);
  642. }
  644. DECL_GETINFO( SESSION3_INITIALIZATION_FAILED ) // 0x6f
  645. {
  646. CHAR BugCheckStr[20];
  648. sprintf(BugCheckStr, "0x%lX_%lX", Bc->Code, Bc->Args[0]);
  649. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  650. }
  653. DECL_GETINFO( PROCESS_HAS_LOCKED_PAGES ) // 0x76
  654. {
  655. Analysis->SetUlong64(DEBUG_FLR_PROCESS_OBJECT, Bc->Args[1]);
  657. Analysis->SetString(DEBUG_FLR_DEFAULT_BUCKET_ID, "DRIVER_FAULT_0x76");
  659. #if 0
  660. Analysis->SetString(DEBUG_FLR_INTERNAL_SOLUTION_TEXT,
  661. "An unknown driver has left locked pages in the kernel"
  662. ".\nUsing the registry editor, set HKLM\\SYSTEM\\"
  663. "CurrentControlSet\\Control\\Session Manager\\"
  664. "Memory Management\\TrackLockedPages to a DWORD value"
  665. " of 1, and then reboot the machine.\n\n"
  666. "If the problem reproduces, the "
  667. "guilty driver will now be identifiable.\n");
  668. #endif
  669. }
  672. DECL_GETINFO( KERNEL_STACK_INPAGE_ERROR ) // 0x77
  673. {
  674. CHAR BugCheckStr[20];
  676. sprintf(BugCheckStr, "0x%lx_%lx", Bc->Code, Bc->Args[0]);
  677. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  678. Analysis->SetUlong(DEBUG_FLR_STATUS_CODE, (ULONG)Bc->Args[0]);
  680. switch ((ULONG) Bc->Args[0])
  681. {
  682. case 0xc000009c: // (STATUS_DEVICE_DATA_ERROR)
  683. case 0xC000016A: // (STATUS_DISK_OPERATION_FAILED)
  684. Analysis->SetUlong(DEBUG_FLR_DISK_HARDWARE_ERROR, 1);
  685. break;
  686. default:
  687. break;
  688. }
  689. }
  691. DECL_GETINFO( KERNEL_DATA_INPAGE_ERROR ) // 0x7A
  692. {
  693. CHAR BugCheckStr[20];
  695. sprintf(BugCheckStr, "0x%lx_%lx", Bc->Code, Bc->Args[1]);
  696. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  697. Analysis->SetUlong(DEBUG_FLR_STATUS_CODE, (ULONG) Bc->Args[1]);
  699. switch ( (ULONG) Bc->Args[1])
  700. {
  701. case 0xC000000E: case 0xC000009C:
  702. case 0xC000009D: case 0xC0000185:
  703. Analysis->SetUlong(DEBUG_FLR_DISK_HARDWARE_ERROR, 1);
  704. break;
  705. default:
  706. break;
  707. }
  709. }
  711. DECL_GETINFO( SYSTEM_THREAD_EXCEPTION_NOT_HANDLED ) // (7e)
  712. {
  713. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_CODE, Bc->Args[0]);
  714. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, Bc->Args[1]);
  715. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_PARAMETER1, Bc->Args[2]);
  716. Analysis->SetUlong64(DEBUG_FLR_CONTEXT, Bc->Args[3]);
  717. }
  719. DECL_GETINFO( BUGCODE_NDIS_DRIVER ) //0x7c
  720. {
  721. ULONG64 DriverAddr, DriverBase;
  723. DriverAddr = 0;
  725. g_ExtSymbols->Reload("ndis.sys");
  726. switch (Bc->Args[0])
  727. {
  728. case 1: case 2: case 3:
  729. case 5: case 6: case 7: case 8: case 9:
  730. // Args[1] - A pointer to Miniport block. !ndiskd.miniport on this pointer for more info.
  731. GetFieldValue(Bc->Args[1], "ndis!NDIS_MINIPORT_BLOCK", "SavedSendHandler", DriverAddr);
  732. if (!DriverAddr)
  733. {
  734. GetFieldValue(Bc->Args[1], "ndis!NDIS_MINIPORT_BLOCK", "SavedSendPacketsHandler", DriverAddr);
  735. }
  736. break;
  737. case 4:
  738. // Arg[1] - a pointer to ndis!NDIS_M_DRIVER_BLOCK
  740. GetFieldValue(Bc->Args[1], "ndis!NDIS_M_DRIVER_BLOCK", "MiniportCharacteristics.InitializeHandler", DriverAddr);
  741. break;
  742. default:
  743. break;
  744. }
  745. if (DriverAddr &&
  746. (g_ExtSymbols->GetModuleByOffset(DriverAddr, 0, NULL, &DriverBase) == S_OK))
  747. {
  748. if (DriverBase)
  749. {
  750. Analysis->SetUlong64(DEBUG_FLR_FAULTING_MODULE, DriverBase);
  751. }
  752. }
  754. return ;
  755. }
  758. DECL_GETINFO( UNEXPECTED_KERNEL_MODE_TRAP ) // (7f)
  759. // It would be good to have TSS or TRAP address as exception parameter
  760. {
  761. DEBUG_STACK_FRAME stk[MAX_STACK_FRAMES];
  762. ULONG frames, i;
  763. CHAR BugCheckStr[20];
  765. sprintf(BugCheckStr, "0x%lx_%lx", Bc->Code, Bc->Args[0]);
  766. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  768. if ((g_TargetMachine == IMAGE_FILE_MACHINE_I386) &&
  769. (g_ExtControl->GetStackTrace(0, 0, 0, stk, MAX_STACK_FRAMES,
  770. &frames ) == S_OK))
  771. {
  772. for (i=0; i<frames; ++i)
  773. {
  774. if (stk[i].FuncTableEntry)
  775. {
  776. PFPO_DATA FpoData = (PFPO_DATA)stk[i].FuncTableEntry;
  777. if (FpoData->cbFrame == FRAME_TSS)
  778. {
  779. Analysis->SetUlong64(DEBUG_FLR_TSS,
  780. (ULONG)stk[i].Reserved[1]);
  781. break;
  782. }
  783. // KiSystemService always has a trap frame - thats normal
  784. else if ( (FpoData->cbFrame == FRAME_TRAP) &&
  785. !FaIsFunctionAddr(stk[i].InstructionOffset,
  786. "KiSystemService"))
  787. {
  788. Analysis->SetUlong64(DEBUG_FLR_TRAP_FRAME,
  789. (ULONG)stk[i].Reserved[2]);
  790. break;
  791. }
  792. //if (FaIsFunctionAddr(stk[i].InstructionOffset, "KiTrap"))
  793. //{
  794. // TrapFrame = stk[i].FrameOffset;
  795. // break;
  796. //}
  797. }
  798. }
  799. }
  800. }
  803. DECL_GETINFO( KERNEL_MODE_EXCEPTION_NOT_HANDLED ) // (8e)
  804. {
  805. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_CODE, Bc->Args[0]);
  806. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, Bc->Args[1]);
  807. Analysis->SetUlong64(DEBUG_FLR_TRAP_FRAME, Bc->Args[2]);
  808. }
  810. DECL_GETINFO( MACHINE_CHECK_EXCEPTION ) // 0x9C
  811. {
  812. DEBUG_PROCESSOR_IDENTIFICATION_ALL IdAll;
  813. CHAR BugCheckStr[4+5+17+3]; // space for vendor string, etc.
  814. PROCESSORINFO ProcInfo;
  815. ULONG64 Prcb;
  816. PCHAR Architecture;
  817. PCHAR Vendor;
  818. ULONG Processor;
  819. HRESULT Hr;
  821. if (!Ioctl(IG_KD_CONTEXT, &ProcInfo, sizeof(ProcInfo)))
  822. {
  823. return;
  824. }
  826. Processor = ProcInfo.Processor;
  828. //
  829. // Make sure we can find the PRCB before we ask for identification
  830. // information that would've been acquired from the PRCB.
  831. //
  833. Hr = g_ExtData->ReadProcessorSystemData(Processor,
  834. DEBUG_DATA_KPRCB_OFFSET,
  835. &Prcb,
  836. sizeof(Prcb),
  837. NULL);
  838. if (Hr != S_OK)
  839. {
  840. return;
  841. }
  843. Hr = g_ExtData->ReadProcessorSystemData(Processor,
  844. DEBUG_DATA_PROCESSOR_IDENTIFICATION,
  845. &IdAll,
  846. sizeof(IdAll),
  847. NULL);
  848. if (Hr != S_OK)
  849. {
  850. return;
  851. }
  853. switch (g_TargetMachine) {
  854. case IMAGE_FILE_MACHINE_I386:
  855. Architecture = "IA32";
  856. Vendor = IdAll.X86.VendorString;
  857. break;
  858. case IMAGE_FILE_MACHINE_IA64:
  859. Architecture = "IA64";
  860. Vendor = IdAll.Ia64.VendorString;
  861. break;
  862. case IMAGE_FILE_MACHINE_AMD64:
  863. Architecture = "AMD64";
  864. Vendor = IdAll.Amd64.VendorString;
  865. break;
  866. default:
  867. // use the standard bugcheck string
  868. return;
  869. }
  870. sprintf(BugCheckStr, "0x%lX_%s_%s", Bc->Code, Architecture, Vendor);
  871. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  872. }
  874. DECL_GETINFO( USER_MODE_HEALTH_MONITOR ) // 0x9E
  875. {
  876. if (Bc->Args[0])
  877. {
  878. ULONG result;
  879. CHAR ImageName[MAX_PATH];
  881. Analysis->SetUlong64(DEBUG_FLR_PROCESS_OBJECT, Bc->Args[0]);
  883. //
  884. // Second parameter (which is actually a string within the EPROCESS)
  885. // is the name of the image.
