EasyAntiCheat_EOS.sys BSOD Crash

There’s currently no log as it BSOD'd my machine. I do have a Windows dump file I’ll pull up here, but this is 100% unacceptable. Never have I had anticheats do so poorly and cause so many issues than EasyAntiCheat.

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff8042bc00000 PsLoadedModuleList = 0xfffff8042c82a2b0
Debug session time: Wed Dec 7 12:52:01.313 2022 (UTC - 5:00)
System Uptime: 2 days 11:39:52.975
Loading Kernel Symbols

…Page 141a13 not present in the dump file. Type “.hh dbgerr004” for details
…Page 14724e not present in the dump file. Type “.hh dbgerr004” for details



Loading User Symbols

Loading unloaded module list

For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff8042bff92d0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffdc081e5cb550=0000000000000139
3: kd> !analyze -v


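*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************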

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000eac, Type of memory safety violation
Arg2: ffffdc081e5cb870, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffffdc081e5cb7c8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 3139

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 5097

Key  : Analysis.IO.Other.Mb
Value: 9

Key  : Analysis.IO.Read.Mb
Value: 0

Key  : Analysis.IO.Write.Mb
Value: 26

Key  : Analysis.Init.CPU.mSec
Value: 2296

Key  : Analysis.Init.Elapsed.mSec
Value: 18329

Key  : Analysis.Memory.CommitPeak.Mb
Value: 99

Key  : Bugcheck.Code.DumpHeader
Value: 0x139

Key  : Bugcheck.Code.KiBugCheckData
Value: 0x139

Key  : Bugcheck.Code.Register
Value: 0x139

Key  : FailFast.Type
Value: 3756

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

FILE_IN_CAB: MEMORY.DMP

BUGCHECK_CODE: 139

BUGCHECK_P1: eac

BUGCHECK_P2: ffffdc081e5cb870

BUGCHECK_P3: ffffdc081e5cb7c8

BUGCHECK_P4: 0

TRAP_FRAME: ffffdc081e5cb870 – (.trap 0xffffdc081e5cb870)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff80579a3c10f rbx=0000000000000000 rcx=0000000000000eac
rdx=0000000001091080 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80579a3c114 rsp=ffffdc081e5cba08 rbp=fffffffff75f7cef
r8=0000000000000000 r9=fffff80579640074 r10=ffffdc081e5cbb98
r11=0000000000000030 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
EasyAntiCheat_EOS+0xa5c114:
fffff805`79a3c114 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffdc081e5cb7c8 – (.exr 0xffffdc081e5cb7c8)
ExceptionAddress: fffff80579a3c114 (EasyAntiCheat_EOS+0x0000000000a5c114)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000eac
Subcode: 0xeac (unknown subcode)

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000eac

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
ffffdc081e5cb548 fffff8042c00d329 : 0000000000000139 0000000000000eac ffffdc081e5cb870 ffffdc081e5cb7c8 : nt!KeBugCheckEx
ffffdc081e5cb550 fffff8042c00d890 : 0000000000000000 ffffdc081e5cbb98 0000000000000001 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffdc081e5cb690 fffff8042c00b85d : 0000000000000000 0000000000000000 fb53a727f736a217 f827a778f4ffcfbf : nt!KiFastFailDispatch+0xd0
ffffdc081e5cb870 fffff80579a3c114 : f183b6b7f125d875 fa8a24c1faea2f0b fb87b412f400063b f06102d9ff7e5936 : nt!KiRaiseSecurityCheckFailure+0x31d
ffffdc081e5cba08 f183b6b7f125d875 : fa8a24c1faea2f0b fb87b412f400063b f06102d9ff7e5936 f202498afdb4bda4 : EasyAntiCheat_EOS+0xa5c114
ffffdc081e5cba10 fa8a24c1faea2f0b : fb87b412f400063b f06102d9ff7e5936 f202498afdb4bda4 f38d22cff649d1b1 : 0xf183b6b7f125d875
ffffdc081e5cba18 fb87b412f400063b : f06102d9ff7e5936 f202498afdb4bda4 f38d22cff649d1b1 ffffffffffffffff : 0xfa8a24c1faea2f0b
ffffdc081e5cba20 f06102d9ff7e5936 : f202498afdb4bda4 f38d22cff649d1b1 ffffffffffffffff 0000000000000000 : 0xfb87b412f400063b
ffffdc081e5cba28 f202498afdb4bda4 : f38d22cff649d1b1 ffffffffffffffff 0000000000000000 0000000000000000 : 0xf06102d9ff7e5936
ffffdc081e5cba30 f38d22cff649d1b1 : ffffffffffffffff 0000000000000000 0000000000000000 0000000000000000 : 0xf202498afdb4bda4
ffffdc081e5cba38 ffffffffffffffff : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xf38d22cff649d1b1
ffffdc081e5cba40 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xffffffff`ffffffff

SYMBOL_NAME: EasyAntiCheat_EOS+a5c114

MODULE_NAME: EasyAntiCheat_EOS

IMAGE_NAME: EasyAntiCheat_EOS.sys

IMAGE_VERSION: 1.0.0.0

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: a5c114

FAILURE_BUCKET_ID: 0x139_MISSING_GSFRAME_EasyAntiCheat_EOS!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {dde04553-d42f-b4d7-f06a-e1871a067075}

Followup: MachineOwner

If your system is BSOD then that’s more of a lower-level OS problem. Can you do a full Windows update on your system as a first step?

I’ve sent this over to Easy Anti-Cheat. Thank you.


Just played a long session of Darktide. Upon closing the game, BSOD (attempted write to readonly memory).
Memory dump says it's EAC (start_protected_game.exe):

Microsoft (R) Windows Debugger Version 10.0.25200.1003 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff80684600000 PsLoadedModuleList = 0xfffff8068522a2b0
Debug session time: Thu Dec 8 04:56:52.692 2022 (UTC + 9:00)
System Uptime: 0 days 9:22:16.328
Loading Kernel Symbols



Loading User Symbols
PEB is paged out (Peb.Ldr = 0000000002ffb018). Type ".hh dbgerr001" for details
Loading unloaded module list
.........
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff806849f92d0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffe183`6df71d10=00000000000000be
2: kd> !analyze -v


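*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************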

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver’s name (Unicode string) is printed on
the BugCheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffddfbbdc12ffc, Virtual address for the attempted write.
Arg2: 8a00000000200121, PTE contents.
Arg3: ffffe1836df71fb0, (reserved)
Arg4: 000000000000000b, (reserved)

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 2749

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 4550

Key  : Analysis.IO.Other.Mb
Value: 4

Key  : Analysis.IO.Read.Mb
Value: 0

Key  : Analysis.IO.Write.Mb
Value: 26

Key  : Analysis.Init.CPU.mSec
Value: 983

Key  : Analysis.Init.Elapsed.mSec
Value: 37114

Key  : Analysis.Memory.CommitPeak.Mb
Value: 96

Key  : Bugcheck.Code.DumpHeader
Value: 0xbe

Key  : Bugcheck.Code.KiBugCheckData
Value: 0xbe

Key  : Bugcheck.Code.Register
Value: 0xbe

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

FILE_IN_CAB: MEMORY.DMP

BUGCHECK_CODE: be

BUGCHECK_P1: ffffddfbbdc12ffc

BUGCHECK_P2: 8a00000000200121

BUGCHECK_P3: ffffe1836df71fb0

BUGCHECK_P4: b

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME: start_protected_game.exe

TRAP_FRAME: ffffe1836df71fb0 – (.trap 0xffffe1836df71fb0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffddfbbdc12ffc rbx=0000000000000000 rcx=ffffddfbbdc13014
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80684a0e930 rsp=ffffe1836df72148 rbp=ffffe1836df722e0
r8=000000000000001a r9=0000000000000008 r10=ffffddfbbdc13010
r11=00000000780980b4 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac pe nc
nt!memset+0x30:
Page 200 not present in the dump file. Type “.hh dbgerr004” for details
fffff80684a0e930 4a895408f8 mov qword ptr [rax+r9-8],rdx ds:ffffddfbbdc12ffc=???
Resetting default scope

STACK_TEXT:
ffffe1836df71d08 fffff80684a34353 : 00000000000000be ffffddfbbdc12ffc 8a00000000200121 ffffe1836df71fb0 : nt!KeBugCheckEx
ffffe1836df71d10 fffff806848399e0 : ffffce0042171000 0000000000000003 ffffe1836df72030 0000000000000000 : nt!MiSystemFault+0x1dc943
ffffe1836df71e10 fffff80684a08dd8 : ffffffffffffffff 0000000000000001 ffffce0042163180 fffff806848bc485 : nt!MmAccessFault+0x400
ffffe1836df71fb0 fffff80684a0e930 : fffff806848cbad8 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x358
ffffe1836df72148 fffff806848cbad8 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!memset+0x30
ffffe1836df72150 fffff80684ed0e37 : 00000000000000d5 00000000780980b5 0000000078097fe0 0000000000000000 : nt!RtlClearBitsEx+0x98
ffffe1836df72180 fffff80684ed0dbc : ffff8d080df6d330 0000000000000001 0000000000000000 0000000000000d4f : nt!MiMarkRetpolineBits+0x63
ffffe1836df721b0 fffff80684e15f72 : ffff8d080df6d330 ffff8d080df6d330 ffffe1836df722e0 0000000000000001 : nt!MiMarkKernelImageRetpolineBits+0x34
ffffe1836df721e0 fffff80684d68d01 : 0000000000000000 fffff806ffffffff fffffed500000001 ffffe40f759d7ec0 : nt!MiUnloadSystemImage+0x1519b2
ffffe1836df72380 fffff80684d68c2e : ffff8d080f6dde00 ffffe1836df72520 0000000000000000 ffff8d080f6dde30 : nt!MmUnloadSystemImage+0x41
ffffe1836df723b0 fffff80684c16d50 : ffff8d080f6dde00 ffffe1836df72520 fffff80685325400 ffffe1836df72420 : nt!IopDeleteDriver+0x4e
ffffe1836df72400 fffff8068480ec07 : 0000000000000000 0000000000000000 ffffe1836df72520 ffff8d080f6dde30 : nt!ObpRemoveObjectRoutine+0x80
ffffe1836df72460 fffff80684a1ba98 : 0000000000000000 ffff8d080f6dde30 0000000000000000 0000000000000000 : nt!ObfDereferenceObjectWithTag+0xc7
ffffe1836df724a0 fffff8068482c0d2 : 36776f775f746165 61652e3436785f00 fffff8067fc64910 fffff8068482a6b5 : nt!IopCompleteUnloadOrDelete+0x2149d8
ffffe1836df72560 fffff80684c1cc10 : ffff8d0822f16b90 0000000000000000 0000000000000000 fffff8068480ca17 : nt!IopDecrementDeviceObjectRef+0x162
ffffe1836df725c0 fffff80684c16d50 : ffff8d07fa4f96c0 0000000000000001 ffff8d0822f16b60 ffff8d0800000000 : nt!IopDeleteFile+0x210
ffffe1836df72640 fffff8068480ec07 : 0000000000000000 0000000000000000 ffffe1836df727c9 ffff8d0822f16b90 : nt!ObpRemoveObjectRoutine+0x80
ffffe1836df726a0 fffff80684c04299 : ffff8d0822f16b60 0000000000000000 0000000000000000 ffff8d0822f16b60 : nt!ObfDereferenceObjectWithTag+0xc7
ffffe1836df726e0 fffff80684bdd9b5 : 0000000000000000 0000000000000000 0000000000000103 0000000000000000 : nt!ObCloseHandleTableEntry+0x6c9
ffffe1836df72820 fffff80684bde07d : ffff8d0805b09080 ffff8d0805b09080 ffffffffffffff01 ffff8d080cac74d8 : nt!ExSweepHandleTable+0xd5
ffffe1836df728d0 fffff80684bdd6e4 : ffffffffffffffff ffff8d080cac7080 ffffe1836df72920 fffff80684cb0b54 : nt!ObKillProcess+0x35
ffffe1836df72900 fffff80684c45cba : ffff8d080cac7080 ffffe40f6f01c060 0000000000000000 0000000000000000 : nt!PspRundownSingleProcess+0x204
ffffe1836df72990 fffff80684bd90ce : ffff8d08c0000005 0000000000000001 00000000c0000005 0000000002ffd000 : nt!PspExitThread+0x5f6
ffffe1836df72a90 fffff80684a0caf8 : ffff8d080cac7080 ffff8d0805b09080 ffffe1836df72b80 ffff8d0800000000 : nt!NtTerminateProcess+0xde
ffffe1836df72b00 0000000077a81cfc : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
000000000307eb88 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x77a81cfc

SYMBOL_NAME: nt!MiSystemFault+1dc943

MODULE_NAME: nt

STACK_COMMAND: .cxr; .ecxr ; kb

IMAGE_NAME: ntkrnlmp.exe

BUCKET_ID_FUNC_OFFSET: 1dc943

FAILURE_BUCKET_ID: AV_nt!MiSystemFault

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {d80c40a2-5000-439f-696b-1bd8abb14be3}

Followup: MachineOwner
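
Added example (not part of the thread or of any poster's output): a short Python triage helper that reads the BUGCHECK_P1/P2 fields from the 0xBE analysis above and decodes the PTE value using the standard x86-64 page-table bit layout. The function names are hypothetical; the sample values are copied from the dump.

```python
# x86-64 PTE hardware bits (bits 52-62 are software-defined and ignored here).
PTE_FLAGS = {0: "Present", 1: "Writable", 2: "User", 5: "Accessed",
             6: "Dirty", 8: "Global", 63: "NoExecute"}
PFN_MASK = 0x000F_FFFF_FFFF_F000  # bits 12..51 hold the physical frame number
PAGE_SIZE = 0x1000

def decode_pte(pte: int) -> dict:
    """Split a raw PTE value into its physical frame number and set flags."""
    flags = {name for bit, name in PTE_FLAGS.items() if (pte >> bit) & 1}
    return {"pfn": (pte & PFN_MASK) >> 12, "flags": flags}

def parse_analyze(text: str) -> dict:
    """Pull upper-case 'KEY: value' fields out of pasted !analyze -v output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().isupper():
            fields[key.strip()] = value.strip()
    return fields

def triage_be(fields: dict) -> dict:
    """Summarise bugcheck 0xBE: P1 is the write address, P2 the PTE contents."""
    if fields.get("BUGCHECK_CODE", "").lower() != "be":
        raise ValueError("not an ATTEMPTED_WRITE_TO_READONLY_MEMORY dump")
    va = int(fields["BUGCHECK_P1"], 16)
    pte = decode_pte(int(fields["BUGCHECK_P2"], 16))
    present = "Present" in pte["flags"]
    return {
        "write_va": va,
        "page_offset": va % PAGE_SIZE,
        "pfn": pte["pfn"],
        "read_only": present and "Writable" not in pte["flags"],
        "kernel_only": "User" not in pte["flags"],
        "flags": sorted(pte["flags"]),
        "process": fields.get("PROCESS_NAME"),
    }

# Fields copied from the second dump in this thread.
SAMPLE = """\
BUGCHECK_CODE: be
BUGCHECK_P1: ffffddfbbdc12ffc
BUGCHECK_P2: 8a00000000200121
PROCESS_NAME: start_protected_game.exe
"""

if __name__ == "__main__":
    for key, value in triage_be(parse_analyze(SAMPLE)).items():
        print(f"{key}: {hex(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```

For this dump the PTE decodes to a present, kernel-only, non-writable page at physical frame 0x200, which agrees with the bugcheck description and is the same page number the debugger reports as not present in the dump file.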

Not diagnosing this, but I had a similar problem that came down to me updating my BIOS and it reset everything to default. The mobo was an MSI B450 Tomahawk (first gen) and it was fine with 2 sticks of RAM of 8 GB apiece, but the second I put on two more 8 GB it was throwing up errors as such, as if it was bad RAM. Turns out the BIOS was trying to run the RAM at full spec, but it didn’t support it for 4 sticks, only 2, so I had to drop down the RAM frequency in BIOS to get it more stable. Maybe that helps for an NTKRNLMP.EXE.

Nah… it’s just EAC trying to access stuff it shouldn’t.

Could you please PM me the Windows “Minidump” associated with this session, which I can then pass on to our contacts at Easy Anti-Cheat? The Minidump directory can be located here: C:\Windows\Minidump

done