0vercl0k / wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).


Emulation of ExAllocatePoolWithTag

p0w1 opened this issue · comments


I looked into fuzzing a driver. However, I'm running into issues when a call to ExAllocatePoolWithTag is executed during the fuzzing with bochscpu or KVM. Sometimes it crashes directly inside the function and sometimes afterwards. Do you have an idea how to resolve/emulate this? I've attached an example trace file. The last call from the Target is nt!ExAllocatePoolWithTag

Thanks for your help!
efd332708da860ec4c82a347b65118e4.trace.txt

Oh man, seems like I never got back to you - so sorry I forgot! Feel free to bug me in the future if I forget 🤦🏽‍♂️😅

Let me try to take a look at that trace..

Okay this is something I haven't seen - do you remember what kind of bugcheck this was triggering? Also, is it possible that your fuzzing module corrupts memory that is then detected by the LFH which bugchecks (callstack seems to match yours in "LFH Kernel Pool Allocator Challenges the Incumbent")?

Cheers

Closing as it has been idle for months; please feel free to re-open if you have the same problem again :)

Cheers


Sorry, I did not have any time to have a look at it. If I get back to it, I'll let you know. Thanks for the help!

No worries at all - just doing a spring cleaning :)

Cheers


I checked it again, the issue was that the driver requested PagedPool with the IRQL=f which is not allowed.

The actual problem, however, is probably the following:

kd> r cr8
cr8=000000000000000f
kd> !irql
Debugger saved IRQL for processor 0x0 -- 0 (LOW_LEVEL)

The cr8 is changed if a breakpoint is hit in WinDBG and consequently, the regs.json from bdump contains the value "f" instead of "0" in this case.
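An added sanity check, not part of this thread or of the wtf / bdump projects, that validates cr8 in a bdump-style regs.json before the snapshot is handed to the fuzzer. On x64 Windows cr8 holds the current IRQL, so a snapshot taken while the debugger had raised it to 0xf will make PagedPool allocations fault exactly as described above. The JSON field names, the hex-string value format and the sample contents are assumptions constructed for the example:

```python
import json

# IRQL levels on x64 Windows; cr8 (the TPR) holds the current IRQL.
PASSIVE_LEVEL = 0
APC_LEVEL = 1
DISPATCH_LEVEL = 2
HIGH_LEVEL = 0xF

# Constructed sample of a regs.json in the state the thread describes:
# cr8 captured while a WinDbg breakpoint had raised IRQL to 0xf.
# The field layout is an assumption, not the real bdump output.
SAMPLE_REGS_JSON = """{
  "rip": "0xfffff80012345678",
  "rsp": "0xffffc90000aa0000",
  "cr3": "0x00000000001ad000",
  "cr8": "0x000000000000000f"
}"""


def parse_reg(value):
    """Accept a hex string (with or without 0x) or an int."""
    if isinstance(value, int):
        return value
    return int(value, 16)


def irql_from_regs(regs):
    """The IRQL is the low 4 bits of cr8."""
    return parse_reg(regs["cr8"]) & 0xF


def check_snapshot_irql(regs, expected_irql=PASSIVE_LEVEL):
    """Return a list of findings about the snapshot's cr8 / IRQL (empty if fine)."""
    irql = irql_from_regs(regs)
    findings = []
    if irql != expected_irql:
        findings.append(f"cr8 IRQL is {irql:#x}, expected {expected_irql:#x}")
    if irql > APC_LEVEL:
        # PagedPool requests need IRQL <= APC_LEVEL; ExAllocatePoolWithTag
        # with PagedPool at a higher IRQL is exactly the failure in the thread.
        findings.append("PagedPool allocations will fault at this IRQL")
    if irql == HIGH_LEVEL:
        findings.append("IRQL 0xf matches a debugger-break state; compare !irql with r cr8")
    return findings


def fix_cr8(regs, irql=PASSIVE_LEVEL):
    """Return a copy of regs with cr8 rewritten in the same 0x-prefixed 16-digit format."""
    fixed = dict(regs)
    fixed["cr8"] = f"{irql:#018x}"
    return fixed


def main():
    regs = json.loads(SAMPLE_REGS_JSON)
    for finding in check_snapshot_irql(regs):
        print("warning:", finding)
    print(json.dumps(fix_cr8(regs), indent=2))


if __name__ == "__main__":
    main()
```

Run it against the real regs.json produced for a snapshot; if cr8 reports 0xf while !irql in the debugger reported 0, the value was captured in the debugger's raised state and should be restored to the IRQL the target actually runs at before fuzzing.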