  886. //
  887. if (ReadMemory(Bc->Args[2], ImageName, sizeof(ImageName), &result) &&
  888. result)
  889. {
  890. ImageName[MAX_PATH-1]=0;
  891. ImageName[result]=0;
  892. SaveImageName(Analysis, ImageName);
  893. }
  894. }
  895. }
  897. DECL_GETINFO( DRIVER_POWER_STATE_FAILURE ) // 0x9F
  898. {
  899. ULONG64 DevObj = Bc->Args[2];
  900. ULONG64 DrvObj = Bc->Args[3];
  901. ULONG SubCode = (ULONG) Bc->Args[0];
  903. if (SubCode)
  904. {
  905. Analysis->SetUlong64(DEBUG_FLR_DRVPOWERSTATE_SUBCODE, SubCode);
  906. }
  908. if (DrvObj)
  909. {
  910. Analysis->SetUlong64(DEBUG_FLR_DRIVER_OBJECT, DrvObj);
  911. BcGetDriverNameFromIrp(Analysis, 0, 0, DrvObj);
  912. }
  914. if (DevObj)
  915. {
  916. Analysis->SetUlong64(DEBUG_FLR_DEVICE_OBJECT, DevObj);
  917. if (!DrvObj)
  918. {
  919. BcGetDriverNameFromIrp(Analysis, 0, DevObj, 0);
  920. }
  921. }
  922. }
  924. DECL_GETINFO( ACPI_BIOS_ERROR ) // 0xa5
  925. {
  926. switch (Bc->Args[0])
  927. {
  928. case 0x03 :
  929. Analysis->SetUlong64(DEBUG_FLR_ACPI_OBJECT, Bc->Args[1]);
  930. break;
  932. case 0x04 :
  933. case 0x05 :
  934. case 0x06 :
  935. case 0x07 :
  936. case 0x08 :
  937. case 0x09 :
  938. case 0x0A :
  939. case 0x0C :
  940. Analysis->SetUlong64(DEBUG_FLR_ACPI_OBJECT, Bc->Args[2]);
  941. // fallthrough
  943. case 0x01 :
  944. case 0x02 :
  945. case 0x0B :
  946. case 0x0D :
  947. case 0x10 :
  948. Analysis->SetUlong64(DEBUG_FLR_ACPI_EXTENSION, Bc->Args[1]);
  949. break;
  951. case 0x11 :
  952. if (Bc->Args[1] == 6)
  953. {
  954. // The machine fail to transition into ACPI mode
  955. CHAR BugCheckStr[40];
  957. sprintf(BugCheckStr, "0x%lx_FAILED_ACPI_TRANSITION", Bc->Code);
  958. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  959. }
  960. break;
  961. case 0x10001 :
  962. case 0x10002 :
  963. case 0x10003 :
  964. Analysis->SetUlong64(DEBUG_FLR_DEVICE_OBJECT, Bc->Args[1]);
  965. Analysis->SetUlong64(DEBUG_FLR_ACPI_OBJECT, Bc->Args[3]);
  966. break;
  968. case 0x10005 :
  969. case 0x10006 :
  970. Analysis->SetUlong64(DEBUG_FLR_ACPI_OBJECT, Bc->Args[1]);
  971. break;
  973. default:
  974. break;
  975. }
  976. }
  979. DECL_GETINFO( SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION ) // (c1)
  980. {
  981. Analysis->SetUlong(DEBUG_FLR_ANALYZAABLE_POOL_CORRUPTION, 1);
  982. Analysis->SetUlong64(DEBUG_FLR_SPECIAL_POOL_CORRUPTION_TYPE, Bc->Args[3]);
  983. }
  986. DECL_GETINFO( BAD_POOL_CALLER ) // 0xC2
  987. {
  988. DEBUG_POOL_DATA PoolData = {0};
  989. CHAR BugcheckStr[20] = {0};
  991. sprintf(BugcheckStr, "0x%lx_%lx", BAD_POOL_CALLER, (ULONG) Bc->Args[0]);
  992. if (Bc->Args[0] == 7)
  993. {
  994. // Double free
  995. if (!(Bc->Args[3] & 0x7))
  996. {
  997. // likely to be a valid address
  999. Analysis->SetUlong(DEBUG_FLR_ANALYZAABLE_POOL_CORRUPTION, 1);
  1001. PoolData.SizeofStruct = sizeof(DEBUG_POOL_DATA);
  1003. if (ExtGetPoolData(Bc->Args[3], &PoolData) == S_OK)
  1004. {
  1005. if (isprint(PoolData.PoolTag & 0xff) &&
  1006. isprint((PoolData.PoolTag >> 8) & 0xff))
  1007. {
  1008. CHAR PoolTag[8] = {0};
  1009. sprintf(PoolTag,"%c%c%c%c",
  1010. #define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
  1011. PP(PoolData.PoolTag),
  1012. PP(PoolData.PoolTag >> 8),
  1013. PP(PoolData.PoolTag >> 16),
  1014. PP((PoolData.PoolTag&~0x80000000) >> 24)
  1015. #undef PP
  1016. );
  1017. // seems like a valid pooltag
  1018. Analysis->SetString(DEBUG_FLR_FREED_POOL_TAG, PoolTag);
  1019. CatString(BugcheckStr, "_", sizeof(BugcheckStr));
  1020. CatString(BugcheckStr, PoolTag, sizeof(BugcheckStr));
  1021. }
  1022. }
  1024. }
  1025. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugcheckStr);
  1026. }
  1027. else if ((Bc->Args[0] >= 0x40) && (Bc->Args[0] < 0x60))
  1028. {
  1029. if (Bc->Args[1] == 0)
  1030. {
  1031. Analysis->SetUlong(DEBUG_FLR_ANALYZAABLE_POOL_CORRUPTION, 1);
  1032. }
  1033. } else
  1034. {
  1035. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugcheckStr);
  1036. }
  1038. }
  1041. DECL_GETINFO( DRIVER_VERIFIER_DETECTED_VIOLATION ) // 0xC4
  1042. /*
  1043. * Parameters
  1044. *
  1045. * Parameter 1 subclass of violation
  1046. * Parameter 2, 3, 4 vary depending on parameter 1
  1047. *
  1048. */
  1049. {
  1050. ULONG64 BadDriverAddr;
  1051. ULONG64 DriverNameAddr;
  1052. ULONG res;
  1053. ULONG ParamCount = 0;
  1055. CHAR BugCheckStr[20];
  1057. sprintf(BugCheckStr, "0x%lx_%lx", Bc->Code, Bc->Args[0]);
  1058. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  1061. Analysis->SetUlong(DEBUG_FLR_ANALYZAABLE_POOL_CORRUPTION, 1);
  1063. if ((BadDriverAddr = GetExpression("nt!ViBadDriver")) &&
  1064. ReadPointer(BadDriverAddr, &DriverNameAddr))
  1065. {
  1066. AddBugcheckDriver(Analysis, TRUE, TRUE, DriverNameAddr);
  1067. }
  1069. switch (Bc->Args[0])
  1070. {
  1071. case 0x00 : // caller is trying to allocate zero bytes
  1072. case 0x01 : // caller is trying to allocate paged pool at DISPATCH_LEVEL or above
  1073. case 0x02 : // caller is trying to allocate nonpaged pool at an IRQL above DISPATCH_LEVEL
  1074. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1075. // 3 - pool type
  1076. // 4 - number of bytes
  1077. break;
  1078. case 0x03 : // caller is trying to allocate more than one page of mustsucceed pool, but one page is the maximum allowed by this API.
  1079. break;
  1081. case 0x10 : // caller is freeing a bad pool address
  1082. Analysis->SetUlong64(DEBUG_FLR_POOL_ADDRESS, Bc->Args[1]); // bad pool address
  1083. break;
  1085. case 0x11 : // caller is trying to free paged pool at DISPATCH_LEVEL or above
  1086. case 0x12 : // caller is trying to free nonpaged pool at an IRQL above DISPATCH_LEVEL
  1087. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1088. Analysis->SetUlong64(DEBUG_FLR_POOL_ADDRESS, Bc->Args[3]);
  1089. // 3 - pool type
  1090. break;
  1092. case 0x13 : // the pool the caller is trying to free is already free.
  1093. case 0x14 : // the pool the caller is trying to free is already free.
  1094. // 2 - line number
  1095. // 3 - pool header
  1096. // 4 - pool header contents
  1097. Analysis->SetUlong64(DEBUG_FLR_POOL_ADDRESS, Bc->Args[3]);
  1098. break;
  1100. case 0x15 : // the pool the caller is trying to free contains an active timer.
  1101. // 2 - timer entry
  1102. // 3 - pool type
  1103. // 4 - pool address being freed
  1104. Analysis->SetUlong64(DEBUG_FLR_POOL_ADDRESS, Bc->Args[3]);
  1105. break;
  1107. case 0x16 : // the pool the caller is trying to free is a bad address.
