When installing avast! 2014 on Windows 7 x64 RTM inside QEMU (virtual machine with CPU type core2duo), I get a 0x0000007E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) BSOD.
aswvmm.sys information:
avast! VM Monitor
9.0.2004.130
signed timestamp: 2013.10.4 15:56:14
The faulting instruction is at aswVmm+0xa3f4 (fffff880`018ed3f4, the `mov cr4,rax` at the end of the listing below),
inside the function that starts at aswVmm+0x8fd4 (fffff880`018ebfd4).
Annotated disassembly follows; the `#` comments are mine and record the values observed in the debugger.
1: kd> uf fffff880`018ebfd4
aswVmm+0x8fd4:
fffff880`018ebfd4 4055 push rbp
fffff880`018ebfd6 56 push rsi
fffff880`018ebfd7 57 push rdi
fffff880`018ebfd8 4154 push r12
fffff880`018ebfda 4155 push r13
fffff880`018ebfdc 4156 push r14
fffff880`018ebfde 4157 push r15
fffff880`018ebfe0 4883ec50 sub rsp,50h
fffff880`018ebfe4 488d6c2420 lea rbp,[rsp+20h]
fffff880`018ebfe9 4c8b7d68 mov r15,qword ptr [rbp+68h]
fffff880`018ebfed 33ff xor edi,edi
fffff880`018ebfef 48895d70 mov qword ptr [rbp+70h],rbx
fffff880`018ebff3 40887d78 mov byte ptr [rbp+78h],dil
fffff880`018ebff7 4c8be2 mov r12,rdx
fffff880`018ebffa 4c8bf1 mov r14,rcx
fffff880`018ebffd 0f20c0 mov rax,cr0
fffff880`018ec000 48894500 mov qword ptr [rbp],rax
fffff880`018ec004 0f20e0 mov rax,cr4
fffff880`018ec007 448b6d00 mov r13d,dword ptr [rbp]
fffff880`018ec00b 48898588000000 mov qword ptr [rbp+88h],rax
fffff880`018ec012 41f6c501 test r13b,1
fffff880`018ec016 0f84a5130000 je aswVmm+0xa3c1 (fffff880`018ed3c1) #CR0.PE (bit 0) set -> not taken
aswVmm+0x901c:
fffff880`018ec01c 410fbae51f bt r13d,1Fh
fffff880`018ec021 0f839a130000 jae aswVmm+0xa3c1 (fffff880`018ed3c1) #CR0.PG (bit 31) set -> not taken
aswVmm+0x9027:
fffff880`018ec027 8bb588000000 mov esi,dword ptr [rbp+88h]
fffff880`018ec02d 40f6c620 test sil,20h
fffff880`018ec031 750e jne aswVmm+0x9041 (fffff880`018ec041) #CR4.PAE (bit 5) set (CR4 = 6f8) -> TAKEN, continues at 0x9041; falling through would return 0xC00000BB
aswVmm+0x9033:
fffff880`018ec033 408a7578 mov sil,byte ptr [rbp+78h]
fffff880`018ec037 bfbb0000c0 mov edi,0C00000BBh #status 0xC00000BB (STATUS_NOT_SUPPORTED): a required CPU/VMX feature is missing
fffff880`018ec03c e98d130000 jmp aswVmm+0xa3ce (fffff880`018ed3ce)
aswVmm+0x9041: #jump from fffff880`018ec031
fffff880`018ec041 488982d0000000 mov qword ptr [rdx+0D0h],rax
fffff880`018ec048 b9800000c0 mov ecx,0C0000080h
fffff880`018ec04d 0f32 rdmsr
fffff880`018ec04f 48c1e220 shl rdx,20h
fffff880`018ec053 480bc2 or rax,rdx
fffff880`018ec056 4989842440010000 mov qword ptr [r12+140h],rax
fffff880`018ec05e b801000000 mov eax,1
fffff880`018ec063 0fa2 cpuid #ECX = 0000000080002221
fffff880`018ec065 f6c120 test cl,20h
fffff880`018ec068 894518 mov dword ptr [rbp+18h],eax
fffff880`018ec06b 895d1c mov dword ptr [rbp+1Ch],ebx
fffff880`018ec06e 895524 mov dword ptr [rbp+24h],edx
fffff880`018ec071 74c0 je aswVmm+0x9033 (fffff880`018ec033) #CPUID.01H:ECX bit 5 (VMX) set -> VMX supported, not taken
aswVmm+0x9073:
fffff880`018ec073 0fbae60d bt esi,0Dh
fffff880`018ec077 72ba jb aswVmm+0x9033 (fffff880`018ec033) #esi = CR4 = 6f8, bit 13 (CR4.VMXE) clear -> not already in VMX operation, not taken
aswVmm+0x9079:
fffff880`018ec079 f6c140 test cl,40h
fffff880`018ec07c 740f je aswVmm+0x908d (fffff880`018ec08d) #CPUID.01H:ECX bit 6 (SMX) clear -> taken, [r12+138h] stays 0
