rafwu / ransomwatch
Ransomware detection application for Windows using a Windows Minifilter driver
In function BOOLEAN DeletionTrigger():
    addNumOfDirsProtected(0);
I think this needs to be changed: addNumOfDirsProtected needs to be changed to addNumOfFilesProtected.
Stop Code: IRQL_LESS_OR_EQUAL when starting Application.exe
Please let us know when can we have an ARM64 version for Windows on ARM OS.
Hi,
I'm very new to driver dev and there is a good chance I missed something obvious.
I'm able to install the minifilter as described in the README. The application launches successfully for a minute or so and then Windows crashes with an IRQL_NOT_LESS_OR_EQUAL BSOD.
I think I understand what it means but I have no idea how to debug it.
Here are the details of the minidump. If you have an idea, I would greatly appreciate it.
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000001, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff803562aef58, address which referenced memory
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-U9J03LL
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 2
Key : Analysis.Memory.CommitPeak.Mb
Value: 101
Key : Analysis.System
Value: CreateObject
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
BUGCHECK_CODE: a
BUGCHECK_P1: 1
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff803562aef58
READ_ADDRESS: fffff803567733b8: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8035662a3b8: Unable to get Flags value from nt!KdVersionBlock
fffff8035662a3b8: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
0000000000000001
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
IRP_ADDRESS: ffffffffffffff88
DEVICE_OBJECT: ffff848600000000
TRAP_FRAME: fffffd8b3ed4ee40 -- (.trap 0xfffffd8b3ed4ee40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=fffffd8b3ed4e4a8
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803562aef58 rsp=fffffd8b3ed4efd0 rbp=fffffd8b3ed4f119
r8=0000000000000002 r9=ffff848624402000 r10=fffff80356672b00
r11=ffff84863d5e84e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po cy
nt!IopCompleteRequest+0xbe8:
fffff803`562aef58 488b00          mov     rax,qword ptr [rax] ds:00000000`00000001=????????????????
Resetting default scope
STACK_TEXT:
fffffd8b`3ed4ecf8 fffff803`563d41e9 : 000000000000000a 00000000`00000001 0000000000000002 00000000`00000000 : nt!KeBugCheckEx
fffffd8b`3ed4ed00 fffff803`563d0529 : 0000000000000000 00000000`00000005 ffff94800caff170 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffffd8b`3ed4ee40 fffff803`562aef58 : 0000000000000000 fffffd8b`3ed4f138 ffff94800caff170 00000000`00000000 : nt!KiPageFault+0x469
fffffd8b`3ed4efd0 fffff803`562a615d : 0000000000000000 00000000`00000000 0000000000000100 00000000`00000000 : nt!IopCompleteRequest+0xbe8
fffffd8b`3ed4f0c0 fffff803`562cf44b : 0000000000000000 00000000`00000000 0000000000000000 00000000`00000000 : nt!KiDeliverApc+0x19d
fffffd8b`3ed4f180 fffff803`562a1eb4 : 0000000000000000 00000000`00000001 0000000000000000 01000000`00100000 : nt!KiCheckForKernelApcDelivery+0x2b
fffffd8b`3ed4f1b0 fffff803`5632c8c3 : 0000000000000000 00000000`00000000 0000000000000001 ffff8486`47d925c0 : nt!KiLeaveGuardedRegionUnsafe+0x24
fffffd8b`3ed4f1e0 fffff803`562639f4 : 0000000000000000 00000000`00001000 0000000000001000 ffffbf82`085c0000 : nt!MmWaitForCacheManagerPrefetch+0x67
fffffd8b`3ed4f210 fffff803`567e49f9 : 0000000000000000 00000000`00000000 0000000000000001 fffffd8b`3ed4f320 : nt!CcFetchDataForRead+0x104
fffffd8b`3ed4f270 fffff803`56263725 : ffff848643f8b370 00000000`00000000 fffffd8b00040000 ffff8486`47c62901 : nt!CcMapAndCopyFromCache+0xd9
fffffd8b`3ed4f310 fffff803`5b102009 : 0000000000000000 ffffaa0d`00000000 ffff848600000381 ffffaa0d`00000001 : nt!CcCopyReadEx+0x135
fffffd8b`3ed4f3b0 fffff803`5b1171da : 0000000000000381 ffff8486`47d925c0 fffffd8b3ed4f610 ffff8486`45f6ba20 : Ntfs!NtfsCachedRead+0x179
fffffd8b`3ed4f420 fffff803`5b11641c : fffffd8b3ed4f620 ffff8486`45f6ba20 fffffd8b3ed4f620 ffff8486`3dbe8a18 : Ntfs!NtfsCommonRead+0xbaa
fffffd8b`3ed4f5e0 fffff803`56299ed9 : ffff848645d2c370 ffff8486`45f6ba20 ffff848645f6be08 00000000`00000000 : Ntfs!NtfsFsdRead+0x20c
fffffd8b`3ed4f6a0 fffff803`585355de : 0000000000000000 fffffd8b`3ed4f780 ffff848645f6ba20 fffffd8b`3ed4f790 : nt!IofCallDriver+0x59
fffffd8b`3ed4f6e0 fffff803`58533f16 : fffffd8b3ed4f780 00000000`00000000 0000000000000001 fffff803`5680fce5 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x15e
fffffd8b`3ed4f760 fffff803`56299ed9 : ffff848645f6ba20 00000000`00000478 0000000000000000 00000000`00000000 : FLTMGR!FltpDispatch+0xb6
fffffd8b`3ed4f7c0 fffff803`568080a5 : 0000000000000000 ffff8486`47d925c0 ffff848647d92610 ffff8486`47d925c0 : nt!IofCallDriver+0x59
fffffd8b`3ed4f800 fffff803`5680427f : ffff848600000000 00000000`00000000 0000000000000000 fffffd8b`3ed4fa80 : nt!IopSynchronousServiceTail+0x1a5
fffffd8b`3ed4f8a0 fffff803`563d3c15 : ffff848642bf3080 00000000`00000000 0000000000000000 00000000`00000000 : nt!NtReadFile+0x59f
fffffd8b`3ed4f990 00007ffb`b585c134 : 0000000000000000 00000000`00000000 0000000000000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000082`e0efec88 00000000`00000000 : 0000000000000000 00000000`00000000 0000000000000000 00000000`00000000 : 0x00007ffb`b585c134
SYMBOL_NAME: nt!KiPageFault+469
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.18362.1016
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 469
FAILURE_BUCKET_ID: AV_nt!KiPageFault
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {ec3e2762-48ae-ffe9-5b16-fbcb853e8320}
I have followed the steps given by you.
But when I start the server it says '[SC] StartService FAILED 487: Attempt to access invalid address.'
Please help me to resolve it.