Views: 3246  Replies: 13
KeInsertQueueApc BSOD on Windows 2003 SP1, summoning wowocock
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8082fbcd, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS:  00000008

CURRENT_IRQL:  2

FAULTING_IP:
nt!KiInsertQueueApc+62
8082fbcd 8b5f04           mov     ebx,[edi+0x4]

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

LAST_CONTROL_TRANSFER:  from 80874ad9 to 8081d97e

STACK_TEXT:
f78ee874 80874ad9 00000003 00000008 00000000 nt!RtlpBreakWithStatusInstruction
f78ee8c0 808758f6 00000003 00000008 8082fbcd nt!KiBugCheckDebugBreak+0x19
f78eec58 80826493 0000000a 00000008 00000002 nt!KeBugCheck2+0x5b2
f78eec58 8082fbcd 0000000a 00000008 00000002 nt!KiTrap0E+0x2a1
f78eecfc 80829262 82006128 808960a4 00000000 nt!KiInsertQueueApc+0x62
f78eed1c f66f39bb 82006128 00000000 00000000 nt!KeInsertQueueApc+0x47
f78eed6c 8092393d 81f75878 820060f0 808b059c packet!RunProcessCallback+0x1c1 [d:\whp\projects\ndis\process.c @ 415]
f78eed80 808203bd 81fa9d40 00000000 82396b40 nt!IopProcessWorkItem+0x13
f78eedac 80905d2c 81fa9d40 00000000 00000000 nt!ExpWorkerThread+0xeb
f78eeddc 80828499 80820300 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
packet!RunProcessCallback+1c1 [d:\whp\projects\ndis\process.c @ 415]
f66f39bb 84c0             test    al,al

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  packet!RunProcessCallback+1c1

MODULE_NAME: packet

IMAGE_NAME:  packet.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4802c1c5

STACK_COMMAND:  kb

BUCKET_ID:  0xA_packet!RunProcessCallback+1c1

Followup: MachineOwner
---------

kd> u KiInsertQueueApc+0x62
nt!KiInsertQueueApc+0xaa:
80828ecd 643b0d24010000   cmp     ecx,fs:[00000124]
80828ed4 0f84af760100     je      nt!KiInsertQueueApc+0xb3 (80840589)
80828eda 84d2             test    dl,dl
80828edc 0f853a9c0000     jne     nt!KiInsertQueueApc+0x16e (80832b1c)
80828ee2 c6413d01         mov     byte ptr [ecx+0x3d],0x1
80828ee6 0fb6514c         movzx   edx,byte ptr [ecx+0x4c]
80828eea 83fa02           cmp     edx,0x2
80828eed 0f84ad760100     je      nt!KiInsertQueueApc+0xc2 (808405a0)
kd> u KiInsertQueueApc
nt!KiInsertQueueApc:
80828e6b 8bff             mov     edi,edi
80828e6d 55               push    ebp
80828e6e 8bec             mov     ebp,esp
80828e70 51               push    ecx
80828e71 8bc1             mov     eax,ecx
80828e73 80782c03         cmp     byte ptr [eax+0x2c],0x3
80828e77 8b4808           mov     ecx,[eax+0x8]
80828e7a 8955fc           mov     [ebp-0x4],edx
kd> u
nt!KiInsertQueueApc+0x12:
80828e7d 0f844cc70200     je      nt!KiInsertQueueApc+0x14 (808555cf)
80828e83 83781c00         cmp     dword ptr [eax+0x1c],0x0
80828e87 0fbe502c         movsx   edx,byte ptr [eax+0x2c]
80828e8b 53               push    ebx
80828e8c 56               push    esi
80828e8d 57               push    edi
80828e8e 8bbc9130010000   mov     edi,[ecx+edx*4+0x130]
80828e95 8a502d           mov     dl,[eax+0x2d]
kd> u
nt!KiInsertQueueApc+0x32:
80828e98 0f85216d0000     jne     nt!KiInsertQueueApc+0x34 (8082fbbf)
80828e9e 0fbef2           movsx   esi,dl
80828ea1 8d3cf7           lea     edi,[edi+esi*8]
80828ea4 8b7704           mov     esi,[edi+0x4]
80828ea7 3bf7             cmp     esi,edi
80828ea9 0f859c300200     jne     nt!KiInsertQueueApc+0x7f (8084bf4b)
80828eaf 8b1e             mov     ebx,[esi]
80828eb1 8d780c           lea     edi,[eax+0xc]
kd> u
nt!KiInsertQueueApc+0x91:
80828eb4 891f             mov     [edi],ebx
80828eb6 897704           mov     [edi+0x4],esi
80828eb9 897b04           mov     [ebx+0x4],edi
80828ebc 893e             mov     [esi],edi
80828ebe 0fb6b11c010000   movzx   esi,byte ptr [ecx+0x11c]
80828ec5 0fbe782c         movsx   edi,byte ptr [eax+0x2c]
80828ec9 3bfe             cmp     edi,esi
80828ecb 755b             jnz     nt!KiInsertQueueApc+0xca (80828f28)
kd> u
nt!KiInsertQueueApc+0xaa:
80828ecd 643b0d24010000   cmp     ecx,fs:[00000124]
80828ed4 0f84af760100     je      nt!KiInsertQueueApc+0xb3 (80840589)
80828eda 84d2             test    dl,dl
80828edc 0f853a9c0000     jne     nt!KiInsertQueueApc+0x16e (80832b1c)
80828ee2 c6413d01         mov     byte ptr [ecx+0x3d],0x1
80828ee6 0fb6514c         movzx   edx,byte ptr [ecx+0x4c]
80828eea 83fa02           cmp     edx,0x2
80828eed 0f84ad760100     je      nt!KiInsertQueueApc+0xc2 (808405a0)
kd> u
nt!KiInsertQueueApc+0xe4:
80828ef3 83fa05           cmp     edx,0x5
80828ef6 0f8555c80100     jne     nt!KiInsertQueueApc+0x116 (80845751)
80828efc 80794e00         cmp     byte ptr [ecx+0x4e],0x0
80828f00 0f854bc80100     jne     nt!KiInsertQueueApc+0x116 (80845751)
80828f06 33d2             xor     edx,edx
80828f08 66395172         cmp     [ecx+0x72],dx
80828f0c 0f8541c80100     jne     nt!KiInsertQueueApc+0x118 (80845753)
80828f12 39501c           cmp     [eax+0x1c],edx
kd> u
nt!KiInsertQueueApc+0xfa:
80828f15 0f8529e60100     jne     nt!KiInsertQueueApc+0xfc (80847544)
80828f1b ba00010000       mov     edx,0x100
80828f20 ff75fc           push    dword ptr [ebp-0x4]
80828f23 e8dd6cffff       call    nt!KiUnwaitThread (8081fc05)
80828f28 5f               pop     edi
80828f29 5e               pop     esi
80828f2a 5b               pop     ebx
80828f2b c9               leave

Gurus, please help me work out what the actual cause is. Sometimes it succeeds.
#1
Posted: 2008-04-14 11:50
nt!KiInsertQueueApc:
80828e6b 8bff             mov     edi,edi
80828e6d 55               push    ebp
80828e6e 8bec             mov     ebp,esp
80828e70 51               push    ecx
80828e71 8bc1             mov     eax,ecx
80828e73 80782c03         cmp     byte ptr [eax+0x2c],0x3
80828e77 8b4808           mov     ecx,[eax+0x8]
80828e7a 8955fc           mov     [ebp-0x4],edx
80828e7d 0f844cc70200     je      nt!KiInsertQueueApc+0x14 (808555cf)
80828e83 83781c00         cmp     dword ptr [eax+0x1c],0x0
80828e87 0fbe502c         movsx   edx,byte ptr [eax+0x2c]
80828e8b 53               push    ebx
80828e8c 56               push    esi
80828e8d 57               push    edi
80828e8e 8bbc9130010000   mov     edi,[ecx+edx*4+0x130]
80828e95 8a502d           mov     dl,[eax+0x2d]
80828e98 0f85216d0000     jne     nt!KiInsertQueueApc+0x34 (8082fbbf)   // jumps to the code further down -->
80828e9e 0fbef2           movsx   esi,dl
80828ea1 8d3cf7           lea     edi,[edi+esi*8]
80828ea4 8b7704           mov     esi,[edi+0x4]
80828ea7 3bf7             cmp     esi,edi
80828ea9 0f859c300200     jne     nt!KiInsertQueueApc+0x7f (8084bf4b)
80828eaf 8b1e             mov     ebx,[esi]
80828eb1 8d780c           lea     edi,[eax+0xc]
80828eb4 891f             mov     [edi],ebx
80828eb6 897704           mov     [edi+0x4],esi
80828eb9 897b04           mov     [ebx+0x4],edi
80828ebc 893e             mov     [esi],edi
80828ebe 0fb6b11c010000   movzx   esi,byte ptr [ecx+0x11c]
80828ec5 0fbe782c         movsx   edi,byte ptr [eax+0x2c]
80828ec9 3bfe             cmp     edi,esi
80828ecb 755b             jnz     nt!KiInsertQueueApc+0xca (80828f28)
80828ecd 643b0d24010000   cmp     ecx,fs:[00000124]
80828ed4 0f84af760100     je      nt!KiInsertQueueApc+0xb3 (80840589)
80828eda 84d2             test    dl,dl
80828edc 0f853a9c0000     jne     nt!KiInsertQueueApc+0x16e (80832b1c)
80828ee2 c6413d01         mov     byte ptr [ecx+0x3d],0x1
80828ee6 0fb6514c         movzx   edx,byte ptr [ecx+0x4c]
80828eea 83fa02           cmp     edx,0x2
80828eed 0f84ad760100     je      nt!KiInsertQueueApc+0xc2 (808405a0)
80828ef3 83fa05           cmp     edx,0x5
80828ef6 0f8555c80100     jne     nt!KiInsertQueueApc+0x116 (80845751)
80828efc 80794e00         cmp     byte ptr [ecx+0x4e],0x0
80828f00 0f854bc80100     jne     nt!KiInsertQueueApc+0x116 (80845751)
80828f06 33d2             xor     edx,edx
80828f08 66395172         cmp     [ecx+0x72],dx
80828f0c 0f8541c80100     jne     nt!KiInsertQueueApc+0x118 (80845753)
80828f12 39501c           cmp     [eax+0x1c],edx
80828f15 0f8529e60100     jne     nt!KiInsertQueueApc+0xfc (80847544)
80828f1b ba00010000       mov     edx,0x100
80828f20 ff75fc           push    dword ptr [ebp-0x4]
80828f23 e8dd6cffff       call    nt!KiUnwaitThread (8081fc05)
80828f28 5f               pop     edi
80828f29 5e               pop     esi
80828f2a 5b               pop     ebx
80828f2b c9               leave

Execution continues at nt!KiInsertQueueApc+0x34:
8082fbbf 84d2             test    dl,dl
8082fbc1 0f852a2f0000     jne     nt!KiInsertQueueApc+0x38 (80832af1)
8082fbc7 0fbeda           movsx   ebx,dl
8082fbca 8d3cdf           lea     edi,[edi+ebx*8]
8082fbcd 8b5f04           mov     ebx,[edi+0x4]                         // the fault happens here!!!!
8082fbd0 8d700c           lea     esi,[eax+0xc]
8082fbd3 893e             mov     [esi],edi
8082fbd5 895e04           mov     [esi+0x4],ebx
8082fbd8 8933             mov     [ebx],esi
8082fbda 897704           mov     [edi+0x4],esi
8082fbdd e9dc92ffff       jmp     nt!KiInsertQueueApc+0x9b (80828ebe)
8082fbe2 8b91e4090000     mov     edx,[ecx+0x9e4]
8082fbe8 81c1e0090000     add     ecx,0x9e0
8082fbee 8d4660           lea     eax,[esi+0x60]
8082fbf1 8908             mov     [eax],ecx
8082fbf3 895004           mov     [eax+0x4],edx
8082fbf6 8902             mov     [edx],eax
8082fbf8 894104           mov     [ecx+0x4],eax
8082fbfb e9cefdfeff       jmp     nt!KeWaitForSingleObject+0x2b8 (8081f9ce)
8082fc00 6683f81b         cmp     ax,0x1b
8082fc04 0f858c0bffff     jne     nt!KiCheckForSListAddress+0x38 (80820796)
8082fc0a a10c838a80       mov     eax,[nt!KeUserPopEntrySListResume (808a830c)]
8082fc0f 3bd0             cmp     edx,eax
8082fc11 0f827f0bffff     jb      nt!KiCheckForSListAddress+0x38 (80820796)
8082fc17 3b1514838a80     cmp     edx,[nt!KeUserPopEntrySListEnd (808a8314)]
8082fc1d e9a1c4ffff       jmp     nt!KiCheckForSListAddress+0x33 (8082c0c3)
#2
Posted: 2008-04-14 17:16
Send the code to wowocock@hotmail.com and I'll help you debug it when I have time. My guess is that you died in
InsertTailList(&ApcState->ApcListHead[ApcMode], &Apc->ApcListEntry); check the related fields carefully.
#3
Posted: 2008-04-15 08:06
Email sent. I tweaked it a little yesterday, but it is still not very stable; sometimes it even freezes the machine.
#4
Posted: 2008-04-15 19:08
When InsertTailList(&ApcState->ApcListHead[ApcMode], &Apc->ApcListEntry); is called, could your target thread have already exited?
#5
Posted: 2008-04-16 11:12
At the time of the bugcheck your pTargetThread is not a KTHREAD.

f78eac84 lpProcess = 0xf799a470 "c:\test.exe"
f78eac38 pMappedAddress = 0x00000000
f78eac3c lpTargetPath = 0x00000000 ""
f78eac40 dwMappedAddress = 0
f78eac44 pCurrentList = 0x8519c908
f78eac48 pApc = 0x854b4298
f78eac4c pApcState = 0x00000000
f78eac50 pTargetThread = 0x8519c760
f78eac54 pTempList = 0x8519c908
f78eac58 data_addr = 0x00000000
f78eac5c dwSize = 0x40
f78eac60 lpThreadAlertable = 0x8519c7b8 "???"

kd> !thread 0x8519c760
8519c760 is not a thread object, interpreting as stack value...

kd> dt demo_apc!g_EProcessWinlogon
0x8519c8b8

kd> !process 0x8519c8b8
PROCESS 8519c8b8  SessionId: 0  Cid: 0630    Peb: 7ffd5000  ParentCid: 060c
    DirBase: 1c67c220  ObjectTable: e1401550  HandleCount: 254.
    Image: explorer.exe
    VadRoot 854ac740 Vads 150 Clone 0 Private 1342. Modified 74. Locked 0.
    DeviceMap e1793fa0
    Token                             e15f2d10
    ElapsedTime                       00:00:21.656
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         89300
    QuotaPoolUsage[NonPagedPool]      6768
    Working Set Sizes (now,min,max)  (2654, 50, 345) (10616KB, 200KB, 1380KB)
    PeakWorkingSetSize                2659
    VirtualSize                       49 Mb
    PeakVirtualSize                   56 Mb
    PageFaultCount                    3265
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1863

        THREAD 8547ac20  Cid 0630.0634  Teb: 7ffdf000 Win32Thread: e162e730 WAIT: (WrUserRequest) UserMode Non-Alertable
            851a2850  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      3854           Ticks: 23 (0:00:00:00.359)
        Context Switch Count      366                 LargeStack
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0156
        Start Address 0x77e6b5c7
        Win32 Start Address 0x01019634
        Stack Init f67ac000 Current f67abc68 Base f67ac000 Limit f67a6000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f67abc80 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f67abc98 80828046 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f67abcdc bf875ecb nt!KeWaitForSingleObject+0x2e0 (FPO: [Non-Fpo]) (CONV: stdcall)
        f67abd38 bf87605f win32k!xxxSleepThread+0x1be (FPO: [Non-Fpo]) (CONV: stdcall)
        f67abd4c bf87607c win32k!xxxRealWaitMessageEx+0x12 (FPO: [Non-Fpo]) (CONV: stdcall)
        f67abd5c 80882fa8 win32k!NtUserWaitMessage+0x14 (FPO: [0,0,0]) (CONV: stdcall)
        f67abd5c 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f67abd64)
        0007ff08 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84fa9db0  Cid 0630.063c  Teb: 7ffde000 Win32Thread: e1393ea8 WAIT: (WrLpcReceive) UserMode Non-Alertable
            8514d188  Semaphore Limit 0x7fffffff
            84fa9e28  NotificationTimer
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2536           Ticks: 1341 (0:00:00:20.953)
        Context Switch Count      21                  LargeStack
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Start Address 0x77e6b5bb
        LPC Server thread working on message Id 7c6
        Stack Init f6bd3000 Current f6bd2c24 Base f6bd3000 Limit f6bcf000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 1
        ChildEBP RetAddr
        f6bd2c3c 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f6bd2c54 80828046 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f6bd2c98 80919993 nt!KeWaitForSingleObject+0x2e0 (FPO: [Non-Fpo]) (CONV: stdcall)
        f6bd2d48 80882fa8 nt!NtReplyWaitReceivePortEx+0x521 (FPO: [Non-Fpo]) (CONV: stdcall)
        f6bd2d48 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6bd2d64)
        00d5ff84 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84fa8db0  Cid 0630.0640  Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Non-Alertable
            84fa8e28  NotificationTimer
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2498           Ticks: 1379 (0:00:00:21.546)
        Context Switch Count      1
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Start Address 0x77e6b5bb
        Win32 Start Address 0x776b23a8
        Stack Init f67ec000 Current f67ebc98 Base f67ec000 Limit f67e9000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f67ebcb0 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f67ebcc8 808276b0 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f67ebd0c 8098b382 nt!KeDelayExecutionThread+0x254 (FPO: [Non-Fpo]) (CONV: stdcall)
        f67ebd54 80882fa8 nt!NtDelayExecution+0x84 (FPO: [Non-Fpo]) (CONV: stdcall)
        f67ebd54 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f67ebd64)
        00d9ff7c 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84fa7db0  Cid 0630.0644  Teb: 7ffdc000 Win32Thread: e1748220 WAIT: (WrUserRequest) UserMode Non-Alertable
            8513c2f8  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      3846           Ticks: 31 (0:00:00:00.484)
        Context Switch Count      174                 LargeStack
        UserTime                  00:00:00.0015
        KernelTime                00:00:00.0031
        Start Address 0x77e6b5bb
        Win32 Start Address 0x77da5a59
        Stack Init f679c000 Current f679bc68 Base f679c000 Limit f6796000 Call 0
        Priority 11 BasePriority 9 PriorityDecrement 0
        ChildEBP RetAddr
        f679bc80 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f679bc98 80828046 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f679bcdc bf875ecb nt!KeWaitForSingleObject+0x2e0 (FPO: [Non-Fpo]) (CONV: stdcall)
        f679bd38 bf87605f win32k!xxxSleepThread+0x1be (FPO: [Non-Fpo]) (CONV: stdcall)
        f679bd4c bf87607c win32k!xxxRealWaitMessageEx+0x12 (FPO: [Non-Fpo]) (CONV: stdcall)
        f679bd5c 80882fa8 win32k!NtUserWaitMessage+0x14 (FPO: [0,0,0]) (CONV: stdcall)
        f679bd5c 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f679bd64)
        00ddff48 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84fa6db0  Cid 0630.0648  Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable
            84fa6e28  NotificationTimer
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2519           Ticks: 1358 (0:00:00:21.218)
        Context Switch Count      5
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Start Address 0x77e6b5bb
        Win32 Start Address ntdll!RtlpTimerThread (0x7c81fddf)
        Stack Init f67d4000 Current f67d3c98 Base f67d4000 Limit f67d1000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f67d3cb0 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f67d3cc8 808276b0 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f67d3d0c 8098b382 nt!KeDelayExecutionThread+0x254 (FPO: [Non-Fpo]) (CONV: stdcall)
        f67d3d54 80882fa8 nt!NtDelayExecution+0x84 (FPO: [Non-Fpo]) (CONV: stdcall)
        f67d3d54 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f67d3d64)
        00e1ffb8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84fa5db0  Cid 0630.064c  Teb: 7ffda000 Win32Thread: e17937a8 WAIT: (WrQueue) UserMode Non-Alertable
            8511ebc8  QueueObject
            84fa5e28  NotificationTimer
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2517           Ticks: 1360 (0:00:00:21.250)
        Context Switch Count      22                  LargeStack
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0062
        Start Address 0x77e6b5bb
        Win32 Start Address ntdll!RtlpWorkerThread (0x7c83ad38)
        Stack Init f676c000 Current f676bc4c Base f676c000 Limit f6768000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f676bc64 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f676bc7c 80829859 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f676bcc4 808e49da nt!KeRemoveQueue+0x3a1 (FPO: [Non-Fpo]) (CONV: stdcall)
        f676bd48 80882fa8 nt!NtRemoveIoCompletion+0xdc (FPO: [Non-Fpo]) (CONV: stdcall)
        f676bd48 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f676bd64)
        00e5ffb8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84fa4db0  Cid 0630.0650  Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
            85165cf0  NotificationTimer
            8516a408  SynchronizationEvent
            851a6228  NotificationEvent
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2833           Ticks: 1044 (0:00:00:16.312)
        Context Switch Count      3
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Start Address 0x77e6b5bb
        Win32 Start Address ntdll!RtlpWaitThread (0x7c83abb0)
        Stack Init f672c000 Current f672b914 Base f672c000 Limit f6729000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f672b92c 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f672b944 80827b42 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f672b978 8092fea4 nt!KeWaitForMultipleObjects+0x320 (FPO: [Non-Fpo]) (CONV: stdcall)
        f672bbf4 80930006 nt!ObpWaitForMultipleObjects+0x202 (FPO: [Non-Fpo]) (CONV: stdcall)
        f672bd48 80882fa8 nt!NtWaitForMultipleObjects+0xc8 (FPO: [Non-Fpo]) (CONV: stdcall)
        f672bd48 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f672bd64)
        00e9ffb8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84fa1db0  Cid 0630.0658  Teb: 7ffd8000 Win32Thread: e1747ae0 READY
        IRP List:
            84f80cd8: (0006,0190) Flags: 00000000  Mdl: 00000000
            84f76d38: (0006,0190) Flags: 00000000  Mdl: 00000000
            84f7ce70: (0006,0190) Flags: 00000000  Mdl: 00000000
            84f80e70: (0006,0190) Flags: 00000000  Mdl: 00000000
            851e4378: (0006,0190) Flags: 00000000  Mdl: 00000000
            854b95f8: (0006,0190) Flags: 00000000  Mdl: 00000000
            8547c570: (0006,0190) Flags: 00000000  Mdl: 00000000
            85180008: (0006,0190) Flags: 00000000  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      3875           Ticks: 2 (0:00:00:00.031)
        Context Switch Count      41                  LargeStack
        UserTime                  00:00:00.0015
        KernelTime                00:00:00.0000
        Start Address 0x77e6b5bb
        Win32 Start Address 0x77da5a59
        Stack Init f677c000 Current f677b914 Base f677c000 Limit f6778000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f677b92c 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f677b944 80827b42 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f677b978 8092fea4 nt!KeWaitForMultipleObjects+0x320 (FPO: [Non-Fpo]) (CONV: stdcall)
        f677bbf4 80930006 nt!ObpWaitForMultipleObjects+0x202 (FPO: [Non-Fpo]) (CONV: stdcall)
        f677bd48 80882fa8 nt!NtWaitForMultipleObjects+0xc8 (FPO: [Non-Fpo]) (CONV: stdcall)
        f677bd48 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f677bd64)
        00eefdd0 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84f83db0  Cid 0630.0660  Teb: 7ffd7000 Win32Thread: e18065f8 WAIT: (WrQueue) UserMode Non-Alertable
            8511ebc8  QueueObject
            84f83e28  NotificationTimer
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2528           Ticks: 1349 (0:00:00:21.078)
        Context Switch Count      25                  LargeStack
        UserTime                  00:00:00.0015
        KernelTime                00:00:00.0015
        Start Address 0x77e6b5bb
        Win32 Start Address ntdll!RtlpWorkerThread (0x7c83ad38)
        Stack Init f675c000 Current f675bc4c Base f675c000 Limit f6758000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f675bc64 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f675bc7c 80829859 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f675bcc4 808e49da nt!KeRemoveQueue+0x3a1 (FPO: [Non-Fpo]) (CONV: stdcall)
        f675bd48 80882fa8 nt!NtRemoveIoCompletion+0xdc (FPO: [Non-Fpo]) (CONV: stdcall)
        f675bd48 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f675bd64)
        00faffb8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84f82db0  Cid 0630.0664  Teb: 7ffd6000 Win32Thread: e180a160 WAIT: (WrQueue) UserMode Non-Alertable
            8511ebc8  QueueObject
            84f82e28  NotificationTimer
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2845           Ticks: 1032 (0:00:00:16.125)
        Context Switch Count      23                  LargeStack
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0109
        Start Address 0x77e6b5bb
        Win32 Start Address ntdll!RtlpWorkerThread (0x7c83ad38)
        Stack Init f673c000 Current f673bc4c Base f673c000 Limit f6738000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f673bc64 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f673bc7c 80829859 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f673bcc4 808e49da nt!KeRemoveQueue+0x3a1 (FPO: [Non-Fpo]) (CONV: stdcall)
        f673bd48 80882fa8 nt!NtRemoveIoCompletion+0xdc (FPO: [Non-Fpo]) (CONV: stdcall)
        f673bd48 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f673bd64)
        00feffb8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84f73db0  Cid 0630.0674  Teb: 7ffaf000 Win32Thread: e1814ce0 WAIT: (WrUserRequest) UserMode Non-Alertable
            851e0f58  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2535           Ticks: 1342 (0:00:00:20.968)
        Context Switch Count      23                  LargeStack
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Start Address 0x77e6b5bb
        Win32 Start Address 0x7634ebb6
        Stack Init f6c13000 Current f6c12bc4 Base f6c13000 Limit f6c0f000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f6c12bdc 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f6c12bf4 80828046 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f6c12c38 bf875ecb nt!KeWaitForSingleObject+0x2e0 (FPO: [Non-Fpo]) (CONV: stdcall)
        f6c12c94 bf87467d win32k!xxxSleepThread+0x1be (FPO: [Non-Fpo]) (CONV: stdcall)
        f6c12cec bf87ad25 win32k!xxxRealInternalGetMessage+0x46a (FPO: [Non-Fpo]) (CONV: stdcall)
        f6c12d4c 80882fa8 win32k!NtUserGetMessage+0x3f (FPO: [Non-Fpo]) (CONV: stdcall)
        f6c12d4c 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6c12d64)
        019dff78 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84f7fdb0  Cid 0630.067c  Teb: 7ffd4000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            8514d188  Semaphore Limit 0x7fffffff
            84f7fe28  NotificationTimer
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2536           Ticks: 1341 (0:00:00:20.953)
        Context Switch Count      6
        UserTime                  00:00:00.0000
        KernelTime                00:00:00.0000
        Start Address 0x77e6b5bb
        LPC Server thread working on message Id 7c8
        Stack Init f6724000 Current f6723c24 Base f6724000 Limit f6721000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f6723c3c 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f6723c54 80828046 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f6723c98 80919993 nt!KeWaitForSingleObject+0x2e0 (FPO: [Non-Fpo]) (CONV: stdcall)
        f6723d48 80882fa8 nt!NtReplyWaitReceivePortEx+0x521 (FPO: [Non-Fpo]) (CONV: stdcall)
        f6723d48 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6723d64)
        0114ff84 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 84fb3db0  Cid 0630.0694  Teb: 7ffae000 Win32Thread: e182b530 WAIT: (WrUserRequest) UserMode Non-Alertable
            8516c198  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1793fa0
        Owning Process            8519c8b8       Image:         explorer.exe
        Wait Start TickCount      2833           Ticks: 1044 (0:00:00:16.312)
        Context Switch Count      389                 LargeStack
        UserTime                  00:00:00.0015
        KernelTime                00:00:00.0015
        Start Address 0x77e6b5bb
        Win32 Start Address 0x748f3024
        Stack Init f697b000 Current f697abc4 Base f697b000 Limit f6977000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0
        ChildEBP RetAddr
        f697abdc 8082fc11 nt!KiSwapContext+0x25 (FPO: [Uses EBP] [0,0,4])
        f697abf4 80828046 nt!KiSwapThread+0x83 (FPO: [Non-Fpo]) (CONV: fastcall)
        f697ac38 bf875ecb nt!KeWaitForSingleObject+0x2e0 (FPO: [Non-Fpo]) (CONV: stdcall)
        f697ac94 bf87467d win32k!xxxSleepThread+0x1be (FPO: [Non-Fpo]) (CONV: stdcall)
        f697acec bf87ad25 win32k!xxxRealInternalGetMessage+0x46a (FPO: [Non-Fpo]) (CONV: stdcall)
        f697ad4c 80882fa8 win32k!NtUserGetMessage+0x3f (FPO: [Non-Fpo]) (CONV: stdcall)
        f697ad4c 7c82ed54 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f697ad64)
        011bfd18 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
#6
Posted: 2008-04-16 11:19
I don't know whether this piece of your code is atomic.
Actually your code does not always bugcheck on 2003; if pTargetThread is a KTHREAD there is no problem.

    // enumerate threads
    pCurrentList = (PLIST_ENTRY)((PUCHAR)g_EProcessWinlogon + BASE_KPROCESS_THREAD_OFFSET);
    pTempList = pCurrentList;
    do
    {
        lpThreadAlertable = (PUCHAR)pTempList - g_KThreadOffset.wOffsetThreadListEntry + g_KThreadOffset.wOffsetAlertable;
        if (*lpThreadAlertable)
        {
            pTargetThread = (PKTHREAD)(lpThreadAlertable - g_KThreadOffset.wOffsetAlertable);
            KdPrint(("Alert Thread: %08x\n", pTargetThread));
            break;
        }
        pTempList = pTempList->Flink;
    } while (pTempList != pCurrentList);
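An added example, not code from the thread or from the poster's driver. The locals in post #5 show pTempList == pCurrentList (both 0x8519c908) at the moment of the bugcheck, and pCurrentList is the ThreadListHead inside the process object (g_EProcessWinlogon + BASE_KPROCESS_THREAD_OFFSET in the loop quoted in post #6). Because that loop tests the entry it is standing on before it advances, the first entry it evaluates is the list head itself, which is not a thread; subtracting wOffsetThreadListEntry from it lands below the process object (0x8519c760 < 0x8519c8b8), which is why !thread rejects the address and why KiInsertQueueApc, dereferencing fields of that non-thread, faults on [edi+4]. The model below reproduces the posted walk beside a corrected one with the checks from posts #4 and #8. It uses simplified stand-in layouts (no Windows headers, so it builds on any C compiler): the struct layouts, the Terminated flag, the 0xAA filler and all addresses are assumptions for the demonstration; the one fact the model relies on is that the first byte of a dispatcher object is its KOBJECTS Type, and ThreadObject is 6.

```c
/* Added example (not the poster's code): user-mode model of the thread-list
 * walk from post #6. Layouts are simplified stand-ins for KPROCESS/KTHREAD;
 * only the relationships matter: the list head lives inside the process
 * object, each thread links in through its own ThreadListEntry, and the
 * first byte of a dispatcher object is its Type. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

enum { ProcessObject = 3, ThreadObject = 6 };   /* KOBJECTS values used here */

typedef struct {
    uint8_t Type, Absolute, Size, Inserted;     /* Type is the byte post #8 tests */
    int32_t SignalState;
    LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER;

typedef struct {                 /* model KTHREAD: only what the walk touches */
    DISPATCHER_HEADER Header;
    uint8_t Alertable;
    uint8_t Terminated;          /* assumed stand-in for "thread is exiting" (post #4) */
    LIST_ENTRY ThreadListEntry;
} MODEL_KTHREAD;

typedef struct {                 /* model KPROCESS: the list head sits inside it */
    DISPATCHER_HEADER Header;
    uint8_t Other[0x40];         /* whatever else precedes ThreadListHead */
    LIST_ENTRY ThreadListHead;
} MODEL_KPROCESS;

/* The loop from post #6, transcribed: it inspects the entry it stands on before
 * advancing, so on the first pass that entry is the list head and the returned
 * "thread" is computed from an address inside the process object. */
static MODEL_KTHREAD *find_alertable_as_posted(MODEL_KPROCESS *proc)
{
    LIST_ENTRY *head = &proc->ThreadListHead, *cur = head;
    do {
        uint8_t *alertable = (uint8_t *)cur
                           - offsetof(MODEL_KTHREAD, ThreadListEntry)
                           + offsetof(MODEL_KTHREAD, Alertable);
        if (*alertable)
            return (MODEL_KTHREAD *)(alertable - offsetof(MODEL_KTHREAD, Alertable));
        cur = cur->Flink;
    } while (cur != head);
    return NULL;
}

/* The probe suggested in post #8 as a function: does the Type byte say "thread"? */
static int looks_like_kthread(const void *p)
{
    return ((const DISPATCHER_HEADER *)p)->Type == ThreadObject;
}

/* Corrected walk: start at head->Flink, never treat the head as an entry,
 * skip candidates that are not threads or that are on their way out. */
static MODEL_KTHREAD *find_alertable_checked(MODEL_KPROCESS *proc)
{
    LIST_ENTRY *head = &proc->ThreadListHead;
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        MODEL_KTHREAD *t = CONTAINING_RECORD(cur, MODEL_KTHREAD, ThreadListEntry);
        if (!looks_like_kthread(t) || t->Terminated)
            continue;
        if (t->Alertable)
            return t;
    }
    return NULL;
}

/* Constructed fixture: one process, three threads. Thread 0 is alertable but
 * terminating, thread 1 is not alertable, thread 2 is the one we want. The
 * process's Other[] bytes are 0xAA, standing in for whatever happens to occupy
 * the spot the posted loop misreads as an Alertable flag. */
static MODEL_KPROCESS g_proc;
static MODEL_KTHREAD g_threads[3];

static void build_fixture(void)
{
    memset(&g_proc, 0, sizeof g_proc);
    memset(g_proc.Other, 0xAA, sizeof g_proc.Other);
    g_proc.Header.Type = ProcessObject;
    g_proc.ThreadListHead.Flink = g_proc.ThreadListHead.Blink = &g_proc.ThreadListHead;

    memset(g_threads, 0, sizeof g_threads);
    for (int i = 0; i < 3; i++) {
        g_threads[i].Header.Type = ThreadObject;
        LIST_ENTRY *e = &g_threads[i].ThreadListEntry, *head = &g_proc.ThreadListHead;
        e->Flink = head;                       /* InsertTailList */
        e->Blink = head->Blink;
        head->Blink->Flink = e;
        head->Blink = e;
    }
    g_threads[0].Alertable = 1; g_threads[0].Terminated = 1;
    g_threads[2].Alertable = 1;
}

int main(void)
{
    build_fixture();
    MODEL_KTHREAD *bad = find_alertable_as_posted(&g_proc);
    MODEL_KTHREAD *good = find_alertable_checked(&g_proc);
    printf("as posted: %p  Type==6? %d  (process object spans %p..%p)\n",
           (void *)bad, looks_like_kthread(bad), (void *)&g_proc, (void *)(&g_proc + 1));
    printf("checked  : %p  Type==6? %d  is threads[2]? %d\n",
           (void *)good, looks_like_kthread(good), good == &g_threads[2]);
    return 0;
}
```

Running it shows the posted loop returning an address inside the process object whose Type byte is not 6, and the checked walk returning the live alertable thread. In a real driver the model is not a substitute for proper object handling: the walk is unsynchronized against thread creation and exit (post #6's atomicity point, and post #9's caveat that a type check only narrows the window), hard-coded KTHREAD offsets differ between Windows versions, and a byte compare cannot prove an address is a resident thread object. The supported route is to obtain a referenced thread with PsLookupThreadByThreadId, test PsIsThreadTerminating before KeInsertQueueApc, and ObDereferenceObject it afterwards.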
#7
Posted: 2008-04-16 14:34
Then how can I tell that my pTargetThread is valid at the moment I insert the APC?
#8
Posted: 2008-04-16 15:03
Check the object type, or check *(WORD*)pThread == 6.
#9
Posted: 2008-04-16 17:10
Checking validity can reduce the chance of a bugcheck, but perhaps cannot fundamentally avoid it.
#10
Posted: 2008-04-16 19:31
Can one of the gurus give a solution?
#11
Posted: 2008-04-16 22:00
Post the whole project.
#12
Posted: 2010-01-26 22:16
Ran into the same problem. Bump.
#13
Posted: 2010-01-29 10:47
Basically solved. I got a lot of hints and don't dare to keep them to myself, so here is what I found:
1. When looking for the thread to inject into, check whether it is a "real thread", otherwise a 0xA BSOD occurs. The method I use is check *(WORD*)pThread == 6, but I don't know why non-threads get found.
2. Do not inject while userinit.exe and csrss.exe are both starting up, otherwise a 0x8E BSOD may occur; I don't know the reason for this either.
3. I inject into explorer.exe and start the specified process in Win32ProcessMonitor. After the above handling it runs stably.
I hope the gurus can shed further light.