[BSOD Bugreport]About aswvmm.sys BSOD bugreport.

When installing avast 2014 on Windows 7 x64 RTM in QEMU (a virtual machine with CPU type core2duo), I got a 0x0000007E BSOD.
 aswvmm.sys information:
        avast! VM Monitor
        9.0.2004.130
 signed timestamp: 2013.10.4 15:56:14

 The exception address is:aswVmm+0xa3f4
 In function:aswVmm+0x8fd4

 Details:

# WinDbg `uf` output for the aswVmm.sys routine at aswVmm+0x8fd4 (x64, Intel operand order).
# Each entry is: address, opcode bytes, instruction. Text after '#' on a listing line is the
# reporter's own note from the crashing run. The paste lost its line breaks, so many lines
# hold two instructions; they are reproduced exactly as posted.
#
# Visible flow: check CR0/CR4/CPUID/MSR preconditions for VMX, set CR4.VMXE, call a helper the
# reporter identifies as VMXON, and on the failure path clear CR4.VMXE again at aswVmm+0xa3f4,
# which is the reported exception address.
#
# Register roles established by the prologue: r14 = rcx and r12 = rdx (first two arguments,
# Microsoft x64 convention assumed for a Windows driver); edi = status, initially 0;
# r13d = low dword of CR0; esi = low dword of CR4, later reused via sil as a "this routine
# set CR4.VMXE" marker.
# Stack: 7 pushes + 50h with rbp = rsp+20h puts the return address at [rbp+68h] and the four
# caller-provided home slots at [rbp+70h]..[rbp+88h]; the code reuses those slots as locals
# (saved rbx, a zero byte, the IA32_FEATURE_CONTROL value, the CR4 value).
1: kd> uf fffff880018ebfd4 aswVmm+0x8fd4: fffff880018ebfd4 4055 push rbp
fffff880018ebfd6 56 push rsi fffff880018ebfd7 57 push rdi
fffff880018ebfd8 4154 push r12 fffff880018ebfda 4155 push r13
fffff880018ebfdc 4156 push r14 fffff880018ebfde 4157 push r15
fffff880018ebfe0 4883ec50 sub rsp,50h fffff880018ebfe4 488d6c2420 lea rbp,[rsp+20h]
fffff880018ebfe9 4c8b7d68 mov r15,qword ptr [rbp+68h] fffff880018ebfed 33ff xor edi,edi
fffff880018ebfef 48895d70 mov qword ptr [rbp+70h],rbx fffff880018ebff3 40887d78 mov byte ptr [rbp+78h],dil
fffff880018ebff7 4c8be2 mov r12,rdx fffff880018ebffa 4c8bf1 mov r14,rcx
# Snapshot CR0 into [rbp] and CR4 into [rbp+88h]; bail out to a3c1 unless CR0 bit 0 (PE) is set.
fffff880018ebffd 0f20c0 mov rax,cr0 fffff880018ec000 48894500 mov qword ptr [rbp],rax
fffff880018ec004 0f20e0 mov rax,cr4 fffff880018ec007 448b6d00 mov r13d,dword ptr [rbp]
fffff880018ec00b 48898588000000 mov qword ptr [rbp+88h],rax fffff880018ec012 41f6c501 test r13b,1
fffff880018ec016 0f84a5130000 je aswVmm+0xa3c1 (fffff880018ed3c1) #not jump

# CR0 bit 31 (PG) must also be set; jae is taken when the tested bit is clear.
aswVmm+0x901c:
fffff880018ec01c 410fbae51f bt r13d,1Fh fffff880018ec021 0f839a130000 jae aswVmm+0xa3c1 (fffff880`018ed3c1) #not jump

# CR4 bit 5 (PAE) gates the rest of the checks; jne is taken when it is set.
# NOTE(review): the "#not jump" note below conflicts with the "#jump from fffff880018ec031"
# note at aswVmm+0x9041 and with the reported esi = 6f8 (bit 5 set), so this branch was
# most likely taken.
aswVmm+0x9027:
fffff880018ec027 8bb588000000 mov esi,dword ptr [rbp+88h] fffff880018ec02d 40f6c620 test sil,20h
fffff880018ec031 750e jne aswVmm+0x9041 (fffff880018ec041) #not jump

# Shared bail-out: sil = the zero byte stored in the prologue, so the exit path will not
# touch CR4; status = 0C00000BBh (STATUS_NOT_SUPPORTED).
aswVmm+0x9033:
fffff880018ec033 408a7578 mov sil,byte ptr [rbp+78h] fffff880018ec037 bfbb0000c0 mov edi,0C00000BBh
fffff880018ec03c e98d130000 jmp aswVmm+0xa3ce (fffff880018ed3ce)

