[Help] Why does fetching a module's functions this way fail in R0, while the R3 test works fine?
Posted: 2010-7-2 14:02  6195
In R0 I registered a callback with PsSetLoadImageNotifyRoutine, and in that callback I fetch a module's functions:
    mov eax,ImageInfo
    assume eax:PIMAGE_INFO
    mov eax,[eax].ImageBase
    assume eax:nothing
    mov @hMod,eax
    invoke DbgPrint, $CTA0("Driver: ImageInfo.ImageBase: %08X\n"), @hMod
    .if  @hMod
      mov  edi,@hMod
      assume  edi:ptr IMAGE_DOS_HEADER                 ; points to IMAGE_DOS_HEADER
      .if  [edi].e_magic != IMAGE_DOS_SIGNATURE            ; is it "MZ"?
        jmp  _Exit
      .endif
      add  edi,[edi].e_lfanew
      assume  edi:ptr IMAGE_NT_HEADERS                 ; points to IMAGE_NT_HEADERS
      .if  [edi].Signature != IMAGE_NT_SIGNATURE           ; is it "PE"?
        jmp  _Exit
      .endif
      .if [edi].OptionalHeader.DataDirectory[8].VirtualAddress != 0 || [edi].OptionalHeader.DataDirectory[8].isize != 0
        mov edi,[edi].OptionalHeader.DataDirectory[8].VirtualAddress
        add edi,@hMod
        assume  edi:ptr IMAGE_IMPORT_DESCRIPTOR
        .while [edi].OriginalFirstThunk || [edi].TimeDateStamp || [edi].ForwarderChain || [edi].Name1 || [edi].FirstThunk
          mov eax,[edi].Name1
          add eax,@hMod
          push eax
          invoke DbgPrint, $CTA0("Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: %s\n"), eax
          pop eax
          ;invoke MemCmp,eax,$CTA0("user32.dll"),10
          ;.if eax == 0
            mov  eax,[edi].OriginalFirstThunk
            add  eax,@hMod
            mov  ebx,eax
            mov @iNum,0
            .while  dword ptr [ebx]
              mov eax,dword ptr [ebx]
              add  eax,@hMod
              assume  eax:ptr IMAGE_IMPORT_BY_NAME
              lea eax,[eax].Name1
              push eax
              invoke DbgPrint, $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n"), eax
              pop eax
              assume  eax:nothing
              add @iNum,4
              add  ebx,4
            .endw
          ;.endif
          add  edi,sizeof IMAGE_IMPORT_DESCRIPTOR
        .endw
      .endif
_Exit:
      assume  edi:nothing
    .endif
  .endif
When I inject this code into a process in R3, fetching the functions works fine.
But why does it fault with a blue screen in R0? If I comment out the code inside the .if below `invoke MemCmp,eax,$CTA0("user32.dll"),10`, there is no error either.
Could someone point me in the right direction?

I looked at it with WinDbg and the code's behaviour seems fine, yet it always faults, and each time at a different place.
I don't get it, and I'm not really familiar with WinDbg either.
Driver: ImageInfo.ImageBase: 01000000
Access violation - code c0000005 (!!! second chance !!!)
nt!ExAcquireRundownProtectionEx+0x9:
80603c87 8b19            mov     ebx,dword ptr [ecx]   ; ecx is 0 here, so it is bound to fault, but I don't know how to fix it


Latest replies (3)

#2
I tried a few more times; now it is the same error every time, but it looks like a DbgPrint problem?

Driver: Loading...
Driver: Creating...
Driver: Closing...
Driver: ImageInfo.ImageBase: 73CA0000
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: OLEAUT32.dll

*** Fatal System Error: 0x00000050
                       (0xF3CA0009,0x00000000,0x80539F16,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Sat Jul  3 12:18:07.453 2010 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {f3ca0009, 0, 80539f16, 0}

*** ERROR: Module load completed but symbols could not be loaded for Driver.sys
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
Probably caused by : Driver.sys ( Driver+50f )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
80528bf4 cc              int     3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f3ca0009, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80539f16, If non-zero, the instruction address which referenced the bad memory
        address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  f3ca0009

FAULTING_IP:
nt!_output+64d
80539f16 803800          cmp     byte ptr [eax],0

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  svchost.exe

TRAP_FRAME:  b222a628 -- (.trap 0xffffffffb222a628)
ErrCode = 00000000
eax=f3ca0009 ebx=00000073 ecx=7ffffffe edx=b222a9a5 esi=b222a6e0 edi=80528e75
eip=80539f16 esp=b222a69c ebp=b222a904 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!_output+0x64d:
80539f16 803800          cmp     byte ptr [eax],0           ds:0023:f3ca0009=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f8bad to 80528bf4

STACK_TEXT:  
b222a164 804f8bad 00000003 f3ca0009 00000000 nt!RtlpBreakWithStatusInstruction
b222a1b0 804f979a 00000003 00000000 c079e500 nt!KiBugCheckDebugBreak+0x19
b222a590 804f9cc5 00000050 f3ca0009 00000000 nt!KeBugCheck2+0x574
b222a5b0 8051dc67 00000050 f3ca0009 00000000 nt!KeBugCheckEx+0x1b
b222a610 80541554 00000000 f3ca0009 00000000 nt!MmAccessFault+0x8e7
b222a610 80539f16 00000000 f3ca0009 00000000 nt!KiTrap0E+0xcc
b222a904 80537281 b222a920 f8cda7ef b222abc0 nt!_output+0x64d
b222a940 80528c8f b222a97c 00000200 f8cda7ef nt!_vsnprintf+0x2f
b222ab98 80528e94 80528e74 ffffffff 00000000 nt!vDbgPrintExWithPrefix+0x91
b222abb4 f8cda50f f8cda7ef f3ca0009 f3ca0009 nt!DbgPrint+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
b222abe0 805c735e 81fd2fc0 00000408 b222ac20 Driver+0x50f
b222ac00 805a7927 81fd2fc0 00000408 b222ac20 nt!PsCallImageNotifyRoutines+0x36
b222ac48 805a8414 81fd9f30 73ca0000 b222ad18 nt!MiMapViewOfImageSection+0x4c1
b222aca4 805a87d9 00000004 81d00878 b222ad18 nt!MmMapViewOfSection+0x13c
b222ad34 8053e658 00000cb8 ffffffff 0273e0dc nt!NtMapViewOfSection+0x2bd
b222ad34 7c92e514 00000cb8 ffffffff 0273e0dc nt!KiFastCallEntry+0xf8
0273e000 7c92d52a 7c93b753 00000cb8 ffffffff ntdll!KiFastSystemCallRet
0273e004 7c93b753 00000cb8 ffffffff 0273e0dc ntdll!NtMapViewOfSection+0xc
0273e0f8 7c935b7a 033a5570 0273e184 0273e6ac ntdll!LdrpMapDll+0x330
0273e3b8 7c935de3 00000000 033a5570 0273e6ac ntdll!LdrpLoadDll+0x1e9
0273e660 7c801bbd 033a5570 0273e6ac 0273e68c ntdll!LdrLoadDll+0x230
0273e6c8 769c2485 0273e744 00000000 00000008 kernel32!LoadLibraryExW+0x18e
0273e6ec 769c23a1 0273e744 0273e710 0273e714 ole32!CClassCache::CDllPathEntry::LoadDll+0x6c
0273e71c 769c1824 0273e744 0273ea18 0273e73c ole32!CClassCache::CDllPathEntry::Create_rl+0x37
0273e968 769c1747 00000001 0273ea18 0273e998 ole32!CClassCache::CClassEntry::CreateDllClassEntry_rl+0xd6
0273e9b0 769c16a5 00000001 0010e434 0273e9d8 ole32!CClassCache::GetClassObjectActivator+0x195
0273e9dc 769c5b25 0273ea18 0273f4e8 0273efac ole32!CClassCache::GetClassObject+0x23
0273ea50 769c5a11 76ab7150 0273efac 0273f4e8 ole32!CServerContextActivator::GetClassObject+0xf5
0273ea88 769c5bf7 0273efac 0273f4e8 0273efac ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3
0273eaa8 769c5ba3 76ab7154 0273efac 0273f4e8 ole32!CApartmentActivator::GetClassObject+0x4d
0273eac0 769c20c8 76ab7154 00000001 00000000 ole32!CProcessActivator::GCOCallback+0x2b
0273eae0 769c207f 76ab714c 0273ee08 00000000 ole32!CProcessActivator::AttemptActivation+0x2c
0273eb18 769c5c4a 76ab714c 0273ee08 00000000 ole32!CProcessActivator::ActivateByContext+0x42
0273eb40 769c5a11 76ab714c 0273efac 0273f4e8 ole32!CProcessActivator::GetClassObject+0x48
0273eb78 769c5a2b 0273efac 0273f4e8 003a0043 ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3
0273edc0 769c5a11 76ab7114 00000001 0273f4e8 ole32!CClientContextActivator::GetClassObject+0x88
0273edf8 769c58a5 0273efac 0273f4e8 7699ca20 ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3
0273f5a4 769c575e 0011dad0 00000001 0273f618 ole32!ICoGetClassObject+0x334
0273f5d0 769c56e0 0011dad0 00000001 0273f618 ole32!CComActivator::DoGetClassObject+0x93
0273f5f0 3fcfc879 0011dad0 00000001 0273f618 ole32!CoGetClassObject+0x1b
0273f6dc 3fcfc9b6 0011d418 0011dad0 00000000 wmiprvsd!CServerObject_RawFactory::CreateInstance+0xc0
0273f7b8 3fcfdd8b 0011d418 00000000 00000000 wmiprvsd!CServerObject_RawFactory::CreateServerSide+0xb1
0273f8b8 3fcffa3d 00000000 027bb678 00000000 wmiprvsd!CServerObject_RawFactory::GetNonApartmentProvider+0x9f
0273f964 3fcdb480 0012a378 00000000 00000000 wmiprvsd!CServerObject_RawFactory::GetProvider+0x257
0273fa24 3fcdc98a 0012a158 0012a290 00000000 wmiprvsd!CServerObject_BindingFactory::InternalGetProvider+0x110
0273fac4 3fce01df 02807948 027827f0 033a7a20 wmiprvsd!CServerObject_BindingFactory::InternalGetProviderViaProxyRoute+0x183
0273fbb0 3fce05f3 02807948 027827f0 00116b20 wmiprvsd!CServerObject_BindingFactory::InternalFindProvider+0x452
0273fcbc 75312253 00111a88 00000000 00000000 wmiprvsd!CServerObject_BindingFactory::GetProvider+0x372
0273fd18 7530eec7 027f62f0 3fcc4988 0273fdac wbemess!CEssNamespace::LoadConsumerProvider+0x56
0273fd54 7530eff1 0273fdac 0273fdb4 0273fdb0 wbemess!CConsumerProviderRecord::Resolve+0x213
0273fd88 7530f799 0273fdac 0273fdb4 0273fdb0 wbemess!CConsumerProviderRecord::ResolveAndCache+0x21
0273fdc4 7530c9c2 02811218 0278b528 0273fe4c wbemess!CConsumerProviderRecord::GetGlobalObjectSink+0x84
0273fdfc 7530ce6e 0273fe4c 0273fe50 00000000 wbemess!CPermanentConsumer::ObtainSink+0x53
0273fe28 7530d371 0273fe4c 0273fe50 00000000 wbemess!CPermanentConsumer::RetrieveSink+0x7b
0273fe64 752f912d 00000001 0273fe9c 00000000 wbemess!CPermanentConsumer::ActuallyDeliver+0x35
0273fe88 752f9648 00000000 00000001 0273fe9c wbemess!CQueueingEventSink::DeliverEvents+0x3a
0273ff04 752f98a7 027c5768 027d0908 02795b90 wbemess!CQueueingEventSink::DeliverSome+0x24f
0273ff38 751ff004 027c5768 02795b90 7c9210e0 wbemess!CQueueingEventSink::DeliverAll+0x56
0273ff4c 751fed05 027c5768 00000000 027c5768 wbemcomn!CExecQueue::Execute+0x17
0273ff7c 7530c2da 027c5768 00000000 00000000 wbemcomn!CExecQueue::ThreadMain+0x11f
0273ffa8 751fed1e 027c5768 0273ffec 7c80b729 wbemess!CEventQueue::ThreadMain+0x22
0273ffb4 7c80b729 027c5768 00000000 00000000 wbemcomn!CExecQueue::_ThreadEntry+0xf
0273ffec 00000000 751fed0f 027c5768 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND:  kb

FOLLOWUP_IP:
Driver+50f
f8cda50f 83c408          add     esp,8

SYMBOL_STACK_INDEX:  a

SYMBOL_NAME:  Driver+50f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Driver

IMAGE_NAME:  Driver.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4c2eb9d8

FAILURE_BUCKET_ID:  0x50_Driver+50f

BUCKET_ID:  0x50_Driver+50f

Followup: MachineOwner
---------

f8cda4db 50              push    eax
f8cda4dc 50              push    eax                                ;push eax
f8cda4dd 68bda7cdf8      push    offset Driver+0x7bd (f8cda7bd) ;push $CTA0("Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: %s\n")
f8cda4e2 e85f010000      call    Driver+0x646 (f8cda646)              ;call DbgPrint
f8cda4e7 83c408          add     esp,8                                      ; no fault here
f8cda4ea 58              pop     eax
f8cda4eb 8b07            mov     eax,dword ptr [edi]
f8cda4ed 0345fc          add     eax,dword ptr [ebp-4]
f8cda4f0 8bd8            mov     ebx,eax
f8cda4f2 c745f800000000  mov     dword ptr [ebp-8],0
f8cda4f9 eb1f            jmp     Driver+0x51a (f8cda51a)
f8cda4fb 8b03            mov     eax,dword ptr [ebx]
f8cda4fd 0345fc          add     eax,dword ptr [ebp-4]
f8cda500 8d4002          lea     eax,[eax+2]
f8cda503 50              push    eax
f8cda504 50              push    eax                                        ;push eax
f8cda505 68efa7cdf8      push    offset Driver+0x7ef (f8cda7ef) ;push $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n")
f8cda50a e837010000      call    Driver+0x646 (f8cda646)              ;call DbgPrint
f8cda50f 83c408          add     esp,8                                      ; ?????? why does it fault here?
f8cda512 58              pop     eax
f8cda513 8345f804        add     dword ptr [ebp-8],4
f8cda517 83c304          add     ebx,4
2010-7-3 00:22
#3
            .while  dword ptr [ebx]                  ; while the entry is non-zero
              mov eax,dword ptr [ebx]                ; assume the value is the offset of an IMAGE_IMPORT_BY_NAME structure
              add  eax,@hMod                         ; add the base to get an IMAGE_IMPORT_BY_NAME pointer
              assume  eax:ptr IMAGE_IMPORT_BY_NAME
              lea eax,[eax].Name1                    ; get the function-name string pointer
              push eax
              invoke DbgPrint, $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n"), eax   ; DbgPrint the function name
              pop eax
              assume  eax:nothing
              add @iNum,4
              add  ebx,4
            .endw

Your check logic is correct when a function is imported by name, but it does not account for functions imported by ordinal.
When a function is imported by ordinal, dword ptr [ebx] holds 0x80000000 + the function's ordinal, not a pointer to an IMAGE_IMPORT_BY_NAME structure. After you add the image base and then 2, the string pointer passed as the %s argument to DbgPrint becomes a bogus kernel-mode address, which leads to unpredictable results, usually a BSOD.

Analysing the crash dump you provided confirms this:


Driver: ImageInfo.ImageBase: 73CA0000
......
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: OLEAUT32.dll

b222abb4 f8cda50f f8cda7ef f3ca0009 f3ca0009 nt!DbgPrint+0x1a

From the information you posted, the problem occurs while the system is loading a DLL based at 73CA0000. In that line of the stack backtrace you can see DbgPrint's arguments: the first is f8cda7ef, i.e. $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n"), and the second should have been a pointer to a string inside that DLL, but is instead f3ca0009.
So where does that value come from? Exactly what I said above: the function is imported by ordinal.
f3ca0009 = 80000000 + 73ca0000 (the image base that was added) + 2 (the result of lea eax,[eax+2]) + 7
So dword ptr [ebx] originally held 0x80000007, which means this function is imported by ordinal 7.

Now that you know the problem, you should be able to work out the fix yourself.
2010-7-3 20:11
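As an added example (not the thread's own code), here is the same import-table walk in C with the check the MASM loop is missing: a thunk whose high bit (IMAGE_ORDINAL_FLAG32) is set carries an ordinal, not an IMAGE_IMPORT_BY_NAME RVA, and every RVA is bounds-checked against the image size before it is dereferenced. It builds a small constructed 32-bit image in memory so it runs without windows.h; the names walk_imports, build_image, ImportEntry and the "test.dll"/"Func" sample are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE  0x5A4D
#define IMAGE_NT_SIGNATURE   0x00004550
#define IMAGE_ORDINAL_FLAG32 0x80000000u
#define DIR_IMPORT 1   /* DataDirectory[1]; the MASM DataDirectory[8] is the same entry (byte offset 8) */

/* Minimal packed 32-bit PE layouts; the field offsets match the real IMAGE_* structures. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHeader;
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint32_t Signature; uint8_t FileHeader[20]; uint8_t Opt[92];
                 uint32_t NumberOfRvaAndSizes; DataDir DataDirectory[16]; } NtHeaders32;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDesc;
#pragma pack(pop)

typedef struct { char dll[16]; int by_name; unsigned ordinal; char name[32]; } ImportEntry;

/* Translate an RVA to a pointer only if [rva, rva+len) lies inside the mapped image. */
static const uint8_t *rva_ptr(const uint8_t *img, size_t size, uint32_t rva, size_t len) {
    return (rva > size || len > size - rva) ? NULL : img + rva;
}

/* Copy the NUL-terminated string at rva into buf; fail if it runs off the end of the image. */
static int read_cstr(const uint8_t *img, size_t size, uint32_t rva, char *buf, size_t cap) {
    size_t len = 0;
    while (rva_ptr(img, size, rva + (uint32_t)len, 1) && img[rva + len] != '\0') len++;
    if (!rva_ptr(img, size, rva + (uint32_t)len, 1)) return 0;
    snprintf(buf, cap, "%.*s", (int)len, (const char *)img + rva);
    return 1;
}

/* Walk the import directory of an image mapped at img (size = ImageInfo->ImageSize in a load-image
 * callback). Returns the number of entries written, or -1 for a malformed image. Unlike the MASM
 * loop in the thread, an ordinal thunk is decoded instead of being dereferenced as an RVA. */
int walk_imports(const uint8_t *img, size_t size, ImportEntry *out, int max) {
    const DosHeader *dos = (const DosHeader *)rva_ptr(img, size, 0, sizeof *dos);
    if (!dos || dos->e_magic != IMAGE_DOS_SIGNATURE) return -1;
    const NtHeaders32 *nt = (const NtHeaders32 *)rva_ptr(img, size, dos->e_lfanew, sizeof *nt);
    if (!nt || nt->Signature != IMAGE_NT_SIGNATURE) return -1;
    if (nt->NumberOfRvaAndSizes <= DIR_IMPORT) return 0;
    DataDir dir = nt->DataDirectory[DIR_IMPORT];
    if (dir.VirtualAddress == 0 || dir.Size == 0) return 0;          /* no import table */
    int n = 0;
    for (uint32_t off = dir.VirtualAddress;; off += sizeof(ImportDesc)) {
        ImportDesc desc;
        const uint8_t *p = rva_ptr(img, size, off, sizeof desc);
        if (!p) return -1;
        memcpy(&desc, p, sizeof desc);                                /* unaligned-safe copy */
        if (!desc.OriginalFirstThunk && !desc.Name && !desc.FirstThunk) break;   /* terminator */
        char dll[16];
        if (!read_cstr(img, size, desc.Name, dll, sizeof dll)) return -1;
        /* The INT (OriginalFirstThunk) keeps names even after binding; fall back to the IAT. */
        uint32_t thunk = desc.OriginalFirstThunk ? desc.OriginalFirstThunk : desc.FirstThunk;
        for (;; thunk += 4) {
            uint32_t t;
            if (!(p = rva_ptr(img, size, thunk, sizeof t))) return -1;
            memcpy(&t, p, sizeof t);
            if (t == 0) break;                                        /* end of this DLL's list */
            if (n == max) return n;
            ImportEntry *e = &out[n++];
            memset(e, 0, sizeof *e); memcpy(e->dll, dll, sizeof dll);
            /* High bit set: 0x80000007 is ordinal 7; there is no IMAGE_IMPORT_BY_NAME behind it. */
            if (t & IMAGE_ORDINAL_FLAG32) { e->ordinal = t & 0xFFFF; continue; }
            e->by_name = 1;                /* IMAGE_IMPORT_BY_NAME: 2-byte Hint, then the name */
            if (!read_cstr(img, size, t + 2, e->name, sizeof e->name)) return -1;
        }
    }
    return n;
}

#define IMG_SIZE 0x400
static uint8_t g_img[IMG_SIZE];

/* Constructed image (not from any real binary): "test.dll" imports "Func" by name and ordinal 7. */
const uint8_t *build_image(void) {
    memset(g_img, 0, sizeof g_img);
    DosHeader *dos = (DosHeader *)g_img;
    dos->e_magic = IMAGE_DOS_SIGNATURE; dos->e_lfanew = 0x80;
    NtHeaders32 *nt = (NtHeaders32 *)(g_img + 0x80);
    nt->Signature = IMAGE_NT_SIGNATURE; nt->NumberOfRvaAndSizes = 16;
    nt->DataDirectory[DIR_IMPORT].VirtualAddress = 0x200;
    nt->DataDirectory[DIR_IMPORT].Size = 2 * sizeof(ImportDesc);      /* one descriptor + terminator */
    ImportDesc desc = { 0x300, 0, 0, 0x2C0, 0x320 };
    memcpy(g_img + 0x200, &desc, sizeof desc);
    memcpy(g_img + 0x2C0, "test.dll", 9);
    uint32_t thunks[3] = { 0x340, IMAGE_ORDINAL_FLAG32 | 7, 0 };       /* by name, ordinal 7, end */
    memcpy(g_img + 0x300, thunks, sizeof thunks);
    memcpy(g_img + 0x340, "\x01\x00" "Func", 7);                      /* Hint 1, then "Func\0" */
    return g_img;
}
```

Pointing the first thunk at an RVA outside the image makes walk_imports return -1 instead of reading through a bad pointer, which is the failure the crash dump above shows.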
#4
Thank you so much, that one remark woke me right up.
2010-7-3 20:51