Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\admin\Desktop\Memory.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 18362 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Machine Name:
Kernel base = 0xfffff807`07800000 PsLoadedModuleList = 0xfffff807`07c48190
Debug session time: Tue Mar 9 06:20:29.069 2021 (GMT+8)
System Uptime: 0 days 1:08:02.837
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...............
Loading User Symbols
Loading unloaded module list
......
Cannot read PEB32 from WOW64 TEB32 00013b44 - Win32 error 0n30
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck F7, {ffff8601706dfc60, d31570b1adbd, ffff2cea8f4e5242, 0}
Probably caused by : memory_corruption
Followup: memory_corruption
---------
*** Memory manager detected 80708 instance(s) of page corruption, target is likely to have memory corruption.
14: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: ffff8601706dfc60, Actual security check cookie from the stack
Arg2: 0000d31570b1adbd, Expected security check cookie
Arg3: ffff2cea8f4e5242, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
DEFAULT_BUCKET_ID: CODE_CORRUPTION
SECURITY_COOKIE: Expected 0000d31570b1adbd found ffff8601706dfc60
BUGCHECK_STR: 0xF7
PROCESS_NAME: System
CURRENT_IRQL: 0
BAD_PAGES_DETECTED: 13b44
LAST_CONTROL_TRANSFER: from fffff80707a7c8b5 to fffff807079c23a0
STACK_TEXT:
ffff8601`706dea18 fffff807`07a7c8b5 : 00000000`000000f7 ffff8601`706dfc60 0000d315`70b1adbd ffff2cea`8f4e5242 : nt!KeBugCheckEx
ffff8601`706dea20 fffff807`079a2ca2 : ffff9406`e54cfce0 fffff807`079308f4 00000000`00000000 ffff9406`e82ff1e0 : nt!_report_gsfailure+0x25
ffff8601`706dea60 fffff807`079a2c37 : fffff807`00000000 fffff807`0788d7be ffff9406`e82ff100 fffff807`0793085f : nt!_GSHandlerCheckCommon+0x5a
ffff8601`706dea90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!_GSHandlerCheck+0x13
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff8070784a44f-fffff8070784a450 2 bytes - nt!PoIdle+44f
[ 48 ff:4c 8b ]
fffff8070784a456-fffff8070784a459 4 bytes - nt!PoIdle+456 (+0x07)
[ 0f 1f 44 00:e8 c5 ed a6 ]
fffff8070784a469-fffff8070784a46a 2 bytes - nt!PoIdle+469 (+0x13)
[ 48 ff:4c 8b ]
fffff8070784a470-fffff8070784a473 4 bytes - nt!PoIdle+470 (+0x07)
[ 0f 1f 44 00:e8 bb 63 a8 ]
fffff8070784accf-fffff8070784acd0 2 bytes - nt!PpmIdleExecuteTransition+7bf (+0x85f)
[ 48 ff:4c 8b ]
fffff8070784acd6-fffff8070784acd9 4 bytes - nt!PpmIdleExecuteTransition+7c6 (+0x07)
[ 0f 1f 44 00:e8 95 db a6 ]
18 errors : !nt (fffff8070784a44f-fffff8070784acd9)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: X64_MEMORY_CORRUPTION_LARGE
BUCKET_ID: X64_MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
---------
*** Memory manager detected 80708 instance(s) of page corruption, target is likely to have memory corruption.