EncFilter调试的问题

楼主^#

更多发布于：2011-03-03 10:45

在windbg与虚拟机双机调试时总是出现：
kd> g
SFilter!SfDriverReinitialization: SfLoadRules failed, Status=c0000034
SFilter!SfDriverReinitialization: SfLoadRules failed, Status=c0000034
SFilter!SfDriverReinitialization: SfLoadRules failed, Status=c0000034
SFilter!SfDriverReinitialization: SfLoadRules failed, Status=c0000034
SFilter!SfDriverReinitialization: SfLoadRules failed, Status=c0000034
SFilter!SfDriverReinitialization: SfLoadRules failed, Status=c0000034
SFilter!SfDriverReinitialization: SfLoadRules failed, Status=c0000034
SFilter!SfDriverReinitialization: SfLoadRules failed, Status=c0000034

SfDriverReinitialization的函数代码如下：
VOID
SfDriverReinitialization(
   IN PDRIVER_OBJECT DriverObject,
   IN PVOID Context,
   IN ULONG Count
   )
{
   NTSTATUS Status;

   UNREFERENCED_PARAMETER(Count);

   Status = SfLoadRules(&gRuleFileHandle);
   if (!NT_SUCCESS(Status))
   {
   KdPrint(("SFilter!SfDriverReinitialization: SfLoadRules failed, Status=%08x\n", Status));
   IoRegisterDriverReinitialization(DriverObject, SfDriverReinitialization, Context);
   }
}

SfLoadRules 的函数代码如下：

NTSTATUS
SfLoadRules(
   OUT PHANDLE FileHandle
   )
{
   UNICODE_STRING FileName;
   IO_STATUS_BLOCK IoStatus;
   FILE_STANDARD_INFORMATION StandardInfo;
   ULONG Length;
   OBJECT_ATTRIBUTES ObjectAttributes;
   NTSTATUS Status;
   PRULE Rule;

   RtlInitUnicodeString(&FileName, RULE_FILE_NAME);

   InitializeObjectAttributes(&ObjectAttributes,
   &FileName,
   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
   NULL,
   NULL
   );

   do
   {
   Status = ZwCreateFile(FileHandle,
   (SYNCHRONIZE | FILE_READ_DATA),
   &ObjectAttributes,
   &IoStatus,
   NULL,
   FILE_ATTRIBUTE_NORMAL,
   0,
   FILE_OPEN,
   FILE_SYNCHRONOUS_IO_NONALERT | FILE_NO_INTERMEDIATE_BUFFERING,
   NULL,
   0
   );
   if (!NT_SUCCESS(Status))
   {
   *FileHandle = NULL;
   break;
   }

   Status = ZwQueryInformationFile(*FileHandle,
   &IoStatus,
   &StandardInfo,
   sizeof(FILE_STANDARD_INFORMATION),
   FileStandardInformation
   );
   if (!NT_SUCCESS(Status))
   {
   ZwClose(*FileHandle);
   *FileHandle = NULL;
   break;
   }

   Length = StandardInfo.EndOfFile.LowPart;
   if (Length % sizeof(RULE) != 4)
   {
   Status = STATUS_INVALID_PARAMETER;
   ZwClose(*FileHandle);
   *FileHandle = NULL;
   break;
   }

   Rule = (PRULE) ExAllocatePoolWithTag(NonPagedPool, Length - 4 + sizeof(RULE), SFLT_POOL_TAG);
   if (!Rule)
   {
   Status = STATUS_INSUFFICIENT_RESOURCES;
   ZwClose(*FileHandle);
   *FileHandle = NULL;
   break;
   }

   Status = ZwReadFile(*FileHandle,
   NULL,
   NULL,
   NULL,
   &IoStatus,
   Rule,
   Length,
   NULL,
   NULL
   );
   if ((!NT_SUCCESS(Status)) || (IoStatus.Information != Length))
   {
   ExFreePoolWithTag(Rule, SFLT_POOL_TAG);
   Rule = NULL;
   ZwClose(*FileHandle);
   *FileHandle = NULL;
   break;
   }

   ZwClose(*FileHandle);
   *FileHandle = NULL;
   ((PRULE)((PUCHAR) Rule + Length - 4))->Policy = POLICY_END;

   ExAcquireResourceSharedLite(&gRulesResource, TRUE);
   if (gRules)
   ExFreePool(gRules);
   gRules = Rule;
   ExReleaseResourceLite(&gRulesResource);

   } while (FALSE);

   return Status;
}
输出的错误是SfDriverReinitialization函数里的语句，貌似SfLoadRules函数也没什么毛病。。
难道是我符号表的问题吗？但是windbg里Symbol path里的值为SRV*C:\Windows\Symbols*http://msdl.microsoft.com/download/symbols;E:\EncFilter\EncFilter\objchk_win7_x86\i386，也没有错误啊，很是迷惑，大家有解决的方法吗？

喜欢0

wwg266543 驱动小牛注册日期2007-07-03 最后登录2014-08-27 粉丝3 关注1 积分3分威望882点贡献值0点好评度9点原创分0分专家分54分加关注写私信	沙发^# 发布于：2011-03-03 17:13 看下你的规则文件，坛子里有篇专门产生规则文件的代码，可以参考下！
	回复(0) 喜欢(0)

mengyuxin520 论坛版主注册日期2010-11-01 最后登录2011-07-28 粉丝9 关注12 积分306分威望451点贡献值0点好评度0点原创分0分专家分0分加关注写私信	板凳^# 发布于：2011-03-04 09:27 回 1楼(wwg266543) 的帖子貌似我米有规则文件。。。知道是哪里错了，多谢！
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册

EncFilter调试的问题

最新喜欢：