急！！！请教一个关于IRQL级别的问题

楼主^#

更多发布于：2007-08-22 15:32

我在passthru中写了以下的比对URL的函数，可能里边用的有些函数级别不对，经常就会蓝屏，下边是代码和windbg分析的dump文件信息，请大家看看，指正以下问题处在什么地方

BOOLEAN URLAim(CHAR URLBuffer[256], PUCHAR pHttpURL)
{
   CHAR HostChar[256] = {0};
   UINT URLLength = 0;
   UINT HostLength = 0;
   //查找URL长度
   while(pHttpURL[URLLength] != 0x20)
   {
   URLLength++;
   }
   while(URLBuffer[HostLength] != 0x2f && HostLength<strlen(URLBuffer))
   {
   HostLength++;
   }


   RtlZeroMemory(HostChar,256);
   URLLength = (URLLength < 256)?URLLength:256;
   memcpy(HostChar,pHttpURL,URLLength);

   if((strlen(URLBuffer) - HostLength) == 1)
   {
   if(URLLength != 1)
   {
   return FALSE;
   }
   }

   if(!memcmp((URLBuffer + HostLength),pHttpURL,strlen(URLBuffer) - HostLength))
   {
   RtlZeroMemory(HostChar,256);
   memcpy(HostChar,URLBuffer,HostLength);

   if(strstr((pHttpURL + URLLength),HostChar))
   {
   return TRUE;
   }
   }
   else if(strstr(HostChar,(URLBuffer + HostLength + 1)))
   {
   RtlZeroMemory(HostChar,256);
   HostChar[0] = 0x48;
   HostChar[1] = 0x6f;
   HostChar[2] = 0x73;
   HostChar[3] = 0x74;
   HostChar[4] = 0x3a;
   HostChar[5] = 0x20;
   memcpy(HostChar+6,URLBuffer,HostLength);
   if(strstr((pHttpURL + URLLength),HostChar))
   {
   return TRUE;
   }
   }
   return FALSE;
}

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
windbg分析dump文件和disassembly前后3屏的信息

Use !analyze -v to get detailed debugging information.

BugCheck D1, {26, 2, 1, eb4a2210}

*** WARNING: Unable to verify timestamp for Unknown_Module_eb4a0000
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_eb4a0000
Probably caused by : Unknown_Image ( Unknown_Module_eb4a0000+2210 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000026, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: eb4a2210, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS: 00000026

CURRENT_IRQL: 2

FAULTING_IP:
Unknown_Module_eb4a0000+2210
eb4a2210 0000 add [eax],al

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from 00000000 to 8046b12c

STACK_TEXT:
80475b80 00000000 00000000 00000000 00000000 nt!RtlFillMemory+0x2c

FOLLOWUP_IP:
Unknown_Module_eb4a0000+2210
eb4a2210 0000 add [eax],al

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Unknown_Module_eb4a0000+2210

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: kb

BUCKET_ID: 0xD1_W_Unknown_Module_eb4a0000+2210

Followup: MachineOwner
---------

8046b0aa 742c jz nt!RtlCompareMemoryUlong+0x8 (8046b0d8)
8046b0ac 3d01000080 cmp eax,0x80000001
8046b0b1 7425 jz nt!RtlCompareMemoryUlong+0x8 (8046b0d8)
8046b0b3 3dfd0000c0 cmp eax,0xc00000fd
8046b0b8 741e jz nt!RtlCompareMemoryUlong+0x8 (8046b0d8)
8046b0ba 3d060000d0 cmp eax,0xd0000006
8046b0bf 7448 jz nt!RtlFillMemory+0x9 (8046b109)
8046b0c1 8bd1 mov edx,ecx
8046b0c3 8bde mov ebx,esi
8046b0c5 8bf7 mov esi,edi
8046b0c7 b903000000 mov ecx,0x3
8046b0cc 8bf8 mov edi,eax
8046b0ce b8060000c0 mov eax,0xc0000006
8046b0d3 e800ddffff call nt!KiTrap0D+0x24c (80468dd8)
8046b0d8 8bde mov ebx,esi
8046b0da 8bd1 mov edx,ecx
8046b0dc 8bf7 mov esi,edi
8046b0de e9e9dcffff jmp nt!KiTrap0D+0x240 (80468dcc)
8046b0e3 b9e4714680 mov ecx,0x804671e4
8046b0e8 894d68 mov [ebp+0x68],ecx
8046b0eb 8be5 mov esp,ebp
8046b0ed f705b0c7478001000000 test dword ptr [nt!KdpSearchPageHitOffsets+0x18d0 (8047c7b0)],0x1
8046b0f7 0f84d3d8ffff je nt!KiTrap0C+0x50 (804689d0)
8046b0fd e896fefbff call nt!KeBugCheckEx+0x326 (8042af98)
8046b102 8be5 mov esp,ebp
8046b104 e9c7d8ffff jmp nt!KiTrap0C+0x50 (804689d0)
8046b109 ff153c064080 call dword ptr [nt!_imp__KeFlushWriteBuffer (8040063c)]
8046b10f f0ff05400c4780 lock inc dword ptr [nt!P0BootThread+0x640 (80470c40)]
8046b116 8b4d64 mov ecx,[ebp+0x64]
8046b119 83e102 and ecx,0x2
8046b11c d1e9 shr ecx,1
8046b11e 8b7568 mov esi,[ebp+0x68]
8046b121 56 push esi
8046b122 51 push ecx
8046b123 50 push eax
8046b124 57 push edi
8046b125 6a0a push 0xa
8046b127 e8c010fcff call nt!KeWaitForSingleObject+0x6e (8042c1ec)

