Re: What IRQL does CURRENT_IRQL: ff refer to?
Windows Kernel Debugging
What IRQL does CURRENT_IRQL: ff refer to?
superchao
2010-09-04, 15:23
!analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: e11e7000, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8054d1cb, address which referenced memory
Debugging Details:
------------------
BUGCHECK_STR: 0xC5_FF
CURRENT_IRQL: ff
FAULTING_IP:
nt!ExAllocatePoolWithTag+863
8054d1cb 8906 mov dword ptr [esi],eax
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
TRAP_FRAME: f8af15c4 -- (.trap 0xfffffffff8af15c4)
ErrCode = 00000002
eax=0c810600 ebx=825ef078 ecx=00000000 edx=825f2080 esi=e11e7000 edi=000001ff
eip=8054d1cb esp=f8af1638 ebp=f8af168c iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010046
nt!ExAllocatePoolWithTag+0x863:
8054d1cb 8906 mov dword ptr [esi],eax ds:0023:e11e7000=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 8054d1cb to 805456e0
STACK_TEXT:
f8af15c4 8054d1cb badb0d00 825f2080 f8af1624 nt!KiTrap0E+0x238
f8af168c 805e6642 00000001 00000000 63416553 nt!ExAllocatePoolWithTag+0x863
f8af16b4 805e6b4f 00000000 00000000 00000000 nt!RtlpInheritAcl+0x28
f8af1790 805f1e39 00000000 e20c1718 f8af17e8 nt!RtlpNewSecurityObject+0x485
f8af17bc 805c0f55 00000000 00000000 f8af17e8 nt!SeAssignSecurity+0x4f
f8af17ec 805c4397 f8af1900 00000000 8242ca00 nt!ObAssignSecurity+0x35
f8af18d4 805d169a 8242ca00 f8af1900 00000000 nt!ObInsertObject+0x401
f8af1a24 805d212d f8af1a88 00000000 00000000 nt!PspCreateThread+0x5d0
f8af1a58 f89c6657 f8af1a88 00000000 00000000 nt!PsCreateSystemThread+0x33
f8af1ab0 805d10b0 f8af1cf8 00000000 f8af1b4c Hook!LoadImage+0x127 [d:\waigua\anti-restart\driver1.cpp @ 541]
f8af1ad0 805afd27 f8af1cf8 00000000 f8af1b4c nt!PsCallImageNotifyRoutines+0x36
f8af1c74 8058207b f8af1cf8 00000000 00000000 nt!MmLoadSystemImage+0x9e5
f8af1d54 80582487 80000470 00000001 00000000 nt!IopLoadDriver+0x371
f8af1d7c 8053976d 80000470 00000000 825b58b8 nt!IopLoadUnloadDriver+0x45
f8af1dac 805d0f64 b25a4cf4 00000000 00000000 nt!ExpWorkerThread+0xef
f8af1ddc 805470de 8053967e 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
Hook!LoadImage+127 [d:\waigua\anti-restart\driver1.cpp @ 541]
f89c6657 8945f4 mov dword ptr [ebp-0Ch],eax
FAULTING_SOURCE_CODE:
537:
538: WPOFF();
539: antirestart(ImageInfo->ImageBase);
540:
> 541: rc = PsCreateSystemThread(&hThread,0,0,0,0,ReHook,0);
542:
543: if(NT_SUCCESS(rc))
544: {
545: ZwClose(hThread);
546: }
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: Hook!LoadImage+127
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Hook
IMAGE_NAME: Hook.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4c80ab93
FAILURE_BUCKET_ID: 0xC5_FF_Hook!LoadImage+127
BUCKET_ID: 0xC5_FF_Hook!LoadImage+127
Followup: MachineOwner
---------
The crash above happened at the PsCreateSystemThread call. I don't know whether it is an IRQL problem.
Re: What IRQL does CURRENT_IRQL: ff refer to?
王宇
2010-09-06, 13:38
Basics. As the bugcheck text suggests, run Driver Verifier against your Hook.sys; Verifier will pinpoint this kind of problem for you easily.
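The following is an added example, not part of either post, showing how the reply's advice is carried out with the built-in verifier.exe tool against the driver named in the dump (Hook.sys). It assumes an elevated prompt on the test machine that produced the dump; the flag values are the documented Driver Verifier option bits.

```powershell
# Added example (not from the original thread): turn Driver Verifier on for the
# suspect driver from the 0xC5 dump. Must run elevated; a reboot is required.

# Standard option set (special pool, forced IRQL checking, pool tracking,
# I/O verification, deadlock detection, ...), limited to Hook.sys.
verifier /standard /driver Hook.sys

# Or choose the checks explicitly. 0x1 = special pool, 0x2 = force IRQL checking,
# 0x8 = pool tracking. Special pool places each allocation on its own page with
# guard pages, so an overrun or a write through a stale pointer faults at the
# offending instruction instead of corrupting the pool and surfacing later
# inside ExAllocatePoolWithTag, which is what the 0xC5 above shows.
# verifier /flags 0x0000000B /driver Hook.sys

# Settings take effect after a reboot.
Restart-Computer

# After the reboot: confirm Verifier is active for the driver and inspect its
# counters (pool allocations, IRQL raises, etc.).
verifier /query
verifier /querysettings

# When finished, remove all verification settings (reboot again afterwards).
# verifier /reset
```

With special pool enabled, the next crash will usually be a DRIVER_VERIFIER_DETECTED_VIOLATION (0xC4) or a fault attributed directly to Hook.sys rather than to nt!ExAllocatePoolWithTag, which is what makes the culprit easy to locate. In the dump itself, `.trap f8af15c4` followed by `kv`, `!irql`, and `!pool e11e7000` are the commands a practitioner would run to see the faulting frame, the IRQL the kernel recorded, and the state of the pool page being written.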