[求助]为什么这样在R0下获取某模块的函数会出错，R3测试则没问题？-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]为什么这样在R0下获取某模块的函数会出错，R3测试则没问题？

发表于: 2010-7-2 14:02 6055

[求助]为什么这样在R0下获取某模块的函数会出错，R3测试则没问题？

sharenpk

2010-7-2 14:02

6055

我在R0下用PsSetLoadImageNotifyRoutine设置了个回调函数，用这个回调函数获取某模块的函数

    mov eax,ImageInfo
    assume eax:PIMAGE_INFO
    mov eax,[eax].ImageBase
    assume eax:nothing
    mov @hMod,eax
    invoke DbgPrint, $CTA0("Driver: ImageInfo.ImageBase: %08X\n"), @hMod
    .if  @hMod
      mov  edi,@hMod
      assume  edi:ptr IMAGE_DOS_HEADER                 ;指向IMAGE_DOS_HEADER
      .if  [edi].e_magic != IMAGE_DOS_SIGNATURE            ;是"MZ"?
        jmp  _Exit
      .endif
      add  edi,[edi].e_lfanew
      assume  edi:ptr IMAGE_NT_HEADERS                 ;指向IMAGE_NT_HEADERS 
      .if  [edi].Signature != IMAGE_NT_SIGNATURE           ;是"PE"?  
        jmp  _Exit
      .endif
      .if [edi].OptionalHeader.DataDirectory[8].VirtualAddress != 0 || [edi].OptionalHeader.DataDirectory[8].isize != 0
        mov edi,[edi].OptionalHeader.DataDirectory[8].VirtualAddress
        add edi,@hMod
        assume  edi:ptr IMAGE_IMPORT_DESCRIPTOR
        .while [edi].OriginalFirstThunk || [edi].TimeDateStamp || [edi].ForwarderChain || [edi].Name1 || [edi].FirstThunk
          mov eax,[edi].Name1
          add eax,@hMod
          push eax
          invoke DbgPrint, $CTA0("Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: %s\n"), eax
          pop eax
          ;invoke MemCmp,eax,$CTA0("user32.dll"),10
          ;.if eax == 0
            mov  eax,[edi].OriginalFirstThunk
            add  eax,@hMod
            mov  ebx,eax
            mov @iNum,0
            .while  dword ptr [ebx]
              mov eax,dword ptr [ebx]
              add  eax,@hMod
              assume  eax:ptr IMAGE_IMPORT_BY_NAME
              lea eax,[eax].Name1
              push eax
              invoke DbgPrint, $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n"), eax
              pop eax
              assume  eax:nothing
              add @iNum,4
              add  ebx,4
            .endw
          ;.endif
          add  edi,sizeof IMAGE_IMPORT_DESCRIPTOR
        .endw
      .endif
_Exit:
      assume  edi:nothing
    .endif
  .endif

这段代码我在R3下注入到一个进程获取函数是没问题的
但是为什么在R0下会出错蓝屏，注释掉invoke MemCmp,eax,$CTA0("user32.dll"),10下面.if 中的代码也不会出错
谁指点一下啊