  1108. Analysis->SetUlong64(DEBUG_FLR_POOL_ADDRESS, Bc->Args[2]);
  1109. break;
  1110. // 2 - line number
  1112. case 0x17 : // the pool the caller is trying to free contains an active ERESOURCE.
  1113. // 2 - resource entry
  1114. // 3 - pool type
  1115. Analysis->SetUlong64(DEBUG_FLR_POOL_ADDRESS, Bc->Args[3]);
  1116. break;
  1118. case 0x30 : // raising IRQL to an invalid level,
  1119. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1120. Analysis->SetUlong64(DEBUG_FLR_REQUESTED_IRQL, Bc->Args[2]);
  1121. break;
  1123. case 0x31 : // lowering IRQL to an invalid level,
  1124. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1125. Analysis->SetUlong64(DEBUG_FLR_REQUESTED_IRQL, Bc->Args[2]);
  1126. // 4 - 0 means the new IRQL is bad, 1 means the IRQL is invalid inside a DPC routine
  1127. break;
  1129. case 0x32 : // releasing a spinlock when not at DISPATCH_LEVEL.
  1130. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1131. // 3 - spinlock address
  1132. break;
  1134. case 0x33 : // acquiring a fast mutex when not at APC_LEVEL or below.
  1135. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1136. break;
  1137. // 3 - fast mutex address
  1139. case 0x34 : // releasing a fast mutex when not at APC_LEVEL.
  1140. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1141. break;
  1142. // 3 - thread APC disable count, 4 == fast mutex address
  1144. case 0x35 : // kernel is releasing a spinlock when not at DISPATCH_LEVEL.
  1145. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1146. Analysis->SetUlong64(DEBUG_FLR_PREVIOUS_IRQL, Bc->Args[3]);
  1147. break;
  1148. // 3 - spinlock address, 4 == old irql.
  1150. case 0x36 : // kernel is releasing a queued spinlock when not at DISPATCH_LEVEL.
  1151. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1152. Analysis->SetUlong64(DEBUG_FLR_PREVIOUS_IRQL, Bc->Args[3]);
  1153. break;
  1154. // 3 - spinlock number,
  1156. case 0x37 : // a resource is being acquired but APCs are not disabled.
  1157. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1158. break;
  1159. // 3 - thread APC disable count,
  1160. // 4 - resource.
  1162. case 0x38 : // a resource is being released but APCs are not disabled.
  1163. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1164. break;
  1165. // 3 - thread APC disable count,
  1166. // 4 - resource.
  1168. case 0x39 : // a mutex is being acquired unsafe, but irql is not APC_LEVEL on entry.
  1169. case 0x3A : // a mutex is being released unsafe, but irql is not APC_LEVEL on entry.
  1170. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1171. break;
  1172. // 3 - thread APC disable count,
  1173. // 4 - mutex.
  1175. case 0x3B : // KeWaitXxx routine is being called at DISPATCH_LEVEL or higher.
  1176. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1177. break;
  1178. // 3 - object to wait on,
  1179. // 4 - time out parameter.
  1181. case 0x3E : // KeLeaveCriticalRegion is being called for a thread that never entered a critical region.
  1182. // Current stack analysis will give followup
  1183. break;
  1185. case 0x40 : // acquiring a spinlock when not at DISPATCH_LEVEL.
  1186. case 0x41 : // releasing a spinlock when not at DISPATCH_LEVEL.
  1187. case 0x42 : // acquiring a spinlock when caller is already above DISPATCH_LEVEL.
  1188. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1189. break;
  1190. // 3 - spinlock address
  1192. case 0x51 : // freeing memory where the caller has written past the end of the allocation overwriting our stored bytecount.
  1193. case 0x52 : // freeing memory where the caller has written past the end of the allocation overwriting our stored virtual address.
  1194. case 0x53 : // freeing memory where the caller has written past the end of the allocation overwriting our stored virtual address.
  1195. case 0x54 : // freeing memory where the caller has written past the end of the allocation overwriting our stored virtual address.
  1196. case 0x59 : // freeing memory where the caller has written past the end of the allocation overwriting our stored virtual address.
  1197. Analysis->SetUlong64(DEBUG_FLR_WRITE_ADDRESS, Bc->Args[1]);
  1198. break;
  1200. case 0x60 : // A driver has forgotten to free its pool allocations prior to unloading.
  1201. case 0x61 : // A driver is unloading and allocating memory (in another thread) at the same time.
  1202. // In both cases ViBadDriver should be set.
  1203. break;
  1205. case 0x70 : // MmProbeAndLockPages called when not at DISPATCH_LEVEL or below.
  1206. case 0x71 : // MmProbeAndLockProcessPages called when not at DISPATCH_LEVEL or below.
  1207. case 0x72 : // MmProbeAndLockSelectedPages called when not at DISPATCH_LEVEL or below.
  1208. case 0x73 : // MmMapIoSpace called when not at DISPATCH_LEVEL or below.
  1209. case 0x74 : // MmMapLockedPages called when not at DISPATCH_LEVEL or below.
  1210. case 0x75 : // MmMapLockedPages called when not at APC_LEVEL or below.
  1211. case 0x76 : // MmMapLockedPagesSpecifyCache called when not at DISPATCH_LEVEL or below.
  1212. case 0x77 : // MmMapLockedPagesSpecifyCache called when not at APC_LEVEL or below.
  1213. case 0x78 : // MmUnlockPages called when not at DISPATCH_LEVEL or below.
  1214. case 0x79 : // MmUnmapLockedPages called when not at DISPATCH_LEVEL or below.
  1215. case 0x7A : // MmUnmapLockedPages called when not at APC_LEVEL or below.
  1216. case 0x7B : // MmUnmapIoSpace called when not at APC_LEVEL or below.
  1217. case 0x7C : // MmUnlockPages called with an MDL whose pages were never successfully locked.
  1218. case 0x7D : // MmUnlockPages called with an MDL whose pages are from nonpaged pool - these should never be unlocked.
  1219. case 0x80 : // KeSetEvent called when not at DISPATCH_LEVEL or below.
  1220. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1221. break;
  1223. case 0x81 : // MmMapLockedPages called without MDL_MAPPING_CAN_FAIL
  1224. break;
  1226. }
  1227. }
  1230. DECL_GETINFO( DRIVER_CAUGHT_MODIFYING_FREED_POOL ) // (c6)
  1231. /*
  1232. An attempt was made to access freed pool memory. The faulty component is
  1233. displayed in the current kernel stack.
  1234. Arguments:
  1235. Arg1: memory referenced
  1236. Arg2: value 0 = read operation, 1 = write operation
  1237. Arg3: previous mode.
  1238. Arg4: 4.
  1239. */
  1240. {
  1241. DEBUG_POOL_DATA PoolData;
  1243. Analysis->SetUlong64(Bc->Args[1] ?
  1244. DEBUG_FLR_WRITE_ADDRESS : DEBUG_FLR_READ_ADDRESS,
  1245. Bc->Args[0]);
  1246. Analysis->SetUlong64(DEBUG_FLR_PREVIOUS_MODE, Bc->Args[2]);
  1247. }
  1249. DECL_GETINFO( TIMER_OR_DPC_INVALID ) // (c7)
  1250. /*
  1251. *
  1252. * This is issued if a kernel timer or DPC is found somewhere in
  1253. * memory where it is not permitted.
  1254. *
  1255. * Bugcheck Parameters
  1256. *
  1257. * Parameter 1 0: Timer object 1: DPC object 2: DPC routine
  1258. * Parameter 2 Address of object
  1259. * Parameter 3 Beginning of memory range checked
  1260. * Parameter 4 End of memory range checked
  1261. *
  1262. * This condition is usually caused by a driver failing to cancel a
  1263. * timer or DPC before freeing the memory where it resides.
