|
阅读:874回复:2
请教一个dump的问题
调试filter.sys过程中,我的xp系统为什么有时侯在能出现dump,有时侯不会呢??
在蓝屏的时候总能出现dump吗???我想要我调试过程中所有的dump文件怎么设置???? |
|
|
沙发#
发布于:2007-07-11 15:33
如果bsod出现在Windows启动的boot start阶段,或者bsod的driver在系统分区所在的fsd/disk device stack中,Windows就不会写入dump file
|
|
|
|
板凳#
发布于:2007-07-11 19:22
看看这段创建irp,发送irp的代码,我只能跟踪到IoCallDriver调用开始出黑屏,但我怎么设置断点,或者dump错误??????
NTSTATUS SpyBuildMyRWIrp( IN PDEVICE_OBJECT olddev, IN PIRP oldirp ) { PIRP irp; PVOID Buffer = NULL; ULONG Length = MARKLEN; LARGE_INTEGER offset; CHAR RWFlag = 1; MY_READ_CONTEXT my_context; NTSTATUS Status = STATUS_SUCCESS; PFILE_OBJECT pFileObject; PIO_STACK_LOCATION irpsp; pFileObject = IoGetCurrentIrpStackLocation(oldirp)->FileObject; Buffer = ExAllocatePoolWithTag(NonPagedPool, 4096, FILESPY_POOL_TAG); if(Buffer == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } //RtlCopyMemory( Buffer, MARKSTRING, MARKLEN); offset.QuadPart = 0; if(RWFlag) irp = IoBuildAsynchronousFsdRequest(IRP_MJ_READ,olddev,Buffer,Length,&offset,NULL); else irp = IoBuildAsynchronousFsdRequest(IRP_MJ_WRITE,olddev,Buffer,Length,&offset,NULL); if(irp == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } irp->Flags = IRP_NOCACHE | IRP_READ_OPERATION; irp->Tail.Overlay.Thread = oldirp->Tail.Overlay.Thread; irp->Tail.Overlay.OriginalFileObject = pFileObject; irp->RequestorMode = KernelMode; irp->Flags = 0x43; // irpsp = IoGetNextIrpStackLocation(irp); irpsp->FileObject = pFileObject;// We need a FileObject to identify the file we are reading irpsp->FileObject->CurrentByteOffset = offset; irpsp->DeviceObject = olddev; KeInitializeEvent(&my_context.event,NotificationEvent,FALSE); IoSetCompletionRoutine(irp,MyIrpComplete,&my_context,TRUE,TRUE,TRUE); //Buffer是缓冲。在Irp中被用做UserBuffer接收数据。offset是 这次读的偏移量。以上代码构造一个读irp.请注意,此时您还没有设置FileObject.实际上我是这样发出请求的: WITDoItInThread(pmythread, "11111111111111111111111111111", do_something); // 关键: FileObject是否只需要设置此元素???如果我的加密标识放在文件尾部,我怎么得倒尾部的offset呢??? Status = IoCallDriver(olddev,irp); WITDoItInThread(pmythread, "xxxxxxxxxxxxxxxxxxxxx", do_something); //irp = NULL; return STATUS_SUCCESS; if(Status == STATUS_PENDING) { WITDoItInThread(pmythread, "aaaaaaaaaaaaaaaaaaaaaa", do_something); KeWaitForSingleObject(&my_context.event,Executive,KernelMode,FALSE,NULL); WITDoItInThread(pmythread, "bbbbbbbbbbbbbbbbbbbbbbbbb", do_something); } { ANSI_STRING tempstr; RtlInitAnsiString( &tempstr, "waintech20070708" ); //WITDoItInThread(pmythread, "ccccccccccccccccccccccccccccc", do_something); WITDoItInThread(pmythread, Buffer, do_something); if(!RtlCompareMemory(MARKSTRING , &tempstr, MARKLEN)) { //KdPrint(("spy! SpyBuildMyRWIrp jjjjjjjjjjjjjjjjjjjjjjjjj: %s", Buffer)); WITDoItInThread(pmythread, Buffer, do_something); } } //IoCompleteRequest( irp, IO_NO_INCREMENT ); ExFreePoolWithTag(Buffer, FILESPY_POOL_TAG); return STATUS_SUCCESS; } // 再看看MyIrpComplete如何收场: // 一个通用的irp完成函数: static NTSTATUS MyIrpComplete ( PDEVICE_OBJECT dev, PIRP irp, PVOID context) { PFILESPY_DEVICE_EXTENSION DevExt = (PFILESPY_DEVICE_EXTENSION) dev->DeviceExtension; PMY_READ_CONTEXT my_context = (PMY_READ_CONTEXT)context; KeSetEvent(&my_context->event,IO_NO_INCREMENT,FALSE); my_context->Information = irp->IoStatus.Information; my_context->Status = irp->IoStatus.Status; // 释放irp,过程非常复杂 WITDoItInThread(pmythread, "eeeeeeeeeeeeeeeeeee", do_something); // if (irp->MdlAddress) // { // MmUnmapLockedPages( // MmGetSystemAddressForMdl(irp->MdlAddress), // irp->MdlAddress); // MmUnlockPages(irp->MdlAddress); // IoFreeMdl(irp->MdlAddress); // } // WITDoItInThread(pmythread, "fffffffffffffffffff", do_something); // IoFreeIrp(irp); WITDoItInThread(pmythread, "ggggggggggggggggggg", do_something); // 返回处理未结束.??? return STATUS_MORE_PROCESSING_REQUIRED; } |
|