用windbg 看了下，发现代码的功能好像都没问题，但是始终要出错而且每次出错的地方都不一样
搞不懂了，而且我也不怎么会用windbg
Driver: ImageInfo.ImageBase: 01000000
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: comdlg32.dll
Driver: IMAGE_IMPORT_BY_NAME.Name1: PageSetupDlgW
Driver: IMAGE_IMPORT_BY_NAME.Name1: FindTextW
Driver: IMAGE_IMPORT_BY_NAME.Name1: PrintDlgExW
Driver: IMAGE_IMPORT_BY_NAME.Name1: ChooseFontW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetFileTitleW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetOpenFileNameW
Driver: IMAGE_IMPORT_BY_NAME.Name1: ReplaceTextW
Driver: IMAGE_IMPORT_BY_NAME.Name1: CommDlgExtendedError
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetSaveFileNameW
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: SHELL32.dll
Driver: IMAGE_IMPORT_BY_NAME.Name1: DragFinish
Driver: IMAGE_IMPORT_BY_NAME.Name1: DragQueryFileW
Driver: IMAGE_IMPORT_BY_NAME.Name1: DragAcceptFiles
Driver: IMAGE_IMPORT_BY_NAME.Name1: ShellAboutW
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: WINSPOOL.DRV
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetPrinterDriverW
Driver: IMAGE_IMPORT_BY_NAME.Name1: ClosePrinter
Driver: IMAGE_IMPORT_BY_NAME.Name1: OpenPrinterW
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: COMCTL32.dll
Driver: IMAGE_IMPORT_BY_NAME.Name1: CreateStatusWindowW
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: msvcrt.dll
Driver: IMAGE_IMPORT_BY_NAME.Name1: _XcptFilter
Driver: IMAGE_IMPORT_BY_NAME.Name1: _exit
Driver: IMAGE_IMPORT_BY_NAME.Name1: _c_exit
Driver: IMAGE_IMPORT_BY_NAME.Name1: time
Driver: IMAGE_IMPORT_BY_NAME.Name1: localtime
Driver: IMAGE_IMPORT_BY_NAME.Name1: _cexit
Driver: IMAGE_IMPORT_BY_NAME.Name1: iswctype
Driver: IMAGE_IMPORT_BY_NAME.Name1: _except_handler3
Driver: IMAGE_IMPORT_BY_NAME.Name1: _wtol
Driver: IMAGE_IMPORT_BY_NAME.Name1: wcsncmp
Driver: IMAGE_IMPORT_BY_NAME.Name1: _snwprintf
Driver: IMAGE_IMPORT_BY_NAME.Name1: exit
Driver: IMAGE_IMPORT_BY_NAME.Name1: _acmdln
Driver: IMAGE_IMPORT_BY_NAME.Name1: __getmainargs
Driver: IMAGE_IMPORT_BY_NAME.Name1: _initterm
Driver: IMAGE_IMPORT_BY_NAME.Name1: __setusermatherr
Driver: IMAGE_IMPORT_BY_NAME.Name1: _adjust_fdiv
Driver: IMAGE_IMPORT_BY_NAME.Name1: __p__commode
Driver: IMAGE_IMPORT_BY_NAME.Name1: __p__fmode
Driver: IMAGE_IMPORT_BY_NAME.Name1: __set_app_type
Driver: IMAGE_IMPORT_BY_NAME.Name1: _controlfp
Driver: IMAGE_IMPORT_BY_NAME.Name1: wcsncpy
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: ADVAPI32.dll
Driver: IMAGE_IMPORT_BY_NAME.Name1: RegQueryValueExW
Driver: IMAGE_IMPORT_BY_NAME.Name1: RegCloseKey
Driver: IMAGE_IMPORT_BY_NAME.Name1: RegCreateKeyW
Driver: IMAGE_IMPORT_BY_NAME.Name1: IsTextUnicode
Driver: IMAGE_IMPORT_BY_NAME.Name1: RegQueryValueExA
Driver: IMAGE_IMPORT_BY_NAME.Name1: RegOpenKeyExA
Driver: IMAGE_IMPORT_BY_NAME.Name1: RegSetValueExW
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: KERNEL32.dll
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetCurrentThreadId
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetTickCount
Driver: IMAGE_IMPORT_BY_NAME.Name1: QueryPerformanceCounter
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetLocalTime
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetUserDefaultLCID
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetDateFormatW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetTimeFormatW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GlobalLock
Driver: IMAGE_IMPORT_BY_NAME.Name1: GlobalUnlock
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetFileInformationByHandle
Driver: IMAGE_IMPORT_BY_NAME.Name1: CreateFileMappingW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetSystemTimeAsFileTime
Driver: IMAGE_IMPORT_BY_NAME.Name1: TerminateProcess
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetCurrentProcess
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetUnhandledExceptionFilter
Driver: IMAGE_IMPORT_BY_NAME.Name1: LoadLibraryA
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetModuleHandleA
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetStartupInfoA
Driver: IMAGE_IMPORT_BY_NAME.Name1: GlobalFree
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetLocaleInfoW
Driver: IMAGE_IMPORT_BY_NAME.Name1: LocalFree
Driver: IMAGE_IMPORT_BY_NAME.Name1: LocalAlloc
Driver: IMAGE_IMPORT_BY_NAME.Name1: lstrlenW
Driver: IMAGE_IMPORT_BY_NAME.Name1: LocalUnlock
Driver: IMAGE_IMPORT_BY_NAME.Name1: CompareStringW
Driver: IMAGE_IMPORT_BY_NAME.Name1: LocalLock
Driver: IMAGE_IMPORT_BY_NAME.Name1: FoldStringW
Driver: IMAGE_IMPORT_BY_NAME.Name1: CloseHandle
Driver: IMAGE_IMPORT_BY_NAME.Name1: lstrcpyW
Driver: IMAGE_IMPORT_BY_NAME.Name1: ReadFile
Driver: IMAGE_IMPORT_BY_NAME.Name1: CreateFileW
Driver: IMAGE_IMPORT_BY_NAME.Name1: lstrcmpiW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetCurrentProcessId
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetProcAddress
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetCommandLineW
Driver: IMAGE_IMPORT_BY_NAME.Name1: lstrcatW
Driver: IMAGE_IMPORT_BY_NAME.Name1: FindClose
Driver: IMAGE_IMPORT_BY_NAME.Name1: FindFirstFileW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetFileAttributesW
Driver: IMAGE_IMPORT_BY_NAME.Name1: lstrcmpW
Driver: IMAGE_IMPORT_BY_NAME.Name1: MulDiv
Driver: IMAGE_IMPORT_BY_NAME.Name1: lstrcpynW
Driver: IMAGE_IMPORT_BY_NAME.Name1: LocalSize
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetLastError
Driver: IMAGE_IMPORT_BY_NAME.Name1: WriteFile
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetLastError
Driver: IMAGE_IMPORT_BY_NAME.Name1: WideCharToMultiByte
Driver: IMAGE_IMPORT_BY_NAME.Name1: LocalReAlloc
Driver: IMAGE_IMPORT_BY_NAME.Name1: FormatMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetUserDefaultUILanguage
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetEndOfFile
Driver: IMAGE_IMPORT_BY_NAME.Name1: DeleteFileW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetACP
Driver: IMAGE_IMPORT_BY_NAME.Name1: UnmapViewOfFile
Driver: IMAGE_IMPORT_BY_NAME.Name1: MultiByteToWideChar
