Analysis of blue screen problems caused by China Mobile website controls

On Thursday (March February 23), I received a strange blue-screen case from my colleague. According to his recollection, he did not install any software or drivers recently, nor did he change the hardware configuration of the computer, in addition to automatic updates on the Windows background, he cannot remember any additional changes to the computer. But suddenly, from the evening of Wednesday on the 23rd of the previous day, his computer began to have a blue screen. After the restart, there would be a blue screen before entering the system, or a blue screen after the system was used. Therefore, he suspected that it was caused by a hardware (such as memory) failure or a Windows Update problem.

 

As mentioned above, sudden hardware faults such as loose memory may lead to blue screens, but blue screens are rare due to patch defects pushed by Windows Update, we should generally follow the principle of trusting Microsoft's components by default.

 

It is understood that his blue screen generally has several random error codes. After querying the Debugging Help, the explanation is as follows:

Blue Screen code (Bug Check)	Key Parameter)	Description
PFN_LIST_CORRUPT (0x4E)		This is typically caused by a driver passing a bad memory descriptor list. For example, the driver might have called MmUnlockPages twice with the same list. Stack trace examination is needed.
MEMORY_MANAGEMENT (0x1A)	P1: 0x41287	Internal memory management structures are already upted. To further investigate the cause, a kernel memory dump file is needed.
NTFS_FILE_SYSTEM (0x24)		One possible cause of this bug check is disk ready uption. partition uption in the NTFS file system or bad blocks (sectors) on the hard disk can induce this error. lost upted SCSI and IDE drivers can also adversely affect the system's ability to read and write to disk, thus causing the error.Another possible cause is depletion of nonpaged pool memory. if the nonpaged pool memory is completely depleted, this error can stop the system. however, during the indexing process, if the amount of available nonpaged pool memory is very low, another kernel-mode driver requiring nonpaged pool memory can also trigger this error.
SYSTEM_SERVICE_EXCEPTION (0x3B)		This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over andPassing bad data to the kernel code.
SYSTEM_THREAD_EXCEPTION _ NOT_HANDLED_M (1000007e)		This indicates that a system thread generated an exception which the error handler did not catch.

 

Among the preceding errors, the first two errors occur most frequently. If you encounter the above error on Baidu, you have enough reason to start removing the memory stick and wiping the golden finger. However, I personally think this is definitely not a hardware error. In my opinion, such errors seem to be random, but there should be a common possibility-there is a bad write driver in the system. In this case, we can find that "bad" depletion "" nonpaged pool "appears frequently. In addition, it is worth noting that, the bug check of the 0x24 NTFS file system is often misleading due to disk damage. However, it may be that the non-page feed pool is exhausted, the content I added to the table above.

 

For such random errors, we often cannot find the murderer through the analysis stack. For example, here is an example of Stack:

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041287, The subtype of the bugcheck.
Arg2: 0000000000000030
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

BUGCHECK_STR: 0x1a_41287
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: WmiPrvSE.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff88007e6d6e0 -- (. trap 0xfffff88007e6d6e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.

STACK_TEXT:
Fffff880 '07e6d578 fffff800 '02c62d7e: 00000000 '0000001a 00000000' 00041287 00000000 '00000030 100' 00000000: nt! KeBugCheckEx
Fffff880 '07e6d580 fffff800 '02ccdd6e: 00000000 '2017 00000000' 00000000 00000030 '2017 00000000 'fffffa80: nt! ?? : FNODOBFM: 'string' + 0x46485
Fffff880 '07e6d6e0 fffff800 '02dadbc5: 00000000' 000af94a 00000000 '00000000 ffffffff' ffffffff 00000000' 01464000: nt! KiPageFault + 0x16e
Fffff880 '07e6d870 fffff800 '02dda-b0: fffffa80 '098d5058 fffff6fd '4004c6a8 fffffff800 '02f055c0 fffff880 '07e6db11: nt! MiResolvePageFileFault + 0x1115
Fffff880 '07e6d9b0 fffff800 '02cdea07: 00000000' 00000000 00000000 '01440004 00000000 '0240f3c4 fffff800' 00000000: nt! ?? : FNODOBFM: 'string' + 0x399d4
Fffff880 '07e6dac0 fffff800 '02ccdd6e: 00000000' 00000001 00000000 '01440004 00000000 '023ae701 100' 00000000: nt! MmAccessFault + 0x1e47
Fffff880 '07e6dc20 00000000 '76b87222: 00000000 '2017 00000000' 00000000 00000000 '2017 00000000 '00000000: nt! KiPageFault + 0x16e
00000000 '0240f394 00000000 '00000000: 00000000 '00000000 100' 00000000 00000000 '00000000 100' 00000000:0x76b87222

As you can see, apart from the functions in ntkrnlmp.exe, 0x76b87222 at the beginning cannot be parsed. The dds command cannot parse the specific name.