# Store the CR4 snapshot (still in rax) at [rdx+0D0h], read MSR 0C0000080h (IA32_EFER) into
# [r12+140h], then run CPUID leaf 1. ECX bit 5 is the VMX feature bit; eax/ebx/edx are saved
# to locals. The mov instructions between test and je do not modify flags, so the je still
# reflects `test cl,20h`. rbx is overwritten by cpuid; its entry value was saved to [rbp+70h].
# NOTE(review): the reported ECX = 80002221 also has bit 31 (hypervisor present) set, which
# the visible code does not test.
aswVmm+0x9041: #jump from fffff880018ec031 fffff880018ec041 488982d0000000 mov qword ptr [rdx+0D0h],rax
fffff880018ec048 b9800000c0 mov ecx,0C0000080h fffff880018ec04d 0f32 rdmsr
fffff880018ec04f 48c1e220 shl rdx,20h fffff880018ec053 480bc2 or rax,rdx
fffff880018ec056 4989842440010000 mov qword ptr [r12+140h],rax fffff880018ec05e b801000000 mov eax,1
fffff880018ec063 0fa2 cpuid #ECX = 0000000080002221 fffff880018ec065 f6c120 test cl,20h
fffff880018ec068 894518 mov dword ptr [rbp+18h],eax fffff880018ec06b 895d1c mov dword ptr [rbp+1Ch],ebx
fffff880018ec06e 895524 mov dword ptr [rbp+24h],edx fffff880018ec071 74c0 je aswVmm+0x9033 (fffff880`018ec033) #bit 5 was set,support vmx, not jump

# Bail out if CR4 bit 13 (VMXE) is already set on entry.
aswVmm+0x9073:
fffff880018ec073 0fbae60d bt esi,0Dh fffff880018ec077 72ba jb aswVmm+0x9033 (fffff880`018ec033) #esi = 6f8, not jump

# CPUID.1:ECX bit 6 is the SMX feature bit; skip the SMX bookkeeping when it is clear.
aswVmm+0x9079:
fffff880018ec079 f6c140 test cl,40h fffff880018ec07c 740f je aswVmm+0x908d (fffff880`018ec08d) #bit 6 not set, jump

# CR4 bit 14 (SMXE): only when SMX is both reported and enabled is the flag below set.
aswVmm+0x907e:
fffff880018ec07e 0fbae60e bt esi,0Eh fffff880018ec082 7309 jae aswVmm+0x908d (fffff880`018ec08d)

# [r12+138h] = 1 records "SMX reported by CPUID and CR4.SMXE set".
aswVmm+0x9084:
fffff880`018ec084 41c684243801000001 mov byte ptr [r12+138h],1

# Read IA32_FEATURE_CONTROL (3Ah) into [rbp+80h] and IA32_VMX_BASIC (480h) into rbx.
# r8d keeps the value 3Ah for the wrmsr further down. The and/cmp on the upper dword checks
# IA32_VMX_BASIC bits 53:50 (VMCS memory type) for the value 6 (write-back).
aswVmm+0x908d: #jump from fffff880018ec07c fffff880018ec08d 41b83a000000 mov r8d,3Ah #read 3AH IA32_FEATURE_CONTROL MSR
fffff880018ec093 418bc8 mov ecx,r8d fffff880018ec096 0f32 rdmsr
fffff880018ec098 48c1e220 shl rdx,20h fffff880018ec09c b980040000 mov ecx,480h
fffff880018ec0a1 480bc2 or rax,rdx fffff880018ec0a4 48898580000000 mov qword ptr [rbp+80h],rax
fffff880018ec0ab 0f32 rdmsr #read 480H msr IA32_VMX_BASIC fffff880018ec0ad 48c1e220 shl rdx,20h
fffff880018ec0b1 480bc2 or rax,rdx fffff880018ec0b4 488bd8 mov rbx,rax
fffff880018ec0b7 48c1e820 shr rax,20h fffff880018ec0bb 2500003c00 and eax,3C0000h
fffff880018ec0c0 3d00001800 cmp eax,180000h fffff880018ec0c5 0f8568ffffff jne aswVmm+0x9033 (fffff880`018ec033) #eax = 180000H,not jump

# IA32_FEATURE_CONTROL bit 0 is the lock bit. Unlocked -> 90f6, where this routine programs
# the MSR itself; locked -> the enable bits are only checked.
aswVmm+0x90cb:
fffff880018ec0cb 8b8580000000 mov eax,dword ptr [rbp+80h] fffff880018ec0d1 a801 test al,1
fffff880018ec0d3 7421 je aswVmm+0x90f6 (fffff880018ec0f6) #al = 0,jump