Driver: IMAGE_IMPORT_BY_NAME.Name1: MapViewOfFile
Driver: IMAGE_IMPORT_BY_NAME.Name1: UnhandledExceptionFilter
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: GDI32.dll
Driver: IMAGE_IMPORT_BY_NAME.Name1: EndPage
Driver: IMAGE_IMPORT_BY_NAME.Name1: AbortDoc
Driver: IMAGE_IMPORT_BY_NAME.Name1: EndDoc
Driver: IMAGE_IMPORT_BY_NAME.Name1: DeleteDC
Driver: IMAGE_IMPORT_BY_NAME.Name1: StartPage
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetTextExtentPoint32W
Driver: IMAGE_IMPORT_BY_NAME.Name1: CreateDCW
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetAbortProc
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetTextFaceW
Driver: IMAGE_IMPORT_BY_NAME.Name1: TextOutW
Driver: IMAGE_IMPORT_BY_NAME.Name1: StartDocW
Driver: IMAGE_IMPORT_BY_NAME.Name1: EnumFontsW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetStockObject
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetObjectW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetDeviceCaps
Driver: IMAGE_IMPORT_BY_NAME.Name1: CreateFontIndirectW
Driver: IMAGE_IMPORT_BY_NAME.Name1: DeleteObject
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetTextMetricsW
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetBkMode
Driver: IMAGE_IMPORT_BY_NAME.Name1: LPtoDP
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetWindowExtEx
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetViewportExtEx
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetMapMode
Driver: IMAGE_IMPORT_BY_NAME.Name1: SelectObject
Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: USER32.dll
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetClientRect
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetCursor
Driver: IMAGE_IMPORT_BY_NAME.Name1: ReleaseDC
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetDC
Driver: IMAGE_IMPORT_BY_NAME.Name1: DialogBoxParamW
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetActiveWindow
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetKeyboardLayout
Driver: IMAGE_IMPORT_BY_NAME.Name1: DefWindowProcW
Driver: IMAGE_IMPORT_BY_NAME.Name1: DestroyWindow
Driver: IMAGE_IMPORT_BY_NAME.Name1: MessageBeep
Driver: IMAGE_IMPORT_BY_NAME.Name1: ShowWindow
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetForegroundWindow
Driver: IMAGE_IMPORT_BY_NAME.Name1: IsIconic
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetWindowPlacement
Driver: IMAGE_IMPORT_BY_NAME.Name1: CharUpperW
Driver: IMAGE_IMPORT_BY_NAME.Name1: LoadStringW
Driver: IMAGE_IMPORT_BY_NAME.Name1: LoadAcceleratorsW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetSystemMenu
Driver: IMAGE_IMPORT_BY_NAME.Name1: RegisterClassExW
Driver: IMAGE_IMPORT_BY_NAME.Name1: LoadImageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: LoadCursorW
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetWindowPlacement
Driver: IMAGE_IMPORT_BY_NAME.Name1: CreateWindowExW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetDesktopWindow
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetFocus
Driver: IMAGE_IMPORT_BY_NAME.Name1: LoadIconW
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetWindowTextW
Driver: IMAGE_IMPORT_BY_NAME.Name1: PostQuitMessage
Driver: IMAGE_IMPORT_BY_NAME.Name1: RegisterWindowMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: UpdateWindow
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetScrollPos
Driver: IMAGE_IMPORT_BY_NAME.Name1: CharLowerW
Driver: IMAGE_IMPORT_BY_NAME.Name1: PeekMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: EnableWindow
Driver: IMAGE_IMPORT_BY_NAME.Name1: DrawTextExW
Driver: IMAGE_IMPORT_BY_NAME.Name1: CreateDialogParamW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetWindowTextW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetSystemMetrics
Driver: IMAGE_IMPORT_BY_NAME.Name1: MoveWindow
Driver: IMAGE_IMPORT_BY_NAME.Name1: InvalidateRect
Driver: IMAGE_IMPORT_BY_NAME.Name1: WinHelpW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetDlgCtrlID
Driver: IMAGE_IMPORT_BY_NAME.Name1: ChildWindowFromPoint
Driver: IMAGE_IMPORT_BY_NAME.Name1: ScreenToClient
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetCursorPos
Driver: IMAGE_IMPORT_BY_NAME.Name1: SendDlgItemMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: SendMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: CharNextW
Driver: IMAGE_IMPORT_BY_NAME.Name1: CheckMenuItem
Driver: IMAGE_IMPORT_BY_NAME.Name1: CloseClipboard
Driver: IMAGE_IMPORT_BY_NAME.Name1: IsClipboardFormatAvailable
Driver: IMAGE_IMPORT_BY_NAME.Name1: OpenClipboard
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetMenuState
Driver: IMAGE_IMPORT_BY_NAME.Name1: EnableMenuItem
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetSubMenu
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetMenu
Driver: IMAGE_IMPORT_BY_NAME.Name1: MessageBoxW
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetWindowLongW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetWindowLongW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetDlgItem
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetFocus
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetDlgItemTextW
Driver: IMAGE_IMPORT_BY_NAME.Name1: wsprintfW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetDlgItemTextW
Driver: IMAGE_IMPORT_BY_NAME.Name1: EndDialog
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetParent
Driver: IMAGE_IMPORT_BY_NAME.Name1: UnhookWinEvent
Driver: IMAGE_IMPORT_BY_NAME.Name1: DispatchMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: TranslateMessage
Driver: IMAGE_IMPORT_BY_NAME.Name1: TranslateAcceleratorW
Driver: IMAGE_IMPORT_BY_NAME.Name1: IsDialogMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: PostMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: GetMessageW
Driver: IMAGE_IMPORT_BY_NAME.Name1: SetWinEventHook
Access violation - code c0000005 (!!! second chance !!!)
nt!ExAcquireRundownProtectionEx+0x9:
80603c87 8b19 mov ebx,dword ptr [ecx] 此时ecx为0 肯定要出错，但不知道怎么解决

