Re: Help: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS error
Windows Kernel Debugging
Help: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS error
maxsjm
2011-05-10, 22:07
I wrote a simple driver. Loading, running and unloading all work. But after it has been unloaded, as soon as I click on a file the machine blue-screens. WinDbg shows: A driver unloaded without cancelling timers, DPCs, worker threads, etc.
But my driver does not use any of those.
Could someone take a look? Many thanks.
The output is as follows:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: fa05d410, memory referenced
Arg2: 00000008, value 0 = read operation, 1 = write operation
Arg3: fa05d410, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, Mm internal code.
Debugging Details:
------------------
WRITE_ADDRESS: fa05d410
FAULTING_IP:
processguard+410
fa05d410 ?? ???
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xCE
PROCESS_NAME: explorer.exe
TRAP_FRAME: f94bab08 -- (.trap 0xfffffffff94bab08)
ErrCode = 00000010
eax=fa05d410 ebx=814cb310 ecx=8055b2e0 edx=e15a3466 esi=817298c0 edi=e15a3460
eip=fa05d410 esp=f94bab7c ebp=f94bacc4 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
+0x410:
fa05d410 ?? ???
Resetting default scope
IP_MODULE_UNLOADED:
processguard+410
fa05d410 ?? ???
LAST_CONTROL_TRANSFER: from 804f8b9d to 80528bdc
STACK_TEXT:
f94ba644 804f8b9d 00000003 fa05d410 00000000 nt!RtlpBreakWithStatusInstruction
f94ba690 804f978a 00000003 00000000 c07d02e8 nt!KiBugCheckDebugBreak+0x19
f94baa70 804f9cb5 00000050 fa05d410 00000008 nt!KeBugCheck2+0x574
f94baa90 8051dc4f 00000050 fa05d410 00000008 nt!KeBugCheckEx+0x1b
f94baaf0 8054151c 00000008 fa05d410 00000000 nt!MmAccessFault+0x8e7
f94baaf0 fa05d410 00000008 fa05d410 00000000 nt!KiTrap0E+0xcc
WARNING: Frame IP not in any known module. Following frames may be wrong.
f94bab78 805c76ab 00000574 00000478 00000001 +0x410
f94bacc4 805c8304 024bd604 001f03ff 00000000 nt!PspCreateThread+0x3e3
f94bad3c 8053e638 024bd604 001f03ff 00000000 nt!NtCreateThread+0xfc
f94bad3c 7c92e4f4 024bd604 001f03ff 00000000 nt!KiFastCallEntry+0xf8
024bdc80 7c802362 00000000 0017e4dc 0017c244 ntdll!KiFastSystemCallRet
024bdcb8 7d5d37fc 0017e4dc 0017c244 00000000 kernel32!CreateProcessW+0x2c
024be73c 7d5d3666 000200f4 00000000 0017e8ec SHELL32!Ordinal159+0x4dd
024be790 7d5d359d 0017aff0 024be7b0 7d5d309c SHELL32!Ordinal159+0x347
024be79c 7d5d309c 00000000 000cf6e8 0017aff0 SHELL32!Ordinal159+0x27e
024be7b0 7d5d2fce 000cf6e8 000cf6e8 024be7f0 SHELL32!ShellExecuteExW+0x199
024be7c4 7d5d2f6a 024be7f0 000db450 000cf6e8 SHELL32!ShellExecuteExW+0xcb
024be7e0 7d5df71b 024be7f0 00000000 0000003c SHELL32!ShellExecuteExW+0x67
024be82c 7d5df670 024bea88 40000000 024be85c SHELL32!PathProcessCommand+0x1290
024bea68 7d5df5a7 024bea88 00000000 000cf6e8 SHELL32!PathProcessCommand+0x11e5
024beaf4 7d5df4f3 000db454 024beb10 0016fc40 SHELL32!PathProcessCommand+0x111c
024beb54 7d5df445 000d1a20 024beb74 00000001 SHELL32!PathProcessCommand+0x1068
024bede4 7d675d63 0016fc40 024bf130 00000000 SHELL32!PathProcessCommand+0xfba
024bf114 7d67aafc 0016fc40 024bf130 00000000 SHELL32!DAD_AutoScroll+0x89d
024bf280 7d67abdf 0016fc40 00000000 00000000 SHELL32!DAD_AutoScroll+0x5636
024bf2ac 7d6195e1 00000000 00000000 04000000 SHELL32!DAD_AutoScroll+0x5719
024bf52c 7d5c461b 024bf8a4 00145fa8 00145fa8 SHELL32!SHCreateQueryCancelAutoPlayMoniker+0x766b
024bf544 7d5c448b 024bf8a4 00000000 00145fa8 SHELL32!Shell_GetCachedImageIndex+0x63b
024bf6b8 7d5c44ff 00010168 0000004e 00000001 SHELL32!Shell_GetCachedImageIndex+0x4ab
024bf6fc 77d18734 00010168 0000004e 00000001 SHELL32!Shell_GetCachedImageIndex+0x51f
024bf728 77d18816 7d5c44a9 00010168 0000004e USER32!GetDC+0x6d
024bf790 77d2927b 0009d4e0 7d5c44a9 00010168 USER32!GetDC+0x14f
024bf7cc 77d292e3 005b3418 0059a658 00000001 USER32!GetParent+0x16c
024bf7ec 7719b001 00010168 0000004e 00000001 USER32!SendMessageW+0x49
024bf884 771d0711 00145340 ffffff8e 024bf8a4 comctl32!Ordinal414+0xfb4
024bf900 771d0ab6 0001016a 00000001 0000017e comctl32!Ordinal384+0x34861
024bf920 771d14e9 00145340 00000001 0000017e comctl32!Ordinal384+0x34c06
024bfa90 77d18734 0001016a 00000203 00000001 comctl32!Ordinal384+0x35639
024bfabc 77d18816 771d0c92 0001016a 00000203 USER32!GetDC+0x6d
024bfb24 77d2a013 0009d4e0 771d0c92 0001016a USER32!GetDC+0x14f
024bfb54 77d2a039 771d0c92 0001016a 00000203 USER32!IsWindowUnicode+0xa1
024bfb74 6c556093 771d0c92 0001016a 00000203 USER32!CallWindowProcW+0x1b
024bfba4 77d18734 00000000 00000203 00000001 DUSER!LookupGadgetTicket+0x5065
024bfbd0 77d18816 029e0fe0 0001016a 00000203 USER32!GetDC+0x6d
024bfc38 77d189cd 0009d4e0 029e0fe0 0001016a USER32!GetDC+0x14f
024bfc98 77d18a10 024bfcd8 00000000 024bfcc0 USER32!GetWindowLongW+0x127
024bfca8 75f0d875 024bfcd8 00000000 000deba0 USER32!DispatchMessageW+0xf
024bfcc0 75f15218 024bfcd8 00000000 00000000 BROWSEUI!DllCanUnloadNow+0x1358c
024bff20 75f15389 00137c80 00000000 00000000 BROWSEUI!Ordinal138+0x7958
024bffb4 7c80b713 00137c80 00000000 00000000 BROWSEUI!Ordinal138+0x7ac9
024bffec 00000000 75f15339 00137c80 00000000 kernel32!GetModuleFileNameA+0x1b4
STACK_COMMAND: kb
FOLLOWUP_IP:
processguard+410
fa05d410 ?? ???
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: processguard+410
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: processguard
IMAGE_NAME: processguard.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: 0xCE_processguard+410
BUCKET_ID: 0xCE_processguard+410
Followup: MachineOwner
---------
Re: Help: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS error
王宇
2011-05-11, 10:57
A common problem.
Looking at the call stack, my guess is that processguard.sys did not remove its CreateThreadNotifyRoutine when it unloaded.
So when nt!PspCreateThread+0x3e3 went to call that address, it BSODed. The corresponding code is:
    for (i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++) {
        CallBack = ExReferenceCallBackBlock (&PspCreateThreadNotifyRoutine[i]);
        if (CallBack != NULL) {
            Rtn = (PCREATE_THREAD_NOTIFY_ROUTINE) ExGetCallBackBlockRoutine (CallBack);
            .........
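To make the mechanism in the reply above concrete, here is an added user-mode C model of it. It is not code from this thread, from the Windows kernel or from processguard.sys: it models the kernel's fixed-size CreateThreadNotify table, the register/remove calls, and the loop in PspCreateThread that walks the table on every thread creation. The table size of 8 (PSP_MAX_CREATE_THREAD_NOTIFY), the slot-allocation logic and the names with an `_m` suffix are assumptions for the model; an "unload" is represented by an `unmapped` flag on the module so that a call into the gone image is counted instead of faulting. On a real system the fix is exactly what `DriverUnload_fixed` mirrors: call PsRemoveCreateThreadNotifyRoutine with the same routine pointer you registered, inside DriverUnload, before returning.

```c
/* User-mode model of the kernel's CreateThreadNotify callback table and of a
 * driver that forgets PsRemoveCreateThreadNotifyRoutine in DriverUnload.
 * Added example; not code from the thread, the kernel or processguard.sys.
 * Assumptions: table size 8 (PSP_MAX_CREATE_THREAD_NOTIFY), first-free-slot
 * registration, and "unload" modelled as an unmapped flag so a dangling call
 * is reported instead of crashing the process. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PSP_MAX_CREATE_THREAD_NOTIFY 8

typedef struct Module {
    const char *name;
    bool mapped;            /* false after "unload": its code is gone */
} Module;

typedef void (*CreateThreadNotify)(void *owner, unsigned tid, bool create);

/* One slot of the kernel table: the routine plus the image it lives in. */
typedef struct CallbackBlock {
    CreateThreadNotify routine;
    Module *owner;
} CallbackBlock;

static CallbackBlock PspCreateThreadNotifyRoutine[PSP_MAX_CREATE_THREAD_NOTIFY];

/* Model of PsSetCreateThreadNotifyRoutine: take the first free slot. */
static int PsSetCreateThreadNotifyRoutine_m(Module *owner, CreateThreadNotify fn) {
    for (int i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++) {
        if (PspCreateThreadNotifyRoutine[i].routine == NULL) {
            PspCreateThreadNotifyRoutine[i].routine = fn;
            PspCreateThreadNotifyRoutine[i].owner = owner;
            return 0;
        }
    }
    return -1;  /* the real API fails with STATUS_INSUFFICIENT_RESOURCES */
}

/* Model of PsRemoveCreateThreadNotifyRoutine: clear the matching slot. */
static int PsRemoveCreateThreadNotifyRoutine_m(CreateThreadNotify fn) {
    for (int i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++) {
        if (PspCreateThreadNotifyRoutine[i].routine == fn) {
            PspCreateThreadNotifyRoutine[i].routine = NULL;
            PspCreateThreadNotifyRoutine[i].owner = NULL;
            return 0;
        }
    }
    return -1;  /* nothing registered under that pointer */
}

/* Model of the loop in PspCreateThread: call every registered routine.
 * Returns how many calls landed in an unmapped image; each of those is the
 * 0xCE bugcheck on a real system. */
static int PspCreateThread_m(unsigned tid) {
    int dangling = 0;
    for (int i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++) {
        CallbackBlock *cb = &PspCreateThreadNotifyRoutine[i];
        if (cb->routine == NULL) continue;
        if (!cb->owner->mapped) { dangling++; continue; }
        cb->routine(cb->owner, tid, true);
    }
    return dangling;
}

/* The driver side of the model. */
static int g_notifications;
static void ProcessGuardThreadNotify(void *owner, unsigned tid, bool create) {
    (void)owner; (void)tid; (void)create;
    g_notifications++;
}

static void DriverEntry_m(Module *self) {
    PsSetCreateThreadNotifyRoutine_m(self, ProcessGuardThreadNotify);
}

/* Buggy unload: returns with the callback still in the kernel table. */
static void DriverUnload_buggy(Module *self) { self->mapped = false; }

/* Correct unload: remove what DriverEntry registered, then let the image go. */
static void DriverUnload_fixed(Module *self) {
    PsRemoveCreateThreadNotifyRoutine_m(ProcessGuardThreadNotify);
    self->mapped = false;
}

/* Load, unload with the given routine, then create a thread as explorer.exe did. */
static int run_scenario(void (*unload)(Module *)) {
    Module drv = { "processguard.sys", true };
    for (int i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++)
        PspCreateThreadNotifyRoutine[i] = (CallbackBlock){ NULL, NULL };
    DriverEntry_m(&drv);
    PspCreateThread_m(1);        /* fine while the driver is loaded */
    unload(&drv);
    return PspCreateThread_m(2); /* dangling calls after unload */
}

int main(void) {
    printf("buggy unload: %d dangling callback(s)\n", run_scenario(DriverUnload_buggy));
    printf("fixed unload: %d dangling callback(s)\n", run_scenario(DriverUnload_fixed));
    return 0;
}
```

The same rule applies to every other registration a driver makes (PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine, CmRegisterCallback, timers and DPCs): the kernel keeps a raw pointer into your image, and the unload path has to take every one of them back out.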
Re: Help: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS error
maxsjm
2011-05-11, 14:52
Thanks.
My own carelessness.
From MSDN: A driver must remove any callbacks that it registers before it unloads.
I did not do that in my Unload routine.
Re: Help: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS error
wrong
2011-05-12, 11:05
I ran into a similar blue screen before; good to learn from this.