A problem encountered with tooflat's encryption.
I registered a keyboard hook and a mouse hook.
This causes the following error. Here is the error analysis captured with WinDbg.

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 81302e48, The pool entry we were looking for within the page.
Arg3: 81302e68, The next pool entry.
Arg4: 0a040002, (reserved)

Debugging Details:
------------------

BUGCHECK_STR: 0x19_20
POOL_ADDRESS: 81302e48 Nonpaged pool
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: lsass.exe
LAST_CONTROL_TRANSFER: from 804f880d to 80527da8

STACK_TEXT:
f7cadd68 804f880d 00000003 f7cae0c4 00000000 nt!RtlpBreakWithStatusInstruction
f7caddb4 804f93fa 00000003 81304c5f 81302e48 nt!KiBugCheckDebugBreak+0x19
f7cae194 804f9925 00000019 00000020 81302e48 nt!KeBugCheck2+0x574
f7cae1b4 80544c86 00000019 00000020 81302e48 nt!KeBugCheckEx+0x1b
f7cae204 f7ede076 81302e50 746c4653 81343268 nt!ExFreePoolWithTag+0x2a0
f7cae21c 804f1362 814b47a8 81304af0 81343268 sfilter!SfWriteCompletion+0x76 [e:\codes\windows\driver\truecrypt-4.2a-source-code\truecrypt__c\driver\ntdriver.c @ 3058]
f7cae24c f954973b e114ed90 f7cae458 f7cae448 nt!IopfCompleteRequest+0xa2
f7cae25c f954abba f7cae458 81304af0 00000000 Ntfs!NtfsCompleteRequest+0xac
f7cae448 f954ac97 f7cae458 81304af0 0110070a Ntfs!NtfsCommonWrite+0x2095
f7cae5bc 804eedf9 81567020 81304af0 815b0030 Ntfs!NtfsFsdWrite+0xf3
f7cae5cc f95ed3ca 81304c78 814b47a8 f7caeb80 nt!IopfCallDriver+0x31
f7cae5dc 804eedf9 8159a2d8 81304af0 81304c9c sr!SrWrite+0xaa
f7cae5ec f7eddfc4 81367270 814b4f38 814b47a8 nt!IopfCallDriver+0x31
f7caeb80 804eedf9 814b47a8 81304af0 00000000 sfilter!SfWrite+0x724 [e:\codes\windows\driver\truecrypt-4.2a-source-code\truecrypt__c\driver\ntdriver.c @ 3026]
f7caeb90 804f00d5 f7caebcc f7caed14 00000000 nt!IopfCallDriver+0x31
f7caeba4 8050c799 81367209 f7caebcc f7caec60 nt!IoSynchronousPageWrite+0xaf
f7caec88 805a1589 e18e5eb0 e18e5eb8 e18e5eb8 nt!MiFlushSectionInternal+0x3bf
f7caecf0 805a16d5 00000000 e18e5eb0 8133b4f0 nt!MmFlushVirtualMemory+0x375
f7caed4c 8053d808 ffffffff 00dbeaf0 00dbeafc nt!NtFlushVirtualMemory+0xe7
f7caed4c 7c92eb94 ffffffff 00dbeaf0 00dbeafc nt!KiFastCallEntry+0xf8
00dbeacc 7c92da15 7c81ff2b ffffffff 00dbeaf0 ntdll!KiFastSystemCallRet
00dbead0 7c81ff2b ffffffff 00dbeaf0 00dbeafc ntdll!ZwFlushVirtualMemory+0xc
00dbeaf4 7450be42 00000018 00000018 00dbf840 kernel32!FlushViewOfFile+0x28
WARNING: Stack unwind information not available. Following frames may be wrong.
00dbed34 7450beea 00000000 00dbeda4 00dbed58 LSASRV!LsaICryptUnprotectData+0xbf9
00dbed64 7450c602 00000000 00dbeda4 00dbed94 LSASRV!LsaICryptUnprotectData+0xca1
00dbf1fc 7450b006 00dbf55c 00dbf228 00000003 LSASRV!LsaICryptUnprotectData+0x13b9
00dbf238 744bcbff 00dbf840 00dbf55c 00000003 LSASRV!DsRolerDcAsDc+0xcb2e
00dbf48c 745111c6 00dbf840 00dbf55c 00000000 LSASRV!LsarSetSecret+0xd08d
00dbf5f8 744bd3c2 00dbf840 000c69b0 00dbf6e8 LSASRV!LsaICryptUnprotectData+0x5f7d
00dbf664 744bd585 00dbf840 00dbf6e8 00dbf6b4 LSASRV!LsarSetSecret+0xd850
00dbf7fc 7449fc80 00dbf840 00dbfc6c 00dbfc7c LSASRV!LsarSetSecret+0xda13
00dbf880 77e59dc9 000d6968 00dbfc6c 00dbfc7c LSASRV!LsaIRegisterNotification+0x1812
00dbf8c8 77ed321a 7449fc29 00dbf8dc 0000000d RPCRT4!Invoke+0x30
00dbfcf8 77ed36ee 00000000 00000000 000d6a8c RPCRT4!NdrStubCall2+0x297
00dbfd14 77e5988c 000d6a8c 000b1fa0 000d6a8c RPCRT4!NdrServerCall2+0x19
00dbfd48 77e597f1 74487255 000d6a8c 00dbfdf0 RPCRT4!DispatchToStubInC+0x38
00dbfd9c 77e5971d 00000000 00000000 7451f334 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x113
00dbfdc0 77e5bd0d 000d6a8c 00000000 7451f334 RPCRT4!RPC_INTERFACE::DispatchToStub+0x84
00dbfdfc 77e5bb6a 0009b380 000b2500 000d6830 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x2db
00dbfe20 77e56784 000b253c 00dbfe38 000d6830 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x16d
00dbff80 77e56c22 00dbffa8 77e56a3b 000b2500 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x28f
00dbff88 77e56a3b 000b2500 00000000 00400178 RPCRT4!RecvLotsaCallsWrapper+0xd
00dbffa8 77e56c0a 0009d688 00dbffec 7c80b50b RPCRT4!BaseCachedThreadRoutine+0x79
00dbffb4 7c80b50b 000b68c0 00000000 00400178 RPCRT4!ThreadStartRoutine+0x1a
00dbffec 00000000 77e56bf0 000b68c0 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND: kb

FOLLOWUP_IP:
sfilter!SfWriteCompletion+76 [e:\codes\driver\ntdriver.c @ 3058]
f7ede076 8b45f8 mov eax,dword ptr [ebp-8]

FAULTING_SOURCE_CODE:
  3054: Irp->UserBuffer = CompletionCtx->OldUserBuffer;
  3055: Irp->AssociatedIrp.SystemBuffer = CompletionCtx->OldSystemBuffer;
  3056:
  3057: ExFreePoolWithTag(CompletionCtx->MyBuffer, SFLT_POOL_TAG);
> 3058: ExFreeToNPagedLookasideList(&gReadWriteCompletionCtxLookAsideList, CompletionCtx);
  3059:
  3060: return STATUS_SUCCESS;
  3061: }
  3062:
  3063: NTSTATUS

SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: sfilter!SfWriteCompletion+76
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: sfilter
IMAGE_NAME: sfilter.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45fe17f4
FAILURE_BUCKET_ID: 0x19_20_sfilter!SfWriteCompletion+76
BUCKET_ID: 0x19_20_sfilter!SfWriteCompletion+76
Followup: MachineOwner
---------

According to the above, it is the gReadWriteCompletionCtxLookAsideList block header, or memory has been corrupted, which causes releasing the lock to fail. What kind of problem is this, and how should I fix it?
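1st floor#
Posted: 2007-03-19 16:56
I ran into this problem too while studying and testing tooflat's driver. Later I changed the code to use the original buffer directly instead of allocating my own MDL and buffer, and only then did the problem go away. Even so, I'd like to piggyback on this thread and ask the experts what is actually going on.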
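2nd floor#
Posted: 2007-03-20 06:45
A memory operation went wrong: you wrote to the wrong place. This kind of thing is the most serious and is very hard to track down. Try Driver Verifier and see whether it helps.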
3rd floor#
Posted: 2007-03-20 14:07
Solved. A memory address overflowed.
4th floor#
Posted: 2007-03-20 15:49
May I ask the original poster where the overflow was? Is it a problem in tooflat's code?
5th floor#
Posted: 2007-03-21 13:37
if(FileCtxPtr2 > 0){
    FileCtxPtr2->RefCount = 1;
    // ASSERT(FileName);
    if(FileName)
        wcscpy(FileCtxPtr2->Name, FileName);
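
The post above copies FileName into FileCtxPtr2->Name with wcscpy, which never checks the destination's capacity. As an added example (not code from this thread or from tooflat's driver), this portable C simulation shows how such a copy damages the header of the neighbouring block, which is only noticed when a block is later freed, and how a bounded copy avoids it; NAME_CCH, the arena layout and the header marker are assumptions.

```c
#include <wchar.h>

#define NAME_CCH  8                 /* assumed capacity of Name, in characters */
#define ARENA_CCH 32                /* simulated pool page, in wchar_t cells   */
#define HDR       ((wchar_t)0x19)   /* constructed stand-in for a block header */

/* Simulated layout: [header A][Name x NAME_CCH][header B][rest of page] */
enum { HDR_A = 0, NAME_OFF = 1, HDR_B = NAME_OFF + NAME_CCH };

static void arena_init(wchar_t *a) {
    wmemset(a, 0, ARENA_CCH);
    a[HDR_A] = a[HDR_B] = HDR;
}

/* wcscpy semantics: copy until the terminator, never look at the capacity.
   Constructed inputs are shorter than the arena, so the simulation is defined. */
static void copy_unbounded(wchar_t *a, const wchar_t *src) {
    size_t i = 0;
    do { a[NAME_OFF + i] = src[i]; } while (src[i++] != L'\0');
}

/* Bounded copy: reject any name that does not fit together with its terminator. */
static int copy_bounded(wchar_t *a, const wchar_t *src) {
    size_t n = wcslen(src);
    if (n >= NAME_CCH) return -1;
    wmemcpy(a + NAME_OFF, src, n + 1);
    return 0;
}

/* What the allocator checks later, when some block on the page is freed. */
static int headers_intact(const wchar_t *a) {
    return a[HDR_A] == HDR && a[HDR_B] == HDR;
}

/* Returns 1 if the page is still consistent after an unbounded copy. */
int unbounded_leaves_page_intact(const wchar_t *name) {
    wchar_t a[ARENA_CCH];
    arena_init(a);
    copy_unbounded(a, name);
    return headers_intact(a);
}

/* Returns 0 (copied) or -1 (rejected); -2 would mean the headers were damaged. */
int bounded_copy_result(const wchar_t *name) {
    wchar_t a[ARENA_CCH];
    arena_init(a);
    int rc = copy_bounded(a, name);
    return headers_intact(a) ? rc : -2;
}
```

In a driver the bounded copy would typically be RtlStringCchCopyW from ntstrsafe.h, with its return status checked before the context is used.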
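6th floor#
Posted: 2007-03-21 13:38
tooflat sometimes fails to decrypt certain files, which makes them unable to run. Has anyone else run into this?
Please advise, everyone!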