[课程]FART 脱壳王！加量不加价！FART作者讲授！

收藏・1

免费・0

支持

最新回复 (3)
sharenpk 雪币： 253 活跃值： (169) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 37 粉丝 1 关注私信	sharenpk 2 楼又试了几次现在都是同样的错误了，但好像是DbgPrint的问题？ Driver: Loading... Driver: Creating... Driver: Closing... Driver: ImageInfo.ImageBase: 73CA0000 Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: msvcrt.dll Driver: IMAGE_IMPORT_BY_NAME.Name1: ??2@YAPAXI@Z Driver: IMAGE_IMPORT_BY_NAME.Name1: _onexit Driver: IMAGE_IMPORT_BY_NAME.Name1: __dllonexit Driver: IMAGE_IMPORT_BY_NAME.Name1: ?terminate@@YAXXZ Driver: IMAGE_IMPORT_BY_NAME.Name1: ??1type_info@@UAE@XZ Driver: IMAGE_IMPORT_BY_NAME.Name1: _adjust_fdiv Driver: IMAGE_IMPORT_BY_NAME.Name1: malloc Driver: IMAGE_IMPORT_BY_NAME.Name1: _initterm Driver: IMAGE_IMPORT_BY_NAME.Name1: free Driver: IMAGE_IMPORT_BY_NAME.Name1: wcslen Driver: IMAGE_IMPORT_BY_NAME.Name1: wcsstr Driver: IMAGE_IMPORT_BY_NAME.Name1: wcscpy Driver: IMAGE_IMPORT_BY_NAME.Name1: wcscat Driver: IMAGE_IMPORT_BY_NAME.Name1: _wfindnexti64 Driver: IMAGE_IMPORT_BY_NAME.Name1: swprintf Driver: IMAGE_IMPORT_BY_NAME.Name1: _wremove Driver: IMAGE_IMPORT_BY_NAME.Name1: _wsplitpath Driver: IMAGE_IMPORT_BY_NAME.Name1: swscanf Driver: IMAGE_IMPORT_BY_NAME.Name1: _wfindfirsti64 Driver: IMAGE_IMPORT_BY_NAME.Name1: _findclose Driver: IMAGE_IMPORT_BY_NAME.Name1: __CxxFrameHandler Driver: IMAGE_IMPORT_BY_NAME.Name1: _except_handler3 Driver: IMAGE_IMPORT_BY_NAME.Name1: _vsnwprintf Driver: IMAGE_IMPORT_BY_NAME.Name1: wcschr Driver: IMAGE_IMPORT_BY_NAME.Name1: wcstoul Driver: IMAGE_IMPORT_BY_NAME.Name1: _CxxThrowException Driver: IMAGE_IMPORT_BY_NAME.Name1: _purecall Driver: IMAGE_IMPORT_BY_NAME.Name1: memmove Driver: IMAGE_IMPORT_BY_NAME.Name1: wcstombs Driver: IMAGE_IMPORT_BY_NAME.Name1: _vsnprintf Driver: IMAGE_IMPORT_BY_NAME.Name1: iswspace Driver: IMAGE_IMPORT_BY_NAME.Name1: asctime Driver: IMAGE_IMPORT_BY_NAME.Name1: localtime Driver: IMAGE_IMPORT_BY_NAME.Name1: time Driver: IMAGE_IMPORT_BY_NAME.Name1: wcsncpy Driver: IMAGE_IMPORT_BY_NAME.Name1: ??3@YAXPAX@Z Driver: IMAGE_IMPORT_BY_NAME.Name1: _wcsicmp Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: ole32.dll Driver: IMAGE_IMPORT_BY_NAME.Name1: CoUninitialize Driver: IMAGE_IMPORT_BY_NAME.Name1: CoInitializeEx Driver: IMAGE_IMPORT_BY_NAME.Name1: CoInitialize Driver: IMAGE_IMPORT_BY_NAME.Name1: StringFromGUID2 Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: OLEAUT32.dll * Fatal System Error: 0x00000050 (0xF3CA0009,0x00000000,0x80539F16,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Sat Jul 3 12:18:07.453 2010 (GMT+8)), ptr64 FALSE Loading Kernel Symbols ............................................................... ......................................................... Loading User Symbols ................................................................ ................................................................ .......... Loading unloaded module list ........... ***************************************************************************** * * * Bugcheck Analysis * * * ***************************************************************************** Use !analyze -v to get detailed debugging information. BugCheck 50, {f3ca0009, 0, 80539f16, 0} * ERROR: Module load completed but symbols could not be loaded for Driver.sys *********************************************************************** * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: kernel32!pNlsUserInfo * * * ********************************************************************* ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: kernel32!pNlsUserInfo * * * ********************************************************************* Probably caused by : Driver.sys ( Driver+50f ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 80528bf4 cc int 3 kd> !analyze -v ***************************************************************************** * * * Bugcheck Analysis * * * ***************************************************************************** PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: f3ca0009, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 80539f16, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: kernel32!pNlsUserInfo * * * ********************************************************************* ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: kernel32!pNlsUserInfo * * * *********************************************************************** READ_ADDRESS: f3ca0009 FAULTING_IP: nt!_output+64d 80539f16 803800 cmp byte ptr [eax],0 MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: svchost.exe TRAP_FRAME: b222a628 -- (.trap 0xffffffffb222a628) ErrCode = 00000000 eax=f3ca0009 ebx=00000073 ecx=7ffffffe edx=b222a9a5 esi=b222a6e0 edi=80528e75 eip=80539f16 esp=b222a69c ebp=b222a904 iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202 nt!_output+0x64d: 80539f16 803800 cmp byte ptr [eax],0 ds:0023:f3ca0009=?? Resetting default scope LAST_CONTROL_TRANSFER: from 804f8bad to 80528bf4 STACK_TEXT: b222a164 804f8bad 00000003 f3ca0009 00000000 nt!RtlpBreakWithStatusInstruction b222a1b0 804f979a 00000003 00000000 c079e500 nt!KiBugCheckDebugBreak+0x19 b222a590 804f9cc5 00000050 f3ca0009 00000000 nt!KeBugCheck2+0x574 b222a5b0 8051dc67 00000050 f3ca0009 00000000 nt!KeBugCheckEx+0x1b b222a610 80541554 00000000 f3ca0009 00000000 nt!MmAccessFault+0x8e7 b222a610 80539f16 00000000 f3ca0009 00000000 nt!KiTrap0E+0xcc b222a904 80537281 b222a920 f8cda7ef b222abc0 nt!_output+0x64d b222a940 80528c8f b222a97c 00000200 f8cda7ef nt!_vsnprintf+0x2f b222ab98 80528e94 80528e74 ffffffff 00000000 nt!vDbgPrintExWithPrefix+0x91 b222abb4 f8cda50f f8cda7ef f3ca0009 f3ca0009 nt!DbgPrint+0x1a WARNING: Stack unwind information not available. Following frames may be wrong. b222abe0 805c735e 81fd2fc0 00000408 b222ac20 Driver+0x50f b222ac00 805a7927 81fd2fc0 00000408 b222ac20 nt!PsCallImageNotifyRoutines+0x36 b222ac48 805a8414 81fd9f30 73ca0000 b222ad18 nt!MiMapViewOfImageSection+0x4c1 b222aca4 805a87d9 00000004 81d00878 b222ad18 nt!MmMapViewOfSection+0x13c b222ad34 8053e658 00000cb8 ffffffff 0273e0dc nt!NtMapViewOfSection+0x2bd b222ad34 7c92e514 00000cb8 ffffffff 0273e0dc nt!KiFastCallEntry+0xf8 0273e000 7c92d52a 7c93b753 00000cb8 ffffffff ntdll!KiFastSystemCallRet 0273e004 7c93b753 00000cb8 ffffffff 0273e0dc ntdll!NtMapViewOfSection+0xc 0273e0f8 7c935b7a 033a5570 0273e184 0273e6ac ntdll!LdrpMapDll+0x330 0273e3b8 7c935de3 00000000 033a5570 0273e6ac ntdll!LdrpLoadDll+0x1e9 0273e660 7c801bbd 033a5570 0273e6ac 0273e68c ntdll!LdrLoadDll+0x230 0273e6c8 769c2485 0273e744 00000000 00000008 