I'm not sure why the driver is a problem
Code:
1: kd> kv
ChildEBP RetAddr Args to Child
8edf2594 82c5aaa8 00000000 a4f86ffe 00000000 nt!MmAccessFault+0x104
8edf2594 82c455c5 00000000 a4f86ffe 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ 8edf25ac)
8edf2624 9f2194ed a4f86ffe 8edf2874 00000007 nt!_wcsnicmp+0x13 (FPO: [Non-Fpo])
8edf28a4 883b8aeb 85e75e88 8edf28c4 8edf28f0 BEDaisy+0x164ed
8edf2910 883bbc77 8edf2928 8edf29cc 8edf2988 fltmgr!FltpPerformPreCallbacks+0x34d (FPO: [Non-Fpo])
8edf2940 82cac273 8edf2988 8edf29d4 855e2218 fltmgr!FltpPreFsFilterOperation+0xab (FPO: [Non-Fpo])
8edf2964 82e4c201 00000001 00000001 8edf2abb nt!FsFilterPerformCallbacks+0xa4
8edf2ac0 82e3eb7c 84f03420 00000010 00000000 nt!FsRtlAcquireFileExclusiveCommon+0x10a
8edf2be0 82e3e2bb 8edf2c34 0000000f 00000000 nt!MmCreateSection+0x384
8edf2d10 82c578c6 0191f99c 0000000f 00000000 nt!NtCreateSection+0x16e
8edf2d10 0655a000 0191f99c 0000000f 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame-EDITED @ 8edf2d10)
00002000 00000000 00000000 00000000 00000000 0x655a000
The BEDaisy.sys driver is a really controversial driver. It's a literal kernel-mode driver from/for Arma2 (a video game) that has obfuscation to prevent reversing, contacts various C&C servers to upload data, hooks applications, etc. It's basically a 'legal' rootkit. We can see that Arma2 was in fact the game running at the time of crash:
Code:
PROCESS_NAME: ArmA2OA.exe
We unfortunately cannot see any of BEDaisy's work in action as it's merely a minidump.
Code:
1: kd> .trap 8edf25ac
ErrCode = 00000000
eax=00000000 ebx=82c455b2 ecx=00000200 edx=a4f86ffe esi=8edf2874 edi=fffffff6
eip=82c455c5 esp=8edf2620 ebp=8edf2624 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!_wcsnicmp+0x13:
82c455c5 0fb702 movzx eax,word ptr [edx] ds:0023:a4f86ffe=????
It called the _wcsnicmp function to most likely lexicographically compare strings, but I could be wrong. What exactly went wrong however regarding the driver was we were copying the contents of the edx register to the eax register, and then zero extending the value. This is a minidump so we cannot dump the contents of the edx register, but we can see eax is null:
This is likely the reason for the crash, although edx's contents may have also possibly been invalid. I'd need a kernel dump to check.
In any case, I don't think this is actually a bug in the kernel-mode driver itself (although it's possible), but perhaps your antivirus is under the impression it's an actual rootkit (because it behaves like one), and is conflicting with it. You can try and whitelist it with 360 antivirus, or uninstall 360 antivirus entirely (my recommendation, because I wouldn't recommend that antivirus) and see if the crashes stop.
Also, unrelated, you have a driver loaded from 1996 that is known to cause problems:
Code:
1: kd> lmvm giveio
start end module name
889ff000 889ff680 giveio (deferred)
Image path: \SystemRoot\system32\giveio.sys
Image name: giveio.sys
Timestamp: Wed Apr 03 22:33:25 1996
Known software to associate itself with this driver - ADC Analyzer/SwiftForth/Disspy/SpeedFan. Uninstall whichever you have.
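As an added example that is not part of this post, here is a small Python triage helper that parses the x86 `kv` output quoted above and applies the same reasoning: it takes the faulting virtual address from the second argument of nt!MmAccessFault and walks up the stack from the fault to the first frame outside the Microsoft modules (here BEDaisy+0x164ed, a module with no symbols). The FIRST_PARTY module set is an assumption, and the sample stack is constructed from the frames in the post.

```python
import re

# Constructed sample input: the `kv` frames quoted in the post above.
KV_OUTPUT = """\
ChildEBP RetAddr Args to Child
8edf2594 82c5aaa8 00000000 a4f86ffe 00000000 nt!MmAccessFault+0x104
8edf2594 82c455c5 00000000 a4f86ffe 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ 8edf25ac)
8edf2624 9f2194ed a4f86ffe 8edf2874 00000007 nt!_wcsnicmp+0x13 (FPO: [Non-Fpo])
8edf28a4 883b8aeb 85e75e88 8edf28c4 8edf28f0 BEDaisy+0x164ed
8edf2910 883bbc77 8edf2928 8edf29cc 8edf2988 fltmgr!FltpPerformPreCallbacks+0x34d (FPO: [Non-Fpo])
"""
# One x86 `kv` frame: ChildEBP, RetAddr, three args, symbol (rest of line ignored).
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){2}((?:[0-9a-f]{8} ){3})(\S+)")
# Assumption: modules treated as first-party when deciding which frame to blame.
FIRST_PARTY = {"nt", "hal", "fltmgr", "ntfs"}

def parse_kv(text):
    """Return frames, innermost (faulting) first, as dicts."""
    frames = []
    for m in filter(None, map(FRAME_RE.match, text.splitlines())):
        sym = m.group(2)
        module, bang, rest = sym.partition("!")
        if not bang:                       # no symbols: "BEDaisy+0x164ed"
            module, _, offset = sym.partition("+")
            func = None
        else:
            func, _, offset = rest.partition("+")
        frames.append({"module": module, "func": func, "offset": offset,
                       "args": [int(a, 16) for a in m.group(1).split()]})
    return frames

def faulting_address(frames):
    """nt!MmAccessFault(FaultStatus, VirtualAddress, ...): second argument."""
    for f in frames:
        if f["module"] == "nt" and f["func"] == "MmAccessFault":
            return f["args"][1]
    return None

def first_third_party_frame(frames):
    """Walking up from the fault, the first frame whose module is not in FIRST_PARTY."""
    return next((f for f in frames if f["module"].lower() not in FIRST_PARTY), None)

if __name__ == "__main__":
    fr = parse_kv(KV_OUTPUT)
    blame = first_third_party_frame(fr)
    print(f"fault reading {faulting_address(fr):#010x}, blamed frame: "
          f"{blame['module']}+{blame['offset']}")
```

The faulting address it recovers (0xa4f86ffe) is the same value the `.trap` output shows as `ds:0023:a4f86ffe=????`, i.e. the unreadable pointer in edx.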