Bugcheck BAD_POOL_HEADER (19)

A buggy kernel-mode driver can raise Bugcheck BAD_POOL_HEADER (19). When the driver writes past the end of the pool block it allocated, the write lands on the header of the next pool block. As with a user-mode heap overrun, a kernel-mode pool overrun does not crash at the moment of the write; the crash comes later, when ExFreePool is called on the block and the pool header check fails.

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 82fd27c8, The pool entry we were looking for within the page.
Arg3: 82fd27f0, The next pool entry.
Arg4: 0a050008, (reserved)

kd> kbL
ChildEBP RetAddr  Args to Child             
f8ae3540 80532f7e 00000003 82fe72b0 82fd27c8 nt!KiBugCheckDebugBreak+0x19
f8ae3920 8053356e 00000019 00000020 82fd27c8 nt!KeBugCheck2+0x574
f8ae3940 8054b9c1 00000019 00000020 82fd27c8 nt!KeBugCheckEx+0x1b
f8ae3990 8054b339 82fd27d0 00000000 f8ae39c0 nt!ExFreePoolWithTag+0x2be
f8ae39a0 f894a743 82fd27d0 0000001b 82fd27d0 nt!ExFreePool+0xf
f8ae39c0 f894c01f f894d860 82fe72b0 82e8b2e8 Wolf!WolfEventMessageA+0xa3
...
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

kd> !pool 82fd27c8 2
Pool page 82fd27c8 region is Nonpaged pool
*82fd27c8 size:   28 previous size:   40  (Allocated) *None
  Pooltag None : call to ExAllocatePool
82fd27f0 is not a valid small pool allocation, checking large pool...

kd> dc 82fd27c8
82fd27c8  0a050008 656e6f4e 006f0057 0066006c  ....NoneW.o.l.f.
82fd27d8  00730020 00610074 00740072 00640065   .s.t.a.r.t.e.d.
82fd27e8  00740020 0020006f 00640061 00200064   .t.o. .a.d.d. .

kd> dc 82fd27f0
82fd27f0  00640061 00200064 00650064 00690076  a.d.d. .d.e.v.i.
82fd2800  00650063 00000000 00000000 00000000  c.e.............

Pool buffer overrun

kd> dt nt!_POOL_HEADER 82fd27c8
   +0x000 PreviousSize     : 0y000001000 (0x8)
   +0x000 PoolIndex        : 0y0000000 (0)
   +0x002 BlockSize        : 0y000000101 (0x5)
   +0x002 PoolType         : 0y0000101 (0x5)
   +0x000 Ulong1           : 0xa050008
   +0x004 ProcessBilled    : 0x656e6f4e _EPROCESS
   +0x004 PoolTag          : 0x656e6f4e
   +0x004 AllocatorBackTraceIndex : 0x6f4e
   +0x006 PoolTagHash      : 0x656e

kd> dt nt!_POOL_HEADER 82fd27f0
   +0x000 PreviousSize     : 0y001100001 (0x61) => It should be 0x5
   +0x000 PoolIndex        : 0y0000000 (0)
   +0x002 BlockSize        : 0y001100100 (0x64)
   +0x002 PoolType         : 0y0000000 (0)
   +0x000 Ulong1           : 0x640061
   +0x004 ProcessBilled    : 0x00200064 _EPROCESS
   +0x004 PoolTag          : 0x200064
   +0x004 AllocatorBackTraceIndex : 0x64
   +0x006 PoolTagHash      : 0x20

As the dumps above show, a pool buffer overrun overwrites the header of the next pool block with the caller's data (here the tail of the Unicode string "add device"), so the corrupted header shows what was written and where it came from. In this crash the pool buffer overrun comes from the Wolf driver. To catch the driver at the moment it writes past its pool block, enable the special pool feature; the Microsoft KB article below describes how to use Special pool.

How to use the special pool feature to isolate pool damage (https://support.microsoft.com/?id=188831)
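The header check that ExFreePoolWithTag fails above, as an added example (not code from the original post or from the Wolf driver): it decodes the x86 _POOL_HEADER bitfields from the Ulong1 values in the dump, checks that the next header's PreviousSize matches this block's BlockSize, and shows the length check that would have kept the 54-byte UTF-16 string "Wolf started to add device" out of a 32-byte payload. The function names and the struct layout are assumptions for the example.

```c
#include <stdint.h>
#include <string.h>

/* x86 _POOL_HEADER bitfields as shown by "dt nt!_POOL_HEADER" above.
   Sizes are in 8-byte units and the header itself is 8 bytes. */
typedef struct {
    uint16_t previous_size; /* bits 0-8   : size of the preceding block */
    uint16_t pool_index;    /* bits 9-15 */
    uint16_t block_size;    /* bits 16-24 : size of this block, header included */
    uint16_t pool_type;     /* bits 25-31 */
} pool_header_t;

pool_header_t decode_pool_header(uint32_t ulong1) {
    pool_header_t h;
    h.previous_size = ulong1 & 0x1ff;
    h.pool_index    = (ulong1 >> 9) & 0x7f;
    h.block_size    = (ulong1 >> 16) & 0x1ff;
    h.pool_type     = (ulong1 >> 25) & 0x7f;
    return h;
}

/* The link check that fails in ExFreePoolWithTag: the next header's
   PreviousSize must equal this block's BlockSize. */
int pool_links_consistent(uint32_t cur_ulong1, uint32_t next_ulong1) {
    pool_header_t cur  = decode_pool_header(cur_ulong1);
    pool_header_t next = decode_pool_header(next_ulong1);
    return cur.block_size != 0 && next.previous_size == cur.block_size;
}

/* Payload bytes available to the caller: BlockSize*8 minus the 8-byte header. */
size_t pool_block_payload_bytes(uint32_t ulong1) {
    return (size_t)decode_pool_header(ulong1).block_size * 8 - 8;
}

/* Bytes a NUL-terminated UTF-16 copy of an ASCII string needs. */
size_t utf16_bytes_needed(const char *ascii) {
    return (strlen(ascii) + 1) * 2;
}

/* Widen-and-copy only when the result fits in dst; returns 0 (no write) otherwise.
   This is the length check the overrunning copy in the dump lacked. */
int copy_utf16_checked(const char *ascii, uint16_t *dst, size_t dst_bytes) {
    size_t i, n = strlen(ascii);
    if (utf16_bytes_needed(ascii) > dst_bytes) return 0;
    for (i = 0; i <= n; i++)   /* copies the terminator too */
        dst[i] = (uint16_t)(unsigned char)ascii[i];
    return 1;
}
```

Feeding the two Ulong1 values from the dump (0x0a050008 and 0x00640061) to pool_links_consistent reproduces the mismatch: PreviousSize 0x61 where 0x5 was expected.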