8046b0e8 894d68 mov [ebp+0x68],ecx
8046b0eb 8be5 mov esp,ebp
8046b0ed f705b0c7478001000000 test dword ptr [nt!KdpSearchPageHitOffsets+0x18d0 (8047c7b0)],0x1
8046b0f7 0f84d3d8ffff je nt!KiTrap0C+0x50 (804689d0)
8046b0fd e896fefbff call nt!KeBugCheckEx+0x326 (8042af98)
8046b102 8be5 mov esp,ebp
8046b104 e9c7d8ffff jmp nt!KiTrap0C+0x50 (804689d0)
8046b109 ff153c064080 call dword ptr [nt!_imp__KeFlushWriteBuffer (8040063c)]
8046b10f f0ff05400c4780 lock inc dword ptr [nt!P0BootThread+0x640 (80470c40)]
8046b116 8b4d64 mov ecx,[ebp+0x64]
8046b119 83e102 and ecx,0x2
8046b11c d1e9 shr ecx,1
8046b11e 8b7568 mov esi,[ebp+0x68]
8046b121 56 push esi
8046b122 51 push ecx
8046b123 50 push eax
8046b124 57 push edi
8046b125 6a0a push 0xa
8046b127 e8c010fcff call nt!KeWaitForSingleObject+0x6e (8042c1ec)
8046b12c f7457000000200 test dword ptr [ebp+0x70],0x20000 ss:0010:80475bf0=00010246
8046b133 740d jz nt!RtlFillMemoryUlonglong+0x2 (8046b142)
8046b135 833d4882478000 cmp dword ptr [nt!ExpSmallPagedPoolLookasideLists+0x248 (80478248)],0x0
8046b13c 0f857cfeffff jne nt!KiComputeTimerTableIndex+0x4a (8046afbe)
8046b142 833d344f488000 cmp dword ptr [nt!MmPagingFile+0x34 (80484f34)],0x0
8046b149 0f856ffeffff jne nt!KiComputeTimerTableIndex+0x4a (8046afbe)
8046b14f 833dc055488000 cmp dword ptr [nt!PopSIdle+0x20 (804855c0)],0x0
8046b156 0f8562feffff jne nt!KiComputeTimerTableIndex+0x4a (8046afbe)
8046b15c b8ff000000 mov eax,0xff
8046b161 ebac jmp nt!RtlFillMemory+0xf (8046b10f)
8046b163 64a154000000 mov eax,fs:[00000054]
8046b169 64c7055400000000000000 mov dword ptr fs:[00000054],0x0
8046b174 894568 mov [ebp+0x68],eax
8046b177 8be5 mov esp,ebp
8046b179 e952d8ffff jmp nt!KiTrap0C+0x50 (804689d0)
8046b17e 8bff mov edi,edi
8046b180 f7457000000200 test dword ptr [ebp+0x70],0x20000
8046b187 750d jnz nt!RtlZeroMemory+0x6 (8046b196)
8046b189 f7456c01000000 test dword ptr [ebp+0x6c],0x1