# Locked case: with the SMX flag set, bit 1 (VMX inside SMX) is required; otherwise bit 2
# (VMX outside SMX) is required. Any missing enable bit ends at the 9033 bail-out.
aswVmm+0x90d5:
fffff880018ec0d5 418a8c2438010000 mov cl,byte ptr [r12+138h] fffff880018ec0dd 84c9 test cl,cl
fffff880018ec0df 740c je aswVmm+0x90ed (fffff880018ec0ed)

aswVmm+0x90e1:
fffff880018ec0e1 a802 test al,2 fffff880018ec0e3 0f844affffff je aswVmm+0x9033 (fffff880`018ec033)

aswVmm+0x90e9:
fffff880018ec0e9 84c9 test cl,cl fffff880018ec0eb 753b jne aswVmm+0x9128 (fffff880`018ec128)

aswVmm+0x90ed:
fffff880018ec0ed a804 test al,4 fffff880018ec0ef 7537 jne aswVmm+0x9128 (fffff880`018ec128)

aswVmm+0x90f1:
fffff880018ec0f1 e93dffffff jmp aswVmm+0x9033 (fffff880018ec033)

# Unlocked case: set bit 0 (lock) and bit 2 (VMX outside SMX); dil is still 0 here, so the
# cmp tests whether the SMX flag is clear.
aswVmm+0x90f6: #jump from fffff880018ec0d3 fffff880018ec0f6 83c805 or eax,5
fffff880018ec0f9 4138bc2438010000 cmp byte ptr [r12+138h],dil fffff880018ec101 898580000000 mov dword ptr [rbp+80h],eax
fffff880018ec107 7409 je aswVmm+0x9112 (fffff880018ec112) #[r12+138h] = dil = 0, jump

# SMX flag set: also enable bit 1 (VMX inside SMX).
aswVmm+0x9109:
fffff880018ec109 83c802 or eax,2 fffff880018ec10c 898580000000 mov dword ptr [rbp+80h],eax

# NOTE(review): ecx is loaded from r8d, which still holds 3Ah, so this wrmsr writes
# IA32_FEATURE_CONTROL (3Ah), not MSR 480h as the inline note says. Setting the lock bit
# makes the chosen enable bits permanent until the next reset.
aswVmm+0x9112: #jump from fffff880018ec107 fffff880018ec112 488b9580000000 mov rdx,qword ptr [rbp+80h]
fffff880018ec119 8b8580000000 mov eax,dword ptr [rbp+80h] fffff880018ec11f 418bc8 mov ecx,r8d
fffff880018ec122 48c1ea20 shr rdx,20h #write 480H msr,rax=5,rdx=0 fffff880018ec126 0f30 wrmsr

# The helper at 13cc1 is not shown; "disable a20m" is the reporter's reading of it.
# Then CR0 bit 5 (NE) is set and CR0 written back, CR4 bit 13 (VMXE) is set and CR4 written,
# and CR4 is read back to confirm the bit stuck (otherwise -> 9033).
aswVmm+0x9128:
fffff880018ec128 e894ab0000 call aswVmm+0x13cc1 (fffff880018f6cc1) #disable a20m
fffff880018ec12d 4183cd20 or r13d,20h fffff880018ec131 44896d00 mov dword ptr [rbp],r13d
fffff880018ec135 488b4500 mov rax,qword ptr [rbp] fffff880018ec139 0f22c0 mov cr0,rax
fffff880018ec13c 0fbaee0d bts esi,0Dh #rsi=00000000000006f8,set bit 13(CR4.VMXE) fffff880018ec140 89b588000000 mov dword ptr [rbp+88h],esi
fffff880018ec146 488b8588000000 mov rax,qword ptr [rbp+88h] fffff880018ec14d 0f22e0 mov cr4,rax
fffff880018ec150 0f20e0 mov rax,cr4 fffff880018ec153 0fbae00d bt eax,0Dh
fffff880018ec157 48898588000000 mov qword ptr [rbp+88h],rax fffff880018ec15e 0f83cffeffff jae aswVmm+0x9033 (fffff880`018ec033) #eax=esi,bit 13 was set, not jump

