【求助】调试狂人的代码出错,请高手看看。
错误提示(WinDbg `!analyze -v` 输出。关键信息:WRITE_ADDRESS 为 00000000,出错指令 `mov dword ptr [ecx],edx` 执行时 ecx=00000000,对应 comcap.c 第 179 行 `*next = topdev;`,也就是传给 ccpAttachDevice 的 next 参数是空指针):
=========================================================
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f7830601, The address that the exception occurred at
Arg3: f6fd0b84, Exception Record Address
Arg4: f6fd0880, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
comcap!ccpAttachDevice+111 [d:\driverfiles\comcap\comcap.c @ 179]
f7830601 8911 mov dword ptr [ecx],edx

EXCEPTION_RECORD: f6fd0b84 -- (.exr 0xfffffffff6fd0b84)
ExceptionAddress: f7830601 (comcap!ccpAttachDevice+0x00000111)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000

CONTEXT: f6fd0880 -- (.cxr 0xfffffffff6fd0880)
eax=821ee030 ebx=00000000 ecx=00000000 edx=821ee030 esi=e19813a6 edi=81f37ed0
eip=f7830601 esp=f6fd0c4c ebp=f6fd0c54 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
comcap!ccpAttachDevice+0x111:
f7830601 8911 mov dword ptr [ecx],edx ds:0023:00000000=????????
Resetting default scope

PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000000
WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
comcap!ccpAttachDevice+111 [d:\driverfiles\comcap\comcap.c @ 179]
f7830601 8911 mov dword ptr [ecx],edx

BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_DEREFERENCE
LAST_CONTROL_TRANSFER: from f783068b to f7830601

STACK_TEXT:
f6fd0c54 f783068b 81f37ed0 821ee030 f7832008 comcap!ccpAttachDevice+0x111 [d:\driverfiles\comcap\comcap.c @ 179]
f6fd0c78 f78306e2 81f37ed0 0000001b f6fd0d58 comcap!ccpAttachAllComs+0x5b [d:\driverfiles\comcap\comcap.c @ 203]
f6fd0c88 808e0097 81f37ed0 81c7c000 00000000 comcap!DriverEntry+0x42 [d:\driverfiles\comcap\comcap.c @ 227]
f6fd0d58 808e1a58 8000039c 00000001 00000000 nt!IopLoadDriver+0x689
f6fd0d80 8082050b 8000039c 00000000 81f4ecb0 nt!IopLoadUnloadDriver+0x45
f6fd0dac 80905b5b f6720cf4 00000000 00000000 nt!ExpWorkerThread+0xeb
f6fd0ddc 808286ad 8082044e 80000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FAULTING_SOURCE_CODE:
   175: status = STATUS_UNSUCCESSFUL;
   176: return status;
   177: }
   178:
>  179: *next = topdev;
   180:
   181: // 设置这个设备已经启动
   182: (*fltobj)->Flags = (*fltobj)->Flags & ~DO_DEVICE_INITIALIZING;
   183: return STATUS_SUCCESS;
   184:

SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: comcap!ccpAttachDevice+111
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: comcap
IMAGE_NAME: comcap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a1bb2dd
STACK_COMMAND: .cxr 0xfffffffff6fd0880 ; kb
FAILURE_BUCKET_ID: 0x7E_comcap!ccpAttachDevice+111
BUCKET_ID: 0x7E_comcap!ccpAttachDevice+111
Followup: MachineOwner
=========================================================

源码:
#include <wdm.h>
#include <ntddk.h>
#include <ntstrsafe.h>
// 计算机上最多只有32 个串口,这是笔者的假定
#define CCP_MAX_COM_ID 32
// 保存所有过滤设备指针
static PDEVICE_OBJECT s_fltobj[CCP_MAX_COM_ID] = {0};
// 保存所有真实设备指针
static PDEVICE_OBJECT
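s_nextobj[CCP_MAX_COM_ID] = {0};   /* completes "static PDEVICE_OBJECT" from the line above:
                                      slot i is the device IoCallDriver must target for \Device\Serial<i> */

/*
 * NOTE(review): the listing as posted had lost every "[i]" subscript
 * (s_fltobj == driver, driver->MajorFunction = ccpDispatch, ...) - most
 * likely the forum treated "[i]" as italic markup.  The subscripts are
 * restored below so the loops index the arrays as intended.
 *
 * The attached dump is an access violation writing to address 0 at
 * "*next = topdev;" (ccpAttachDevice, comcap.c line 179; ecx == 0 at the
 * faulting "mov [ecx],edx"), i.e. the "next" argument was NULL.  That is
 * exactly what
 *     ccpAttachDevice(driver, com_ob, &s_fltobj[i], s_nextobj[i]);
 * produces: the (still NULL) array element is passed by value instead of
 * by address.  ccpAttachAllComs now passes &s_nextobj[i], and
 * ccpAttachDevice validates its output pointers instead of dereferencing
 * them blindly.
 */

/* KeDelayExecutionThread takes a relative interval as a NEGATIVE count of 100 ns units. */
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
#define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)

/*
 * Dump the payload of an IRP_MJ_WRITE to the debugger, one byte per line.
 * Logging only - the IRP is never modified.  The buffer is located the way
 * the lower serial driver expects it (its DO_*_IO flags were copied onto
 * the filter device in ccpAttachDevice):
 *   - direct I/O   -> MdlAddress, mapped into system space
 *   - buffered I/O -> AssociatedIrp.SystemBuffer
 * A buffer that cannot be obtained safely is skipped.  The original code
 * also dereferenced irp->UserBuffer (METHOD_NEITHER): that is a raw
 * user-mode pointer, and touching it without ProbeForRead inside
 * __try/__except lets any caller that can open the port bugcheck the
 * machine, so that case is deliberately not logged here.
 */
static void ccpLogWriteData(PIRP irp, PIO_STACK_LOCATION irpsp)
{
    ULONG len = irpsp->Parameters.Write.Length;
    PUCHAR buf = NULL;
    ULONG j;

    if (len == 0)
        return;

    if (irp->MdlAddress != NULL) {
        /* May return NULL under memory pressure - checked below. */
        buf = (PUCHAR)MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
    } else {
        buf = (PUCHAR)irp->AssociatedIrp.SystemBuffer;
    }
    if (buf == NULL)
        return;

    for (j = 0; j < len; ++j) {
        DbgPrint("Comcap: Send Data:%2x\r\n", buf[j]);
    }
}

/*
 * Dispatch routine installed for every major function.
 * "driver" is really the filter DEVICE object the IRP was sent to (the
 * parameter name is kept from the original).  The IRP is passed through,
 * untouched, to the serial device recorded in the matching s_nextobj
 * slot; writes are additionally logged.  An IRP for a device that is not
 * one of ours is failed with STATUS_INVALID_PARAMETER - and that status is
 * now also the return value (it must agree with IoStatus.Status; the
 * original returned STATUS_SUCCESS after completing the IRP as failed).
 */
NTSTATUS ccpDispatch(PDEVICE_OBJECT driver, PIRP irp)
{
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(irp);
    ULONG i;

    for (i = 0; i < CCP_MAX_COM_ID; i++) {
        if (s_fltobj[i] != driver)
            continue;

        if (irpsp->MajorFunction == IRP_MJ_POWER) {
            /* Power IRPs have their own forwarding protocol. */
            PoStartNextPowerIrp(irp);
            IoSkipCurrentIrpStackLocation(irp);
            return PoCallDriver(s_nextobj[i], irp);
        }

        if (irpsp->MajorFunction == IRP_MJ_WRITE)
            ccpLogWriteData(irp, irpsp);

        /* Everything else goes straight down; no completion routine is needed. */
        IoSkipCurrentIrpStackLocation(irp);
        return IoCallDriver(s_nextobj[i], irp);
    }

    /* Not one of our filter devices. */
    irp->IoStatus.Information = 0;
    irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_INVALID_PARAMETER;
}

/*
 * DriverUnload: detach from every serial device, give IRPs already passed
 * down some time to drain, then delete the filter devices.
 * Takes the PDRIVER_OBJECT that PDRIVER_UNLOAD is declared with; the
 * original "void ccpUnload()" did not match that prototype.
 * s_nextobj[i] is intentionally NOT cleared after IoDetachDevice: handles
 * opened while we were attached still deliver IRPs to the filter device,
 * and ccpDispatch must still be able to forward them during the wait.
 * NOTE(review): the fixed delay is a heuristic, not a guarantee that no
 * IRP is still in flight.
 */
void ccpUnload(PDRIVER_OBJECT driver)
{
    ULONG i;
    LARGE_INTEGER interval;

    UNREFERENCED_PARAMETER(driver);

    for (i = 0; i < CCP_MAX_COM_ID; i++) {
        if (s_nextobj[i] != NULL)
            IoDetachDevice(s_nextobj[i]);
    }

    /* Wait 5 s (same value as the original 5*1000 ms). */
    interval.QuadPart = 5 * DELAY_ONE_SECOND;
    KeDelayExecutionThread(KernelMode, FALSE, &interval);

    for (i = 0; i < CCP_MAX_COM_ID; i++) {
        if (s_fltobj[i] != NULL) {
            IoDeleteDevice(s_fltobj[i]);
            s_fltobj[i] = NULL;
            s_nextobj[i] = NULL;
        }
    }
}

/*
 * Open \Device\Serial<id> and return its device object, or NULL on
 * failure; the NTSTATUS is stored through *status either way.
 * IoGetDeviceObjectPointer hands back the device via a referenced file
 * object; that reference is dropped right away, as in the original, so
 * the returned pointer is held WITHOUT a reference.  NOTE(review): fine
 * for legacy, non-removable serial ports; a removable (e.g. USB) serial
 * device could disappear underneath this filter.
 */
PDEVICE_OBJECT ccpOpenCom(ULONG id, NTSTATUS *status)
{
    UNICODE_STRING name_str;
    WCHAR name[32];                 /* local instead of "static": nothing needs it after the call */
    PFILE_OBJECT fileobj = NULL;
    PDEVICE_OBJECT devobj = NULL;

    RtlZeroMemory(name, sizeof(name));
    *status = RtlStringCchPrintfW(name, sizeof(name) / sizeof(name[0]),
                                  L"\\Device\\Serial%d", id);
    if (!NT_SUCCESS(*status))
        return NULL;
    RtlInitUnicodeString(&name_str, name);

    *status = IoGetDeviceObjectPointer(&name_str, FILE_ALL_ACCESS, &fileobj, &devobj);
    if (!NT_SUCCESS(*status))
        return NULL;

    /* Keep the device pointer, release the file object (see note above). */
    ObDereferenceObject(fileobj);
    return devobj;
}

/*
 * Create a filter device for the serial device "oldobj" and attach it to
 * the top of that device's stack.
 * On success *fltobj receives the new filter device and *next the device
 * that IoCallDriver/PoCallDriver must be given (whatever was on top of the
 * stack at attach time).  On failure *fltobj is NULL and *next is untouched.
 * Returns STATUS_INVALID_PARAMETER for NULL arguments - this is the check
 * the crash dump is about ("*next = topdev" with next == NULL).
 */
NTSTATUS ccpAttachDevice(PDRIVER_OBJECT driver, PDEVICE_OBJECT oldobj,
                         PDEVICE_OBJECT *fltobj, PDEVICE_OBJECT *next)
{
    NTSTATUS status;
    PDEVICE_OBJECT topdev = NULL;

    if (driver == NULL || oldobj == NULL || fltobj == NULL || next == NULL)
        return STATUS_INVALID_PARAMETER;

    status = IoCreateDevice(driver, 0, NULL, oldobj->DeviceType, 0, FALSE, fltobj);
    if (!NT_SUCCESS(status)) {
        *fltobj = NULL;
        return status;
    }

    /* Mirror the I/O-method flags so IRPs arrive with the buffer layout the
     * lower driver expects (the original tested DO_BUFFERED_IO twice);
     * a secure-open device stays secure-open. */
    if (oldobj->Flags & DO_BUFFERED_IO)
        (*fltobj)->Flags |= DO_BUFFERED_IO;
    if (oldobj->Flags & DO_DIRECT_IO)
        (*fltobj)->Flags |= DO_DIRECT_IO;
    if (oldobj->Characteristics & FILE_DEVICE_SECURE_OPEN)
        (*fltobj)->Characteristics |= FILE_DEVICE_SECURE_OPEN;
    (*fltobj)->Flags |= DO_POWER_PAGABLE;

    topdev = IoAttachDeviceToDeviceStack(*fltobj, oldobj);
    if (topdev == NULL) {
        IoDeleteDevice(*fltobj);
        *fltobj = NULL;
        return STATUS_UNSUCCESSFUL;
    }

    *next = topdev;
    /* Device is fully set up: allow I/O to reach it. */
    (*fltobj)->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}

/*
 * Try \Device\Serial0 .. Serial(CCP_MAX_COM_ID-1) and attach a filter
 * device to each one that exists.  Slot i of s_fltobj/s_nextobj belongs
 * to Serial<i>; slots of missing ports or failed attaches stay NULL.
 */
void ccpAttachAllComs(PDRIVER_OBJECT driver)
{
    ULONG i;
    PDEVICE_OBJECT com_ob;
    NTSTATUS status;

    for (i = 0; i < CCP_MAX_COM_ID; i++) {
        com_ob = ccpOpenCom(i, &status);
        if (com_ob == NULL)
            continue;           /* no such port (or open failed): leave the slot empty */

        /* Both outputs are passed by ADDRESS.  The crash came from handing
         * over s_nextobj[i] - a NULL value - instead of &s_nextobj[i]. */
        status = ccpAttachDevice(driver, com_ob, &s_fltobj[i], &s_nextobj[i]);
        if (!NT_SUCCESS(status))
            DbgPrint("Comcap: attach to Serial%d failed: %08x\r\n", i, status);
    }
}

/*
 * Driver entry point: route every major function to ccpDispatch, install
 * the unload routine and attach to all serial ports.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    unsigned int i;

    UNREFERENCED_PARAMETER(reg_path);

#if DBG
    _asm int 3
#endif

    /* MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries.  The original
     * "<" loop left the last one (IRP_MJ_PNP) on the kernel's default
     * handler, which fails such IRPs instead of passing them to the
     * serial driver. */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        driver->MajorFunction[i] = ccpDispatch;
    }

    driver->DriverUnload = ccpUnload;

    ccpAttachAllComs(driver);
    return STATUS_SUCCESS;
}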