  1264. */
  1265. {
  1267. ULONG PtrSize = IsPtr64() ? 8 : 4;
  1268. ULONG64 ObjAddress;
  1269. CHAR Buffer[MAX_PATH];
  1270. ULONG64 Disp;
  1272. ObjAddress = Bc->Args[1];
  1274. switch (Bc->Args[0]) {
  1275. case 0: //Timer object
  1276. ULONG DpcOffsetInTimer;
  1277. if (GetFieldOffset("nt!_KTIMER", "Dpc", &DpcOffsetInTimer))
  1278. {
  1279. // we don't have types
  1280. DpcOffsetInTimer = 0x10 + PtrSize*4;
  1281. }
  1282. if (!ReadPointer(ObjAddress + DpcOffsetInTimer, &ObjAddress))
  1283. {
  1284. // fail
  1285. break;
  1286. }
  1287. // Fall thru
  1288. case 1:
  1289. ULONG DeferredRoutinOffsetInKDPC;
  1290. if (GetFieldOffset("nt!_KDPC", "DeferredRoutine", &DeferredRoutinOffsetInKDPC))
  1291. {
  1292. DeferredRoutinOffsetInKDPC = 4 + PtrSize*2;
  1293. }
  1294. if (!ReadPointer(ObjAddress + DeferredRoutinOffsetInKDPC, &ObjAddress))
  1295. {
  1296. // fail
  1297. break;
  1298. }
  1299. // Fall thru
  1300. case 2:
  1302. if (FaGetSymbol(ObjAddress, Buffer, &Disp, sizeof(Buffer)))
  1303. {
  1304. Analysis->SetUlong64(DEBUG_FLR_INVALID_DPC_FOUND, ObjAddress);
  1305. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, ObjAddress);
  1306. }
  1307. break;
  1308. }
  1309. }
  1312. DECL_GETINFO( DRIVER_VERIFIER_IOMANAGER_VIOLATION ) // (c9)
  1313. {
  1314. ULONG64 DeviceObject = 0;
  1316. Analysis->SetUlong64(DEBUG_FLR_DRIVER_VERIFIER_IO_VIOLATION_TYPE,
  1317. Bc->Args[0]);
  1319. switch (Bc->Args[0])
  1320. {
  1321. case 0x1:
  1322. // "Invalid IRP passed to IoFreeIrp";
  1323. case 0x2:
  1324. // "IRP still associated with a thread at IoFreeIrp";
  1325. case 0x3:
  1326. // "Invalid IRP passed to IoCallDriver";
  1327. Analysis->SetUlong64(DEBUG_FLR_IRP_ADDRESS, Bc->Args[1]);
  1328. break;
  1330. case 0x4:
  1331. // "Invalid Device object passed to IoCallDriver";
  1332. DeviceObject = Bc->Args[1];
  1333. break;
  1335. case 0x5:
  1336. // "Irql not equal across call to the driver dispatch routine"
  1337. DeviceObject = Bc->Args[1];
  1338. Analysis->SetUlong64(DEBUG_FLR_PREVIOUS_IRQL, Bc->Args[2]);
  1339. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[3]);
  1340. break;
  1342. case 0x6:
  1343. // "IRP passed to IoCompleteRequest contains invalid status"
  1344. // Param 1 = "the status";
  1345. Analysis->SetUlong64(DEBUG_FLR_IRP_ADDRESS, Bc->Args[2]);
  1346. break;
  1348. case 0x7:
  1349. // "IRP passed to IoCompleteRequest still has cancel routine"
  1350. Analysis->SetUlong64(DEBUG_FLR_IRP_CANCEL_ROUTINE, Bc->Args[1]);
  1351. Analysis->SetUlong64(DEBUG_FLR_IRP_ADDRESS, Bc->Args[2]);
  1352. break;
  1354. case 0x8:
  1355. // "Call to IoBuildAsynchronousFsdRequest threw an exce
  1356. DeviceObject = Bc->Args[1];
  1357. Analysis->SetUlong64(DEBUG_FLR_IRP_MAJOR_FN, Bc->Args[2]);
  1358. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_CODE, Bc->Args[3]);
  1359. break;
  1361. case 0x9:
  1362. // "Call to IoBuildDeviceIoControlRequest threw an exce
  1363. DeviceObject = Bc->Args[1];
  1364. Analysis->SetUlong64(DEBUG_FLR_IOCONTROL_CODE, Bc->Args[2]);
  1365. Analysis->SetUlong64(DEBUG_FLR_EXCEPTION_CODE, Bc->Args[3]);
  1366. break;
  1368. case 0x10:
  1369. // "Reinitialization of Device object timer";
  1370. DeviceObject = Bc->Args[1];
  1371. break;
  1373. case 0x12:
  1374. // "Invalid IOSB in IRP at APC IopCompleteRequest (appe
  1375. Analysis->SetUlong64(DEBUG_FLR_IOSB_ADDRESS, Bc->Args[1]);
  1376. break;
  1378. case 0x13:
  1379. // "Invalid UserEvent in IRP at APC IopCompleteRequest
  1380. Analysis->SetUlong64(DEBUG_FLR_INVALID_USEREVENT, Bc->Args[1]);
  1381. break;
  1383. case 0x14:
  1384. // "Irql > DPC at IoCompleteRequest";
  1385. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1386. Analysis->SetUlong64(DEBUG_FLR_IRP_ADDRESS, Bc->Args[2]);
  1387. break;
  1389. }
  1391. if (DeviceObject)
  1392. {
  1393. Analysis->SetUlong64(DEBUG_FLR_DEVICE_OBJECT, DeviceObject);
  1394. BcGetDriverNameFromIrp(Analysis, 0, DeviceObject, 0);
  1395. }
  1398. }
  1400. DECL_GETINFO( PNP_DETECTED_FATAL_ERROR ) // 0xca
  1401. {
  1402. CHAR BugCheckStr[20];
  1403. ULONG64 DeviceObject;
  1405. sprintf(BugCheckStr, "0x%lX_%lX", Bc->Code, Bc->Args[0]);
  1406. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  1407. DeviceObject = Bc->Args[1];
  1409. if (DeviceObject)
  1410. {
  1411. Analysis->SetUlong64(DEBUG_FLR_DEVICE_OBJECT, DeviceObject);
  1412. BcGetDriverNameFromIrp(Analysis, 0, DeviceObject, 0);
  1413. }
  1415. }
  1417. DECL_GETINFO( DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS ) // 0xcb
  1418. {
  1419. Analysis->SetUlong64(DEBUG_FLR_FAULTING_MODULE, Bc->Args[0]);
  1420. }
  1422. DECL_GETINFO( DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS ) //0xce
  1423. {
  1424. Analysis->SetUlong64(Bc->Args[1] ?
  1425. DEBUG_FLR_WRITE_ADDRESS : DEBUG_FLR_READ_ADDRESS,
  1426. Bc->Args[0]);
  1427. if (Bc->Args[2]) {
  1428. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, Bc->Args[2]);
  1429. }
  1430. }
  1432. DECL_GETINFO( DRIVER_CORRUPTED_MMPOOL ) // 0xd0
  1433. {
  1434. Analysis->SetUlong64(Bc->Args[2] ?
  1435. DEBUG_FLR_WRITE_ADDRESS : DEBUG_FLR_READ_ADDRESS,
  1436. Bc->Args[0]);
  1437. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Bc->Args[1]);
  1438. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, Bc->Args[3]);
  1440. }
  1443. //DUPINFOCASE( PAGE_FAULT_IN_FREED_SPECIAL_POOL ); // 0xCC
  1444. //DUPINFOCASE( PAGE_FAULT_BEYOND_END_OF_ALLOCATION ); // 0xCD
  1445. //DUPINFOCASE( TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE ); // 0xCF
  1446. //DUPINFOCASE( PAGE_FAULT_IN_NONPAGED_AREA ) // 0x50
  1447. //DUPINFOCASE( DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION ) // 0xD6
  1448. DECL_GETINFO( DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL ) // 0xD5
  1449. /*
  1450. * Parameters
  1451. *
  1452. * Parameter 1 Memory referenced
  1453. * Parameter 2 0: Read 1: Write
  1454. * Parameter 3 Address that referenced memory (if known)
  1455. * Parameter 4 Reserved
  1456. *
  1457. */
  1458. {
  1459. CHAR BugCheckStr[30];
  1461. Analysis->SetUlong64(Bc->Args[1] ?
  1462. DEBUG_FLR_WRITE_ADDRESS : DEBUG_FLR_READ_ADDRESS,
  1463. Bc->Args[0]);
  1464. if (Bc->Args[2]) {
  1465. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, Bc->Args[2]);
  1466. }
  1467. Analysis->SetUlong64(DEBUG_FLR_MM_INTERNAL_CODE, Bc->Args[3]);
  1469. if (Bc->Args[0] == Bc->Args[2] &&
  1470. Bc->Args[1] == 0)
  1471. {
  1472. Analysis->SetString(DEBUG_FLR_BUGCHECK_SPECIFIER, "_CODE_AV");
  1473. }
  1474. AddBugcheckDriver(Analysis, TRUE, TRUE, 0);
  1475. }
  1478. DECL_GETINFO( MANUALLY_INITIATED_CRASH ) //0xE2, 0xDEADDEAD
  1479. {
  1480. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, "MANUALLY_INITIATED_CRASH");
  1481. }
  1483. DECL_GETINFO( THREAD_STUCK_IN_DEVICE_DRIVER ) // 0xEA
  1484. /*
  1485. * PARAMETERS:
  1486. *
  1487. * 1 - Pointer to a stuck thread object. Do .thread then kb on it to
  1488. * find hung location.
  1489. *
  1490. * 2 - Pointer to a DEFERRED_WATCHDOG object.
  1491. *
  1492. * 3 - Pointer to offending driver name.
  1493. *
  1494. * 4 - Number of times "intercepted" bugcheck 0xEA was hit (see notes).
  1495. */
  1496. {
  1497. Analysis->SetUlong64(DEBUG_FLR_FOLLOWUP_DRIVER_ONLY, 0);
  1498. Analysis->SetUlong64(DEBUG_FLR_FAULTING_THREAD, Bc->Args[0]);
  1500. Analysis->SetString(DEBUG_FLR_DEFAULT_BUCKET_ID, "GRAPHICS_DRIVER_FAULT");
  1501. }
  1503. DECL_GETINFO( CRITICAL_PROCESS_DIED ) // (0xef)
  1504. {
  1505. Analysis->SetUlong64(DEBUG_FLR_PROCESS_OBJECT, Bc->Args[0]);
  1506. }
  1508. DECL_GETINFO( CRITICAL_OBJECT_TERMINATION ) // (0xf4)
  1509. {
  1510. if (Bc->Args[0] == 3)
  1511. {
  1512. ULONG result;
  1513. CHAR ImageName[MAX_PATH];
  1515. Analysis->SetUlong64(DEBUG_FLR_PROCESS_OBJECT, Bc->Args[1]);
  1517. //
  1518. // Second parameter (which is actually a string within the EPROCESS)
  1519. // is the name of the image.
