Debugging a Crash, Found a Trojan

Hi, I’m Manish from Global Escalation Services. I would like to present a multiple random bug check issue, which was caused by malicious code (trojan) running on the machine. This is the walkthrough of how we found the virus on the server.

In this particular dump, the machine crashed with Bugcheck 0xA (IRQL_NOT_LESS_OR_EQUAL) because we got a Page Fault at dispatch level, also known as DPC Level (IRQL 2). Windows system architecture governs that we cannot have a page fault at dispatch level because paging requires I/O, I/O requires a wait, and we cannot wait while the IRQL is above dispatch level.  So when this anomaly happens Windows will intentionally crash the machine.

We trapped in CcMapData because we touched the address c226d800 which was not valid because it’s paged out. If we look at implementation of CcMapData on MSDN we see that this function can only be called below Dispatch Level, but the current CPU IRQL is 2.

So how did this happen?  The most likely possibility is that some driver on the stack raised the IRQL by calling KeRaiseIrql and then forgot to lower it by calling KeLowerIrql.  There are many drivers on this stack and anyone could be the culprit. It is difficult to track when one of these may have done it as it’s long gone.

We could have enabled IRQL Checking using Driver Verifier to find the culprit but we have to enable it on all drivers listed in the stack (and possibly others), which could cause some performance issues.  Also this was not the only crash we were seeing; there were various stop codes.

So before going the verifier route I decided to dig more into this dump. I noticed there is an address on the stack for which the module name is not getting resolved. This looked odd (suspicious) as most of the time the debugger does a great job of finding the module.

I started investigating what is this module.  It turned out to be a Trojan “TrojanDropper:Win32/Sirefef.B”.


0: kd> !analyze -v


*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *



An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high.  This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.


Arg1: c226d800, memory referenced

Arg2: d0000002, IRQL

Arg3: 00000000, bitfield :

      bit 0 : value 0 = read operation, 1 = write operation

      bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: 808b64a6, address which referenced memory


0: kd> kv

ChildEBP RetAddr  Args to Child             

f78ae41c 808b64a6 badb0d00 00000000 00000001 nt!KiTrap0E+0x2a7 (FPO: [0,0] TrapFrame @ f78ae41c)

f78ae4cc f71a6f2d 8b22d520 f78ae4fc 00000400 nt!CcMapData+0x8c (FPO: [Non-Fpo])

f78ae4ec f71a4494 f78ae7ec 8b64c150 01c6d800 Ntfs!NtfsMapStream+0x4b (FPO: [Non-Fpo])

f78ae560 f71a6df0 f78ae7ec 8b3a7100 e7c50ce0 Ntfs!NtfsReadMftRecord+0x86 (FPO: [Non-Fpo])

f78ae598 f71a6fac f78ae7ec 8b3a7100 e7c50ce0 Ntfs!NtfsReadFileRecord+0x7a (FPO: [Non-Fpo])

f78ae5d0 f718e46d f78ae7ec e7c50cd8 e7c50ce0 Ntfs!NtfsLookupInFileRecord+0x37 (FPO: [Non-Fpo])

f78ae67c f718e541 f78ae7ec e7c50cd8 f718e2cb Ntfs!NtfsWalkUpTree+0xbe (FPO: [Non-Fpo])

f78ae6d8 f718e263 f78ae7ec e7c50cd8 00000000 Ntfs!NtfsBuildNormalizedName+0x44 (FPO: [Non-Fpo])

f78ae704 f7196c2e f78ae7ec 8801d600 e7c50da0 Ntfs!NtfsQueryNameInfo+0x4b (FPO: [Non-Fpo])

f78ae774 f71a0ff6 f78ae7ec 88081cb0 8b5f9260 Ntfs!NtfsCommonQueryInformation+0x291 (FPO: [Non-Fpo])

f78ae7d8 f71a102f f78ae7ec 88081cb0 00000001 Ntfs!NtfsFsdDispatchSwitch+0x12a (FPO: [Non-Fpo])

f78ae8f4 8081df85 8b3a7020 88081cb0 88081cb0 Ntfs!NtfsFsdDispatchWait+0x1c (FPO: [Non-Fpo])

f78ae908 f721fd28 8b2fd220 8b60d308 8b54b020 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78ae934 8081df85 8b5f9260 88081cb0 88081cb0 fltMgr!FltpDispatch+0x152 (FPO: [Non-Fpo])

f78ae948 f721fd28 88081ed0 8b60d308 c000000d nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78ae974 8081df85 8b54b020 88081cb0 88081cb0 fltMgr!FltpDispatch+0x152 (FPO: [Non-Fpo])

f78ae988 f5c62bec 88081cb0 8b54a980 88081cb0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

