Defrag Tools: #15 - WinDbg - Bugchecks (BSOD)

Not all Blue Screens of Death are easy to debug! Sometimes, you need to enable extra checking to help catch a buggy device driver. In this episode of Defrag Tools, Chad Beeder and Larry Larsen discuss using Driver Verifier in conjunction with WinDbg to track down a driver which is corrupting kernel mode pool memory.
Debugger commands used:
Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.
Resources:
Windows Internals book tools (including NotMyFault)
Forcing a System Crash from the Keyboard
How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system
Driver Verifier Options
Timeline:
[00:09] - What is Driver Verifier?
[01:54] - Using NotMyFault to cause a buffer overflow
[06:04] - Looking at a buffer overflow dump in WinDbg
[08:10] - What is the .trap command? (see: x64 Register Usage)
[12:45] - First dump was inconclusive. Looking at a second buffer overflow dump.
[15:47] - Memory is corrupted, but how to find out who is corrupting it? Driver Verifier!
[16:55] - Launching and configuring Driver Verifier
[20:20] - Verifier enabled, let's crash the system!
[21:25] - What is special pool?
[22:27] - Looking at the memory dump (captured with Verifier enabled)
[25:13] - Forcing a memory dump of a hung system via keyboard
[28:00] - Forcing a memory dump of a hung system via NMI switch
[31:52] - Advanced/custom Driver Verifier settings
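The episode sets up Driver Verifier special pool through the GUI and then forces dumps from the keyboard and from an NMI switch. The script below is an added example, not code from the episode or from Microsoft; it does the same setup from an elevated PowerShell prompt so it can be repeated on a test box. The driver name myfault.sys (NotMyFault's driver) is an assumption; replace it with the driver you suspect. Registry paths and Verifier flag values are the ones documented by Microsoft, and every setting needs a reboot to take effect.

```powershell
# Added example (not from the episode). Run elevated on a test machine, then reboot.
# Assumption: the driver under suspicion is NotMyFault's myfault.sys; change as needed.
$Driver = 'myfault.sys'

# 1. Driver Verifier: special pool (0x1) plus pool tracking (0x8) on the suspect driver only.
#    Special pool puts each allocation on its own page next to a guard page, so an
#    overrun faults at the instruction that writes out of bounds instead of showing up
#    later as a corrupted pool header in an unrelated driver. /standard adds more checks
#    but also more overhead; flags 0x9 are the minimum for a pool-corruption hunt.
verifier.exe /flags 0x9 /driver $Driver
verifier.exe /querysettings        # confirm the driver and flags were recorded

# 2. Keyboard-initiated crash: hold right Ctrl and press Scroll Lock twice.
#    Produces bugcheck 0xE2 (MANUALLY_INITIATED_CRASH). kbdhid covers USB keyboards,
#    i8042prt covers PS/2; set both so the hotkey works whichever driver is loaded.
foreach ($svc in 'kbdhid', 'i8042prt') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    Set-ItemProperty -Path $key -Name CrashOnCtrlScroll -Type DWord -Value 1
}

# 3. NMI-initiated crash (bugcheck 0x80, NMI_HARDWARE_FAILURE). Windows 7 / Server 2008 R2
#    and earlier only honour an NMI as a crash trigger when NMICrashDump is set; later
#    versions do so by default, and the value is harmless there.
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
Set-ItemProperty -Path $cc -Name NMICrashDump -Type DWord -Value 1

# 4. Make sure the dump is worth having: 1 = complete, 2 = kernel, 3 = small (minidump).
#    A minidump does not carry the pool pages, so you cannot inspect the special-pool
#    guard page or the neighbouring allocations in WinDbg.
Set-ItemProperty -Path $cc -Name CrashDumpEnabled -Type DWord -Value 2

Write-Host "Reboot to apply. After the next bugcheck, load the dump in WinDbg and run !analyze -v;"
Write-Host "'verifier.exe /reset' (and another reboot) removes the Verifier settings when you are done."
```

Leave Verifier on only for the drivers you are testing: special pool roughly doubles the memory cost of every allocation it covers, and verifying all drivers on a production box is the fastest way to turn a debugging session into an outage. `verifier.exe /reset` clears everything it set.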
AppVerifier would seem like a good topic for next week
@JohnLudlow: We are covering the basic commands for about 4 weeks and then will be doing Application Verifier. We thought of doing it straight away but decided to do the foundation stuff first.
@windev: Hi Andrew. That makes sense. WinDbg is not a small topic, so it's good that you're covering it in detail
Thanks & keep up the good work
You can use AutoHotkey to remap keyboard keys if you don't have a scroll lock key, or any others for that matter. Helpful if you don't have an external keyboard handy.
Thanks for the series of videos on WinDbg and Driver Verifier. I am finding them very useful in my day-to-day work.
I have a doubt regarding Driver Verifier. If I am developing a WDF driver, a file system minifilter driver or an NDIS filter driver, is it sufficient just to add my driver to Driver Verifier?
For example, if I have an FS minifilter driver (which I want to test), do I need to put fltmgr.sys (or any other related drivers) in the Driver Verifier driver list?