Issue 685 attachment: special_pool.txt (7.5 KB)

*** Fatal System Error: 0x000000d6
(0xFEEBD010,0x00000000,0x97E59D41,0x00000000)

Driver at fault:
*** win32k.sys - Address 97E59D41 base at 97D40000, DateStamp 56422bfd
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Fri Dec 11 10:21:11.190 2015 (UTC - 8:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
..................................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................
.......
Loading User Symbols
....................................
Loading unloaded module list
.................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D6, {feebd010, 0, 97e59d41, 0}


Probably caused by : win32k.sys ( win32k!EPOINTQF::operator+=+8 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
82cbb308 cc int 3
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: feebd010, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 97e59d41, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS: feebd010 Special pool

FAULTING_IP:
win32k!EPOINTQF::operator+=+8
97e59d41 8b10 mov edx,dword ptr [eax]

MM_INTERNAL_CODE: 0

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 56422bfd

MODULE_NAME: win32k

FAULTING_MODULE: 97d40000 win32k

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD6

PROCESS_NAME: c3.exe

CURRENT_IRQL: 2

TRAP_FRAME: 823438f4 -- (.trap 0xffffffff823438f4)
ErrCode = 00000000
eax=feebd010 ebx=82343c3c ecx=823439a0 edx=00000090 esi=82343b04 edi=ff7bf000
eip=97e59d41 esp=82343968 ebp=82343968 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
win32k!EPOINTQF::operator+=+0x8:
97e59d41 8b10 mov edx,dword ptr [eax] ds:0023:feebd010=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82d1fce7 to 82cbb308

STACK_TEXT:
82343444 82d1fce7 00000003 c87c81e7 00000065 nt!RtlpBreakWithStatusInstruction
82343494 82d207e5 00000003 00000000 00000002 nt!KiBugCheckDebugBreak+0x1c
82343858 82cce3c1 00000050 feebd010 00000000 nt!KeBugCheck2+0x68b
823438dc 82c80be8 00000000 feebd010 00000000 nt!MmAccessFault+0x104
823438dc 97e59d41 00000000 feebd010 00000000 nt!KiTrap0E+0xdc
82343968 97e59eb0 feebd010 00000000 82343b04 win32k!EPOINTQF::operator+=+0x8
823439d0 97e1c0d1 00000090 00000090 00000000 win32k!ESTROBJ::vCharPos_G2+0x150
82343a0c 97d956f2 82343cd0 00000004 82343c1c win32k!ESTROBJ::vInit+0x3cb
82343c2c 97d958b5 00000000 82343cd0 fefa8cf0 win32k!GreGetTextExtentExW+0x12a
82343d0c 82c7da06 310107b4 00860b48 00000004 win32k!NtGdiGetTextExtentExW+0x141
82343d0c 775571b4 310107b4 00860b48 00000004 nt!KiSystemServicePostCall
0016ef10 75aec5fe 75aec5e9 310107b4 00860b48 ntdll!KiFastSystemCallRet
0016ef14 75aec5e9 310107b4 00860b48 00000004 GDI32!NtGdiGetTextExtentExW+0xc
0016ef3c 76078e97 310107b4 00860b48 00000004 GDI32!GetTextExtentExPointWPri+0x21
0016ef6c 76055dce 310107b4 00860b48 0016f06c USP10!GDIPlace+0x37
0016ef90 7606186d 310107b4 008608f4 00860b48 USP10!ScriptPlace+0xee
0016efec 76062af6 00000000 00000000 0016f06c USP10!RenderItemNoFallback+0x2ed
0016f018 76062da2 00000000 00000000 0016f06c USP10!RenderItemWithFallback+0xe6
0016f03c 76064339 00000000 0016f06c 008608f4 USP10!RenderItem+0x22
0016f080 76057a04 000020a0 00002000 310107b4 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0016f098 76101736 310107b4 00860810 00000005 USP10!ScriptStringAnalyse+0x284
0016f0e4 761018c1 310107b4 0016f78c 00000005 LPK!LpkStringAnalyse+0xe5
0016f1e0 761017b4 310107b4 a0c369de 00000000 LPK!LpkCharsetDraw+0x332
0016f214 75b456e9 310107b4 a0c369de 000000c7 LPK!LpkDrawTextEx+0x40
0016f254 75b45e48 310107b4 00000038 000000c7 USER32!DT_DrawStr+0x13c
0016f288 75b42209 310107b4 000000c7 0016f78c USER32!DT_DrawJustifiedLine+0x5f
0016f3c8 75b42d01 310107b4 000000c7 0016f78c USER32!AddEllipsisAndDrawLine+0x187
0016f474 75b458c2 310107b4 ffffffff 00000005 USER32!DrawTextExWorker+0x1b0
0016f498 73e04e27 310107b4 0016f78c 00000005 USER32!DrawTextExW+0x1e
0016f648 73e04f27 00476338 310107b4 0000000e uxtheme!CTextDraw::DrawTextW+0x817
0016f688 73e1f4ba 006928d0 310107b4 0000000e uxtheme!DrawThemeText+0x69
0016f998 73e11ede 000a0116 0016fc64 0016fa54 uxtheme!CThemeMenuPopup::DrawItem+0x30d
0016f9b0 73e11eae 000a0116 00000000 0016fc64 uxtheme!CThemeMenu::OnDrawItem+0x26
0016f9f4 73e01d8c 004776f8 00000092 00000000 uxtheme!CThemeWnd::_PreDefWindowProc+0x164
0016fa58 73e05dda 00000000 00000000 00000000 uxtheme!_ThemeDefWindowProc+0x8d
0016fa74 75b3c6bf 000a0116 00000092 00000000 uxtheme!ThemeDefWindowProcA+0x18
0016fabc 00d7157c 000a0116 00000092 00000000 USER32!DefWindowProcA+0x68
WARNING: Stack unwind information not available. Following frames may be wrong.
0016fb10 75b4c4f7 000a0116 00000092 00000000 c3+0x157c
0016fb3c 75b4c5f7 00d71430 000a0116 00000092 USER32!InternalCallWinProc+0x23
0016fbb4 75b44f1b 00000000 00d71430 000a0116 USER32!UserCallWinProcCheckWow+0x14b
0016fc14 75b6707e 00dc7e60 00000092 00000000 USER32!DispatchClientMessage+0xe6
0016fc40 775570ee 0016fc58 00000088 0016fd88 USER32!__fnINLPUAHDRAWMENUITEM+0x3e
0016fcdc 75b94b87 00d71737 000a0116 310107b4 ntdll!KiUserCallbackDispatcher+0x2e
0016fce0 00d71737 000a0116 310107b4 0016fd38 USER32!NtUserDrawMenuBarTemp+0xc
0016fd4c 00d71a31 00000001 0019d028 0019b808 c3+0x1737
0016fd98 75ccee6c 7ffd6000 0016fde4 77573ab3 c3+0x1a31
0016fda4 77573ab3 7ffd6000 774bbc8c 00000000 kernel32!BaseThreadInitThunk+0xe
0016fde4 77573a86 00d71aae 7ffd6000 00000000 ntdll!__RtlUserThreadStart+0x70
0016fdfc 00000000 00d71aae 7ffd6000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!EPOINTQF::operator+=+8
97e59d41 8b10 mov edx,dword ptr [eax]

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: win32k!EPOINTQF::operator+=+8

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0xD6_VRF_win32k!EPOINTQF::operator+=+8

BUCKET_ID: 0xD6_VRF_win32k!EPOINTQF::operator+=+8

Followup: MachineOwner
---------