Windows 10: Hacking Attack ? or something else

  1.    15 Nov 2017 #1

    Hacking Attack ? or something else


    Yesterday my machine crashed and rebooted, when I investigated the Minidump I read a message in it "This is the classic "buffer overrun" hacking attack and the system has been brought down to prevent a malicious user from gaining complete control of it."

    It also mentions something about a Windows 8 Driver

    Now, I am not able to assess this information in the minidump as I just do not possess those levels of skills and knowledge.

    I guess my question is this: Do I need to do anything about this, or is it liable to be just a one-hit wonder?


    Gigabyte motherboard
    16 Gig Ram
    Intel Processor
    Windows 10
    Windows Firewall
    Antivirus - Windows Defender
    Anti Malware - Malware Bytes Pro
    Router Firewall On

    Here is the Minidump:
    Code:
    A driver has overrun a stack-based buffer.  This overrun could potentially
    allow a malicious user to gain control of this machine.
    DESCRIPTION
    A driver overran a stack-based buffer (or local variable) in a way that would
    have overwritten the function's return address and jumped back to an arbitrary
    address when the function returned.  This is the classic "buffer overrun"
    hacking attack and the system has been brought down to prevent a malicious user
    from gaining complete control of it.
    Do a kb to get a stack backtrace -- the last routine on the stack before the
    buffer overrun handlers and bugcheck call is the one that overran its local
    variable(s).
    Arguments:
    Arg1: 00006780bea282d0, Actual security check cookie from the stack
    Arg2: 0000d027b95c3a8c, Expected security check cookie
    Arg3: ffff2fd846a3c573, Complement of the expected security check cookie
    Arg4: 0000000000000000, zero
     
    Debugging Details:
    ------------------
     
     
    DUMP_CLASS: 1
     
    DUMP_QUALIFIER: 400
     
    BUILD_VERSION_STRING:  10.0.15063.674 (WinBuild.160101.0800)
     
    SYSTEM_MANUFACTURER:  Gigabyte Technology Co., Ltd.
     
    SYSTEM_PRODUCT_NAME:  To be filled by O.E.M.
     
    SYSTEM_SKU:  To be filled by O.E.M.
     
    SYSTEM_VERSION:  To be filled by O.E.M.
     
    BIOS_VENDOR:  American Megatrends Inc.
     
    BIOS_VERSION:  F14
     
    BIOS_DATE:  01/16/2014
     
    BASEBOARD_MANUFACTURER:  Gigabyte Technology Co., Ltd.
     
    BASEBOARD_PRODUCT:  H77M-D3H
     
    BASEBOARD_VERSION:  To be filled by O.E.M.
     
    DUMP_TYPE:  2
     
    BUGCHECK_P1: 6780bea282d0
     
    BUGCHECK_P2: d027b95c3a8c
     
    BUGCHECK_P3: ffff2fd846a3c573
     
    BUGCHECK_P4: 0
     
    SECURITY_COOKIE:  Expected 0000d027b95c3a8c found 00006780bea282d0
     
    CPU_COUNT: 8
     
    CPU_MHZ: d40
     
    CPU_VENDOR:  GenuineIntel
     
    CPU_FAMILY: 6
     
    CPU_MODEL: 3a
     
    CPU_STEPPING: 9
     
    CPU_MICROCODE: 6,3a,9,0 (F,M,S,R)  SIG: 1B'00000000 (cache) 1B'00000000 (init)
     
    BLACKBOXBSD: 1 (!blackboxbsd)
     
     
    CUSTOMER_CRASH_COUNT:  1
     
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
     
    BUGCHECK_STR:  0xF7
     
    PROCESS_NAME:  svchost.exe
     
    CURRENT_IRQL:  2
     
    ANALYSIS_SESSION_HOST:  ALISTAIR-PC
     
    ANALYSIS_SESSION_TIME:  11-15-2017 13:35:02.0996
     
    ANALYSIS_VERSION: 10.0.17016.1000 amd64fre
     
    LAST_CONTROL_TRANSFER:  from fffff8007e25b905 to fffff8007e1ed580
     
    STACK_TEXT:  
    ffffe080`b5fd2f88 fffff800`7e25b905 : 00000000`000000f7 00006780`bea282d0 0000d027`b95c3a8c ffff2fd8`46a3c573 : nt!KeBugCheckEx
    ffffe080`b5fd2f90 fffff800`7e0ea550 : ffffb684`327cc000 ffffe080`b5fd3010 00000000`00000000 ffffa464`00000000 : nt!_report_gsfailure+0x25
    ffffe080`b5fd2fd0 fffff800`7e0ea3fe : 00000000`00000100 ffffb684`327cd8c0 00000000`00000000 ffffe080`b5fd3198 : nt!MiIdentifyPfn+0x100
    ffffe080`b5fd30a0 fffff800`7e52de1a : 00000000`00000000 ffffb684`327cd380 ffffb684`327cc000 fffff800`7e0e8763 : nt!MiIdentifyPfnWrapper+0x3e
    ffffe080`b5fd30d0 fffff800`7e52d92f : ffffb684`2a221080 00000000`00000001 ffffe080`b5fd32b4 ffffb684`327cc000 : nt!PfpPfnPrioRequest+0xca
    ffffe080`b5fd3150 fffff800`7e52bb8e : 00000000`0000004f ffffa45b`42193e60 000000ae`ad87a008 00000000`00000200 : nt!PfQuerySuperfetchInformation+0x2bf
    ffffe080`b5fd3280 fffff800`7e52b83b : 00000000`00000000 00000000`00000000 00000000`00000008 000000ae`ad87d250 : nt!ExpQuerySystemInformation+0x22e
    ffffe080`b5fd3ac0 fffff800`7e1f8413 : ffffb684`2a221080 00000000`00000000 00000000`00000000 00007ff9`f4754d50 : nt!NtQuerySystemInformation+0x2b
    ffffe080`b5fd3b00 00007ffa`02bf5a64 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    000000ae`ad879ef8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`02bf5a64
     
     
    THREAD_SHA1_HASH_MOD_FUNC:  0621696229749f19418dfeecf88f4c3d2bd5058e
     
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  1e0bc3642c40aa307336c381675ee4a94c42db8e
     
    THREAD_SHA1_HASH_MOD:  9f457f347057f10e1df248e166a3e95e6570ecfe
     
    FOLLOWUP_IP: 
    nt!_report_gsfailure+25
    fffff800`7e25b905 cc              int     3
     
    FAULT_INSTR_CODE:  cccccccc
     
    SYMBOL_STACK_INDEX:  1
     
    SYMBOL_NAME:  nt!_report_gsfailure+25
     
    FOLLOWUP_NAME:  MachineOwner
     
    MODULE_NAME: nt
     
    IMAGE_NAME:  ntkrnlmp.exe
     
    DEBUG_FLR_IMAGE_TIMESTAMP:  59cdf43a
     
    IMAGE_VERSION:  10.0.15063.674
     
    STACK_COMMAND:  .thread ; .cxr ; kb
     
    BUCKET_ID_FUNC_OFFSET:  25
     
    FAILURE_BUCKET_ID:  0xF7_MISSING_GSFRAME_nt!_report_gsfailure
     
    BUCKET_ID:  0xF7_MISSING_GSFRAME_nt!_report_gsfailure
     
    PRIMARY_PROBLEM_CLASS:  0xF7_MISSING_GSFRAME_nt!_report_gsfailure
     
    TARGET_TIME:  2017-11-15T01:37:43.000Z
     
    OSBUILD:  15063
     
    OSSERVICEPACK:  674
     
    SERVICEPACK_NUMBER: 0
     
    OS_REVISION: 0
     
    SUITE_MASK:  272
     
    PRODUCT_TYPE:  1
     
    OSPLATFORM_TYPE:  x64
     
    OSNAME:  Windows 10
     
    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
     
    OS_LOCALE:  
     
    USER_LCID:  0
     
    OSBUILD_TIMESTAMP:  2017-09-29 17:20:26
     
    BUILDDATESTAMP_STR:  160101.0800
     
    BUILDLAB_STR:  WinBuild
     
    BUILDOSVER_STR:  10.0.15063.674
     
    ANALYSIS_SESSION_ELAPSED_TIME:  db0
     
    ANALYSIS_SOURCE:  KM
     
    FAILURE_ID_HASH_STRING:  km:0xf7_missing_gsframe_nt!_report_gsfailure
     
    FAILURE_ID_HASH:  {82d2c1b5-b0cb-60a5-9a5d-78c8c4284f84}
     
    Followup:     MachineOwner
    ---------
     
    6: kd> !blackboxbsd
    Version: 136
    Product type: 1
     
    Auto advanced boot: FALSE
    Advanced boot menu timeout: 30
    Last boot succeeded: TRUE
    Last boot shutdown: FALSE
    Sleep in progrees: FALSE
     
    Power button timestamp: 0
    System running: TRUE
    Connected standby in progress: FALSE
    User shutdown in progress: FALSE
    System shutdown in progress: FALSE
    Sleep in progress: 0
    Connected standby scenario instance id: 0
    Connected standby entry reason: 0
    Connected standby exit reason: 0
    System sleep transitions to on: 3
    Last reference time: 0x1d35da598cd4c10
    Last reference time checksum: 0x15f1626a
    Last update boot id: 46
     
    Boot attempt count: 1
    Last boot checkpoint: TRUE
    Checksum: 0x34
    Last boot id: 46
    Last successful shutdown boot id: 45
    Last reported abnormal shutdown boot id: 44
     
    Error info boot id: 0
    Error info repeat count: 0
    Error info other error count: 0
    Error info code: 0
    Error info other error count: 0
     
    Power button last press time: 0
    Power button cumulative press count: 0
    Power button last press boot id: 0
    Power button last power watchdog stage: 0
    Power button watchdog armed: FALSE
    Power button shutdown in progress: FALSE
    Power button last release time: 0
    Power button cumulative release count: 0
    Power button last release boot id: 0
    Power button error count: 0
    Power button current connected standby phase: 0
    Power button transition latest checkpoint id: 0
    Power button transition latest checkpoint type: 0
    Power button transition latest checkpoint sequence number: 0
    6: kd> kb
    # RetAddr           : Args to Child                                                           : Call Site
    00 fffff800`7e25b905 : 00000000`000000f7 00006780`bea282d0 0000d027`b95c3a8c ffff2fd8`46a3c573 : nt!KeBugCheckEx
    01 fffff800`7e0ea550 : ffffb684`327cc000 ffffe080`b5fd3010 00000000`00000000 ffffa464`00000000 : nt!_report_gsfailure+0x25
    02 fffff800`7e0ea3fe : 00000000`00000100 ffffb684`327cd8c0 00000000`00000000 ffffe080`b5fd3198 : nt!MiIdentifyPfn+0x100
    03 fffff800`7e52de1a : 00000000`00000000 ffffb684`327cd380 ffffb684`327cc000 fffff800`7e0e8763 : nt!MiIdentifyPfnWrapper+0x3e
    04 fffff800`7e52d92f : ffffb684`2a221080 00000000`00000001 ffffe080`b5fd32b4 ffffb684`327cc000 : nt!PfpPfnPrioRequest+0xca
    05 fffff800`7e52bb8e : 00000000`0000004f ffffa45b`42193e60 000000ae`ad87a008 00000000`00000200 : nt!PfQuerySuperfetchInformation+0x2bf
    06 fffff800`7e52b83b : 00000000`00000000 00000000`00000000 00000000`00000008 000000ae`ad87d250 : nt!ExpQuerySystemInformation+0x22e
    07 fffff800`7e1f8413 : ffffb684`2a221080 00000000`00000000 00000000`00000000 00007ff9`f4754d50 : nt!NtQuerySystemInformation+0x2b
    08 00007ffa`02bf5a64 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    09 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`02bf5a64
    Last edited by Brink; 15 Nov 2017 at 19:01. Reason: code box
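The DESCRIPTION block in the posted dump spells out what bugcheck 0xF7 means: the kernel compares the stack cookie it finds on the stack (Arg1) against the expected cookie (Arg2), keeps the complement of the expected value (Arg3) as a sanity check, and tells the reader that the frame just below the overrun handlers in the backtrace is the routine that overran its local variable. The script below is an added example written for this thread, not code from the poster or from Microsoft's debugger tooling. It parses the WinDbg text exactly as it appears in the post (the bugcheck arguments and the STACK_TEXT block are copied from the dump above and embedded inline so it runs offline), confirms that Arg3 is the 64-bit complement of Arg2, and walks the backtrace past `nt!KeBugCheckEx` and `nt!_report_gsfailure` to name the frame the dump's own instruction points at. The names `GS_HANDLERS`, `triage` and the regular expressions are this example's assumptions about the WinDbg output layout, not part of any debugger API.

```python
import re

# Excerpt copied from the minidump posted above (bugcheck arguments plus the
# STACK_TEXT block), embedded here so the script runs stand-alone.
DUMP_EXCERPT = """\
Arguments:
Arg1: 00006780bea282d0, Actual security check cookie from the stack
Arg2: 0000d027b95c3a8c, Expected security check cookie
Arg3: ffff2fd846a3c573, Complement of the expected security check cookie
Arg4: 0000000000000000, zero

BUGCHECK_STR:  0xF7

STACK_TEXT:  
ffffe080`b5fd2f88 fffff800`7e25b905 : 00000000`000000f7 00006780`bea282d0 0000d027`b95c3a8c ffff2fd8`46a3c573 : nt!KeBugCheckEx
ffffe080`b5fd2f90 fffff800`7e0ea550 : ffffb684`327cc000 ffffe080`b5fd3010 00000000`00000000 ffffa464`00000000 : nt!_report_gsfailure+0x25
ffffe080`b5fd2fd0 fffff800`7e0ea3fe : 00000000`00000100 ffffb684`327cd8c0 00000000`00000000 ffffe080`b5fd3198 : nt!MiIdentifyPfn+0x100
ffffe080`b5fd30a0 fffff800`7e52de1a : 00000000`00000000 ffffb684`327cd380 ffffb684`327cc000 fffff800`7e0e8763 : nt!MiIdentifyPfnWrapper+0x3e
ffffe080`b5fd30d0 fffff800`7e52d92f : ffffb684`2a221080 00000000`00000001 ffffe080`b5fd32b4 ffffb684`327cc000 : nt!PfpPfnPrioRequest+0xca
ffffe080`b5fd3150 fffff800`7e52bb8e : 00000000`0000004f ffffa45b`42193e60 000000ae`ad87a008 00000000`00000200 : nt!PfQuerySuperfetchInformation+0x2bf
ffffe080`b5fd3280 fffff800`7e52b83b : 00000000`00000000 00000000`00000000 00000000`00000008 000000ae`ad87d250 : nt!ExpQuerySystemInformation+0x22e
ffffe080`b5fd3ac0 fffff800`7e1f8413 : ffffb684`2a221080 00000000`00000000 00000000`00000000 00007ff9`f4754d50 : nt!NtQuerySystemInformation+0x2b
ffffe080`b5fd3b00 00007ffa`02bf5a64 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000ae`ad879ef8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`02bf5a64

THREAD_SHA1_HASH_MOD_FUNC:  0621696229749f19418dfeecf88f4c3d2bd5058e
"""

# "ArgN: <16 hex digits>, description" as WinDbg prints the bugcheck parameters.
ARG_RE = re.compile(r"^Arg([1-4]):\s+([0-9a-fA-F]{16}),", re.M)

# Frames that belong to the /GS failure path rather than to the overrunning routine
# (assumed set for this example; the dump text calls them the "overrun handlers").
GS_HANDLERS = ("nt!KeBugCheckEx", "nt!_report_gsfailure")

MASK64 = 0xFFFFFFFFFFFFFFFF


def parse_bugcheck_args(dump):
    """Return {1: Arg1, 2: Arg2, 3: Arg3, 4: Arg4} as integers."""
    return {int(n): int(v, 16) for n, v in ARG_RE.findall(dump)}


def cookie_check_consistent(args):
    """For 0xF7: Arg3 must be the 64-bit complement of Arg2, and the cookie actually
    found on the stack (Arg1) must differ from the expected one (Arg2), otherwise
    the kernel would not have raised the bugcheck."""
    actual, expected, complement = args[1], args[2], args[3]
    return complement == (~expected & MASK64) and actual != expected


def parse_stack_text(dump):
    """Return the Call Site column of the STACK_TEXT block, top frame first."""
    lines = dump.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip().startswith("STACK_TEXT:")), None)
    if start is None:
        return []
    frames = []
    for line in lines[start + 1:]:
        if not line.strip():          # STACK_TEXT block ends at the first blank line
            break
        parts = line.strip().split(" : ")   # child-sp/retaddr : args : call site
        if len(parts) == 3 and "`" in parts[0]:
            frames.append(parts[2].strip())
    return frames


def overrunning_frame(frames):
    """Apply the dump's own rule: the last routine on the stack before the overrun
    handlers and the bugcheck call is the one that overran its local variable(s)."""
    for sym in frames:
        if sym.split("+")[0] not in GS_HANDLERS:
            return sym
    return None


def triage(dump):
    """Summarise a 0xF7 dump: is the cookie triple self-consistent, and which
    frame/module does the backtrace blame for the overrun?"""
    args = parse_bugcheck_args(dump)
    culprit = overrunning_frame(parse_stack_text(dump))
    return {
        "cookie_check_consistent": cookie_check_consistent(args),
        "overrunning_frame": culprit,
        "module": culprit.split("!")[0] if culprit else None,
    }


if __name__ == "__main__":
    for key, value in triage(DUMP_EXCERPT).items():
        print(f"{key}: {value}")
```

Running it on the posted dump reports a consistent cookie triple and blames `nt!MiIdentifyPfn+0x100` in module `nt`, which is exactly the frame sitting above `nt!_report_gsfailure` in the STACK_TEXT and `kb` output of the post. Feed it a different 0xF7 dump (for example by pasting the `Arguments:` and `STACK_TEXT:` sections into `DUMP_EXCERPT`) and the module it names is the first thing to check for a driver update, which is the advice given in the reply below.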


  2. Posts : 207
    Windows 10 Professional 64bit
       15 Nov 2017 #2

    I'd wait to see if it happens again before diving deeper into the problem.

    Make sure you get all of your drivers from the manufacturer, not some random website.

