Re: MonitoringHost blue screen, can anyone help me figure out the cause?

WinDbg

MonitoringHost blue screen, can anyone help me figure out the cause?


Ares.Lee 2013-01-07, 15:43 PM
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80001252a6f, Address of the instruction which caused the bugcheck
Arg3: fffffadf87564260, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

FAULTING_IP: 
nt!ObpDeleteNameCheck+f1
fffff800`01252a6f f0480fba2900    lock bts qword ptr [rcx],0

CONTEXT:  fffffadf87564260 -- (.cxr 0xfffffadf87564260)
rax=fffffadf9c08c040 rbx=fffffa8003f244f0 rcx=2020655302080531
rdx=0000000000140000 rsi=2020655302080409 rdi=fffffa8003f24580
rip=fffff80001252a6f rsp=fffffadf87564a70 rbp=fffffa8003f24590
 r8=fffffadf9c08c040  r9=0000000000000000 r10=fffffa800041e320
r11=fffffadf9c08c040 r12=fffffadf9ca22860 r13=fffffa8003f245b0
r14=0000000000000000 r15=fffffa8003f245b0
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nt!ObpDeleteNameCheck+0xf1:
fffff800`01252a6f f0480fba2900    lock bts qword ptr [rcx],0 ds:002b:20206553`02080531=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  0

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR:  0x3B

PROCESS_NAME:  MonitoringHost.

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80001287e27 to fffff80001252a6f

STACK_TEXT:  
fffffadf`87564a70 fffff800`01287e27 : fffffa80`02e98900 fffffadf`997bc040 fffffadf`9ca22860 00000000`00000000 : nt!ObpDeleteNameCheck+0xf1
fffffadf`87564af0 fffff800`01287f2e : fffffa80`02e98900 00000000`00004a40 fffffa80`0041e320 00000000`00000000 : nt!ObpDecrementHandleCount+0x17d
fffffadf`87564b50 fffff800`01284af4 : 00000000`00000000 00000000`00004a40 fffffadf`997bc040 fffffadf`9c08c040 : nt!ObpCloseHandleTableEntry+0x242
fffffadf`87564bf0 fffff800`0102e33d : fffffadf`9c08c040 fffffadf`87564cf0 00000000`0030b320 00000000`00000000 : nt!ObpCloseHandle+0xb0
fffffadf`87564c70 00000000`77ef0aea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x3
00000000`0182fe28 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77ef0aea


FOLLOWUP_IP: 
nt!ObpDeleteNameCheck+f1
fffff800`01252a6f f0480fba2900    lock bts qword ptr [rcx],0

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!ObpDeleteNameCheck+f1

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4b7abd06

STACK_COMMAND:  .cxr 0xfffffadf87564260 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_nt!ObpDeleteNameCheck+f1

BUCKET_ID:  X64_0x3B_nt!ObpDeleteNameCheck+f1

Followup: MachineOwner
---------

0: kd> .cxr 0xfffffadf87564260
rax=fffffadf9c08c040 rbx=fffffa8003f244f0 rcx=2020655302080531
rdx=0000000000140000 rsi=2020655302080409 rdi=fffffa8003f24580
rip=fffff80001252a6f rsp=fffffadf87564a70 rbp=fffffa8003f24590
 r8=fffffadf9c08c040  r9=0000000000000000 r10=fffffa800041e320
r11=fffffadf9c08c040 r12=fffffadf9ca22860 r13=fffffa8003f245b0
r14=0000000000000000 r15=fffffa8003f245b0
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nt!ObpDeleteNameCheck+0xf1:
fffff800`01252a6f f0480fba2900    lock bts qword ptr [rcx],0 ds:002b:20206553`02080531=????????????????
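A small triage helper for register dumps like the one above, added here as an example (it is not part of the original post or of WinDbg): it parses the `reg=value` pairs, flags values that are not canonical x64 addresses, and shows which values partly decode as printable text, since a pointer whose bytes read as ASCII usually means the memory it was loaded from was overwritten. The faulting instruction writes to `[rcx]`, and in this dump both `rcx` and `rsi` fail both checks; the sample input is the register block copied from the post, and all function names are my own.

```python
import re

# Constructed sample input: the register dump copied from the WinDbg
# output in the post above (values are the post's own).
SAMPLE = """\
rax=fffffadf9c08c040 rbx=fffffa8003f244f0 rcx=2020655302080531
rdx=0000000000140000 rsi=2020655302080409 rdi=fffffa8003f24580
rip=fffff80001252a6f rsp=fffffadf87564a70 rbp=fffffa8003f24590
 r8=fffffadf9c08c040  r9=0000000000000000 r10=fffffa800041e320
r11=fffffadf9c08c040 r12=fffffadf9ca22860 r13=fffffa8003f245b0
r14=0000000000000000 r15=fffffa8003f245b0
"""

REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")


def parse_registers(text):
    """Map register name -> int for every name=hex pair in a WinDbg dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def is_canonical(addr):
    """x64 canonical form: bits 63..47 must all equal bit 47."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def ascii_view(addr):
    """Render the 8 bytes in memory (little-endian) order, '.' for non-printable."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "."
                   for b in addr.to_bytes(8, "little"))


def printable_fraction(addr):
    """Fraction of the 8 bytes that are printable ASCII."""
    return sum(1 for b in addr.to_bytes(8, "little") if 0x20 <= b < 0x7F) / 8


def triage(text, ascii_threshold=0.5):
    """Return {register: [reasons]} for values that do not look like valid pointers."""
    findings = {}
    for name, val in parse_registers(text).items():
        reasons = []
        if not is_canonical(val):
            reasons.append("non-canonical address")
        if printable_fraction(val) >= ascii_threshold:
            reasons.append("decodes as text: %r" % ascii_view(val))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for reg, why in triage(SAMPLE).items():
        print(reg, "->", "; ".join(why))
```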

Re: MonitoringHost blue screen, can anyone help me figure out the cause?


Ares.Lee 2013-01-08, 13:39 PM
Calling teacher Raymond~

Re: MonitoringHost blue screen, can anyone help me figure out the cause?


格蠹老雷 2013-01-11, 14:03 PM

This dump is very valuable!

First, the system had been running for a very long time:

System Uptime: 260 days 6:13:53.812

Second, at the time of the invalid access there were active breakpoints in the debug registers, but judging from the uptime, this probably wasn't a system that was being debugged.

Third, bxvbda.sys is in the module list:

What Is bxvbda.sys

The bxvbda.sys file is a malicious file related to spyware. You can read the following information to learn more about the bxvbda.sys file and get detailed approach on how to detect and remove the bxvbda.sys file.

...

How did you get this dump? Did you find it in the server's minidump folder? Does this happen often? If you want further analysis, it's best to find memory.dmp under the Windows directory; it's usually fairly large, so you can put it on a cloud drive or send it to my Gmail mailbox...

Re: MonitoringHost blue screen, can anyone help me figure out the cause?


格蠹老雷 2013-01-11, 14:15 PM

bxvbda could also be:

Broadcom NetXtreme II GigE VBD

You'd need to check the system's actual network card, or look at the driver file on disk... The information in a mini-dump is too limited.


Re: MonitoringHost blue screen, can anyone help me figure out the cause?


Ares.Lee 2013-01-17, 17:32 PM
First of all, many thanks to the teacher for the enthusiastic reply!
Yes, the dump was produced by a company server, and this problem still occurs. The operations staff didn't give me the memory dump associated with Mini120812-01------.dmp.
I only have the full one from December 5th, but I didn't see bxvbda.sys in it.

The download link is:
http://pan.baidu.com/share/link?shareid=170412&uk=570818598

Re: MonitoringHost blue screen, can anyone help me figure out the cause?


Ares.Lee 2013-01-17, 17:46 PM
I went onto the server and checked; the file is Broadcom NetXtreme II GigE VBD.
After analysis, it's not a virus~
