Juan Lang wrote:
L"C:\windows\System32\Drivers\GEARAspiWDM.sys" (native) at 0x460000
trace:module:process_attach (L"GEARAspiWDM.sys",(nil)) - START
trace:module:MODULE_InitDLL (0x460000 L"GEARAspiWDM.sys",PROCESS_ATTACH,(nil)) - CALL
trace:seh:raise_exception code=c0000005 flags=0 addr=0x464010
trace:seh:raise_exception info[0]=00000001
trace:seh:raise_exception info[1]=00460038
trace:seh:raise_exception eax=0046137e ebx=7bc90dc8 ecx=0000001c edx=00460000 esi=7bc87f5b edi=00460038

That address (0x00460038) is suspect. It looks like part of a Unicode string.
Something about how this driver is loaded is buggy, I'm guessing ntoskrnl.exe is a bit too stubby for it yet.

I think this conclusion is a bit too simple. Considering the module base address of 0x460000, this address could be quite legitimate.

Rolf Kalbermatter