Debugging Stop 0xC4 – Pool Allocation Error

A Stop 0xC4 is thrown by Driver Verifier and is typically very easy to debug. However, I thought I would show a few aspects of the bugcheck which are useful for identifying how the crash occurred and how you can find this information using WinDbg.

There are three key parameters for a Stop 0xC4: the first parameter, third parameter and fourth parameter.

BugCheck C4, {2000, fffff80f5527b048, 0, 56706353}
Probably caused by : ScpVBus.sys ( ScpVBus+b048 )

The first parameter indicates that the caller of the function was expecting a non-executable pool allocation, however, was provided with a executable pool allocation instead. The third parameter provides the pool type for the allocation.

We can find the pool type enumeration values within the POOL_TYPE enumeration.

: kd> dt nt!_POOL_TYPE
   NonPagedPool = 0n0
   NonPagedPoolExecute = 0n0
   PagedPool = 0n1
   NonPagedPoolMustSucceed = 0n2
   DontUseThisType = 0n3
   NonPagedPoolCacheAligned = 0n4
   PagedPoolCacheAligned = 0n5
   NonPagedPoolCacheAlignedMustS = 0n6
   MaxPoolType = 0n7
   NonPagedPoolBase = 0n0
   NonPagedPoolBaseMustSucceed = 0n2
   NonPagedPoolBaseCacheAligned = 0n4
   NonPagedPoolBaseCacheAlignedMustS = 0n6
   NonPagedPoolSession = 0n32
   PagedPoolSession = 0n33
   NonPagedPoolMustSucceedSession = 0n34
   DontUseThisTypeSession = 0n35
   NonPagedPoolCacheAlignedSession = 0n36
   PagedPoolCacheAlignedSession = 0n37
   NonPagedPoolCacheAlignedMustSSession = 0n38
   NonPagedPoolNx = 0n512
   NonPagedPoolNxCacheAligned = 0n516
   NonPagedPoolSessionNx = 0n544

The fourth parameter contains the address of the pool tag. We can use the .formats command with the address to obtain the stored string and then reverse the string to provide the pool tag. This string can then be used with the !pooltag extension to provide the name of the driver. Although, it should be noted that the !pooltag extension will only provide definitions for drivers defined within the pooltag.txt file.

1: kd> .formats 56706353
Evaluate expression:
  Hex:     00000000`56706353
  Decimal: 1450206035
  Octal:   0000000000012634061523
  Binary:  00000000 00000000 00000000 00000000 01010110 01110000 01100011 01010011
  Chars:   ....VpcS
  Time:    Tue Dec 15 11:00:35 2015
  Float:   low 6.60773e+013 high 0
  Double:  7.16497e-315

The reverse of VpcS is ScpV.

1: kd> !pooltag ScpV
Pooltag ScpV
Description: Mass storage driver tags

It appears that the pool tag is a generic tag used for a wide range of mass storage devices.

Using the lmvm command with the driver from the bugcheck description, we can see that the driver which potentially caused the crash was related to a bus driver.

1: kd> lmvm ScpVBus
Browse full module list
start             end                 module name
fffff80f`55270000 fffff80f`5527e000   ScpVBus  T (no symbols)           
    Loaded symbol image file: ScpVBus.sys
    Image path: ScpVBus.sys
    Image name: ScpVBus.sys
    Browse all global symbols  functions  data
    Timestamp:        Sun May  5 14:31:26 2013 (5186CFAE)
    CheckSum:         00010BD7
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

To be specific, the driver was a third-party bus driver related to Dual Shock 3.

In addition to this, we can use the second parameter as the return address to find who called the faulting instruction. Again, this appears to be point to our third-party bus driver.

1: kd> knL
 # Child-SP          RetAddr           Call Site
00 ffffd801`60fb70f8 fffff802`7bdf803f nt!KeBugCheckEx
01 ffffd801`60fb7100 fffff802`7b8d9cef nt!VerifierBugCheckIfAppropriate+0x6b
02 ffffd801`60fb7140 fffff802`7bdef8b0 nt!VfReportIssueWithOptions+0x103
03 ffffd801`60fb7190 fffff802`7be05b3a nt!VfCheckPoolType+0x90
04 ffffd801`60fb71d0 fffff80f`5527b048 nt!VerifierExInitializeNPagedLookasideList+0x5a
05 ffffd801`60fb7250 ffffa60f`94f55410 ScpVBus+0xb048
06 ffffd801`60fb7258 00000000`00000000 0xffffa60f`94f55410

Using the ub command on the return address we can see that the disassembly reveals several calls involving the ScpVBus.

