Hello! I want to run this tree of MemoryMon: https://github.com/tandasat/MemoryMon/tree/rwe_cdfs. But I get a BSOD every time with PAGE_FAULT_IN_NONPAGED_AREA after running the hypervisor. I also tried to fix it with tandasat/HyperPlatform#34 and tandasat/HyperPlatform#32.
My dump:
```
Machine Name:
Kernel base = 0xfffff8053aac0000 PsLoadedModuleList = 0xfffff805`3af061b0
System Uptime: 0 days 0:00:00.000
KDTARGET: Refreshing KD connection
Break instruction exception - code 80000003 (first chance)
MemoryMon+0x12109b:
fffff8053a04109b cc int 3
*** WARNING: Unable to verify timestamp for ntdll.dll
0: kd> g
16:45:17.537 DBG #1 4 2060 System Log thread started (TID= 000000000000080C).
16:45:17.761 INF #0 4 272 System Log has been initialized.
16:45:17.761 DBG #1 4 272 System Info= FFFFF80539FF28A0, Buffer= FFFFE604EC010000 FFFFE604EC090000, File= \SystemRoot\MemoryMonRWE.log
16:45:17.761 DBG #1 4 272 System Found a hard coded PTE_BASE at FFFFF8053AD81592
16:45:17.761 DBG #1 4 272 System PXE at FFFFFAFD7EBF5000, PPE at FFFFFAFD7EA00000, PDE at FFFFFAFD40000000, PTE at FFFFFA8000000000
16:45:17.776 DBG #1 4 272 System Physical Memory Range: 0000000000001000 - 00000000000a0000
16:45:17.776 DBG #1 4 272 System Physical Memory Range: 0000000000100000 - 000000000eef1000
16:45:17.791 DBG #1 4 272 System Physical Memory Range: 000000000eefa000 - 000000000ef0d000
16:45:17.791 DBG #1 4 272 System Physical Memory Range: 000000000ef12000 - 000000000ef2c000
16:45:17.791 DBG #1 4 272 System Physical Memory Range: 000000000ef31000 - 000000000fee7000
16:45:17.791 DBG #1 4 272 System Physical Memory Range: 000000000ff77000 - 0000000080000000
16:45:17.803 DBG #1 4 272 System Physical Memory Total: 2096112 KB
16:45:17.803 DBG #1 4 272 System shared_data = FFFFE604E45053B0
16:45:17.817 INF #0 4 272 System Initializing VMX for the processor 0.
16:45:17.896 DBG #0 4 272 System vmm_stack_limit = FFFFE604EA0B9000
16:45:17.896 DBG #0 4 272 System vmm_stack_region_base = FFFFE604EA0BF000
16:45:17.911 DBG #0 4 272 System vmm_stack_data = FFFFE604EA0BEFF8
16:45:17.911 DBG #0 4 272 System vmm_stack_base = FFFFE604EA0BEFF0
16:45:17.919 DBG #0 4 272 System processor_data = FFFFE604E45053F0 stored at FFFFE604EA0BEFF8
16:45:17.927 DBG #0 4 272 System guest_stack_pointer = FFFFD90525D95750
16:45:17.931 DBG #0 4 272 System guest_inst_pointer = FFFFF80539F21427
16:45:17.935 DBG #0 4 272 System Context at FFFFF80539F21478: rax= 0000000000000000 rbx= 0000000000000000 rcx= FFFFF8053A03DDF0 rdx= FFFFE604E45053B0 rsi= FFFFE604E9D5B000 rdi= FFFFD90525D95888 rsp= FFFFD90525D957D0 rbp= 0000000000000000 r8= 0000000000000065 r9= 0000000000000000 r10= 0000000000000007 r11= FFFFD90525D95170 r12= FFFFFFFF800027CC r13= 0000000000000002 r14= FFFFC50F1876A9A0 r15= FFFFE604E9D5B000 efl= 00040282
16:45:17.935 INF #0 4 272 System Initialized successfully.
16:45:17.969 INF #1 4 272 System Initializing VMX for the processor 1.
Access violation - code c0000005 (!!! second chance !!!)
MemoryMon+0x11b000:
fffff8053a03b000 cc int 3
0: kd> g
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x00000050
(0xFFFFFA8000000000,0x0000000000000002,0xFFFFF8053A03B001,0x000000000000000B)
Driver at fault:
*** MemoryMon.sys - Address FFFFF8053A03B001 base at FFFFF80539F20000, DateStamp 609a7d77
.
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff8053ac8b970 cc int 3
0: kd> !analyze -v
Connected to Windows 10 18362 x64 target at (Tue May 11 16:45:23.522 2021 (UTC + 3:00)), ptr64 TRUE
Loading Kernel Symbols
.................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................
................................................................
................................................................
..............................
Loading User Symbols
PEB address is NULL !
Loading unloaded module list
.......
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffa8000000000, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: fffff8053a03b001, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 000000000000000b, (reserved)
Debugging Details:
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 1
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-I56MG4S
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 3
Key : Analysis.Memory.CommitPeak.Mb
Value: 63
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: 50
BUGCHECK_P1: fffffa8000000000
BUGCHECK_P2: 2
BUGCHECK_P3: fffff8053a03b001
BUGCHECK_P4: b
READ_ADDRESS: fffffa8000000000
MM_INTERNAL_CODE: b
IMAGE_NAME: MemoryMon.sys
MODULE_NAME: MemoryMon
FAULTING_MODULE: fffff80539f20000 MemoryMon
PROCESS_NAME: svchost.exe
TRAP_FRAME: ffffd90526d37810 -- (.trap 0xffffd90526d37810)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa8000000000 rbx=0000000000000000 rcx=ffffe604e9a90580
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8053a03b001 rsp=ffffd90526d379a0 rbp=ffffd90526d37b20
r8=fffffafd7eb0a110 r9=0000000021422008 r10=0000000000000001
r11=fffffafd40000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
MemoryMon+0x11b001:
fffff8053a03b001 0000 add byte ptr [rax],al ds:fffffa8000000000=??
Resetting default scope
STACK_TEXT:
ffffd90526d36e88 fffff8053ad68dc2 : fffffa8000000000 0000000000000003 ffffd90526d36ff0 fffff8053abe64d0 : nt!DbgBreakPointWithStatus
ffffd90526d36e90 fffff8053ad684b7 : fffff80500000003 ffffd90526d36ff0 fffff8053ac981f0 ffffd90526d37530 : nt!KiBugCheckDebugBreak+0x12
ffffd90526d36ef0 fffff8053ac83c27 : 0000000000000000 0000000000000005 0000000000000002 0000000000000000 : nt!KeBugCheck2+0x947
ffffd90526d375f0 fffff8053ad10c54 : 0000000000000050 fffffa8000000000 0000000000000002 ffffd90526d37810 : nt!KeBugCheckEx+0x107
ffffd90526d37630 fffff8053ab8ac3a : 0000000000000000 0000000000000002 ffffd90526d37770 0000000000000000 : nt!MiRaisedIrqlFault+0x127c14
ffffd90526d37670 fffff8053ac91b5e : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!MmAccessFault+0x48a
ffffd90526d37810 fffff8053a03b001 : 0000000000000aa0 ffffe604e8413030 ffffd90526d37d4a fffff8053b0e7f8a : nt!KiPageFault+0x35e
ffffd90526d379a0 0000000000000aa0 : ffffe604e8413030 ffffd90526d37d4a fffff8053b0e7f8a 0000000000000000 : MemoryMon+0x11b001
ffffd90526d379a8 ffffe604e8413030 : ffffd90526d37d4a fffff8053b0e7f8a 0000000000000000 fffff80500000027 : 0xaa0
ffffd90526d379b0 ffffd90526d37d4a : fffff8053b0e7f8a 0000000000000000 fffff80500000027 ffffffffffffffff : 0xffffe604e8413030
ffffd90526d379b8 fffff8053b0e7f8a : 0000000000000000 fffff80500000027 ffffffffffffffff ffffe604e4a40000 : 0xffffd90526d37d4a
ffffd90526d379c0 fffffafd61422008 : ffffe60400000000 ffffffffffffffff ffffd90500000000 0000000000000000 : nt!IopGetFileInformation+0x106
ffffd90526d37a40 ffffe60400000000 : ffffffffffffffff ffffd90500000000 0000000000000000 0000000000001001 : 0xfffffafd61422008
ffffd90526d37a48 ffffffffffffffff : ffffd90500000000 0000000000000000 0000000000001001 ffff8508803ad000 : 0xffffe60400000000
ffffd90526d37a50 ffffd90500000000 : 0000000000000000 0000000000001001 ffff8508803ad000 0000000000000000 : 0xffffffffffffffff
ffffd90526d37a58 0000000000000000 : 0000000000001001 ffff8508803ad000 0000000000000000 0000000000000000 : 0xffffd90500000000
SYMBOL_NAME: MemoryMon+11b001
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 11b001
FAILURE_BUCKET_ID: AV_INVALID_MemoryMon!unknown_function
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {26be4fc7-3792-4cc6-76ba-e1db17101433}
Followup: MachineOwner
```
(different debugging session + I checked the address with IDA)

```
Access violation - code c0000005 (!!! second chance !!!)
MemoryMon+0x11b000:
fffff8047c7eb000 cc int 3
```
![image](https://user-images.githubusercontent.com/47255730/117950493-e9077100-b31b-11eb-83ce-8ddb9c61de39.png)
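Added helper for reading the dump above (it is an example written for this page, not code from MemoryMon or HyperPlatform): it rebuilds the PXE/PPE/PDE windows from the hard-coded PTE_BASE the log prints, and classifies addresses from the bugcheck and trap frame. Every constant in it is copied from the dump; Arg1 of the bugcheck (0xFFFFFA8000000000) is PTE_BASE itself, the PTE slot for virtual address 0, and r8/r11 in the trap frame fall inside the PPE and PDE windows.

```python
# Self-referencing page-table helper for the MemoryMon dump (added example).
# All constants come from the dump in the issue; the formulas are the standard
# x64 self-map arithmetic, not MemoryMon's own code.
PTE_BASE = 0xFFFFFA8000000000  # "PTE at FFFFFA8000000000" in the log

# Shift from an entry index back to the lowest virtual address it maps.
LEVEL_SHIFT = {"PTE": 12, "PDE": 21, "PPE": 30, "PXE": 39}
# Size of each window; inner windows nest inside the PTE window.
LEVEL_SIZE = {"PXE": 1 << 12, "PPE": 1 << 21, "PDE": 1 << 30, "PTE": 1 << 39}


def self_ref_index(pte_base: int) -> int:
    """PML4 slot that maps the paging structures onto themselves (VA bits 47:39)."""
    return (pte_base >> 39) & 0x1FF


def table_bases(pte_base: int) -> dict:
    """Derive the PDE/PPE/PXE windows from PTE_BASE through the self-reference slot."""
    idx = self_ref_index(pte_base)
    pde = pte_base + (idx << 30)
    ppe = pde + (idx << 21)
    pxe = ppe + (idx << 12)
    return {"PTE": pte_base, "PDE": pde, "PPE": ppe, "PXE": pxe}


def entry_address(level: str, va: int, pte_base: int = PTE_BASE) -> int:
    """Virtual address of the paging entry at `level` that maps canonical `va`."""
    index = (va & 0x0000FFFFFFFFFFFF) >> LEVEL_SHIFT[level]
    return table_bases(pte_base)[level] + index * 8


def classify(addr: int, pte_base: int = PTE_BASE):
    """Name the paging-structure window `addr` lies in, or None if outside all."""
    bases = table_bases(pte_base)
    for level in ("PXE", "PPE", "PDE", "PTE"):  # smallest window first
        if bases[level] <= addr < bases[level] + LEVEL_SIZE[level]:
            return level
    return None


def mapped_va(addr: int, pte_base: int = PTE_BASE) -> int:
    """Lowest canonical virtual address covered by the paging entry at `addr`."""
    level = classify(addr, pte_base)
    if level is None:
        raise ValueError(f"{addr:#x} is not inside the paging-structure windows")
    index = (addr - table_bases(pte_base)[level]) >> 3
    va = index << LEVEL_SHIFT[level]
    return va | 0xFFFF000000000000 if va & (1 << 47) else va  # sign-extend bit 47
```

Running `mapped_va(0xFFFFFAFD7EB0A110)` on r8 gives 0xFFFF850880000000, the 1 GB region that contains the ffff8508803ad000 value visible further down the STACK_TEXT.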