kernel32!LoadLibraryExW+0x18e 0273e6ec 769c23a1 0273e744 0273e710 0273e714 ole32!CClassCache::CDllPathEntry::LoadDll+0x6c 0273e71c 769c1824 0273e744 0273ea18 0273e73c ole32!CClassCache::CDllPathEntry::Create_rl+0x37 0273e968 769c1747 00000001 0273ea18 0273e998 ole32!CClassCache::CClassEntry::CreateDllClassEntry_rl+0xd6 0273e9b0 769c16a5 00000001 0010e434 0273e9d8 ole32!CClassCache::GetClassObjectActivator+0x195 0273e9dc 769c5b25 0273ea18 0273f4e8 0273efac ole32!CClassCache::GetClassObject+0x23 0273ea50 769c5a11 76ab7150 0273efac 0273f4e8 ole32!CServerContextActivator::GetClassObject+0xf5 0273ea88 769c5bf7 0273efac 0273f4e8 0273efac ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3 0273eaa8 769c5ba3 76ab7154 0273efac 0273f4e8 ole32!CApartmentActivator::GetClassObject+0x4d 0273eac0 769c20c8 76ab7154 00000001 00000000 ole32!CProcessActivator::GCOCallback+0x2b 0273eae0 769c207f 76ab714c 0273ee08 00000000 ole32!CProcessActivator::AttemptActivation+0x2c 0273eb18 769c5c4a 76ab714c 0273ee08 00000000 ole32!CProcessActivator::ActivateByContext+0x42 0273eb40 769c5a11 76ab714c 0273efac 0273f4e8 ole32!CProcessActivator::GetClassObject+0x48 0273eb78 769c5a2b 0273efac 0273f4e8 003a0043 ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3 0273edc0 769c5a11 76ab7114 00000001 0273f4e8 ole32!CClientContextActivator::GetClassObject+0x88 0273edf8 769c58a5 0273efac 0273f4e8 7699ca20 ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3 0273f5a4 769c575e 0011dad0 00000001 0273f618 ole32!ICoGetClassObject+0x334 0273f5d0 769c56e0 0011dad0 00000001 0273f618 ole32!CComActivator::DoGetClassObject+0x93 0273f5f0 3fcfc879 0011dad0 00000001 0273f618 ole32!CoGetClassObject+0x1b 0273f6dc 3fcfc9b6 0011d418 0011dad0 00000000 wmiprvsd!CServerObject_RawFactory::CreateInstance+0xc0 0273f7b8 3fcfdd8b 0011d418 00000000 00000000 wmiprvsd!CServerObject_RawFactory::CreateServerSide+0xb1 0273f8b8 3fcffa3d 00000000 027bb678 00000000 wmiprvsd!CServerObject_RawFactory::GetNonApartmentProvider+0x9f 0273f964 3fcdb480 0012a378 00000000 00000000 wmiprvsd!CServerObject_RawFactory::GetProvider+0x257 0273fa24 3fcdc98a 0012a158 0012a290 00000000 wmiprvsd!CServerObject_BindingFactory::InternalGetProvider+0x110 0273fac4 3fce01df 02807948 027827f0 033a7a20 wmiprvsd!CServerObject_BindingFactory::InternalGetProviderViaProxyRoute+0x183 0273fbb0 3fce05f3 02807948 027827f0 00116b20 wmiprvsd!CServerObject_BindingFactory::InternalFindProvider+0x452 0273fcbc 75312253 00111a88 00000000 00000000 wmiprvsd!CServerObject_BindingFactory::GetProvider+0x372 0273fd18 7530eec7 027f62f0 3fcc4988 0273fdac wbemess!CEssNamespace::LoadConsumerProvider+0x56 0273fd54 7530eff1 0273fdac 0273fdb4 0273fdb0 wbemess!CConsumerProviderRecord::Resolve+0x213 0273fd88 7530f799 0273fdac 0273fdb4 0273fdb0 wbemess!CConsumerProviderRecord::ResolveAndCache+0x21 0273fdc4 7530c9c2 02811218 0278b528 0273fe4c wbemess!CConsumerProviderRecord::GetGlobalObjectSink+0x84 0273fdfc 7530ce6e 0273fe4c 0273fe50 00000000 wbemess!CPermanentConsumer::ObtainSink+0x53 0273fe28 7530d371 0273fe4c 0273fe50 00000000 wbemess!CPermanentConsumer::RetrieveSink+0x7b 0273fe64 752f912d 00000001 0273fe9c 00000000 wbemess!CPermanentConsumer::ActuallyDeliver+0x35 0273fe88 752f9648 00000000 00000001 0273fe9c wbemess!CQueueingEventSink::DeliverEvents+0x3a 0273ff04 752f98a7 027c5768 027d0908 02795b90 wbemess!CQueueingEventSink::DeliverSome+0x24f 0273ff38 751ff004 027c5768 02795b90 7c9210e0 wbemess!CQueueingEventSink::DeliverAll+0x56 0273ff4c 751fed05 027c5768 00000000 027c5768 wbemcomn!CExecQueue::Execute+0x17 0273ff7c 7530c2da 027c5768 00000000 00000000 wbemcomn!CExecQueue::ThreadMain+0x11f 0273ffa8 751fed1e 027c5768 0273ffec 7c80b729 wbemess!CEventQueue::ThreadMain+0x22 0273ffb4 7c80b729 027c5768 00000000 00000000 wbemcomn!CExecQueue::_ThreadEntry+0xf 0273ffec 00000000 751fed0f 027c5768 00000000 kernel32!BaseThreadStart+0x37 STACK_COMMAND: kb FOLLOWUP_IP: Driver+50f f8cda50f 83c408 add esp,8 SYMBOL_STACK_INDEX: a SYMBOL_NAME: Driver+50f FOLLOWUP_NAME: MachineOwner MODULE_NAME: Driver IMAGE_NAME: Driver.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4c2eb9d8 FAILURE_BUCKET_ID: 0x50_Driver+50f BUCKET_ID: 0x50_Driver+50f Followup: MachineOwner --------- f8cda4db 50 push eax f8cda4dc 50 push eax ;push eax f8cda4dd 68bda7cdf8 push offset Driver+0x7bd (f8cda7bd) ;push $CTA0("Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: %s\n") f8cda4e2 e85f010000 call Driver+0x646 (f8cda646) ;call DbgPrint f8cda4e7 83c408 add esp,8 ;这里都没出错 f8cda4ea 58 pop eax f8cda4eb 8b07 mov eax,dword ptr [edi] f8cda4ed 0345fc add eax,dword ptr [ebp-4] f8cda4f0 8bd8 mov ebx,eax f8cda4f2 c745f800000000 mov dword ptr [ebp-8],0 f8cda4f9 eb1f jmp Driver+0x51a (f8cda51a) f8cda4fb 8b03 mov eax,dword ptr [ebx] f8cda4fd 0345fc add eax,dword ptr [ebp-4] f8cda500 8d4002 lea eax,[eax+2] f8cda503 50 push eax f8cda504 50 push eax ;push eax f8cda505 68efa7cdf8 push offset Driver+0x7ef (f8cda7ef) ;push $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n") f8cda50a e837010000 call Driver+0x646 (f8cda646) ;call DbgPrint f8cda50f 83c408 add esp,8 ; ?????? 为什么这里出错? f8cda512 58 pop eax f8cda513 8345f804 add dword ptr [ebp-8],4 f8cda517 83c304 add ebx,4 2010-7-3 00:22 0
轩辕小聪雪币： 722 活跃值： (123) 能力值： ( LV12，RANK：300 ) 在线值：发帖 10 回帖 547 粉丝 5 关注私信	轩辕小聪 7 3 楼 .while dword ptr [ebx];当项目中的值不为0 mov eax,dword ptr [ebx];认为该值即为IMAGE_IMPORT_BY_NAME结构偏移 add eax,@hMod;加上基址得到IMAGE_IMPORT_BY_NAME结构指针 assume eax:ptr IMAGE_IMPORT_BY_NAME lea eax,[eax].Name1;得到函数名字符串指针 push eax invoke DbgPrint, $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n"), eax;DbgPrint打印函数名 pop eax assume eax:nothing add @iNum,4 add ebx,4 .endw 你的这个判断逻辑，在函数是以函数名导入的情况下是对的，但是没有考虑函数以序号导入的情况。当函数以序号导入的时候，dword ptr [ebx]中保存的是0x80000000+函数序号，而不是IMAGE_IMPORT_BY_NAME结构指针，这样被你加上基址再加2之后，再DbgPrint时，相当于%s参数的字符串指针变成了一个错误的内核态地址，因此导致不可预知的结果，通常会BSOD。分析你提供的crash dump内容可以证实： Driver: ImageInfo.ImageBase: 73CA0000 ...... Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: OLEAUT32.dll b222abb4 f8cda50f f8cda7ef f3ca0009 f3ca0009 nt!DbgPrint+0x1a 从你提供的信息看来，该问题出现在系统加载一个基址为73CA0000的dll时，从栈回溯的这一行可以看到DbgPrint的输入参数，第一个参数是f8cda7ef，也就是$CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n")，而第二个参数本来应该是指向这个dll中的一个字符串指针，结果却是f3ca0009。那么这个值是怎么来的呢，就是我上面说的函数使用序号导入。 f3ca0009=80000000+73ca0000（被加上的基址）+2（lea eax, [eax+2]的结果）+7 可以看到dword ptr [ebx]里原来保存的应该是0x80000007，即说明这个函数是以序号7导入的。知道了这个问题，解决方法楼主自己应该就能搞清楚了。 2010-7-3 20:11 0
sharenpk 雪币： 253 活跃值： (169) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 37 粉丝 1 关注私信	sharenpk 4 楼非常感谢非常感谢，一语点醒梦中人啊 2010-7-3 20:51 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

