IRQL blue screen hit while debugging

holly 2008-08-18, 12:10 PM

I wrote a driver that walks the kernel EPROCESS list, gets the PEB and reads each process's path.

It uses process-switching functions such as KeAttachProcess. Occasionally the driver blue-screens with:

IRQL_NOT_LESS_OR_EQUAL (a)
CURRENT_IRQL:  1c

According to the references, this IRQL is the clock hardware interrupt level. I don't understand how the code ends up at this interrupt level or how to prevent it. For now I have added a check of the current IRQL between the KeAttachProcess and KeDetachProcess calls to avoid it, but this blue screen doesn't occur very often, so I don't know whether that actually fixes the problem.

I'd appreciate the experts taking a look; many thanks!

The detailed crash dump follows:


IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, bitfield :
 bit 0 : value 0 = read operation, 1 = write operation
 bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804f9913, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  00000000

CURRENT_IRQL:  1c

FAULTING_IP:
nt!KeStartThread+11
804f9913 8b10            mov     edx,dword ptr [eax]

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

MISALIGNED_IP:
nt!KeStartThread+11
804f9913 8b10            mov     edx,dword ptr [eax]

LAST_CONTROL_TRANSFER:  from 804f9a20 to 804f9913

STACK_TEXT: 
b2fb5658 804f9a20 89583020 8945c020 8945c000 nt!KeStartThread+0x11
b2fb5678 b2ee037a 8945c000 89db2660 895086c0 nt!RtlAppendUnicodeToString+0x2f
WARNING: Stack unwind information not available. Following frames may be wrong.
b2fb56b0 b2edfb20 89676da0 89040000 00040000 Freezer+0x237a
b2fb56ec 804f0095 89676ce8 8b788f68 806e5428 Freezer+0x1b20
b2fb5720 8057f70a 8b788fd8 894fbaa0 8b788f68 nt!CcAcquireByteRangeForWrite+0x726
b2fb5734 8058056d 89676ce8 8b788f68 894fbaa0 nt!NtImpersonateThread+0xda
b2fb57d0 805790c2 00000f58 00000000 00000000 nt!NtQueryObject+0x107
b2fb5804 8054186c 00000f58 00000000 00000000 nt!NtCreateMutant+0x89
b2fb5834 7c90eb94 badb0d00 0012d9c4 00000000 nt!RtlIpv6StringToAddressA+0x17f
b2fb5844 0117ee48 b2fb58d0 8c17effc 8c17ee48 0x7c90eb94
00000000 00000000 00000000 00000000 00000000 0x117ee48


STACK_COMMAND:  kb

FOLLOWUP_IP:
Freezer+237a
b2ee037a ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  Freezer+237a

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  hardware

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: hardware

FAILURE_BUCKET_ID:  IP_MISALIGNED

BUCKET_ID:  IP_MISALIGNED

Followup: MachineOwner
---------


Re: IRQL blue screen hit while debugging

王宇 2008-08-18, 12:36 PM
Parameter 4 of bug check 0xA is "address which referenced memory", which here is 804f9913.

The code at 804f9913 is:
804f9913 8b10 mov edx,dword ptr [eax]
so it is reading the value a pointer points to.

And READ_ADDRESS: 00000000, so obviously it is bound to crash.

I suggest the OP check the related pointers.

Re: IRQL blue screen hit while debugging

格蠹老雷 2008-08-18, 13:01
王宇 is right. Let me explain in a bit more detail. This bug check code is indeed confusing; in this case it means that a page fault cannot be taken at the current high IRQL, yet that mov instruction dereferenced a null pointer and therefore raised a page fault. The IRQL is high and a page fault occurred anyway, so the only option is to stop.
From the information above, this MOV instruction is in the NT kernel's own code, and that part is trustworthy. But the stack backtrace currently shown is very incomplete. I suggest you first set up debugging symbols properly; right now not even your own Freezer driver (it is yours, isn't it?) has symbols. Correct debugging symbols are very important.
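The two replies above read the dump by hand: 王宇 decodes argument 4 and READ_ADDRESS, 老雷 explains why a null read at a high IRQL must stop the machine and warns that the frames below the unwind warning cannot be trusted. The following Python triage script is an added example, not code from this thread or from any of the posters, that applies that same reading mechanically to the !analyze text quoted above. It decodes the four 0xA arguments as the bug check description lists them (referenced address, IRQL, read/write/execute bitfield, faulting IP), flags the null read above DISPATCH_LEVEL, marks every frame after "Stack unwind information not available" as unreliable, and picks the first non-nt! module as the follow-up. The embedded dump excerpt is constructed from the thread's output; the x86 IRQL name table and the 0x10000 near-null threshold are assumptions.

```python
import re

# Constructed excerpt of the !analyze output quoted in the thread
# (argument block and stack walk), embedded so the script runs offline.
SAMPLE_DUMP = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, bitfield :
Arg4: 804f9913, address which referenced memory

STACK_TEXT:
b2fb5658 804f9a20 89583020 8945c020 8945c000 nt!KeStartThread+0x11
b2fb5678 b2ee037a 8945c000 89db2660 895086c0 nt!RtlAppendUnicodeToString+0x2f
WARNING: Stack unwind information not available. Following frames may be wrong.
b2fb56b0 b2edfb20 89676da0 89040000 00040000 Freezer+0x237a
b2fb56ec 804f0095 89676ce8 8b788f68 806e5428 Freezer+0x1b20
b2fb5720 8057f70a 8b788fd8 894fbaa0 8b788f68 nt!CcAcquireByteRangeForWrite+0x726
"""

# Assumed 32-bit x86 IRQL layout; device IRQLs occupy 3..26.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL",
              27: "PROFILE_LEVEL", 28: "CLOCK_LEVEL", 29: "IPI_LEVEL",
              30: "POWER_LEVEL", 31: "HIGH_LEVEL"}
NEAR_NULL = 0x10000  # assumed threshold for "null or near-null" pointers


def irql_name(level):
    """Symbolic name for an IRQL value under the assumed x86 layout."""
    if level in IRQL_NAMES:
        return IRQL_NAMES[level]
    return "device IRQL (DIRQL)" if 2 < level < 27 else "unknown"


def parse_args(text):
    """Collect the 'ArgN: <hex>,' lines into {1: int, ..., 4: int}."""
    args = {int(m.group(1)): int(m.group(2), 16)
            for m in re.finditer(r"^Arg(\d):\s*([0-9a-fA-F]+)", text, re.M)}
    if set(args) != {1, 2, 3, 4}:
        raise ValueError("expected four bug check arguments")
    return args


def decode_0xa(args):
    """Interpret bug check 0xA arguments as the !analyze description lists them."""
    addr, irql, bitfield, ip = args[1], args[2], args[3], args[4]
    op = "execute" if bitfield & 8 else ("write" if bitfield & 1 else "read")
    findings = []
    if addr < NEAR_NULL:
        findings.append(f"referenced address {addr:#010x} is a null/near-null pointer")
    if irql > 2:
        findings.append(f"IRQL {irql:#x} ({irql_name(irql)}) is above DISPATCH_LEVEL, "
                        "so a page fault cannot be serviced here")
    return {"address": addr, "irql": irql, "operation": op,
            "faulting_ip": ip, "findings": findings}


# child-sp, return address, three args, then the symbol.
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")


def parse_stack(text):
    """Return (symbol, reliable) per frame; frames after the unwind warning are unreliable."""
    frames, reliable, in_stack = [], True, False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT"):
            in_stack = True
            continue
        if not in_stack:
            continue
        if line.startswith("WARNING:"):
            reliable = False
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(3), reliable))
    return frames


def followup_module(frames):
    """First frame outside nt! is the module to look at first, as !analyze does here."""
    for symbol, _ in frames:
        if not symbol.startswith("nt!"):
            return symbol.split("+")[0]
    return None


def triage(text):
    """Combine argument decoding and stack assessment into one report."""
    report = decode_0xa(parse_args(text))
    frames = parse_stack(text)
    report["followup"] = followup_module(frames)
    report["unreliable_frames"] = sum(1 for _, ok in frames if not ok)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The report for the quoted dump reproduces both replies: a read of address 0 from 804f9913 at IRQL 0x1c with Freezer as the module to chase first, and three of the five frames flagged as unreliable because they follow the unwind warning. Setting up symbols for Freezer, as 老雷 suggests, is what turns those frames into usable ones.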

Re: IRQL blue screen hit while debugging

holly 2008-08-20, 17:20
Thanks to both of you for the kind guidance. I'm still short on driver-writing experience, and this debugging session taught me a lot about reading crash dump files; I also fixed three hidden problems in a row. Many thanks!
