Advanced Debugging

Windows Kernel Debugging

Thread started by: bluedragon   Started: 2010-02-04 21:49 PM   Replies: 3

2010-02-04, 21:49 PM
lookaside offline, last visited: 2010/2/4 21:45:37 bluedragon

Top 500 posters
Registered: 2010-02-04
Posts: 1
Blue screen while developing a file filter driver; could an expert analyze where the problem lies?

The dump information is as follows:

BugCheck 7E, {c0000005, 805338b7, faf5ac08, faf5a904}

*** Fatal System Error: 0x0000007e
                       (0xC0000005,0x805338B7,0xFAF5AC08,0xFAF5A904)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Fri Jan 29 14:35:25.671 2010 (GMT+8)), ptr64 FALSE
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlpa.exe -
Loading Kernel Symbols
Probably caused by : ntkrnlpa.exe ( nt!ExAcquireResourceSharedLite+65 )

Followup: MachineOwner
---------

nt!DbgBreakPointWithStatus+0x4:
80528bec cc              int     3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805338b7, The address that the exception occurred at
Arg3: faf5ac08, Exception Record Address
Arg4: faf5a904, Context Record Address

MODULE_NAME: nt

FAULTING_MODULE: 804d8000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  4a7834f7

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
nt!ExAcquireResourceSharedLite+65
805338b7 66395e0c        cmp     word ptr [esi+0Ch],bx

EXCEPTION_RECORD:  faf5ac08 -- (.exr 0xfffffffffaf5ac08)
ExceptionAddress: 805338b7 (nt!ExAcquireResourceSharedLite+0x00000065)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 6e664d52
Attempt to read from address 6e664d52

CONTEXT:  faf5a904 -- (.cxr 0xfffffffffaf5a904)
eax=8130e6e8 ebx=00000000 ecx=ffa8c090 edx=faf5ad40 esi=6e664d46 edi=8130e6e8
eip=805338b7 esp=faf5acd0 ebp=faf5acdc iopl=0         nv up di pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010046
nt!ExAcquireResourceSharedLite+0x65:
805338b7 66395e0c        cmp     word ptr [esi+0Ch],bx    ds:0023:6e664d52=????
Resetting default scope

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

BUGCHECK_STR:  0x7E

LAST_CONTROL_TRANSFER:  from fa84f3ea to 805338b7

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
faf5acdc fa84f3ea 6e664d46 00000001 ffa8c090 nt!ExAcquireResourceSharedLite+0x65
faf5acf0 804e4b1f e1cf8758 00000001 80551190 Fastfat+0x83ea
faf5ad2c 804e71fe 8130a218 8055c140 8130e6e8 nt!CcFlushCache+0x5f3
faf5ad74 80535c12 8130a218 00000000 8130e6e8 nt!CcWaitForCurrentLazyWriterActivity+0x612
faf5adac 805c721e 8130a218 00000000 00000000 nt!ExQueueWorkItem+0x1b2
faf5addc 80542de2 80535b12 00000000 00000000 nt!PsRemoveCreateThreadNotifyRoutine+0x21e
00000000 00000000 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x5a2

FOLLOWUP_IP:
nt!ExAcquireResourceSharedLite+65
805338b7 66395e0c        cmp     word ptr [esi+0Ch],bx

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!ExAcquireResourceSharedLite+65

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  ntkrnlpa.exe

STACK_COMMAND:  .cxr 0xfffffffffaf5a904 ; kb

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner


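2010-02-17, 12:29 PM
Raymond offline, last visited: 2020/7/3 3:40:25 格蠹老雷

Top 10 posters
Registered: 2005-12-19
Posts: 1,303
Re: Blue screen while developing a file filter driver; could an expert analyze where the problem lies?

Judging from the stack backtrace above, the debugger did not find symbols for the Fastfat module; I suggest resolving this symbol problem first...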
2010-02-17, 19:56 PM
WANGyu offline, last visited: 2012/9/10 3:34:00 王宇

Top 10 posters
Male
Registered: 2007-05-08
Posts: 306
Re: Blue screen while developing a file filter driver; could an expert analyze where the problem lies?

BOOLEAN
ExAcquireResourceSharedLite(
IN PERESOURCE Resource,
IN BOOLEAN Wait
);

ExAcquireResourceSharedLite is probably not FastCall, so the two parameters on the stack are:
pResource : 6e664d46
Wait : 00000001

At the time of the blue screen, esi=6e664d46 in cmp word ptr [esi+0Ch], bx, so the resource pointer is the problem.
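2010-02-18, 11:27 AM
Raymond offline, last visited: 2020/7/3 3:40:25 格蠹老雷

Top 10 posters
Registered: 2005-12-19
Posts: 1,303
Re: Blue screen while developing a file filter driver; could an expert analyze where the problem lies?

王宇, still this diligent even during the holiday :-)
Yes, 王宇 is quite right!
The pointer held in ESI clearly does not point to valid kernel space; take a look with the .formats command: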

lkd> .formats 6e664d46
Evaluate expression:
Hex: 6e664d46
Decimal: 1852198214
Octal: 15631446506
Binary: 01101110 01100110 01001101 01000110
Chars: nfMF
Time: Sun Sep 10 19:30:14 2028
Float: low 1.78187e+028 high 0
Double: 9.15108e-315

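Surprisingly, it is a TAG used by the fltmgr module, the four-byte tag that denotes the NAME_CACHE_NODE structure:
FMfn - fltmgr.sys - NAME_CACHE_NODE structure

The problem is probably in the parent function, which passed a wrong argument down... but because symbols are missing at the moment, the parent function's name is not displayed...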
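The manual .formats check from the last reply can be automated. The following is an added example, not code from the thread or from any debugger: it scans a register line from a CONTEXT record for values that lie below kernel space and read as a four-character pool tag in memory order. The function names, the `KERNEL_BASE` value (the default 2 GB split on 32-bit x86) and the one-entry tag table are assumptions made for illustration.

```python
import re

# Assumption: default 2 GB/2 GB user/kernel split on 32-bit x86 (no /3GB).
KERNEL_BASE = 0x80000000

# Constructed sample: the first register line of the CONTEXT record in the thread.
CONTEXT_LINE = ("eax=8130e6e8 ebx=00000000 ecx=ffa8c090 edx=faf5ad40 "
                "esi=6e664d46 edi=8130e6e8")

# Single entry copied from the thread; extend it from a pool tag list as needed.
KNOWN_TAGS = {"FMfn": "fltmgr.sys - NAME_CACHE_NODE structure"}


def as_pool_tag(value):
    """Return the 4-char tag if all bytes are printable non-space ASCII, else None."""
    raw = value.to_bytes(4, "little")  # byte order as stored in memory on x86
    if all(0x20 < b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage_registers(line):
    """Flag registers whose value is below kernel space and reads as a pool tag."""
    findings = []
    for reg, hexval in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", line):
        value = int(hexval, 16)
        if value == 0 or value >= KERNEL_BASE:
            continue  # NULL or a plausible kernel address: not tag-like
        tag = as_pool_tag(value)
        if tag:
            findings.append((reg, hexval, tag, KNOWN_TAGS.get(tag, "unknown tag")))
    return findings


if __name__ == "__main__":
    for reg, hexval, tag, desc in triage_registers(CONTEXT_LINE):
        print(f"{reg}={hexval} reads as pool tag '{tag}' ({desc})")
```

.formats prints the characters most-significant byte first ("nfMF"); the helper reverses them into memory order, which is how the tag is listed ("FMfn").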