Views: 2554  Replies: 10
Problem with using a load-image notify routine to block driver loading!
I use the code below to prevent drivers from loading. It works fine on 2003 and SP1, but under XP it occasionally blue-screens (it has happened on SP0, SP1 and SP2, while 2003 has never done it). The blue screens are rare, so I have not been able to find any pattern.

By analyzing the dump file I know where the fault occurs, but I have no idea why it faults or how to fix it, and I hope someone with experience can help. Many thanks! My CPU is a PD 820 (dual-core); the systems that blue-screen are XP SP0/SP1/SP2; the dump information given below is from XP SP0.

// Core code
// (Fragment as posted: the PE-parsing code and the definitions of lpNtHdr,
//  lpEntryPoint and IsSpanPageValid were not included in the post.)
VOID LoadImageNotify(IN PUNICODE_STRING ImageName, IN HANDLE ProcessId, IN PIMAGE_INFO ImageInfo)
{
    // The code before this just parses the PE structure; it is guaranteed to be correct!
    lpEntryPoint = (LPVOID)((ULONG)ImageInfo->ImageBase + lpNtHdr->OptionalHeader.AddressOfEntryPoint);
    if (!(IsSpanPageValid(lpEntryPoint, 8)))
        return;
    DisableDriver(lpEntryPoint);
}

VOID DisableDriver(IN LPVOID lpEntryPoint)
{
    // 8-byte stub written over the driver's entry point so DriverEntry fails immediately
    UCHAR HookCode[] = { 0xB8, 0x05, 0x00, 0x00, 0xC0,   // mov eax, STATUS_ACCESS_VIOLATION
                         0xC2, 0x08, 0x00 };             // retn 8
    ULONG ValueCR0 = 0;
    __asm {
        mov eax, CR0
        mov ValueCR0, eax            ; save CR0
        and eax, 0xFFFEFFFF          ; clear CR0.WP (bit 16)
        mov CR0, eax
        pushf
        cli                          ; save EFLAGS, disable interrupts
        mov ebx, dword ptr lpEntryPoint
        mov eax, dword ptr HookCode
        mov [ebx], eax               ; first 4 bytes of the stub
        mov eax, dword ptr HookCode + 4
        mov [ebx + 4], eax           ; last 4 bytes of the stub
        mov eax, ValueCR0
        mov CR0, eax                 ; restore CR0
        popf                         ; restore EFLAGS
    }
}

// Dump file
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: C:\symbols\ntkrnlmp.pdb\17B393516A4C4AB0B3D5485A01EAD8002
Executable search path is:
Windows XP Kernel Version 2600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpclient.010817-1148
Kernel base = 0x804d1000 PsLoadedModuleList = 0x8054be28
Debug session time: Tue Mar 13 16:38:58.077 2007 (GMT+8)
System Uptime: 0 days 0:10:24.796
Loading Kernel Symbols
...
Loading User Symbols
Loading unloaded module list
...
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {f78de81a, ff, 1, f9c8eb33}
Probably caused by : fstab.sys ( fstab!DisableDriver+55 )
Followup: MachineOwner
---------

0: kd> lm
start    end        module name
804d1000 806b9000   nt         (pdb symbols)          C:\symbols\ntkrnlmp.pdb\17B393516A4C4AB0B3D5485A01EAD8002\ntkrnlmp.pdb
f9c8b000 f9c97000   fstab      (private pdb symbols)  C:\symbols\ntkrnlmp.pdb\17B393516A4C4AB0B3D5485A01EAD8002\fstab.pdb

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f78de81a, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f9c8eb33, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS:  f78de81a
CURRENT_IRQL:  ff
FAULTING_IP:
fstab!DisableDriver+55 [c:\dev\disabledriver.c @ 193]
f9c8eb33 8903            mov     dword ptr [ebx],eax
DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
TRAP_FRAME:  f9ea6a14 -- (.trap fffffffff9ea6a14)
ErrCode = 00000003
eax=000005b8 ebx=f78de81a ecx=f9c8eac4 edx=00000019 esi=81511838 edi=f78de81a
eip=f9c8eb33 esp=f9ea6a88 ebp=f9ea6aa4 iopl=0         nv up di ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010082
fstab!DisableDriver+0x55:
f9c8eb33 8903            mov     dword ptr [ebx],eax  ds:0023:f78de81a=81ec8b55
Resetting default scope
LAST_CONTROL_TRANSFER:  from 804fe12e to 80518ee6
STACK_TEXT:
f9ea69f8 804fe12e 0000000a f78de81a 000000ff nt!KeBugCheckEx+0x19
f9ea69f8 f9c8eb33 0000000a f78de81a 000000ff nt!KiTrap0E+0x2b5
f9ea6aa4 f9c8ed43 f78de81a 8054df80 00000008 fstab!DisableDriver+0x55 [c:\dev\disabledriver.c @ 193]
f9ea6ac8 805dc883 f9ea6d48 00000000 f78de81a fstab!LoadImageNotify+0x157 [c:\dev\disabledriver.c @ 117]
f9ea6ae4 805cecc9 f9ea6d48 00000000 f9ea6bac nt!PsCallImageNotifyRoutines+0x34
f9ea6c88 805ad126 f9ea6d48 00000000 00000000 nt!MmLoadSystemImage+0x9ab
f9ea6d54 805ad4f7 000001c4 00000001 00000000 nt!IopLoadDriver+0x311
f9ea6d7c 804d8e98 000001c4 00000000 817bb8b8 nt!IopLoadUnloadDriver+0x43
f9ea6dac 8055f764 f7d2ecf4 00000000 00000000 nt!ExpWorkerThread+0xed
f9ea6ddc 804fef4d 8050d398 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND:  kb
FOLLOWUP_IP:
fstab!DisableDriver+55 [c:\dev\disabledriver.c @ 193]
f9c8eb33 8903            mov     dword ptr [ebx],eax
SYMBOL_STACK_INDEX:  2
SYMBOL_NAME:  fstab!DisableDriver+55
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: fstab
IMAGE_NAME:  fstab.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  45f6627c
FAILURE_BUCKET_ID:  0xD1_W_fstab!DisableDriver+55
BUCKET_ID:  0xD1_W_fstab!DisableDriver+55
Followup: MachineOwner
---------
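As an added example (not the poster's code), a small Python triage helper that parses the BugCheck D1 arguments and the trap frame quoted in the dump above and decodes the x86 page-fault error code: ErrCode 3 is a kernel-mode write to a page that was present but not writable, i.e. a write-protection violation rather than the paged-out address the 0xD1 text describes, which is what one would expect if CR0.WP was still set on the processor that executed the write (CR0 is a per-processor register). The sample text is constructed from the dump in the post; the decoder itself is general for any 0xD1 dump, not only this one.

```python
import re

# Constructed sample: the BugCheck line, trap ErrCode and EFLAGS quoted from the dump in the post above.
SAMPLE_ANALYZE = """\
BugCheck D1, {f78de81a, ff, 1, f9c8eb33}
ErrCode = 00000003
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010082
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
EFLAGS_IF = 0x200  # interrupt-enable flag, bit 9 of EFLAGS

def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from a 'BugCheck XX, {a, b, c, d}' line."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no BugCheck line found")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def decode_pf_errcode(errcode):
    """Decode the x86 #PF error code: bit0 P (1 = protection violation), bit1 W/R, bit2 U/S."""
    return {"present": bool(errcode & 1), "write": bool(errcode & 2), "user": bool(errcode & 4)}

def triage(text):
    """Summarise a 0xD1 DRIVER_IRQL_NOT_LESS_OR_EQUAL dump: what was touched, how, and why it faulted."""
    code, args = parse_bugcheck(text)
    if code != 0xD1 or len(args) != 4:
        raise ValueError("expected a 0xD1 bugcheck with four arguments")
    address, irql, op, faulting_ip = args
    err = re.search(r"ErrCode\s*=\s*([0-9A-Fa-f]+)", text)
    efl = re.search(r"efl=([0-9A-Fa-f]+)", text)
    pf = decode_pf_errcode(int(err.group(1), 16) if err else 0)
    if not pf["present"]:
        cause = "page not present (paged out or unmapped)"   # the case the 0xD1 text describes
    elif pf["write"]:
        cause = "write to present, non-writable page"        # for a kernel-mode write this means CR0.WP was set
    else:
        cause = "protection violation on read"
    return {"address": address, "faulting_ip": faulting_ip,
            "irql": IRQL_NAMES.get(irql, hex(irql)),
            "operation": "write" if op == 1 else "read",
            "interrupts_disabled": bool(efl) and not int(efl.group(1), 16) & EFLAGS_IF,
            "cause": cause}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ANALYZE).items():
        print("%-20s %s" % (key, hex(value) if type(value) is int else value))
```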
#1
Posted on: 2007-03-13 21:50
Dual core... a moment of silence~
#2
Posted on: 2007-03-14 09:58
So it really is a dual-core problem; but how exactly should it be solved?
Brother vxk, give me some help!!!
#3
Posted on: 2007-03-16 14:01
Please help!!!
#4
Posted on: 2007-03-17 00:16
A blue screen caused by accessing paged memory while the IRQL is high.
#5
Posted on: 2007-03-17 09:39
Quoting #4, posted by packze on 2007-03-17 00:16, "":
Quite possibly~ hard to say though~ But cli/sti like that on a dual core is really scary~ After all, Microsoft recommends KeXXX for this~
#6
Posted on: 2007-03-17 16:03
What exactly does KeXXX refer to?
#7
Posted on: 2007-03-18 11:40
Quoting #0, posted by dahubaobao on 2007-03-13 17:22, "Problem with using a load-image notify routine to block driver loading!":
First: you seem to only use cli and never use sti to restore; can that really work? Second: you could try KeAcquireSpinLock and KeReleaseSpinLock, since we still don't know whether lpEntryPoint is a global or a local variable.
#8
Posted on: 2007-03-20 13:11
Whether or not the problem is solved, please let us know!
#9
Posted on: 2007-03-20 15:16
Just do it the honest way and use an MDL to modify the memory; it's safer~
#10
Posted on: 2007-03-21 17:14
Quoting #5, posted by killvxk on 2007-03-17 09:39, "":
Thanks V, and thanks to everyone who replied. I have switched to the MDL approach. But I would still like to know what the "KeXXX" you mentioned actually refers to?