aswVmm+0x907e:
fffff880`018ec07e 0fbae60e bt esi,0Eh
fffff880`018ec082 7309 jae aswVmm+0x908d (fffff880`018ec08d)
aswVmm+0x9084:
fffff880`018ec084 41c684243801000001 mov byte ptr [r12+138h],1
aswVmm+0x908d: #jump from fffff880`018ec07c
fffff880`018ec08d 41b83a000000 mov r8d,3Ah #ecx = 3Ah: read IA32_FEATURE_CONTROL; r8d keeps 3Ah for the wrmsr at aswVmm+0x9126
fffff880`018ec093 418bc8 mov ecx,r8d
fffff880`018ec096 0f32 rdmsr
fffff880`018ec098 48c1e220 shl rdx,20h
fffff880`018ec09c b980040000 mov ecx,480h
fffff880`018ec0a1 480bc2 or rax,rdx
fffff880`018ec0a4 48898580000000 mov qword ptr [rbp+80h],rax
fffff880`018ec0ab 0f32 rdmsr #read IA32_VMX_BASIC (480H); rbx below holds the full 64-bit value
fffff880`018ec0ad 48c1e220 shl rdx,20h
fffff880`018ec0b1 480bc2 or rax,rdx
fffff880`018ec0b4 488bd8 mov rbx,rax
fffff880`018ec0b7 48c1e820 shr rax,20h
fffff880`018ec0bb 2500003c00 and eax,3C0000h
fffff880`018ec0c0 3d00001800 cmp eax,180000h
fffff880`018ec0c5 0f8568ffffff jne aswVmm+0x9033 (fffff880`018ec033) #bits 53:50 of IA32_VMX_BASIC = 6 (VMCS memory type write-back), as required -> eax = 180000H, not taken
aswVmm+0x90cb:
fffff880`018ec0cb 8b8580000000 mov eax,dword ptr [rbp+80h]
fffff880`018ec0d1 a801 test al,1
fffff880`018ec0d3 7421 je aswVmm+0x90f6 (fffff880`018ec0f6) #IA32_FEATURE_CONTROL bit 0 (lock) clear -> MSR not yet locked by firmware, taken: the driver programs it itself
aswVmm+0x90d5:
fffff880`018ec0d5 418a8c2438010000 mov cl,byte ptr [r12+138h]
fffff880`018ec0dd 84c9 test cl,cl
fffff880`018ec0df 740c je aswVmm+0x90ed (fffff880`018ec0ed)
aswVmm+0x90e1:
fffff880`018ec0e1 a802 test al,2
fffff880`018ec0e3 0f844affffff je aswVmm+0x9033 (fffff880`018ec033)
aswVmm+0x90e9:
fffff880`018ec0e9 84c9 test cl,cl
fffff880`018ec0eb 753b jne aswVmm+0x9128 (fffff880`018ec128)
aswVmm+0x90ed:
fffff880`018ec0ed a804 test al,4
fffff880`018ec0ef 7537 jne aswVmm+0x9128 (fffff880`018ec128)
aswVmm+0x90f1:
fffff880`018ec0f1 e93dffffff jmp aswVmm+0x9033 (fffff880`018ec033)
aswVmm+0x90f6: #jump from fffff880`018ec0d3
fffff880`018ec0f6 83c805 or eax,5
fffff880`018ec0f9 4138bc2438010000 cmp byte ptr [r12+138h],dil
fffff880`018ec101 898580000000 mov dword ptr [rbp+80h],eax
fffff880`018ec107 7409 je aswVmm+0x9112 (fffff880`018ec112) #[r12+138h] (SMX-supported flag) = dil = 0 -> taken, "VMXON in SMX" bit (bit 1) not set
aswVmm+0x9109:
fffff880`018ec109 83c802 or eax,2
fffff880`018ec10c 898580000000 mov dword ptr [rbp+80h],eax
aswVmm+0x9112: #jump from fffff880`018ec107
fffff880`018ec112 488b9580000000 mov rdx,qword ptr [rbp+80h]
fffff880`018ec119 8b8580000000 mov eax,dword ptr [rbp+80h]
fffff880`018ec11f 418bc8 mov ecx,r8d
fffff880`018ec122 48c1ea20 shr rdx,20h #ecx = r8d = 3Ah, so the wrmsr writes IA32_FEATURE_CONTROL (not 480H, which is read-only): rax = 5 (lock | VMXON outside SMX), rdx = 0
fffff880`018ec126 0f30 wrmsr
aswVmm+0x9128:
fffff880`018ec128 e894ab0000 call aswVmm+0x13cc1 (fffff880`018f6cc1) #helper not shown; I labelled it "disable A20M" but that is not verifiable from this listing
fffff880`018ec12d 4183cd20 or r13d,20h #set CR0.NE (bit 5) in the saved CR0 value, written back to CR0 below
fffff880`018ec131 44896d00 mov dword ptr [rbp],r13d
fffff880`018ec135 488b4500 mov rax,qword ptr [rbp]
fffff880`018ec139 0f22c0 mov cr0,rax