1: kd> ub fffff80f`5527b048
fffff80f`5527b027 53              push    rbx
fffff80f`5527b028 637056          movsxd  esi,dword ptr [rax+56h]
fffff80f`5527b02b 488d0d4ea3ffff  lea     rcx,[ScpVBus+0x5380 (fffff80f`55275380)]
fffff80f`5527b032 4533c9          xor     r9d,r9d
fffff80f`5527b035 4533c0          xor     r8d,r8d
fffff80f`5527b038 33d2            xor     edx,edx
fffff80f`5527b03a 48c740d818000000 mov     qword ptr [rax-28h],18h
fffff80f`5527b042 ff15d88fffff    call    qword ptr [ScpVBus+0x4020 (fffff80f`55274020)]
Posted in Uncategorized | Leave a comment

Release of WinDbg Preview for Windows 10

Microsoft have decided to release a new version of WinDbg with a new UI. The UI has been designed to provide WinDbg with a more contemporary appearance, and more importantly, provide easier access to some of the important features of WinDbg such as the Registers window and the Command output window.

WinDbg Preview – Dark Theme

I’ve only started to use the preview version of WinDbg today, however, I have noted that once a dump file has been loaded into the debugger, the last line of the call stack is also printed. In addition to this, you’re also now able to switch between a light and dark themed Windbg, which is a feature that I quite enjoy using, especially if you’re potentially using WinDbg for long periods of time.

The underlying engine is the exact same at the moment, and therefore all the usual extensions and commands will work with this version of WinDbg. Although, I feel that debugger is rather sluggish against its current counterpart, despite the fact, that Microsoft have stated it has been designed to be smoother!

For more details, please visit the following blog post on Debugging Tools for Windows, which also provides the download link for the debugger. Please note that Microsoft have made no intentions yet to release the preview version for other operating system builds such as Windows 7. Although, I suspect that further alterations will be made to this version of WinDbg in the future, which will hopefully allow backwards compatibility with earlier operating systems.




Posted in Debugging, WinDbg | Leave a comment

Some Notes on the Goldbach Conjecture

The Goldbach Conjecture is a very simple conjecture to understand providing you have some basic knowledge about primes. It is one of those conjectures which is very easy to comprehend, but fiendishly difficult to solve. It was first conceived during a letter written by Goldbach to Euler in 1742. There is currently a strong and weak version of the Goldbach Conjecture, with the weak conjecture actually being the original conjecture.


xkcd: Goldbach Conjectures

The original conjecture asks to prove that all positive integers greater than 2 are equivalent to the sum of three primes, the only problem with the original conjecture, is that Goldbach considered the unit “1” to be prime, which has now been dismissed in Mathematics. However, the conjecture has been restated by Euler to the following modern equivalent, which is known as the strong Goldbach Conjecture (sometimes referred to as the binary Goldbach Conjecture):

Strong Goldbach Conjecture: Every positive even integer greater than or equal to 4, can be expressed as the sum of two primes.

The conjecture can also be expressed using the totient function:

\phi (p) + \phi (q) = 2m,

where m is a positive integer and p and q are both prime numbers. The totient function can be defined as the following (p is prime):

\phi(p) = p - 1

The weaker version of the Goldbach conjecture asks a slightly different question, and is as follows:

Weak Goldbach Conjecture: Every odd integer greater than or equal to 9, can be expressed as the sum of three odd primes.

Similarly, Levy’s Conjecture claims that all odd integers greater than or equal to 7, can be expressed the sum of prime and twice a prime.

p + 2q = n, where n is a positive integer greater than or equal to 7, and p and q are both primes.

Goldbach Number:

Goldbach numbers are any positive even integers which are the sum of two odd primes.

Goldbach Partition:

The Goldbach Partition is the number of ways in which a positive even integer n, can be written as the sum of two primes. The function which produces these partitions is called the Goldbach Partition function G(n). It is defined in the following manner:

G(n) = #{(p, q) | n = p + q, p \le q}

 Methods for proving the Goldbach Conjecture:

The two most common methods which have been used for solving the Goldbach Conjecture involve the Hardy-Littlewood Method along with a number of different sieving methods which have been used to produce greater asymptotic bounds on the distribution of which natural numbers can be written as Goldbach Partitions.


Goldbach Conjecture – Wolfram MathWorld

Goldbach Partition – Wolfram MathWorld

Goldbach Number – Wolfram MathWorld

On Partitions of Goldbach’s Conjecture (Woon)
















Posted in Uncategorized | 1 Comment

Project Euler: Problem 29

Problem 29 is actually a very easy problem to solve, but I will not provide the direct code, however, instead will provide the answer to the problem along with some insight into how to solve the problem using Java or a similar programming language.

The solution for the problem is 9183.

