The crash stack trace is as follows:
0:009> kbn
 # ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 039ef990 764bc4e7 002d0d58 00000090 00000000 <Unloaded_NetVideo.ocx>+0xe468b
01 039ef9bc 764bc5e7 08ba468b 002d0d58 00000090 user32!InternalCallWinProc+0x23
02 039efa34 764b4f0e 0052e9cc 08ba468b 002d0d58 user32!UserCallWinProcCheckWow+0x14b
03 039efa90 764b4f7d 007a2090 00000090 00000000 user32!DispatchClientMessage+0xda
04 039efab8 77b16fee 039efad0 00000018 039efb58 user32!__fnDWORD+0x24
05 039efae4 764ab300 6d9fd0c0 002d0aee 00000000 ntdll!KiUserCallbackDispatcher+0x2e
06 039efae8 6d9fd0c0 002d0aee 00000000 00000001 user32!NtUserDestroyWindow+0xc
07 039efb1c 7615ed6c 00000000 039efb68 77b337f5 ieframe!Ordinal160+0x4a49
08 039efb28 77b337f5 004941c0 74feb9e3 00000000 kernel32!BaseThreadInitThunk+0x12
09 039efb68 77b337c8 7194313c 004941c0 ffffffff ntdll!__RtlUserThreadStart+0x70
0a 039efb80 00000000 7194313c 004941c0 00000000 ntdll!_RtlUserThreadStart+0x1b
Looking it up in IDA, the code at <Unloaded_NetVideo.ocx>+0xe468b is AfxWndProc(HWND__ *,uint,uint,long).
At first I thought it was caused by a timer or a thread not being shut down, but after comparing the stacks for timer messages and internal messages, I found that those messages all go directly from user32 to the OCX via DispatchMessage; they never produce a stack like the one above, where DispatchClientMessage is called after passing through ntdll. Moreover, there should not be a 0x90 message at all. I'm not very familiar with the low-level Windows message mechanism, so I'd like to ask the more experienced members here to help analyze this.
The callback function is being invoked again after the module has been unloaded; the deregistration and cleanup work was probably not done properly...
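The check that the reply above points at, as an added example that is not code from the original post: before a host unloads a control module, confirm that no live window still has its window procedure inside that module's address range, and destroy such windows first. The Win32 calls a real implementation would use (EnumThreadWindows, GetWindowLongPtr with GWLP_WNDPROC, GetModuleInformation) are replaced here by plain structs so the simulation compiles and runs anywhere; the module base address is a constructed value, and only the 0xe468b offset comes from the post.

```c
/* Added example, not from the post: simulate the check a host should make
 * before unloading a control: does any live window still have a WNDPROC
 * inside the module's address range?  On Windows the real check would use
 * EnumThreadWindows + GetWindowLongPtr(GWLP_WNDPROC) + GetModuleInformation;
 * they are modelled with plain structs so this compiles anywhere. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uintptr_t base; size_t size; int loaded; } Module;  /* code range [base, base+size) */
typedef struct { uintptr_t wndproc; int alive; } Window;             /* alive = 0 after DestroyWindow */

/* Number of live windows whose window procedure lies inside mod.  Any hit
 * means unloading now leaves a dangling callback: the <Unloaded_NetVideo.ocx>
 * frame in the crash stack is exactly that case. */
size_t windows_in_module(const Window *wins, size_t n, const Module *mod)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (wins[i].alive && wins[i].wndproc >= mod->base &&
            wins[i].wndproc < mod->base + mod->size)
            hits++;
    return hits;
}

/* Safe teardown: refuse to "FreeLibrary" while a window still references the module. */
int try_unload(Module *mod, const Window *wins, size_t n)
{
    if (windows_in_module(wins, n, mod) > 0)
        return 0;              /* caller must DestroyWindow first */
    mod->loaded = 0;
    return 1;
}

int main(void)
{
    /* constructed values: the 0xe468b offset mirrors the AfxWndProc frame in
     * the post; the base address is made up */
    Module ocx = { 0x6d900000u, 0x100000u, 1 };
    Window wins[2] = { { 0x6d900000u + 0xe468b, 1 }, { 0x00401000u, 1 } };
    printf("unload with live control window: %d\n", try_unload(&ocx, wins, 2)); /* 0 */
    wins[0].alive = 0;                                        /* DestroyWindow */
    printf("unload after DestroyWindow:      %d\n", try_unload(&ocx, wins, 2)); /* 1 */
    return 0;
}
```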