[Help][Help] NDIS hook! System freezes?

Posted on: 2010-4-16 16:35
I am using the fake-protocol registration approach, and I only hooked
ReceiveHandler, ReceivePacketHandler and BindAdapterHandler in the TCPIP protocol's PNDIS_PROTOCOL_CHARACTERISTICS, as well as
ReceiveHandler, ReceivePacketHandler, SendHandler and SendPacketsHandler in PNDIS_OPEN_BLOCK.
The hook function is a single line:
    // writes the hook into the handler slot (the original pointer is not saved here)
    VOID HookNdisProc( IN  PVOID pHookProc,  IN  PVOID *ppOrigProc)
    {   ppOrigProc[0] = pHookProc;  }
And none of my own Handler functions do anything at all; they just call the original Handler.

At first the system BSODed as soon as the driver was loaded. Now I am debugging with WinDbg; after loading it in the virtual machine the system freezes, the whole screen stops responding. Of my program's debug messages, in WinDbg I can see that it entered my hook function MySendHandler, but nothing else.

Could an expert explain this to me? Many thanks.

Latest replies (2)

Dump analysis:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: b265c730, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
+0
00000000 ??              ???

TRAP_FRAME:  b265c730 -- (.trap 0xffffffffb265c730)
ErrCode = 00000000
eax=82e9fed8 ebx=00000000 ecx=82f65008 edx=00000012 esi=82e9fed8 edi=82e0f008
eip=00000000 esp=b265c7a4 ebp=b265c7b8 iopl=0         nv up ei ng nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010292
00000000 ??              ???
Resetting default scope

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  svchost.exe

LAST_CONTROL_TRANSFER:  from f8d48bc5 to 00000000

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
b265c7a0 f8d48bc5 82f65008 82e9fed8 00000049 0x0
b265c7b8 b2d77d40 82f65008 82e9fed8 82e0f008 Bogus!MySend+0x55 [d:\2010\proxy\mybogusprotocol\hookfunc.h @ 56]
b265c7e0 b2d77916 82e0f008 82e9fed8 82c4f870 tcpip!ARPSendData+0x198
b265c80c b2d7765a 82e0f008 b265c800 00000001 tcpip!ARPTransmit+0x193
b265c83c b2d7779f 82a69d50 021aa8c0 82e9fed8 tcpip!SendIPPacket+0x193
b265c988 b2d7e308 b2db5bb4 828ed798 828ec020 tcpip!IPTransmit+0x289e
b265ca28 b2d7e0cf 82dd34a0 828ed798 82c9f938 tcpip!UDPSend+0x41b
b265ca4c b2d7e135 0065ca70 82c9f900 828ec060 tcpip!TdiSendDatagram+0xd5
b265ca84 b2d7a881 82c9f938 82c9f9f0 82c9f900 tcpip!UDPSendDatagram+0x4f
b265caa0 804e47f7 82f18c88 82c9f938 82eae938 tcpip!TCPDispatchInternalDeviceControl+0xff
b265cab0 b2d35807 b265cb9c 00000008 b265cb10 nt!IopfCallDriver+0x31
b265cb08 b2d2cb5e 006bf240 b2d2cb5e 82eae938 afd!AfdFastDatagramSend+0x2fd
b265cc50 80590044 82f37c98 00000001 006bf110 afd!AfdFastIoDeviceControl+0x2a7
b265cd00 8058ffd7 000000ec 000000e8 00000000 nt!IopXxxControlFile+0x261
b265cd34 804df7ec 000000ec 000000e8 00000000 nt!NtDeviceIoControlFile+0x2a
b265cd34 7c92e4f4 000000ec 000000e8 00000000 nt!KiFastCallEntry+0xf8
006bf200 00000000 00000000 00000000 00000000 0x7c92e4f4

STACK_COMMAND:  kb

FOLLOWUP_IP:
Bogus!MySend+55 [d:\2010\proxy\mybogusprotocol\hookfunc.h @ 56]
f8d48bc5 8945fc          mov     dword ptr [ebp-4],eax

FAULTING_SOURCE_CODE:  
    52:     DWORD PacketSize = 0;
    53:     KdPrint(("---HOOK-----MySend\n"));
    54:     NdisQueryPacket(Packet, NULL, NULL, NULL, &PacketSize);
    55:     KdPrint(("PacketSize = 0x%x\n", PacketSize));
>   56:     Status = ((SEND_HANDLER)m_pSend)(NdisBindingHandle, Packet);
    57:     return Status;
    58: }
    59:
    60: //
    61: //

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  Bogus!MySend+55

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Bogus

IMAGE_NAME:  Bogus.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4bcbb51c

FAILURE_BUCKET_ID:  0x8E_Bogus!MySend+55

BUCKET_ID:  0x8E_Bogus!MySend+55

Followup: MachineOwner
---------
2010-4-19 10:12
Solved. MySend called a null pointer.
2010-4-19 14:51
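The cause the second reply names (the original handler was never saved, so MySend called through NULL at eip=00000000) and the swap that avoids it, as an added example rather than code from this thread: user-mode C with hypothetical stand-ins for the NDIS types, g_orig_send playing the role of m_pSend, and a wrapper that refuses to forward instead of faulting.

```c
#include <stddef.h>
/* Hypothetical user-mode stand-ins for the NDIS types; not the WDK definitions. */
typedef int NDIS_STATUS;
#define NDIS_STATUS_SUCCESS 0
#define NDIS_STATUS_FAILURE (-1)
typedef NDIS_STATUS (*SEND_HANDLER)(void *binding, void *packet);
struct open_block { SEND_HANDLER SendHandler; };  /* the one slot the post hooks */
static SEND_HANDLER g_orig_send = NULL;           /* plays the role of m_pSend */

/* The post's HookNdisProc: stores the hook but never hands back the original. */
static void hook_lossy(SEND_HANDLER hook, SEND_HANDLER *slot) { slot[0] = hook; }

/* Corrected swap: returns the previous handler so the caller can save it,
 * and refuses to install over an empty slot or over itself. */
static SEND_HANDLER hook_swap(SEND_HANDLER hook, SEND_HANDLER *slot) {
    SEND_HANDLER old = *slot;
    if (old == NULL || old == hook) return NULL;
    *slot = hook;
    return old;
}

static NDIS_STATUS real_send(void *b, void *p) { (void)b; (void)p; return NDIS_STATUS_SUCCESS; }

/* Wrapper equivalent to the post's MySend: forward only if the original was saved.
 * In the kernel, calling a NULL m_pSend is exactly the 0x8E bugcheck with eip=00000000. */
static NDIS_STATUS my_send(void *binding, void *packet) {
    if (g_orig_send == NULL) return NDIS_STATUS_FAILURE;
    return g_orig_send(binding, packet);
}

int install_send_hook(struct open_block *ob) {        /* 0 on success, -1 if not hookable */
    SEND_HANDLER old = hook_swap(my_send, &ob->SendHandler);
    if (old == NULL) return -1;
    g_orig_send = old;
    return 0;
}

void uninstall_send_hook(struct open_block *ob) {     /* put the saved original back */
    if (ob->SendHandler == my_send && g_orig_send != NULL) {
        ob->SendHandler = g_orig_send;
        g_orig_send = NULL;
    }
}

/* Reproduces the thread's failure without crashing: the lossy hook leaves g_orig_send NULL. */
NDIS_STATUS send_through_lossy_hook(void) {
    struct open_block ob = { real_send };
    g_orig_send = NULL;
    hook_lossy(my_send, &ob.SendHandler);
    return ob.SendHandler(NULL, NULL);                /* NDIS_STATUS_FAILURE, not a bugcheck */
}
```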