Views: 2125  Replies: 5
ndis hook! BSOD?
I used the approach of registering a fake protocol and only hooked the TCPIP protocol's ReceiveHandler, ReceivePacketHandler and BindAdapterHandler in PNDIS_PROTOCOL_CHARACTERISTICS, plus ReceiveHandler, ReceivePacketHandler, SendHandler and SendPacketsHandler in PNDIS_OPEN_BLOCK. The hook function is just one statement:

VOID HookNdisProc(
    IN PVOID pHookProc,
    IN PVOID *ppOrigProc)
{
    ppOrigProc[0] = pHookProc;
}

None of my own Handler functions do anything; they just call the original Handler. The problem is that as soon as this driver is loaded, the system BSODs. Could some expert explain this for me? Many thanks!
#1
Posted: 2010-04-16 16:39
Look at the dump file.
#2
Posted: 2010-04-16 17:13
Debug it with windbg and see where it dies.
#3
Posted: 2010-04-18 16:45
Wouldn't a direct assignment be more direct? Why go through a function to do the assignment?
#4
Posted: 2010-04-19 09:50
to ceabie:
I use a function so I can save some addresses for unhooking. In the current test that isn't used, so it is only one statement.

Dump analysis:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: b265c730, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
+0
00000000 ??              ???

TRAP_FRAME:  b265c730 -- (.trap 0xffffffffb265c730)
ErrCode = 00000000
eax=82e9fed8 ebx=00000000 ecx=82f65008 edx=00000012 esi=82e9fed8 edi=82e0f008
eip=00000000 esp=b265c7a4 ebp=b265c7b8 iopl=0         nv up ei ng nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010292
00000000 ??              ???
Resetting default scope

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  svchost.exe

LAST_CONTROL_TRANSFER:  from f8d48bc5 to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
b265c7a0 f8d48bc5 82f65008 82e9fed8 00000049 0x0
b265c7b8 b2d77d40 82f65008 82e9fed8 82e0f008 Bogus!MySend+0x55 [d:\2010\proxy\mybogusprotocol\hookfunc.h @ 56]
b265c7e0 b2d77916 82e0f008 82e9fed8 82c4f870 tcpip!ARPSendData+0x198
b265c80c b2d7765a 82e0f008 b265c800 00000001 tcpip!ARPTransmit+0x193
b265c83c b2d7779f 82a69d50 021aa8c0 82e9fed8 tcpip!SendIPPacket+0x193
b265c988 b2d7e308 b2db5bb4 828ed798 828ec020 tcpip!IPTransmit+0x289e
b265ca28 b2d7e0cf 82dd34a0 828ed798 82c9f938 tcpip!UDPSend+0x41b
b265ca4c b2d7e135 0065ca70 82c9f900 828ec060 tcpip!TdiSendDatagram+0xd5
b265ca84 b2d7a881 82c9f938 82c9f9f0 82c9f900 tcpip!UDPSendDatagram+0x4f
b265caa0 804e47f7 82f18c88 82c9f938 82eae938 tcpip!TCPDispatchInternalDeviceControl+0xff
b265cab0 b2d35807 b265cb9c 00000008 b265cb10 nt!IopfCallDriver+0x31
b265cb08 b2d2cb5e 006bf240 b2d2cb5e 82eae938 afd!AfdFastDatagramSend+0x2fd
b265cc50 80590044 82f37c98 00000001 006bf110 afd!AfdFastIoDeviceControl+0x2a7
b265cd00 8058ffd7 000000ec 000000e8 00000000 nt!IopXxxControlFile+0x261
b265cd34 804df7ec 000000ec 000000e8 00000000 nt!NtDeviceIoControlFile+0x2a
b265cd34 7c92e4f4 000000ec 000000e8 00000000 nt!KiFastCallEntry+0xf8
006bf200 00000000 00000000 00000000 00000000 0x7c92e4f4

STACK_COMMAND:  kb

FOLLOWUP_IP:
Bogus!MySend+55 [d:\2010\proxy\mybogusprotocol\hookfunc.h @ 56]
f8d48bc5 8945fc          mov     dword ptr [ebp-4],eax

FAULTING_SOURCE_CODE:
    52: DWORD PacketSize = 0;
    53: KdPrint(("---HOOK-----MySend\n"));
    54: NdisQueryPacket(Packet, NULL, NULL, NULL, &PacketSize);
    55: KdPrint(("PacketSize = 0x%x\n", PacketSize));
>   56: Status = ((SEND_HANDLER)m_pSend)(NdisBindingHandle, Packet);
    57: return Status;
    58: }
    59:
    60: //
    61: //

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  Bogus!MySend+55

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Bogus

IMAGE_NAME:  Bogus.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4bcbb51c

FAILURE_BUCKET_ID:  0x8E_Bogus!MySend+55

BUCKET_ID:  0x8E_Bogus!MySend+55

Followup: MachineOwner
---------

Thank you all!!
#5
Posted: 2010-04-19 14:50
Solved: the MySend function was calling a null pointer.
Thanks, everyone.
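As an added illustration of the bug this thread converges on (not code from any poster here): a user-mode C model of the hook/unhook pattern, with a stand-in OPEN_BLOCK struct, NDIS_STATUS values and an OrigSend handler constructed for the example, showing why a hook that never saves the original leaves m_pSend NULL, and how a wrapper can fail closed instead of jumping to address 0.

```c
#include <stddef.h>
/* Constructed stand-ins so the model compiles in user mode without ndis.h. */
typedef int NDIS_STATUS;
#define NDIS_STATUS_SUCCESS 0
#define NDIS_STATUS_FAILURE (-1)
typedef NDIS_STATUS (*SEND_HANDLER)(void *NdisBindingHandle, void *Packet);
/* Stand-in for the one NDIS_OPEN_BLOCK field the thread's SendHandler hook touches. */
typedef struct { SEND_HANDLER SendHandler; } OPEN_BLOCK;
static SEND_HANDLER m_pSend = NULL; /* saved original, named as in the thread */
static int g_OrigSendCalls = 0;     /* how often the real handler ran */
static NDIS_STATUS OrigSend(void *h, void *p) {
    (void)h; (void)p; g_OrigSendCalls++; return NDIS_STATUS_SUCCESS;
}
/* Hook as posted: overwrites the slot but never records what was there, so
 * m_pSend stays NULL and the wrapper later jumps to address 0 (the 0x8E). */
static void HookNdisProc_AsPosted(SEND_HANDLER pHookProc, SEND_HANDLER *ppOrigProc) {
    ppOrigProc[0] = pHookProc;
}
/* Corrected hook: save the original into *ppSaved first, then replace the slot. */
static void HookNdisProc(SEND_HANDLER pHookProc, SEND_HANDLER *ppOrigProc,
                         SEND_HANDLER *ppSaved) {
    *ppSaved = ppOrigProc[0];
    ppOrigProc[0] = pHookProc;
}
/* Unhook: put the saved pointer back and clear the save slot. */
static void UnhookNdisProc(SEND_HANDLER *ppOrigProc, SEND_HANDLER *ppSaved) {
    if (*ppSaved != NULL) { ppOrigProc[0] = *ppSaved; *ppSaved = NULL; }
}
/* Wrapper that fails closed instead of faulting when m_pSend was never set. */
static NDIS_STATUS MySend(void *NdisBindingHandle, void *Packet) {
    if (m_pSend == NULL) return NDIS_STATUS_FAILURE;
    return m_pSend(NdisBindingHandle, Packet);
}
/* Reproduces the thread's bug; returns the wrapper's status (FAILURE here). */
NDIS_STATUS DemoHookAsPosted(void) {
    OPEN_BLOCK blk = { OrigSend };
    m_pSend = NULL;
    HookNdisProc_AsPosted(MySend, &blk.SendHandler);
    return blk.SendHandler(NULL, NULL);
}
/* Corrected flow; returns 1 if the original ran once and the unhook restored the slot. */
int DemoHookFixed(void) {
    OPEN_BLOCK blk = { OrigSend };
    m_pSend = NULL; g_OrigSendCalls = 0;
    HookNdisProc(MySend, &blk.SendHandler, &m_pSend);
    NDIS_STATUS st = blk.SendHandler(NULL, NULL);
    UnhookNdisProc(&blk.SendHandler, &m_pSend);
    return st == NDIS_STATUS_SUCCESS && g_OrigSendCalls == 1 && blk.SendHandler == OrigSend;
}
```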