How to find cause of BSOD without dump file

Sometimes it happens that BSOD occures without any dump file generated. It could take some time to figure out why there is no dump file generated and what to do. If this happens on customer side, sometimes it is really problematic due to different policies, restrictions, etc.

On the other hand, it is possible to have a clue about BSOD even without memory dump file. For this, you have to know the load address of your driver and offset where problem occured. Luckily, Windows provides this information when printing BSOD information on screen.

Usually, a typical BSOD looks like this:

As you can see, you have a crash address 919C3763 and base address 919B4000. Now, assuming you know exact version of your driver installed on this machine you can use IDA to disassemble it and analyze “the problematic place”.

First, we need to calculate RVA address where crash occures. This is easy: RVA = 919C3763 – 919B4000 ; RVA = F763 . Second, you need to fire-up Ida and disassemble your driver. When analysys finishes, go to header of file and look at imagebase value:

Now, having imagebase which is equal 10000 for this case, you have to calculate offset where crash occured:

Offset = ImageBase + RVA ; Offset = 10000 + F763; Offset = 1F763

Now, press “G” in Ida, and enter value 1F763:

If everything is done properly, you should see the faulty instruction. Of course, if you have symbols, it is much easier to analyse code, but even without symbols, you can recognize your code and have a clue what can go wrong.

3,709 views

Leave a Reply

Your email address will not be published. Required fields are marked *

Identify yourself * Time limit is exhausted. Please reload CAPTCHA.