[求助] 蓝屏故障如何分析出原因啊?-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (6)
kagayaki 雪币： 1272 活跃值： (5124) 能力值： ( LV3，RANK：20 ) 在线值：发帖 174 回帖 1253 粉丝 25 关注私信	kagayaki 2 楼在网上看了一下, 别人的好像都有下面的"ExceptionAddress", 我的为什么没有 MachineImageType i386 NumberProcessors 1 BugCheckCode 0xc000021a BugCheckParameter1 0xe1270188 BugCheckParameter2 0x00000001 BugCheckParameter3 0x00000000 BugCheckParameter4 0x00000000 ExceptionCode 0x80000003 ExceptionFlags 0x00000001 ExceptionAddress 0x8014fb84 和我设的"小内存转存"无关吧? 上传的附件： Snap1.jpg （44.83kb，125次下载） 2010-3-18 15:33 0
PAC 雪币： 234 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 13 粉丝 0 关注私信	PAC 3 楼小内存转储也应该有异常地址啊 2010-3-18 17:15 0
kagayaki 雪币： 1272 活跃值： (5124) 能力值： ( LV3，RANK：20 ) 在线值：发帖 174 回帖 1253 粉丝 25 关注私信	kagayaki 4 楼我找了成 6 吧机, 都找不到异常地址, 只有我上面的..... 2010-3-19 18:34 0
木桩雪币： 296 活跃值： (89) 能力值： ( LV15，RANK：340 ) 在线值：发帖 13 回帖 241 粉丝 4 关注私信	木桩 8 5 楼大致看了一下，TesSafe.sys引起的蓝屏。注意红色标出的部分： 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ***************************************************************************** DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: de076dfa, memory referenced Arg2: 000000ff, IRQL Arg3: 00000001, value 0 = read operation, 1 = write operation Arg4: b75cf7fb, address which referenced memory Debugging Details: ------------------ * Kernel symbols are WRONG. Please fix symbols to do analysis. ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: nt!_KPRCB * * * ********************************************************************* ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: nt!_KPRCB * * * ********************************************************************* MODULE_NAME: TesSafe FAULTING_MODULE: 804d8000 nt DEBUG_FLR_IMAGE_TIMESTAMP: 4b62962c WRITE_ADDRESS: de076dfa CURRENT_IRQL: ff FAULTING_IP: TesSafe+77fb b75cf7fb 088946148326 or byte ptr [ecx+26831446h],cl CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: WRONG_SYMBOLS BUGCHECK_STR: 0xD1 LAST_CONTROL_TRANSFER: from b75cf854 to b75cf7fb STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. b78459bc b75cf854 b7845d9c 83e65340 00000000 TesSafe+0x77fb b7845dc8 028f37df 0000001b 00000206 154cff08 TesSafe+0x7854 b7845dcc 00000000 00000206 154cff08 00000023 0x28f37df STACK_COMMAND: kb FOLLOWUP_IP: TesSafe+77fb b75cf7fb 088946148326 or byte ptr [ecx+26831446h],cl SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: TesSafe+77fb FOLLOWUP_NAME: MachineOwner IMAGE_NAME: TesSafe.sys** BUCKET_ID: WRONG_SYMBOLS Followup: MachineOwner --------- 1: kd> lmvm TesSafe start end module name b75c8000 b7602000 TesSafe T (no symbols) Loaded symbol image file: TesSafe.sys Image path: TesSafe.sys Image name: TesSafe.sys Timestamp: Fri Jan 29 16:02:52 2010 (4B62962C) CheckSum: 00041D84 ImageSize: 0003A000 Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0 2010-3-19 22:25 0
仙果雪币： 1491 活跃值： (985) 能力值： (RANK：860 ) 在线值：发帖 68 回帖 1507 粉丝 67 关注私信	仙果 19 6 楼一直都不怎么动调试DUMP文件 2010-3-19 22:59 0
kagayaki 雪币： 1272 活跃值： (5124) 能力值： ( LV3，RANK：20 ) 在线值：发帖 174 回帖 1253 粉丝 25 关注私信	kagayaki 7 楼谢谢, 我明天回去按你的做一下!!!! 2010-3-20 05:02 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (6)
