开发的一个文件过滤驱动程序,主要就是绑定卷设备,然后过滤信息就Ok了。开始的时候调用了IoRegisterFsRegistrationChange注册了个回调。现在程序只是个DEMO,运行的时候就蓝了。烦请各位调试大牛帮帮忙哈~~~~
kd> !analyze -v******************************************************************************** ** Bugcheck Analysis ** ********************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)Invalid system memory was referenced. This cannot be protected by try-except,it must be protected by a Probe. Typically the address is just plain bad or itis pointing at freed memory.Arguments:Arg1: f000ff67, memory referenced.Arg2: 00000000, value 0 = read operation, 1 = write operation.Arg3: bf931019, If non-zero, the instruction address which referenced the bad memory address.Arg4: 00000000, (reserved)
Debugging Details:------------------
READ_ADDRESS: f000ff67
FAULTING_IP: win32k!_WOWCleanup+95bf931019 0fb74814 movzx ecx,word ptr [eax+14h]
MM_INTERNAL_CODE: 0
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a
MODULE_NAME: win32k
FAULTING_MODULE: bf800000 win32k
DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
TRAP_FRAME: f7a86830 -- (.trap 0xfffffffff7a86830)ErrCode = 00000000eax=f000ff53 ebx=00000002 ecx=00000000 edx=00000000 esi=00000084 edi=00000088eip=bf931019 esp=f7a868a4 ebp=f7a86900 iopl=0 nv up ei ng nz na pe nccs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286win32k!_WOWCleanup+0x95:bf931019 0fb74814 movzx ecx,word ptr [eax+14h] ds:0023:f000ff67=????Resetting default scope
LAST_CONTROL_TRANSFER: from 805338e7 to 804e4b25
STACK_TEXT: f7a86380 805338e7 00000003 f000ff67 00000000 nt!RtlpBreakWithStatusInstructionf7a863cc 805343be 00000003 806ee03c c03c003c nt!KiBugCheckDebugBreak+0x19f7a867ac 805349ae 00000050 f000ff67 00000000 nt!KeBugCheck2+0x574f7a867cc 805256fb 00000050 f000ff67 00000000 nt!KeBugCheckEx+0x1bf7a86818 804e2ff1 00000000 f000ff67 00000000 nt!MmAccessFault+0x6f5f7a86818 bf931019 00000000 f000ff67 00000000 nt!KiTrap0E+0xccf7a86900 bf814008 bc600940 00000082 00000000 win32k!_WOWCleanup+0x95f7a86940 bf80f470 bc600940 00000082 00000000 win32k!xxxSendMessageTimeout+0x18af7a86964 bf8fbb67 bc600940 00000082 00000000 win32k!xxxSendMessage+0x1bf7a869b0 bf8fc169 bc600940 f7a869cc e1695430 win32k!xxxFreeWindow+0xbef7a869d8 bf8fbb58 bc600818 e1695430 bc600818 win32k!xxxFW_DestroyAllChildren+0x6bf7a86a18 bf8fb5de bc600818 f7a86a58 00000000 win32k!xxxFreeWindow+0xaff7a86a68 bf8aabf1 00000000 00000022 0079fff4 win32k!xxxDestroyWindow+0x42df7a86d30 bf8c8602 bf9a8980 00000001 f7a86d54 win32k!xxxDesktopThread+0x71af7a86d40 bf800ff4 bf9a8980 f7a86d64 0079fff4 win32k!xxxCreateSystemThreads+0x6af7a86d54 804e006b 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23f7a86d54 7c92ebab 00000000 00000022 00000000 nt!KiFastCallEntry+0xf80079ffe0 764e53d6 764eb10b 00000000 00000022 ntdll!KiIntSystemCall+0x600000000 f000ff53 f000ff53 f000ff53 f000ff53 winsrv!NtUserCallOneParam+0xcWARNING: Frame IP not in any known module. Following frames may be wrong.00000000 00000000 f000ff53 f000ff53 f000ff53 0xf000ff53
STACK_COMMAND: kb
FOLLOWUP_IP: win32k!_WOWCleanup+95bf931019 0fb74814 movzx ecx,word ptr [eax+14h]
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: win32k!_WOWCleanup+95
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: 0x50_win32k!_WOWCleanup+95
BUCKET_ID: 0x50_win32k!_WOWCleanup+95
Followup: MachineOwner---------
似乎我的程序里面也没用啥和win32k.sys相关的原料呀... 不解