sharenpk

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
sharenpk 雪币： 253 活跃值： (169) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 37 粉丝 1 关注私信	sharenpk 2 楼又试了几次现在都是同样的错误了，但好像是DbgPrint的问题？ Driver: Loading... Driver: Creating... Driver: Closing... Driver: ImageInfo.ImageBase: 73CA0000 Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: msvcrt.dll Driver: IMAGE_IMPORT_BY_NAME.Name1: ??2@YAPAXI@Z Driver: IMAGE_IMPORT_BY_NAME.Name1: _onexit Driver: IMAGE_IMPORT_BY_NAME.Name1: __dllonexit Driver: IMAGE_IMPORT_BY_NAME.Name1: ?terminate@@YAXXZ Driver: IMAGE_IMPORT_BY_NAME.Name1: ??1type_info@@UAE@XZ Driver: IMAGE_IMPORT_BY_NAME.Name1: _adjust_fdiv Driver: IMAGE_IMPORT_BY_NAME.Name1: malloc Driver: IMAGE_IMPORT_BY_NAME.Name1: _initterm Driver: IMAGE_IMPORT_BY_NAME.Name1: free Driver: IMAGE_IMPORT_BY_NAME.Name1: wcslen Driver: IMAGE_IMPORT_BY_NAME.Name1: wcsstr Driver: IMAGE_IMPORT_BY_NAME.Name1: wcscpy Driver: IMAGE_IMPORT_BY_NAME.Name1: wcscat Driver: IMAGE_IMPORT_BY_NAME.Name1: _wfindnexti64 Driver: IMAGE_IMPORT_BY_NAME.Name1: swprintf Driver: IMAGE_IMPORT_BY_NAME.Name1: _wremove Driver: IMAGE_IMPORT_BY_NAME.Name1: _wsplitpath Driver: IMAGE_IMPORT_BY_NAME.Name1: swscanf Driver: IMAGE_IMPORT_BY_NAME.Name1: _wfindfirsti64 Driver: IMAGE_IMPORT_BY_NAME.Name1: _findclose Driver: IMAGE_IMPORT_BY_NAME.Name1: __CxxFrameHandler Driver: IMAGE_IMPORT_BY_NAME.Name1: _except_handler3 Driver: IMAGE_IMPORT_BY_NAME.Name1: _vsnwprintf Driver: IMAGE_IMPORT_BY_NAME.Name1: wcschr Driver: IMAGE_IMPORT_BY_NAME.Name1: wcstoul Driver: IMAGE_IMPORT_BY_NAME.Name1: _CxxThrowException Driver: IMAGE_IMPORT_BY_NAME.Name1: _purecall Driver: IMAGE_IMPORT_BY_NAME.Name1: memmove Driver: IMAGE_IMPORT_BY_NAME.Name1: wcstombs Driver: IMAGE_IMPORT_BY_NAME.Name1: _vsnprintf Driver: IMAGE_IMPORT_BY_NAME.Name1: iswspace Driver: IMAGE_IMPORT_BY_NAME.Name1: asctime Driver: IMAGE_IMPORT_BY_NAME.Name1: localtime Driver: IMAGE_IMPORT_BY_NAME.Name1: time Driver: IMAGE_IMPORT_BY_NAME.Name1: wcsncpy Driver: IMAGE_IMPORT_BY_NAME.Name1: ??3@YAXPAX@Z Driver: IMAGE_IMPORT_BY_NAME.Name1: _wcsicmp Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: ole32.dll Driver: IMAGE_IMPORT_BY_NAME.Name1: CoUninitialize Driver: IMAGE_IMPORT_BY_NAME.Name1: CoInitializeEx Driver: IMAGE_IMPORT_BY_NAME.Name1: CoInitialize Driver: IMAGE_IMPORT_BY_NAME.Name1: StringFromGUID2 Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: OLEAUT32.dll * Fatal System Error: 0x00000050 (0xF3CA0009,0x00000000,0x80539F16,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Sat Jul 3 12:18:07.453 2010 (GMT+8)), ptr64 FALSE Loading Kernel Symbols ............................................................... ......................................................... Loading User Symbols ................................................................ ................................................................ .......... Loading unloaded module list ........... ***************************************************************************** * * * Bugcheck Analysis * * * ***************************************************************************** Use !analyze -v to get detailed debugging information. BugCheck 50, {f3ca0009, 0, 80539f16, 0} * ERROR: Module load completed but symbols could not be loaded for Driver.sys *********************************************************************** * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: kernel32!pNlsUserInfo * * * ********************************************************************* ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: kernel32!pNlsUserInfo * * * ********************************************************************* Probably caused by : Driver.sys ( Driver+50f ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 80528bf4 cc int 3 kd> !analyze -v ***************************************************************************** * * * Bugcheck Analysis * * * ***************************************************************************** PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: f3ca0009, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 80539f16, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: kernel32!pNlsUserInfo * * * ********************************************************************* ********************************************************************* * * * * * Your debugger is not using the correct symbols * * * * In order for this command to work properly, your symbol path * * must point to .pdb files that have full type information. * * * * Certain .pdb files (such as the public OS symbols) do not * * contain the required information. Contact the group that * * provided you with these symbols if you need this command to * * work. * * * * Type referenced: kernel32!pNlsUserInfo * * * *********************************************************************** READ_ADDRESS: f3ca0009 FAULTING_IP: nt!