Code:
BugCheck 1000008E, {c0000006, 82c47e93, a329b9b8, 0}
Probably caused by : kl1.sys ( kl1+e4935 )
This bugcheck indicates an exception happened in Kernel Mode, which the exception handler wasn't able to handle.
Code:
kd> lmvm kl1
start end module name
88c15000 89137000 kl1 T (no symbols)
Loaded symbol image file: kl1.sys
Image path: \SystemRoot\system32\DRIVERS\kl1.sys
Image name: kl1.sys
Timestamp: Fri Mar 04 09:17:22 2011 (4D70AE22)
CheckSum: 00026AFA
ImageSize: 00522000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Your Kaspersky Unified Driver seems to be causing problems; please find an updated version of the program, or remove the program with the Kaspersky Removal Tool.
Code:
kd> !error c0000006
Error code: (NTSTATUS) 0xc0000006 (3221225478) - The instruction at 0x%p referenced memory at 0x%p. The required data was not placed into memory because of an I/O error status of 0x%x.
Using the first parameter and the !error extension, we can see that an instruction or driver routine was called to page some form of required data into physical memory; however, this wasn't achieved due to an I/O problem.
Code:
kd> knL
# ChildEBP RetAddr
00 a329ba34 88cf9935 nt!memcpy+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
01 a329baa8 88cfda4f kl1+0xe4935
02 a329bb00 88cfd4b2 kl1+0xe8a4f
03 a329bb24 88c1773e kl1+0xe84b2
04 a329bb78 82c45c29 kl1+0x273e
05 a329bb90 82e39bf9 nt!IofCallDriver+0x63
06 a329bbb0 82e3cde2 nt!IopSynchronousServiceTail+0x1f8
07 a329bc4c 82e83764 nt!IopXxxControlFile+0x6aa
08 a329bc80 8da4c25e nt!NtDeviceIoControlFile+0x2a <<< User Mode only?
09 a329bd04 82c4c8ba klif+0x3425e
0a a329bd04 774c7094 nt!KiFastCallEntry+0x12a
0b 13f0f234 00000000 0x774c7094
nt!memcpy is a C function used to move data between two memory buffers. This is where the crash occurred.
Code:
.trap 0xffffffffa329b9b8
ErrCode = 00000000
eax=1b6a8f58 ebx=003c8f58 ecx=000463d6 edx=00000000 esi=1b590000 edi=87672000
eip=82c47e93 esp=a329ba2c ebp=a329ba34 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!memcpy+0x33:
82c47e93 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
The exception code for the trap frame indicates a divide by 0 error, which is commonly related to device driver problems.
The es:edi register is used to point to the destination register, or destination operand. The esi register contains the source operand. The movs instruction is used to move strings, and is prefixed with rep, which is named the Repeat String Operation Prefix.
After the operation, since the DF flag has been set to 0, the ESI and EDI should be incremented by 1. The repeating operation stops when the ecx register is 0. This instruction can also be suspended by an exception, like in this case.
nt!IopXxxControlFile is used to send a control code request to a file object, to perform a certain operation.
nt!IofCallDriver is used to send an IRP to a driver of a device object.
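
An added example, not part of the original post: because the debugger warns that frames after nt!memcpy may be wrong, this Python sketch cross-checks each kl1 frame in the knL output against the module range reported by lmvm. The function names are hypothetical; the debugger lines are copied from the output above.

```python
import re

# Debugger output copied from the post (lmvm module range and knL frames).
LMVM = "88c15000 89137000 kl1 T (no symbols)"
KNL = """\
 # ChildEBP RetAddr
00 a329ba34 88cf9935 nt!memcpy+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
01 a329baa8 88cfda4f kl1+0xe4935
02 a329bb00 88cfd4b2 kl1+0xe8a4f
03 a329bb24 88c1773e kl1+0xe84b2
04 a329bb78 82c45c29 kl1+0x273e
05 a329bb90 82e39bf9 nt!IofCallDriver+0x63
"""
FRAME = re.compile(r"^([0-9a-f]{2}) [0-9a-f]{8} ([0-9a-f]{8}) (\S+)", re.M)

def parse_module(line):
    """Return (name, start, end) from an lmvm range line."""
    start, end, name = line.split()[:3]
    return name, int(start, 16), int(end, 16)

def parse_frames(text):
    """Return [(frame_no, return_address, symbol)] from knL output."""
    return [(int(n, 16), int(ret, 16), sym) for n, ret, sym in FRAME.findall(text)]

def first_suspect(frames, core=("nt", "hal")):
    """First frame whose module is not a core OS image (the triage suspect)."""
    for n, _, sym in frames:
        if re.split(r"[!+]", sym)[0] not in core:
            return n, sym
    return None

def check_chain(frames, module):
    """For each frame symbolized as module+offset, confirm that the return
    address stored in the previous frame resolves to that same offset."""
    name, start, end = module
    results = {}
    for (_, ret, _), (n, _, sym) in zip(frames, frames[1:]):
        m = re.fullmatch(re.escape(name) + r"\+0x([0-9a-f]+)", sym)
        if m:
            results[n] = start <= ret < end and ret - start == int(m.group(1), 16)
    return results

if __name__ == "__main__":
    frames = parse_frames(KNL)
    print("suspect:", first_suspect(frames))
    print("kl1 frames consistent:", check_chain(frames, parse_module(LMVM)))
```

Every kl1 frame resolves inside the 88c15000-89137000 range at the offset the debugger printed, so the kl1 call chain leading into nt!memcpy is self-consistent despite the unwind warning.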