XP/W2k3 x86 on Modern Hardware


George King


@Mov AX, 0xDEAD

I found the place in the Win8.0 usbxhci.sys where the controller is started; there's a 100ms wait in there that I can increase to 127ms, but there's no room for anything larger than that, and it might not achieve anything. I don't see a wait interval on the reset function though.

I'm not certain I can inject new code without breaking the driver.

The Win10 driver code is similar but makes use of the ExTimer functions:

//
// Controller failed to clear halt in the first 5 ms of aggressive polling by the driver.
// Implement a secondary wait period with less frequent polling using high resolution
// timers and relinquish the CPU while waiting for the timer event.
//
timer = ExAllocateTimer(Controller_HighResTimerCompletion,
                        &event,
                        EX_TIMER_HIGH_RESOLUTION);

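As an added illustration of the two-phase wait that the Win10 comment above describes (this is not the Win8/Win10 driver code and not from the poster): a user-mode C model with a simulated clock and a fake "controller halted" status bit. The 5 ms aggressive phase, the 1 ms slow-poll period, the 10 µs spacing of the tight polls and all names (FakeController, WaitForHaltClear, RunWaitScenario) are assumptions made for the illustration; only the 100 ms and 127 ms budgets come from the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not driver source. Time is simulated so the loop is
 * deterministic and runs in user mode; in a real driver the aggressive phase
 * would stall the CPU and the slow phase would wait on a timer event. */
typedef struct {
    uint32_t halt_clears_at_us;  /* simulated hardware: halted bit reads 1 before this time */
    uint32_t now_us;             /* simulated monotonic clock */
    uint32_t reads;              /* number of status-register reads performed */
} FakeController;

typedef enum { WAIT_OK = 0, WAIT_TIMEOUT = 1 } WaitResult;

/* Read the simulated "controller halted" status bit: true = still halted. */
static bool ReadHalted(FakeController *c) {
    c->reads++;
    return c->now_us < c->halt_clears_at_us;
}

/* Simulated delay: advance the virtual clock instead of blocking. */
static void SimDelay(FakeController *c, uint32_t us) { c->now_us += us; }

/* Two-phase wait for the halted bit to clear:
 *   phase 1: tight polling for up to aggressive_us (the "first 5 ms" of the comment),
 *   phase 2: one poll per slow_period_us until total_budget_us has elapsed,
 *            giving the CPU away in between (here: just advancing the clock).
 * Returns WAIT_TIMEOUT if the bit is still set when the budget runs out. */
WaitResult WaitForHaltClear(FakeController *c, uint32_t aggressive_us,
                            uint32_t slow_period_us, uint32_t total_budget_us) {
    uint32_t start = c->now_us;

    while (c->now_us - start < aggressive_us) {
        if (!ReadHalted(c))
            return WAIT_OK;
        SimDelay(c, 10);              /* 10 us between tight polls (assumption) */
    }
    while (c->now_us - start < total_budget_us) {
        SimDelay(c, slow_period_us);
        if (!ReadHalted(c))
            return WAIT_OK;
    }
    return ReadHalted(c) ? WAIT_TIMEOUT : WAIT_OK;   /* final check at the deadline */
}

/* Scenario: hardware clears halt after clear_after_ms, driver allows budget_ms. */
WaitResult RunWaitScenario(uint32_t clear_after_ms, uint32_t budget_ms) {
    FakeController c = { clear_after_ms * 1000u, 0u, 0u };
    return WaitForHaltClear(&c, 5000u, 1000u, budget_ms * 1000u);
}

/* Same scenario, reporting how many register reads the wait needed. */
uint32_t RunWaitScenarioReads(uint32_t clear_after_ms, uint32_t budget_ms) {
    FakeController c = { clear_after_ms * 1000u, 0u, 0u };
    WaitForHaltClear(&c, 5000u, 1000u, budget_ms * 1000u);
    return c.reads;
}

int main(void) {
    printf("clears at 120 ms, 100 ms budget: %s\n",
           RunWaitScenario(120, 100) == WAIT_OK ? "ok" : "timeout");
    printf("clears at 120 ms, 127 ms budget: %s\n",
           RunWaitScenario(120, 127) == WAIT_OK ? "ok" : "timeout");
    printf("reads needed when halt clears at 50 ms: %u\n",
           (unsigned)RunWaitScenarioReads(50, 100));
    return 0;
}
```

A controller that clears halt at 120 ms times out under the 100 ms budget and succeeds under 127 ms, which is the whole effect the one-byte patch discussed above could have; the read counter shows why the second phase exists: 500 reads cover the first 5 ms, while the next 45 ms cost only 45 more.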

@infuscomus

Do the following to test the Win8 XHCI drivers on Win8.1:

- Create a bootable Win8.1 x86 USB flash drive using Rufus.

- Open boot.wim in 7-Zip.

- Replace the following files in folders \1\Windows\System32\Drivers and 2\Windows\System32\Drivers
ucx01000.sys, usbd.sys, usbhub3.sys and usbxhci.sys -> original, untouched from Win8.0!!! Ported drivers will crash.

- Restart and boot from it.

Worked just fine here.

If USB devices work, your issue is related to the ACPI driver.


9 hours ago, daniel_k said:

@infuscomus

Do the following to test the Win8 XHCI drivers on Win8.1:

- Create a bootable Win8.1 x86 USB flash drive using Rufus.

- Open boot.wim in 7-Zip.

- Replace the following files in folders \1\Windows\System32\Drivers and 2\Windows\System32\Drivers
ucx01000.sys, usbd.sys, usbhub3.sys and usbxhci.sys -> original, untouched from Win8.0!!! Ported drivers will crash.

- Restart and boot from it.

Worked just fine here.

If USB devices work, your issue is related to the ACPI driver.

@daniel_k

Yes, win8.0 USB3 driver on 8.1 works.

It also works on 8.0 after swapping out @Dietmar's patched win8.0 acpi.sys

--------

ACPI driver issue is unlikely to ever be fixed for XP though.


So _PmHalDispatchTable is part of struct _PM_DISPATCH_TABLE

typedef struct _PM_DISPATCH_TABLE {
    ULONG   Signature;
    ULONG   Version;
    PVOID   Function[1];
} PM_DISPATCH_TABLE, *PPM_DISPATCH_TABLE;

It's initialized as null

PPM_DISPATCH_TABLE PmAcpiDispatchTable = NULL;

Called and loaded by HaliInitPowerManagement:

NTSTATUS
HaliInitPowerManagement(
    IN PPM_DISPATCH_TABLE  PmDriverDispatchTable,
    IN OUT PPM_DISPATCH_TABLE *PmHalDispatchTable
    );

*PmHalDispatchTable = (PPM_DISPATCH_TABLE)&HalAcpiDispatchTable;

I've discovered that XP only fills the table up to HaliIsVectorValid, whereas Vista has some additional functions XP does not have:

HalAcpiGetTableDispatch
HalAcpiGetRsdpDispatch
HalAcpiGetFacsMappingDispatch
HalAcpiGetAllTablesDispatch


I think these functions being absent from XP's PM_DISPATCH_TABLE is why the vista acpi.sys fails since it seems to depend on these to find ACPI tables.

@Mov AX, 0xDEAD

what do you think?

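As an added illustration of the hand-off described in the post above (not code from the thread, from Windows, or from the poster): a user-mode C model of a HAL publishing its dispatch table through PmHalDispatchTable and an ACPI-driver consumer calling through it. The signature constant, the slot numbers, the use of Version as a count of filled slots and the helper names (BuildHalTable, CheckedDispatch, AcpiLocateRsdp, RunDispatchScenario) are assumptions; the only facts taken from the post are that XP fills the table up to HaliIsVectorValid and that Vista's table additionally carries the four HalAcpiGet* entries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Windows source. */
typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;

#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_NOT_IMPLEMENTED   ((NTSTATUS)0xC0000002L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)

#define PM_DISPATCH_SIGNATURE 0x5043414CUL   /* constructed placeholder, not the real value */
#define PM_MAX_FUNCTIONS      16

typedef NTSTATUS (*PM_FUNCTION)(void);

/* The real struct declares PVOID Function[1] and is over-allocated; a fixed array
 * of typed function pointers is used here so no object-to-function cast is needed. */
typedef struct _PM_DISPATCH_TABLE {
    ULONG       Signature;
    ULONG       Version;      /* modelled as: number of Function[] slots the HAL filled */
    PM_FUNCTION Function[PM_MAX_FUNCTIONS];
} PM_DISPATCH_TABLE, *PPM_DISPATCH_TABLE;

/* Hypothetical slot indices. The post only establishes that XP stops at
 * HaliIsVectorValid and that Vista adds the four ACPI table getters. */
enum {
    SLOT_HALI_IS_VECTOR_VALID      = 4,
    SLOT_HAL_ACPI_GET_TABLE        = 5,
    SLOT_HAL_ACPI_GET_RSDP         = 6,
    SLOT_HAL_ACPI_GET_FACS_MAPPING = 7,
    SLOT_HAL_ACPI_GET_ALL_TABLES   = 8
};

static NTSTATUS StubOk(void) { return STATUS_SUCCESS; }

/* Unchecked dispatch: what a consumer written against a newer HAL effectively does.
 * Against an XP-style table the slot holds NULL, so this is a call to address 0. */
NTSTATUS UncheckedDispatch(PPM_DISPATCH_TABLE t, unsigned slot) {
    return t->Function[slot]();
}

/* Checked dispatch: validate the table, then refuse slots the HAL never filled. */
NTSTATUS CheckedDispatch(PPM_DISPATCH_TABLE t, unsigned slot) {
    if (t == NULL || t->Signature != PM_DISPATCH_SIGNATURE)
        return STATUS_INVALID_PARAMETER;
    if (slot >= PM_MAX_FUNCTIONS || slot >= t->Version)
        return STATUS_NOT_IMPLEMENTED;   /* older HAL: its table ends before this slot */
    if (t->Function[slot] == NULL)
        return STATUS_NOT_IMPLEMENTED;   /* slot in range but left empty */
    return t->Function[slot]();
}

/* HAL side of the HaliInitPowerManagement hand-off: fill our table and publish
 * it through the caller's PmHalDispatchTable pointer. */
void BuildHalTable(PPM_DISPATCH_TABLE table, int vista_style,
                   PPM_DISPATCH_TABLE *PmHalDispatchTable) {
    memset(table, 0, sizeof *table);
    table->Signature = PM_DISPATCH_SIGNATURE;
    table->Function[SLOT_HALI_IS_VECTOR_VALID] = StubOk;
    table->Version = SLOT_HALI_IS_VECTOR_VALID + 1;           /* XP-style: stops here */
    if (vista_style) {
        table->Function[SLOT_HAL_ACPI_GET_TABLE]        = StubOk;
        table->Function[SLOT_HAL_ACPI_GET_RSDP]         = StubOk;
        table->Function[SLOT_HAL_ACPI_GET_FACS_MAPPING] = StubOk;
        table->Function[SLOT_HAL_ACPI_GET_ALL_TABLES]   = StubOk;
        table->Version = SLOT_HAL_ACPI_GET_ALL_TABLES + 1;
    }
    *PmHalDispatchTable = table;
}

/* ACPI-driver side: locate the RSDP through the HAL's table instead of trusting the slot. */
NTSTATUS AcpiLocateRsdp(PPM_DISPATCH_TABLE PmHalDispatchTable) {
    return CheckedDispatch(PmHalDispatchTable, SLOT_HAL_ACPI_GET_RSDP);
}

/* Pair a Vista-era consumer with an XP-style (0) or Vista-style (1) HAL table. */
NTSTATUS RunDispatchScenario(int vista_style_hal) {
    PM_DISPATCH_TABLE  HalAcpiDispatchTable;
    PPM_DISPATCH_TABLE PmHalDispatchTable = NULL;
    BuildHalTable(&HalAcpiDispatchTable, vista_style_hal, &PmHalDispatchTable);
    return AcpiLocateRsdp(PmHalDispatchTable);
}

int main(void) {
    printf("XP-style HAL:    0x%08lX\n", (unsigned long)(uint32_t)RunDispatchScenario(0));
    printf("Vista-style HAL: 0x%08lX\n", (unsigned long)(uint32_t)RunDispatchScenario(1));
    /* UncheckedDispatch is only safe against a table that has the slot filled. */
    PM_DISPATCH_TABLE t; PPM_DISPATCH_TABLE p;
    BuildHalTable(&t, 1, &p);
    printf("unchecked on Vista-style HAL: 0x%08lX\n",
           (unsigned long)(uint32_t)UncheckedDispatch(p, SLOT_HAL_ACPI_GET_RSDP));
    return 0;
}
```

Calling an unfilled slot is a jump to address 0, which is the shape of the eip=00000000 access violation in the 0x7E dump Dietmar posts further down; a consumer that bounds-checks against Version and rejects NULL entries fails with a status instead, which is the check an ACPI driver ported onto an older HAL would need before trusting the table.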

@infuscomus

I run a Windbg session with your new acpi.sys from Vista.

It hangs in a loop via nt!KiIdleLoop and then crashes with 0x7E (write in wrong memory)

Dietmar

 

Break instruction exception - code 80000003 (first chance)
nt!KiIdleLoop+0x10:
804dcbef f390            pause
4: kd> g

*** Fatal System Error: 0x0000007e
                       (0xC0000005,0x00000000,0xF789E168,0xF789DE64)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Fri Dec 17 19:50:01.687 2021 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
.......................
Loading User Symbols

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 0, f789e168, f789de64}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for HAL3.DLL -
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
804e29c2 cc              int     3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: f789e168, Exception Record Address
Arg4: f789de64, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

FAULTING_IP:
+471
00000000 ??              ???

EXCEPTION_RECORD:  f789e168 -- (.exr 0xfffffffff789e168)
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT:  f789de64 -- (.cxr 0xfffffffff789de64)
eax=00000000 ebx=80702e40 ecx=54445358 edx=00000001 esi=f75bbb20 edi=80702d70
eip=00000000 esp=f789e230 ebp=f789e250 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
00000000 ??              ???
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

READ_ADDRESS:  00000000

FOLLOWUP_IP:
+471
00000000 ??              ???

FAILED_INSTRUCTION_ADDRESS:
+471
00000000 ??              ???

BUGCHECK_STR:  0x7E

LAST_CONTROL_TRANSFER:  from 00000000 to 00000000

STACK_TEXT:  
f789e22c 00000000 00000000 00000000 f75c04fc 0x0


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x7E_NULL_IP_ANALYSIS_INCONCLUSIVE

BUCKET_ID:  0x7E_NULL_IP_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------

11: kd> lm
start    end        module name
804d7000 80700000   nt         (pdb symbols)          c:\symbols\ntkrnlmp.pdb\2070D15C611B40BDA93F5F7F12CAC76C2\ntkrnlmp.pdb
80700000 80724f80   HAL3       (export symbols)       HAL3.DLL
bac2e000 bac47b80   Mup        (deferred)             
bac48000 bac74980   NDIS       (deferred)             
bac75000 bad01600   Ntfs       (deferred)             
bad02000 bad18880   KSecDD     (deferred)             
bad19000 bad2af00   sr         (deferred)             
bad2b000 bad4ab00   fltMgr     (deferred)             
bad4b000 bb000000   iaStor     (deferred)             
f747a000 f749fa00   dmio       (deferred)             
f74a0000 f74bed80   ftdisk     (deferred)             
f755f000 f756fa80   pci        (deferred)             
f7570000 f7592f00   ntoskrn8   (deferred)             
f7593000 f75d6000   ACPI       (deferred)             
f75f7000 f7600300   isapnp     (deferred)             
f7607000 f7611580   MountMgr   (deferred)             
f7617000 f7624200   VolSnap    (deferred)             
f7627000 f762fe00   disk       (deferred)             
f7637000 f7643180   CLASSPNP   (deferred)             
f7707000 f770bd00   PartMgr    (deferred)             
f7897000 f789a000   BOOTVID    (deferred)             
f7987000 f7988b80   kdcom      (deferred)             
f7989000 f798a100   WMILIB     (deferred)             
f798b000 f798c700   dmload     (deferred)             

 

 

 

 


804dcbd3 42              inc     edx
804dcbd4 306689          xor     byte ptr [esi-77h],ah
804dcbd7 41              inc     ecx
804dcbd8 66c20800        ret     8
804dcbdc 8d4900          lea     ecx,[ecx]
nt!KiIdleLoop:
804dcbdf 8dab80090000    lea     ebp,[ebx+980h]
804dcbe5 eb08            jmp     nt!KiIdleLoop+0x10 (804dcbef)
804dcbe7 8d8b500c0000    lea     ecx,[ebx+0C50h]
804dcbed ff11            call    dword ptr [ecx]
804dcbef f390            pause
804dcbf1 fb              sti
804dcbf2 90              nop
804dcbf3 90              nop
804dcbf4 fa              cli
804dcbf5 3b6d00          cmp     ebp,dword ptr [ebp]
804dcbf8 740d            je      nt!KiIdleLoop+0x28 (804dcc07)
804dcbfa b102            mov     cl,2
804dcbfc ff15b4804d80    call    dword ptr [nt!_imp_HalClearSoftwareInterrupt (804d80b4)]
804dcc02 e8ba000000      call    nt!KiRetireDpcList (804dccc1)
804dcc07 83bb2801000000  cmp     dword ptr [ebx+128h],0 ds:0023:f7747128=00000000
804dcc0e 74d7            je      nt!KiIdleLoop+0x8 (804dcbe7)
804dcc10 b91c000000      mov     ecx,1Ch
804dcc15 ff152c804d80    call    dword ptr [nt!_imp_KfRaiseIrql (804d802c)]
804dcc1b fb              sti
804dcc1c 8d8b40050000    lea     ecx,[ebx+540h]
804dcc22 e851580000      call    nt!KeAcquireQueuedSpinLockAtDpcLevel (804e2478)
804dcc27 8bb328010000    mov     esi,dword ptr [ebx+128h]
804dcc2d 8bbb24010000    mov     edi,dword ptr [ebx+124h]
804dcc33 807e5000        cmp     byte ptr [esi+50h],0
804dcc37 753d            jne     nt!KiIdleLoop+0x97 (804dcc76)
804dcc39 3bf7            cmp     esi,edi
804dcc3b 745a            je      nt!KiIdleLoop+0xb8 (804dcc97)
804dcc3d 83c901          or      ecx,1
804dcc40 89b324010000    mov     dword ptr [ebx+124h],esi
804dcc46 26c6462d02      mov     byte ptr es:[esi+2Dh],2
804dcc4b c7832801000000000000 mov dword ptr [ebx+128h],0
804dcc55 6860cc4d80      push    offset nt!KiIdleLoop+0x81 (804dcc60)
804dcc5a 9c              pushfd
804dcc5b e900fdffff      jmp     nt!SwapContext+0x1e (804dc960)
804dcc60 b902000000      mov     ecx,2


@infuscomus

 

This happens with the PDB because I renamed the hal and ntoskrnl for debugging.

I get no more information, the same as above.

It seems that it is not a problem of acpi.sys, because I do not see any output for acpi.sys in Windbg.

I notice that the ntoskrnl you sent me is ntkrnlmp.exe and not ntkrpamp.exe.

Dietmar

 


@infuscomus

With ntkrpamp the BSOD happens VERY early and can't be caught by normal Windbg.

Dietmar

 

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\com1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Sat Dec 18 15:10:41.875 2021 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: C:\symbols;C:\symbolss
Executable search path is: C:\Symbols
Windows XP Kernel Version 2600 MP (1 procs) Free x86 compatible
Built by: 2600.xpsp_sp3_qfe.180912-0606
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
8052b724 cc              int     3
kd> lm
start    end        module name
804d7000 806e5000   nt         (pdb symbols)          c:\symbols\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80709f80   HAL3       (deferred)             
ba319000 ba332b80   Mup        (deferred)             
ba333000 ba35f980   NDIS       (deferred)             
ba360000 ba3ec600   Ntfs       (deferred)             
ba3ed000 ba403880   KSecDD     (deferred)             
ba404000 ba415f00   sr         (deferred)             
ba416000 ba435b00   fltMgr     (deferred)             
ba436000 ba6eb000   iaStor     (deferred)             
ba6eb000 ba710a00   dmio       (deferred)             
ba711000 ba72fd80   ftdisk     (deferred)             
ba730000 ba740a80   pci        (deferred)             
ba741000 ba763f00   ntoskrn8   (deferred)             
ba764000 ba7a7000   ACPI       (deferred)             
ba8a8000 ba8b1300   isapnp     (deferred)             
ba8b8000 ba8c2580   MountMgr   (deferred)             
ba8c8000 ba8d5200   VolSnap    (deferred)             
ba8d8000 ba8e0e00   disk       (deferred)             
ba8e8000 ba8f4180   CLASSPNP   (deferred)             
bab28000 bab2cd00   PartMgr    (deferred)             
bacb8000 bacbb000   BOOTVID    (deferred)             
bada8000 bada9b80   kdcom      (deferred)             
badaa000 badab100   WMILIB     (deferred)             
badac000 badad700   dmload     (deferred)             
kd> t
nt!RtlpBreakWithStatusInstruction+0x1:
8052b725 c20400          ret     4
kd> t
nt!KeUpdateSystemTime+0x175:
80545275 ebb3            jmp     nt!KeUpdateSystemTime+0x12a (8054522a)
kd> t
nt!KeUpdateSystemTime+0x12a:
8054522a 833d1440558000  cmp     dword ptr [nt!KiTickOffset (80554014)],0
kd> t
nt!KeUpdateSystemTime+0x131:
80545231 7f1f            jg      nt!KeUpdateSystemTime+0x152 (80545252)
kd> t
nt!KeUpdateSystemTime+0x133:
80545233 a10c405580      mov     eax,dword ptr [nt!KeMaximumIncrement (8055400c)]
kd> t
nt!KeUpdateSystemTime+0x138:
80545238 010514405580    add     dword ptr [nt!KiTickOffset (80554014)],eax
kd> t
nt!KeUpdateSystemTime+0x13e:
8054523e ff3424          push    dword ptr [esp]
kd> t
nt!KeUpdateSystemTime+0x141:
80545241 e846000000      call    nt!KeUpdateRunTime (8054528c)
kd> t
nt!KeUpdateRunTime:
8054528c 64a11c000000    mov     eax,dword ptr fs:[0000001Ch]
kd> t
nt!KeUpdateRunTime+0x6:
80545292 53              push    ebx
kd> t
nt!KeUpdateRunTime+0x7:
80545293 ff80c4050000    inc     dword ptr [eax+5C4h]
kd> t
nt!KeUpdateRunTime+0xd:
80545299 8b9824010000    mov     ebx,dword ptr [eax+124h]
kd> t
nt!KeUpdateRunTime+0x13:
8054529f 8b4b44          mov     ecx,dword ptr [ebx+44h]
kd> t
nt!KeUpdateRunTime+0x16:
805452a2 f7457000000200  test    dword ptr [ebp+70h],20000h
kd> t
nt!KeUpdateRunTime+0x1d:
805452a9 7541            jne     nt!KeUpdateRunTime+0x60 (805452ec)
kd> t
nt!KeUpdateRunTime+0x1f:
805452ab f6456c01        test    byte ptr [ebp+6Ch],1
kd> t
nt!KeUpdateRunTime+0x23:
805452af 753b            jne     nt!KeUpdateRunTime+0x60 (805452ec)
kd> t
nt!KeUpdateRunTime+0x25:
805452b1 ba00000000      mov     edx,0
kd> t
nt!KeUpdateRunTime+0x2a:
805452b6 ff80c8050000    inc     dword ptr [eax+5C8h]
kd> t
nt!KeUpdateRunTime+0x30:
805452bc 807c240802      cmp     byte ptr [esp+8],2
kd> t
nt!KeUpdateRunTime+0x35:
805452c1 721d            jb      nt!KeUpdateRunTime+0x54 (805452e0)
kd> t
nt!KeUpdateRunTime+0x54:
805452e0 ff8344010000    inc     dword ptr [ebx+144h]
kd> t
nt!KeUpdateRunTime+0x5a:
805452e6 f0ff4138        lock inc dword ptr [ecx+38h]
kd> t
nt!KeUpdateRunTime+0x5e:
805452ea eb18            jmp     nt!KeUpdateRunTime+0x78 (80545304)
kd> t
nt!KeUpdateRunTime+0x78:
80545304 833d78c7558000  cmp     dword ptr [nt!KiTimeUpdateNotifyRoutine (8055c778)],0
kd> t
nt!KeUpdateRunTime+0x7f:
8054530b 7413            je      nt!KeUpdateRunTime+0x94 (80545320)
kd> t
nt!KeUpdateRunTime+0x94:
80545320 8b888c090000    mov     ecx,dword ptr [eax+98Ch]
kd> t
nt!KeUpdateRunTime+0x9a:
80545326 8b909c090000    mov     edx,dword ptr [eax+99Ch]
kd> t
nt!KeUpdateRunTime+0xa0:
8054532c 89889c090000    mov     dword ptr [eax+99Ch],ecx
kd> t
nt!KeUpdateRunTime+0xa6:
80545332 2bca            sub     ecx,edx
kd> t
nt!KeUpdateRunTime+0xa8:
80545334 0388a0090000    add     ecx,dword ptr [eax+9A0h]
kd> t
nt!KeUpdateRunTime+0xae:
8054533a d1e9            shr     ecx,1
kd> t
nt!KeUpdateRunTime+0xb0:
8054533c 8988a0090000    mov     dword ptr [eax+9A0h],ecx
kd> t
nt!KeUpdateRunTime+0xb6:
80545342 83b89009000000  cmp     dword ptr [eax+990h],0
kd> t
nt!KeUpdateRunTime+0xbd:
80545349 744e            je      nt!KeUpdateRunTime+0x10d (80545399)
kd> t
nt!KeUpdateRunTime+0x10d:
80545399 ff88dc050000    dec     dword ptr [eax+5DCh]
kd> t
nt!KeUpdateRunTime+0x113:
8054539f 7523            jne     nt!KeUpdateRunTime+0x138 (805453c4)
kd> t
nt!KeUpdateRunTime+0x138:
805453c4 806b6f03        sub     byte ptr [ebx+6Fh],3
kd> t
nt!KeUpdateRunTime+0x13c:
805453c8 7f19            jg      nt!KeUpdateRunTime+0x157 (805453e3)
kd> t
nt!KeUpdateRunTime+0x157:
805453e3 5b              pop     ebx
kd> t
nt!KeUpdateRunTime+0x158:
805453e4 c20400          ret     4
kd> t
nt!KeUpdateSystemTime+0x146:
80545246 fa              cli
kd> t
nt!KeUpdateSystemTime+0x147:
80545247 ff1594804d80    call    dword ptr [nt!_imp__HalEndSystemInterrupt (804d8094)]
kd> t
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for HAL3.DLL -
HAL3!HalEndSystemInterrupt:
806e8414 33c9            xor     ecx,ecx
kd> t
HAL3!HalEndSystemInterrupt+0x2:
806e8416 8a4c2404        mov     cl,byte ptr [esp+4]
kd> t
HAL3!HalEndSystemInterrupt+0x6:
806e841a 8a8914796e80    mov     cl,byte ptr HAL3!HalRequestIpi+0x4c0 (806e7914)[ecx]
kd> t
HAL3!HalEndSystemInterrupt+0xc:
806e8420 c705b000feff00000000 mov dword ptr ds:[0FFFE00B0h],0
kd> t
HAL3!HalEndSystemInterrupt+0x16:
806e842a 80f941          cmp     cl,41h
kd> t
HAL3!HalEndSystemInterrupt+0x19:
806e842d 720f            jb      HAL3!HalEndSystemInterrupt+0x2a (806e843e)
kd> t
HAL3!HalEndSystemInterrupt+0x2a:
806e843e 64803d9600000000 cmp     byte ptr fs:[96h],0
kd> t
HAL3!HalEndSystemInterrupt+0x32:
806e8446 64c6059500000000 mov     byte ptr fs:[95h],0
kd> t
HAL3!HalEndSystemInterrupt+0x3a:
806e844e 74df            je      HAL3!HalEndSystemInterrupt+0x1b (806e842f)
kd> t
HAL3!HalEndSystemInterrupt+0x1b:
806e842f 890d8000feff    mov     dword ptr ds:[0FFFE0080h],ecx
kd> t
HAL3!HalEndSystemInterrupt+0x21:
806e8435 8b158000feff    mov     edx,dword ptr ds:[0FFFE0080h]
kd> t
HAL3!HalEndSystemInterrupt+0x27:
806e843b c20800          ret     8
kd> t
nt!KeUpdateSystemTime+0x14d:
8054524d e94aceffff      jmp     nt!KiExceptionExit (8054209c)
kd> t
nt!KiExceptionExit:
8054209c fa              cli
kd> t
nt!Kei386EoiHelper+0x1:
8054209d f7457000000200  test    dword ptr [ebp+70h],20000h
kd> t
nt!Kei386EoiHelper+0x8:
805420a4 7506            jne     nt!Kei386EoiHelper+0x10 (805420ac)
kd> t
nt!Kei386EoiHelper+0xa:
805420a6 f6456c01        test    byte ptr [ebp+6Ch],1
kd> t
nt!Kei386EoiHelper+0xe:
805420aa 7434            je      nt!Kei386EoiHelper+0x44 (805420e0)
kd> t
nt!Kei386EoiHelper+0x44:
805420e0 8b54244c        mov     edx,dword ptr [esp+4Ch]
kd> t
nt!Kei386EoiHelper+0x48:
805420e4 648b1d50000000  mov     ebx,dword ptr fs:[50h]
kd> t
nt!Kei386EoiHelper+0x4f:
805420eb 64891500000000  mov     dword ptr fs:[0],edx
kd> t
nt!Kei386EoiHelper+0x56:
805420f2 f7c3ff000000    test    ebx,0FFh
kd> t
nt!Kei386EoiHelper+0x5c:
805420f8 754e            jne     nt!Kei386EoiHelper+0xac (80542148)
kd> t
nt!Kei386EoiHelper+0x5e:
805420fa f744247000000200 test    dword ptr [esp+70h],20000h
kd> t
nt!Kei386EoiHelper+0x66:
80542102 0f85c0000000    jne     nt!Kei386EoiHelper+0x12c (805421c8)
kd> t
nt!Kei386EoiHelper+0x6c:
80542108 66f744246cf9ff  test    word ptr [esp+6Ch],0FFF9h
kd> t
nt!Kei386EoiHelper+0x73:
8054210f 7477            je      nt!Kei386EoiHelper+0xec (80542188)
kd> t
nt!Kei386EoiHelper+0x75:
80542111 8b54243c        mov     edx,dword ptr [esp+3Ch]
kd> t
nt!Kei386EoiHelper+0x79:
80542115 8b4c2440        mov     ecx,dword ptr [esp+40h]
kd> t
nt!Kei386EoiHelper+0x7d:
80542119 8b442444        mov     eax,dword ptr [esp+44h]
kd> t
nt!Kei386EoiHelper+0x81:
8054211d 66837d6c08      cmp     word ptr [ebp+6Ch],8
kd> t
nt!Kei386EoiHelper+0x86:
80542122 740c            je      nt!Kei386EoiHelper+0x94 (80542130)
kd> t
nt!Kei386EoiHelper+0x94:
80542130 8d6554          lea     esp,[ebp+54h]
kd> t
nt!Kei386EoiHelper+0x97:
80542133 5f              pop     edi
kd> t
nt!Kei386EoiHelper+0x98:
80542134 5e              pop     esi
kd> t
nt!Kei386EoiHelper+0x99:
80542135 5b              pop     ebx
kd> t
nt!Kei386EoiHelper+0x9a:
80542136 5d              pop     ebp
kd> t
nt!Kei386EoiHelper+0x9b:
80542137 66817c24088000  cmp     word ptr [esp+8],80h
kd> t
nt!Kei386EoiHelper+0xa2:
8054213e 0f87a0000000    ja      nt!Kei386EoiHelper+0x148 (805421e4)
kd> t
nt!Kei386EoiHelper+0xa8:
80542144 83c404          add     esp,4
kd> t
nt!Kei386EoiHelper+0xab:
80542147 cf              iretd
kd> t
Illegal instruction - code c000001d (!!! second chance !!!)
nt!KeUpdateRunTime+0x59:
805452e5 ff              ???
kd> t

 


@infuscomus

With bootvid.dll from XP SP3 and XP SP1, same BSOD.

Dietmar

 

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\com1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Sat Dec 18 15:28:32.140 2021 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: C:\symbols;C:\symbolss
Executable search path is: C:\Symbols
Windows XP Kernel Version 2600 MP (1 procs) Free x86 compatible
Built by: 2600.xpsp_sp3_qfe.180912-0606
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
8052b724 cc              int     3
kd> bp 805452e5
kd> g

*** Fatal System Error: 0x0000000a
                       (0x55FAF8EC,0x0000001C,0x00000001,0x805452E0)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Sat Dec 18 15:28:46.968 2021 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
.......................
Loading User Symbols

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {55faf8ec, 1c, 1, 805452e0}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for halmacpi.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for BOOTVID.dll -
Probably caused by : BOOTVID.dll ( BOOTVID!VidInitialize+106 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc              int     3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 55faf8ec, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805452e0, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  55faf8ec

CURRENT_IRQL:  1c

FAULTING_IP:
nt!KeUpdateRunTime+54
805452e0 ff8344010000    inc     dword ptr [ebx+144h]

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  System

TRAP_FRAME:  bacc369c -- (.trap 0xffffffffbacc369c)
ErrCode = 00000002
eax=ffdff000 ebx=89faf7a8 ecx=89fafb98 edx=00000000 esi=00000000 edi=0002625a
eip=805452e0 esp=bacc3710 ebp=bacc3724 iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
nt!KeUpdateRunTime+0x54:
805452e0 ff8344010000    inc     dword ptr [ebx+144h] ds:0023:89faf8ec=00000000
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f8e95 to 8052b724

STACK_TEXT:  
bacc3250 804f8e95 00000003 bacc35ac 00000000 nt!RtlpBreakWithStatusInstruction
bacc329c 804f9a80 00000003 55faf8ec 805452e0 nt!KiBugCheckDebugBreak+0x19
bacc367c 8054483c 0000000a 55faf8ec 0000001c nt!KeBugCheck2+0x574
bacc367c 805452e0 0000000a 55faf8ec 0000001c nt!KiTrap0E+0x180
bacc3710 80545246 ba2fd000 ba2fd000 000000d1 nt!KeUpdateRunTime+0x54
bacc3710 806e79a3 ba2fd000 ba2fd000 000000d1 nt!KeUpdateSystemTime+0x146
WARNING: Stack unwind information not available. Following frames may be wrong.
bacc37fc bacb893a 800860b8 00000001 80084000 hal!KfLowerIrql+0x17
bacc3820 80697a7a 80698701 00000000 80698701 BOOTVID!VidInitialize+0x106
bacc3834 806989d7 80084000 00000013 00000000 nt!InbvDriverInitialize+0x6c
bacc3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xcb
bacc3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
BOOTVID!VidInitialize+106
bacb893a 680099cbba      push    offset BOOTVID!VidBitBlt+0x12a (bacb9900)

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  BOOTVID!VidInitialize+106

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: BOOTVID

IMAGE_NAME:  BOOTVID.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  3b7d8345

FAILURE_BUCKET_ID:  0xA_BOOTVID!VidInitialize+106

BUCKET_ID:  0xA_BOOTVID!VidInitialize+106

Followup: MachineOwner
---------

kd> lm
start    end        module name
804d7000 806e5000   nt         (pdb symbols)          c:\symbols\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80709f80   hal        (export symbols)       halmacpi.dll
ba319000 ba332b80   Mup        (deferred)             
ba333000 ba35f980   NDIS       (deferred)             
ba360000 ba3ec600   Ntfs       (deferred)             
ba3ed000 ba403880   KSecDD     (deferred)             
ba404000 ba415f00   sr         (deferred)             
ba416000 ba435b00   fltMgr     (deferred)             
ba436000 ba6eb000   iaStor     (deferred)             
ba6eb000 ba710a00   dmio       (deferred)             
ba711000 ba72fd80   ftdisk     (deferred)             
ba730000 ba740a80   pci        (deferred)             
ba741000 ba763f00   ntoskrn8   (deferred)             
ba764000 ba7a7000   ACPI       (deferred)             
ba8a8000 ba8b1300   isapnp     (deferred)             
ba8b8000 ba8c2580   MountMgr   (deferred)             
ba8c8000 ba8d5200   VolSnap    (deferred)             
ba8d8000 ba8e0e00   disk       (deferred)             
ba8e8000 ba8f4180   CLASSPNP   (deferred)             
bab28000 bab2cd00   PartMgr    (deferred)             
bacb8000 bacbb000   BOOTVID    (export symbols)       BOOTVID.dll
bada8000 bada9b80   kdcom      (deferred)             
badaa000 badab100   WMILIB     (deferred)             
badac000 badad700   dmload     (deferred)             

 