  1520. //
  1521. if (ReadMemory(Bc->Args[2], ImageName, sizeof(ImageName), &result) &&
  1522. result)
  1523. {
  1524. ImageName[MAX_PATH-1]=0;
  1525. ImageName[result]=0;
  1526. SaveImageName(Analysis, ImageName);
  1527. }
  1528. }
  1529. }
  1532. DECL_GETINFO( WINLOGON_FATAL_ERROR ) //(c000021a)
  1533. {
  1534. CHAR BugCheckStr[20];
  1536. sprintf(BugCheckStr, "0x%lx_%lx", Bc->Code, Bc->Args[1]);
  1537. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  1538. }
  1540. DECL_GETINFO( STATUS_DRIVER_UNABLE_TO_LOAD ) //0xc0000xxx
  1541. {
  1542. if (Bc->Args[0])
  1543. {
  1544. AddBugcheckDriver(Analysis, FALSE, FALSE, Bc->Args[0]);
  1545. }
  1546. }
  1548. DECL_GETINFO( ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY ) // (0xFC)
  1549. {
  1550. if (Bc->Args[0])
  1551. {
  1552. Analysis->SetUlong64(DEBUG_FLR_FAULTING_IP, Bc->Args[0]);
  1553. }
  1554. // Add bugcheck driver from KiBugCheckDriver
  1555. AddBugcheckDriver(Analysis, TRUE, TRUE, 0);
  1556. }
  1558. DECL_GETINFO( UNMOUNTABLE_BOOT_VOLUME ) // 0xED
  1559. {
  1560. CHAR BugCheckStr[20];
  1562. sprintf(BugCheckStr, "0x%lx_%lx", Bc->Code, (ULONG) Bc->Args[1]);
  1563. Analysis->SetUlong(DEBUG_FLR_STATUS_CODE, (ULONG) Bc->Args[1]);
  1564. switch ((ULONG) Bc->Args[1])
  1565. {
  1566. case 0xC0000006:
  1567. Analysis->SetUlong(DEBUG_FLR_SHOW_ERRORLOG, 1);
  1568. break;
  1569. default:
  1570. break;
  1571. }
  1572. }
  1574. #define GETINFOCASE(bcname) \
  1575. case bcname : \
  1576. GetInfoFor##bcname (Bc, Analysis); \
  1577. break;
  1578. #define DUPINFOCASE(bcname) \
  1579. case bcname:
  1581. void
  1582. BcFillAnalysis(
  1583. PBUGCHECK_ANALYSIS Bc,
  1584. KernelDebugFailureAnalysis* Analysis
  1585. )
  1586. {
  1587. Analysis->SetFailureClass(DEBUG_CLASS_KERNEL);
  1589. HRESULT Status = Analysis->CheckModuleSymbols("nt", "Kernel");
  1590. if (Status != S_OK)
  1591. {
  1592. goto SkipBucheckSpecificProcessing;
  1593. }
  1595. //
  1596. // BBT Breaks the stack trace for builds > 2201
  1597. // Hack the return address for better results
  1598. // A new of routines are at the wrong addresses.
  1599. //
  1600. if ((g_TargetMachine == IMAGE_FILE_MACHINE_I386) &&
  1601. (g_TargetBuild > 2500) && (g_TargetBuild < 2507))
  1602. {
  1603. DEBUG_STACK_FRAME Stk[MAX_STACK_FRAMES];
  1604. ULONG Frames = 0;
  1606. if (S_OK == g_ExtControl->GetStackTrace(0, 0, 0, Stk, MAX_STACK_FRAMES,
  1607. &Frames) &&
  1608. FaIsFunctionAddr(Stk[0].InstructionOffset, "KeBugCheckEx"))
  1609. {
  1610. ULONG CallIP = (ULONG) Stk[1].InstructionOffset - 5, Res;
  1611. UCHAR Instr;
  1613. // Move the caller's IP back to the actual KeBugCheckEx
  1614. // call. Only do this if we haven't already backed up
  1615. // to a call instruction.
  1616. if (!ReadMemory(Stk[1].InstructionOffset, &Instr, sizeof(Instr),
  1617. &Res) ||
  1618. Res != sizeof(Instr) ||
  1619. Instr != 0xe8)
  1620. {
  1621. WriteMemory(Stk[0].FrameOffset + 4, &CallIP, sizeof(CallIP),
  1622. &Res);
  1623. g_ExtControl->GetStackTrace(0, 0, 0, Stk, MAX_STACK_FRAMES,
  1624. &Frames);
  1625. }
  1626. }
  1627. }
  1629. //
  1630. // Special value that is set by the kernel debugger so we can detect when
  1631. // people are messing with physical address via the kernel debugger.
  1632. //
  1634. ULONG64 MmPoisonedTbAddr;
  1635. MmPoisonedTbAddr = GetExpression("nt!MmPoisonedTb");
  1637. if (MmPoisonedTbAddr)
  1638. {
  1639. ULONG cb;
  1640. ULONG MmPoisonedTb = 0;
  1642. if (ReadMemory(MmPoisonedTbAddr, &MmPoisonedTb, sizeof(ULONG), &cb) &&
  1643. (MmPoisonedTb != 0))
  1644. {
  1645. Analysis->SetUlong64(DEBUG_FLR_POISONED_TB, 0);
  1646. }
  1647. }
  1649. SkipBucheckSpecificProcessing:
  1652. Analysis->SetFailureType(DEBUG_FLR_KERNEL);
  1654. switch (Bc->Code)
  1655. {
  1656. case 0:
  1657. ULONG c_ip;
  1658. //
  1659. // This can be a user mode failurein kd. Try to determine that.
  1660. //
  1662. if ( (GetExpression("@$ip") < BcTargetKernelAddressStart()) &&
  1663. (GetExpression("@$sp") < BcTargetKernelAddressStart()) )
  1664. {
  1665. Analysis->SetFailureType(DEBUG_FLR_USER_CRASH);
  1666. g_ExtControl->Execute(DEBUG_OUTCTL_IGNORE, ".reload /user",
  1667. DEBUG_EXECUTE_NOT_LOGGED);
  1668. }
  1670. break;
  1672. GETINFOCASE( DRIVER_CAUGHT_MODIFYING_FREED_POOL );
  1674. DUPINFOCASE( PAGE_FAULT_IN_FREED_SPECIAL_POOL );
  1675. DUPINFOCASE( PAGE_FAULT_BEYOND_END_OF_ALLOCATION );
  1676. DUPINFOCASE( TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE );
  1677. DUPINFOCASE( PAGE_FAULT_IN_NONPAGED_AREA );
  1678. DUPINFOCASE( DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION );
  1679. GETINFOCASE( DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL );
  1681. GETINFOCASE( DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS );
  1683. GETINFOCASE( DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS );
  1685. GETINFOCASE( DRIVER_VERIFIER_IOMANAGER_VIOLATION );
  1687. DUPINFOCASE( DRIVER_IRQL_NOT_LESS_OR_EQUAL );
  1688. GETINFOCASE( IRQL_NOT_LESS_OR_EQUAL );
  1690. GETINFOCASE( PANIC_STACK_SWITCH );
  1692. GETINFOCASE( KMODE_EXCEPTION_NOT_HANDLED );
  1694. GETINFOCASE( SYSTEM_SERVICE_EXCEPTION );
  1696. GETINFOCASE( ACPI_BIOS_ERROR );
  1698. GETINFOCASE( USER_MODE_HEALTH_MONITOR );
  1700. GETINFOCASE( MEMORY_MANAGEMENT );
  1702. DUPINFOCASE( KERNEL_MODE_EXCEPTION_NOT_HANDLED_M );
  1703. GETINFOCASE( KERNEL_MODE_EXCEPTION_NOT_HANDLED );
  1705. DUPINFOCASE( SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M );
  1706. GETINFOCASE( SYSTEM_THREAD_EXCEPTION_NOT_HANDLED );
  1708. GETINFOCASE( SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION );
  1710. GETINFOCASE( KERNEL_STACK_INPAGE_ERROR );
  1712. GETINFOCASE( KERNEL_DATA_INPAGE_ERROR );
  1714. GETINFOCASE( TIMER_OR_DPC_INVALID );
  1716. DUPINFOCASE( UNEXPECTED_KERNEL_MODE_TRAP_M );
  1717. GETINFOCASE( UNEXPECTED_KERNEL_MODE_TRAP );
  1719. GETINFOCASE( MULTIPLE_IRP_COMPLETE_REQUESTS );
  1721. GETINFOCASE( WINLOGON_FATAL_ERROR );
  1723. DUPINFOCASE( RDR_FILE_SYSTEM );
  1724. DUPINFOCASE( UDFS_FILE_SYSTEM );
  1725. DUPINFOCASE( CDFS_FILE_SYSTEM );
  1726. DUPINFOCASE( NTFS_FILE_SYSTEM );
  1727. GETINFOCASE( FAT_FILE_SYSTEM );
  1729. DUPINFOCASE( STATUS_DRIVER_ENTRYPOINT_NOT_FOUND );
  1730. DUPINFOCASE( STATUS_PROCEDURE_NOT_FOUND );
  1731. DUPINFOCASE( STATUS_DRIVER_ORDINAL_NOT_FOUND );
  1732. GETINFOCASE( STATUS_DRIVER_UNABLE_TO_LOAD );
  1734. GETINFOCASE( PNP_DETECTED_FATAL_ERROR );
  1736. GETINFOCASE( MACHINE_CHECK_EXCEPTION );
  1738. GETINFOCASE( DRIVER_POWER_STATE_FAILURE );
  1740. DUPINFOCASE( THREAD_STUCK_IN_DEVICE_DRIVER_M );
  1741. GETINFOCASE( THREAD_STUCK_IN_DEVICE_DRIVER );
  1743. GETINFOCASE( SESSION3_INITIALIZATION_FAILED );
  1745. GETINFOCASE( DRIVER_VERIFIER_DETECTED_VIOLATION );
  1747. GETINFOCASE( CRITICAL_OBJECT_TERMINATION );
  1749. GETINFOCASE( CRITICAL_PROCESS_DIED );
  1751. GETINFOCASE( PROCESS_HAS_LOCKED_PAGES );
  1753. DUPINFOCASE( MANUALLY_INITIATED_CRASH1 );
  1754. GETINFOCASE( MANUALLY_INITIATED_CRASH );
  1756. GETINFOCASE( BAD_POOL_CALLER );
  1758. DUPINFOCASE( DRIVER_CORRUPTED_SYSPTES );
  1759. DUPINFOCASE( SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD )
  1760. DUPINFOCASE( DRIVER_PORTION_MUST_BE_NONPAGED );
  1761. GETINFOCASE( DRIVER_CORRUPTED_MMPOOL );
  1762. default:
  1763. break;
  1764. }
  1767. if (!Analysis->GetFailureCode())
  1768. {
  1769. //
  1770. // We ignore the top bit when setting the internal failure code
  1771. // so we can bucket things togeter appropriately.
