Search code examples
windowsdebuggingantivirusbsod

Windows Palo Alto Cortex XDR BSOD with Bug Check 0x139

The Windows antivirus Cortex XDR Agent version 8.1.1 is active on my dev machine. While running some snapshots of specified processes using CreateToolhelp32Snapshot, suddenly Cortex popped up a message saying Malicious tampering threat detected followed by a BSOD

bsod

After a few hours of debugging, here's the minimal reproduction

// HeapTest.c - Release x64 build with Visual C++ 2022 
// BSOD with Bug Check 0x139 in Cortex XDR

#include <windows.h>
#include <tlhelp32.h>

int main()
{
    CreateToolhelp32Snapshot(TH32CS_SNAPHEAPLIST, 8456);
}

where process ID 8456 is for cytray.exe.

xdr

Windows created a minidmp in %SystemRoot%\Minidump and opening it with the Windbg debugger shows

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\090223-14718-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 22621 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xfffff807`72600000 PsLoadedModuleList = 0xfffff807`732130e0
Debug session time: Sat Sep  2 19:35:12.743 2023 (UTC - 4:00)
System Uptime: 0 days 5:06:37.745
Loading Kernel Symbols
...............................................................
................................................................
................................................................
....................................................
Loading User Symbols
Loading unloaded module list
...................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {a, 0, 0, fffff80772a2dfc0}

Probably caused by : Unknown_Image ( PAGE_NOT_ZERO )

Followup: MachineOwner
---------

 *** Memory manager detected 178688 instance(s) of page corruption, target is likely to have memory corruption.



6: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (139)
Unknown bugcheck description
Arguments:
Arg1: 000000000000000a
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: fffff80772a2dfc0

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x139

PROCESS_NAME:  HeapTest.exe

CURRENT_IRQL:  0

BAD_PAGES_DETECTED: 2ba00

LAST_CONTROL_TRANSFER:  from fffff80772a3bf8e to fffff80772a31250

STACK_TEXT:  
ffffa20c`050b6988 fffff807`72a3bf8e : 00000000`00000139 00000000`0000000a 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffa20c`050b6990 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!guard_icall_bugcheck+0x1e


STACK_COMMAND:  kb

SYMBOL_NAME:  PAGE_NOT_ZERO

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

BUCKET_ID:  PAGE_NOT_ZERO

Followup: MachineOwner
---------

 *** Memory manager detected 178688 instance(s) of page corruption, target is likely to have memory corruption.

Based upon the prevention information from Cortex

OS version: 10.0.22621
Component: Anti Tampering Protection
Cortex XDR code: C04000AC
Prevention description: Malicious tampering threat detected
Verdict: 0
Quarantined: False
Post-Detected: False
Rule name: anti_tampering.8

it's mostly likely a bug in one of the following Cortex XDR Drivers

C:\Program Files\Palo Alto Networks\Traps\cyverak.sys
C:\Program Files\Palo Alto Networks\Traps\cyvrmtgn.sys
C:\Program Files\Palo Alto Networks\Traps\cyvrfsfd.sys
C:\Program Files\Palo Alto Networks\Traps\tedrdrv.sys
C:\Program Files\Palo Alto Networks\Traps\tdevflt.sys
C:\Program Files\Palo Alto Networks\Traps\tedrpers-<version>.sys
C:\Windows\System32\drivers\telam.sys

Question

Out of curiosity, is there a way to identify the name of the buggy sys driver?

Solution

  • Out of curiosity, is there a way to identify the name of the buggy sys driver?

    No reasonable way without the source code for the drivers. Memory corruption is something that happened before the crash. And it's a debugging exercise that really would require the driver developer to figure out.