CZUR Scanner, the Windows client software developed by our company, has a blue screen of death when running on a user's computer with Webroot SecureAnywhere installed, and the user sent the system dmp file. After analyzing it with the WinDbg tool, I found that the crash was caused by an internal exception in Webroot.
Please help me analyze whether there are irregularities in our client software that would cause Webroot to run abnormally.
~Removed Link to software and SN please contact Webroot support and give it to them!~
4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000000, A stack-based buffer has been overrun.
Arg2: ffff9485cfa36510, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff9485cfa36468, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4109
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 32216
Key : Analysis.Init.CPU.mSec
Value: 1140
Key : Analysis.Init.Elapsed.mSec
Value: 856377
Key : Analysis.Memory.CommitPeak.Mb
Value: 88
Key : Bugcheck.Code.DumpHeader
Value: 0x139
Key : Bugcheck.Code.KiBugCheckData
Value: 0x139
Key : Bugcheck.Code.Register
Value: 0x139
Key : FailFast.Name
Value: STACK_BUFFER_OVERRUN
Key : FailFast.Type
Value: 0
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
FILE_IN_CAB: MEMORY.DMP
BUGCHECK_CODE: 139
BUGCHECK_P1: 0
BUGCHECK_P2: ffff9485cfa36510
BUGCHECK_P3: ffff9485cfa36468
BUGCHECK_P4: 0
TRAP_FRAME: ffff9485cfa36510 -- (.trap 0xffff9485cfa36510)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8075c0621d0 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8075c0621d2 rsp=ffff9485cfa366a8 rbp=ffff9485cfa36749
r8=ffff9485cfa36770 r9=0000000000000002 r10=0000000000000002
r11=ffffae0c8b65c5b6 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
WRCore_x64+0x21d2:
fffff807`5c0621d2 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffff9485cfa36468 -- (.exr 0xffff9485cfa36468)
ExceptionAddress: fffff8075c0621d2 (WRCore_x64+0x00000000000021d2)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000000
Subcode: 0 FAST_FAIL_LEGACY_GS_VIOLATION
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: CZUR Scanner.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffff9485`cfa361e8 fffff807`43a0a569 : 00000000`00000139 00000000`00000000 ffff9485`cfa36510 ffff9485`cfa36468 : nt!KeBugCheckEx
ffff9485`cfa361f0 fffff807`43a0a990 : 00000000`00000001 ffffd083`a039f690 ffffd083`a039f690 fffff807`4388b19d : nt!KiBugCheckDispatch+0x69
ffff9485`cfa36330 fffff807`43a08d23 : ffffd083`75fa1dd0 fffff807`482aaa0d ffff9485`cfa36500 ffffae0c`00000000 : nt!KiFastFailDispatch+0xd0
ffff9485`cfa36510 fffff807`5c0621d2 : fffff807`5c07f599 00000003`00000001 00000000`00000002 ffffae0c`8b65b5d0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff9485`cfa366a8 fffff807`5c07f599 : 00000003`00000001 00000000`00000002 ffffae0c`8b65b5d0 00000000`00000fea : WRCore_x64+0x21d2
ffff9485`cfa366b0 fffff807`5c07f258 : ffff9485`00000e02 ffff9485`cfa36ba0 00000000`00000000 ffffd083`a039f690 : WRCore_x64+0x1f599
ffff9485`cfa366f0 fffff807`5c080df0 : ffff9485`cfa36cc0 00000000`00000000 ffff9485`cfa36ba0 ffffd083`a039f690 : WRCore_x64+0x1f258
ffff9485`cfa367b0 fffff807`5c081bf4 : 00000000`000045aa ffff9485`cfa36bf0 ffffd083`a039f690 00000000`00000000 : WRCore_x64+0x20df0
ffff9485`cfa36af0 fffff807`5c066cfb : ffffae0c`9f886d40 ffffd083`75d47050 00000000`00000000 ffffd083`9d4186f0 : WRCore_x64+0x21bf4
ffff9485`cfa36c40 fffff807`5c06684b : ffffd083`75d47001 ffffd083`a039f601 00000000`00000000 ffffae0c`9f886d40 : WRCore_x64+0x6cfb
ffff9485`cfa36cb0 fffff807`5c06bb05 : ffffae0c`9f886d40 ffff9485`cfa36db0 ffffd083`a039f690 ffffd083`9b7828a0 : WRCore_x64+0x684b
ffff9485`cfa36d00 fffff807`5c0688bb : ffff9485`cfa37050 ffff9485`cfa36e50 ffff9485`cfa37078 ffff9485`cfa36e50 : WRCore_x64+0xbb05
ffff9485`cfa36d50 fffff807`5c0671f8 : ffffd083`99ddfb08 ffff9485`cfa37078 ffff9485`cfa37050 ffff9485`cfa37000 : WRCore_x64+0x88bb
ffff9485`cfa36fb0 fffff807`4124648c : ffffd083`99ddfa20 ffff9485`cfa37099 ffffd083`99ddfb08 ffffd083`75d47310 : WRCore_x64+0x71f8
ffff9485`cfa36fe0 fffff807`41242804 : 00000000`00000000 00000000`000000ff ffff9485`cfa37200 ffff9485`00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
ffff9485`cfa37100 fffff807`438c0ea7 : ffff9485`cfa38000 ffffd083`a2d82a20 ffff9485`cfa31000 fffff807`43825f97 : FLTMGR!FltpPreFsFilterOperation+0x184
ffff9485`cfa371b0 fffff807`43c63f71 : fffff807`41248e70 00000000`00000001 ffffd083`a039f690 fffff807`41242680 : nt!FsFilterPerformCallbacks+0xe7
ffff9485`cfa37220 fffff807`43c63bdf : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!FsRtlAcquireFileExclusiveCommon+0x121
ffff9485`cfa37510 fffff807`43c64433 : 00000000`00000000 00000000`00000002 00000000`00000001 ffff9485`cfa378c8 : nt!FsRtlAcquireToCreateMappedSection+0x5b
ffff9485`cfa37590 fffff807`43c64dad : ffffd083`00000000 ffffd083`00000000 ffffd083`a039f690 ffffd083`a2d08080 : nt!MiCallCreateSectionFilters+0x37
ffff9485`cfa375d0 fffff807`43c64594 : 00000000`00000000 00000000`00000000 ffffd083`a039f690 00000000`00000000 : nt!MiCreateImageOrDataSection+0x13d
ffff9485`cfa376c0 fffff807`43c642d7 : 00000000`01000000 ffff9485`cfa37a80 00000000`00000001 00000000`00000010 : nt!MiCreateSection+0xf4
ffff9485`cfa37840 fffff807`43c6405c : 00000000`0144e8d8 00000000`0000000d 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x207
ffff9485`cfa37920 fffff807`43a09fb5 : 00000000`00000000 00000000`00000001 00000000`0177f3ac ffff9485`cfa37a80 : nt!NtCreateSection+0x5c
ffff9485`cfa37990 00007ffc`36f4d884 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`0144e838 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`36f4d884
SYMBOL_NAME: WRCore_x64+21d2
MODULE_NAME: WRCore_x64
IMAGE_NAME: WRCore.x64.sys
IMAGE_VERSION: 1.4.0.54
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 21d2
FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_WRCore_x64!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {edcaf37f-67f2-19da-6af1-bb572a732c02}
Followup: MachineOwner
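The question the post asks (which side's code the crash belongs to) can be answered from the report text alone, so here is an added triage helper that is not part of the post and not code from Webroot or CZUR. It re-reads a `!analyze -v` report in the layout shown above: it pulls the key fields, parses each STACK_TEXT frame into module and symbol, finds the first non-kernel module under the fast-fail dispatch frames (the module whose /GS cookie check fired), and records what handed control to that module and which system call started the path. The sample report is copied from the dump output above with the Key/Value timing block left out.

```python
# Added example: triage helper for a WinDbg `!analyze -v` report. Not the post's,
# Webroot's or CZUR's code; it only re-reads the text WinDbg printed.
import re
from collections import Counter

# Key fields and the full STACK_TEXT copied from the report in the post
# (the Key/Value timing block is omitted; the summary does not use it).
SAMPLE_REPORT = """\
BUGCHECK_CODE: 139
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
Subcode: 0 FAST_FAIL_LEGACY_GS_VIOLATION
PROCESS_NAME: CZUR Scanner.exe
STACK_TEXT:
ffff9485`cfa361e8 fffff807`43a0a569 : 00000000`00000139 00000000`00000000 ffff9485`cfa36510 ffff9485`cfa36468 : nt!KeBugCheckEx
ffff9485`cfa361f0 fffff807`43a0a990 : 00000000`00000001 ffffd083`a039f690 ffffd083`a039f690 fffff807`4388b19d : nt!KiBugCheckDispatch+0x69
ffff9485`cfa36330 fffff807`43a08d23 : ffffd083`75fa1dd0 fffff807`482aaa0d ffff9485`cfa36500 ffffae0c`00000000 : nt!KiFastFailDispatch+0xd0
ffff9485`cfa36510 fffff807`5c0621d2 : fffff807`5c07f599 00000003`00000001 00000000`00000002 ffffae0c`8b65b5d0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff9485`cfa366a8 fffff807`5c07f599 : 00000003`00000001 00000000`00000002 ffffae0c`8b65b5d0 00000000`00000fea : WRCore_x64+0x21d2
ffff9485`cfa366b0 fffff807`5c07f258 : ffff9485`00000e02 ffff9485`cfa36ba0 00000000`00000000 ffffd083`a039f690 : WRCore_x64+0x1f599
ffff9485`cfa366f0 fffff807`5c080df0 : ffff9485`cfa36cc0 00000000`00000000 ffff9485`cfa36ba0 ffffd083`a039f690 : WRCore_x64+0x1f258
ffff9485`cfa367b0 fffff807`5c081bf4 : 00000000`000045aa ffff9485`cfa36bf0 ffffd083`a039f690 00000000`00000000 : WRCore_x64+0x20df0
ffff9485`cfa36af0 fffff807`5c066cfb : ffffae0c`9f886d40 ffffd083`75d47050 00000000`00000000 ffffd083`9d4186f0 : WRCore_x64+0x21bf4
ffff9485`cfa36c40 fffff807`5c06684b : ffffd083`75d47001 ffffd083`a039f601 00000000`00000000 ffffae0c`9f886d40 : WRCore_x64+0x6cfb
ffff9485`cfa36cb0 fffff807`5c06bb05 : ffffae0c`9f886d40 ffff9485`cfa36db0 ffffd083`a039f690 ffffd083`9b7828a0 : WRCore_x64+0x684b
ffff9485`cfa36d00 fffff807`5c0688bb : ffff9485`cfa37050 ffff9485`cfa36e50 ffff9485`cfa37078 ffff9485`cfa36e50 : WRCore_x64+0xbb05
ffff9485`cfa36d50 fffff807`5c0671f8 : ffffd083`99ddfb08 ffff9485`cfa37078 ffff9485`cfa37050 ffff9485`cfa37000 : WRCore_x64+0x88bb
ffff9485`cfa36fb0 fffff807`4124648c : ffffd083`99ddfa20 ffff9485`cfa37099 ffffd083`99ddfb08 ffffd083`75d47310 : WRCore_x64+0x71f8
ffff9485`cfa36fe0 fffff807`41242804 : 00000000`00000000 00000000`000000ff ffff9485`cfa37200 ffff9485`00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
ffff9485`cfa37100 fffff807`438c0ea7 : ffff9485`cfa38000 ffffd083`a2d82a20 ffff9485`cfa31000 fffff807`43825f97 : FLTMGR!FltpPreFsFilterOperation+0x184
ffff9485`cfa371b0 fffff807`43c63f71 : fffff807`41248e70 00000000`00000001 ffffd083`a039f690 fffff807`41242680 : nt!FsFilterPerformCallbacks+0xe7
ffff9485`cfa37220 fffff807`43c63bdf : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!FsRtlAcquireFileExclusiveCommon+0x121
ffff9485`cfa37510 fffff807`43c64433 : 00000000`00000000 00000000`00000002 00000000`00000001 ffff9485`cfa378c8 : nt!FsRtlAcquireToCreateMappedSection+0x5b
ffff9485`cfa37590 fffff807`43c64dad : ffffd083`00000000 ffffd083`00000000 ffffd083`a039f690 ffffd083`a2d08080 : nt!MiCallCreateSectionFilters+0x37
ffff9485`cfa375d0 fffff807`43c64594 : 00000000`00000000 00000000`00000000 ffffd083`a039f690 00000000`00000000 : nt!MiCreateImageOrDataSection+0x13d
ffff9485`cfa376c0 fffff807`43c642d7 : 00000000`01000000 ffff9485`cfa37a80 00000000`00000001 00000000`00000010 : nt!MiCreateSection+0xf4
ffff9485`cfa37840 fffff807`43c6405c : 00000000`0144e8d8 00000000`0000000d 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x207
ffff9485`cfa37920 fffff807`43a09fb5 : 00000000`00000000 00000000`00000001 00000000`0177f3ac ffff9485`cfa37a80 : nt!NtCreateSection+0x5c
ffff9485`cfa37990 00007ffc`36f4d884 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`0144e838 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`36f4d884
IMAGE_NAME: WRCore.x64.sys
IMAGE_VERSION: 1.4.0.54
FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_WRCore_x64!unknown_function
"""

HEX16 = r"[0-9a-f]{8}`[0-9a-f]{8}"
# Frame layout: "<child-sp> <ret-addr> : <arg1> <arg2> <arg3> <arg4> : <symbol>"
FRAME_RE = re.compile(
    rf"^(?P<sp>{HEX16}) (?P<ret>{HEX16}) : (?:{HEX16} ){{4}}: (?P<symbol>\S+)$", re.M)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*): (.+)$", re.M)

def module_of(symbol: str) -> str:
    """Module part of a WinDbg symbol: nt!Foo+0x12 -> nt, WRCore_x64+0x21d2 -> WRCore_x64."""
    if symbol.startswith("0x"):  # bare address: nothing resolved (here the user-mode return)
        return "<unresolved>"
    return re.split(r"[!+]", symbol, maxsplit=1)[0]

def parse_fields(report: str) -> dict:
    return {key: value for key, value in FIELD_RE.findall(report)}

def parse_stack(report: str) -> list:
    return [{"sp": m["sp"], "symbol": m["symbol"], "module": module_of(m["symbol"])}
            for m in FRAME_RE.finditer(report)]

def summarize(report: str) -> dict:
    fields, frames = parse_fields(report), parse_stack(report)
    # The top frames are the kernel's own bugcheck / fast-fail dispatch; the first
    # non-nt frame below them is the function whose /GS cookie check failed.
    first = next(i for i, f in enumerate(frames) if f["module"] != "nt")
    faulting = frames[first]["module"]
    last = first
    while last + 1 < len(frames) and frames[last + 1]["module"] == faulting:
        last += 1
    caller = frames[last + 1]["symbol"] if last + 1 < len(frames) else None
    syscall = next((f["symbol"] for f in frames if f["symbol"].startswith("nt!Nt")), None)
    return {
        "bugcheck": fields.get("BUGCHECK_CODE"),
        "exception": fields.get("ExceptionCode", "").split(" ", 1)[0],
        "fast_fail": fields.get("Subcode", "").split(" ", 1)[-1],
        "process": fields.get("PROCESS_NAME"),
        "faulting_module": faulting,
        "image": fields.get("IMAGE_NAME"),
        "image_version": fields.get("IMAGE_VERSION"),
        "faulting_frames": last - first + 1,  # consecutive frames inside that module
        "called_from": caller,                # who handed control to the module
        "syscall": syscall,                   # user-mode request that started the path
        "frames_by_module": dict(Counter(f["module"] for f in frames)),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key:>16}: {value}")
```

Run on this dump, the summary shows ten consecutive WRCore_x64 frames directly under nt!KiRaiseSecurityCheckFailure, entered from FLTMGR!FltpPerformPreCallbacksWorker while the kernel was servicing NtCreateSection for CZUR Scanner.exe. In other words the /GS check fired inside the driver's own filter-manager callback; the application's user-mode code can only have triggered that code path (it cannot write to a kernel stack frame), which is why the MISSING_GSFRAME bucket and the dump itself are something the driver vendor has to resolve with their symbols.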