-
-
[讨论] 求高手看看原因 NDISHOOK-发送自定义数据包
-
发表于: 2010-6-21 22:15
-
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 19, {20, 81e720b8, 81e72ec8, bc2dfb0}
GetUlongFromAddress: unable to read from 8055c6f0
Probably caused by : ntkrnlpa.exe ( nt!ExFreePoolWithTag+2a0 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 81e720b8, The pool entry we were looking for within the page.
Arg3: 81e72ec8, The next pool entry.
Arg4: 0bc2dfb0, (reserved)
Debugging Details:
------------------
GetUlongFromAddress: unable to read from 8055c6f0
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: 81e720b8
CUSTOMER_CRASH_COUNT: 21
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
PROCESS_NAME: IEXPLORE.EXE
LAST_CONTROL_TRANSFER: from 80544c86 to 804f9925
STACK_TEXT:
f0ec5b70 80544c86 00000019 00000020 81e720b8 nt!KeBugCheckEx+0x1b
f0ec5bc0 80615d8c 81e720c0 00000000 00000000 nt!ExFreePoolWithTag+0x2a0
f0ec5c48 8061686b 00000071 00000000 00000000 nt!CcPfPrefetchSections+0x3ea
f0ec5c88 80616c94 e11cf000 00080000 820c4020 nt!CcPfPrefetchScenario+0x7b
f0ec5d04 805c5975 820c4020 e23dc428 00000000 nt!CcPfBeginAppLaunch+0x158
f0ec5d50 80541fa2 00000000 7c810867 00000001 nt!PspUserThreadStartup+0xeb
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExFreePoolWithTag+2a0
80544c86 8b45f8 mov eax,dword ptr [ebp-8]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExFreePoolWithTag+2a0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 41107b0c
FAILURE_BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2a0
BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2a0
Followup: MachineOwner
---------
蓝屏可疑代码:
完成函数:
VOID
HookProtocolSendComplete(
IN HOOK_CONTEXT_STRUCT *pOurContext,
IN NDIS_HANDLE ProtocolBindingContext,
IN PNDIS_PACKET PAcket,
IN NDIS_STATUS StAtus
)
{
if(pOurContext)
{
NDIS_HANDLE PoolHAndle = NULL;
PNDIS_BUFFER pNdisBuffer = NULL;
PoolHAndle = NdisGetPoolFromPacket(PAcket);
if (PoolHAndle == m_ourPacketPoolHandle)
{
while(1)
{
NdisUnchainBufferAtFront(
PAcket,
&pNdisBuffer
);
if(pNdisBuffer == NULL)
{
break;
}
else
{
NdisFreeBuffer(pNdisBuffer);
}
}
NdisUnchainBufferAtFront(
PAcket,
&pNdisBuffer
);
NdisFreePacket(PAcket);
}
else{
((SEND_COMPLETE_HANDLER)pOurContext->m_pOriginalProc)(
ProtocolBindingContext,
PAcket,
StAtus
);
}
}
}
发送函数: NdisAllocatePacket(&status,&pNdisPacket,m_ourPacketPoolHandle);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
NdisAllocateBuffer( &status,
&pNdisBuffer,
m_ourBufferPoolHandle,
kernel_address,
g_PacketSize
);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
// pNdisBuffer=Irp->MdlAddress;
NdisChainBufferAtFront(pNdisPacket,pNdisBuffer);
NdisSendPackets(((HOOK_CONTEXT_STRUCT*)g_tempPvoid)->m_pBindAdaptHandle,&pNdisPacket,1);
下面是句柄的分配等:
m_ourPacketPoolHandle = NULL;
NdisAllocatePacketPool(&status,&m_ourPacketPoolHandle,0xFFF,0x30);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
//从由NdisAllocatePacketPool 返回的包池中分配一固定大小的包描述符
m_ourPacketHandle = NULL;
NdisAllocatePacket(&status,&m_ourPacketHandle,m_ourPacketPoolHandle);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
// 分配和初始化一个不分页的缓冲区池。 返回NdisAllocateBuffer 用来分配“缓存描述符”的句柄
m_ourBufferPoolHandle = NULL;
NdisAllocateBufferPool(&status,&m_ourBufferPoolHandle,0x30);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
//分配一块内存
m_ourBuffer = NULL;
status = NdisAllocateMemoryWithTag(&m_ourBuffer,MAX_PACKET_SIZE,'NAMW');
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
//在指定的已分配的不分页的内存块中创建一个映射虚存范围的“缓存描述符”。需给出由NdisAllocateBufferPool 返回的句柄
m_ourBufferHandle = NULL;
NdisAllocateBuffer(&status,&m_ourBufferHandle,m_ourBufferPoolHandle,m_ourBuffer,MAX_PACKET_SIZE);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
//links a given buffer descriptor to the head of the buffer-descriptor chain
NdisChainBufferAtFront(m_ourPacketHandle,m_ourBufferHandle);
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 19, {20, 81e720b8, 81e72ec8, bc2dfb0}
GetUlongFromAddress: unable to read from 8055c6f0
Probably caused by : ntkrnlpa.exe ( nt!ExFreePoolWithTag+2a0 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 81e720b8, The pool entry we were looking for within the page.
