// Bugcheck 0x139 (KERNEL_SECURITY_CHECK_FAILURE); first parameter 3 means a LIST_ENTRY was found corrupted (a double remove from a doubly-linked list — the kernel's analogue of a double free, not a double free of pool as such):
2: kd> .bugcheck
Bugcheck code 00000139
Arguments 00000000`00000003 ffffd000`22031310 ffffd000`22031268 00000000`00000000
// Check the trap and stack:
2: kd> .trap 0xffffd00022031310
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0004c9904e0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe0004adf64e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8010b0e4acd rsp=ffffd000220314a0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000002 r10=ffffe0004c4052f0
r11=ffffe0004c990010 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
ndis!ndisNsiGetInterfaceInformation+0x21b8d:
fffff801`0b0e4acd cd29 int 29h
// The stack shows where the fail-fast fired (int 29h in ndis!ndisNsiGetInterfaceInformation), reached from a user-mode DeviceIoControl request through nsiproxy and NETIO. This is where the corruption was detected, not necessarily where it was caused:
2: kd> kn
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP RetAddr Call Site
00 ffffd000`220314a0 fffff801`0ae0e572 ndis!ndisNsiGetInterfaceInformation+0x21b8d
01 ffffd000`22031550 fffff801`0c168a25 NETIO!NsiGetParameterEx+0x222
02 ffffd000`220316b0 fffff801`0c168be3 nsiproxy!NsippGetParameter+0x195
03 ffffd000`22031840 fffff801`74ea577f nsiproxy!NsippDispatch+0x53
04 ffffd000`22031880 fffff801`74ea4d22 nt!IopXxxControlFile+0xa4f
05 ffffd000`22031a20 fffff801`74bdc4b3 nt!NtDeviceIoControlFile+0x56
06 ffffd000`22031a90 00007ffd`879c123a nt!KiSystemServiceCopyEnd+0x13
07 000000dd`7654e728 00000000`00000000 0x00007ffd`879c123a
// The Microsoft modules on that path, nsiproxy and NETIO, are current 2014 builds (6.3.9600.17415 / .17485), so the in-box code is the least likely culprit:
2: kd> lmvm nsiproxy
start end module name
fffff801`0c167000 fffff801`0c175000 nsiproxy (pdb symbols) C:\ProgramData\dbg\sym\nsiproxy.pdb\F642975D546440B4BA54F2A89C017E9B1\nsiproxy.pdb
Loaded symbol image file: nsiproxy.sys
Mapped memory image file: C:\ProgramData\dbg\sym\nsiproxy.sys\545054EBe000\nsiproxy.sys
Image path: nsiproxy.sys
Image name: nsiproxy.sys
Timestamp: Tue Oct 28 19:46:03 2014 (545054EB)
CheckSum: 000147DD
ImageSize: 0000E000
File version: 6.3.9600.17415
Product version: 6.3.9600.17415
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.6 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: nsiproxy.sys
OriginalFilename: nsiproxy.sys
ProductVersion: 6.3.9600.17415
FileVersion: 6.3.9600.17415 (winblue_r4.141028-1500)
FileDescription: NSI Proxy
LegalCopyright: © Microsoft Corporation. All rights reserved.
2: kd> lmvm NETIO
start end module name
fffff801`0ae00000 fffff801`0ae78000 NETIO (pdb symbols) C:\ProgramData\dbg\sym\netio.pdb\873BD5E25CFD43A2A47494662C917A872\netio.pdb
Loaded symbol image file: NETIO.SYS
Mapped memory image file: C:\ProgramData\dbg\sym\NETIO.SYS\546029C578000\NETIO.SYS
Image path: NETIO.SYS
Image name: NETIO.SYS
Timestamp: Sun Nov 09 18:58:13 2014 (546029C5)
CheckSum: 00076D9B
ImageSize: 00078000
File version: 6.3.9600.17485
Product version: 6.3.9600.17485
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.6 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: netio.sys
OriginalFilename: netio.sys
ProductVersion: 6.3.9600.17485
FileVersion: 6.3.9600.17485 (winblue_r5.141109-1500)
FileDescription: Network I/O Subsystem
LegalCopyright: © Microsoft Corporation. All rights reserved.
