Thursday 16 May 2013

!error and NTSTATUS Errors

This is going to be a very short post, but I still feel it's important to understand how to use the !error extension to extract readable, understandable information about an NTSTATUS error.

Here's the current list of NTSTATUS values: 2.3.1 NTSTATUS values

NTSTATUS values are used by kernel-mode drivers that implement standard driver routines and driver support routines. Many driver routines return an NTSTATUS value as their return type, and that value reports one of four kinds of result: a success value, an informational value, a warning, or an error value.

We can therefore pass the NTSTATUS value shown in a dump to the !error extension:


Stop: 0x0000007E (0xC000005, 0x95E5529C, 0xA12C0B40, 0xA12C0720

Here's a little snippet I've taken from a dump. Notice the 0xC000005: this is an NTSTATUS error, and we can use the !error extension with this value to display the following result:


STATUS_ACCESS_VIOLATION

The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
This is usually due to drivers referencing invalid memory addresses.
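To show what !error is doing behind the scenes, here is an added example (my own code, not part of the original post or of WinDbg) that decodes an NTSTATUS value into its documented fields: severity (bits 31-30), customer bit (29), facility (bits 27-16) and code (bits 15-0), and then applies that to the first parameter of the 0x7E stop line above, since for bugcheck 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) parameter 1 is the exception's NTSTATUS. The sample stop lines and the small name table are constructed for the example; the table only lists codes I am certain of, with STATUS_ACCESS_VIOLATION being 0xC0000005. It also handles the edge case visible on this page: the value quoted from the dump has only seven hex digits, and decoding it exactly as written gives a very different (and wrong) answer, which is a useful reminder to check the width of a value before trusting what !error, or any decoder, tells you.

```python
"""Decode NTSTATUS values the way !error does, applied to a 0x7E stop line.

Added example, not the post's or WinDbg's own code. The bit layout is the
documented NTSTATUS layout; KNOWN holds only a small subset of the table.
"""
import re
from dataclasses import dataclass

SEVERITY = {0: "STATUS_SEVERITY_SUCCESS", 1: "STATUS_SEVERITY_INFORMATIONAL",
            2: "STATUS_SEVERITY_WARNING", 3: "STATUS_SEVERITY_ERROR"}

# Known-good subset of the NTSTATUS table (see 2.3.1 in the linked reference).
KNOWN = {
    0x00000000: "STATUS_SUCCESS",
    0x00000103: "STATUS_PENDING",
    0x80000001: "STATUS_GUARD_PAGE_VIOLATION",
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000002: "STATUS_NOT_IMPLEMENTED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000006: "STATUS_IN_PAGE_ERROR",
    0xC000000D: "STATUS_INVALID_PARAMETER",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}


@dataclass
class NtStatus:
    value: int
    severity: str
    customer: bool   # bit 29: set for vendor-defined (non-Microsoft) codes
    facility: int    # bits 27-16
    code: int        # bits 15-0
    name: str


def decode_ntstatus(value: int) -> NtStatus:
    """Split a 32-bit NTSTATUS into its fields and look up the symbolic name."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NTSTATUS is a 32-bit value")
    return NtStatus(
        value=value,
        severity=SEVERITY[(value >> 30) & 0x3],
        customer=bool((value >> 29) & 0x1),
        facility=(value >> 16) & 0xFFF,
        code=value & 0xFFFF,
        name=KNOWN.get(value, "<unknown: look it up in the NTSTATUS table>"),
    )


# Matches 'Stop: 0x0000007E (p1, p2, p3, p4' and tolerates a missing ')'.
STOP_RE = re.compile(r"Stop:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)")


def parse_stop_line(line: str):
    """Return (bugcheck_code, [parameters]) parsed from a 'Stop:' line."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("not a Stop line")
    bugcheck = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",") if p.strip()]
    return bugcheck, params


def describe_0x7e(line: str) -> NtStatus:
    """For bugcheck 0x7E, parameter 1 is the unhandled exception's NTSTATUS."""
    bugcheck, params = parse_stop_line(line)
    if bugcheck != 0x7E:
        raise ValueError(f"expected bugcheck 0x7E, got {bugcheck:#x}")
    return decode_ntstatus(params[0])


# Constructed sample lines: the first is the dump line quoted in the post,
# the second is the same line with the full eight-digit NTSTATUS.
AS_QUOTED = "Stop: 0x0000007E (0xC000005, 0x95E5529C, 0xA12C0B40, 0xA12C0720"
FULL_WIDTH = "Stop: 0x0000007E (0xC0000005, 0x95E5529C, 0xA12C0B40, 0xA12C0720)"

if __name__ == "__main__":
    for sample in (AS_QUOTED, FULL_WIDTH):
        s = describe_0x7e(sample)
        print(f"{s.value:#010x}: {s.name}  severity={s.severity} "
              f"customer={s.customer} facility={s.facility:#x} code={s.code:#x}")
```

Run as a script, the seven-digit value decodes with a success severity and facility 0xC00, because the dropped zero shifts every field; the eight-digit value decodes to STATUS_SEVERITY_ERROR, facility 0, code 5, STATUS_ACCESS_VIOLATION, matching the !error output shown above.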
