Hypervisor random BSOD IRQL_NOT_LESS_OR_EQUAL
Windows 11 23H2 - OS Build 22631.4169. BSOD appears in about 2 hours.
Tips for collapsed BSOD info
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00007fffffff0000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80727c81b39, address which referenced memory
Debugging Details:
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 1046
Key : Analysis.Elapsed.mSec
Value: 2107
Key : Analysis.IO.Other.Mb
Value: 27
Key : Analysis.IO.Read.Mb
Value: 0
Key : Analysis.IO.Write.Mb
Value: 30
Key : Analysis.Init.CPU.mSec
Value: 140
Key : Analysis.Init.Elapsed.mSec
Value: 27254
Key : Analysis.Memory.CommitPeak.Mb
Value: 98
Key : Bugcheck.Code.LegacyAPI
Value: 0xa
Key : Bugcheck.Code.TargetModel
Value: 0xa
Key : Failure.Bucket
Value: AV_nt!RtlpxVirtualUnwind
Key : Failure.Hash
Value: {90caf8d4-a034-a257-3599-d8f696fd9681}
Key : WER.OS.Branch
Value: ni_release
Key : WER.OS.Version
Value: 10.0.22621.1
BUGCHECK_CODE: a
BUGCHECK_P1: 7fffffff0000
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80727c81b39
FILE_IN_CAB: 100724-16937-01.dmp
FAULTING_THREAD: ffff900d3a9ac040
READ_ADDRESS: fffff8072871d470: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
00007fffffff0000
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
TRAP_FRAME: ffffb600829a4b60 -- (.trap 0xffffb600829a4b60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00007fffffff0000 rbx=0000000000000000 rcx=00007fffffff0000
rdx=ffffb600829a4ea8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80727c81b39 rsp=ffffb600829a4cf0 rbp=ffffb600829a5310
r8=0000000000000000 r9=0000000000000000 r10=fffff80728800038
r11=ffffb600829a4e10 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!RtlpxVirtualUnwind+0x419:
fffff807`27c81b39 0fb600 movzx eax,byte ptr [rax] ds:00007fff`ffff0000=??
Resetting default scope
STACK_TEXT:
ffffb600`829a4a18 fffff807`27e2bf29 : 00000000`0000000a 00007fff`ffff0000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffb600`829a4a20 fffff807`27e27389 : fffffd87`00000286 fffffd87`09b7f1d0 fffff807`27dc0018 fffff807`27ae8c88 : nt!KiBugCheckDispatch+0x69
ffffb600`829a4b60 fffff807`27c81b39 : ffffb600`829a5310 fffff807`27c69fd5 00000000`00000000 fffff807`27dd21cb : nt!KiPageFault+0x489
ffffb600`829a4cf0 fffff807`27c7fc75 : ffffb600`829a5f88 ffffb600`829a5d38 00000000`00000000 00000000`00000000 : nt!RtlpxVirtualUnwind+0x419
ffffb600`829a4db0 fffff807`27d628ee : ffffffff`ffffffff ffffb600`829a5de0 ffffb600`829a5de0 ffffb600`829a5550 : nt!RtlDispatchException+0x215
ffffb600`829a5520 fffff807`27e2c07c : 00800800`00000000 ffd00094`ffffb06e 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x1ae
ffffb600`829a5c00 fffff807`27e26ed8 : 00000000`00000000 00000000`00000000 ffffb600`82985180 00000000`00000000 : nt!KiExceptionDispatch+0x13c
ffffb600`829a5de0 ffff900d`5302b59d : fffff807`27aed860 ffffb600`829a6fb0 fffff807`27c69fd5 ffffb600`829a59f0 : nt!KiGeneralProtectionFault+0x358
ffffb600`829a5f70 fffff807`27aed860 : ffffb600`829a6fb0 fffff807`27c69fd5 ffffb600`829a59f0 fffff807`27cf34c4 : 0xffff900d`5302b59d
ffffb600`829a5f78 ffffb600`829a6fb0 : fffff807`27c69fd5 ffffb600`829a59f0 fffff807`27cf34c4 fffff807`27ab5b60 : nt!setjmpexused <PERF> (nt+0xed860)
ffffb600`829a5f80 fffff807`27c69fd5 : ffffb600`829a59f0 fffff807`27cf34c4 fffff807`27ab5b60 ffffb600`829a67a0 : 0xffffb600`829a6fb0
ffffb600`829a5f88 00000000`00000000 : ffffb600`829a6238 fffff807`27a00000 ffffb600`829a6730 fffffd87`09b7eed8 : nt!MiFastLockLeafPageTable+0x385
SYMBOL_NAME: nt!RtlpxVirtualUnwind+419
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.22621.4169
STACK_COMMAND: .process /r /p 0xfffff80728749f40; .thread 0xffff900d3a9ac040 ; kb
BUCKET_ID_FUNC_OFFSET: 419
FAILURE_BUCKET_ID: AV_nt!RtlpxVirtualUnwind
OS_VERSION: 10.0.22621.1
BUILDLAB_STR: ni_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {90caf8d4-a034-a257-3599-d8f696fd9681}
Followup: MachineOwner
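Added example (not part of the original report and not Kernel-Bridge code): a small triage script that decodes the bugcheck 0xA arguments as the `!analyze -v` text above lays them out and lists stack frames WinDbg could not attribute to any loaded module. The function names are hypothetical, the `USER_PROBE` value is an assumption (the usual x64 `MmUserProbeAddress` with 48-bit addressing), and the sample is an excerpt of lines copied from the dump.

```python
import re

# Constructed excerpt: a few lines copied from the dump above.
SAMPLE = """\
Arg1: 00007fffffff0000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
Arg4: fffff80727c81b39, address which referenced memory
ffffb600`829a4cf0 fffff807`27c7fc75 : ffffb600`829a5f88 ffffb600`829a5d38 00000000`00000000 00000000`00000000 : nt!RtlpxVirtualUnwind+0x419
ffffb600`829a5de0 ffff900d`5302b59d : fffff807`27aed860 ffffb600`829a6fb0 fffff807`27c69fd5 ffffb600`829a59f0 : nt!KiGeneralProtectionFault+0x358
ffffb600`829a5f70 fffff807`27aed860 : ffffb600`829a6fb0 fffff807`27c69fd5 ffffb600`829a59f0 fffff807`27cf34c4 : 0xffff900d`5302b59d
"""

USER_PROBE = 0x7FFFFFFF0000       # assumption: usual x64 MmUserProbeAddress (48-bit VA)
KERNEL_BASE = 0xFFFF800000000000  # start of the canonical kernel half
FRAME = re.compile(
    r"^([0-9a-f]{8}`[0-9a-f]{8}) ([0-9a-f]{8}`[0-9a-f]{8}) : .* : (\S.*)$", re.M)

def hexval(s):
    """Parse a WinDbg hex value, with or without the ` separator."""
    return int(s.replace("`", ""), 16)

def classify(addr):
    if addr >= KERNEL_BASE:
        return "kernel"
    if addr < USER_PROBE:
        return "user"
    if addr < 0x800000000000:
        return "user-half, at/above probe boundary"
    return "non-canonical"

def decode_bugcheck_a(text):
    """Decode Arg1..Arg4 of bugcheck 0xA per the bitfield description in the dump."""
    a = {int(n): hexval(v) for n, v in re.findall(r"^Arg(\d): ([0-9a-f]+),", text, re.M)}
    return {
        "referenced": a[1], "region": classify(a[1]),
        "irql": a[2],
        "access": "write" if a[3] & 1 else "read",   # bit 0
        "execute": bool(a[3] & 8),                   # bit 3
        "faulting_ip": a[4], "ip_region": classify(a[4]),
    }

def unsymbolized_frames(text):
    """Return (child_sp, address) for frames shown as a raw address, not module!symbol."""
    return [(hexval(sp), hexval(sym[2:]))
            for sp, _ret, sym in FRAME.findall(text) if sym.startswith("0x")]

if __name__ == "__main__":
    print(decode_bugcheck_a(SAMPLE))
    print([hex(addr) for _sp, addr in unsymbolized_frames(SAMPLE)])
```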
Did you run it on a virtual machine or on your own? Do you have AMD or Intel? Which hypervisor is the problem on?
Thank you for such a quick response.
I run it on the host, Intel i9-13900HX CPU.
When I call KbVmmEnable and just wait a few hours on the desktop, I get IRQL_NOT_LESS_OR_EQUAL.
I will still keep testing it, and interception works for me.
Related: https://github.com/HoShiMin/Kernel-Bridge/blob/44b130690c5af5c0eb93d54c435087ffad4c79ab/Kernel-Bridge/API/Hypervisor.cpp#L1311
May be useful: https://www.unknowncheats.me/forum/anti-cheat-bypass/616775-x64-stack-unwinding.html
I have AMD =( Later I will have Intel and I will look at it.