Views: 2879  Replies: 6
Overflow causing a blue screen

Use !analyze -v to get detailed debugging information.

BugCheck 1000007F, {d, 0, 0, 0}

Probably caused by : T-ProcMon.sys ( T_ProcMon!GetFullName+2c3 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000d, EXCEPTION_GP_FAULT
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR:  0x7f_d

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  explorer.exe

LAST_CONTROL_TRANSFER:  from 805d9648 to 805d8d9e

STACK_TEXT:
f7fac5c8 805d9648 ffffffff f7fac854 f9d9d530 nt!RtlxUnicodeStringToOemSize+0x8
f7fac5e0 f9d9e6e3 f7fac6cc ffffffff 00000001 nt!RtlUnicodeStringToAnsiString+0x1e
f7fac6f0 f9d9d56f 7c92f648 ffffffff 813d3008 T_ProcMon!GetFullName+0x2c3 [e:\newsysmon\driver\t-procmon.c @ 1237]
f7fac838 8053e638 0000007a 00000003 0007f120 T_ProcMon!HookRegOpenKey+0x3f [e:\newsysmon\driver\t-procmon.c @ 609]
f7fac838 7c92e4f4 0000007a 00000003 0007f120 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0007f0ac 7c92d84c 77dadc53 0000007a 00000003 0x7c92e4f4
0007f0ec 77dade49 0000007a 0007f338 0007f10c 0x7c92d84c
0007f2a8 77daddf5 0000007a 0007f338 00000000 0x77dade49
0007f310 77da6b85 0000007a 0007f338 00000000 0x77daddf5
0007f344 77f4412c 80000000 0007f5b0 00000000 0x77da6b85
0007f580 77f4ab0b 80000000 0007f5b0 00000000 0x77f4412c
0007f85c 7d5c5711 0007f8c0 7d598f3c 00000000 0x77f4ab0b
0007f878 7d5c5b30 00000000 0007f8fc 0009d7d0 0x7d5c5711
0007f890 7d5c5817 0007f8c0 00000000 00100022 0x7d5c5b30
0007f8d4 7d5c7887 00155690 20100000 0007f8fc 0x7d5c5817
0007f8f4 7d5c931a b0000170 00000001 0007f930 0x7d5c7887
0007f928 7d607eee 00000000 00001000 0015595c 0x7d5c931a
0007f944 7d607e41 00000000 000005a4 000f0470 0x7d607eee
0007fb6c 7d607db2 00001000 0015595c 00000000 0x7d607e41
0007fce4 7d5c44ff 00010090 000004a0 000005f0 0x7d607db2
0007fd28 77d18734 00010090 000004a0 000005f0 0x7d5c44ff
0007fd54 77d18816 7d5c44a9 00010090 000004a0 0x77d18734
0007fdbc 77d28ea0 0009d4f0 7d5c44a9 00010090 0x77d18816
0007fe10 77d28eec 0059a8d8 000004a0 000005f0 0x77d28ea0
0007fe38 7c92e453 0007fe48 00000018 0059a8d8 0x77d28eec
0007fe88 77d19402 0007fed4 00000000 00000000 0x7c92e453
0007feb4 7d5c4aa4 0007fed4 00000000 00000000 0x77d19402
0007ffd0 80545bfd 0007ffc8 81497020 ffffffff 0x7d5c4aa4
0007ffd0 00000000 0007ffc8 81497020 ffffffff nt!ExFreePoolWithTag+0x417

STACK_COMMAND:  kb

FOLLOWUP_IP:
T_ProcMon!GetFullName+2c3 [e:\newsysmon\driver\t-procmon.c @ 1237]
f9d9e6e3 85c0            test    eax,eax

FAULTING_SOURCE_CODE:
  1233: try {
  1234:
  1235:     if( lpszSubKeyVal ) {
  1236:         keyname.Buffer = NULL;
> 1237:         if( NT_SUCCESS( RtlUnicodeStringToAnsiString( &keyname, lpszSubKeyVal, TRUE ))) {
  1238:
  1239:             if( keyname.Buffer[0] ) {
  1240:                 strcat( tmpname, "\\" );
  1241:                 strncat( tmpname, keyname.Buffer, Minimum( keyname.Length, MAXPATHLEN - 1 - strlen(tmpname) ));
  1242:             }

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  T_ProcMon!GetFullName+2c3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: T_ProcMon

IMAGE_NAME:  T-ProcMon.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4be2bc8d

FAILURE_BUCKET_ID:  0x7f_d_T_ProcMon!GetFullName+2c3

BUCKET_ID:  0x7f_d_T_ProcMon!GetFullName+2c3

Followup: MachineOwner
---------

I don't understand why this overflows. Could some expert point me in the right direction? Much appreciated!

The code gets the full name of a registry key; it is the code from Regmon:

VOID GetFullName( HANDLE hKey, PUNICODE_STRING lpszSubKeyVal, PCHAR fullname )
{
    PHASH_ENTRY              hashEntry;
    POBJECT                  pKey = NULL;
    CHAR                     tmpkey[16];
    ANSI_STRING              keyname;
    PCHAR                    tmpname;
    PCHAR                    cmpname;
    PCHAR                    nameptr;
    PUNICODE_STRING          fullUniName;
    ULONG                    actualLen;
    int                      i;
    POBJECT_NAME_INFORMATION keyNameInformation=0;

    //
    // If the fullname buffer is NULL, bail now
    //
    if( !fullname ) return;

    //
    // Allocate a temporary buffer
    //
    cmpname = ExAllocatePool( PagedPool, MAXROOTLEN );
    tmpname = ExAllocateFromPagedLookasideList( &FullPathLookaside );
    if( !tmpname || !cmpname ) {

        //
        // Not enough memory for a buffer
        //
        if( cmpname ) ExFreePool( cmpname );
        if( tmpname ) ExFreeToPagedLookasideList( &FullPathLookaside, tmpname );
        strcpy( fullname, "<INSUFFICIENT MEMORY>");
        return;
    }

    //
    // Translate the hkey into a pointer
    //
    fullname[0] = 0;
    tmpname[0] = 0;

    //
    // Is it a valid handle?
    //
    if( pKey = GetPointer( hKey )) {

        //
        // See if we find the key in the hash table
        //
        ReleasePointer( pKey );
        MUTEX_P( HashMutex );
        hashEntry = HashTable[ HASHOBJECT( pKey ) ];
        while( hashEntry && hashEntry->Object != pKey ) {
            hashEntry = hashEntry->Next;
        }
        if( hashEntry ) {

            strcpy( tmpname, hashEntry->FullPathName );
            MUTEX_V( HashMutex );

        } else {

            //
            // We will only get here if key was created before we loaded - ask the Configuration
            // Manager what the name of the key is.
            //
            MUTEX_V( HashMutex );
            if( pKey ) {

                fullUniName = ExAllocatePool( PagedPool, MAXPATHLEN*sizeof(WCHAR)+2*sizeof(ULONG));
                if( !fullUniName ) {

                    //
                    // Out of memory
                    //
                    strcpy( fullname, "<INSUFFICIENT MEMORY>" );
                    ExFreePool( cmpname );
                    ExFreeToPagedLookasideList( &FullPathLookaside, tmpname );
                    return;
                }

                // NTKERNELAPI
                // NTSTATUS
                // ObQueryNameString (
                //     IN PVOID Object,
                //     OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
                //     IN ULONG Length,
                //     OUT PULONG ReturnLength
                //     );
                fullUniName->MaximumLength = MAXPATHLEN*sizeof(WCHAR);
                //&keyNameInformation->Name=fullUniName;
                if( NT_SUCCESS(ObQueryNameString( pKey, fullUniName, MAXPATHLEN, &actualLen ) )) {
                    //fullUniName=&keyNameInformation->Name;
                    if( NT_SUCCESS( RtlUnicodeStringToAnsiString( &keyname, fullUniName, TRUE ))) {

                        if( keyname.Buffer[0] ) {

                            strcpy( tmpname, "\\" );
                            strncat( tmpname, keyname.Buffer, Minimum( keyname.Length, MAXPATHLEN -2 ));
                        }
                        RtlFreeAnsiString( &keyname );
                    }
                }
                ExFreePool( fullUniName );
            }
        }
    }

    //
    // Append subkey and value, if they are there
    //
    try {

        if( lpszSubKeyVal ) {

            keyname.Buffer = NULL;
            if( NT_SUCCESS( RtlUnicodeStringToAnsiString( &keyname, lpszSubKeyVal, TRUE ))) {

                if( keyname.Buffer[0] ) {

                    //
                    // See if this is an absolute rather than relative path, which
                    // can be the case on Open/Create when the Registry callback API
                    // is used (.NET Server and higher)
                    //
                    ConvertToUpper( cmpname, keyname.Buffer, strlen("\\REGISTRY")+1);
                    if( !strncmp( cmpname, "\\REGISTRY", strlen("\\REGISTRY"))) {

                        strcpy( tmpname, "\\" );

                    } else {

                        strcat( tmpname, "\\" );
                    }
                    strncat( tmpname, keyname.Buffer, Minimum( keyname.Length, MAXPATHLEN - 1 - strlen(tmpname) ));
                }
                RtlFreeAnsiString( &keyname );
            }
        }

    } except( EXCEPTION_EXECUTE_HANDLER ) {

        if( keyname.Buffer ) RtlFreeAnsiString( &keyname );
        strcat( tmpname, "*** Invalid Name ****" );
    }

    //
    // See if it matches current user
    //
    for( i = 0; i < 2; i++ ) {

        ConvertToUpper( cmpname, tmpname, CurrentUser[i].RootNameLen );
        if( !strncmp( cmpname, CurrentUser[i].RootName, CurrentUser[i].RootNameLen )) {

            // KdPrint(( " CurrentUser(%d) %s ==> %s\n", i,
            //           tmpname, CurrentUser[i].RootName ));

            //
            // Its current user. Process to next slash
            //
            nameptr = tmpname + CurrentUser[i].RootNameLen;
            while( *nameptr && *nameptr != '\\' ) nameptr++;
            strcpy( fullname, CurrentUser[i].RootShort );
#if 0
            cmpname = nameptr - sizeof(USER_CLASSES);
            ConvertToUpper (cmpname, cmpname, sizeof(USER_CLASSES));
            if (!strncmp( cmpname, USER_CLASSES, sizeof(USER_CLASSES))) {
                strcat (fullname, "\\Software\\Classes");
            }
#endif
            strcat( fullname, nameptr );
            ExFreePool( cmpname );
            ExFreeToPagedLookasideList( &FullPathLookaside, tmpname );
            return;
        }
    }

    //
    // Now, see if we can translate a root key name
    //
    for( i = 0; i < NUMROOTKEYS; i++ ) {

        ConvertToUpper( cmpname, tmpname, RootKey[i].RootNameLen );
        if( !strncmp( cmpname, RootKey[i].RootName, RootKey[i].RootNameLen )) {

            nameptr = tmpname + RootKey[i].RootNameLen;
            strcpy( fullname, RootKey[i].RootShort );
            strcat( fullname, nameptr );
            ExFreePool( cmpname );
            ExFreeToPagedLookasideList( &FullPathLookaside, tmpname );
            return;
        }
    }

    //
    // No translation
    //
    strcpy( fullname, tmpname );
    ExFreeToPagedLookasideList( &FullPathLookaside, tmpname );
    ExFreePool( cmpname );
}
Reply #1
Posted: 2010-05-08 00:59
It's pretty obvious.

> 1237:         if( NT_SUCCESS( RtlUnicodeStringToAnsiString( &keyname, lpszSubKeyVal, TRUE ))) {

The lpszSubKeyVal pointer is 0xFFFFFFFF; accessing that address is guaranteed to hit the BSOD error UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f).
Reply #2
Posted: 2010-05-08 12:01
Re: reply #1 (treeyan)
Did you see that it is 0xFFFFFFFF from the STACK_TEXT? I don't understand STACK_TEXT yet. Could you explain why this happens?
Reply #3
Posted: 2010-05-08 22:55
I don't know what your application does or when it runs, so it is hard to give any advice.
From the code, lpszSubKeyVal is already 0xFFFFFFFF before GetFullName is entered. Sorry.
Reply #4
Posted: 2010-05-08 23:26
Re: reply #3 (treeyan)
It hooks some registry-related functions to monitor program behaviour. When an OpenKey call is seen, it first obtains the registry key's name by calling GetFullName. The code is as follows:

NTSTATUS HookRegOpenKey(
    IN OUT PHANDLE pHandle,
    IN ACCESS_MASK ReqAccess,
    IN POBJECT_ATTRIBUTES pOpenInfo )
{
    NTSTATUS    ntstatus;
    POBJECT     regobj;
    CHAR        name[MAXPROCNAMELEN];
    TCHAR       pMessage[256];
    PCHAR       fullname;

    fullname = ExAllocateFromNPagedLookasideList( &FullPathLookaside );
    GetFullName( pOpenInfo->RootDirectory, pOpenInfo->ObjectName, fullname );
    ntstatus = RealRegOpenKey( pHandle, ReqAccess, pOpenInfo );
Reply #5
Posted: 2010-05-09 09:41
ZwOpenKey is not hooked correctly. Roughly like this:

    KdPrint(( "pHandle=%08x AccessMask=%08x ObjectAttributes=%08x\n", pHandle, ReqAccess, pOpenInfo));

You will see that the value of pHandle is wrong.
Reply #6
Posted: 2010-05-09 20:19
Re: reply #5 (treeyan)
Oh! Thanks for the reminder! I'll take another look!
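Reply #2 asks how the 0xFFFFFFFF can be read off the STACK_TEXT, and reply #5 points at a bad pHandle; this added Python triage script (not from the thread, Regmon or the T-ProcMon driver) shows both: on 32-bit x86 the three "Args to Child" columns of a kb frame are the first three stdcall parameters of the function named on that line, so mapping them onto the prototypes posted above exposes the implausible pointers directly. The frame lines and parameter names are copied from the posts; the address-range rules (no /3GB, low 64 KB unmapped) are this script's own assumptions.

```python
import re

# Frame lines copied from the kernel-mode part of the STACK_TEXT in the first post.
STACK_TEXT = """\
f7fac5c8 805d9648 ffffffff f7fac854 f9d9d530 nt!RtlxUnicodeStringToOemSize+0x8
f7fac5e0 f9d9e6e3 f7fac6cc ffffffff 00000001 nt!RtlUnicodeStringToAnsiString+0x1e
f7fac6f0 f9d9d56f 7c92f648 ffffffff 813d3008 T_ProcMon!GetFullName+0x2c3 [e:\\newsysmon\\driver\\t-procmon.c @ 1237]
f7fac838 8053e638 0000007a 00000003 0007f120 T_ProcMon!HookRegOpenKey+0x3f [e:\\newsysmon\\driver\\t-procmon.c @ 609]
"""

# Parameter names from the prototypes posted in the thread; True marks pointer-typed parameters.
SIGNATURES = {
    "T_ProcMon!HookRegOpenKey": [("pHandle", True), ("ReqAccess", False), ("pOpenInfo", True)],
    "T_ProcMon!GetFullName": [("hKey", False), ("lpszSubKeyVal", True), ("fullname", True)],
    "nt!RtlUnicodeStringToAnsiString": [("DestinationString", True), ("SourceString", True),
                                        ("AllocateDestinationString", False)],
}

# ChildEBP RetAddr Args-to-Child(x3) Symbol: the standard x86 `kb` frame layout.
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ((?:[0-9a-f]{8} ){3})(\S+)")

def parse_frames(text):
    """Yield (symbol, [arg0, arg1, arg2]) for every frame line in a STACK_TEXT block."""
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            yield m.group(4).split("+")[0], [int(a, 16) for a in m.group(3).split()]

def classify_pointer(value):
    """Plausibility of a 32-bit pointer-typed argument (assumption: x86, no /3GB)."""
    if value in (0, 0xFFFFFFFF):
        # A USHORT read at 0xffffffff crosses the 4 GB limit: #GP (trap 0xD), not a page
        # fault, so the try/except cannot catch it; cf. Arg1 = 0000000d in the bugcheck.
        return "invalid"
    if value < 0x10000:
        return "not a pointer"   # low 64 KB is never mapped; this looks like a HANDLE or index
    return "kernel" if value >= 0x80000000 else "user"

def triage(text, signatures):
    """Return (symbol, parameter, value, verdict) for every implausible pointer argument."""
    findings = []
    for symbol, args in parse_frames(text):
        for (name, is_ptr), value in zip(signatures.get(symbol, []), args):
            if is_ptr and classify_pointer(value) in ("invalid", "not a pointer"):
                findings.append((symbol, name, value, classify_pointer(value)))
    return findings

if __name__ == "__main__":
    for symbol, name, value, verdict in triage(STACK_TEXT, SIGNATURES):
        print(f"{symbol}: {name} = 0x{value:08x} ({verdict})")
```

The same ffffffff shows up as SourceString in the RtlUnicodeStringToAnsiString frame and as lpszSubKeyVal one frame up, while HookRegOpenKey's first argument is the handle-sized 0000007a rather than a PHANDLE, which is what reply #5 means by the hook not being installed correctly.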