Re: 跟360保险箱冲突,系统函数ObQueryNameString 获取注册表项全路径出现的问题,请问能看出具体什么原因

Windows内核调试

跟360保险箱冲突,系统函数ObQueryNameString 获取注册表项全路径出现的问题,请问能看出具体什么原因

lxy_xian 2009-06-29, 16:32 下午

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffe48ae8, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80634a79, If non-zero, the instruction address which referenced the bad memory
 address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  ffe48ae8

FAULTING_IP:
nt!CmpConstructName+19
80634a79 803900          cmp     byte ptr [ecx],0

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  sesssvr.exe

LAST_CONTROL_TRANSFER:  from 80636e66 to 80634a79

STACK_TEXT: 
9b983b64 80636e66 0041004d e33a89d8 e4292008 nt!CmpConstructName+0x19
9b983ba0 805c5ab1 e33a89f0 8a620100 e4292008 nt!CmpQueryKeyName+0x2a
9b983c70 99d38342 e33a89f0 e4292008 00000400 nt!ObQueryNameString+0xcd
9b983cc8 99d3950a 00000194 01c6a1b0 87c38008 HostRegmon!CanCreateKey+0x132 [d:\edpregmon\sys\regsys.c @ 868]
9b983cec a16e6608 01c6ac64 000f003f 01c69f7c HostRegmon!AddOperateFilter+0x18a [d:\edpregmon\sys\regsys.c @ 1510]
WARNING: Stack unwind information not available. Following frames may be wrong.
9b983d40 8054262c 01c6ac64 000f003f 01c69f7c SafeBoxKrnl+0xb608
9b983d40 7c92e514 01c6ac64 000f003f 01c69f7c nt!KiFastCallEntry+0xfc
01c6a160 00000000 00000000 00000000 00000000 0x7c92e514

Re: 跟360保险箱冲突,系统函数ObQueryNameString 获取注册表项全路径出现的问题,请问能看出具体什么原因

王宇 2009-06-29, 17:42 下午

和这里 (http://advdbg.org/forums/2418/ShowPost.aspx) 类似,建议楼主检查自己的代码。

9b983b64 80636e66 0041004d e33a89d8 e4292008 nt!CmpConstructName+0x19

Re: 跟360保险箱冲突,系统函数ObQueryNameString 获取注册表项全路径出现的问题,请问能看出具体什么原因

MJ0011 2009-06-29, 18:54 下午
会不会写程序啊,冲突个毛!

Re: 跟360保险箱冲突,系统函数ObQueryNameString 获取注册表项全路径出现的问题,请问能看出具体什么原因

lxy_xian 2009-06-29, 20:19 下午
ye不大清楚,你是怎么写程序的

Re: 跟360保险箱冲突,系统函数ObQueryNameString 获取注册表项全路径出现的问题,请问能看出具体什么原因

benlong 2009-06-30, 13:24 下午
看看是不是这个原因http://hi.baidu.com/1ian9yu/blog/item/a41cbadd73576adf8c102931.html

Re: 跟360保险箱冲突,系统函数ObQueryNameString 获取注册表项全路径出现的问题,请问能看出具体什么原因

lxy_xian 2009-07-01, 08:37 上午
多谢 benlong了,倒不是上面所说的原因,
现在的寄存器
1: kd> r
eax=bad0b0b0 ebx=00000000 ecx=00000810 edx=206b6444 esi=e1339008 edi=e5573690
eip=8058b5bc esp=a936ac10 ebp=a936acc4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!ObQueryNameString+0x9b:
8058b5bc 8b88a4000000 mov ecx,dword ptr [eax+0A4h] ds:0023:bad0b154=????????


///////////////////////////
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bad0b154, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8058b5bc, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: bad0b154

FAULTING_IP:
nt!ObQueryNameString+9b
8058b5bc 8b88a4000000 mov ecx,dword ptr [eax+0A4h]

MM_INTERNAL_CODE: 2

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: sesssvr.exe

LAST_CONTROL_TRANSFER: from a936c342 to 8058b5bc

STACK_TEXT:
a936acc4 a936c342 e55736a8 e1339008 00000400 nt!ObQueryNameString+0x9b
a936ad1c a936d50a 000001a0 0182ac00 83860510 HostRegmon!GetFullName+0xb2 [d:\edpregmon\sys\regsys.c @ 3643]
a936ad40 804de99f 0182ac64 000f003f 0182a9cc HostRegmon!HookRegCreateKey+0x32 [d:\edpregmon\sys\regsys.c @ 3895]
a936ad40 7c92e514 0182ac64 000f003f 0182a9cc nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0182abb0 00000000 00000000 00000000 00000000 0x7c92e514


STACK_COMMAND: kb

Powered by Community Server Powered by CnForums.Net