_output+64d 80539f16 803800 cmp byte ptr [eax],0 MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: svchost.exe TRAP_FRAME: b222a628 -- (.trap 0xffffffffb222a628) ErrCode = 00000000 eax=f3ca0009 ebx=00000073 ecx=7ffffffe edx=b222a9a5 esi=b222a6e0 edi=80528e75 eip=80539f16 esp=b222a69c ebp=b222a904 iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202 nt!_output+0x64d: 80539f16 803800 cmp byte ptr [eax],0 ds:0023:f3ca0009=?? Resetting default scope LAST_CONTROL_TRANSFER: from 804f8bad to 80528bf4 STACK_TEXT: b222a164 804f8bad 00000003 f3ca0009 00000000 nt!RtlpBreakWithStatusInstruction b222a1b0 804f979a 00000003 00000000 c079e500 nt!KiBugCheckDebugBreak+0x19 b222a590 804f9cc5 00000050 f3ca0009 00000000 nt!KeBugCheck2+0x574 b222a5b0 8051dc67 00000050 f3ca0009 00000000 nt!KeBugCheckEx+0x1b b222a610 80541554 00000000 f3ca0009 00000000 nt!MmAccessFault+0x8e7 b222a610 80539f16 00000000 f3ca0009 00000000 nt!KiTrap0E+0xcc b222a904 80537281 b222a920 f8cda7ef b222abc0 nt!_output+0x64d b222a940 80528c8f b222a97c 00000200 f8cda7ef nt!_vsnprintf+0x2f b222ab98 80528e94 80528e74 ffffffff 00000000 nt!vDbgPrintExWithPrefix+0x91 b222abb4 f8cda50f f8cda7ef f3ca0009 f3ca0009 nt!DbgPrint+0x1a WARNING: Stack unwind information not available. Following frames may be wrong. b222abe0 805c735e 81fd2fc0 00000408 b222ac20 Driver+0x50f b222ac00 805a7927 81fd2fc0 00000408 b222ac20 nt!PsCallImageNotifyRoutines+0x36 b222ac48 805a8414 81fd9f30 73ca0000 b222ad18 nt!MiMapViewOfImageSection+0x4c1 b222aca4 805a87d9 00000004 81d00878 b222ad18 nt!MmMapViewOfSection+0x13c b222ad34 8053e658 00000cb8 ffffffff 0273e0dc nt!NtMapViewOfSection+0x2bd b222ad34 7c92e514 00000cb8 ffffffff 0273e0dc nt!KiFastCallEntry+0xf8 0273e000 7c92d52a 7c93b753 00000cb8 ffffffff ntdll!KiFastSystemCallRet 0273e004 7c93b753 00000cb8 ffffffff 0273e0dc ntdll!NtMapViewOfSection+0xc 0273e0f8 7c935b7a 033a5570 0273e184 0273e6ac ntdll!LdrpMapDll+0x330 0273e3b8 7c935de3 00000000 033a5570 0273e6ac ntdll!LdrpLoadDll+0x1e9 0273e660 7c801bbd 033a5570 0273e6ac 0273e68c ntdll!LdrLoadDll+0x230 0273e6c8 769c2485 0273e744 00000000 00000008 kernel32!LoadLibraryExW+0x18e 0273e6ec 769c23a1 0273e744 0273e710 0273e714 ole32!CClassCache::CDllPathEntry::LoadDll+0x6c 0273e71c 769c1824 0273e744 0273ea18 0273e73c ole32!CClassCache::CDllPathEntry::Create_rl+0x37 0273e968 769c1747 00000001 0273ea18 0273e998 ole32!CClassCache::CClassEntry::CreateDllClassEntry_rl+0xd6 0273e9b0 769c16a5 00000001 0010e434 0273e9d8 ole32!CClassCache::GetClassObjectActivator+0x195 0273e9dc 769c5b25 0273ea18 0273f4e8 0273efac ole32!CClassCache::GetClassObject+0x23 0273ea50 769c5a11 76ab7150 0273efac 0273f4e8 ole32!CServerContextActivator::GetClassObject+0xf5 0273ea88 769c5bf7 0273efac 0273f4e8 0273efac ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3 0273eaa8 769c5ba3 76ab7154 0273efac 0273f4e8 ole32!CApartmentActivator::GetClassObject+0x4d 0273eac0 769c20c8 76ab7154 00000001 00000000 ole32!CProcessActivator::GCOCallback+0x2b 0273eae0 769c207f 76ab714c 0273ee08 00000000 ole32!CProcessActivator::AttemptActivation+0x2c 0273eb18 769c5c4a 76ab714c 0273ee08 00000000 ole32!CProcessActivator::ActivateByContext+0x42 0273eb40 769c5a11 76ab714c 0273efac 0273f4e8 ole32!CProcessActivator::GetClassObject+0x48 0273eb78 769c5a2b 0273efac 0273f4e8 003a0043 ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3 0273edc0 769c5a11 76ab7114 00000001 0273f4e8 ole32!CClientContextActivator::GetClassObject+0x88 0273edf8 769c58a5 0273efac 0273f4e8 7699ca20 ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3 0273f5a4 769c575e 0011dad0 00000001 0273f618 ole32!ICoGetClassObject+0x334 0273f5d0 769c56e0 0011dad0 00000001 0273f618 ole32!CComActivator::DoGetClassObject+0x93 0273f5f0 3fcfc879 0011dad0 00000001 0273f618 ole32!CoGetClassObject+0x1b 0273f6dc 3fcfc9b6 0011d418 0011dad0 00000000 wmiprvsd!CServerObject_RawFactory::CreateInstance+0xc0 0273f7b8 3fcfdd8b 0011d418 00000000 00000000 wmiprvsd!CServerObject_RawFactory::CreateServerSide+0xb1 0273f8b8 3fcffa3d 00000000 027bb678 00000000 wmiprvsd!CServerObject_RawFactory::GetNonApartmentProvider+0x9f 0273f964 3fcdb480 0012a378 00000000 00000000 