// The most likely explanation at this point in the stack is that a third-party driver on the NDIS path has corrupted the LIST_ENTRY (e.g. by a pool overrun or a double remove). Note that the text !error prints for 0xC0000409 is the legacy STATUS_STACK_BUFFER_OVERRUN description; that status is reused for every __fastfail, so it does not by itself indicate a stack-based buffer overrun here — the fail-fast subcode (3) is what identifies the list corruption:
2: kd> !error 0xc0000409
Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
// The exception record confirms it: code 0xC0000409 with a single parameter of 3 (corrupted LIST_ENTRY), raised at the same ndis address:
2: kd> .exr ffffd00022031268
ExceptionAddress: fffff8010b0e4acd (ndis!ndisNsiGetInterfaceInformation+0x0000000000021b8d)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
// The Atheros NIC miniport driver (L1C60x64.sys) is older, a May 2013 build with no symbols:
2: kd> lmvm L1C60x64
start end module name
fffff801`0ce00000 fffff801`0ce20000 L1C60x64 T (no symbols)
Loaded symbol image file: L1C60x64.sys
Image path: L1C60x64.sys
Image name: L1C60x64.sys
Timestamp: Wed May 29 00:16:33 2013 (51A5AB51)
CheckSum: 0002CD6A
ImageSize: 00020000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
// The Intel Wi-Fi driver (NETwew00.sys, February 2014 build) is older as well:
2: kd> lmvm NETwew00
start end module name
fffff801`0d4a0000 fffff801`0d7e7000 NETwew00 T (no symbols)
Loaded symbol image file: NETwew00.sys
Image path: NETwew00.sys
Image name: NETwew00.sys
Timestamp: Tue Feb 25 05:04:56 2014 (530C94F8)
CheckSum: 0033F502
ImageSize: 00347000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
// Virtual networking from VMware Workstation or Player is also loaded (vmci, vsock, vmnetbridge, vmnetuserif):
2: kd> lmvm vmci; lmvm vsock; lmvm vmnetbridge; lmvm vmnetuserif
start end module name
fffff801`0a8f1000 fffff801`0a90a000 vmci T (no symbols)
Loaded symbol image file: vmci.sys
Image path: vmci.sys
Image name: vmci.sys
Timestamp: Fri May 17 18:19:18 2013 (5196D716)
CheckSum: 0001AA2D
ImageSize: 00019000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
start end module name
fffff801`0a90a000 fffff801`0a921000 vsock T (no symbols)
Loaded symbol image file: vsock.sys
Image path: vsock.sys
Image name: vsock.sys
Timestamp: Sun Jun 29 17:37:03 2014 (53B0B12F)
CheckSum: 0001CD66
ImageSize: 00017000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
start end module name
fffff801`0d928000 fffff801`0d939000 vmnetbridge T (no symbols)
Loaded symbol image file: vmnetbridge.sys
Image path: vmnetbridge.sys
Image name: vmnetbridge.sys
Timestamp: Sun Jul 27 06:30:32 2014 (53D4FEF8)
CheckSum: 00011919
ImageSize: 00011000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
start end module name
fffff801`0e574000 fffff801`0e57e000 vmnetuserif T (no symbols)
Loaded symbol image file: vmnetuserif.sys
Image path: vmnetuserif.sys
Image name: vmnetuserif.sys
Timestamp: Thu Nov 20 16:59:48 2014 (546E8E84)
CheckSum: 00015392
ImageSize: 0000A000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
// And the Avira network filter driver (avnetflt.sys) sits in the network stack too. Any of these third-party NDIS components is a candidate for the list corruption; update or remove them one at a time, or run Driver Verifier against them, to narrow it down:
2: kd> lmvm avnetflt
start end module name
fffff801`0e1ec000 fffff801`0e1fa000 avnetflt T (no symbols)
Loaded symbol image file: avnetflt.sys
Image path: avnetflt.sys
Image name: avnetflt.sys
Timestamp: Thu Nov 20 09:54:02 2014 (546E2ABA)
CheckSum: 00011251
ImageSize: 0000E000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4