There are three key constructs which you will need to include in your code, and these are:

  • Nested For-loop
  • Power function
  • A collection to hold the sequence of numbers generated from the power function.

If you use the above programming constructs within your problem, then you’ll the solution to the problem almost instantly. A important point to remember is to consider the size of the numbers which will be generated, and which data types will be able to hold such large numbers (integers won’t work!).




Posted in Uncategorized | Leave a comment

Understanding Atom Tables

Atom Tables have been a structure on Windows which I wanted to investigate for a while, but only have managed to find the time to write about now.

Atom Tables enable strings to be encoded by with a 16-bit integer (an atom) which can then be shared among different processes. The encoded strings stored within the table are then referred to as atom names. There is two forms of Atom Table: Global Atom Table defined for all processes on the system and Local Atom Table which is defined privately for process which created the table.

Following from this, there are two types of Atom; String Atoms and Integer Atoms. The type which I had mentioned in the first paragraph refers to String Atoms.

For a String Atom, a string is passed to GlobalAddAtom or AddAtom, either function then returns a 16-bit integer which can be used to access the string stored within the atom table. We can use the GlobalFindAtom or FindAtom functions to do so.

Properties of String Atoms:

  • The values returned are within the range of 0xC000 to 0xFFFF.
  • The string can be no longer than 255 bytes in size.
  • The reference count associated with each atom name, is incremented when the string is added to the table, and decremented when a string is removed from the table. The atom is only removed from the atom table when the atom name reference count has decremented to 0.

Properties of Integer Atoms:

  • The values given are within the range of 0x0001 to 0xBFFF.
  • There is no reference count or storage limitations associated.

The Atom Table has the following structure:

0: kd> dt _RTL_ATOM_TABLE
+0x000 Signature : Uint4B
+0x004 ReferenceCount : Int4B
+0x008 PushLock : _EX_PUSH_LOCK
+0x010 ExHandleTable : Ptr64 _HANDLE_TABLE
+0x018 Flags : Uint4B
+0x01c NumberOfBuckets : Uint4B
+0x020 Buckets : [1] Ptr64 _RTL_ATOM_TABLE_ENTRY

Each entry within the atom table is then represented with the following structure:

   +0x000 HashLink         : Ptr64 _RTL_ATOM_TABLE_ENTRY
   +0x008 HandleIndex      : Uint2B
   +0x00a Atom             : Uint2B
   +0x010 Reference        : _RTL_ATOM_TABLE_REFERENCE
   +0x028 NameLength       : UChar
   +0x02a Name             : [1] Wchar

You can dump a Local Atom Table with the !atom extension, and dump a Global Atom Table with the !gatom extension. Here is an example of !gatom:

6: kd> !gatom

Global atom table c00c( 1) = Protocols (18) pinned
c031( 1) = Button (12)
c042( 1) = msctls_updown32 (30)
c00d( 1) = Topics (12) pinned
c00e( 1) = Formats (14) pinned
c024( 1) = TaskbandHWND (24)
c04b( 1) = SysIPAddress32 (28)
c023(47) = OleEndPointID (26)
c04a( 1) = RichEdit20W (22)
c02b( 1) = _IDH_ALTTAB_STICKY_PREV (46)
c032( 1) = Static (12)
c02d( 1) = _IDH_WINALTTAB_PREV (38)
c045( 1) = SysTreeView32 (26)
c018( 1) = UxSubclassInfo (28) pinned
c03c( 1) = msctls_hotkey32 (30)
c044( 1) = tooltips_class32 (32)
c046( 1) = SysMonthCal32 (26)
c047( 1) = SysDateTimePick32 (34)
c007( 1) = StdShowItem (22) pinned
c053( 1) = ClipboardDataObjectInterface (56)
c011( 1) = True (8) pinned
c03f( 1) = SysListView32 (26)
c04c( 1) = UIAE{46a56456-04b6-4a08-a2bd-9a764fc58246} (84)
c010( 1) = EditEnvItems (24) pinned
c01c( 1) = PROGMAN (14)
c02a( 1) = _IDH_ALTTAB_STICKY_NEXT (46)
c04e( 1) = MozillaPluginWindowPropertyAssociation (76)
c012( 1) = False (10) pinned
c02c( 1) = _IDH_WINALTTAB_NEXT (38)
c03e( 1) = msctls_trackbar32 (34)
c015( 1) = Close (10) pinned
c021( 4) = AllowConsentToStealFocus (48)
c038( 1) = ToolbarWindow32 (30)
c04d( 2) = MSAA_*FCFFFFFF00000000 (44)

The first column is the entry within the atom table, the number represents the unique 16-bit decimal representation of the string assigned to that atom; I believe the second column is the the number entries within that bucket and the last column is the number of references. Atom Tables are based upon the Hash Table data structure.


