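Help: a question about the icesword driver.
A few days ago I ran cwjack_regmon, which I downloaded here on 驱动网, and the machine crashed after it loaded regsys.sys. Since then the system has crashed frequently: opening DBGVIEW.EXE or monitor.exe crashes it, and when I looked with windbg it was dbgv.sys that faulted. The machine has also become very slow; a single refresh pushes explorer's CPU usage to 100%. Now opening icesword crashes it too, and when I looked with windbg it was detport.sys that faulted, as follows: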
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pagable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 8058be1e, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f4b0c21e, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: 8058be1e

CURRENT_IRQL: 2

FAULTING_IP:
DetPort+321e
f4b0c21e 0fb602 movzx eax,byte ptr [edx]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

TRAP_FRAME: f50c28b8 -- (.trap fffffffff50c28b8)
ErrCode = 00000000
eax=f50c293c ebx=00000005 ecx=f50c293c edx=8058be1e esi=894d6fe0 edi=8058be1e
eip=f4b0c21e esp=f50c292c ebp=f50c2994 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
DetPort+321e:
f4b0c21e 0fb602 movzx eax,byte ptr [edx] ds:0023:8058be1e=8b
Resetting default context

LAST_CONTROL_TRANSFER: from f4b0a706 to f4b0c21e

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f50c2994 f4b0a706 894d6fe0 8058be1e 00000000 DetPort+0x321e
f50c29bc f4b0a844 894d6fe0 f4b0d5c4 81c59638 DetPort+0x1706
f50c2a18 f4b0a8bc 81c59638 00000000 f50c2a5c DetPort+0x1844
f50c2a28 804e4d77 81c59638 8d0d6f68 806ee2a4 DetPort+0x18bc
f50c2a38 8066b2c5 8d0d6f78 8d0d6f68 81c599a0 nt!IopfCallDriver+0x31
f50c2a5c 80571f9c 81c59620 81b045a4 f50c2c04 nt!IovCallDriver+0xa0
f50c2b3c 8056486c 81c59638 00000000 81b04500 nt!IopParseDevice+0xa58
f50c2bc4 80568c63 00000000 f50c2c04 00000040 nt!ObpLookupObjectName+0x56a
f50c2c18 80572477 00000000 00000000 57264c01 nt!ObOpenObjectByName+0xeb
f50c2c94 80572546 0012f0a0 c0100080 0012f074 nt!IopCreateFile+0x407
f50c2cf0 8057267c 0012f0a0 c0100080 0012f074 nt!IoCreateFile+0x8e
f50c2d30 804e006b 0012f0a0 c0100080 0012f074 nt!NtCreateFile+0x30
f50c2d30 0040c15b 0012f0a0 c0100080 0012f074 nt!KiFastCallEntry+0xf8
00000084 00000000 00000000 00000000 00000000 IceSword+0xc15b

FOLLOWUP_IP:
DetPort+321e
f4b0c21e 0fb602 movzx eax,byte ptr [edx]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: DetPort+321e

MODULE_NAME: DetPort

IMAGE_NAME: DetPort.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 418dd0b3

STACK_COMMAND: .trap fffffffff50c28b8 ; kb

BUCKET_ID: 0xD1_DetPort+321e

Followup: MachineOwner
---------

The message says DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1): An attempt was made to access a pagable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
That should mean detport.sys faulted while reading memory at 8058be1e, but I took a look:

nt!NtTerminateProcess:
8058be1e 8bff mov edi,edi
8058be20 55 push ebp
8058be21 8bec mov ebp,esp
8058be23 83ec10 sub esp,0x10
8058be26 53 push ebx
8058be27 56 push esi
8058be28 57 push edi
8058be29 64a124010000 mov eax,fs:[00000124]
8058be2f 837d0800 cmp dword ptr [ebp+0x8],0x0
8058be33 8bf8 mov edi,eax
8058be35 8b4744 mov eax,[edi+0x44]
8058be38 8945f0 mov [ebp-0x10],eax
8058be3b 0f84ce050000 je nt!NtTerminateProcess+0x25 (8058c40f)

8058be1e is nt!NtTerminateProcess: this address is valid, so why does it say "using improper addresses"?
Could the experts here please help work out what the problem is? Right now the machine crashes as soon as I open anything that comes with a driver! I can't take it any more!
Reply #1
Posted: 2005-04-11 13:37
What does this have to do with detport.sys? Isn't every program having problems?
Didn't you unload regsys.sys?!!!
Reply #2
Posted: 2005-04-11 18:16
I only posted it because the most recent crash happened while using icesword. regsys.sys should already have been unloaded; when I boot into safe mode everything is normal and icesword opens. But just now I disabled all services and booted normally, and the machine crashed again when I opened dbgview.exe:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Parameter 1 = 0x1000 .. 0x1020 - deadlock verifier error codes.
Typically the code is 0x1001 (deadlock detected) and you can
issue a '!deadlock' KD command to get more information.
Arguments:
Arg1: 00000081, MmMapLockedPages called without MDL_MAPPING_CAN_FAIL
Arg2: 81f679c0, MDL address
Arg3: 00000004, MDL flags
Arg4: 00000000, 0

Debugging Details:
------------------

BUGCHECK_STR: 0xc4_81

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8066bd66 to 805349ae

STACK_TEXT:
f88f6adc 8066bd66 000000c4 00000081 81f679c0 nt!KeBugCheckEx+0x1b
f88f6b08 f89f3396 81f679c0 00000000 f89f39a3 nt!VerifierMapLockedPages+0xbe
WARNING: Stack unwind information not available. Following frames may be wrong.
00000008 00000000 00000000 00000000 00000000 Dbgv+0x396

FOLLOWUP_IP:
Dbgv+396
f89f3396 a328419ff8 mov [Dbgv+0x1128 (f89f4128)],eax

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Dbgv+396

MODULE_NAME: Dbgv

IMAGE_NAME: Dbgv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 411d06ff

STACK_COMMAND: kb

BUCKET_ID: 0xc4_81_Dbgv+396

Followup: MachineOwner

I can't make sense of it; could the experts here please give me some pointers!