fffff880`018ec13c 0fbaee0d bts esi,0Dh #rsi=00000000000006f8,set bit 13(CR4.VMXE)
fffff880`018ec140 89b588000000 mov dword ptr [rbp+88h],esi
fffff880`018ec146 488b8588000000 mov rax,qword ptr [rbp+88h]
fffff880`018ec14d 0f22e0 mov cr4,rax
fffff880`018ec150 0f20e0 mov rax,cr4
fffff880`018ec153 0fbae00d bt eax,0Dh
fffff880`018ec157 48898588000000 mov qword ptr [rbp+88h],rax
fffff880`018ec15e 0f83cffeffff jae aswVmm+0x9033 (fffff880`018ec033) #CR4 read back with bit 13 set -> VMXE took effect, not taken
aswVmm+0x9164:
fffff880`018ec164 488d4d08 lea rcx,[rbp+8]
fffff880`018ec168 40b601 mov sil,1 #sil = 1 records that this code set CR4.VMXE and must clear it again on failure (tested at aswVmm+0xa3e7 below)
fffff880`018ec16b e87dac0000 call aswVmm+0x13ded (fffff880`018f6ded) #sgdt
fffff880`018ec170 488d4d18 lea rcx,[rbp+18h]
fffff880`018ec174 e87cac0000 call aswVmm+0x13df5 (fffff880`018f6df5) #sidt
fffff880`018ec179 4d8b9c2448010000 mov r11,qword ptr [r12+148h]
fffff880`018ec181 498d8c2450010000 lea rcx,[r12+150h]
fffff880`018ec189 41891b mov dword ptr [r11],ebx #store the low dword of IA32_VMX_BASIC (VMCS revision identifier) into the buffer at [r12+148h], presumably the VMXON region
fffff880`018ec18c e81eac0000 call aswVmm+0x13daf (fffff880`018f6daf) #vmxon helper, rcx = &[r12+150h] (presumably the VMXON region's physical address). No write to the [r12+1CCh] flag is visible between here and the cleanup at aswVmm+0xa3ce; whether the helper sets it cannot be seen from this listing.
fffff880`018ec191 4084c6 test sil,al
fffff880`018ec194 0f8520120000 jne aswVmm+0xa3ba (fffff880`018ed3ba) #sil = 1 and bit 0 of al set: the helper reported failure -> taken, to the error path
.....
.....
.....
.....
aswVmm+0xa3ba: #jump from fffff880`018ec194
fffff880`018ed3ba bf2d0000c0 mov edi,0C000002Dh #return status 0xC000002D for the failed vmxon
fffff880`018ed3bf eb0d jmp aswVmm+0xa3ce (fffff880`018ed3ce)
aswVmm+0xa3c1:
fffff880`018ed3c1 408a7578 mov sil,byte ptr [rbp+78h]
fffff880`018ed3c5 bfbb0000c0 mov edi,0C00000BBh #status 0xC00000BB (STATUS_NOT_SUPPORTED): CR0.PE or CR0.PG not set
aswVmm+0xa3ca:
fffff880`018ed3ca 85ff test edi,edi
fffff880`018ed3cc 7929 jns aswVmm+0xa3f7 (fffff880`018ed3f7)
aswVmm+0xa3ce: #jump from fffff880`018ed3bf
fffff880`018ed3ce 4180bc24cc01000000 cmp byte ptr [r12+1CCh],0
fffff880`018ed3d7 740e je aswVmm+0xa3e7 (fffff880`018ed3e7) #[r12+1CCh] = 0 -> taken, so VMXOFF is skipped. If the CPU did enter VMX root operation at the vmxon above, it is left there while the code goes on to clear CR4.VMXE — this looks like the root cause
aswVmm+0xa3d9:
fffff880`018ed3d9 41c68424cc01000000 mov byte ptr [r12+1CCh],0
fffff880`018ed3e2 e899980000 call aswVmm+0x13c80 (fffff880`018f6c80) #vmxoff
aswVmm+0xa3e7:
fffff880`018ed3e7 4084f6 test sil,sil #sil = 1 (VMXE was set by this function) -> not taken
fffff880`018ed3ea 740b je aswVmm+0xa3f7 (fffff880`018ed3f7) #falls through to clear CR4.VMXE without a preceding VMXOFF
aswVmm+0xa3ec:
fffff880`018ed3ec 0f20e0 mov rax,cr4 #cr4 = 00000000000026f8 (VMXE still set)
fffff880`018ed3ef 480fbaf00d btr rax,0Dh #clear bit 13 (CR4.VMXE), rax = 00000000000006f8
fffff880`018ed3f4 0f22e0 mov cr4,rax #bug-check site (aswVmm+0xa3f4, matches the exception address): clearing CR4.VMXE while the logical processor is in VMX operation raises #GP (Intel SDM), so this write faults -> 0x7E