0x139_3_CORRUPT_LIST_ENTRY_injdrv in InjCreateInjectionInfo while calling InsertTailList #24

Closed
curie71 opened this issue Nov 10, 2023 · 1 comment

curie71 commented Nov 10, 2023


                    Bugcheck Analysis 

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff208510c9970, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff208510c98c8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:

"C:\Windows\System32\KERNELBASE.dll" was not found in the image list.
Debugger will attempt to load "C:\Windows\System32\KERNELBASE.dll" at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 00000000`00000000

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 2171

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 693889

Key  : Analysis.IO.Other.Mb
Value: 15

Key  : Analysis.IO.Read.Mb
Value: 4

Key  : Analysis.IO.Write.Mb
Value: 27

Key  : Analysis.Init.CPU.mSec
Value: 1734

Key  : Analysis.Init.Elapsed.mSec
Value: 11687220

Key  : Analysis.Memory.CommitPeak.Mb
Value: 97

Key  : Bugcheck.Code.DumpHeader
Value: 0x139

Key  : Bugcheck.Code.KiBugCheckData
Value: 0x139

Key  : Bugcheck.Code.Register
Value: 0x3

Key  : FailFast.Name
Value: CORRUPT_LIST_ENTRY

Key  : FailFast.Type
Value: 3

Key  : WER.OS.Branch
Value: 19h1_release

Key  : WER.OS.Timestamp
Value: 2019-03-18T12:02:00Z

Key  : WER.OS.Version
Value: 10.0.18362.1

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: fffff208510c9970

BUGCHECK_P3: fffff208510c98c8

BUGCHECK_P4: 0

TRAP_FRAME: fffff208510c9970 -- (.trap 0xfffff208510c9970)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffda084ac90b90 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff804756b6370 rsi=0000000000000000 rdi=0000000000000000
rip=fffff804756b1772 rsp=fffff208510c9b08 rbp=fffff208510c9c89
 r8=0000000000000000  r9=0000000000000fff r10=ffffa20003219000
r11=fffff208510c9b30 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
injdrv+0x1772:
fffff804`756b1772 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD: fffff208510c98c8 -- (.exr 0xfffff208510c98c8)
ExceptionAddress: fffff804756b1772 (injdrv+0x0000000000001772)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

PROCESS_NAME: ngentask.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
fffff208510c8ea8 fffff804720a9522 : 0000000000000003 0000000000000003 fffff208510c9010 fffff80471f1db90 : nt!DbgBreakPointWithStatus
fffff208510c8eb0 fffff804720a8c12 : 0000000000000003 fffff208510c9010 fffff80471fd5b60 0000000000000139 : nt!KiBugCheckDebugBreak+0x12
fffff208510c8f10 fffff80471fc15e7 : ffffda084a8f6ae0 fffff80471e40b8a fffff208510c9c60 00000000ffff7fff : nt!KeBugCheck2+0x952
fffff208510c9610 fffff80471fd32e9 : 0000000000000139 0000000000000003 fffff208510c9970 fffff208510c98c8 : nt!KeBugCheckEx+0x107
fffff208510c9650 fffff80471fd3710 : 0000000000000000 0000000000000000 ffffb28a8afb1730 fffff208510c9840 : nt!KiBugCheckDispatch+0x69
fffff208510c9790 fffff80471fd1aa5 : ffffda083f267300 fffff80472460351 0000000000000000 0000000000000000 : nt!KiFastFailDispatch+0xd0
fffff208510c9970 fffff804756b1772 : fffff804756b182d 0000000000000000 0000000000000000 00000000000000c8 : nt!KiRaiseSecurityCheckFailure+0x325
fffff208510c9b08 fffff804756b182d : 0000000000000000 0000000000000000 00000000000000c8 fffff80471f9fb13 : injdrv+0x1772
fffff208510c9b10 fffff804756b2a61 : fffff804756b6370 fffff804756b6370 0000000000000000 fffff8047216f06d : injdrv+0x182d
fffff208510c9b40 fffff804756b28d8 : fffff804756b6370 0000000000000030 ffffda0800000000 fffff80474dea5a0 : injdrv+0x2a61
fffff208510c9b70 fffff804756b19b7 : fffff804756b6370 ffffda084ac90b90 ffffda0843c089a0 ffffda0800000000 : injdrv+0x28d8
fffff208510c9bb0 fffff804756b19e7 : 0000000000000000 0000000000000380 ffffda0843c08970 ffffda084a0d72c0 : injdrv+0x19b7
fffff208510c9bf0 fffff804723cd996 : ffffda084a0d72c0 0000000000000380 fffff208510c9c60 0000000000000000 : injdrv+0x19e7
fffff208510c9c20 fffff8047245da9c : ffffffff00000000 fffff208510caa10 fffff208510ca301 ffffda084b41d120 : nt!PspCallProcessNotifyRoutines+0x212
fffff208510c9cf0 fffff8047242fba4 : ffffda084aec60c0 ffffda084a0d72c0 fffff208510ca4b0 fffff208510ca370 : nt!PspInsertThread+0x5e8
fffff208510c9de0 fffff80471fd2d18 : 00000000004ffda0 0000000000774000 0000000000000000 0000000000000000 : nt!NtCreateUserProcess+0x964
fffff208510caa90 00007ffd54ddd934 : 00007ffd52fa04f8 00007ffd00580058 0000000000a901dc 00000000004fe050 : nt!KiSystemServiceCopyEnd+0x28
00000000004fdd28 00007ffd52fa04f8 : 00007ffd00580058 0000000000a901dc 00000000004fe050 0000000000a901c0 : ntdll!NtCreateUserProcess+0x14
00000000004fdd30 00007ffd52f9fce0 : 00000000004fe050 00000000004fdef8 0000000002000000 0000000002000000 : wow64!Wow64NtCreateUserProcess+0xe4
00000000004fde10 00007ffd52f97123 : 00000000005fea01 0000000000774000 00007ffd52f9f790 0000000000000000 : wow64!whNtCreateUserProcess+0x550
00000000004fe0f0 00000000777f1783 : 0000002377871e7c 00007ffd54d90023 0000000000000000 00000000005fdf4c : wow64!Wow64SystemServiceEx+0x153
00000000004fe9b0 00000000777f1199 : 00000000005ff61c 00007ffd52f9c864 00000000004fea80 00007ffd52f9bf58 : wow64cpu!ServiceNoTurbo+0xb
00000000004fea60 00007ffd52f9c77a : 0000000000773000 0000000000450080 0000000000000000 00000000004ff2e0 : wow64cpu!BTCpuSimulate+0x9
00000000004feaa0 00007ffd52f9c637 : 0000000000000000 0000000000912178 0000000000000000 0000000000000000 : wow64!RunCpuSimulation+0xa
00000000004fead0 00007ffd54e13fb3 : 0000000000772000 0000000000772000 00007ffd54e6d4c0 0000000000000010 : wow64!Wow64LdrpInitialize+0x127
00000000004fed80 00007ffd54e01db5 : 0000000000000001 0000000000000000 0000000000000000 0000000000000001 : ntdll!LdrpInitializeProcess+0x186b
00000000004ff1c0 00007ffd54db1853 : 0000000000000000 00007ffd54d40000 0000000000000000 0000000000774000 : ntdll!_LdrpInitialize+0x50549
00000000004ff260 00007ffd54db17fe : 00000000004ff2e0 0000000000000000 0000000000000000 0000000000000000 : ntdll!LdrpInitialize+0x3b
00000000004ff290 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!LdrInitializeThunk+0xe

