"Unknown" faulting modules possibly related to DEP? Not in safe mode though!



#1 Jacob_Dixon (Members, 2 posts)

Posted 24 December 2016 - 12:55 AM

I have an issue with a specific server running Server 2008 R2 with terminal services and a VM running on ESXi that has problems executing certain installers. We are trying to figure out if it could be virus-related. I found out if I reboot to safe mode then I can run some of these executables like vcredist.exe. I tried comparing loaded modules in System Information from running in safe mode and normal mode and disabled all the services so they matched safe mode. We have found that a wide range of installers are unable to run such as QuickBooks, vcredist, and .NET security updates. We did try turning DEP only on for essential services and even setting DEP to AlwaysOff with bcdedit. The errors generate something similar when they crash:

 

Faulting application name: NDP40-KB2600217-x64.exe, version: 10.0.30319.261, time stamp: 0x476b6aa0
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00e1fe44
Faulting process id: 0xdf0
Faulting application start time: 0x01d25d9fa4988b20
Faulting application path: C:\Windows\SoftwareDistribution\Download\Install\NDP40-KB2600217-x64.exe
Faulting module path: unknown
Report Id: 18c3525c-c993-11e6-b5f4-000c2961510b

 

We decided to take some crash dumps of these processes and they seem to have memory exceptions in common: c0000005 (Access violation), (NTSTATUS) 0xc0000096 - {EXCEPTION}  Privileged instruction.

 

I am not very good with windbg, but this is what it is outputting:

DUMP_CLASS: 2
DUMP_QUALIFIER: 400


CONTEXT:  (.ecxr)
eax=271367cc ebx=002507e0 ecx=00000000 edx=0022ac88 esi=002507d8 edi=002507e0
eip=00d9fe56 esp=00edfd20 ebp=00edfd58 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010293
00d9fe56 6d              ins     dword ptr es:[edi],dx es:002b:002507e0=00000000
Resetting default scope


FAULTING_IP: 
+0
00d9fe56 6d              ins     dword ptr es:[edi],dx


EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00d9fe56
   ExceptionCode: c0000096
  ExceptionFlags: 00000000
NumberParameters: 0


PROCESS_NAME:  NDP40-KB2972106-x64.exe
ERROR_CODE: (NTSTATUS) 0xc0000096 - {EXCEPTION}  Privileged instruction.
EXCEPTION_CODE: (NTSTATUS) 0xc0000096 - {EXCEPTION}  Privileged instruction.
EXCEPTION_CODE_STR:  c0000096
BUGCHECK_STR:  STATUS_PRIVILEGED_INSTRUCTION
DEFAULT_BUCKET_ID:  STATUS_PRIVILEGED_INSTRUCTION
WATSON_BKT_PROCSTAMP:  476b6aa0
WATSON_BKT_PROCVER:  10.0.30319.1026
PROCESS_VER_PRODUCT:  Microsoft .NET Framework 4.0
WATSON_BKT_MODULE:  unknown
WATSON_BKT_MODVER:  0.0.0.0
WATSON_BKT_MODOFFSET:  d9fe56
WATSON_BKT_MODSTAMP:  bbbbbbb4
BUILD_VERSION_STRING:  6.1.7601.18409 (win7sp1_gdr.140303-2144)
MODLIST_WITH_TSCHKSUM_HASH:  92c7019316d9b75819cc59802df4e6554b2a89c
MODLIST_SHA1_HASH:  dcaf9178f120f6cc3db8549cd34b70815c61ffc8
NTGOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
PRODUCT_TYPE:  3
SUITE_MASK:  16
DUMP_FLAGS:  8000c07
DUMP_TYPE:  0
ANALYSIS_SESSION_HOST:  DESKTOP-5DU7ER1
ANALYSIS_SESSION_TIME:  12-23-2016 23:47:11.0208
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU
PROBLEM_CLASSES: 
    Tid    [0x0]
    Frame  [0x00]
    String [STATUS_PRIVILEGED_INSTRUCTION]
    Data Bucketing


LAST_CONTROL_TRANSFER:  from 778fc4e7 to 00d9fe56


STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
00edfd58 778fc4e7 ffffffff fffffffe ffffffff 0xd9fe56
00edfd7c 7769189e ffffffff fffffffe ffffffff KERNELBASE!DuplicateHandle+0x69
00edfda0 76aadf1e ffffffff fffffffe ffffffff kernel32!DuplicateHandleImplementation+0xb3
00edfdd4 76aade9b 00edfde0 00000000 00edfdf0 rpcrt4!THREAD::THREAD+0x66
00edfde4 76aa0736 0022aee8 00edfe04 76aafbdf rpcrt4!ThreadSelfHelper+0x28
00edfdf0 76aafbdf 00edfe64 0022aee8 77d827d8 rpcrt4!RpcpSetThreadpoolCallbackInstance+0xb
00edfe04 77da4b33 00edfe64 00000000 0022aee8 rpcrt4!PerformGarbageCollection+0x2c
00edfe28 77da4429 00edfe64 0022af48 773e486f ntdll!TppTimerpExecuteCallback+0x10f
00edff88 7769338a 0022c9b8 00edffd4 77d89f72 ntdll!TppWorkerThread+0x572
00edff94 77d89f72 0022c9b8 773e4833 00000000 kernel32!BaseThreadInitThunk+0xe
00edffd4 77d89f45 77da3e85 0022c9b8 ffffffff ntdll!__RtlUserThreadStart+0x70
00edffec 00000000 77da3e85 0022c9b8 00000000 ntdll!_RtlUserThreadStart+0x1b




THREAD_SHA1_HASH_MOD_FUNC:  df3c934f651350cf1f820dd7f2d6a2071bf070ce
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  7df2ca1142c355eba56ab2cfc50666f8783eb99f
THREAD_SHA1_HASH_MOD:  ca795b238e2fd3678ba3903f459ae4d499ac13f4


FOLLOWUP_IP: 
rpcrt4!THREAD::THREAD+66
76aadf1e 85c0            test    eax,eax


FAULT_INSTR_CODE:  840fc085
SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  rpcrt4!THREAD::THREAD+66
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: rpcrt4
IMAGE_NAME:  rpcrt4.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  51db9710
STACK_COMMAND:  .ecxr ; kb
BUCKET_ID:  STATUS_PRIVILEGED_INSTRUCTION_rpcrt4!THREAD::THREAD+66
PRIMARY_PROBLEM_CLASS:  STATUS_PRIVILEGED_INSTRUCTION_rpcrt4!THREAD::THREAD+66
FAILURE_EXCEPTION_CODE:  c0000096
FAILURE_IMAGE_NAME:  rpcrt4.dll
BUCKET_ID_IMAGE_STR:  rpcrt4.dll
FAILURE_MODULE_NAME:  rpcrt4
BUCKET_ID_MODULE_STR:  rpcrt4
FAILURE_FUNCTION_NAME:  THREAD::THREAD
BUCKET_ID_FUNCTION_STR:  THREAD::THREAD
BUCKET_ID_OFFSET:  66
BUCKET_ID_MODTIMEDATESTAMP:  51db9710
BUCKET_ID_MODCHECKSUM:  adab5
BUCKET_ID_MODVER_STR:  6.1.7601.18205
BUCKET_ID_PREFIX_STR:  STATUS_PRIVILEGED_INSTRUCTION_
FAILURE_PROBLEM_CLASS:  STATUS_PRIVILEGED_INSTRUCTION
FAILURE_SYMBOL_NAME:  rpcrt4.dll!THREAD::THREAD
FAILURE_BUCKET_ID:  STATUS_PRIVILEGED_INSTRUCTION_c0000096_rpcrt4.dll!THREAD::THREAD
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/NDP40-KB2972106-x64.exe/10.0.30319.1026/476b6aa0/unknown/0.0.0.0/bbbbbbb4/c0000096/00d9fe56.htm?Retriage=1
TARGET_TIME:  2016-12-24T04:59:15.000Z
OSBUILD:  7601
OSSERVICEPACK:  18409
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x86
OSNAME:  Windows 7
OSEDITION:  Windows 7 Server (Service Pack 1) TerminalServer
USER_LCID:  0
OSBUILD_TIMESTAMP:  2014-03-04 03:19:01
BUILDDATESTAMP_STR:  140303-2144
BUILDLAB_STR:  win7sp1_gdr
BUILDOSVER_STR:  6.1.7601.18409
ANALYSIS_SESSION_ELAPSED_TIME: 605
ANALYSIS_SOURCE:  UM
FAIURE_ID_HASH_STRING:  um:status_privileged_instruction_c0000096_rpcrt4.dll!thread::thread
FAILURE_ID_HASH:  {3608b864-62d0-b685-101a-b60ecbf06c94}

This is the same issue but with the vcredist.exe file:

*** ERROR: Module load completed but symbols could not be loaded for vcredist_x86.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for wixstdba.dll - 


DUMP_CLASS: 2
DUMP_QUALIFIER: 400


CONTEXT:  (.ecxr)
eax=0034eef4 ebx=00004021 ecx=0034eeec edx=00677570 esi=77d4107c edi=0034eecc
eip=030600b4 esp=0034ee7c ebp=0034eef8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
030600b4 ??              ???
Resetting default scope


FAULTING_IP: 
+0
030600b4 ??              ???


EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 030600b4
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 030600b4
Attempt to read from address 030600b4


DEFAULT_BUCKET_ID:  BAD_INSTRUCTION_PTR
PROCESS_NAME:  vcredist_x86.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  030600b4


FOLLOWUP_IP: 
vcredist_x86+35751
01215751 83f8ff          cmp     eax,0FFFFFFFFh


READ_ADDRESS:  030600b4 
FAILED_INSTRUCTION_ADDRESS: 
+0
030600b4 ??              ???


WATSON_BKT_PROCSTAMP:  535fef1c
WATSON_BKT_PROCVER:  12.0.30501.0
PROCESS_VER_PRODUCT:  Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
WATSON_BKT_MODULE:  unknown
WATSON_BKT_MODVER:  0.0.0.0
WATSON_BKT_MODOFFSET:  30600b4
WATSON_BKT_MODSTAMP:  bbbbbbb4
BUILD_VERSION_STRING:  6.1.7601.18409 (win7sp1_gdr.140303-2144)
MODLIST_WITH_TSCHKSUM_HASH:  eb5955b5bec7748e59c51cf5f83eea29a5fd58cd
MODLIST_SHA1_HASH:  eca2d39d0fb94e21fb639d877bb11a5dbe94a53e
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
PRDUCT_TYPE:  3
SUITE_MASK:  16
DUMP_FLAGS:  8000c07
DUMP_TYPE:  0
ANALYSIS_SESSION_HOST:  DESKTOP-5DU7ER1
ANALYSIS_SESSION_TIME:  12-23-2016 23:45:28.0830
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre


THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU


PROBLEM_CLASSES: 
BAD_INSTRUCTION_PTR
    Tid    [0xa68]
    Frame  [0x00]: unknown!unknown


INVALID_POINTER_READ
    Tid    [0xa68]
    Frame  [0x00]: unknown!unknown


BUGCHECK_STR:  BAD_INSTRUCTION_PTR_INVALID_POINTER_READ


IP_ON_HEAP:  77d4143f
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.


FRAME_ONE_INVALID: 1


LAST_CONTROL_TRANSFER:  from 77d4143f to 030600b4


STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
0034ee78 77d4143f 0034eef4 c0000000 0034eecc 0x30600b4
0034eef8 77d410e1 00100001 77e359c7 00004021 0x77d4143f
0034ef28 7790a6c6 0034efa0 00100001 0034ef54 0x77d410e1
0034f220 7790ac0b 0065ec58 00000000 0034f25c KERNELBASE!FindFirstFileExW+0x1cc
0034f240 01215751 0065ec58 0034f25c 0034f694 KERNELBASE!FindFirstFileW+0x16
0034f4b0 011f4204 0065ec58 00000000 00000000 vcredist_x86+0x35751
0034f4e0 011ee035 0034f99c 0034f694 00000000 vcredist_x86+0x14204
0034f524 011e1317 00000001 00000005 011e180f vcredist_x86+0xe035
0034f568 011e1a67 0034f58c 00000000 00000000 vcredist_x86+0x1317
0034f584 011e1e12 00000000 00000000 00000000 vcredist_x86+0x1a67
0034fbb8 011e1028 011e0000 005f1e22 0000000a vcredist_x86+0x1e12
0034fbd4 01207dcb 011e0000 00000000 005f1e22 vcredist_x86+0x1028
0034fc64 7769338a 7efde000 0034fcb0 77d89f72 vcredist_x86+0x27dcb
0034fc70 77d89f72 7efde000 77d0e385 00000000 kernel32!BaseThreadInitThunk+0xe
0034fcb0 77d89f45 01207e1e 7efde000 ffffffff ntdll!__RtlUserThreadStart+0x70
0034fcc8 00000000 01207e1e 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b




THREAD_SHA1_HASH_MOD_FUNC:  6a0c57037d9de43e7e4e78f408e6604deb4f9539
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  91e16772d38236b44f54b6f4c343b20d09fe385f
THREAD_SHA1_HASH_MOD:  7198235cb27a2d296cdf6112a57a7ffc84cb4e4e
FALT_INSTR_CODE:  74fff883
SYMBOL_STACK_INDEX:  5
SYMBOL_NAME:  vcredist_x86+35751
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: vcredist_x86
IMAGE_NAME:  vcredist_x86.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  535fef1c
STACK_COMMAND:  .ecxr ; kb
FAILURE_BUCKET_ID:  BAD_INSTRUCTION_PTR_c0000005_vcredist_x86.exe!Unknown
BUCKET_ID:  BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_vcredist_x86+35751
PRIMARY_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_vcredist_x86+35751
FAILRE_EXCEPTION_CODE:  c0000005
FAILURE_IMAGE_NAME:  vcredist_x86.exe
BUCKET_ID_IMAGE_STR:  vcredist_x86.exe
FAILURE_MODULE_NAME:  vcredist_x86
BUCKET_ID_MODULE_STR:  vcredist_x86
FAILURE_FUNCTION_NAME:  Unknown
BUCKET_ID_FUNCTION_STR:  Unknown
BUCKET_ID_OFFSET:  35751
BUCKET_ID_MODTIMEDATESTAMP:  535fef1c
BUCKET_ID_MODCHECKSUM:  63f9be
BUCKET_ID_MODVER_STR:  12.0.30501.0
BUCKET_ID_PREFIX_STR:  BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_
FAILURE_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR
FAILURE_SYMBOL_NAME:  vcredist_x86.exe!Unknown
WATON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/vcredist_x86.exe/12.0.30501.0/535fef1c/unknown/0.0.0.0/bbbbbbb4/c0000005/030600b4.htm?Retriage=1
TARGET_TIME:  2016-12-24T03:58:45.000Z
OSBUILD:  7601
OSSERVICEPACK:  18409
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x86
OSNAME:  Windows 7
OSEDITION:  Windows 7 Server (Service Pack 1) TerminalServer
USER_LCID:  0
OSBUILD_TIMESTAMP:  2014-03-04 03:19:01
BUILDDATESTAMP_STR:  140303-2144
BUILDLAB_STR:  win7sp1_gdr
BUILDOSVER_STR:  6.1.7601.18409
ANALSIS_SESSION_ELAPSED_TIME: 1dd6
ANAYSI_SOURCE:  UM
FAILUE_ID_HASH_STRING:  um:bad_instruction_ptr_c0000005_vcredist_x86.exe!unknown
FAILURE_ID_HASH:  {d715ecf7-49f8-0086-7eca-00e2bfa23e0d}
 
 

Edited by Jacob_Dixon, 24 December 2016 - 01:02 AM.



 


#2 Jacob_Dixon (Topic Starter, Members, 2 posts)

Posted 24 December 2016 - 11:14 AM

We ended up finding what it was. It was a DLL file, ftsjapiflt64.dll (looks like a really old version), that was loaded by USB software:

Product Name: Scanner for Remote Desktop (Server) 1.0.4.

Product Version: 1.0.4.0.

Product Language: 1033.

Manufacturer: FabulaTech

 

 

I'm curious what I did wrong with the dump files and why nothing in the dumps led me to this DLL file?
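Added example, not code from this thread or from FabulaTech: a small Python triage of Application event-log "Faulting application" records in the layout quoted in the first post, flagging crashes whose faulting module is "unknown" (the instruction pointer sat outside every loaded image, which is also what the `!analyze` warning "Frame IP not in any known module" reports), plus the normal-boot versus safe-mode loaded-module comparison the poster did by hand. The sample records and module lists below are constructed for the example.

```python
"""Triage of Windows 'Application Error' records plus a loaded-module diff.

Added example (not from the original thread). SAMPLE is constructed in the
same layout as the event text quoted in the thread; the second record and
the module lists are made up for illustration.
"""
import re

# Exception codes seen in the thread. An 'unknown' faulting module with one
# of these means the crash happened in code that belongs to no loaded image.
SUSPECT_CODES = {"0xc0000005": "access violation",
                 "0xc0000096": "privileged instruction"}

FIELD_RE = re.compile(
    r"^(Faulting [^:]+|Exception code|Fault offset|Report Id): (.*)$", re.M)

SAMPLE = """Faulting application name: NDP40-KB2600217-x64.exe, version: 10.0.30319.261, time stamp: 0x476b6aa0
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00e1fe44
Report Id: 18c3525c-c993-11e6-b5f4-000c2961510b
Faulting application name: constructed.exe, version: 0.0.0.1, time stamp: 0x00000001
Faulting module name: ntdll.dll, version: 6.1.7601.18409, time stamp: 0x00000002
Exception code: 0xc0000374
Fault offset: 0x000c3a2b
Report Id: 00000000-0000-0000-0000-000000000001
"""

def parse_records(text):
    """Split an event export into one dict per 'Faulting application name:' block."""
    records = []
    for chunk in re.split(r"\n(?=Faulting application name:)", text.strip()):
        rec = {}
        for key, val in FIELD_RE.findall(chunk):
            # '... name: foo.exe, version: x, time stamp: y' -> keep just foo.exe
            rec[key] = val.split(",")[0].strip() if key.endswith("name") else val.strip()
        if rec:
            records.append(rec)
    return records

def triage(records):
    """Return (app, module, reason) for crashes that merit a loaded-module review."""
    hits = []
    for r in records:
        code = r.get("Exception code", "").lower()
        if r.get("Faulting module name", "").lower() == "unknown" and code in SUSPECT_CODES:
            hits.append((r["Faulting application name"], "unknown",
                         f"{SUSPECT_CODES[code]} outside any loaded module"))
    return hits

def modules_only_in(normal_boot, safe_mode):
    """Modules loaded in the normal-boot process but absent from the safe-mode run."""
    return sorted({m.lower() for m in normal_boot} - {m.lower() for m in safe_mode})
```

Feed `modules_only_in` the `lm` output (or the System Information module list) from a crashing run and from a safe-mode run; what remains is the short list of third-party images to examine first.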