kagayaki 雪币： 1272 活跃值： (5124) 能力值： ( LV3，RANK：20 ) 在线值：发帖 174 回帖 1253 粉丝 25 关注私信	kagayaki 2 楼在网上看了一下, 别人的好像都有下面的"ExceptionAddress", 我的为什么没有 MachineImageType i386 NumberProcessors 1 BugCheckCode 0xc000021a BugCheckParameter1 0xe1270188 BugCheckParameter2 0x00000001 BugCheckParameter3 0x00000000 BugCheckParameter4 0x00000000 ExceptionCode 0x80000003 ExceptionFlags 0x00000001 ExceptionAddress 0x8014fb84 和我设的"小内存转存"无关吧? 上传的附件： Snap1.jpg （44.83kb，125次下载） 2010-3-18 15:33 0
PAC 雪币： 234 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 13 粉丝 0 关注私信	PAC 3 楼小内存转储也应该有异常地址啊 2010-3-18 17:15 0
kagayaki 雪币： 1272 活跃值： (5124) 能力值： ( LV3，RANK：20 ) 在线值：发帖 174 回帖 1253 粉丝 25 关注私信	kagayaki 4 楼我找了成 6 吧机, 都找不到异常地址, 只有我上面的..... 2010-3-19 18:34 0
木桩雪币： 296 活跃值： (89) 能力值： ( LV15，RANK：340 ) 在线值：发帖 13 回帖 241 粉丝 4 关注私信	木桩 8 5 楼大致看了一下，TesSafe.sys引起的蓝屏。注意红色标出的部分： 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ***************************************************************************** DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: de076dfa, memory referenced Arg2: 000000ff, IRQL Arg3: 00000001, value 0 = read operation, 1 = write operation Arg4: b75cf7fb, address which referenced memory Debugging Details: ------------------ * Kernel symbols are WRONG. Please fix symbols to do analysis. ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: nt!_KPRCB * * * ********************************************************************* ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: nt!_KPRCB * * * ********************************************************************* MODULE_NAME: TesSafe FAULTING_MODULE: 804d8000 nt DEBUG_FLR_IMAGE_TIMESTAMP: 4b62962c WRITE_ADDRESS: de076dfa CURRENT_IRQL: ff FAULTING_IP: TesSafe+77fb b75cf7fb 088946148326 or byte ptr [ecx+26831446h],cl CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: WRONG_SYMBOLS BUGCHECK_STR: 0xD1 LAST_CONTROL_TRANSFER: from b75cf854 to b75cf7fb STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. b78459bc b75cf854 b7845d9c 83e65340 00000000 TesSafe+0x77fb b7845dc8 028f37df 0000001b 00000206 154cff08 TesSafe+0x7854 b7845dcc 00000000 00000206 154cff08 00000023 0x28f37df STACK_COMMAND: kb FOLLOWUP_IP: TesSafe+77fb b75cf7fb 088946148326 or byte ptr [ecx+26831446h],cl SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: TesSafe+77fb FOLLOWUP_NAME: MachineOwner IMAGE_NAME: TesSafe.sys** BUCKET_ID: WRONG_SYMBOLS Followup: MachineOwner --------- 1: kd> lmvm TesSafe start end module name b75c8000 b7602000 TesSafe T (no symbols) Loaded symbol image file: TesSafe.sys Image path: TesSafe.sys Image name: TesSafe.sys Timestamp: Fri Jan 29 16:02:52 2010 (4B62962C) CheckSum: 00041D84 ImageSize: 0003A000 Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0 2010-3-19 22:25 0
仙果雪币： 1491 活跃值： (985) 能力值： (RANK：860 ) 在线值：发帖 68 回帖 1507 粉丝 67 关注私信	仙果 19 6 楼一直都不怎么动调试DUMP文件 2010-3-19 22:59 0
kagayaki 雪币： 1272 活跃值： (5124) 能力值： ( LV3，RANK：20 ) 在线值：发帖 174 回帖 1253 粉丝 25 关注私信	kagayaki 7 楼谢谢, 我明天回去按你的做一下!!!! 2010-3-20 05:02 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复