  1772. // The top bit only represent a dump generation difference, not
  1773. // a root cause difference.
  1774. //
  1775. Analysis->SetFailureCode(Bc->Code & ~0x10000000);
  1776. }
  1778. if (!Analysis->Get(DEBUG_FLR_DEFAULT_BUCKET_ID))
  1779. {
  1780. if (Analysis->GetFailureType() == DEBUG_FLR_USER_CRASH)
  1781. {
  1782. Analysis->SetString(DEBUG_FLR_DEFAULT_BUCKET_ID, "APPLICATION_FAULT");
  1783. }
  1784. else
  1785. {
  1786. Analysis->SetString(DEBUG_FLR_DEFAULT_BUCKET_ID, "DRIVER_FAULT");
  1787. }
  1788. }
  1790. if (!Analysis->Get(DEBUG_FLR_BUGCHECK_STR))
  1791. {
  1792. CHAR BugCheckStr[12];
  1793. sprintf(BugCheckStr, "0x%lX", Analysis->GetFailureCode());
  1794. Analysis->SetString(DEBUG_FLR_BUGCHECK_STR, BugCheckStr);
  1796. if (Analysis->Get(DEBUG_FLR_WRITE_ADDRESS))
  1797. {
  1798. Analysis->SetString(DEBUG_FLR_BUGCHECK_SPECIFIER, "_W");
  1799. }
  1800. }
  1802. //
  1803. // Save the current IRQL.
  1804. //
  1806. if (g_TargetBuild > 2600)
  1807. {
  1808. PROCESSORINFO ProcInfo;
  1809. ULONG64 Prcb;
  1810. ULONG64 Irql = 0;
  1811. HRESULT Hr;
  1813. if (Ioctl(IG_KD_CONTEXT, &ProcInfo, sizeof(ProcInfo)))
  1814. {
  1815. Hr = g_ExtData->ReadProcessorSystemData(ProcInfo.Processor,
  1816. DEBUG_DATA_KPRCB_OFFSET,
  1817. &Prcb,
  1818. sizeof(Prcb),
  1819. NULL);
  1820. if (Hr == S_OK && Prcb)
  1821. {
  1822. if (!GetFieldValue(Prcb, "nt!_KPRCB", "DebuggerSavedIRQL", Irql))
  1823. {
  1824. Analysis->SetUlong64(DEBUG_FLR_CURRENT_IRQL, Irql);
  1825. }
  1826. }
  1827. }
  1828. }
  1830. ULONG64 Irp;
  1832. if (Analysis->GetUlong64(DEBUG_FLR_IRP_ADDRESS, &Irp))
  1833. {
  1834. BcGetDriverNameFromIrp(Analysis, Irp, 0, 0);
  1835. }
  1837. //
  1838. // Generic processing
  1839. //
  1841. Analysis->ProcessInformation();
  1842. }
  1844. void
  1845. ReadWatchDogBugcheck(
  1846. PBUGCHECK_ANALYSIS Bc
  1847. )
  1848. {
  1849. // Check if this could be a watchdog bugcheck
  1850. // Read watchdog!g_WdBugCheckData
  1851. ULONG64 wdBugcheck;
  1852. ULONG res;
  1853. ULONG PtrSize = IsPtr64() ? 8 : 4;
  1855. wdBugcheck = GetExpression("watchdog!g_WdBugCheckData");
  1856. if (wdBugcheck)
  1857. {
  1858. wdBugcheck = GetExpression("VIDEOPRT!g_WdpBugCheckData");
  1859. }
  1860. if (wdBugcheck)
  1861. {
  1862. ReadMemory(wdBugcheck, &Bc->Code, sizeof(ULONG), &res);
  1863. ReadPointer(wdBugcheck + PtrSize,&Bc->Args[0]);
  1864. ReadPointer(wdBugcheck + 2*PtrSize,&Bc->Args[1]);
  1865. ReadPointer(wdBugcheck + 3*PtrSize,&Bc->Args[2]);
  1866. ReadPointer(wdBugcheck + 4*PtrSize,&Bc->Args[3]);
  1867. }
  1869. }
  1871. KernelDebugFailureAnalysis*
  1872. BcAnalyze(
  1873. OUT PBUGCHECK_ANALYSIS Bc,
  1874. ULONG Flags
  1875. )
  1876. {
  1877. if (g_ExtControl->ReadBugCheckData(&Bc->Code, &Bc->Args[0], &Bc->Args[1],
  1878. &Bc->Args[2], &Bc->Args[3]) != S_OK)
  1879. {
  1880. return NULL;
  1881. }
  1883. if (Bc->Code == 0)
  1884. {
  1885. ReadWatchDogBugcheck(Bc);
  1886. }
  1888. KernelDebugFailureAnalysis* Analysis = new KernelDebugFailureAnalysis;
  1889. if (Analysis)
  1890. {
  1891. Analysis->SetProcessingFlags(Flags);
  1893. __try
  1894. {
  1895. BcFillAnalysis(Bc, Analysis);
  1896. }
  1897. __except(FaExceptionFilter(GetExceptionInformation()))
  1898. {
  1899. delete Analysis;
  1900. Analysis = NULL;
  1901. }
  1902. }
  1904. return Analysis;
  1905. }
  1907. HRESULT
  1908. AnalyzeBugCheck(
  1909. PCSTR args
  1910. )
  1911. {
  1912. KernelDebugFailureAnalysis* Analysis;
  1913. BUGCHECK_ANALYSIS Bc = {0};
  1914. BOOL Dump = TRUE;
  1915. ULONG Flags = 0;
  1916. DEBUG_FLR_PARAM_TYPE Params[10];
  1917. ULONG ParamCount = 0;
  1919. if (g_TargetClass != DEBUG_CLASS_KERNEL) {
  1920. dprintf("!analyzebugcheck is for kernel mode only\n");
  1921. return E_FAIL;
  1922. }
  1924. for (;;)
  1925. {
  1926. while (*args == ' ' || *args == '\t')
  1927. {
  1928. args++;
  1929. }
  1931. if (*args == '-')
  1932. {
  1933. ++args;
  1934. switch(*args)
  1935. {
  1936. case 'D':
  1937. {
  1938. CHAR ParamString[100];
  1939. ULONG ParamLength = 0;
  1940. args+=2;
  1941. while(*args && *args != ' ' && *args != '\t')
  1942. {
  1943. ParamString[ParamLength++] = *args++;
  1944. }
  1945. ParamString[ParamLength] = 0;
  1947. //
  1948. // Match the string to the actual failure ID.