Arg3: 81e72ec8, The next pool entry.
Arg4: 0bc2dfb0, (reserved)
Debugging Details:
------------------
GetUlongFromAddress: unable to read from 8055c6f0
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: 81e720b8
CUSTOMER_CRASH_COUNT: 21
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
PROCESS_NAME: IEXPLORE.EXE
LAST_CONTROL_TRANSFER: from 80544c86 to 804f9925
STACK_TEXT:
f0ec5b70 80544c86 00000019 00000020 81e720b8 nt!KeBugCheckEx+0x1b
f0ec5bc0 80615d8c 81e720c0 00000000 00000000 nt!ExFreePoolWithTag+0x2a0
f0ec5c48 8061686b 00000071 00000000 00000000 nt!CcPfPrefetchSections+0x3ea
f0ec5c88 80616c94 e11cf000 00080000 820c4020 nt!CcPfPrefetchScenario+0x7b
f0ec5d04 805c5975 820c4020 e23dc428 00000000 nt!CcPfBeginAppLaunch+0x158
f0ec5d50 80541fa2 00000000 7c810867 00000001 nt!PspUserThreadStartup+0xeb
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExFreePoolWithTag+2a0
80544c86 8b45f8 mov eax,dword ptr [ebp-8]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExFreePoolWithTag+2a0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 41107b0c
FAILURE_BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2a0
BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2a0
Followup: MachineOwner
---------
蓝屏可疑代码:
完成函数:
VOID
HookProtocolSendComplete(
IN HOOK_CONTEXT_STRUCT *pOurContext,
IN NDIS_HANDLE ProtocolBindingContext,
IN PNDIS_PACKET PAcket,
IN NDIS_STATUS StAtus
)
{
if(pOurContext)
{
NDIS_HANDLE PoolHAndle = NULL;
PNDIS_BUFFER pNdisBuffer = NULL;
PoolHAndle = NdisGetPoolFromPacket(PAcket);
if (PoolHAndle == m_ourPacketPoolHandle)
{
while(1)
{
NdisUnchainBufferAtFront(
PAcket,
&pNdisBuffer
);
if(pNdisBuffer == NULL)
{
break;
}
else
{
NdisFreeBuffer(pNdisBuffer);
}
}
NdisUnchainBufferAtFront(
PAcket,
&pNdisBuffer
);
NdisFreePacket(PAcket);
}
else{
((SEND_COMPLETE_HANDLER)pOurContext->m_pOriginalProc)(
ProtocolBindingContext,
PAcket,
StAtus
);
}
}
}
发送函数: NdisAllocatePacket(&status,&pNdisPacket,m_ourPacketPoolHandle);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
NdisAllocateBuffer( &status,
&pNdisBuffer,
m_ourBufferPoolHandle,
kernel_address,
g_PacketSize
);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
// pNdisBuffer=Irp->MdlAddress;
NdisChainBufferAtFront(pNdisPacket,pNdisBuffer);
NdisSendPackets(((HOOK_CONTEXT_STRUCT*)g_tempPvoid)->m_pBindAdaptHandle,&pNdisPacket,1);
下面是句柄的分配等:
m_ourPacketPoolHandle = NULL;
NdisAllocatePacketPool(&status,&m_ourPacketPoolHandle,0xFFF,0x30);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
//从由NdisAllocatePacketPool 返回的包池中分配一固定大小的包描述符
m_ourPacketHandle = NULL;
NdisAllocatePacket(&status,&m_ourPacketHandle,m_ourPacketPoolHandle);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
// 分配和初始化一个不分页的缓冲区池。 返回NdisAllocateBuffer 用来分配“缓存描述符”的句柄
m_ourBufferPoolHandle = NULL;
NdisAllocateBufferPool(&status,&m_ourBufferPoolHandle,0x30);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
//分配一块内存
m_ourBuffer = NULL;
status = NdisAllocateMemoryWithTag(&m_ourBuffer,MAX_PACKET_SIZE,'NAMW');
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
//在指定的已分配的不分页的内存块中创建一个映射虚存范围的“缓存描述符”。需给出由NdisAllocateBufferPool 返回的句柄
m_ourBufferHandle = NULL;
NdisAllocateBuffer(&status,&m_ourBufferHandle,m_ourBufferPoolHandle,m_ourBuffer,MAX_PACKET_SIZE);
if( status != NDIS_STATUS_SUCCESS )
return FALSE;
//links a given buffer descriptor to the head of the buffer-descriptor chain
NdisChainBufferAtFront(m_ourPacketHandle,m_ourBufferHandle);
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
