發表文章

Recently I worked on an interesting bugcheck case where Windows 10 would crash with bugcheck code 0xFC (ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY) after keeping the device idle for a while. 3: kd> .bugcheck Bugcheck code 000000FC Arguments ffffac81`88ca26d0 8a000001`be07b963 ffffac81`88ca2460 00000000`00000002 The 1st argument is  The virtual address whose execution was attempted, do a !pte on the 1st argument and we obtain the pte of that virtual address. 3: kd> !pte ffffac81`88ca26d0                                            VA ffffac8188ca26d0 PXE at FFFF93C9E4F27AC8    PPE at FFFF93C9E4F59030    PDE at FFFF93C9EB206230    PTE at FFFF93D640C46510 contains 0A0000000138A863  contains 0A00000000EAA863  contains 0A0000011D722863  contains 8A000001BE07B963 pfn 138a      ---DA--KWEV  pfn eaa       ---DA--KWEV  pfn 11d722    ---DA--KWEV  pfn 1be07b    -G-DA--KW-V Obviously, this virtual address is NoExecute, that's why system bugcheck. do a kv to dump
最近的文章