  1949. //
  1951. ULONG i=0;
  1952. while(FlrLookupTable[i].Data &&
  1953. strcmp(FlrLookupTable[i].String, ParamString))
  1954. {
  1955. i++;
  1956. }
  1958. Params[ParamCount++] = FlrLookupTable[i].Data;
  1959. break;
  1960. }
  1961. case 'n':
  1962. if (!strncmp(args, "nodb",4))
  1963. {
  1964. args+=4;
  1965. Flags |= FAILURE_ANALYSIS_NO_DB_LOOKUP;
  1966. }
  1967. break;
  1968. case 's':
  1969. if (!strncmp(args, "show",4))
  1970. {
  1971. ULONG64 Code;
  1972. args+=4;
  1973. GetExpressionEx(args, &Code, &args);
  1974. Bc.Code = (ULONG)Code;
  1976. for (ULONG i=0; i<4 && *args; i++)
  1977. {
  1978. if (!GetExpressionEx(args, &Bc.Args[i], &args))
  1979. {
  1980. break;
  1981. }
  1982. }
  1983. GetBugCheckDescription(&Bc);
  1984. PrintBugDescription(&Bc);
  1985. return S_OK;
  1986. }
  1987. case 'v':
  1988. Flags |= FAILURE_ANALYSIS_VERBOSE;
  1989. break;
  1990. case 'f':
  1991. break;
  1992. default:
  1993. {
  1994. CHAR Option[2];
  1995. Option[0] = *args; Option[1] = 0;
  1996. dprintf("\nUnknown option '-%s'\n", Option );
  1997. break;
  1998. }
  1999. }
  2000. if (*args == 0)
  2001. {
  2002. break;
  2003. }
  2004. ++args;
  2005. }
  2006. else
  2007. {
  2008. break;
  2009. }
  2010. }
  2013. g_ExtControl->ReadBugCheckData(&Bc.Code, &Bc.Args[0], &Bc.Args[1],
  2014. &Bc.Args[2], &Bc.Args[3]);
  2016. if (Bc.Code == 0)
  2017. {
  2018. ReadWatchDogBugcheck(&Bc);
  2019. }
  2021. if (!ParamCount)
  2022. {
  2023. dprintf("*******************************************************************************\n");
  2024. dprintf("* *\n");
  2025. dprintf("* Bugcheck Analysis *\n");
  2026. dprintf("* *\n");
  2027. dprintf("*******************************************************************************\n");
  2028. dprintf("\n");
  2030. if (Flags & FAILURE_ANALYSIS_VERBOSE)
  2031. {
  2032. GetBugCheckDescription(&Bc);
  2033. PrintBugDescription(&Bc);
  2034. dprintf("\nDebugging Details:\n------------------\n\n");
  2035. }
  2036. else
  2037. {
  2038. dprintf("Use !analyze -v to get detailed debugging information.\n\n");
  2040. dprintf("BugCheck %lX, {%1p, %1p, %1p, %1p}\n\n",
  2041. Bc.Code,
  2042. Bc.Args[0],Bc.Args[1],Bc.Args[2],Bc.Args[3]);
  2043. }
  2044. }
  2046. Analysis = BcAnalyze(&Bc, Flags);
  2048. if (!Analysis)
  2049. {
  2050. dprintf("\n\nFailure could not be analyzed\n\n");
  2051. return E_FAIL;
  2052. }
  2054. if (ParamCount)
  2055. {
  2056. while(ParamCount--)
  2057. {
  2058. Analysis->OutputEntryParam(Params[ParamCount]);
  2059. }
  2060. }
  2062. //
  2063. // Always call output so we can key information printed out also, such
  2064. // as *** entries.
  2065. //
  2067. Analysis->Output();
  2069. delete Analysis;
  2071. return S_OK;
  2073. }
  2076. //----------------------------------------------------------------------------
  2077. //
  2078. // KernelDebugFailureAnalysis.
  2079. //
  2080. //----------------------------------------------------------------------------
  2082. KernelDebugFailureAnalysis::KernelDebugFailureAnalysis(void)
  2083. : m_KernelModule("nt")
  2084. {
  2085. }
  2087. DEBUG_POOL_REGION
  2088. KernelDebugFailureAnalysis::GetPoolForAddress(ULONG64 Addr)
  2089. {
  2090. PGET_POOL_REGION GetPoolRegion = NULL;
  2092. if (g_ExtControl->
  2093. GetExtensionFunction(0, "GetPoolRegion",
  2094. (FARPROC*)&GetPoolRegion) == S_OK &&
  2095. GetPoolRegion)
  2096. {
  2097. DEBUG_POOL_REGION RegionId;
  2099. (*GetPoolRegion)(g_ExtClient, Addr, &RegionId);
  2100. return RegionId;
  2101. }
  2103. return DbgPoolRegionUnknown;
  2104. }
  2106. PCSTR
  2107. KernelDebugFailureAnalysis::DescribeAddress(ULONG64 Addr)
  2108. {
  2109. DEBUG_POOL_REGION RegionId = GetPoolForAddress(Addr);
  2112. if ((RegionId != DbgPoolRegionUnknown) &&
  2113. (RegionId < DbgPoolRegionMax))
  2114. {
  2115. return g_PoolRegion[RegionId];
  2116. }
  2117. return NULL;
  2118. }
  2120. FOLLOW_ADDRESS
  2121. KernelDebugFailureAnalysis::IsPotentialFollowupAddress(ULONG64 Address)
  2122. {
  2123. CHAR Buffer[MAX_PATH];
  2124. ULONG64 Disp;
  2126. //
  2127. // Check for special symbols which indicate we are transitioning back
  2128. // to user mode code, so the rest of the stack can not be at fault.
  2129. //
  2131. if (GetFailureType() == DEBUG_FLR_USER_CRASH)
  2132. {
  2133. return FollowYes;
  2134. }
  2136. if (FaGetSymbol(Address, Buffer, &Disp, sizeof(Buffer)) &&
  2137. (!_strcmpi(Buffer, "nt!KiCallUserMode") ||
  2138. !_strcmpi(Buffer, "SharedUserData!SystemCallStub")))
  2139. {
  2140. return FollowStop;
  2141. }
  2143. if (Address > BcTargetKernelAddressStart())
  2144. {
  2145. return FollowYes;
  2146. }
  2147. else
  2148. {
  2149. //
  2150. // We don't stop on user mode addresses because they could be
  2151. // garbage on the stack we - just skip them
  2152. //
  2154. return FollowSkip;
  2155. }
  2156. }
  2158. FOLLOW_ADDRESS
  2159. KernelDebugFailureAnalysis::IsFollowupContext(ULONG64 Address1,
  2160. ULONG64 Address2,
  2161. ULONG64 Address3)
  2162. {
  2163. // If it's a user mode address, and a dump file, it's not a valid
  2164. // context.
  2165. // A user mode address is valid for a kernel mode context because
  2166. // a hardcoded breakpoint from user mode with kd active will show up
  2167. // on the stack.
  2169. if ( (Address1 < BcTargetKernelAddressStart()) &&
  2170. (Address2 < BcTargetKernelAddressStart()) &&
  2171. (Address3 < BcTargetKernelAddressStart()) )
  2172. {
  2173. if ((g_TargetQualifier == DEBUG_DUMP_SMALL) ||
  2174. (g_TargetQualifier == DEBUG_DUMP_DEFAULT) ||
  2175. (g_TargetQualifier == DEBUG_DUMP_FULL))
  2176. {
  2177. return FollowStop;
  2178. }
  2179. }
  2181. return FollowYes;
  2182. }
  2184. FlpClasses
  2185. KernelDebugFailureAnalysis::GetFollowupClass(ULONG64 Address,
  2186. PCSTR Module, PCSTR Routine)
  2187. {
  2188. if (m_KernelModule.Contains(Address) ||
  2189. !_strcmpi(Module, "ntfs") ||
  2190. !_strcmpi(Module, "fastfat"))
  2191. {
  2192. return FlpOSRoutine;
  2193. }
  2194. else if (!_strcmpi(Module, "sr") ||
  2195. !_strcmpi(Module, "ndis") ||
  2196. !_strcmpi(Module, "videoprt") ||
  2197. !_strcmpi(Module, "USBPORT") ||
  2198. !_strcmpi(Module, "USBHUB") ||
  2199. !_strcmpi(Module, "dxg") ||
  2200. !_strcmpi(Module, "win32k") ||
  2201. !_strcmpi(Module, "verifier") ||
  2202. !_strcmpi(Module, "scsiport"))
  2203. {
  2204. return FlpOSFilterDrv;
  2205. }
  2206. else if (!_strcmpi(Module, "SharedUserData") &&
  2207. Routine && !_strcmpi(Routine, "SystemCallStub"))
  2208. {
  2209. // Do not followup on usermode calls
  2210. return FlpIgnore;
  2211. }
  2212. else
  2213. {
  2214. return FlpUnknownDrv;
  2215. }
  2216. }
  2220. /*
  2221. * This checks for valid object pointers in HANDLE_TABLE_ENTRY. If the pointers are
  2222. * invalid it tries to figure out who corrupted the values.
