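I'm developing a file filter driver. It mainly just attaches to the volume devices and then filters the information. At startup it calls IoRegisterFsRegistrationChange to register a callback. Right now the program is only a demo, and it blue-screens when it runs. Could the debugging experts here please help me out?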
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f000ff67, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf931019, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------
READ_ADDRESS: f000ff67
FAULTING_IP:
win32k!_WOWCleanup+95
bf931019 0fb74814 movzx ecx,word ptr [eax+14h]
MM_INTERNAL_CODE: 0
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a
MODULE_NAME: win32k
FAULTING_MODULE: bf800000 win32k
DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
TRAP_FRAME: f7a86830 -- (.trap 0xfffffffff7a86830)
ErrCode = 00000000
eax=f000ff53 ebx=00000002 ecx=00000000 edx=00000000 esi=00000084 edi=00000088
eip=bf931019 esp=f7a868a4 ebp=f7a86900 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
win32k!_WOWCleanup+0x95:
bf931019 0fb74814 movzx ecx,word ptr [eax+14h] ds:0023:f000ff67=????
Resetting default scope
LAST_CONTROL_TRANSFER: from 805338e7 to 804e4b25
STACK_TEXT:
f7a86380 805338e7 00000003 f000ff67 00000000 nt!RtlpBreakWithStatusInstruction
f7a863cc 805343be 00000003 806ee03c c03c003c nt!KiBugCheckDebugBreak+0x19
f7a867ac 805349ae 00000050 f000ff67 00000000 nt!KeBugCheck2+0x574
f7a867cc 805256fb 00000050 f000ff67 00000000 nt!KeBugCheckEx+0x1b
f7a86818 804e2ff1 00000000 f000ff67 00000000 nt!MmAccessFault+0x6f5
f7a86818 bf931019 00000000 f000ff67 00000000 nt!KiTrap0E+0xcc
f7a86900 bf814008 bc600940 00000082 00000000 win32k!_WOWCleanup+0x95
f7a86940 bf80f470 bc600940 00000082 00000000 win32k!xxxSendMessageTimeout+0x18a
f7a86964 bf8fbb67 bc600940 00000082 00000000 win32k!xxxSendMessage+0x1b
f7a869b0 bf8fc169 bc600940 f7a869cc e1695430 win32k!xxxFreeWindow+0xbe
f7a869d8 bf8fbb58 bc600818 e1695430 bc600818 win32k!xxxFW_DestroyAllChildren+0x6b
f7a86a18 bf8fb5de bc600818 f7a86a58 00000000 win32k!xxxFreeWindow+0xaf
f7a86a68 bf8aabf1 00000000 00000022 0079fff4 win32k!xxxDestroyWindow+0x42d
f7a86d30 bf8c8602 bf9a8980 00000001 f7a86d54 win32k!xxxDesktopThread+0x71a
f7a86d40 bf800ff4 bf9a8980 f7a86d64 0079fff4 win32k!xxxCreateSystemThreads+0x6a
f7a86d54 804e006b 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23
f7a86d54 7c92ebab 00000000 00000022 00000000 nt!KiFastCallEntry+0xf8
0079ffe0 764e53d6 764eb10b 00000000 00000022 ntdll!KiIntSystemCall+0x6
00000000 f000ff53 f000ff53 f000ff53 f000ff53 winsrv!NtUserCallOneParam+0xc
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 f000ff53 f000ff53 f000ff53 0xf000ff53
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!_WOWCleanup+95
bf931019 0fb74814 movzx ecx,word ptr [eax+14h]
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: win32k!_WOWCleanup+95
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: 0x50_win32k!_WOWCleanup+95
BUCKET_ID: 0x50_win32k!_WOWCleanup+95
Followup: MachineOwner
---------
It doesn't seem like my program uses anything related to win32k.sys... I don't understand.