8046b0e8 894d68 mov [ebp+0x68],ecx
8046b0eb 8be5 mov esp,ebp
8046b0ed f705b0c7478001000000 test dword ptr [nt!KdpSearchPageHitOffsets+0x18d0 (8047c7b0)],0x1
8046b0f7 0f84d3d8ffff je nt!KiTrap0C+0x50 (804689d0)
8046b0fd e896fefbff call nt!KeBugCheckEx+0x326 (8042af98)
8046b102 8be5 mov esp,ebp
8046b104 e9c7d8ffff jmp nt!KiTrap0C+0x50 (804689d0)
8046b109 ff153c064080 call dword ptr [nt!_imp__KeFlushWriteBuffer (8040063c)]
8046b10f f0ff05400c4780 lock inc dword ptr [nt!P0BootThread+0x640 (80470c40)]
8046b116 8b4d64 mov ecx,[ebp+0x64]
8046b119 83e102 and ecx,0x2
8046b11c d1e9 shr ecx,1
8046b11e 8b7568 mov esi,[ebp+0x68]
8046b121 56 push esi
8046b122 51 push ecx
8046b123 50 push eax
8046b124 57 push edi
8046b125 6a0a push 0xa
8046b127 e8c010fcff call nt!KeWaitForSingleObject+0x6e (8042c1ec)
8046b12c f7457000000200 test dword ptr [ebp+0x70],0x20000 ss:0010:80475bf0=00010246
8046b133 740d jz nt!RtlFillMemoryUlonglong+0x2 (8046b142)
8046b135 833d4882478000 cmp dword ptr [nt!ExpSmallPagedPoolLookasideLists+0x248 (80478248)],0x0
8046b13c 0f857cfeffff jne nt!KiComputeTimerTableIndex+0x4a (8046afbe)
8046b142 833d344f488000 cmp dword ptr [nt!MmPagingFile+0x34 (80484f34)],0x0
8046b149 0f856ffeffff jne nt!KiComputeTimerTableIndex+0x4a (8046afbe)
8046b14f 833dc055488000 cmp dword ptr [nt!PopSIdle+0x20 (804855c0)],0x0
8046b156 0f8562feffff jne nt!KiComputeTimerTableIndex+0x4a (8046afbe)
8046b15c b8ff000000 mov eax,0xff
8046b161 ebac jmp nt!RtlFillMemory+0xf (8046b10f)
8046b163 64a154000000 mov eax,fs:[00000054]
8046b169 64c7055400000000000000 mov dword ptr fs:[00000054],0x0
8046b174 894568 mov [ebp+0x68],eax
8046b177 8be5 mov esp,ebp
8046b179 e952d8ffff jmp nt!KiTrap0C+0x50 (804689d0)
8046b17e 8bff mov edi,edi
8046b180 f7457000000200 test dword ptr [ebp+0x70],0x20000
8046b187 750d jnz nt!RtlZeroMemory+0x6 (8046b196)
8046b189 f7456c01000000 test dword ptr [ebp+0x6c],0x1

喜欢0

ProPlayboy

驱动大牛

注册日期2005-07-07
最后登录2022-02-15
粉丝0
关注0
积分1016分
威望811点
贡献值0点
好评度719点
原创分0分
专家分0分

加关注写私信

沙发^#

发布于：2007-08-23 15:28

越界操作或者操作空指针。。

人不靓仔心灵美，版头不正红花仔！

回复喜欢

ProPlayboy

驱动大牛

注册日期2005-07-07
最后登录2022-02-15
粉丝0
关注0
积分1016分
威望811点
贡献值0点
好评度719点
原创分0分
专家分0分

加关注写私信

板凳^#

发布于：2007-08-23 15:29

你的写法很有问题

人不靓仔心灵美，版头不正红花仔！

回复喜欢

wink624 驱动牛犊注册日期2005-12-06 最后登录2016-01-09 粉丝0 关注0 积分364分威望59点贡献值0点好评度41点原创分0分专家分0分加关注写私信	地板^# 发布于：2007-08-26 10:00 楼上能不能讲详细点，应该怎么改，我也没有过经验，只是看了一些例子，这样写的，望不吝指教
	回复(0) 喜欢(0)

throb 驱动牛犊注册日期2005-02-23 最后登录2022-03-04 粉丝0 关注0 积分5分威望86点贡献值0点好评度36点原创分0分专家分0分加关注写私信	地下室^# 发布于：2007-08-26 10:26 自己在windbg 的符号路径中加上自己程序的符号路径，然后dump ，就能看见在那里了
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册

急！！！请教一个关于IRQL级别的问题

最新喜欢：