My first DMP analysis taught me a lot, and I am very happy about it!
The BSOD occurred during redirection; the DMP information is as follows:
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 81f72c98, The pool entry we were looking for within the page.
Arg3: 81f72cd8, The next pool entry.
Arg4: 0a080001, (reserved)
Debugging Details:
------------------
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: 81f72c98 Nonpaged pool
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: notepad.exe
LAST_CONTROL_TRANSFER: from 8054c583 to 804faf43
STACK_TEXT:
f66e8a14 8054c583 00000019 00000020 81f72c98 nt!KeBugCheckEx+0x1b
f66e8a64 8058438a 81f72ca0 00000000 823bde18 nt!ExFreePoolWithTag+0x2a3
f66e8b4c 805c0450 823bde30 00000000 820850d8 nt!IopParseDevice+0xba2
f66e8bc4 805bc9dc 00000000 f66e8c04 00000040 nt!ObpLookupObjectName+0x53c
f66e8c6 80577033 00000000 00000000 6e8c8401 nt!ObOpenObjectByName+0xea
f66e8c94 805779aa 0007d2d4 80100080 0007d274 nt!IopCreateFile+0x407
f66e8cf0 8057a0b4 0007d2d4 80100080 0007d274 nt!IoCreateFile+0x8e
f66e8d30 8054262c 0007d2d4 80100080 0007d274 nt!NtCreateFile+0x30
f66e8d30 7c92e4f4 0007d2d4 80100080 0007d274 nt!KiFastCallEntry+0xfc
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExFreePoolWithTag+2a3
8054c583 8b45f8          mov     eax,dword ptr [ebp-8]
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd9
SYMBOL_NAME: nt!ExFreePoolWithTag+2a3
FAILURE_BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2a3
BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2a3
Followup: MachineOwner
The call stack at the time of the crash shows that the NtCreateFile routine ran into a problem during the call. The error surfaces while ExFreePoolWithTag is executing; KeBugCheckEx is simply the bugcheck the kernel performs to paint the blue screen. An ExFreePoolWithTag failure is relatively easy to interpret: most cases are caused by writing past the end of a buffer, which corrupts the header of the neighbouring pool block.
So I thought of the buffer allocated for the redirection path. Microsoft's RtlCopyUnicodeString is very standard: after copying the string buffer, it appends a Unicode '\0' terminator after the last character. If the buffer I requested is exactly the length of the characters, the '\0' spills past the end of the buffer and overwrites the neighbouring buffer, and a BSOD can then occur in ExFreePoolWithTag.
Therefore, when allocating the buffer, its length must include room for the terminator, that is, Length + one Unicode '\0' (Length + sizeof(WCHAR)).
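To make the sizing rule concrete, here is an added user-mode model (not code from the original post): it re-implements RtlCopyUnicodeString with its documented semantics, copying min(Length, MaximumLength) bytes and writing UNICODE_NULL only when MaximumLength leaves room, so the overrun appears when the allocation is Length bytes but the UNICODE_STRING descriptor advertises room for the terminator. The path, the malloc "pool" and the canary word standing in for the next block's header are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR;                       /* Windows WCHAR is 16-bit; host wchar_t may not be */
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#define UNICODE_NULL ((WCHAR)0)
#define CANARY 0xA5A5u                        /* stands in for the next pool block's header */

/* Model of RtlCopyUnicodeString: copy min(src->Length, dst->MaximumLength) bytes,
 * then write UNICODE_NULL only when MaximumLength leaves room for it. */
static void ModelRtlCopyUnicodeString(UNICODE_STRING *dst, const UNICODE_STRING *src)
{
    uint16_t n = src->Length;
    if (n > dst->MaximumLength) n = dst->MaximumLength;
    memcpy(dst->Buffer, src->Buffer, n);
    dst->Length = n;
    if (dst->Length < dst->MaximumLength)
        dst->Buffer[n / sizeof(WCHAR)] = UNICODE_NULL;
}

/* Constructed sample path: characters only, no terminator, like a Length-sized source. */
static const WCHAR kPath[] = { '\\', '?', '?', '\\', 'C', ':', '\\', 'r', 'e', 'd', 'i', 'r' };
static const UNICODE_STRING kSrc = { sizeof kPath, sizeof kPath, (WCHAR *)kPath };

/* Allocate alloc_bytes for the destination, advertise max_len as MaximumLength,
 * copy kSrc into it and inspect the word just past the allocation.
 * Returns 1 if the canary survived (no overrun), 0 if it was overwritten. */
int copy_with_sizing(uint16_t alloc_bytes, uint16_t max_len)
{
    uint16_t *block = malloc(alloc_bytes + sizeof(uint16_t));
    if (!block) return -1;
    block[alloc_bytes / sizeof(uint16_t)] = CANARY;
    UNICODE_STRING dst = { 0, max_len, (WCHAR *)block };
    ModelRtlCopyUnicodeString(&dst, &kSrc);
    int intact = block[alloc_bytes / sizeof(uint16_t)] == CANARY;
    free(block);
    return intact;
}

/* The bug from the post: buffer sized for the characters only, while the descriptor
 * claims room for the terminator, so UNICODE_NULL lands on the neighbouring block. */
int bad_sizing(void)  { return copy_with_sizing(kSrc.Length, kSrc.Length + sizeof(WCHAR)); }

/* The fix from the post: Length + one WCHAR for the terminator; allocation and
 * MaximumLength agree, so the terminator stays inside the buffer. */
int good_sizing(void) { return copy_with_sizing(kSrc.Length + sizeof(WCHAR), kSrc.Length + sizeof(WCHAR)); }
```

With MaximumLength equal to both Length and the allocation, nothing is overrun but no terminator is written either, which matters if the buffer is later treated as a NUL-terminated string.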