2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000039, A shadow stack violation has occurred due to mismatched return addresses
on the call stack vs the shadow stack.
Arg2: ffff9f85d630cbd0, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff9f85d630cb28, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for aow_drv_x64_ev.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2109
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 3965
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 0
Key : Analysis.IO.Write.Mb
Value: 0
Key : Analysis.Init.CPU.mSec
Value: 374
Key : Analysis.Init.Elapsed.mSec
Value: 5320
Key : Analysis.Memory.CommitPeak.Mb
Value: 87
Key : Bugcheck.Code.DumpHeader
Value: 0x139
Key : Bugcheck.Code.Register
Value: 0x139
Key : Dump.Attributes.AsUlong
Value: 1808
Key : Dump.Attributes.DiagDataWrittenToHeader
Value: 1
Key : Dump.Attributes.ErrorCode
Value: 0
Key : Dump.Attributes.KernelGeneratedTriageDump
Value: 1
Key : Dump.Attributes.LastLine
Value: Dump completed successfully.
Key : Dump.Attributes.ProgressPercentage
Value: 0
Key : FailFast.Name
Value: CONTROL_INVALID_RETURN_ADDRESS
Key : FailFast.Type
Value: 57
FILE_IN_CAB: 050123-17890-01.dmp
TAG_NOT_DEFINED_202b: *** Unknown TAG in analysis list 202b
DUMP_FILE_ATTRIBUTES: 0x1808
Kernel Generated Triage Dump
BUGCHECK_CODE: 139
BUGCHECK_P1: 39
BUGCHECK_P2: ffff9f85d630cbd0
BUGCHECK_P3: ffff9f85d630cb28
BUGCHECK_P4: 0
TRAP_FRAME: ffff9f85d630cbd0 -- (.trap 0xffff9f85d630cbd0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffd5889d182301 rbx=0000000000000000 rcx=fffff8015b30a821
rdx=ffffd5889d111b40 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8015b30a61e rsp=ffff9f85d630cd68 rbp=ffff9f85d630d049
r8=0000000000000002 r9=fffff8015b2a85e8 r10=fffff801421748f0
r11=ffff9f85d630ce90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
aow_drv_x64_ev+0x11a61e:
fffff801`5b30a61e ?? ???
Resetting default scope
EXCEPTION_RECORD: ffff9f85d630cb28 -- (.exr 0xffff9f85d630cb28)
ExceptionAddress: fffff8015b30a61e (aow_drv_x64_ev+0x000000000011a61e)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 2
Parameter[0]: 0000000000000039
Parameter[1]: ffff9c805c9c9fb8
Subcode: 0x39 FAST_FAIL_CONTROL_INVALID_RETURN_ADDRESS Shadow stack violation
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000409 - Sistem, bu uygulamada yığın tabanlı bir arabelleğin taştığını algıladı. Bu taşma, kötü niyetli bir kullanıcının bu uygulamanın denetimini ele geçirmesine olanak verebilir.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000039
EXCEPTION_PARAMETER2: ffff9c805c9c9fb8
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffff9f85`d630c8a8 fffff801`42240fa9 : 00000000`00000139 00000000`00000039 ffff9f85`d630cbd0 ffff9f85`d630cb28 : nt!KeBugCheckEx
ffff9f85`d630c8b0 fffff801`42241532 : ffffd588`783e2040 ffffd588`7efd8270 ffffd588`7efd6000 ffffd588`783e20c0 : nt!KiBugCheckDispatch+0x69
ffff9f85`d630c9f0 fffff801`4223ec7d : 00000000`00000000 00000000`00000000 ffff9f85`d630cd70 fffff801`42043005 : nt!KiFastFailDispatch+0xb2
ffff9f85`d630cbd0 fffff801`5b30a61e : fffff801`5b30a821 ffffd588`9d111b40 00000000`00000000 fffff801`5b2ce158 : nt!KiControlProtectionFault+0x3bd
ffff9f85`d630cd68 fffff801`5b30a821 : ffffd588`9d111b40 00000000`00000000 fffff801`5b2ce158 00000000`00000001 : aow_drv_x64_ev+0x11a61e
ffff9f85`d630cd70 ffffd588`9d111b40 : 00000000`00000000 fffff801`5b2ce158 00000000`00000001 00000000`00000000 : aow_drv_x64_ev+0x11a821
ffff9f85`d630cd78 00000000`00000000 : fffff801`5b2ce158 00000000`00000001 00000000`00000000 fffff801`421748f0 : 0xffffd588`9d111b40
SYMBOL_NAME: aow_drv_x64_ev+11a61e
MODULE_NAME: aow_drv_x64_ev
IMAGE_NAME: aow_drv_x64_ev.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 11a61e
FAILURE_BUCKET_ID: 0x139_39_aow_drv_x64_ev!unknown_function
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {61e2ba5d-4348-2745-601c-44cdfef2e55e}
Followup: MachineOwner
---------
2: kd> lmvm aow_drv_x64_ev
Browse full module list
start end module name
fffff801`5b1f0000 fffff801`5b34a000 aow_drv_x64_ev T (no symbols)
Loaded symbol image file: aow_drv_x64_ev.sys
Image path: aow_drv_x64_ev.sys
Image name: aow_drv_x64_ev.sys
Browse all global symbols functions data
Timestamp: Tue Oct 11 09:19:30 2022 (63450AF2)
CheckSum: 0015FA66
ImageSize: 0015A000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
2: kd> !sysinfo machineid
Machine ID Information [From Smbios 3.3, DMIVersion 0, Size=3339]
BiosMajorRelease = 7
BiosMinorRelease = 4
FirmwareMajorRelease = 7
FirmwareMinorRelease = 6
BiosVendor = INSYDE Corp.
BiosVersion = 1.07.04TFB1
BiosReleaseDate = 07/01/2021
SystemManufacturer = MONSTER
SystemProductName = TULPAR T7 V24.1
SystemFamily = Not Applicable
SystemVersion = Not Applicable
SystemSKU = Not Applicable
BaseBoardManufacturer = MONSTER
BaseBoardProduct = TULPAR T7 V24.1
BaseBoardVersion = Not Applicable