WARNING: Stack unwind information not available. Following frames may be wrong.

f78ae99c f5c5e3ee 8b03b690 00000000 f78ae9c0 CtxSbx+0x5bec

f78ae9ac 8081df85 8b03b690 88081cb0 8b0528e0 CtxSbx+0x13ee

f78ae9c0 f61074e1 8b0528e0 8801d600 f78aea00nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78ae9e4 f61075d0 8b0a9b80 00081cb0 f78aea08 CtxAltStr+0x44e1

f78ae9f4 8081df85 8b0a9b80 88081cb0 88081ed0 CtxAltStr+0x45d0

f78aea08 8b5cfc89 00000000 87ef0000 87ef9002 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aec90 8081df85 8b5ef610 8b08c110 8b08c2a8 0x8b5cfc89 <———— This looks odd what is this module?

f78aeca4 f7241607 8b08c2a8 00000000 f78aece8nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aecb4 f72412b2 8b08c2a8 8b392b70 87f11974 CLASSPNP!SubmitTransferPacket+0xbb (FPO: [Non-Fpo])

f78aece8 f7241533 00000000 00000e00 87f11808 CLASSPNP!ServiceTransferRequest+0x1e4 (FPO: [Non-Fpo])

f78aed0c 8081df85 8b392ab8 00000000 8b2a2670 CLASSPNP!ClassReadWrite+0x159 (FPO: [Non-Fpo])

f78aed20 f74c80cf 8b2b7d80 87f11998 f78aed44 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aed30 8081df85 8b6e4020 87f11808 87f119bc PartMgr!PmReadWrite+0x95 (FPO: [Non-Fpo])

f78aed44 f7317053 87f119d8 8b6e8148 882b9888 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aed60 8081df85 8b2b7cc8 87f11808 87f119fc ftdisk!FtDiskReadWrite+0x1a9 (FPO: [Non-Fpo])

f78aed74 f72cf4f5 885360cc 88536098 87f26810 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])

f78aed90 f72d1517 87f11808 885360cc 8b60c470 volsnap!VspDecrementIrpRefCount+0x14f (FPO: [Non-Fpo])

f78aeda8 f72c0398 87f26810 87f26810 88536098 volsnap!VspWriteVolumePhase22+0x3d (FPO: [Non-Fpo])

f78aee30 f72d15d3 00f26810 885360cc 00000000 volsnap!VspAcquireNonPagedResource+0xc6 (FPO: [Non-Fpo])

f78aee50 8081e123 00000000 87f215e8 88536098 volsnap!VspWriteVolumePhase2+0x59 (FPO: [Non-Fpo])

f78aee80 f7241829 f78aeeb0 f72413ec 8b392ab8 nt!IopfCompleteRequest+0xcd (FPO: [Non-Fpo])

f78aee88 f72413ec 8b392ab8 87f215e8 00000001 CLASSPNP!ClassCompleteRequest+0x11 (FPO: [Non-Fpo])

f78aeeb0 8081e123 00000000 8b08c428 8b08c5c0 CLASSPNP!TransferPktComplete+0x1fd (FPO: [Non-Fpo])

f78aeee0 f7266545 8b6e30e8 8b08c428 f78aef24 nt!IopfCompleteRequest+0xcd (FPO: [Non-Fpo])

f78aeef0 f7265a8a 87f856a8 00000001 00000000 SCSIPORT!SpCompleteRequest+0x5e (FPO: [Non-Fpo])

f78aef24 f7265130 8b6e30e8 87f856a8 f78aef9b SCSIPORT!SpProcessCompletedRequest+0x6a7 (FPO: [Non-Fpo])

f78aef9c 8083211c 8b6e30a4 8b6e3030 00000000 SCSIPORT!ScsiPortCompletionDpc+0x2bd (FPO: [Non-Fpo])

f78aeff4 8088dba7 f3f4f92c 00000000 00000000 nt!KiRetireDpcList+0xca (FPO: [Non-Fpo])

f3f4f948 80a603d9 ffdffa02 f3f4f980 f3f4f980 nt!KiDispatchInterrupt+0x37 (FPO: [Uses EBP] [0,0,1])