 

So how can we find the culprit?

In fact, the random blue screen error is enabledSpecial poolIs a good choice. ForSpecial pool)This is not my first introduction. For the debugging method of this magical special memory area, see my earlier article "enable special pool interpretation 0x000000c5 blue screen". or its English version "Enable" Special Pool "to Interpret 0x000000c5 Blue Screen".

 

Start the system in safe mode, start verifier, and configure to enable special pool. of course, in security mode, the driver that may cause problems may not be loaded. Therefore, we 'd better select "select the driver name from a list ", then select "add drivers that are not currently loaded to the list... ", In the pop-up Select File Dialog Box, browse % systemroot % \ system32 \ derivers, then add the file attributes" Copyright "and" Product Name ", and sort them. Select All Program drivers that are not Microsoft, or seemingly unprofessional drivers that do not have digital signatures/copyrights or incomplete product information, and add them to the selected application special pool.

 

 

Note that the settings of the special pool are saved in the registry, specifically in the branch of the Memory Manager:

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ Memory Management

It depends on the DWord ValueVerifyDriverLevelAnd String valueVerifyDriversControl. If you are interested, check out J.

 

After the special pool is enabled, restart the computer and try to repro the system normally. After a while, the login is still blue. This operation directly enters the safe mode and obtains the memory dump file for analysis:

First, we can see that the special Pool takes effect and the memory pool allocation is successful:

4: kd>! Verifier

Verify Level 1... enabled options are:
Special pool

Summary of All Verifier Statistics

RaiseIrqls 0x0
AcquireSpinLocks 0x0
Synch Executions 0x0
Trims 0x0

Pool Allocations Attempted 0x2
Pool Allocations Succeeded 0x2
Pool Allocations Succeeded SpecialPool 0x2
Pool Allocations With no tag 0x0
Pool Allocations Failed 0x0
Resource Allocations Failed Deliberately 0x0

Current paged pool allocations 0x0 for 00000000 bytes
Peak paged pool allocations 0x0 for 00000000 bytes
Current nonpaged pool allocations 0x0 for 00000000 bytes
Peak nonpaged pool allocations 0x0 for 00000000 bytes

 

Then, we can directly see who the problem driver is:

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to upload upt the system has been caught. This is
Because the driver was specified in the registry as being suspect (by
Administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to upload upt the system, bugchecks 0xC4, 0xC1 and 0xA will
Be among the most commonly seen crashes.
Arguments:
Arg1: commandid 000000b2, MmMapLockedPages called on an MDL having incorrect flags.
For example, calling MmMapLockedPages for an MDL
That is already mapped to a system address is incorrect.
Arg2: fffffa800a4e71b0, MDL address.
Arg3: 0000000000000005, MDL flags.
Arg4: 0000000000000005, Incorrect MDL flags.

Debugging Details:
------------------
BUGCHECK_STR: 0xc4_b2
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff8000311f3dc to fffff80002c95c40
STACK_TEXT:
Fffff880 '0300007e8 fffff800 '0311f3dc: 100' 000000c4 00000000' 000000b2 fffffa80 '0a4e71b0 100' 00000000: nt! KeBugCheckEx
Fffff880 '0300007f0 fffff800 '0311ffb3: fffff880 '05926f60 fffff880 '05926f60 fffffa80 '069ce700 fffff800 '0312e09a: nt! VerifierBugCheckIfAppropriate + 0x3c
Fffff880 '03369830 fffff800' 031327bb: fffffa80 '0a4e71b0 fffffa80 '09b69000 fffffa80 '0a4e71b0 fffff880 '05926f60: nt! ViMmMapLockedPagesSanityChecks + 0xa3
Fffff880 '2014 fffff880 '2014: fffffa80 '0a4e72c0 ffffffffffff' 8000069c fffffa80 '0a4e72c0 03369870 '06220009: nt! VerifierMmMapLockedPages + 0x1b
Fffff880 '0300008b0 fffff880 '0624c93a: fffff880 '03369970 fffff880 '05926f60 fffffa80' 00000032 00000000 '0000001c:PassGuard_x64! Distorm_version + 0x6809
Fffff880 '0300008f0 fffff880 '192: fffff880 '05926f60 fffffa80 '192 100' 0000001c fffffffa80 '06768f30:PassGuard_x64! Distorm_version + 0x3313a
Fffff880 '0300008f8 fffff880 '05926f5f: fffffa80 '0000001c fffffa80 '06768f30 100' 00000032: 0xfffff880' 00000000
Fffff880 '2014 fffffa80 '2014: 03369900 '0000001c fffffa80 '06768f30 00000032 '2014: 001c 100' 00000000: usbhub! UsbhSyncSendCommand + 0x327
Fffff880 '0000001c: fffffa80 '06768f30 03369908 '0000001c '0000001c fffff880' 00000000: 0xfffffa80 '00000000
Fffff880 '100 fffffa80 '06768f30: 03369910 '2017 100' 00000000 fffff880 '2017 100' 001e001c: 0x1c
Fffff880 '000000' 03369918: 000000' 00000000 fffff880 '0000001e001c fffff880 '062563f8: 0xfffffa80 '06768f30
Fffff880 '000000' 03369920: fffff880 '0000001e001c fffff880 '062563f8 100' 00000000: 0x00000000