SYMBOL_NAME: injdrv+1772

MODULE_NAME: injdrv

IMAGE_NAME: injdrv.sys

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 1772

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_injdrv!unknown_function

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {b45b9d7e-89f1-dfe2-8192-89894ee49511}

Followup: MachineOwner

7: kd> .trap 0xfffff208510c9970
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffda084ac90b90 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff804756b6370 rsi=0000000000000000 rdi=0000000000000000
rip=fffff804756b1772 rsp=fffff208510c9b08 rbp=fffff208510c9c89
 r8=0000000000000000  r9=0000000000000fff r10=ffffa20003219000
r11=fffff208510c9b30 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
injdrv+0x1772:
fffff804`756b1772 cd29            int     29h

k
*** Stack trace for last set context - .thread/.cxr resets it

Child-SP RetAddr Call Site

00 fffff208510c9b08 fffff804756b182d injdrv+0x1772
01 fffff208510c9b10 fffff804756b2a61 injdrv+0x182d
02 fffff208510c9b40 fffff804756b28d8 injdrv+0x2a61
03 fffff208510c9b70 fffff804756b19b7 injdrv+0x28d8
04 fffff208510c9bb0 fffff804756b19e7 injdrv+0x19b7
05 fffff208510c9bf0 fffff804723cd996 injdrv+0x19e7
06 fffff208510c9c20 fffff8047245da9c nt!PspCallProcessNotifyRoutines+0x212
07 fffff208510c9cf0 fffff8047242fba4 nt!PspInsertThread+0x5e8
08 fffff208510c9de0 fffff80471fd2d18 nt!NtCreateUserProcess+0x964
09 fffff208510caa90 00007ffd54ddd934 nt!KiSystemServiceCopyEnd+0x28
0a 00000000004fdd28 00007ffd52fa04f8 ntdll!NtCreateUserProcess+0x14
0b 00000000004fdd30 00007ffd52f9fce0 wow64!Wow64NtCreateUserProcess+0xe4
0c 00000000004fde10 00007ffd52f97123 wow64!whNtCreateUserProcess+0x550
0d 00000000004fe0f0 00000000777f1783 wow64!Wow64SystemServiceEx+0x153
0e 00000000004fe9b0 00000000777f1199 wow64cpu!ServiceNoTurbo+0xb
0f 00000000004fea60 00007ffd52f9c77a wow64cpu!BTCpuSimulate+0x9
10 00000000004feaa0 00007ffd52f9c637 wow64!RunCpuSimulation+0xa
11 00000000004fead0 00007ffd54e13fb3 wow64!Wow64LdrpInitialize+0x127
12 00000000004fed80 00007ffd54e01db5 ntdll!LdrpInitializeProcess+0x186b
13 00000000004ff1c0 00007ffd54db1853 ntdll!_LdrpInitialize+0x50549
14 00000000004ff260 00007ffd54db17fe ntdll!LdrpInitialize+0x3b
15 00000000004ff290 0000000000000000 ntdll!LdrInitializeThunk+0xe

curie71 commented Apr 17, 2024

solved by #19

curie71 closed this as completed Apr 17, 2024