wmiprvsd!CServerObject_RawFactory::GetProvider+0x257 0273fa24 3fcdc98a 0012a158 0012a290 00000000 wmiprvsd!CServerObject_BindingFactory::InternalGetProvider+0x110 0273fac4 3fce01df 02807948 027827f0 033a7a20 wmiprvsd!CServerObject_BindingFactory::InternalGetProviderViaProxyRoute+0x183 0273fbb0 3fce05f3 02807948 027827f0 00116b20 wmiprvsd!CServerObject_BindingFactory::InternalFindProvider+0x452 0273fcbc 75312253 00111a88 00000000 00000000 wmiprvsd!CServerObject_BindingFactory::GetProvider+0x372 0273fd18 7530eec7 027f62f0 3fcc4988 0273fdac wbemess!CEssNamespace::LoadConsumerProvider+0x56 0273fd54 7530eff1 0273fdac 0273fdb4 0273fdb0 wbemess!CConsumerProviderRecord::Resolve+0x213 0273fd88 7530f799 0273fdac 0273fdb4 0273fdb0 wbemess!CConsumerProviderRecord::ResolveAndCache+0x21 0273fdc4 7530c9c2 02811218 0278b528 0273fe4c wbemess!CConsumerProviderRecord::GetGlobalObjectSink+0x84 0273fdfc 7530ce6e 0273fe4c 0273fe50 00000000 wbemess!CPermanentConsumer::ObtainSink+0x53 0273fe28 7530d371 0273fe4c 0273fe50 00000000 wbemess!CPermanentConsumer::RetrieveSink+0x7b 0273fe64 752f912d 00000001 0273fe9c 00000000 wbemess!CPermanentConsumer::ActuallyDeliver+0x35 0273fe88 752f9648 00000000 00000001 0273fe9c wbemess!CQueueingEventSink::DeliverEvents+0x3a 0273ff04 752f98a7 027c5768 027d0908 02795b90 wbemess!CQueueingEventSink::DeliverSome+0x24f 0273ff38 751ff004 027c5768 02795b90 7c9210e0 wbemess!CQueueingEventSink::DeliverAll+0x56 0273ff4c 751fed05 027c5768 00000000 027c5768 wbemcomn!CExecQueue::Execute+0x17 0273ff7c 7530c2da 027c5768 00000000 00000000 wbemcomn!CExecQueue::ThreadMain+0x11f 0273ffa8 751fed1e 027c5768 0273ffec 7c80b729 wbemess!CEventQueue::ThreadMain+0x22 0273ffb4 7c80b729 027c5768 00000000 00000000 wbemcomn!CExecQueue::_ThreadEntry+0xf 0273ffec 00000000 751fed0f 027c5768 00000000 kernel32!BaseThreadStart+0x37 STACK_COMMAND: kb FOLLOWUP_IP: Driver+50f f8cda50f 83c408 add esp,8 SYMBOL_STACK_INDEX: a SYMBOL_NAME: Driver+50f FOLLOWUP_NAME: MachineOwner MODULE_NAME: Driver IMAGE_NAME: Driver.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4c2eb9d8 FAILURE_BUCKET_ID: 0x50_Driver+50f BUCKET_ID: 0x50_Driver+50f Followup: MachineOwner --------- f8cda4db 50 push eax f8cda4dc 50 push eax ;push eax f8cda4dd 68bda7cdf8 push offset Driver+0x7bd (f8cda7bd) ;push $CTA0("Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: %s\n") f8cda4e2 e85f010000 call Driver+0x646 (f8cda646) ;call DbgPrint f8cda4e7 83c408 add esp,8 ;这里都没出错 f8cda4ea 58 pop eax f8cda4eb 8b07 mov eax,dword ptr [edi] f8cda4ed 0345fc add eax,dword ptr [ebp-4] f8cda4f0 8bd8 mov ebx,eax f8cda4f2 c745f800000000 mov dword ptr [ebp-8],0 f8cda4f9 eb1f jmp Driver+0x51a (f8cda51a) f8cda4fb 8b03 mov eax,dword ptr [ebx] f8cda4fd 0345fc add eax,dword ptr [ebp-4] f8cda500 8d4002 lea eax,[eax+2] f8cda503 50 push eax f8cda504 50 push eax ;push eax f8cda505 68efa7cdf8 push offset Driver+0x7ef (f8cda7ef) ;push $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n") f8cda50a e837010000 call Driver+0x646 (f8cda646) ;call DbgPrint f8cda50f 83c408 add esp,8 ; ?????? 为什么这里出错? f8cda512 58 pop eax f8cda513 8345f804 add dword ptr [ebp-8],4 f8cda517 83c304 add ebx,4 2010-7-3 00:22 0
轩辕小聪雪币： 722 活跃值： (123) 能力值： ( LV12，RANK：300 ) 在线值：发帖 10 回帖 547 粉丝 5 关注私信	轩辕小聪 7 3 楼 .while dword ptr [ebx];当项目中的值不为0 mov eax,dword ptr [ebx];认为该值即为IMAGE_IMPORT_BY_NAME结构偏移 add eax,@hMod;加上基址得到IMAGE_IMPORT_BY_NAME结构指针 assume eax:ptr IMAGE_IMPORT_BY_NAME lea eax,[eax].Name1;得到函数名字符串指针 push eax invoke DbgPrint, $CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n"), eax;DbgPrint打印函数名 pop eax assume eax:nothing add @iNum,4 add ebx,4 .endw 你的这个判断逻辑，在函数是以函数名导入的情况下是对的，但是没有考虑函数以序号导入的情况。当函数以序号导入的时候，dword ptr [ebx]中保存的是0x80000000+函数序号，而不是IMAGE_IMPORT_BY_NAME结构指针，这样被你加上基址再加2之后，再DbgPrint时，相当于%s参数的字符串指针变成了一个错误的内核态地址，因此导致不可预知的结果，通常会BSOD。分析你提供的crash dump内容可以证实： Driver: ImageInfo.ImageBase: 73CA0000 ...... Driver: IMAGE_IMPORT_DESCRIPTOR.Name1: OLEAUT32.dll b222abb4 f8cda50f f8cda7ef f3ca0009 f3ca0009 nt!DbgPrint+0x1a 从你提供的信息看来，该问题出现在系统加载一个基址为73CA0000的dll时，从栈回溯的这一行可以看到DbgPrint的输入参数，第一个参数是f8cda7ef，也就是$CTA0("Driver: IMAGE_IMPORT_BY_NAME.Name1: %s\n")，而第二个参数本来应该是指向这个dll中的一个字符串指针，结果却是f3ca0009。那么这个值是怎么来的呢，就是我上面说的函数使用序号导入。 f3ca0009=80000000+73ca0000（被加上的基址）+2（lea eax, [eax+2]的结果）+7 可以看到dword ptr [ebx]里原来保存的应该是0x80000007，即说明这个函数是以序号7导入的。知道了这个问题，解决方法楼主自己应该就能搞清楚了。 2010-7-3 20:11 0
sharenpk 雪币： 253 活跃值： (169) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 37 粉丝 1 关注私信	sharenpk 4 楼非常感谢非常感谢，一语点醒梦中人啊 2010-7-3 20:51 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复