# From here sil = 1 means "this routine set CR4.VMXE"; the exit path at a3e7 uses it to
# decide whether to clear the bit again. The helpers at 13ded / 13df5 / 13daf are not shown;
# sgdt / sidt / vmxon are the reporter's identifications.
# ebx (low dword of IA32_VMX_BASIC, which carries the VMCS revision identifier) is written
# to the first dword of the buffer pointed to by [r12+148h], presumably the VMXON region,
# with rcx = &[r12+150h] passed to the helper. TODO confirm against the helper.
aswVmm+0x9164:
fffff880018ec164 488d4d08 lea rcx,[rbp+8] fffff880018ec168 40b601 mov sil,1 # (CR4.VMXE=1) was set, set sil=1
fffff880018ec16b e87dac0000 call aswVmm+0x13ded (fffff880018f6ded) #sgdt
fffff880018ec170 488d4d18 lea rcx,[rbp+18h] fffff880018ec174 e87cac0000 call aswVmm+0x13df5 (fffff880018f6df5) #sidt fffff880018ec179 4d8b9c2448010000 mov r11,qword ptr [r12+148h]
fffff880018ec181 498d8c2450010000 lea rcx,[r12+150h] fffff880018ec189 41891b mov dword ptr [r11],ebx
fffff880018ec18c e81eac0000 call aswVmm+0x13daf (fffff880018f6daf) #vmxon, A question:forgot to set [r12+1CC] flag???
# With sil = 1, `test sil,al` checks bit 0 of the helper's return value; a set bit is
# treated as failure and jumps to a3ba. The dots on the next line are the reporter's
# elision of the success path, which is not shown.
fffff880018ec191 4084c6 test sil,al fffff880018ec194 0f8520120000 jne aswVmm+0xa3ba (fffff880018ed3ba) #test sil,al not 0,jump ..... ..... ..... ..... aswVmm+0xa3ba: #jump from fffff880018ec194
# Failure status 0C000002Dh (STATUS_NOT_COMMITTED); sil is still 1 on this path.
fffff880018ed3ba bf2d0000c0 mov edi,0C000002Dh fffff880018ed3bf eb0d jmp aswVmm+0xa3ce (fffff880`018ed3ce)

# Target of the CR0.PE / CR0.PG precondition failures: sil = 0, STATUS_NOT_SUPPORTED.
aswVmm+0xa3c1:
fffff880018ed3c1 408a7578 mov sil,byte ptr [rbp+78h] fffff880018ed3c5 bfbb0000c0 mov edi,0C00000BBh

# Non-negative status (sign bit clear) skips the cleanup below.
aswVmm+0xa3ca:
fffff880018ed3ca 85ff test edi,edi fffff880018ed3cc 7929 jns aswVmm+0xa3f7 (fffff880`018ed3f7)

# Cleanup. VMXOFF is gated on the byte at [r12+1CCh], while clearing CR4.VMXE is gated
# separately on sil. Nothing in the visible listing sets [r12+1CCh] before the vmxon helper
# returns, so on the a3ba path VMXOFF is skipped while CR4.VMXE is still cleared.
# NOTE(review): if the (virtual) CPU did enter VMX operation even though the helper reported
# failure, the CR4 write at a3f4 raises #GP, because CR4.VMXE cannot be cleared in VMX
# operation. That matches the reported exception address, but whether VMXON actually took
# effect under QEMU cannot be determined from this listing.
# A more robust teardown derives both steps from one recorded "VMXON succeeded" state and
# clears CR4.VMXE only after VMXOFF has run or when VMX operation was never entered.
aswVmm+0xa3ce: #jump from fffff880018ed3bf fffff880018ed3ce 4180bc24cc01000000 cmp byte ptr [r12+1CCh],0
fffff880018ed3d7 740e je aswVmm+0xa3e7 (fffff880018ed3e7) #[r12+1CCh] = 0,jump!!! this maybe the problem!!!

# Only reached when the flag is set: clear it and call the helper the reporter identifies as vmxoff.
aswVmm+0xa3d9:
fffff880018ed3d9 41c68424cc01000000 mov byte ptr [r12+1CCh],0 fffff880018ed3e2 e899980000 call aswVmm+0x13c80 (fffff880`018f6c80) #vmxoff

# sil = 1 means this routine set CR4.VMXE, so it falls through to undo that.
aswVmm+0xa3e7:
fffff880018ed3e7 4084f6 test sil,sil #sil=1,not jump fffff880018ed3ea 740b je aswVmm+0xa3f7 (fffff880`018ed3f7) #f**k off

# Clear CR4 bit 13 (VMXE). The write at fffff880`018ed3f4 is aswVmm+0xa3f4, the reported
# exception address.
aswVmm+0xa3ec:
fffff880018ed3ec 0f20e0 mov rax,cr4 #cr4=00000000000026f8 fffff880018ed3ef 480fbaf00d btr rax,0Dh #reset bit 13,rax = 00000000000006f8
fffff880`018ed3f4 0f22e0 mov cr4,rax #in vmx root operation,it’s impossible to reset CR4.VMXE

Did this happen with an older Avast version?