f3f4f964 80a60577 8b6c226c f3f4f980 8088d91d hal!HalpCheckForSoftwareInterrupt+0x81 (FPO: [Non-Fpo])

f3f4f970 8088d91d 8b304c00 000001a3 f3f4fa04 hal!HalEndSystemInterrupt+0x67 (FPO: [Non-Fpo])

f3f4f970 809395e7 8b304c00 000001a3 f3f4fa04 nt!KiInterruptDispatch+0x5d (FPO: [0,2] TrapFrame @ f3f4f980)

f3f4fa04 80939c37 88139178 88028301 00000008 nt!ObpAllocateObject+0x199 (FPO: [Non-Fpo])

f3f4fa38 808f8d28 00000000 8b76aad0 f3f4fa70 nt!ObCreateObject+0x129 (FPO: [Non-Fpo])

f3f4fb44 80937a40 8b6afd10 00000000 88028398 nt!IopParseDevice+0x710 (FPO: [Non-Fpo])

f3f4fbc4 80933b74 00000000 f3f4fc04 00000042 nt!ObpLookupObjectName+0x5b0 (FPO: [Non-Fpo])

f3f4fc18 808eaee7 00000000 00000000 dffa7c01 nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])

f3f4fc94 808ec181 077ef198 c0140000 077ef14c nt!IopCreateFile+0x447 (FPO: [Non-Fpo])

f3f4fcf0 808eec10 077ef198 c0140000 077ef14c nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])

f3f4fd30 808897ec 077ef198 c0140000 077ef14c nt!NtCreateFile+0x30 (FPO: [Non-Fpo])

f3f4fd30 7c82847c 077ef198 c0140000 077ef14c nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ f3f4fd64)

077ef22c 00000000 00000000 00000000 00000000 0x7c82847c


The current CPU IRQL is 2, at which pagefaults cannot be serviced, hence windows crashed the machine.

0: kd> !irql

Debugger saved IRQL for processor 0x0 — 2 (DISPATCH_LEVEL)


Un-assembling from the return address of this unknown driver, to try to confirm that this is really driver code and that it really does belong in this call stack:

0: kd> ub 8b5cfc89

8b5cfc62 8bd7            mov     edx,edi

8b5cfc64 c60605          mov     byte ptr [esi],5

8b5cfc67 895e18          mov     dword ptr [esi+18h],ebx

8b5cfc6a c7460400020000  mov     dword ptr [esi+4],200h

8b5cfc71 c7460809000000  mov     dword ptr [esi+8],9

8b5cfc78 c7461c70fb5c8b  mov     dword ptr [esi+1Ch],8B5CFB70h

8b5cfc7f c64603e0        mov     byte ptr [esi+3],0E0h

8b5cfc83 ff158c805d8b    call    dword ptr ds:[8B5D808Ch]

Sure does call IofCallDriver

0: kd> dps 8B5D808Ch l1

8b5d808c  8081df40 nt!IofCallDriver


So what is this driver? In Windows every image starts with a PE header which starts with letters “MZ”. So I started looking for PE header. I took the offset of the module on the stack and went back to its page boundary, then I started moving 1 page back at a time looking for the PE header.

0: kd> dc 8b5cf000

8b5cf000  0010b9f2 f02b0000 3b063c8b 83137538  ……+..<.;8u..

8b5cf010  c08304e9 04f98304 b85fee73 00000001  ……..s._…..

8b5cf020  9cb8c35e b98b5d86 00000010 ff8bd02b  ^….]……+…

8b5cf030  3b02348b 83137530 c08304e9 04f98304  .4.;0u……….

8b5cf040  b85fee73 00000001 335fc35e ccc35ec0  s._…..^._3.^..

8b5cf050  83ec8b55 78a04cec 538b5da4 c0b60f56  U….L.x.].SV…

8b5cf060  827ae857 ff330000 33f46589 f845c7db  W.z…3..e.3..E.

8b5cf070  00000400 8b084d8b 52510c55 50b4458d  …..M..U.QR.E.P


0: kd> dc 8b5cf000-1000

8b5ce000  01c73024 00000000 c70cc483 00800002  $0…………..

8b5ce010  845e5f00 b10874db 0815ff01 8b8b5d80  ._^..t…….]..

8b5ce020  6a0c2444 15ff5000 8b5d8028 14c25b5d  D$.j.P..(.].][..

