Advanced Debugging (ADVDBG.ORG) » Software Debugging
WinDbg

Thread starter: futurestar   Posted: 2009-01-15 15:00   Replies: 2

2009-01-15, 15:00   futurestar

Can a preliminary diagnosis be made from this error? Thanks

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000144, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80536813, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 00000144

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExReleaseResourceLite+a3
80536813 0fb68f43010000 movzx ecx,byte ptr [edi+143h]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0xA

PROCESS_NAME: svchost.exe

LAST_CONTROL_TRANSFER: from 805333cb to 80536813

STACK_TEXT:
f6b32c6c 805333cb e10a95d8 e15ac260 f6b32ca8 nt!ExReleaseResourceLite+0xa3
f6b32c7c 805d01ba e10a95d8 e1116de0 00000002 nt!SeTokenCanImpersonate+0x67
f6b32ca8 805f7b07 85359510 e1116de0 00000001 nt!PsImpersonateClient+0x10e
f6b32cc4 805a62d6 f6b32c01 00000000 f6b32d64 nt!SeImpersonateClientEx+0x37
f6b32d54 8054261c 00000a50 000bf748 011cfcf4 nt!NtImpersonateClientOfPort+0x178
f6b32d54 7c92e4f4 00000a50 000bf748 011cfcf4 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
011cfcf4 00000000 00000000 00000000 00000000 0x7c92e4f4


STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -db !nt
3 errors : !nt (8053676f-8053677f)
80536760 15 14 91 4d 80 5e c9 c2 04 00 cc cc cc cc cc *84 ...M.^..........
80536770 8b ff 55 8b ec 83 ec 0c 53 56 57 8b f1 64 *a9 *cc ..U.....SVW..d..

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: STRIDE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_STRIDE

BUCKET_ID: MEMORY_CORRUPTION_STRIDE

2009-01-16, 11:14   WANGyu (王宇)

Re: Can a preliminary diagnosis be made from this error? Thanks
The problem is simple: an invalid memory access.

The implementation of ExReleaseResourceLite() is as follows:

VOID
FASTCALL
ExReleaseResourceLite(
    __inout PERESOURCE Resource
    )

/*++

Routine Description:

    This routine releases the specified resource for the current thread
    and decrements the recursion count. If the count reaches zero, then
    the resource may also be released.

Arguments:

    Resource - Supplies a pointer to the resource to release.

Return Value:

    None.

--*/

{
    ERESOURCE_THREAD CurrentThread;
    ULONG Index;
    ULONG Number;
    EXP_LOCK_HANDLE LockHandle;
    POWNER_ENTRY OwnerEntry, OwnerEnd;

    CurrentThread = (ERESOURCE_THREAD)PsGetCurrentThread();

    ASSERT_RESOURCE(Resource);

    //
    // Acquire exclusive access to the specified resource.
    //

    EXP_LOCK_RESOURCE(Resource, &LockHandle);

    .............

    //
    // If the resource is exclusively owned, then release exclusive
    // ownership. Otherwise, release shared ownership.
    //
    // N.B. The two release paths are split since this is such a high
    //      frequency function.
    //

    if (IsOwnedExclusive(Resource)) {
        .............
        }

    } else {
        if (Resource->OwnerThreads[1].OwnerThread == CurrentThread) {
            OwnerEntry = &Resource->OwnerThreads[1];

        } else if (Resource->OwnerThreads[0].OwnerThread == CurrentThread) {
            OwnerEntry = &Resource->OwnerThreads[0];

        } else {
            Index = ((PKTHREAD)(CurrentThread))->ResourceIndex;
            .............

Note the last statement: Index = ((PKTHREAD)(CurrentThread))->ResourceIndex;


Now look at the disassembly:

nt!ExReleaseResourceLite:
80535764 8bff mov edi,edi
80535766 55 push ebp
80535767 8bec mov ebp,esp
80535769 83ec0c sub esp,0Ch
8053576c 53 push ebx
8053576d 56 push esi
8053576e 57 push edi
8053576f 8bf1 mov esi,ecx
80535771 64a124010000 mov eax,dword ptr fs:[00000124h]
80535777 8d4e34 lea ecx,[esi+34h]
8053577a 8d55f4 lea edx,[ebp-0Ch]
8053577d 8bf8 mov edi,eax

Here EDI is assigned the value of fs:[00000124h], which is clearly a _KTHREAD.
And the instruction that blue-screened is: 80536813 0fb68f43010000 movzx ecx,byte ptr [edi+143h]

Offset +0x143 of _KTHREAD is:
+0x143 ResourceIndex : UChar

In other words, the last statement of the C code above caused the blue screen (the CurrentThread pointer is invalid).

What is odd is that CurrentThread is a local variable. Could you have run into a malicious inline call hook that corrupted local variables/registers/the stack? Hmm... it seems the truth will only come out once the kernel dump is available...
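The following script is an added example, not code from this thread or from Microsoft. It mechanizes the first pass made in the post above over the `!analyze -v` output from the first post: it decodes the four 0xA arguments, recovers the base register's value as Arg1 minus the displacement of the faulting instruction's memory operand, and extracts every byte that `!chkimg -db` starred, cross-checking against the error count the extension reported. The sample input is constructed by copying the relevant transcript lines from the first post; the `_KTHREAD` offset table contains only the +0x143 ResourceIndex entry quoted above (nothing else is assumed about that build), and the operand pattern is an assumption that covers only the simple `[reg]`, `[reg+disp]` and `[reg-disp]` forms.

```python
"""First-pass triage of a WinDbg `!analyze -v` transcript for bugcheck 0xA:
decode the arguments, recover the faulting instruction's base register value
from Arg1, and list the bytes `!chkimg -db` flagged as changed in memory."""
import re

# Constructed sample: lines copied from the transcript in the first post (x86).
SAMPLE = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 00000144, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
Arg4: 80536813, address which referenced memory
FAULTING_IP:
nt!ExReleaseResourceLite+a3
80536813 0fb68f43010000 movzx ecx,byte ptr [edi+143h]
CHKIMG_EXTENSION: !chkimg -lo 50 -db !nt
3 errors : !nt (8053676f-8053677f)
80536760 15 14 91 4d 80 5e c9 c2 04 00 cc cc cc cc cc *84 ...M.^..........
80536770 8b ff 55 8b ec 83 ec 0c 53 56 57 8b f1 64 *a9 *cc ..U.....SVW..d..
"""

# _KTHREAD offsets: only the entry quoted in the reply above (dt on that build).
KTHREAD_FIELDS = {0x143: "ResourceIndex"}

BUGCHECK_RE = re.compile(r"^(\w+) \(([0-9a-f]+)\)\s*$", re.M)
ARG_RE = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]{8})", re.M)
# [base], [base+disp] or [base-disp]; MASM-style hex with optional 'h' suffix.
OPERAND_RE = re.compile(r"\[([a-z][a-z0-9]{1,2})(?:\s*([+-])\s*([0-9A-Fa-f]+)h?)?\]")
BYTE_RE = re.compile(r"^(\*?)([0-9a-f]{2})$")
CHKIMG_HDR_RE = re.compile(r"^(\d+) errors? : \S+ \(")


def parse_bugcheck(text):
    """Return bugcheck name/code, Arg1..Arg4 and the FAULTING_IP details."""
    m = BUGCHECK_RE.search(text)
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    if not m or sorted(args) != [1, 2, 3, 4]:
        raise ValueError("bugcheck header or Arg1..Arg4 missing")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    ip_idx = lines.index("FAULTING_IP:")        # symbol line, then disasm line
    addr, opcode, mnemonic = lines[ip_idx + 2].split(" ", 2)
    return {"name": m.group(1), "code": int(m.group(2), 16),
            "args": [args[i] for i in (1, 2, 3, 4)], "symbol": lines[ip_idx + 1],
            "ip": int(addr, 16), "opcode": opcode, "instruction": mnemonic}


def decode_access(arg3):
    """Decode the 0xA Arg3 bitfield: bit 0 = write, bit 3 = execute."""
    return {"write": bool(arg3 & 1), "execute": bool(arg3 & 8)}


def memory_operand(instruction):
    """(base_register, signed_displacement) for a [reg+disp] operand, else None."""
    m = OPERAND_RE.search(instruction)
    if not m:
        return None
    base, sign, disp = m.groups()
    value = int(disp, 16) if disp else 0
    return base, -value if sign == "-" else value


def recover_base(arg1, instruction):
    """Arg1 is the address touched, so the base register held Arg1 - disp.
    Returns (register, 32-bit value) or None for unsupported operands."""
    op = memory_operand(instruction)
    return None if op is None else (op[0], (arg1 - op[1]) & 0xFFFFFFFF)


def chkimg_mismatches(text):
    """Parse `!chkimg -db` output into (reported error count, [(address, byte)])
    for every byte marked '*'; this format shows only the in-memory byte."""
    reported, found = None, []
    for line in text.splitlines():
        hdr = CHKIMG_HDR_RE.match(line)
        if hdr:
            reported = int(hdr.group(1))
            continue
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-f]{8}", tokens[0]):
            continue
        base = int(tokens[0], 16)
        for offset, tok in enumerate(tokens[1:17]):   # at most 16 bytes per line
            b = BYTE_RE.match(tok)
            if not b:
                break                                 # reached the ASCII column
            if b.group(1):
                found.append((base + offset, int(b.group(2), 16)))
    return reported, found


if __name__ == "__main__":
    bc = parse_bugcheck(SAMPLE)
    reg, value = recover_base(bc["args"][0], bc["instruction"])
    field = KTHREAD_FIELDS.get(memory_operand(bc["instruction"])[1], "?")
    print(f'{bc["symbol"]}: {bc["instruction"]} -> _KTHREAD.{field}, '
          f"{decode_access(bc['args'][2])}, {reg} held {value:#x}")
    print("chkimg (reported, flagged):", chkimg_mismatches(SAMPLE))
```

Run against the sample, it reports a read at IRQL 2 with `edi` holding 0x1 (0x144 - 0x143) at the fault, and three starred bytes at 8053676f, 8053677e and 8053677f, matching the count `!chkimg` itself reported. Because the faulting IP is nt!ExReleaseResourceLite+0xa3, the function starts at 80536770 on the crashed machine, so the last two flagged bytes sit at +0xe and +0xf, the second and third bytes of the `64 a1 24 01 00 00` (`mov eax,dword ptr fs:[00000124h]`) sequence that the disassembly above places at +0xd (its load address, 80535764, differs, but the first fourteen bytes of the dump line match that prologue byte for byte). Lining the flagged bytes up against the instruction that loads the current _KTHREAD is a cheap check to make before chasing the register value any further.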
2009-01-16, 14:02   Raymond (格蠹老雷)

Re: Can a preliminary diagnosis be made from this error? Thanks
Wang Yu's analysis is thorough. It may be that the value returned by the call to PsGetCurrentThread was itself NULL. It looks like the current thread was servicing an LPC request and needed to do some work under the LPC client's identity, but something went wrong while preparing to impersonate the client thread.
I suggest the original poster run the following commands and post the results:
r
dd fs:[0] l100

!handle 00000a50    (displays the LPC handle, which gives the LPC port)
!lpc port
(C)2004-2020 ADVDBG.ORG All Rights Reserved.