Debugging Stop 0xFC – ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY

I’ve found a Minidump, in which I finally show the !pte extension, with this example a driver has attempted to execute a non-executable region of memory. Basically, a device driver has referenced a invalid memory address.

The first parameter is the virtual address which was referenced by the device driver. The !pte shows the mapping between the virtual and physical memory address, the PDE is the address of the Page Directory Entry. 

I’ve highlighted the PTE Status bits and Protection bits, and here is where I will explain what the currenty set bits mean:

D (Dirty) – The page has been written to previously. 

A (Accessed) – The page has been read.

K (Kernel Mode) – The page has a Kernel Mode owner.

W – The page is writtable and able to written to.

E – The page is executable.

V – The page is valid, and has a physical page corresponding to it.

There are a few other PTE bits, which are not with this current example, although, I’ll quickly explain them here:

C = Copy on Write (explained here)

G = Global; address translation will apply to all processes.

L = Large Page (not set means a Small Page).

Please note, that with many x86 systems which do not support the hardware execute/non-execute bit, the E may still be displayed.

There wasn’t much information within the dump file, so with this example, I’ll recommend running Driver Verifier.



Advertisements

About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s