nl4chen

Minifilter driver conflicts with the virtual CD-ROM driver d347bus.sys, asking the experts for advice!!

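Original post #
Posted: 2010-06-03 10:29
I wrote a simple minifilter driver for testing, but when running it in a virtual machine I found there is a 10% chance of a blue screen.
Analyzing the dump file showed that it was triggered by d347bus.sys, the driver of version 3.47 of the Daemon virtual CD-ROM software.
After uninstalling it, the blue screen no longer reproduced.

I searched online and found that d347bus.sys causes many blue-screen problems, but every proposed solution is to uninstall the virtual CD-ROM software.
What puzzles me is this: Daemon 3.47 is very widely used software, and the operation of mine that triggers the blue screen is just writing to the registry.
So do other programs not conflict with Daemon?

I am posting the detailed analysis of the dump file below and would appreciate some pointers from the experts.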

==================================================================
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: e1a2d000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 805466e9, address which referenced memory

Debugging Details:
------------------
BUGCHECK_STR:  0xC5_2

CURRENT_IRQL:  2

FAULTING_IP:
nt!ExAllocatePoolWithTag+869
805466e9 8906            mov     dword ptr [esi],eax

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME:  sdcsvc.exe

TRAP_FRAME:  f7181174 -- (.trap 0xfffffffff7181174)
ErrCode = 00000002
eax=0c2f0200 ebx=81bf3028 ecx=00000041 edx=81bf6020 esi=e1a2d000 edi=000001ff
eip=805466e9 esp=f71811e8 ebp=f718123c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!ExAllocatePoolWithTag+0x869:
805466e9 8906            mov     dword ptr [esi],eax  ds:0023:e1a2d000=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f8b9d to 80528bdc

STACK_TEXT:  
f7180d28 804f8b9d 00000003 f7181084 00000000 nt!RtlpBreakWithStatusInstruction
f7180d74 804f978a 00000003 e1a2d000 805466e9 nt!KiBugCheckDebugBreak+0x19
f7181154 80541683 0000000a e1a2d000 00000002 nt!KeBugCheck2+0x574
f7181154 805466e9 0000000a e1a2d000 00000002 nt!KiTrap0E+0x233
f718123c 805b6791 00000001 00000000 7153624f nt!ExAllocatePoolWithTag+0x869
f7181260 805b6b44 e1a19c90 f718128c f7181280 nt!ObpGetObjectSecurity+0x53
f7181290 806266e4 e1a19c90 81a1c1c0 00000001 nt!ObCheckObjectAccess+0x2c
f71812dc 80626f6e e10195a0 00000020 00000000 nt!CmpDoOpen+0x256
f71814d4 805b5cbc 00000020 00000000 81a1c1c0 nt!CmpParseKey+0x558
f718155c 805b2065 00000000 f718159c 00000040 nt!ObpLookupObjectName+0x56a
f71815b0 8061c807 00000000 81bb6980 81bb6900 nt!ObOpenObjectByName+0xeb
f7181684 f98587ac f7181748 80000000 f7181750 nt!NtOpenKey+0x1af
WARNING: Stack unwind information not available. Following frames may be wrong.
f71816b4 804ff6f5 badb0d00 f718172c 805b2b1f d347bus+0xd7ac                                  <== d347bus.sys is here
f7181724 f7138016 f7181748 80000000 f7181750 nt!ZwOpenKey+0x11
f718178c f71382ca 819f73d8 000babd5 8160f9f8 sdcfsflt!RegistyEx_IsKeyExist+0x96
f718181c f7137bec 8163dba8 000bab49 8160f9f8 sdcfsflt!RegistyEx_CreateKey+0x17a
......

STACK_COMMAND:  kb

FOLLOWUP_IP:
d347bus+d7ac
f98587ac 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  c

SYMBOL_NAME:  d347bus+d7ac

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: d347bus

IMAGE_NAME:  d347bus.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4128a01d

FAILURE_BUCKET_ID:  0xC5_2_d347bus+d7ac

BUCKET_ID:  0xC5_2_d347bus+d7ac

Followup: MachineOwner
nl4chen
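Reply #1
Posted: 2010-06-04 10:19
The problem is solved.
It was not a problem with the virtual CD-ROM driver d347bus.sys.
When saving the data from a list to the registry, I took a lock, which raised the IRQL,
and MSDN states that the ZwOpenKey function must run at PassiveLevel.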
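An added example, not part of the original thread and not the poster's driver code: a user-mode C model of the mistake described in the reply (registry I/O while a lock holds the IRQL at DISPATCH_LEVEL) next to the usual restructuring, which copies the list under the lock and writes it out after release. Every name here is hypothetical, and the lock is assumed to behave like a spin lock; the real calls (KeAcquireSpinLock, ZwOpenKey) are only modelled.

```c
/* User-mode model with constructed data; this is not WDK code. */
#include <stdio.h>
#include <string.h>

#define PASSIVE_LEVEL  0
#define DISPATCH_LEVEL 2
#define MAX_ITEMS      8

static int g_irql = PASSIVE_LEVEL;            /* models the current IRQL */
static int g_violations;                      /* registry calls made above PASSIVE_LEVEL */
static int g_written;                         /* values that reached the "registry" */
static int g_list[MAX_ITEMS] = {11, 22, 33};  /* shared list guarded by the lock */
static int g_count = 3;

/* Models KeAcquireSpinLock/KeReleaseSpinLock: holding the lock means DISPATCH_LEVEL. */
static int  lock_acquire(void)    { int old = g_irql; g_irql = DISPATCH_LEVEL; return old; }
static void lock_release(int old) { g_irql = old; }

/* Models a Zw* registry call, which is documented for PASSIVE_LEVEL only. */
static void registry_write(int value) {
    (void)value;
    if (g_irql != PASSIVE_LEVEL) g_violations++;
    else g_written++;
}

/* Pattern from the thread: registry I/O while the lock is held. */
int save_list_under_lock(void) {
    g_violations = g_written = 0;
    int old = lock_acquire();
    for (int i = 0; i < g_count; i++) registry_write(g_list[i]);
    lock_release(old);
    return g_violations;
}

/* Restructured: copy the list under the lock, write after the lock is released. */
int save_list_snapshot(void) {
    int snap[MAX_ITEMS];
    g_violations = g_written = 0;
    int old = lock_acquire();
    int n = g_count;
    memcpy(snap, g_list, (size_t)n * sizeof snap[0]);
    lock_release(old);
    for (int i = 0; i < n; i++) registry_write(snap[i]);
    return g_violations;
}

int written_count(void) { return g_written; }

int main(void) {
    printf("under lock: %d violations\n", save_list_under_lock());
    int v = save_list_snapshot();
    printf("snapshot:   %d violations, %d written\n", v, written_count());
    return 0;
}
```

In a real driver, Driver Verifier reports this class of mistake at the offending call instead of leaving it to surface later as pool corruption blamed on whichever module sits on the stack.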