Posted in Computer Science, WinDbg, Windows Internals | Leave a comment

Learning the Importance of Mathematics

Tonight, I thought I would write about how I came to become so interested in Mathematics; and the importance of Mathematics in scienfic disciplines; and more importantly the importance of Mathematics in our everyday life.

Mathematics, in my opinion, is a universal language which can be understood by everyone providing they know how to write and read Mathematics; it is very much like how English has become the universal language within Business and Latin has become the universal language when classifying new species; Mathematics is the fundamental language of scienfic disciplines and the language which we speak everyday.

I would not consider myself to be a Mathematician of any sorts, since quite honestly, I do not like every area of Maths. I loathe Differential Equations and Calculus. However, the main areas of interest to me are the following: Graph Theory, Number Theory, Set Theory/Logic and Abstract Algebra. There is something about these areas in which I have a particular interest with.

Alan Turing, one of my heroes and favorite Mathematicians.

Alan Turing, one of my heroes and favorite Mathematicians.

I never really appreciated or learned Maths until after leaving secondary school at the age of 15. The culture of the school at the time, was that Maths is one of those subjects which is useless and abstract and a pass in the subject would be suffice. Ironically, I had a deep interest in the Natural Sciences (Biology, Chemistry and Physics), achieving two A*s and an A. I only bothered to pass my Maths class since I adopted the culture which was a popular at my school, a serious mistake which I regret and wish I could reverse.

I believe Mathematics is poorly taught at schools – it certainly was at my school – and the importance of Mathematics isn’t fully expressed by teachers, ask any person who doesn’t have an interest in Maths, and I guarantee that if you asked them, what do you think Maths is about? They will immediately answer with either Numbers or Equations. This is not what Mathematics is about, it is about rigorous and rational thinking; an application of intuition and abstract though to find solutions to complex puzzles which provide important applications to our understanding of our beautiful and weird Universe.

Once we overcome the stereotypical perception that Maths can only be exploited by intellectuals and academics, we will finally begin to overcome the bottleneck created by ourselves, to enable everyone learn, appreciate and apply Mathematics to their everyday life. Mathematics can be learned and appreciated by anyone, it is finding that dedication, enthusiasm and motivation to begin exploring a very interesting subject!



Posted in Mathematics | Leave a comment

The Fundamental Laws of Logic

The Fundamental Laws of Logic or the Classic Laws of Thought may be redundant in some respects; the introduction of propositional logic and fuzzy logic has meant that some of the axioms (some disrupted to be axioms) these laws are not always applicable when discussing situations regarding logic like the construction of mathematical proofs. The three laws are still used in most systems of logic, and consist of the following:

Law of Contradiction:

Let P be any proposition, then the law of contradiction states that:

\forall P, \sim (P \wedge \sim P)

The above statement states that it is impossible for both P and the negation of P to both be true at the same time. For example, an even number can’t also be odd (or non-even), it is either even or odd.

Law of Excluded Middle:

Let P be any proposition, then the law of excluded middle states that:

P \vee \sim P

The mentioned statement asserts that the proposition P is either true or it is false, it is not possible for both P and the negation of P to be both true.

Principle of Identity:

Let X be some proposition or variable, then the principle of identity asserts that:

\forall X, X = X

The principle of identity implies that for all instances of the object named X, each instance is exactly the same as each other.

Extensions to the Fundamental Laws of Logic

There have been some additions by Logicians to the traditional laws of thought, Leibniz added two of these laws, which are as follows:

Principle of Sufficient Reason:

The principle of sufficient reason is simple and self explanatory within the name; it states that nothing is without reason, and thus every event has a cause. This forms the basis of our rational thinking and of scientific method.

In some aspects, the principle of sufficient reason can be used to contest the notion of free will; the paradox of free will indicates that while we are given free will, we are not truly free since God created us and the rules which are used to control the game known as life.

The principle additionally shows us that for something to not exist, then there must be a reason for that object’s non existence; the principle also has given rise to the philosophical concept of Necessitarianism.

Identity of Indiscernibles:

This is slightly more interesting than Leibniz’s other principle, it implies that no two distinct objects are exactly identical, even though that it may appear to be that way. This statement can be summarised in the following formula:

\forall P (Px \leftrightarrow Py) \rightarrow x = y, where P denotes the property.

The above principle can be counter intuitive in some circumstances, especially when considering hypothetical situations. For instance, what if the property which distinguishes the two objects is shared by both of the objects?


In the future, I’m intending to write some more philosophical posts regarding Logic and Mathematics, however, due to other commitments it may be a while before anything else is written on this blog.












Posted in Uncategorized | Leave a comment