8b5ce030  cccccc00 cccccccc cccccccc cccccccc  …………….

8b5ce040  6a306a56 2415ff00 8b8b5d80 74f685f0  Vj0j…$.]…..t

8b5ce050  6a006a53 68026a01 8b5d0892 5d08ae68  Sj.j.j.h..].h..]

8b5ce060  ff006a8b 5d80ac15 ff56508b 5d80a815  .j…..].PV….]

8b5ce070  000d8b8b ff8b5da2 5d80b015 6a006a8b  …..]…..].j.j

0: kd> dc 8b5cf000-1000*2

8b5cd000  0689c033 89044689 46890846 1046890c  3….F..F..F..F.

8b5cd010  89144689 ec831846 1c46891c 57204689  .F..F…..F..F W

8b5cd020  85244689 8d0574f6 02eb284e c033c933  .F$..t..N(..3.3.

8b5cd030  41890189 08418904 8b34468b 4e891048  …A..A..F4.H..N

8b5cd040  14508b10 8b145689 4e891848 1c508b18  ..P..V..H..N..P.

8b5cd050  8b1c5689 4e891848 1c508b20 2424448d  .V..H..N .P..D$$

8b5cd060  244c8d50 186a510c 8b245689 6a302454  P.L$.Qj..V$.T$0j

8b5cd070  46c65205 46c70005 00000008 0c46c700  .R.F…F……F.


Finally I found the PE header for this image.

0: kd> dc 8b5cf000-1000*3

8b5cc000  00905a4d 00000003 00000004 0000ffff  MZ…………..

8b5cc010  000000b8 00000000 00000040 00000000  ……..@…….

8b5cc020  00000000 00000000 00000000 00000000  …………….

8b5cc030  00000000 00000000 00000000 000000d0  …………….

8b5cc040  0eba1f0e cd09b400 4c01b821 685421cd  ……..!..L.!Th

8b5cc050  70207369 72676f72 63206d61 6f6e6e61  is program canno

8b5cc060  65622074 6e757220 206e6920 20534f44  t be run in DOS

8b5cc070  65646f6d 0a0d0d2e 00000024 00000000  mode….$…….


Using the built-in debugger extension !dh I dumped the header of this image to find the name.  Unfortunately there is no name for this image. This address 8b5cc000 is not in the loaded module list, which raised further suspicion. Either it is hiding its load address or this driver was not loaded by standard loading mechanism. This module date shows it’s pretty recent build.

0: kd> !dh 8b5cc000


File Type: DLL


     14C machine (i386)

       4 number of sections

4EA3461E time date stamp Sun Oct 23 04:09:26 2011


       0 file pointer to symbol table

       0 number of symbols

      E0 size of optional header

    2102 characteristics


            32 bit word machine




     10B magic #

    9.00 linker version

    A400 size of code

    2000 size of initialized data

       0 size of uninitialized data

    46C0 address of entry point

    1000 base of code

         —– new —–

10000000 image base

    1000 section alignment

     200 file alignment

       1 subsystem (Native)

    5.00 operating system version

    0.00 image version

    5.00 subsystem version

   10000 size of image

     400 size of headers

    DF1F checksum

00100000 size of stack reserve

00001000 size of stack commit

00100000 size of heap reserve

00001000 size of heap commit

       0  DLL characteristics

       0 [       0] address [size] of Export Directory

    C91C [      3C] address [size] of Import Directory

       0 [       0] address [size] of Resource Directory

       0 [       0] address [size] of Exception Directory

       0 [       0] address [size] of Security Directory

    F000 [     3FC] address [size] of Base Relocation Directory

       0 [       0] address [size] of Debug Directory

       0 [       0] address [size] of Description Directory

       0 [       0] address [size] of Special Directory

       0 [       0] address [size] of Thread Storage Directory

       0 [       0] address [size] of Load Configuration Directory

       0 [       0] address [size] of Bound Import Directory

    C000 [     1A8] address [size] of Import Address Table Directory

       0 [       0] address [size] of Delay Import Directory

       0 [       0] address [size] of COR20 Header Directory

       0 [       0] address [size] of Reserved Directory




   .text name

    A354 virtual size

    1000 virtual address

    A400 size of raw data

     400 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

60000020 flags


         (no align specified)

         Execute Read



  .rdata name

    13AC virtual size

    C000 virtual address

    1400 size of raw data

    A800 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

40000040 flags

         Initialized Data

         (no align specified)

