liwashington
Views: 4219  Replies: 10

UNEXPECTED_KERNEL_MODE_TRAP problem

Original post #
Posted: 2004-12-01 14:57
I want to encrypt a file in the kernel when an application closes it, so I hooked the native API function ZwClose. The workflow is:
When the application calls CloseHandle to close the file, control goes to my function. I first close the file, then call ZwCreateFile (which is also hooked) to open the file and decide whether it needs to be encrypted, then close it. If it needs encrypting, I call the encryption function, which creates a new file, opens the user's file again, reads from one and writes to the other to produce the encrypted file, and then replaces the original file.

The problem now is that as soon as the encryption function calls ZwCreateFile or ZwOpenFile, the machine blue-screens with an UNEXPECTED_KERNEL_MODE_TRAP error. I also tried doing it via PsCreateSystemThread, and it still fails at the same place. I'd like to ask the experts why this happens and how to fix it.

ZwCreateFile or ZwOpenFile is also used when deciding whether the file needs encryption, and I can confirm that part succeeds.
Many thanks!!!
I just want a good wife and a few good meals every day...
wowocock
Reply #1
Posted: 2004-12-01 17:13
Bug Check 0x7F: UNEXPECTED_KERNEL_MODE_TRAP
The UNEXPECTED_KERNEL_MODE_TRAP bug check has a value of 0x0000007F. This indicates that a trap was generated by the Intel CPU and the kernel failed to catch this trap.

This could be either a bound trap (a trap the kernel is not permitted to catch) or a double fault (a fault that occurred while processing an earlier fault, which always results in a system crash).

Parameters
The first parameter displayed on the blue screen specifies the trap number.

Here are some of the most common trap codes:

0x00000000, or Divide by Zero Error, is caused when a DIV instruction is executed and the divisor is zero. Memory corruption, other hardware problems, or software failures can cause this error.
0x00000004, or Overflow, occurs when the processor executes a call to an interrupt handler when the overflow (OF) flag is set.
0x00000005, or Bounds Check Fault, is generated when the processor, while executing a BOUND instruction, finds the operand exceeds the specified limits. A BOUND instruction is used to ensure that a signed array index is within a certain range.
0x00000006, or Invalid Opcode, is generated when the processor attempts to execute an invalid instruction. This is generally caused when the instruction pointer has become corrupted and is pointing to the wrong location. The most common cause of this is hardware memory corruption.
0x00000008, or Double Fault, is when an exception occurs while trying to call the handler for a prior exception. Normally, the two exceptions can be handled serially. However, there are several exceptions that cannot be handled serially, and in this situation the processor signals a double fault. There are two common causes of a double fault:
A kernel stack overflow. This occurs when a guard page is hit, and then the kernel tries to push a trap frame. Since there is no stack left, a stack overflow results, causing the double fault. If you suspect this has occurred, use the !thread debugger extension to determine the stack limits, and then use the KB (Display Stack Backtrace) debugger command with a large parameter (for example, kb 100) to display the full stack.
A hardware problem.
The less-common trap codes include:

0x00000001 ― A system-debugger call
0x00000003 ― A debugger breakpoint
0x00000007 ― A hardware coprocessor instruction with no coprocessor present
0x0000000A ― A corrupted Task State Segment
0x0000000B ― An access to a memory segment that was not present
0x0000000C ― An access to memory beyond the limits of a stack
0x0000000D ― An exception not covered by some other exception; a protection fault that pertains to access violations for applications
For other trap numbers, consult an Intel architecture manual.

Cause
Bug check 0x7F usually occurs after the installation of faulty or mismatched hardware (especially memory) or in the event that installed hardware fails.

A double fault can occur when the kernel stack overflows. This can happen if multiple drivers are attached to the same stack. For example, two file system filter drivers can be attached to the same stack and then the file system can recurse back in, overflowing the stack.

Resolving the Problem
Debugging: Always begin with the !analyze debugger extension.

If this is not sufficient, use the KV (Display Stack Backtrace) debugger command.

If KV shows a taskGate, then use the .tss (Display Task State Segment) command on the part before the colon.
If KV shows a trap frame, then use the .trap (Display Trap Frame) command to format the frame.
Otherwise, use the .trap (Display Trap Frame) command on the appropriate frame. (On x86 platforms, this frame is associated with the procedure NT!KiTrap.)
After this, use KV again to display the new stack.

Troubleshooting: If hardware was recently added to the system, remove it to see if the error recurs. If existing hardware has failed, remove or replace the faulty component. Run hardware diagnostics supplied by the system manufacturer, to determine which hardware component has failed. The memory scanner is especially important; faulty or mismatched memory can cause this bug check. For details on these procedures, see the owner’s manual for your computer. Check that all adapter cards in the computer are properly seated. Use an ink eraser or an electrical contact treatment, available at electronics supply stores, to ensure adapter card contacts are clean.

If the error appears on a newly installed system, check the availability of updates for the BIOS, the SCSI controller or network cards. Updates of this kind are typically available on the Web site or BBS of the hardware manufacturer.

Confirm that all hard disks, hard disk controllers, and SCSI adapters are listed on the Microsoft Windows Hardware Compatibility List (HCL).

If the error occurred after the installation of a new or updated device driver, the driver should be removed or replaced. If, under this circumstance, the error occurs during the startup sequence and the system partition is formatted with NTFS, you might be able to use Safe Mode to rename or delete the faulty driver. If the driver is used as part of the system startup process in Safe Mode, you need to start the computer using the Recovery Console in order to access the file. Also try restarting your computer, and press F8 at the character-based menu that displays the operating system choices. At the resulting Windows Advanced Options menu, choose the Last Known Good Configuration option. This option is most effective when only one driver or service is added at a time.

Overclocking (setting the CPU to run at speeds above the rated specification) can cause this error. If this has been done to the computer experiencing the error, return the CPU to the default clock speed setting.

Check the System Log in Event Viewer for additional error messages that might help pinpoint the device or driver that is causing the error. Disabling memory caching of the BIOS might also resolve it.

If you encountered this error while upgrading to a new version of Windows, it might be caused by a device driver, a system service, a virus scanner, or a backup tool that is incompatible with the new version. If possible, remove all third-party device drivers and system services and disable any virus scanners prior to upgrading. Contact the software manufacturer to obtain updates of these tools. Also make sure that you have installed the latest Windows Service Pack.

Finally, if all the above steps fail to resolve the error, take the system motherboard to a repair facility for diagnostic testing. A crack, a scratched trace, or a defective component on the motherboard can also cause this error.

Flowers bloom, and then they wither; stars are brilliant, but their light too will vanish. In such a moment, people are born, laughing, crying, fighting, hurting, rejoicing, grieving, hating, loving. It is all but a fleeting encounter, and in the end everything returns to the eternal sleep of death.
xiaorain
Reply #2
Posted: 2004-12-01 18:33
It's covered in the DDK; just search for it.
liwashington
Reply #3
Posted: 2004-12-02 09:24
First, thanks to both of you for the pointers, especially wowocock, who really did help me solve the problem. But I searched the DDK and couldn't find what the poster above mentioned, and the material wowocock provided doesn't look to me like it comes from the DDK either (I doubt the DDK is that detailed), so I'd like to make a request to wowocock that may be a bit much (if you think it's too much, just forget it):
Could you send me a copy of the e-book that the material above comes from? If that's not convenient, just the title would be fine. You help us solve problems, but what matters more is that we learn the method for solving them so that we can solve more problems ourselves, right?
My email: lijl@30san.com

Thanks again!!!

[Edited - 12/2/04 by liwashington]
liwashington
Reply #4
Posted: 2004-12-02 09:28
Also, it's a pleasure to be able to give the points away. Good luck to everyone!
root60931
Reply #5
Posted: 2004-12-02 10:54
[quote]I want to encrypt a file in the kernel when an application closes it, so I hooked the native API function ZwClose. The workflow is:
When the application calls CloseHandle to close the file, control goes to my function. I first close the file, then call ZwCreateFile (which is also hooked) to open the file and decide whether it needs to be encrypted, then close it. If it needs encrypting, I call the encryption function, which creates a new file, opens the user's file again, reads from one and writes to the other to produce the encrypted file, and then replaces the original file.

The problem now is that as soon as the encryption function calls ZwCreateFile or ZwOpenFile, the machine blue-screens with an UNEXPECTED_KERNEL_MODE_TRAP error. I also tried doing it via PsCreateSystemThread, and it still fails at the same place. I'd like to ask the experts why this happens and how to fix it.

ZwCreateFile or ZwOpenFile is also used when deciding whether the file needs encryption, and I can confirm that part succeeds.
Many thanks!!![/quote]

Because you hooked ZwCreateFile and then call ZwCreateFile again, it may cause a recursive call, leading to a kernel stack overflow.
Study hard and improve every day! root60931@gmail.com
wowocock
Reply #6
Posted: 2004-12-02 11:39
[quote]It's covered in the DDK; just search for it.[/quote]

What I quoted is exactly the explanation in the DDK.
wowocock
Reply #7
Posted: 2004-12-02 11:41
[quote]I want to encrypt a file in the kernel when an application closes it, so I hooked the native API function ZwClose. The workflow is:
When the application calls CloseHandle to close the file, control goes to my function. I first close the file, then call ZwCreateFile (which is also hooked) to open the file and decide whether it needs to be encrypted, then close it. If it needs encrypting, I call the encryption function, which creates a new file, opens the user's file again, reads from one and writes to the other to produce the encrypted file, and then replaces the original file.

The problem now is that as soon as the encryption function calls ZwCreateFile or ZwOpenFile, the machine blue-screens with an UNEXPECTED_KERNEL_MODE_TRAP error. I also tried doing it via PsCreateSystemThread, and it still fails at the same place. I'd like to ask the experts why this happens and how to fix it.

ZwCreateFile or ZwOpenFile is also used when deciding whether the file needs encryption, and I can confirm that part succeeds.
Many thanks!!!

Because you hooked ZwCreateFile and then call ZwCreateFile again, it may cause a recursive call, leading to a kernel stack overflow. [/quote]
Possibly. When you call it again, you should first remove the HOOK, and restore the HOOK after the call completes.
liwashington
Reply #8
Posted: 2004-12-02 12:43
I had already considered the double-HOOK problem and solved it earlier. This time it was because I'm used to user-mode programming and defined a character array that was a bit large, which probably caused the overflow. After I changed it, everything was OK. Sorry, I've only been writing drivers for a short while, so please excuse me!

Also, which file in the DDK is that in? I couldn't find it.
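The two failure modes this thread arrives at, root60931's point that a hook which calls the hooked ZwCreateFile again recurses until the kernel stack is exhausted (with wowocock's unhook-then-rehook workaround), and liwashington's oversized local array, can be modelled in user mode. The following is an added example, not code from this thread or from the DDK; the service-table slot, the nesting cap and the 12 KiB stack figure are assumptions of the model, and names ending in _model are invented. The fixed hook calls the original pointer it saved at install time instead of temporarily removing the hook, which avoids the window in which other threads would run unhooked.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed user-mode model of the two failure modes discussed in this
 * thread; nothing here is DDK code. Names ending in _model are assumptions. */

typedef int (*create_file_fn)(const char *path, int depth);

/* Stand-in for the real ZwCreateFile: just counts how often it is reached. */
static int calls_to_original;
static int original_create_file_model(const char *path, int depth)
{
    (void)path; (void)depth;
    calls_to_original++;
    return 0;                       /* STATUS_SUCCESS analogue */
}

/* The "service table" slot. Once hooked, any call resolved through the
 * table, including one made from inside the hook, lands on the hook. */
static create_file_fn table_create_file = original_create_file_model;

/* Original pointer saved when the hook was installed. */
static create_file_fn saved_original = original_create_file_model;

/* Nesting cap standing in for the kernel stack running out; the real
 * system gets no return value, it double-faults (bug check 0x7F). */
#define MAX_NESTING 64
static int deepest_nesting;

static void note_nesting(int level)
{
    if (level > deepest_nesting)
        deepest_nesting = level;
}

/* Buggy hook: to decide whether the file needs encrypting it opens the file
 * again through the table, i.e. through itself. */
static int hook_recursive(const char *path, int depth)
{
    int level = depth + 1;
    note_nesting(level);
    if (level >= MAX_NESTING)
        return -1;                  /* where the real machine would crash */
    return table_create_file(path, level);
}

/* Fixed hook: its own nested open goes to the saved original pointer, so the
 * hook is never re-entered and no unhook/rehook window is needed. */
static int hook_fixed(const char *path, int depth)
{
    int level = depth + 1;
    note_nesting(level);
    return saved_original(path, level);
}

/* Installs a hook, performs one "user-mode" open through the table, removes
 * the hook again, and reports the deepest hook nesting reached. */
static int run_scenario(create_file_fn hook)
{
    deepest_nesting = 0;
    calls_to_original = 0;
    saved_original = original_create_file_model;
    table_create_file = hook;
    table_create_file("\\??\\C:\\constructed\\data.txt", 0);   /* constructed path */
    table_create_file = original_create_file_model;
    return deepest_nesting;
}

/* Second failure mode: a large local array. Kernel-mode stacks are small
 * (assumed 12 KiB here, the 32-bit Windows figure), so one frame should stay
 * well inside a budget; anything bigger belongs in pool memory, not on the stack. */
#define KERNEL_STACK_BYTES_MODEL (12 * 1024)
#define FRAME_BUDGET_BYTES       (KERNEL_STACK_BYTES_MODEL / 8)

static int frame_fits_budget(size_t local_bytes)
{
    return local_bytes <= FRAME_BUDGET_BYTES;
}

int main(void)
{
    printf("recursive hook: nesting reached %d of %d before bail-out\n",
           run_scenario(hook_recursive), MAX_NESTING);
    printf("fixed hook: nesting %d, original reached %d time(s)\n",
           run_scenario(hook_fixed), calls_to_original);
    printf("char buf[256]  fits frame budget: %d\n", frame_fits_budget(256));
    printf("char buf[8192] fits frame budget: %d\n", frame_fits_budget(8192));
    return 0;
}
```

Compile with any C compiler and run: the recursive variant stops at the nesting cap where the real machine would have double-faulted, and the fixed variant reaches the original exactly once. The budget check is the question to ask before declaring a large char array inside a kernel-mode function; if it does not fit, allocate the buffer from pool instead.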
arthurtu
Reply #9
Posted: 2004-12-02 13:29
Generally speaking, when you hit UNEXPECTED_KERNEL_MODE_TRAP, the first thing to suspect is a kernel stack overflow.

The Reference section of the Debugger Documents in the 2K DDK
liwashington
Reply #10
Posted: 2004-12-02 16:32
OK, found it at last! It turns out it's in the WinDbg help file.
It's mainly a matter of experience. Generally, whenever there's a blue screen I use WinDbg to find where the problem is, but this time it was inside ntoskrnl, and I didn't know what to do.

To: arthurtu
Sorry, I've already given out all my points; next time.

All in all, I learned a lot this time, and I hope to keep learning from you veterans!