rafwu / ransomwatch Goto Github PK

In function
<BOOLEAN DeletionTrigger()>
addNumOfDirsProtected(0);>
I think need change it to
addNumOfDirsProtected --> need to change to -->addNumOfFilesProtected

Stop Code: IRQL_LESS_OR_EQUAL when starting Application.exe

I have followed the Steps given by you.
But when I start the server it says'[SC] StartService FAILED 487:
Attempt to access invalid address.'
Please help me to resolve it.

Hi,

I'm very new to driver dev and there is a good chance I miss something obvious.

I'm able to install the minifilter as described in the README. The application launches successfully for a minute or so and then Windows Crash with a IRQL_NOT_LESS_OR_EQUAL BSOD.

I think I understand what it means but I have no idea how to debug it.

Here are the details of the minidump. If you have an idea, I would greatly appreciate it.

0: kd> !analyze -v

•                                                                         *
  

•                    Bugcheck Analysis                                    *
  

•                                                                         *
  

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000001, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff803562aef58, address which referenced memory

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 2

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-U9J03LL

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 2

Key  : Analysis.Memory.CommitPeak.Mb
Value: 101

Key  : Analysis.System
Value: CreateObject

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_CODE: a

BUGCHECK_P1: 1

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff803562aef58

READ_ADDRESS: fffff803567733b8: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8035662a3b8: Unable to get Flags value from nt!KdVersionBlock
fffff8035662a3b8: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
0000000000000001

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

IRP_ADDRESS: ffffffffffffff88

DEVICE_OBJECT: ffff848600000000

TRAP_FRAME: fffffd8b3ed4ee40 -- (.trap 0xfffffd8b3ed4ee40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=fffffd8b3ed4e4a8
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803562aef58 rsp=fffffd8b3ed4efd0 rbp=fffffd8b3ed4f119
r8=0000000000000002 r9=ffff848624402000 r10=fffff80356672b00
r11=ffff84863d5e84e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po cy
nt!IopCompleteRequest+0xbe8:
fffff803562aef58 488b00 mov rax,qword ptr [rax] ds:0000000000000001=????????????????
Resetting default scope

STACK_TEXT:
fffffd8b3ed4ecf8 fffff803563d41e9 : 000000000000000a 0000000000000001 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffffd8b3ed4ed00 fffff803563d0529 : 0000000000000000 0000000000000005 ffff94800caff170 0000000000000000 : nt!KiBugCheckDispatch+0x69
fffffd8b3ed4ee40 fffff803562aef58 : 0000000000000000 fffffd8b3ed4f138 ffff94800caff170 0000000000000000 : nt!KiPageFault+0x469
fffffd8b3ed4efd0 fffff803562a615d : 0000000000000000 0000000000000000 0000000000000100 0000000000000000 : nt!IopCompleteRequest+0xbe8
fffffd8b3ed4f0c0 fffff803562cf44b : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDeliverApc+0x19d
fffffd8b3ed4f180 fffff803562a1eb4 : 0000000000000000 0000000000000001 0000000000000000 0100000000100000 : nt!KiCheckForKernelApcDelivery+0x2b
fffffd8b3ed4f1b0 fffff8035632c8c3 : 0000000000000000 0000000000000000 0000000000000001 ffff848647d925c0 : nt!KiLeaveGuardedRegionUnsafe+0x24
fffffd8b3ed4f1e0 fffff803562639f4 : 0000000000000000 0000000000001000 0000000000001000 ffffbf82085c0000 : nt!MmWaitForCacheManagerPrefetch+0x67
fffffd8b3ed4f210 fffff803567e49f9 : 0000000000000000 0000000000000000 0000000000000001 fffffd8b3ed4f320 : nt!CcFetchDataForRead+0x104
fffffd8b3ed4f270 fffff80356263725 : ffff848643f8b370 0000000000000000 fffffd8b00040000 ffff848647c62901 : nt!CcMapAndCopyFromCache+0xd9
fffffd8b3ed4f310 fffff8035b102009 : 0000000000000000 ffffaa0d00000000 ffff848600000381 ffffaa0d00000001 : nt!CcCopyReadEx+0x135
fffffd8b3ed4f3b0 fffff8035b1171da : 0000000000000381 ffff848647d925c0 fffffd8b3ed4f610 ffff848645f6ba20 : Ntfs!NtfsCachedRead+0x179
fffffd8b3ed4f420 fffff8035b11641c : fffffd8b3ed4f620 ffff848645f6ba20 fffffd8b3ed4f620 ffff84863dbe8a18 : Ntfs!NtfsCommonRead+0xbaa
fffffd8b3ed4f5e0 fffff80356299ed9 : ffff848645d2c370 ffff848645f6ba20 ffff848645f6be08 0000000000000000 : Ntfs!NtfsFsdRead+0x20c
fffffd8b3ed4f6a0 fffff803585355de : 0000000000000000 fffffd8b3ed4f780 ffff848645f6ba20 fffffd8b3ed4f790 : nt!IofCallDriver+0x59
fffffd8b3ed4f6e0 fffff80358533f16 : fffffd8b3ed4f780 0000000000000000 0000000000000001 fffff8035680fce5 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x15e
fffffd8b3ed4f760 fffff80356299ed9 : ffff848645f6ba20 0000000000000478 0000000000000000 0000000000000000 : FLTMGR!FltpDispatch+0xb6
fffffd8b3ed4f7c0 fffff803568080a5 : 0000000000000000 ffff848647d925c0 ffff848647d92610 ffff848647d925c0 : nt!IofCallDriver+0x59
fffffd8b3ed4f800 fffff8035680427f : ffff848600000000 0000000000000000 0000000000000000 fffffd8b3ed4fa80 : nt!IopSynchronousServiceTail+0x1a5
fffffd8b3ed4f8a0 fffff803563d3c15 : ffff848642bf3080 0000000000000000 0000000000000000 0000000000000000 : nt!NtReadFile+0x59f
fffffd8b3ed4f990 00007ffbb585c134 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
00000082e0efec88 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffb`b585c134

SYMBOL_NAME: nt!KiPageFault+469

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.18362.1016

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 469

FAILURE_BUCKET_ID: AV_nt!KiPageFault

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {ec3e2762-48ae-ffe9-5b16-fbcb853e8320}

Followup: MachineOwner

Please let us know when can we have an ARM64 version for Windows on ARM OS.