Client PC running MB3.5 and Windows 10 BSOD's on boot: mbamchameleon.sys


Greetings,

I am representing a client of mine who has a problem with your anti-malware product. The client is experiencing numerous blue screens that seem to be related to your "mbamchameleon.sys" kernel-mode driver causing a Blue Screen of Death upon boot-up. However, on the second boot-up, there is a very high chance it'll boot up normally.

My client installed MalwareBytes for protection against malware in conjunction with his security software, Total Defense Total Security. Yes, I know what you're thinking, but apparently it is a real product using the BitDefender Antivirus Product Engine, and the company is apparently based in the USA. I use BitDefender myself, but that is beside the point.

Client Computer Configuration

  • AMD AM4 Platform with an AMD A10 Quad Core Processor
  • ASUS PRIME A320M-K Motherboard
  • 4GB DDR4 System Memory
  • Windows 10 32Bit* (more on that in a bit)
  • 120GB System SSD
  • Total Defense™ Total Security
  • MalwareBytes Home Edition 3.5 (Licensed)
  • Microsoft Office 2013 - might be 2016 or Office 365. Cannot confirm right now.

I cannot provide you the installed product list because my client has given me instructions to keep that information private, as it is a business machine. The reason this machine is running Windows 10 32-bit is that it was an emergency migration from an older Intel Core 2 Duo machine that had severe problems. No, a fresh installation of Windows 10 is not possible at this point in time, as it is a production machine and downtime must be kept to a minimum.

All drivers are up to date, as well as latest BIOS updates.

Is this a BSOD?
Yes. Windows 10 BSOD says "UNEXPECTED_KERNEL_MODE_TRAP" (0x7F)

WinDBG Preview for Windows 10 on my workstation where I analyze these crash dumps says:

Microsoft (R) Windows Debugger Version 10.0.17674.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [S:\ClientAnalysis\[REDACTED]\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 17134 MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17134.1.x86fre.rs4_release.180410-1804
Machine Name: [REDACTED]
Kernel base = 0x81a69000 PsLoadedModuleList = 0x81ce8938
Debug session time: Fri Jun 22 06:59:57.499 2018 (UTC + 10:00)
System Uptime: 0 days 23:55:39.731
WARNING: Process directory table base E4B7D020 doesn't match CR3 001A8000
WARNING: Process directory table base E4B7D020 doesn't match CR3 001A8000
Loading Kernel Symbols
...............................................................
................................................................
....................................................
Loading User Symbols
PEB address is NULL !
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 8075bc00, 0, 0}

Page 4e8d8 not present in the dump file. Type ".hh dbgerr004" for details
[... last message repeats for a while - cutting ... ]
Page bf7f not present in the dump file. Type ".hh dbgerr004" for details
[... last message repeats for a while - cutting ... ]
Page 4e8d8 not present in the dump file. Type ".hh dbgerr004" for details
[... last message repeats for a while - cutting ... ]
Page bf7f not present in the dump file. Type ".hh dbgerr004" for details
[... last message repeats for a while - cutting ... ]
*** ERROR: Module load completed but symbols could not be loaded for MbamChameleon.sys
*** ERROR: Module load completed but symbols could not be loaded for farflt.sys
Page 4e8d8 not present in the dump file. Type ".hh dbgerr004" for details
[... last message repeats for a while - cutting ... ]
Page bf7f not present in the dump file. Type ".hh dbgerr004" for details
[... last message repeats for a while - cutting ... ]
[ rinse and repeat this for a good couple dozen lines ]
Probably caused by : MbamChameleon.sys ( MbamChameleon+6131 )

Followup:     MachineOwner
---------

WARNING: Process directory table base E4B7D020 doesn't match CR3 001A8000
WARNING: Process directory table base E4B7D020 doesn't match CR3 001A8000
eax=8075bc00 ebx=00000000 ecx=8075b850 edx=00000000 esi=00000000 edi=8075b800
eip=81baf11c esp=81cdd390 ebp=00000000 iopl=0         ov up di ng nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000896
nt!KiBugCheck2:
81baf11c 55              push    ebp

When asking the debugger for more info:

******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 8075bc00
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------
(lots of repeated messages about 2 page locations not being available)
KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  17134.1.x86fre.rs4_release.180410-1804

SYSTEM_MANUFACTURER:  System manufacturer

SYSTEM_PRODUCT_NAME:  System Product Name

SYSTEM_SKU:  SKU

SYSTEM_VERSION:  System Version

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  4011

BIOS_DATE:  04/19/2018

BASEBOARD_MANUFACTURER:  ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT:  PRIME A320M-K

BASEBOARD_VERSION:  Rev X.0x

DUMP_TYPE:  1

BUGCHECK_P1: 8

BUGCHECK_P2: ffffffff8075bc00

BUGCHECK_P3: 0

BUGCHECK_P4: 0

BUGCHECK_STR:  0x7f_8

TSS:  00000028 -- (.tss 0x28)
eax=b66a1120 ebx=00000000 ecx=b66a1520 edx=92d42110 esi=b66a1520 edi=00000000
eip=891d711e esp=b66a0f94 ebp=b66a10a4 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
Ntfs!NtfsLookupRealAllocation+0x1e:
891d711e 53              push    ebx
Resetting default scope

CPU_COUNT: 4

CPU_MHZ: da5

CPU_VENDOR:  AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 65

CPU_STEPPING: 1

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  Registry

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  DESKTOP-8K174LE

ANALYSIS_SESSION_TIME:  06-27-2018 13:02:15.0843

ANALYSIS_VERSION: 10.0.17674.1000 amd64fre

TRAP_FRAME:  b66a194c -- (.trap 0xffffffffb66a194c)
ErrCode = 00000000
eax=00000000 ebx=b66a19f4 ecx=0000001c edx=b98bd8c0 esi=024a9000 edi=00000360
eip=81d688c4 esp=b66a19c0 ebp=b66a19cc iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!HvpGetCellPaged+0x84:
81d688c4 8b043e          mov     eax,dword ptr [esi+edi] ds:0023:024a9360=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 891d6f2b to 891d711e

BAD_STACK_POINTER:  81cdd390

STACK_OVERFLOW: Stack Limit: b66a1000. Use (kF) and (!stackusage) to investigate stack usage.

STACK_TEXT:  
b66a19cc 81d67eb7 95459008 02278360 b66a19f4 nt!HvpGetCellPaged+0x84
b66a1a3c 81d5c322 b66a1ab8 b66a1a88 b66a1adf nt!CmpWalkOneLevel+0x227
b66a1b94 81d61e02 48077500 00000240 b66a1e1c nt!CmpDoParseKey+0x822
b66a1cac 81d5e362 8800efd0 87f7a9a0 c3bc7418 nt!CmpParseKey+0x232
b66a1dbc 81d64da8 00000240 87f7a9a0 00000000 nt!ObpLookupObjectName+0x3d2
b66a1e44 81d64b80 b66a206c 87f7a9a0 00000000 nt!ObOpenObjectByNameEx+0x118
b66a1fb0 81d66ff8 b66a206c 00000000 00000000 nt!CmOpenKey+0x240
b66a1fc8 81bc0b2f b66a208c 000f003f b66a206c nt!NtOpenKey+0x18
b66a1fc8 81badfb5 b66a208c 000f003f b66a206c nt!KiSystemServicePostCall
b66a204c 98406131 b66a208c 000f003f b66a206c nt!ZwOpenKey+0x11
WARNING: Stack unwind information not available. Following frames may be wrong.
b66a2090 98401e27 44fda755 00000000 a4f461b8 MbamChameleon+0x6131
b66a20e0 81d7dc49 98421e28 b66a213c 00021410 MbamChameleon+0x1e27
b66a2124 81d62a8c b66a2190 87eb2040 b66a24cc nt!ObpCallPreOperationCallbacks+0xd9
b66a2214 81d76a0e 00000000 b66a24cc 00000000 nt!ObpCreateHandle+0x89c
b66a2398 81d761ba 9e56fa00 00000200 b66a24cc nt!ObOpenObjectByPointer+0xce
b66a2564 81d76039 b66a2624 b66a263c 00000000 nt!PsOpenProcess+0x17a
b66a2584 81bc0b2f b66a265c 80020000 b66a2624 nt!NtOpenProcess+0x2d
b66a2584 81badf15 b66a265c 80020000 b66a2624 nt!KiSystemServicePostCall
b66a260c 9840bbec b66a265c 80020000 b66a2624 nt!ZwOpenProcess+0x11
b66a2644 9840ab6f 000003c8 80020000 b66a265c MbamChameleon+0xbbec
b66a2668 984083b6 81bb0760 00008013 b66a2780 MbamChameleon+0xab6f
b66a2678 98402de8 be2f1580 44fda035 00000000 MbamChameleon+0x83b6
b66a2780 81d5fa13 00000000 0000001c b66a28d0 MbamChameleon+0x2de8
b66a2834 81d61db4 b66a2878 00000001 0000001d nt!CmpCallCallBacksEx+0x313
b66a2944 81d5e362 8800efd0 87f7a9a0 c3f87820 nt!CmpParseKey+0x1e4
b66a2a54 81d64da8 00000240 87f7a9a0 00000000 nt!ObpLookupObjectName+0x3d2
b66a2adc 81d64b80 b66a2d04 87f7a9a0 00000000 nt!ObOpenObjectByNameEx+0x118
b66a2c48 81d66ff8 b66a2d04 00000000 00000000 nt!CmOpenKey+0x240
b66a2c60 81bc0b2f b66a2d24 000f003f b66a2d04 nt!NtOpenKey+0x18
b66a2c60 81badfb5 b66a2d24 000f003f b66a2d04 nt!KiSystemServicePostCall
b66a2ce4 98406131 b66a2d24 000f003f b66a2d04 nt!ZwOpenKey+0x11
b66a2d28 98401e27 44fdaacd 00000000 a4f461b8 MbamChameleon+0x6131
b66a2d78 81d7dc49 98421e28 b66a2dd4 001fffff MbamChameleon+0x1e27
b66a2dbc 81d62a8c b66a2e28 87eb2040 b66a3168 nt!ObpCallPreOperationCallbacks+0xd9
b66a2eac 81d76a0e 00000000 b66a3168 00000000 nt!ObpCreateHandle+0x89c
b66a3034 81d761ba 9e56fa00 00000200 b66a3168 nt!ObOpenObjectByPointer+0xce
b66a3200 81d76039 b66a32cc b66a32e4 00000000 nt!PsOpenProcess+0x17a
b66a3220 81bc0b2f b66a32f8 001fffff b66a32cc nt!NtOpenProcess+0x2d
b66a3220 81badf15 b66a32f8 001fffff b66a32cc nt!KiSystemServicePostCall
b66a32a8 ad005791 b66a32f8 001fffff b66a32cc nt!ZwOpenProcess+0x11
b66a3310 81d71997 000003c8 000028ec 87f68901 farflt+0x5791
b66a333c 81d4e4f0 00000000 48075bf3 00000000 nt!PspCallThreadNotifyRoutines+0x97
b66a33b4 81d4e033 b66a3894 b66a3410 001fffff nt!PspInsertThread+0x3a4
b66a3584 81d4a831 b66a3aec 80000b70 00000000 nt!PspCreateThread+0x211
b66a3a08 81bc0b2f b66a3b10 001fffff b66a3aec nt!NtCreateThreadEx+0x161
b66a3a08 81bae861 b66a3b10 001fffff b66a3aec nt!KiSystemServicePostCall
b66a3aac 81e00150 b66a3b10 001fffff b66a3aec nt!ZwCreateThreadEx+0x11
b66a3b3c 81b704c5 00000000 00000000 00040000 nt!RtlpCreateUserThreadEx+0xc2
b66a3b90 81ab1dbf 9e4f2cb0 9e521140 9e580e80 nt!ExpWorkerFactoryCreateThread+0xb1
b66a3bb4 81ab1b96 00000000 000005c0 0320f668 nt!ExpWorkerFactoryCheckCreate+0x13f
b66a3c08 81bc0b2f 000005c0 0320f6b0 77410750 nt!NtReleaseWorkerFactoryWorker+0x266
b66a3c08 77410750 000005c0 0320f6b0 77410750 nt!KiSystemServicePostCall
0320f6b0 00000000 00000000 00000000 00000000 0x77410750

STACK_COMMAND:  .trap 0xffffffffb66a194c ; kb

THREAD_SHA1_HASH_MOD_FUNC:  7c84cad4e395a6ac6b9cbc45a29ffdca7fb29c4b

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  91cea10d87227341343679aaa708d3737ba0d688

THREAD_SHA1_HASH_MOD:  a168ef793a0dbedb24c03939f290ba65f52710ce

FOLLOWUP_IP: 
MbamChameleon+6131
98406131 8b3dc0e04198    mov     edi,dword ptr [MbamChameleon+0x1e0c0 (9841e0c0)]

FAULT_INSTR_CODE:  e0c03d8b

SYMBOL_STACK_INDEX:  a

SYMBOL_NAME:  MbamChameleon+6131

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MbamChameleon

IMAGE_NAME:  MbamChameleon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5ae0d958

BUCKET_ID_FUNC_OFFSET:  6131

FAILURE_BUCKET_ID:  0x7f_8_STACKPTR_ERROR_MbamChameleon!unknown_function

BUCKET_ID:  0x7f_8_STACKPTR_ERROR_MbamChameleon!unknown_function

PRIMARY_PROBLEM_CLASS:  0x7f_8_STACKPTR_ERROR_MbamChameleon!unknown_function

TARGET_TIME:  2018-06-21T20:59:57.000Z

OSBUILD:  17134

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2018-06-08 18:55:45

BUILDDATESTAMP_STR:  180410-1804

BUILDLAB_STR:  rs4_release

BUILDOSVER_STR:  10.0.17134.1.x86fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME:  221c

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x7f_8_stackptr_error_mbamchameleon!unknown_function

FAILURE_ID_HASH:  {b9ae5be3-18b3-bd8f-2c30-bdfcaf14819a}

Followup:     MachineOwner
---------

WARNING: Process directory table base E4B7D020 doesn't match CR3 001A8000
WARNING: Process directory table base E4B7D020 doesn't match CR3 001A8000

Memory Dump for debugging team available upon request. Simply notify me with email and I'll get it to you within a few hours.

This is a semi-urgent request, so I would appreciate it if this issue could be placed on high priority.

Edited by MCoburn
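As an added worked example (not part of the original post, and not Malwarebytes or Total Defense code), the following Python script post-processes the `kb` stack excerpt quoted above the way an analyst would when `!analyze -v` reports a 0x7F double fault together with STACK_OVERFLOW and BAD_STACK_POINTER: it attributes kernel-stack bytes to modules from the ChildEBP column, lists every entry into a driver callback together with the kernel routine that invoked it and the kernel API the driver then called back into, and repeats the headroom check (trap-time esp against the reported stack limit). The stack text is the excerpt from nt!ZwOpenKey to nt!PspCallThreadNotifyRoutines in the post; the frame-size attribution convention (the bytes between consecutive ChildEBP values are charged to the outer frame) and the `invoked_by`/`called_into` naming are my own assumptions. On 32-bit Windows the kernel-mode stack is 12 KB, which is why a chain of nested callbacks that each re-enter an object-manager or registry API can exhaust it.

```python
import re
from collections import Counter, namedtuple

# Excerpt of the STACK_TEXT from the crash dump quoted in the post above
# (x86 `kb` format: ChildEBP RetAddr Args-to-child Symbol). Frames inside
# nt!ZwOpenKey and above nt!PspCallThreadNotifyRoutines are omitted.
STACK_TEXT = """\
b66a204c 98406131 b66a208c 000f003f b66a206c nt!ZwOpenKey+0x11
WARNING: Stack unwind information not available. Following frames may be wrong.
b66a2090 98401e27 44fda755 00000000 a4f461b8 MbamChameleon+0x6131
b66a20e0 81d7dc49 98421e28 b66a213c 00021410 MbamChameleon+0x1e27
b66a2124 81d62a8c b66a2190 87eb2040 b66a24cc nt!ObpCallPreOperationCallbacks+0xd9
b66a2214 81d76a0e 00000000 b66a24cc 00000000 nt!ObpCreateHandle+0x89c
b66a2398 81d761ba 9e56fa00 00000200 b66a24cc nt!ObOpenObjectByPointer+0xce
b66a2564 81d76039 b66a2624 b66a263c 00000000 nt!PsOpenProcess+0x17a
b66a2584 81bc0b2f b66a265c 80020000 b66a2624 nt!NtOpenProcess+0x2d
b66a2584 81badf15 b66a265c 80020000 b66a2624 nt!KiSystemServicePostCall
b66a260c 9840bbec b66a265c 80020000 b66a2624 nt!ZwOpenProcess+0x11
b66a2644 9840ab6f 000003c8 80020000 b66a265c MbamChameleon+0xbbec
b66a2668 984083b6 81bb0760 00008013 b66a2780 MbamChameleon+0xab6f
b66a2678 98402de8 be2f1580 44fda035 00000000 MbamChameleon+0x83b6
b66a2780 81d5fa13 00000000 0000001c b66a28d0 MbamChameleon+0x2de8
b66a2834 81d61db4 b66a2878 00000001 0000001d nt!CmpCallCallBacksEx+0x313
b66a2944 81d5e362 8800efd0 87f7a9a0 c3f87820 nt!CmpParseKey+0x1e4
b66a2a54 81d64da8 00000240 87f7a9a0 00000000 nt!ObpLookupObjectName+0x3d2
b66a2adc 81d64b80 b66a2d04 87f7a9a0 00000000 nt!ObOpenObjectByNameEx+0x118
b66a2c48 81d66ff8 b66a2d04 00000000 00000000 nt!CmOpenKey+0x240
b66a2c60 81bc0b2f b66a2d24 000f003f b66a2d04 nt!NtOpenKey+0x18
b66a2c60 81badfb5 b66a2d24 000f003f b66a2d04 nt!KiSystemServicePostCall
b66a2ce4 98406131 b66a2d24 000f003f b66a2d04 nt!ZwOpenKey+0x11
b66a2d28 98401e27 44fdaacd 00000000 a4f461b8 MbamChameleon+0x6131
b66a2d78 81d7dc49 98421e28 b66a2dd4 001fffff MbamChameleon+0x1e27
b66a2dbc 81d62a8c b66a2e28 87eb2040 b66a3168 nt!ObpCallPreOperationCallbacks+0xd9
b66a2eac 81d76a0e 00000000 b66a3168 00000000 nt!ObpCreateHandle+0x89c
b66a3034 81d761ba 9e56fa00 00000200 b66a3168 nt!ObOpenObjectByPointer+0xce
b66a3200 81d76039 b66a32cc b66a32e4 00000000 nt!PsOpenProcess+0x17a
b66a3220 81bc0b2f b66a32f8 001fffff b66a32cc nt!NtOpenProcess+0x2d
b66a3220 81badf15 b66a32f8 001fffff b66a32cc nt!KiSystemServicePostCall
b66a32a8 ad005791 b66a32f8 001fffff b66a32cc nt!ZwOpenProcess+0x11
b66a3310 81d71997 000003c8 000028ec 87f68901 farflt+0x5791
b66a333c 81d4e4f0 00000000 48075bf3 00000000 nt!PspCallThreadNotifyRoutines+0x97
"""

# Values reported by !analyze -v for the same dump.
TSS_ESP = 0xb66a0f94      # esp in the .tss 0x28 register dump
STACK_LIMIT = 0xb66a1000  # "STACK_OVERFLOW: Stack Limit: b66a1000"

Frame = namedtuple("Frame", "child_ebp symbol module func")
FRAME_RE = re.compile(r"^([0-9a-f]{8}) [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)$")

def parse_stack_text(text):
    """Parse `kb` frames innermost first; non-frame lines such as warnings are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            func = m.group(2).split("+")[0]   # drop the +0x... offset
            frames.append(Frame(int(m.group(1), 16), m.group(2), func.split("!")[0], func))
    return frames

def stack_usage_by_module(frames):
    """Stack bytes attributed to each module (assumed convention: frame i owns the
    bytes between its ChildEBP and the previous frame's, i.e. its locals plus what
    it pushed for the callee; the innermost frame's share is not derivable here)."""
    usage = Counter()
    for prev, cur in zip(frames, frames[1:]):
        usage[cur.module] += cur.child_ebp - prev.child_ebp
    return usage

def callback_entries(frames, kernel="nt"):
    """Each maximal run of frames from one driver is one callback invocation.
    Returns (module, invoked_by, called_into) innermost first: the kernel routine
    that called the driver and the kernel API the driver then re-entered."""
    entries, i = [], 0
    while i < len(frames):
        if frames[i].module == kernel:
            i += 1
            continue
        start = i
        while i < len(frames) and frames[i].module == frames[start].module:
            i += 1
        invoked_by = frames[i].func if i < len(frames) else "?"
        called_into = frames[start - 1].func if start > 0 else "?"
        entries.append((frames[start].module, invoked_by, called_into))
    return entries

def stack_headroom(esp, stack_limit):
    """Bytes left above the stack limit; negative means the stack has already overflowed."""
    return esp - stack_limit

if __name__ == "__main__":
    frames = parse_stack_text(STACK_TEXT)
    for module, used in stack_usage_by_module(frames).most_common():
        print(f"{module:<16}{used:6d} bytes")
    for module, invoked_by, called_into in callback_entries(frames):
        print(f"{invoked_by} -> {module} -> {called_into}")
    print(f"headroom at trap: {stack_headroom(TSS_ESP, STACK_LIMIT)} bytes")
```

Running it shows that this excerpt alone spans about 4.8 KB of the 12 KB stack, that every driver entry is a callback (object pre-operation, registry, thread-notify) which immediately calls back into ZwOpenKey or ZwOpenProcess and so triggers the next callback, and that esp in the .tss 0x28 dump sits 108 bytes below the stack limit. A negative headroom together with a repeating callback chain is the pattern to look for before blaming the routine at the top of the stack; the function in the task-gate register dump (Ntfs!NtfsLookupRealAllocation) is simply where the stack ran out.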
  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:


    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

     

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

  • Staff

Greetings,

If this issue is being caused by mbamchameleon.sys, then that is the self-protection driver in Malwarebytes, and for now, until the issue is resolved (hopefully in a future release), you should be able to work around the issue by disabling self-protection. To do so, open Malwarebytes and navigate to Settings>Protection, locate the Startup Options section near the bottom, switch the Enable self-protection module setting to Off, then restart the computer. As long as the self-protection driver was the root cause of the issue, it shouldn't happen again as long as self-protection remains disabled.

Additionally, just to make sure the Developers and Support team have all the info they need, please do the following:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced Options on the main page (not Get Started)
  3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

Finally, you mentioned that you have the memory dump.  I'm sure the Developers would find it helpful in tracking down and fixing this issue so please upload it to WeTransfer.com using the Send as>Link option and then post the link here.  To access the Send as setting you need to click the blue ... button with a blue circle around it.

  • Staff

Yes, they would, but there shouldn't be anything personally identifiable or sensitive in a Windows crash dump.

That said, if you still aren't comfortable with it then you can instead send @dcollins a private message containing the link to download the memory dump.  He's a member of Malwarebytes Support that works here on the forums.


Hm, alright. I just got in touch with my client and the error is still ongoing (same response, apparently). They also had another BSOD in which WinDBG pointed the finger at MBAMChameleon.sys again. The original memory dump I have was just the active memory dump and clocked in at around 400MB uncompressed; however, since then I changed the Windows dump option to Complete Memory Dump. This resulted in a 4GB-ish file, so I made a minidump out of that big dump today. I'll include both in the archive file.

I have uploaded the mbst-grab-results.zip file as requested.

mbst-grab-results.zip

  • Staff

Yes, that should be sufficient.  Once a member of the support team shows up they'll collect the data you provided and analyze it and share it with the Devs.  Thanks for all your help in troubleshooting this issue.

Do you know if disabling self-protection eliminated the BSODs or not, or was the last one that occurred after already disabling self-protection and restarting the system?

On 6/29/2018 at 12:46 AM, dcollins said:

Thanks for the report. This issue should be fixed in our upcoming release which should be available soon.

Can you please provide brief detail on what causes the crash? Does the kernel module attempt operations on a null pointer that cause it to throw an exception?

  • Staff

The engineers know exactly what was fixed, and generally we don't release that information.

However, this issue should be fixed in our beta that was just released. You can download the beta by going to Settings -> Applications and toggling on the beta option. After a little while, you should get the beta version which is Component Package 1.0.390 and this should hopefully resolve the issue. Please let us know.

If you don't want to try the beta, the full release should be out soon based on feedback from beta users.