  2223. *
  2224. * Reutrns TRUE if it succesfully identifies a memory curruption
  2225. */
  2226. BOOL
  2227. KernelDebugFailureAnalysis::CheckForCorruptionInHTE(
  2228. ULONG64 hTableEntry,
  2229. PCHAR Owner,
  2230. ULONG OwnerSize)
  2231. {
  2232. ULONG64 Object = 0;
  2233. ULONG64 CorruptingPool = 0;
  2234. DEBUG_POOL_REGION Region;
  2236. // hTableEntry must be in PagedPool, but we have
  2237. // a loose check here since GetPoolForAddress is unreliable on
  2238. // minidumps PagedPool
  2239. if (IsPotentialFollowupAddress(hTableEntry) != FollowYes)
  2240. {
  2241. return FALSE;
  2242. }
  2244. if (!ReadPointer(hTableEntry, &Object))
  2245. {
  2246. return FALSE;
  2247. }
  2249. Region = GetPoolForAddress(Object);
  2251. if (IsPotentialFollowupAddress(Object) != FollowYes)
  2252. {
  2253. // Object is invalid, it must be in PagedPool or NonPagedPool
  2255. return AddCorruptingPool(hTableEntry);
  2256. }
  2258. if (InitTypeRead(Object, nt!_OBJECT_HEADER))
  2259. {
  2260. return FALSE;
  2261. }
  2262. ULONG PointerCount, HandleCount;
  2263. ULONG64 ObjType;
  2265. PointerCount = (ULONG) ReadField(PointerCount);
  2266. HandleCount = (ULONG) ReadField(HandleCount);
  2267. ObjType = (ULONG) ReadField(Type);
  2269. // Verify object for inconsistent counts
  2270. // Invalid object type, must be in kernel mode
  2272. if ((PointerCount > 0x10000) ||
  2273. (HandleCount > 0x10000) ||
  2274. (HandleCount > PointerCount) ||
  2275. (IsPotentialFollowupAddress(ObjType) != FollowYes)
  2276. )
  2277. {
  2278. // Object is corrupted, previous pool is a possible corruptor
  2280. AddCorruptingPool(Object);
  2281. }
  2282. else
  2283. {
  2284. return FALSE;
  2285. }
  2286. return TRUE;
  2287. }
  2289. BOOL
  2290. KernelDebugFailureAnalysis::AddCorruptingPool(
  2291. ULONG64 CorruptedPool
  2292. )
  2293. {
  2294. DEBUG_POOL_DATA PoolData = {0};
  2296. PoolData.SizeofStruct = sizeof(DEBUG_POOL_DATA);
  2297. if (ExtGetPoolData(CorruptedPool, &PoolData) != S_OK)
  2298. {
  2299. //
  2300. // Pool block is badly corrupted, loop backwards to find first non-corrupt block
  2301. //
  2302. ULONG PoolHeaderSize = GetTypeSize("nt!_POOL_HEADER");
  2303. ULONG64 PoolAddr;
  2304. for (PoolAddr = CorruptedPool - 2*PoolHeaderSize;
  2305. PoolAddr > (CorruptedPool -0x1000); // Limit to 4KB
  2306. PoolAddr -= 2*PoolHeaderSize)
  2307. {
  2308. if (ExtGetPoolData(PoolAddr, &PoolData) == S_OK)
  2309. {
  2310. goto FoundPool;
  2311. }
  2312. }
  2314. return FALSE;
  2315. } else if (PoolData.Free && !PoolData.Allocated &&
  2316. PoolData.Size != 0)
  2317. {
  2318. // Pool seem to have been correctly freed
  2319. return FALSE;
  2320. } else if (ExtGetPoolData(PoolData.PoolBlock - PoolData.PreviousSize,
  2321. &PoolData) == S_OK)
  2322. // Now get previous pool as it most likely corruptor
  2323. {
  2324. FoundPool:
  2325. CHAR PoolTag[8] = {0};
  2326. SetUlong64(DEBUG_FLR_CORRUPTING_POOL_ADDRESS, PoolData.PoolBlock);
  2328. sprintf(PoolTag,"%c%c%c%c",
  2329. #define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
  2330. PP(PoolData.PoolTag),
  2331. PP(PoolData.PoolTag >> 8),
  2332. PP(PoolData.PoolTag >> 16),
  2333. PP((PoolData.PoolTag&~0x80000000) >> 24)
  2334. #undef PP
  2335. );
  2337. SetString(DEBUG_FLR_CORRUPTING_POOL_TAG, PoolTag);
  2339. return TRUE;
  2340. }
  2342. return FALSE;
  2343. }
  2345. typedef struct _CHECK_STACK {
  2346. PCHAR* BreakinStk;
  2347. BOOL ValidMatch;
  2348. ULONG MachineType;
  2349. } CHECK_STACK;
  2351. BOOL
  2352. KernelDebugFailureAnalysis::IsManualBreakin(
  2353. PDEBUG_STACK_FRAME Stk,
  2354. ULONG Frames
  2355. )
  2356. //
  2357. // Check stack to see if this is result of manual breakin
  2358. //
  2359. {
  2360. CHAR szBrakFn[100];
  2361. ULONG64 Disp;
  2362. ULONG NumStacks, i, j;
  2363. BOOL NoMatches;
  2364. static PCHAR StkX86CtrlCBreakin1[] = {
  2365. "nt!*Break*",
  2366. "nt!KeUpdateSystemTime",
  2367. "nt!KiIdleLoop",
  2368. NULL,
  2369. };
  2370. static PCHAR StkX86CtrlCBreakin2[] = {
  2371. "nt!*Break*",
  2372. "nt!KeUpdateSystemTime",
  2373. "hal!HalProcessorIdle",
  2374. NULL,
  2375. };
  2376. static PCHAR StkIa64CtrlCBreakin1[] = {
  2377. "nt!KeBreakinBreakpoint",
  2378. "hal!HalpClockInterrupt",
  2379. "nt!KiExternalInterruptHandler",
  2380. "nt!Kil_TopOfIdleLoop",
  2381. NULL,
  2382. };
  2383. static PCHAR StkIa64CtrlCBreakin2[] = {
  2384. "nt!KeBreakinBreakpoint",
  2385. "hal!HalpClockInterrupt",
  2386. "nt!KiExternalInterruptHandler",
  2387. NULL
  2388. };
  2389. CHECK_STACK StksToCheck[] = {
  2390. {StkX86CtrlCBreakin1, TRUE, IMAGE_FILE_MACHINE_I386},
  2391. {StkX86CtrlCBreakin2, TRUE, IMAGE_FILE_MACHINE_I386},
  2392. {StkIa64CtrlCBreakin1, TRUE, IMAGE_FILE_MACHINE_IA64},
  2393. {StkIa64CtrlCBreakin2, TRUE, IMAGE_FILE_MACHINE_IA64},
  2394. };
  2397. //
  2398. // We are looking for:
  2399. // 0 nt!*Break*
  2400. //
  2403. //
  2404. // Assume 3 to 5 frames for a manual breakin stack
  2405. //
  2406. if (Frames < 3 || Frames > 5 || Stk == NULL)
  2407. {
  2408. return FALSE;
  2409. }
  2411. if (FaGetSymbol(Stk[0].InstructionOffset, szBrakFn,
  2412. &Disp, sizeof(szBrakFn)))
  2413. {
  2414. if (!strstr(szBrakFn, "Break"))
  2415. {
  2416. return FALSE;
  2417. }
  2418. } else
  2419. {
  2420. return FALSE;
  2421. }
  2423. NumStacks = sizeof(StksToCheck)/sizeof(CHECK_STACK);
  2425. for (i = 0; i < NumStacks; ++i)
  2426. {
  2427. if (StksToCheck[i].MachineType != g_TargetMachine)
  2428. {
  2429. StksToCheck[i].ValidMatch = FALSE;
  2430. }
  2431. }
  2433. for (j=1;j<Frames;++j)
  2434. {
  2435. NoMatches = TRUE;
  2436. if (FaGetSymbol(Stk[j].InstructionOffset, szBrakFn,
  2437. &Disp, sizeof(szBrakFn)))
  2438. {
  2439. for (i = 0; i < NumStacks; ++i)
  2440. {
  2441. if (StksToCheck[i].ValidMatch)
  2442. {
  2443. if (StksToCheck[i].BreakinStk[j] == NULL)
  2444. {
  2445. StksToCheck[i].ValidMatch = FALSE;
  2446. } else if (strcmp(szBrakFn, StksToCheck[i].BreakinStk[j]))
  2447. {
  2448. StksToCheck[i].ValidMatch = FALSE;
  2449. } else
  2450. {
  2451. // Breakin stack i matck with current stack till frame j
  2452. NoMatches = FALSE;
  2453. }
  2455. }
  2456. }
  2458. }
  2460. if (NoMatches)
  2461. {
  2462. // None of the stacks in StksToCheck match
  2463. return FALSE;
  2464. }
  2465. }
  2467. for (i = 0; i < NumStacks; ++i)
  2468. {
  2469. if (StksToCheck[i].ValidMatch)
  2470. {
  2471. return TRUE;
  2472. }
  2473. }
  2475. return FALSE;
  2476. }
  2479. //
  2480. // Create a new minidump file of this crash
  2481. //
  2482. #if 0
  2483. ULONG FailTime = 0;
  2484. ULONG UpTime = 0;
  2485. CHAR CurrentTime[20];
  2486. CHAR CurrentDate[20];
  2487. CHAR Buffer[MAX_PATH];
  2489. g_ExtControl->GetCurrentTimeDate(&FailTime);
  2490. g_ExtControl->GetCurrentSystemUpTime(&UpTime);
  2491. _strtime(CurrentTime);
  2492. _strdate(CurrentDate);
  2494. if (CurrentTime && UpTime)
  2495. {
  2496. PrintString(Buffer, sizeof(Buffer), "Dump%s-%s-%08lx-%08lx-%s.dmp",
  2497. FailTime, Uptime, Currentdate, CurrentTime);
  2498. Status = g_ExtClient->WriteDumpFile(Buffer ,DEBUG_DUMP_SMALL);
  2499. }
  2500. #endif
  2502. #if 0
  2503. CHAR Buffer[MAX_PATH];
  2504. if (Dump && GetTempFileName(".", "DMP", 0, Buffer))
  2505. {
  2506. Status = g_ExtClient->WriteDumpFile(Buffer ,DEBUG_DUMP_SMALL);
  2508. if (Status == S_OK)
  2509. {
  2510. //
  2511. // We create a file - now lets send it to the database
  2512. //
  2514. //CopyFile(Buffer, "c:\\xxxx", 0);
  2515. DeleteFile(Buffer);
  2516. }
  2517. dprintf("Done.");
  2518. }
  2520. dprintf("\n\n");
  2521. #endif