2 Votes
ElisabethD-1200 asked PenningNicholas-9994 answered

BSOD DRIVER_OVERRAN_STACK_BUFFER when attaching to w3wp.exe process with VS2019

Recently (as of 2 days ago), every time I try to attach to the IIS process w3wp.exe with Visual Studio 2019 (running on Windows 10), I get the blue screen of death with the DRIVER_OVERRAN_STACK_BUFFER error. Several other people at my organization have started to see the same behavior. I've installed all the latest Windows and Dell updates. The crash dump file contains the following information, but I haven't been able to track down the root cause.



Bugcheck Analysis


DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: ff99f2e088c41aef, Actual security check cookie from the stack
Arg2: 0000f8016000f0a2, Expected security check cookie
Arg3: ffff07fe9fff0f5d, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:


BUGCHECK_CODE: f7
BUGCHECK_P1: ff99f2e088c41aef
BUGCHECK_P2: f8016000f0a2
BUGCHECK_P3: ffff07fe9fff0f5d
BUGCHECK_P4: 0
PROCESS_NAME: msvsmon.exe
SYMBOL_NAME: SysmonDrv+1056
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function
FAILURE_ID_HASH: {bfcd09b2-c8e3-6711-5ab4-bb081f1f34f2}
Followup: MachineOwner



Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff801`5ac00000 PsLoadedModuleList = 0xfffff801`5b82a190
Debug session time: Thu Aug 12 10:49:11.047 2021 (UTC - 4:00)

Tags: windows-server-iis, windows-sysinternals-sysmon

1 Vote
ElisabethD-1200 answered

Solution was uninstalling Sysmon Assistant.


0 Votes
SamWu-MSFT answered

@ElisabethD-1200

The DRIVER_OVERRAN_STACK_BUFFER bug check has a value of 0x000000F7. This indicates that a driver has overrun a stack-based buffer.

A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned.

This is the classic "buffer overrun" hacking attack. The system has been brought down to prevent a malicious user from gaining complete control of it.

Use the kb (Display Stack Backtrace) command to get a stack trace.

The last routine on the stack before the buffer overrun handlers and bug check call is the one that overran its local variable.


If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


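The !analyze output in the question and SamWu's answer both describe the /GS security-cookie check behind bug check 0xF7. The following is an added Python example, not code from this thread or from Sysinternals, that parses those !analyze fields and uses the Arg2/Arg3 relationship (the /GS runtime keeps the expected cookie alongside its bitwise complement) to confirm that the reference cookie was intact and the stack slot itself was overwritten, then names the module to investigate. SAMPLE_ANALYSIS is the question's dump text re-typed as a constructed sample; the function names are mine.

```python
import re

# Constructed sample: the relevant lines of the !analyze -v output quoted in the question.
SAMPLE_ANALYSIS = """\
DRIVER_OVERRAN_STACK_BUFFER (f7)
Arg1: ff99f2e088c41aef, Actual security check cookie from the stack
Arg2: 0000f8016000f0a2, Expected security check cookie
Arg3: ffff07fe9fff0f5d, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
BUGCHECK_CODE: f7
PROCESS_NAME: msvsmon.exe
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function
"""

MASK64 = (1 << 64) - 1


def parse_analysis(text):
    """Extract the bugcheck arguments (as integers) and the NAME: value fields from !analyze text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Arg[1-4]):\s*([0-9a-fA-F]+),", line)
        if m:
            fields[m.group(1)] = int(m.group(2), 16)
            continue
        m = re.match(r"^([A-Z_]+):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def triage_0xf7(fields):
    """Interpret a 0xF7 bugcheck: was the reference cookie intact, and which module is implicated?"""
    if fields.get("BUGCHECK_CODE", "").lower() != "f7":
        raise ValueError("not a DRIVER_OVERRAN_STACK_BUFFER (0xF7) bugcheck")
    actual, expected, complement = fields["Arg1"], fields["Arg2"], fields["Arg3"]
    # The /GS runtime stores the expected cookie together with its bitwise complement.
    # If that pair still matches, the reference copy was not damaged, so the mismatch
    # came from the stack slot being overwritten (a genuine overrun in the named module).
    reference_intact = complement == (~expected & MASK64)
    return {
        "cookie_mismatch": actual != expected,
        "reference_intact": reference_intact,
        "overrun_confirmed": actual != expected and reference_intact,
        "module": fields.get("MODULE_NAME"),
        "image": fields.get("IMAGE_NAME"),
        "process": fields.get("PROCESS_NAME"),
    }
```

For the values in this thread the complement check holds, so the dump points at a real overrun inside SysmonDrv.sys while msvsmon.exe (the Visual Studio remote debugger) was running, which matches the reported trigger.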

2 Votes
JonnyWiederholm-1470 answered

We are experiencing the same issue with Sysmon 13.23 and 13.24 when using the debugger in Visual Studio 2019.
Uninstalling Sysmon is not an option in our case.


0 Votes
PenningNicholas-9994 answered