A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #11999  by KK_
 Tue Mar 06, 2012 1:18 pm
CyberInterceptor

It may not be that stable, since it is still in beta test.
So, be careful. *_*
PS: BSOD may occur. Please let me know.
 #12118  by EP_X0FF
 Thu Mar 15, 2012 10:28 am
BSOD
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 9315619c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804ee910, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: 9315619c

CURRENT_IRQL: 2

FAULTING_IP:
nt!MmMapLockedPagesSpecifyCache+1de
804ee910 8b4f0c mov ecx,dword ptr [edi+0Ch]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from f5d89a99 to 804ee910

STACK_TEXT:
f9e67f18 f5d89a99 8199bca0 1f000000 c03d3d98 nt!MmMapLockedPagesSpecifyCache+0x1de
WARNING: Stack unwind information not available. Following frames may be wrong.
f9e67f44 f5d89b05 8199bdc8 81a3f000 00000000 SuperCI+0x5a99
f9e67f5c f9b4dce6 81a478e8 8199bdc8 00000000 SuperCI+0x5b05
f9e67f94 f9b4d183 819c3e00 804e4a25 81a478e8 dc21x4!ProcessTransmitDescRing+0x304
f9e67fb4 f98a86a5 00010005 806ef123 81a478e8 dc21x4!DC21X4HandleInterrupt+0xef
f9e67fd0 804dbbd4 81a3f01c 81a3f008 00000000 NDIS!ndisMDpc+0xff
f9e67ff4 804db89e f6473cac 00000000 00000000 nt!KiRetireDpcList+0x46
f9e67ff8 f6473cac 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a
804db89e 00000000 00000009 bb835675 00000128 0xf6473cac


STACK_COMMAND: kb

FOLLOWUP_IP:
SuperCI+5a99
f5d89a99 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: SuperCI+5a99
 #12130  by KK_
 Thu Mar 15, 2012 11:46 am
Thanks a lot for the feedback.

Looks like you are trying to send a UDP packet.

According to the stack, I assume that your OS version is XP or 2k3.

Am I right?
 #12131  by EP_X0FF
 Thu Mar 15, 2012 11:49 am
KK_ wrote: Thanks a lot for the feedback.

Looks like you are trying to send a UDP packet.

According to the stack, I assume that your OS version is XP or 2k3.

Am I right?
Yes, it was the button "Send me" or something. Windows XP SP3 Eng.
 #12135  by KK_
 Thu Mar 15, 2012 1:11 pm
Did it crash every time?

I have come up with no clue.

Make the MDL like this:
// Describe the nonpaged buffer pBuffer2 with an MDL
pMdl = IoAllocateMdl(pBuffer2, len, FALSE, FALSE, NULL);
MmBuildMdlForNonPagedPool(pMdl);


Then try to extract the pBuffer2 and free it:
// Get the buffer address and length back from the MDL
NdisQueryBufferSafe(pMdl,
                    (PVOID *)&pMemBuffer,
                    &upMemBufferLen,
                    HighPagePriority);
Then it crashes here.
 #12139  by Buster_BSA
 Thu Mar 15, 2012 2:34 pm
It says it currently does not support redirecting from local to local.

When will that function be supported?
 #12141  by KK_
 Thu Mar 15, 2012 3:24 pm
Buster_BSA wrote: It says it currently does not support redirecting from local to local.

When will that function be supported?
Sorry, I don't plan to make it supported in the future.
 #12155  by EP_X0FF
 Fri Mar 16, 2012 7:51 am
KK_ wrote: Did it crash every time?
Yes, every second click on "Send Me" results in BSOD.