windows, crash, windbg

Unable to find functions for BSOD in windows


On a Linux system, there is a kernel_panic function responsible for the OS crash. Supposing there is a similar function in Windows 10, I want to locate its symbol.

I want my analysis tool to be able to catch a system crash in the image by locating its memory location. I'm trying to target the function with the same functionality in Windows through debugging. For example, there are some very common BSODs like IRQL_NOT_LESS_EQUAL and PAGE_FAULT_IN_NONPAGED_AREA. Errors in tcpip.sys can cause these crashes.

I want to track the function by reviewing the call stack after manually triggering a system crash. Since I'm in kernel mode, I'm unable to use the .call command in WinDbg. As the output below shows, the page-related problem is probably in the nt kernel. Thus, I tried to replace RIP's value with the functions' addresses. None of them worked. Based on my intention and approach, what might be the problem?

1: kd> x *!*page*fault*
fffff800`3e96ea44 nt!MiResolvePageFileFault (void)
fffff800`3e9268d0 nt!MiInitializePageFaultPacket (void)
fffff800`3e92e57c nt!PfSnLogPageFaultCommon (void)
fffff800`3eb35434 nt!EtwpCoverageSamplerPageFault (EtwpCoverageSamplerPageFault)
fffff800`3e8733b4 nt!PfSnLogPageFault (PfSnLogPageFault)
fffff800`3e865ab0 nt!xHalIommuServicePageFault (xHalIommuServicePageFault)
fffff800`3e9e0880 nt!KiPageFault (KiPageFault)
fffff800`3eb4c800 nt!KiPageFaultShadow (KiPageFaultShadow)
fffff800`3eb2dbf4 nt!EtwTracePageFault (EtwTracePageFault)
fffff800`3eb3c000 nt!ExpSvmServicePageFault (ExpSvmServicePageFault)
fffff800`3ead9bf8 nt!MiLargePageFault (MiLargePageFault)
fffff800`3f2cd9c0 hal!IvtGetPageFault (IvtGetPageFault)
fffff800`3f2d0070 hal!HsaDismissPageFault (HsaDismissPageFault)
fffff800`3f2c9940 hal!IommupHvDismissPageFault (IommupHvDismissPageFault)
fffff800`3f2ccfe0 hal!IvtDismissPageFault (IvtDismissPageFault)
fffff800`3f2d0a60 hal!HsaGetPageFault (HsaGetPageFault)
fffff800`3f31bf80 hal!HalpBlkPageFault (HalpBlkPageFault)
fffff800`3f2c9a80 hal!IommupHvGetPageFault (IommupHvGetPageFault)
fffff802`42434fb8 Wof!g_PagesFaultedOnAgain = <no type information>
fffff802`4446916c dxgmms2!VIDMM_GLOBAL::PageInFaultedAllocation (void)
fffff802`4449b5ec dxgmms2!VIDMM_GLOBAL::PageInFromFaultedList (public: long __cdecl VIDMM_GLOBAL::PageInFromFaultedList(class VIDMM_DEVICE *))



1: kd> x *!*irql*less*
fffff802`41daf7ec acpiex!PlExtpVerifyIrqlLessThanOrEqual (PlExtpVerifyIrqlLessThanOrEqual)

1: kd> db tcpip!TCPIP_MEMORY_FAILURES   --->    a constant unfortunately
fffff802`42a0d900  55 04 00 10 02 00 55 04-80 00 00 00 80 00 00 80  U.....U.........
fffff802`42a0d910  92 05 00 10 05 00 89 05-00 00 00 00 01 00 00 80  ................

Solution

  • After careful examination, I have found the function. Like Luke and blabb said, the target functions are KeBugCheck/KeBugCheckEx.

    First, run cmd as Administrator. Second, kill the kernel process manually in the terminal. The system will then crash and generate a minidump.

    1: kd> p
    nt!PspCatchCriticalBreak+0x94:
    fffff806`73ea4c74 84db            test    bl,bl
    1: kd> g
    Critical process 0xFFFFB38F4D8CA080 (svchost.exe) exited
    Break, or Ignore (bi)? bi
    

    The call stack looks something like this. .crash won't work and will only trigger the crash function for the debugger.

    nt!KeBugCheckEx
    nt!PspCatchCriticalBreak+0x10e
    nt!PspTerminateAllThreads+0x15b987
    nt!PspTerminateProcess+0xe0
    nt!NtTerminateProcess+0x9c
    nt!KiSystemServiceCopyEnd+0x28
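
The WinDbg session below is an added example, not part of the answer above, showing how to make the debugger stop in nt!KeBugCheckEx and print the bug check code and parameters before the crash proceeds, so you do not have to reconstruct them from the minidump afterwards. It assumes a kernel debugging session on an x64 target with kernel symbols loaded; on x64, KeBugCheckEx(BugCheckCode, P1, P2, P3, P4) receives the first four arguments in rcx, rdx, r8 and r9 and the fifth on the stack at rsp+0x28 at function entry (0x20 bytes of shadow space plus the return address). The breakpoint command string, the use of svchost.exe as the critical process to terminate and the specific output are assumptions for illustration; the crash command is destructive and must only be run on the test VM.

```windbg
0: kd> x nt!KeBugCheck*
fffff806`73c1a2e0 nt!KeBugCheckEx (KeBugCheckEx)
fffff806`73c1a2c0 nt!KeBugCheck (KeBugCheck)
... other nt!KeBugCheck* symbols elided ...

0: kd> bp nt!KeBugCheckEx "r rcx,rdx,r8,r9; dq @rsp+0x28 L1; k; .echo --- KeBugCheckEx reached ---"
0: kd> g

(on the target, from an elevated cmd.exe; assumed, destructive)
C:\> taskkill /F /IM svchost.exe

(back in the debugger, the breakpoint fires before the system halts)
Breakpoint 0 hit
rcx=00000000000000ef rdx=ffffb38f4d8ca080 r8=0000000000000000 r9=0000000000000000
ffffb38f`4e9b7ee8  00000000`00000000
 # Child-SP          RetAddr           Call Site
00 ffffb38f`4e9b7ec8 fffff806`73ea4cee nt!KeBugCheckEx
01 ffffb38f`4e9b7ed0 fffff806`73ffa3a7 nt!PspCatchCriticalBreak+0x10e
... remaining frames elided ...
--- KeBugCheckEx reached ---

0: kd> !process @rdx 0
PROCESS ffffb38f4d8ca080
    Image: svchost.exe
```

Two things worth checking at this point: first, rcx holds the bug check code, and 0xEF is CRITICAL_PROCESS_DIED, which is what terminating a critical process produces, while an IRQL_NOT_LESS_OR_EQUAL crash would show 0xA and a PAGE_FAULT_IN_NONPAGED_AREA crash 0x50 (with the faulting address in rdx); second, because nt!KeBugCheck forwards to nt!KeBugCheckEx, a single breakpoint on the Ex variant also catches callers of the short form. If you instead want the address for an analysis tool that scans the memory image, the value to record is the start of nt!KeBugCheckEx as shown by `x nt!KeBugCheckEx` (or `ln` on an address in the frame), not an address somewhere in the KiPageFault handler: the page fault handler is where the fault is detected, but the bug check function is the one common point every BSOD passes through. After the target has actually crashed, `.bugcheck` and `!analyze -v` report the same code and parameters from the dump.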