         Read Only



   .data name

     4B0 virtual size

    E000 virtual address

     200 size of raw data

    BC00 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

C0000040 flags

         Initialized Data

         (no align specified)

         Read Write



  .reloc name

     576 virtual size

    F000 virtual address

     600 size of raw data

    BE00 file pointer to raw data

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

42000040 flags

         Initialized Data


         (no align specified)

         Read Only

0: kd> !lmi 8b5cc000 

Loaded Module Info: [8b5cc000]

ffffffff8b5cc000 is not a valid address


0: kd> lmvm 8b5cc000 

start    end        module name

Checking the import table it does have calls to raise and lower the IRQL. We get to the import table by taking the base address plus the offset to the Import Address Table Directory.  The below output is just a snippet of the whole table.

0: kd> dps 8b5cc000+c000

8b5d8000  80a603f4 hal!KfLowerIrql

8b5d8004  80a5ff00 hal!KeGetCurrentIrql

8b5d8008  80a600b4 hal!KfRaiseIrql


Dumping the entire image contents in memory to find more clues about this driver.  Again, I am only showing snippets of the whole output.

0: kd> dc 8b5cc000  L?10000/4

8b5cc000  00905a4d 00000003 00000004 0000ffff  MZ…………..

8b5cc010  000000b8 00000000 00000040 00000000  ……..@…….

8b5cc020  00000000 00000000 00000000 00000000  …………….

8b5cc030  00000000 00000000 00000000 000000d0  …………….

8b5cc040  0eba1f0e cd09b400 4c01b821 685421cd  ……..!..L.!Th

8b5cc050  70207369 72676f72 63206d61 6f6e6e61  is program canno

8b5cc060  65622074 6e757220 206e6920 20534f44  t be run in DOS

8b5cc070  65646f6d 0a0d0d2e 00000024 00000000  mode….$…….

8b5d5e20  76000000 66697265 77252079 00000a5a  …verify %wZ…

8b5d5e30  31000000 35343332 39383736 33323130  …1234567890123

8b5d5e40  37363534 31303938 35343332 39383736  4567890123456789

8b5d5e50  33323130 37363534 31303938 35343332  0123456789012345

8b5d5e60  39383736 33323130 37363534 31303938  6789012345678901

8b5d5e70  00343332 66000000 646e756f 67697320  234….found sig

8b5d5e80  7574616e 3d206572 0a752520 b4000000  nature = %u…..   


Interestingly this image has other images (modules) embedded in it.  We can see other PE headers, which again have no name.  This looks highly suspicious and resembles behavior used by malicious software.

8b5d0970  f775c085 4848c78b 4dc35f5e 0300905a  ..u…HH^_.MZ…

8b5d0980  04000000 ff000000 b80000ff 00000000  …………….

8b5d0990  40000000 00000000 00000000 00000000  …@…………

8b5d09a0  00000000 00000000 00000000 00000000  …………….

8b5d09b0  00000000 c8000000 0e000000 000eba1f  …………….

8b5d09c0  21cd09b4 cd4c01b8 69685421 72702073  …!..L.!This pr

8b5d09d0  6172676f 6163206d 746f6e6e 20656220  ogram cannot be

8b5d09e0  206e7572 44206e69 6d20534f 2e65646f  run in DOS mode.

8b5d2200  4d00004e 0300905a 04000000 ff000000  N..MZ………..

8b5d2210  b80000ff 00000000 40000000 00000000  ………..@….

8b5d2220  00000000 00000000 00000000 00000000  …………….

8b5d2230  00000000 00000000 00000000 f0000000  …………….

8b5d2240  0e000000 000eba1f 21cd09b4 cd4c01b8  ………..!..L.

8b5d2250  69685421 72702073 6172676f 6163206d  !This program ca

8b5d2260  746f6e6e 20656220 206e7572 44206e69  nnot be run in D

8b5d2270  6d20534f 2e65646f 240a0d0d 00000000  OS mode….$….


After ensuring my AV definitions were up to date, I decided to dump this memory contents into a file onto my machine. The moment contents were written my AV Microsoft Forefront Endpoint Protection caught a Trojan in this file.

0: kd> .writemem c:\temp\drv.sys 8b5cc000   L?10000
Writing 10000 bytes…………………………..




Before any further trouble shooting we asked the customer to clean the Trojan. Once we did that bug checks disappeared.

Hope you enjoyed reading this post.

Comments (0)