STACK_COMMAND: kb
FOLLOWUP_IP:
PassGuard_x64! Distorm_version more than 6809
Fffff880' 06220009 4889442428 mov qword ptr [rsp + 28 h], rax
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: PassGuard_x64! Distorm_version more than 6809
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: PassGuard_x64
IMAGE_NAME: PassGuard_x64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4e2fb9f4
FAILURE_BUCKET_ID: X64_0xc4_b2_VRF_PassGuard_x64! Distorm_version more than 6809
BUCKET_ID: X64_0xc4_b2_VRF_PassGuard_x64! Distorm_version more than 6809
Followup: MachineOwner
---------

4: kd> lmvm PassGuard_x64
Start end module name
Fffff880 '2014 fffff880 '06218000 PassGuard_x64 (export symbols) PassGuard_x64.sys
Loaded symbol image file: PassGuard_x64.sys
Image path :\?? \ C: \ windows \ system32 \ drivers \ PassGuard_x64.sys
Image name:PassGuard_x64.sys
Timestamp: Wed Jul 27 15:10:44 2011 (4E2FB9F4)
CheckSum: 0004A5F0
ImageSize: 00049000
File version: 1.0.0.6
Product version: 1.0.0.6
File flags: 0 (Mask 17)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0804.04b0
ProductName:SysEnter Application
InternalName: SysEnter
OriginalFilename: SysEnter.exe
ProductVersion: 1, 0, 0, 6
FileVersion: 1, 0, 0, 6
FileDescription: SysEnter Application
LegalCopyright: Copyright (C) 2011

 

Now that we know that the driver called PassGuard_x64.sys is the culprit, we should remove it and start loading. Open Registry Editor in security mode and delete HKEY_LOCAL_MACHINE \ SYSTEM \CurrentControlSet\ ServicesPassGuardThe entire key, of course, you also need to find the same key under ControlSet001/002 to delete. Here, I will display the PassGuard key content by the way:

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services \ PassGuard]
"Type" = dword: 00000001
"Start" = dword: 00000002
"ErrorControl" = dword: 00000001
"ImagePath" = hex (2): 5c, 00, 3f, 00, 3f, 00, 5c, 00, 3a, 00, 5c, 00, 00, 6e, 00 ,\
, 6f, 00, 5c ,\
00, 5c, 00, 5c, 00 ,\
, 00, 2e ,\
, 00, 00
"DisplayName" = "PassGuard"
"WOW64" = dword: 00000001

[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services \ PassGuard \ Enum]
"0" = "Root \ LEGACY_PASSGUARD \ 0000"
"Count" = dword: 00000001
"NextInstance" = dword: 00000001

Delete this key. If there are no other multiple problems, the system will run normally. Before restarting and entering normal mode, remember to delete the special pool configuration in verifier.

 

To further Delete the program or other files associated with the driver (if any), I ask this colleague to recall what this is. So I told him to recall any possible situations, such as changes in the Internet Explorer plug-in, bundling in some programs, and malicious programs. As a result, he remembered that on Wednesday, he went to China Mobile's 10086.cn to recharge his account and installed a security control.

 

Open the IE add-on Manager, select all the add-on, and find this one:

 

 

Fortunately, it is not malware, and you can use the remove button below to delete the associated control file. Well, let's not talk about it much. Let's see how bad the drivers written by China Mobile for 64-bit operating systems are.

 

In this case, we can see not only how to use the special pool and troubleshooting ideas, but also a problem faced by many information service companies, the driver of your own products is outsourced, and the contracted development-driven companies do not have enough experience and specifications to drive writing, or they are put into use without passing tests. The damage is not only caused by customers, it is also the service company's own brand. There are too many such examples. In addition to badly written driver, badly written software, badly written website... The 12306 website of the Ministry of Railways is boring if it is too much. To tell the truth, I am afraid to use the bank card payment machine implemented by China Unicom in the business office. Think about inserting a bank card into a machine developed by China Unicom's outsourcers, and entering a bank card password...