Views: 1788   Replies: 1
Asking the MINIFILTER experts for help
A friend wrote a MINIFILTER and set it to load at boot (BOOT start). When it loads at boot there is a BSOD; the MEMORY DUMP is below. I do Linux driver development myself and don't understand Windows MINIFILTERs. I took a rough look and saw that the problem is at fltmgr!FltpPerformPostCallbacks+0x337, the ERROR CODE is 0xC0000005, and the first instruction at that location is TEST RBP, RBP.
My guess: could `test rbp, rbp` be the first instruction at the start of a CALLBACK ROUTINE registered by the MINIFILTER, and when execution reached here the 0xC0000005 error occurred? Could it be that the CALLBACK ROUTINE was paged out and is not in memory, while the current IRQL does not allow the paged-out page to be read back in, and that is what produced the error? The above is only a guess; I'd appreciate it if the experts could take a look. Here is the MEMORY DUMP:

Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {ffffffffc0000005, 1010072a8, fffffa60019d7538, fffffa60019d6f10}

Probably caused by : fltmgr.sys ( fltmgr!FltpPerformPostCallbacks+337 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 00000001010072a8, The address that the exception occurred at
Arg3: fffffa60019d7538, Exception Record Address
Arg4: fffffa60019d6f10, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
+1010072a8
00000001`010072a8 ??              ???

EXCEPTION_RECORD:  fffffa60019d7538 -- (.exr 0xfffffa60019d7538)
ExceptionAddress: 00000001010072a8
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000008
   Parameter[1]: 00000001010072a8
Attempt to execute non-executable address 00000001010072a8

CONTEXT:  fffffa60019d6f10 -- (.cxr 0xfffffa60019d6f10)
rax=00000000fffffa60 rbx=fffffa8003f23c60 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=fffffa8003f23ee3
rip=00000001010072a8 rsp=fffffa60019d7770 rbp=fffffa800320e030
 r8=0000000000000000  r9=50003c41c6000000 r10=50003c41c60d0001
r11=fffffa60019d7858 r12=0000000000000001 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
00000001`010072a8 ??              ???
Resetting default scope

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

WRITE_ADDRESS:  00000001010072a8

FAILED_INSTRUCTION_ADDRESS:
+1010072a8
00000001`010072a8 ??              ???

BUGCHECK_STR:  0x7E

LOCK_ADDRESS:  fffff80001856c20 -- (!locks fffff80001856c20)

Resource @ nt!PiEngineLock (0xfffff80001856c20)    Exclusively owned
    Contention Count = 4
     Threads: fffffa8001895720-01<*>
1 total locks, 1 locks currently held

PNP_TRIAGE:
	Lock address  : 0xfffff80001856c20
	Thread Count  : 1
	Thread address: 0xfffffa8001895720
	Thread wait   : 0xe1fc

LAST_CONTROL_TRANSFER:  from fffff8000199e4c4 to fffff800016b0390

STACK_TEXT:
fffffa60`019d7770 fffffa60`019d7770 : fffffa80`0320e030 fffffa80`03f23f70 fffffa60`00d3ff26 fffffa80`03f23c60 : 0x1`010072a8
fffffa60`019d7778 fffffa80`0320e030 : fffffa80`03f23f70 fffffa60`00d3ff26 fffffa80`03f23c60 fffff800`016b2705 : 0xfffffa60`019d7770
fffffa60`019d7780 fffffa80`03f23f70 : fffffa60`00d3ff26 fffffa80`03f23c60 fffff800`016b2705 fffffa80`034eb620 : 0xfffffa80`0320e030
fffffa60`019d7788 fffffa60`00d3ff26 : fffffa80`03f23c60 fffff800`016b2705 fffffa80`034eb620 fffffa60`019d7808 : 0xfffffa80`03f23f70
fffffa60`019d7790 fffffa60`00d3e007 : fffffa80`03f23c60 fffffa80`03f23c00 00000000`00000000 fffffa80`022d6460 : fltmgr!FltpPerformPostCallbacks+0x337
fffffa60`019d7860 fffffa60`00d3d0dd : fffffa80`03f23c60 fffffa80`0228a2a0 fffffa80`0228a200 fffffa80`0333e7a0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x417
fffffa60`019d78d0 fffff800`019f2011 : fffffa80`03f23c60 fffffa80`01e0ecc0 00000000`00000009 fffffa80`0320e030 : fltmgr!FltpDispatch+0xcd
fffffa60`019d7930 fffff800`01a8ea3f : fffffa80`01e0ecc0 fffffa60`019d7a80 fffffa80`0320e030 fffff800`017cf680 : nt!PnpAsynchronousCall+0xd1
fffffa60`019d7970 fffff800`01a8f43a : fffffa60`019d7bd8 fffff880`08199010 fffffa60`019d7b88 fffffa60`019d7c88 : nt!PiIrpQueryRemoveDevice+0xef
fffffa60`019d7a50 fffff800`01a8f570 : 00000000`00000000 fffffa80`01e042d0 fffffa60`019d7b88 00000000`00000000 : nt!PnpQueryRemoveLockedDeviceNode+0x6a
fffffa60`019d7a80 fffff800`01a8f640 : 00000000`00000000 fffffa80`01e04201 fffff880`0719ad30 fffff800`3f051397 : nt!PnpDeleteLockedDeviceNode+0x90
fffffa60`019d7ab0 fffff800`01a93920 : 00000000`00000002 00000000`00000000 00000000`00000000 fffffa80`01e042d0 : nt!PnpDeleteLockedDeviceNodes+0xa0
fffffa60`019d7b20 fffff800`01a9432c : fffffa60`00000000 fffffa80`037e5300 fffffa80`01895700 fffffa80`00000000 : nt!PnpProcessQueryRemoveAndEject+0x810
fffffa60`019d7c70 fffff800`019949c7 : 00000000`00000001 fffffa80`037e5390 fffff880`08199010 00000000`00000000 : nt!PnpProcessTargetDeviceEvent+0x4c
fffffa60`019d7ca0 fffff800`016bd066 : fffff800`018c4594 fffff880`08199010 fffff800`017ed8f8 fffffa80`01895720 : nt! ?? ::NNGAKEGL::`string'+0x4c0d4
fffffa60`019d7cf0 fffff800`018d3de3 : fffffa80`037e5390 6d388100`044e0076 fffffa80`01895720 00000000`00000080 : nt!ExpWorkerThread+0x11a
fffffa60`019d7d50 fffff800`016ea536 : fffffa60`017d2180 fffffa80`01895720 fffffa60`017dbd40 00000000`00000001 : nt!PspSystemThreadStartup+0x57
fffffa60`019d7d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

FOLLOWUP_IP:
fltmgr!FltpPerformPostCallbacks+337
fffffa60`00d3ff26 4885ed          test    rbp,rbp

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  fltmgr!FltpPerformPostCallbacks+337

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: fltmgr

IMAGE_NAME:  fltmgr.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  47919082

STACK_COMMAND:  .cxr 0xfffffa60019d6f10 ; kb

FAILURE_BUCKET_ID:  X64_0x7E_BAD_IP_fltmgr!FltpPerformPostCallbacks+337

BUCKET_ID:  X64_0x7E_BAD_IP_fltmgr!FltpPerformPostCallbacks+337
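To make the EXCEPTION_RECORD in the dump easier to read, here is a small user-mode C triage helper. It is added by the editor and is not part of the original post or of the friend's driver. It parses the `.exr` lines as WinDbg prints them and decodes the two parameters that STATUS_ACCESS_VIOLATION carries: Parameter[0] is 0 for a read, 1 for a write and 8 for an instruction fetch blocked by NX, and Parameter[1] is the faulting virtual address. It also classifies an x64 address as user-range, kernel-range or non-canonical. The sample text is copied from the dump above; the type and function names (`parse_exr`, `av_kind_of_text`, `fault_is_bad_ip`, `x64_addr_range`) are the example's own.

```c
/* Added triage example (not from the original thread): decode a WinDbg ".exr" block. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_ACCESS_VIOLATION 0xC0000005u

/* Parameter[0] of an access violation: 0 = read, 1 = write, 8 = instruction fetch (NX). */
enum av_kind    { AV_UNKNOWN = -1, AV_READ = 0, AV_WRITE = 1, AV_EXECUTE = 8 };
enum addr_range { RANGE_USER, RANGE_KERNEL, RANGE_NONCANONICAL };

struct exr {
    uint64_t exception_address;   /* RIP at the time of the exception */
    uint32_t exception_code;
    int      nparams;
    uint64_t param[2];            /* [0] = access type, [1] = faulting virtual address */
};

/* Constructed sample: the EXCEPTION_RECORD lines exactly as they appear in the dump above. */
const char *const kSampleExr =
    "EXCEPTION_RECORD:  fffffa60019d7538 -- (.exr 0xfffffa60019d7538)\n"
    "ExceptionAddress: 00000001010072a8\n"
    "   ExceptionCode: c0000005 (Access violation)\n"
    "  ExceptionFlags: 00000000\n"
    "NumberParameters: 2\n"
    "   Parameter[0]: 0000000000000008\n"
    "   Parameter[1]: 00000001010072a8\n"
    "Attempt to execute non-executable address 00000001010072a8\n";

/* Locates "label" in text and parses the hex value that follows it. Returns 0 if absent. */
static int parse_hex_field(const char *text, const char *label, uint64_t *out)
{
    const char *p = strstr(text, label);
    if (!p) return 0;
    p += strlen(label);
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return 0;
    *out = (uint64_t)v;
    return 1;
}

/* Parses a .exr block. Returns 1 on success, 0 if the mandatory fields are missing. */
int parse_exr(const char *text, struct exr *r)
{
    uint64_t v;
    memset(r, 0, sizeof *r);
    if (!parse_hex_field(text, "ExceptionAddress:", &r->exception_address)) return 0;
    if (!parse_hex_field(text, "ExceptionCode:", &v)) return 0;
    r->exception_code = (uint32_t)v;
    if (parse_hex_field(text, "NumberParameters:", &v)) r->nparams = (int)v;
    if (r->nparams > 2) r->nparams = 2;   /* an access violation defines exactly two */
    if (r->nparams >= 1) parse_hex_field(text, "Parameter[0]:", &r->param[0]);
    if (r->nparams >= 2) parse_hex_field(text, "Parameter[1]:", &r->param[1]);
    return 1;
}

enum av_kind av_access_kind(const struct exr *r)
{
    if (r->exception_code != STATUS_ACCESS_VIOLATION || r->nparams < 2) return AV_UNKNOWN;
    switch (r->param[0]) {
    case 0:  return AV_READ;
    case 1:  return AV_WRITE;
    case 8:  return AV_EXECUTE;
    default: return AV_UNKNOWN;
    }
}

/* x64 canonical halves: user space below 0x0000800000000000, kernel at or above 0xFFFF800000000000. */
enum addr_range x64_addr_range(uint64_t va)
{
    if (va <  0x0000800000000000ull) return RANGE_USER;
    if (va >= 0xFFFF800000000000ull) return RANGE_KERNEL;
    return RANGE_NONCANONICAL;
}

enum av_kind av_kind_of_text(const char *text)
{
    struct exr r;
    return parse_exr(text, &r) ? av_access_kind(&r) : AV_UNKNOWN;
}

/* Instruction fetch whose faulting VA is RIP itself: control transferred to an address
 * with no executable backing, which WinDbg names BAD_IP in the failure bucket. */
int fault_is_bad_ip(const char *text)
{
    struct exr r;
    if (!parse_exr(text, &r)) return 0;
    return av_access_kind(&r) == AV_EXECUTE && r.param[1] == r.exception_address;
}

int main(void)
{
    struct exr r;
    if (!parse_exr(kSampleExr, &r)) { fputs("unparseable .exr block\n", stderr); return 1; }
    static const char *const ranges[] = { "user", "kernel", "non-canonical" };
    enum av_kind k = av_access_kind(&r);
    printf("code=%08" PRIx32 " kind=%s va=%016" PRIx64 " (%s range) bad_ip=%d\n",
           r.exception_code,
           k == AV_READ ? "read" : k == AV_WRITE ? "write" : k == AV_EXECUTE ? "execute" : "unknown",
           r.param[1], ranges[x64_addr_range(r.param[1])], fault_is_bad_ip(kSampleExr));
    return 0;
}
```

For the record in this thread the helper reports an instruction fetch at 0x00000001010072a8, a user-range address, with the faulting address equal to RIP, which is exactly what the `X64_0x7E_BAD_IP` bucket name in the dump encodes; the `nt` and `fltmgr` return addresses on the stack, by contrast, all fall in the kernel range.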
Reply #1
Posted: 2009-03-18 14:46
Bumping this for you; I'll run into this problem myself some day.