Re: Can this error be preliminarily diagnosed? Thanks
WinDbg
Can this error be preliminarily diagnosed? Thanks
futurestar
2009-01-15, 15:00 PM
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000144, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80536813, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000144
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExReleaseResourceLite+a3
80536813 0fb68f43010000 movzx ecx,byte ptr [edi+143h]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0xA
PROCESS_NAME: svchost.exe
LAST_CONTROL_TRANSFER: from 805333cb to 80536813
STACK_TEXT:
f6b32c6c 805333cb e10a95d8 e15ac260 f6b32ca8 nt!ExReleaseResourceLite+0xa3
f6b32c7c 805d01ba e10a95d8 e1116de0 00000002 nt!SeTokenCanImpersonate+0x67
f6b32ca8 805f7b07 85359510 e1116de0 00000001 nt!PsImpersonateClient+0x10e
f6b32cc4 805a62d6 f6b32c01 00000000 f6b32d64 nt!SeImpersonateClientEx+0x37
f6b32d54 8054261c 00000a50 000bf748 011cfcf4 nt!NtImpersonateClientOfPort+0x178
f6b32d54 7c92e4f4 00000a50 000bf748 011cfcf4 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
011cfcf4 00000000 00000000 00000000 00000000 0x7c92e4f4
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -db !nt
3 errors : !nt (8053676f-8053677f)
80536760 15 14 91 4d 80 5e c9 c2 04 00 cc cc cc cc cc *84 ...M.^..........
80536770 8b ff 55 8b ec 83 ec 0c 53 56 57 8b f1 64 *a9 *cc ..U.....SVW..d..
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: STRIDE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_STRIDE
BUCKET_ID: MEMORY_CORRUPTION_STRIDE
Re: Can this error be preliminarily diagnosed? Thanks
王宇
2009-01-16, 11:14 AM
The problem is simple: an invalid memory access.
The implementation of ExReleaseResourceLite() is as follows:
VOID
FASTCALL
ExReleaseResourceLite(
__inout PERESOURCE Resource
)
/*++
Routine Description:
This routine releases the specified resource for the current thread
and decrements the recursion count. If the count reaches zero, then
the resource may also be released.
Arguments:
Resource - Supplies a pointer to the resource to release.
Return Value:
None.
--*/
{
ERESOURCE_THREAD CurrentThread;
ULONG Index;
ULONG Number;
EXP_LOCK_HANDLE LockHandle;
POWNER_ENTRY OwnerEntry, OwnerEnd;
CurrentThread = (ERESOURCE_THREAD)PsGetCurrentThread();
ASSERT_RESOURCE(Resource);
//
// Acquire exclusive access to the specified resource.
//
EXP_LOCK_RESOURCE(Resource, &LockHandle);
.............
//
// If the resource is exclusively owned, then release exclusive
// ownership. Otherwise, release shared ownership.
//
// N.B. The two release paths are split since this is such a high
// frequency function.
//
if (IsOwnedExclusive(Resource)) {
.............
}
} else {
if (Resource->OwnerThreads[1].OwnerThread == CurrentThread) {
OwnerEntry = &Resource->OwnerThreads[1];
} else if (Resource->OwnerThreads[0].OwnerThread == CurrentThread) {
OwnerEntry = &Resource->OwnerThreads[0];
} else {
Index = ((PKTHREAD)(CurrentThread))->ResourceIndex;
.............
Note the last statement: Index = ((PKTHREAD)(CurrentThread))->ResourceIndex;
Now look at the disassembly:
nt!ExReleaseResourceLite:
80535764 8bff mov edi,edi
80535766 55 push ebp
80535767 8bec mov ebp,esp
80535769 83ec0c sub esp,0Ch
8053576c 53 push ebx
8053576d 56 push esi
8053576e 57 push edi
8053576f 8bf1 mov esi,ecx
80535771 64a124010000 mov eax,dword ptr fs:[00000124h]
80535777 8d4e34 lea ecx,[esi+34h]
8053577a 8d55f4 lea edx,[ebp-0Ch]
8053577d 8bf8 mov edi,eax
Here EDI is assigned fs:[00000124h], which is clearly a _KTHREAD.
And the instruction that blue-screened is: 80536813 0fb68f43010000 movzx ecx,byte ptr [edi+143h]
Offset +0x143 of _KTHREAD is:
+0x143 ResourceIndex : UChar
In other words, the last line of the C code above caused the blue screen (the CurrentThread pointer is invalid).
What is odd is that CurrentThread is a local variable. Could you have run into an evil inline call hook that corrupted the local variables/registers/stack? Hmm... it seems only a kernel dump will reveal the truth...
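As an added example (not part of any post in this thread), a small Python triage helper that pulls out the facts the replies rely on from pasted !analyze -v text: the 0xA arguments with Arg3's bitfield decoded, the base-register value implied by the faulting [edi+143h] operand and the read address, and the bytes !chkimg starred as differing from the on-disk image. The sample text is a constructed, shortened excerpt of the output above.

```python
import re

# Constructed sample: a shortened copy of the !analyze -v output pasted above.
SAMPLE = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arguments:
Arg1: 00000144, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
Arg4: 80536813, address which referenced memory
FAULTING_IP:
nt!ExReleaseResourceLite+a3
80536813 0fb68f43010000 movzx ecx,byte ptr [edi+143h]
CHKIMG_EXTENSION: !chkimg -lo 50 -db !nt
3 errors : !nt (8053676f-8053677f)
80536760 15 14 91 4d 80 5e c9 c2 04 00 cc cc cc cc cc *84 ...M.^..........
80536770 8b ff 55 8b ec 83 ec 0c 53 56 57 8b f1 64 *a9 *cc ..U.....SVW..d..
"""

ARG_RE = re.compile(r"^Arg(\d): ([0-9a-fA-F]{8})", re.M)
MEMOP_RE = re.compile(r"\[(\w+)\+([0-9a-fA-F]+)h\]")
CHKIMG_ROW_RE = re.compile(r"^([0-9a-fA-F]{8}) ((?:\*?[0-9a-fA-F]{2} ?)+)", re.M)

def parse_bugcheck_a(text):
    """Return the four 0xA arguments; Arg3 bit 0 = write, bit 3 = execute."""
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    return {
        "address": args[1],
        "irql": args[2],
        "is_write": bool(args[3] & 1),
        "is_execute": bool(args[3] & 8),
        "faulting_ip": args[4],
    }

def base_register_value(text, fault_addr):
    """Recover (register, value) from the '[reg+disp]' operand of the faulting instruction."""
    m = MEMOP_RE.search(text)
    if not m:
        return None
    reg, disp = m.group(1), int(m.group(2), 16)
    return reg, (fault_addr - disp) & 0xFFFFFFFF

def chkimg_corrupted_bytes(text):
    """List (address, byte) pairs that !chkimg marked with '*' as not matching the image."""
    section = text.split("CHKIMG_EXTENSION", 1)[1] if "CHKIMG_EXTENSION" in text else ""
    hits = []
    for base, row in CHKIMG_ROW_RE.findall(section):
        for i, tok in enumerate(row.split()):
            if tok.startswith("*"):
                hits.append((int(base, 16) + i, int(tok[1:], 16)))
    return hits
```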
Re: Can this error be preliminarily diagnosed? Thanks
格蠹老雷
2009-01-16, 14:02 PM
王宇's analysis is very thorough. It may be that the value returned by PsGetCurrentThread was itself NULL. It looks like the current thread was servicing an LPC request and needed to do some work as the LPC client, but something went wrong while preparing to impersonate the client thread.
I suggest the original poster run the following commands and paste the results:
r
dd fs:[0] l100
!handle 00000a50    (show the LPC handle, to get the LPC port)
!lpc port