Re: Help! Teacher Zhang, bluescreen on driver unload
Windows kernel debugging
Help! Teacher Zhang, bluescreen on driver unload
cqyczj
2014-05-07, 15:46 PM
After the stack overflow from last time was fixed, another problem has appeared: the machine bluescreens on unload. The dump output is below. In my own debugging I also found that this bluescreen does not happen inside the DriverUnload routine, and I could not see where the problem is from the dump file either. Teacher, please give me some pointers.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck CE, {8cf712d0, 8, 8cf712d0, 0}
Probably caused by : SafeSystem.sys ( SafeSystem+1a2d0 )
Followup: MachineOwner
---------
eax=8394017c ebx=00000000 ecx=00000000 edx=00000000 esi=83932d20 edi=00000000
eip=8388e8e3 esp=8e0abc28 ebp=8e0abca8 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MmAccessFault+0x106:
8388e8e3 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: 8cf712d0, memory referenced
Arg2: 00000008, value 0 = read operation, 1 = write operation
Arg3: 8cf712d0, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, Mm internal code.
Debugging Details:
------------------
WRITE_ADDRESS: 8cf712d0
FAULTING_IP:
SafeSystem+1a2d0
8cf712d0 ?? ???
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xCE
PROCESS_NAME: services.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre
TRAP_FRAME: 8e0abcc0 -- (.trap 0xffffffff8e0abcc0)
ErrCode = 00000010
eax=0000014f ebx=0000014f ecx=00000000 edx=016df404 esi=016df404 edi=839719c0
eip=8cf712d0 esp=8e0abd34 ebp=8e0abd34 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
<Unloaded_SafeSystem.sys>+0x1a2d0:
8cf712d0 ?? ???
Resetting default scope
IP_MODULE_UNLOADED:
SafeSystem+1a2d0
8cf712d0 ?? ???
LAST_CONTROL_TRANSFER: from 8384f5f8 to 8388e8e3
STACK_TEXT:
8e0abca8 8384f5f8 00000008 8cf712d0 00000000 nt!MmAccessFault+0x106
8e0abca8 8cf712d0 00000008 8cf712d0 00000000 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
8e0abd30 016df418 773964f4 badb0d00 016df404 <Unloaded_SafeSystem.sys>+0x1a2d0
8e0abd34 773964f4 badb0d00 016df404 00000000 0x16df418
8e0abd38 badb0d00 016df404 00000000 00000000 0x773964f4
8e0abd3c 016df404 00000000 00000000 00000000 0xbadb0d00
8e0abd40 00000000 00000000 00000000 00000000 0x16df404
STACK_COMMAND: kb
FOLLOWUP_IP:
SafeSystem+1a2d0
8cf712d0 ?? ???
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: SafeSystem+1a2d0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SafeSystem
IMAGE_NAME: SafeSystem.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: 0xCE_SafeSystem+1a2d0
BUCKET_ID: 0xCE_SafeSystem+1a2d0
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xce_safesystem+1a2d0
FAILURE_ID_HASH: {e5697f25-4388-c653-f4a0-a211407900dd}
Followup: MachineOwner
---------
kd> k
ChildEBP RetAddr
8e0abca8 8384f5f8 nt!MmAccessFault+0x106
8e0abca8 8cf712d0 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
8e0abd30 016df418 <Unloaded_SafeSystem.sys>+0x1a2d0
8e0abd34 773964f4 0x16df418
8e0abd38 badb0d00 0x773964f4
8e0abd3c 016df404 0xbadb0d00
8e0abd40 00000000 0x16df404
Re: Help! Teacher Zhang, bluescreen on driver unload
格蠹老雷
2014-05-07, 17:54 PM
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
For problems like this, enabling Driver Verifier catches it every time. Google the details, or see Chapter 19 of Software Debugging (《软件调试》).
Re: Help! Teacher Zhang, bluescreen on driver unload
cqyczj
2014-05-08, 10:02 AM
Teacher Zhang, below is the output after running with Driver Verifier enabled. I hope you can give me some more guidance.
Init Kernel Function Info Success
驱动成功被卸载
*** Fatal System Error: 0x000000c4
(0x00000062,0x8CEC7624,0x8CE17D00,0x00000011)
Break instruction exception - code 80000003 (first chance)
Connected to Windows 7 7600 x86 compatible target at (Thu May 8 09:45:31.558 2014 (UTC + 8:00)), ptr64 FALSE
Loading Kernel Symbols
.......................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
........................
................................................................
...........................
Loading User Symbols
.................................
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C4, {62, 8cec7624, 8ce17d00, 11}
Probably caused by : memory_corruption
Followup: memory_corruption
---------
nt!RtlpBreakWithStatusInstruction:
838ad394 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000062, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: 8cec7624, name of the driver having the issue.
Arg3: 8ce17d00, verifier internal structure with driver information.
Arg4: 00000011, total # of (paged+nonpaged) allocations that weren't freed.
Type !verifier 3 drivername.sys for info on the allocations
that were leaked that caused the bugcheck.
Debugging Details:
------------------
BUGCHECK_STR: 0xc4_62
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAULTING_MODULE: a4f02000 SafeSystem
VERIFIER_DRIVER_ENTRY: dt nt!_MI_VERIFIER_DRIVER_ENTRY ffffffff8ce17d00
Symbol nt!_MI_VERIFIER_DRIVER_ENTRY not found.
DEFAULT_BUCKET_ID: CODE_CORRUPTION
PROCESS_NAME: services.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre
LAST_CONTROL_TRANSFER: from 8391ee71 to 838ad394
STACK_TEXT:
8c2e748c 8391ee71 00000003 b7e33378 00000065 nt!RtlpBreakWithStatusInstruction
8c2e74dc 8391f96d 00000003 8ce17d00 00000011 nt!KiBugCheckDebugBreak+0x1c
8c2e78a0 8391ed10 000000c4 00000062 8cec7624 nt!KeBugCheck2+0x68b
8c2e78c0 83b76f03 000000c4 00000062 8cec7624 nt!KeBugCheckEx+0x1e
8c2e78e0 83b7b5eb 8cec7624 8ce17d00 a4f02000 nt!VerifierBugCheckIfAppropriate+0x30
8c2e78f0 8384ee8a 8cec75c8 83981ec8 83981ec8 nt!VfPoolCheckForLeaks+0x33
8c2e792c 839d369f 8cec75c8 a4f02000 40000000 nt!VfTargetDriversRemove+0x66
8c2e7940 839d3338 8398a7e0 8ce97d48 00000000 nt!VfDriverUnloadImage+0x5e
8c2e7978 839d458d 8cec75c8 ffffffff 00000000 nt!MiUnloadSystemImage+0x1c6
8c2e799c 83afd517 8cec75c8 861ff650 8ce2fb70 nt!MmUnloadSystemImage+0x36
8c2e79b4 83a636f4 8ce2fb88 8ce2fb88 8ce2fb70 nt!IopDeleteDriver+0x38
8c2e79cc 838aaf60 00000000 8c2e7ce8 8ce2fb88 nt!ObpRemoveObjectRoutine+0x59
8c2e79e0 838aaed0 8ce2fb88 83afdbe5 b7e33c98 nt!ObfDereferenceObjectWithTag+0x88
8c2e79e8 83afdbe5 b7e33c98 8c2e7b54 8c2e7bd0 nt!ObfDereferenceObject+0xd
8c2e7b3c 83afd836 00000000 8c2e7b54 8388542a nt!IopUnloadDriver+0x3a0
8c2e7b48 8388542a 8c2e7ce8 8c2e7d1c 83884741 nt!NtUnloadDriver+0xf
8c2e7b48 83884741 8c2e7ce8 8c2e7d1c 83884741 nt!KiFastCallEntry+0x12a
8c2e7bc4 83afd935 8c2e7ce8 b7e33ab8 0089f0f4 nt!ZwUnloadDriver+0x11
8c2e7d1c 83afd836 00000000 8c2e7d34 b804342a nt!IopUnloadDriver+0xf0
8c2e7d28 b804342a 0089f0f4 0089f0fc 777364f4 nt!NtUnloadDriver+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
8c2e7d34 777364f3 badb0d00 0089f0e4 00000000 0xb804342a
8c2e7d38 badb0d00 0089f0e4 00000000 00000000 ntdll!KiFastSystemCall+0x3
8c2e7d3c 0089f0e4 00000000 00000000 00000000 0xbadb0d00
8c2e7d40 00000000 00000000 00000000 00000000 0x89f0e4
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
83885300-
[ b9 23 00 00 00:e9 fb df 7b 34 ]
[ 8b ff 55 8b ec:e9 fb df 7b 34 ]
[ 8b ff 55 8b ec:e9 fb df 7b 34 ]
[ 6a 4c 68 b8 ce 89 83:e9 23 2a 47 21 90 90 ]
22 errors : !nt (83885300-83a9185e)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:memory_corruption_large
FAILURE_ID_HASH: {e29154ac-69a4-0eb8-172a-a860f73c0a3c}
Followup: memory_corruption
---------
Re: Help! Teacher Zhang, bluescreen on driver unload
cqyczj
2014-05-08, 10:14 AM
kd> db 0x8CEC7624
8cec7624 53 00 61 00 66 00 65 00-53 00 79 00 73 00 74 00 S.a.f.e.S.y.s.t.
8cec7634 65 00 6d 00 2e 00 73 00-79 00 73 00 00 00 fc 8e e.m...s.y.s.....
8cec7644 00 40 3f 90 11 00 12 04-4d 6d 43 61 e0 bb 40 b3 .@?.....MmCa..@.
8cec7654 e4 bb ec 8c 64 5c 12 8f-00 00 00 00 04 00 00 00 ....d\..........
8cec7664 00 00 00 00 00 00 00 00-80 00 00 00 00 00 00 00 ................
8cec7674 d7 0b f1 8c 00 00 00 00-00 00 00 00 00 00 00 00 ................
8cec7684 00 00 00 00 00 00 00 00-00 00 00 00 01 00 00 00 ................
8cec7694 00 00 00 00 98 76 ec 8c-98 76 ec 8c 50 76 ec 8c .....v...v..Pv..
kd> !verifier 3 SafeSystem.sys
Verify Flags Level 0x00000fbf
STANDARD FLAGS:
[X] (0x00000000) Automatic Checks
[X] (0x00000001) Special pool
[X] (0x00000002) Force IRQL checking
[X] (0x00000008) Pool tracking
[X] (0x00000010) I/O verification
[X] (0x00000020) Deadlock detection
[X] (0x00000080) DMA checking
[X] (0x00000100) Security checks
[X] (0x00000800) Miscellaneous checks
ADDITIONAL FLAGS:
[X] (0x00000004) Randomized low resources simulation
[X] (0x00000200) Force pending I/O requests
[X] (0x00000400) IRP logging
[X] Indicates flag is enabled
Summary of All Verifier Statistics
RaiseIrqls 0x515a8
AcquireSpinLocks 0x5de01b
Synch Executions 0x94e2
Trims 0x1fc
Pool Allocations Attempted 0x435ca8
Pool Allocations Succeeded 0x435ca8
Pool Allocations Succeeded SpecialPool 0x435ca8
Pool Allocations With NO TAG 0x5
Pool Allocations Failed 0x0
Current paged pool allocations 0x5d76 for 009A7BE0 bytes
Peak paged pool allocations 0x5d80 for 00D8EBBC bytes
Current nonpaged pool allocations 0x4dc1 for 0122588C bytes
Peak nonpaged pool allocations 0x4ddd for 0122AF90 bytes
Driver Verification List
------------------------
MODULE: 0x8cf00bc0 SafeSystem.sys (Loaded)
Pool Allocation Statistics: ( NonPagedPool / PagedPool )
Current Pool Allocations: ( 0x0000000b / 0x00000006 )
Current Pool Bytes: ( 0x00af6118 / 0x00000074 )
Peak Pool Allocations: ( 0x0000000b / 0x00000007 )
Peak Pool Bytes: ( 0x00af6118 / 0x003c6000 )
Contiguous Memory Bytes: 0x00000000
Peak Contiguous Memory Bytes: 0x00000000
Pool Allocations:
Address Length Tag Caller
---------- ---------- ---- ----------
0xb8600000 0x00411000 vDvP 0xa4f1c4aa SafeSystem!ReLoadNtos
0xb7446fc0 0x00000040 vDvP 0xa4f1c22f SafeSystem!InitSafeOperationModule
0xb75949b8 0x00000644 vDvP 0xa4f1c1d8 SafeSystem!InitSafeOperationModule
0xb5850fc0 0x00000040 vDvP 0xa4f1c147 SafeSystem!InitSafeOperationModule
0xb75be9b8 0x00000644 vDvP 0xa4f1c08d SafeSystem!InitSafeOperationModule
0xb7730ff0 0x00000010 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb77d6fe8 0x00000014 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb77f0fe8 0x00000014 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb77e0fe8 0x00000018 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb776aff0 0x00000010 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb8000000 0x00411000 vDvP 0xa4f14bde SafeSystem!ImageFile
0x8f69a000 0x00012000 vDvP 0xa4f15796 SafeSystem!InitKernelThreadData
0xb762afe8 0x00000014 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb7800000 0x002a1000 vDvP 0xa4f1c41a SafeSystem!ReLoadNtos
0xb74fedf8 0x00000208 vDvP 0xa4f147e3 SafeSystem!GetSystemKernelModuleInfo
0xb754cdf8 0x00000208 vDvP 0xa4f14faa SafeSystem!KernelOpenFile
0x8f67a000 0x00020000 vDvP 0xa4f1c36b SafeSystem!ReLoadNtos
Contiguous allocations are not displayed with public symbols.
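The `!verifier 3` listing above is what a 0xC4 / 0x62 triage works from. As an added example (not code from the thread or from the SafeSystem driver), this Python script parses that Pool Allocations table, groups the unfreed blocks by caller and tag, and cross-checks the row count against the bugcheck's Arg4; the embedded sample is the table exactly as posted above.

```python
import re
from collections import defaultdict
# Constructed sample: the "Pool Allocations" table from the !verifier 3 output
# posted above (17 rows, the same count as bugcheck 0xC4/0x62 Arg4 = 0x11).
SAMPLE = """\
Pool Allocations:
Address Length Tag Caller
---------- ---------- ---- ----------
0xb8600000 0x00411000 vDvP 0xa4f1c4aa SafeSystem!ReLoadNtos
0xb7446fc0 0x00000040 vDvP 0xa4f1c22f SafeSystem!InitSafeOperationModule
0xb75949b8 0x00000644 vDvP 0xa4f1c1d8 SafeSystem!InitSafeOperationModule
0xb5850fc0 0x00000040 vDvP 0xa4f1c147 SafeSystem!InitSafeOperationModule
0xb75be9b8 0x00000644 vDvP 0xa4f1c08d SafeSystem!InitSafeOperationModule
0xb7730ff0 0x00000010 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb77d6fe8 0x00000014 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb77f0fe8 0x00000014 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb77e0fe8 0x00000018 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb776aff0 0x00000010 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb8000000 0x00411000 vDvP 0xa4f14bde SafeSystem!ImageFile
0x8f69a000 0x00012000 vDvP 0xa4f15796 SafeSystem!InitKernelThreadData
0xb762afe8 0x00000014 VStr 0xa4f144c4 SafeSystem!GetKernelModuleBase
0xb7800000 0x002a1000 vDvP 0xa4f1c41a SafeSystem!ReLoadNtos
0xb74fedf8 0x00000208 vDvP 0xa4f147e3 SafeSystem!GetSystemKernelModuleInfo
0xb754cdf8 0x00000208 vDvP 0xa4f14faa SafeSystem!KernelOpenFile
0x8f67a000 0x00020000 vDvP 0xa4f1c36b SafeSystem!ReLoadNtos
Contiguous allocations are not displayed with public symbols.
"""
# One table row: address, length, 4-char pool tag, caller address, caller symbol.
ROW = re.compile(r"^0x[0-9a-f]{8}\s+(0x[0-9a-f]{8})\s+(\S{4})\s+0x[0-9a-f]{8}\s+(\S+)$")

def parse_pool_allocations(text):
    """Rows of the 'Pool Allocations:' table as (length, tag, caller) tuples."""
    rows, in_table = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Pool Allocations:":
            in_table = True
        elif in_table and (m := ROW.match(line)):
            rows.append((int(m[1], 16), m[2], m[3]))
    return rows

def summarize_leaks(rows, arg4=None):
    """(caller, tag, count, bytes) per site, largest first; cross-check Arg4."""
    if arg4 is not None and len(rows) != arg4:
        raise ValueError(f"table has {len(rows)} rows but Arg4 reports {arg4}")
    acc = defaultdict(lambda: [0, 0])
    for length, tag, caller in rows:
        acc[(caller, tag)][0] += 1
        acc[(caller, tag)][1] += length
    return sorted(((c, t, n, b) for (c, t), (n, b) in acc.items()), key=lambda g: -g[3])
```

The per-tag byte totals reconcile with the Current Pool Bytes line above (0x00af6118 nonpaged for vDvP, 0x00000074 paged for VStr), which confirms the table is complete before the leaking call sites are worked through one by one.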
Re: Help! Teacher Zhang, bluescreen on driver unload
格蠹老雷
2014-05-08, 23:14 PM
It looks like this driver has more than one or two problems. Everything shown above is kernel pool leaks; it has not even reached the STOP CE you mentioned first. I would not recommend pasting this much information about an actual product on a public forum like this; you can contact me by email.
Re: Help! Teacher Zhang, bluescreen on driver unload
cqyczj
2014-05-09, 09:02 AM
Thank you for the reminder, teacher, and thank you for your kindness.