[求助]蓝屏DUMP信息 求助
发表于: 2010-7-9 17:10 4926
nt!RtlpBreakWithStatusInstruction:
818f1514 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 857903ca, The address that the exception occurred at
Arg3: 87c37980, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
ndis!ndisMSendCompleteNetBufferListsInternal+64
857903ca 8901 mov dword ptr [ecx],eax
TRAP_FRAME: 87c37980 -- (.trap 0xffffffff87c37980)
ErrCode = 00000002
eax=849d01c0 ebx=856fc000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=857903ca esp=87c379f4 ebp=87c37a14 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
ndis!ndisMSendCompleteNetBufferListsInternal+0x64:
857903ca 8901 mov dword ptr [ecx],eax ds:0023:00000000=????????
Resetting default scope
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x8E
PROCESS_NAME: themida.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 819062d7 to 818f1514
STACK_TEXT:
87c37104 819062d7 00000003 25e61612 00000000 nt!RtlpBreakWithStatusInstruction
87c37154 81906dbd 00000003 87c37980 00000000 nt!KiBugCheckDebugBreak+0x1c
87c37520 81906163 0000008e c0000005 857903ca nt!KeBugCheck2+0x66d
87c37540 8186f5a0 0000008e c0000005 857903ca nt!KeBugCheckEx+0x1e
87c37910 8189163a 87c3792c 00000000 87c37980 nt!KiDispatchException+0x1a9
87c37978 818915ee 87c37a14 857903ca badb0d00 nt!CommonDispatchException+0x4a
87c3798c 818d577e 00000ff0 00000000 00000000 nt!Kei386EoiHelper+0x186
87c37a14 856c54f1 83e3c0e8 849d01c0 00000000 nt!MmResourcesAvailable+0x30
87c37a28 890dc0a2 846ea6b8 849d01c0 00000000 ndis!NdisFSendNetBufferListsComplete+0x1a
87c37a4c 857904dd 846a3d60 849d01c0 00000000 pacer!PcFilterSendNetBufferListsComplete+0xba
87c37a6c 856ee36e 83e3c0e8 849d01c0 00000000 ndis!NdisMSendNetBufferListsComplete+0x70
87c37aa0 857905ac 83e3c0e8 849d01c0 00000000 ndis!ndisMLoopbackNetBufferLists+0x119
87c37acc 856c5585 83e3c0e8 849d01c0 00000000 ndis!ndisMSendNBLToMiniport+0x9c
87c37aec 856c55a8 849d01c0 849d01c0 00000000 ndis!ndisFilterSendNetBufferLists+0x8b
87c37b04 890dc45f 846ea6b8 849d01c0 00000000 ndis!NdisFSendNetBufferLists+0x18
87c37b80 856c5638 846a3d60 849d01c0 00000000 pacer!PcFilterSendNetBufferLists+0x233
87c37b9c 8579064a 849d01c0 849d01c0 00000000 ndis!ndisSendNBLToFilter+0x87
87c37bc0 97315b91 846ec450 849d01c0 00000000 ndis!NdisSendNetBufferLists+0x4f
87c37c2c 818f5053 849fddc0 848f3a30 848f3a30 Firewall6!FirewallDeceiveControl+0x1d1 [d:\firewall6\firewall.c @ 319]
87c37c44 81a85515 849135a0 848f3a30 848f3aa0 nt!IofCallDriver+0x63
87c37c64 81a85cba 849fddc0 849135a0 0042bc00 nt!IopSynchronousServiceTail+0x1d9
87c37d00 81a6f98e 849fddc0 848f3a30 00000000 nt!IopXxxControlFile+0x6b7
87c37d34 81890a7a 00000028 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
87c37d34 77b89a94 00000028 00000000 00000000 nt!KiFastCallEntry+0x12a
0012fdf4 77b88444 7700c2a3 00000028 00000000 ntdll!KiFastSystemCallRet
0012fdf8 7700c2a3 00000028 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012fe58 004012f1 00000028 00222000 0042bccc kernel32!DeviceIoControl+0x14a
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff48 00402299 00000001 001a0b50 001a0bb8 themida+0x12f1
0012ff88 77024911 7ffd5000 0012ffd4 77b6e4b6 themida+0x2299
0012ff94 77b6e4b6 7ffd5000 77a84665 00000000 kernel32!BaseThreadInitThunk+0xe
0012ffd4 77b6e489 004021b0 7ffd5000 00000000 ntdll!__RtlUserThreadStart+0x23
0012ffec 00000000 004021b0 7ffd5000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !ndis
857905fb-857905ff 5 bytes - ndis!NdisSendNetBufferLists
[ 8b ff 55 8b ec:e9 60 4c b8 11 ]
5 errors : !ndis (857905fb-857905ff)
MODULE_NAME: Firewall6
IMAGE_NAME: Firewall6.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4c36d8ca
FOLLOWUP_NAME: MachineOwner
MEMORY_CORRUPTOR: PATCH_Firewall6
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_Firewall6
BUCKET_ID: MEMORY_CORRUPTION_PATCH_Firewall6
Followup: Mac
源码:
发送部分:
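/*
 * Send path: describe the ARP frame with an MDL, wrap it in a NET_BUFFER_LIST
 * and submit it through NdisSendNetBufferLists.
 *
 * Both allocations are checked at run time. ASSERT is compiled out of free
 * builds, and the original wrote through pNetBufferList->ProtocolReserved
 * without testing the allocation result.
 *
 * NOTE(review): the !chkimg output in the dump on this page reports the first
 * five bytes of ndis!NdisSendNetBufferLists replaced by an e9 jump and names
 * Firewall6 as the patcher. That patch is why the analyzer buckets the crash
 * as code corruption; the fault itself is the write through a null ecx at
 * ndisMSendCompleteNetBufferListsInternal+0x64.
 */
pMdl = NdisAllocateMdl(MySendProtocolBindingContext, /* author's note: this is also right, cf. pFilter->FilterHandle */
                       pArpPacket,
                       PacketSize);
ASSERT(pMdl != NULL);
if (pMdl != NULL)
{
    pNetBufferList = NdisAllocateNetBufferAndNetBufferList(
        SendNetBufferListPool, /* obtained during initialisation, see Init() */
        0,                     /* request control offset delta */
        0,                     /* back fill size */
        pMdl,
        0,                     /* data offset */
        PacketSize);

    if (pNetBufferList == NULL)
    {
        /* The MDL has no owner once the list allocation fails. */
        NdisFreeMdl(pMdl);
    }
    else
    {
        /*
         * The NdisSendNetBufferLists documentation requires SourceHandle to
         * equal the binding handle passed to the call; NDIS uses it to return
         * the list on completion.
         * NOTE(review): this assumes MySendProtocolBindingContext is this
         * driver's own binding handle from NdisOpenAdapterEx - confirm. The
         * missing assignment is consistent with the null write in the
         * completion path shown in the dump, but that is not proven here.
         */
        pNetBufferList->SourceHandle = MySendProtocolBindingContext;

        /* Tag value 8; the completion fragment on this page tests for 8 or 9. */
        ((PRECV_RSVD)(pNetBufferList->ProtocolReserved))->Mien = 8;

        SendFlags |= NDIS_SEND_FLAGS_CHECK_FOR_LOOPBACK;
        NdisSendNetBufferLists(
            MySendProtocolBindingContext, /* author's note: correct; equivalent to pFilter->FilterHandle in the NDIS filter sample */
            pNetBufferList,
            NDIS_DEFAULT_PORT_NUMBER,
            SendFlags);
    }
}
/*
 * The frame buffer stays referenced by the MDL until the send completes, so it
 * must not be released here; the author left the call below commented out.
 * NOTE(review): nothing visible on this page frees pArpPacket later
 * (MyFreePacket releases only the MDL and the NET_BUFFER_LIST) - confirm who
 * owns it, including on the two failure paths above.
 */
// ExFreePool(pArpPacket);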
COMPLETE部分:(调试器看了一下,还没有执行到这里)
/*
 * Send-complete fragment: when the tag stored in ProtocolReserved is 8 or 9,
 * the list is logged, handed to MyFreePacket, and the handler returns.
 * 8 is the value the send fragment on this page writes; 9 is presumably
 * written by another send path - confirm.
 *
 * NOTE(review): only the head of NetBufferLists is inspected, and the
 * MyFreePacket shown on this page frees a single NET_BUFFER_LIST. If NDIS
 * completes a chain here, the remaining entries are neither checked nor
 * released - verify against the full handler.
 */
{
    PRECV_RSVD pReserved = (PRECV_RSVD)(NetBufferLists->ProtocolReserved);

    if (pReserved->Mien == 8 || pReserved->Mien == 9)
    {
        KdPrint(("Send Complete MyPacket!!!!\n"));
        MyFreePacket(NetBufferLists);
        return;
    }
}
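/*
 * Release a NET_BUFFER_LIST built by this driver's send path, together with
 * the MDL attached to its first NET_BUFFER.
 *
 * p may be NULL, in which case nothing is done.
 *
 * Changes from the original:
 *  - the NET_BUFFER_LIST is always freed; the original returned early when no
 *    MDL was attached and leaked the list;
 *  - the MDL is freed whenever it exists; the original freed it only if
 *    NdisQueryMdl managed to map it, so a failed mapping leaked the MDL;
 *  - p and the first NET_BUFFER are checked before being dereferenced.
 *
 * NOTE(review): the data buffer the MDL describes is not released here and no
 * other code on this page releases it - confirm where it is freed.
 */
void MyFreePacket(PNET_BUFFER_LIST p)
{
    PNET_BUFFER pNetBuffer;
    PMDL pMdl;

    if (p == NULL)
    {
        return;
    }

    pNetBuffer = NET_BUFFER_LIST_FIRST_NB(p);
    pMdl = (pNetBuffer != NULL) ? NET_BUFFER_FIRST_MDL(pNetBuffer) : NULL;

    /* Freeing the MDL does not need a system mapping, so none is requested. */
    if (pMdl != NULL)
    {
        NdisFreeMdl(pMdl);
    }

    NdisFreeNetBufferList(p);
}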
818f1514 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 857903ca, The address that the exception occurred at
Arg3: 87c37980, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
ndis!ndisMSendCompleteNetBufferListsInternal+64
857903ca 8901 mov dword ptr [ecx],eax
TRAP_FRAME: 87c37980 -- (.trap 0xffffffff87c37980)
ErrCode = 00000002
eax=849d01c0 ebx=856fc000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=857903ca esp=87c379f4 ebp=87c37a14 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
ndis!ndisMSendCompleteNetBufferListsInternal+0x64:
857903ca 8901 mov dword ptr [ecx],eax ds:0023:00000000=????????
Resetting default scope
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x8E
PROCESS_NAME: themida.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 819062d7 to 818f1514
STACK_TEXT:
87c37104 819062d7 00000003 25e61612 00000000 nt!RtlpBreakWithStatusInstruction
87c37154 81906dbd 00000003 87c37980 00000000 nt!KiBugCheckDebugBreak+0x1c
87c37520 81906163 0000008e c0000005 857903ca nt!KeBugCheck2+0x66d
87c37540 8186f5a0 0000008e c0000005 857903ca nt!KeBugCheckEx+0x1e
87c37910 8189163a 87c3792c 00000000 87c37980 nt!KiDispatchException+0x1a9
87c37978 818915ee 87c37a14 857903ca badb0d00 nt!CommonDispatchException+0x4a
87c3798c 818d577e 00000ff0 00000000 00000000 nt!Kei386EoiHelper+0x186
87c37a14 856c54f1 83e3c0e8 849d01c0 00000000 nt!MmResourcesAvailable+0x30
87c37a28 890dc0a2 846ea6b8 849d01c0 00000000 ndis!NdisFSendNetBufferListsComplete+0x1a
87c37a4c 857904dd 846a3d60 849d01c0 00000000 pacer!PcFilterSendNetBufferListsComplete+0xba
87c37a6c 856ee36e 83e3c0e8 849d01c0 00000000 ndis!NdisMSendNetBufferListsComplete+0x70
87c37aa0 857905ac 83e3c0e8 849d01c0 00000000 ndis!ndisMLoopbackNetBufferLists+0x119
87c37acc 856c5585 83e3c0e8 849d01c0 00000000 ndis!ndisMSendNBLToMiniport+0x9c
87c37aec 856c55a8 849d01c0 849d01c0 00000000 ndis!ndisFilterSendNetBufferLists+0x8b
87c37b04 890dc45f 846ea6b8 849d01c0 00000000 ndis!NdisFSendNetBufferLists+0x18
87c37b80 856c5638 846a3d60 849d01c0 00000000 pacer!PcFilterSendNetBufferLists+0x233
87c37b9c 8579064a 849d01c0 849d01c0 00000000 ndis!ndisSendNBLToFilter+0x87
87c37bc0 97315b91 846ec450 849d01c0 00000000 ndis!NdisSendNetBufferLists+0x4f
87c37c2c 818f5053 849fddc0 848f3a30 848f3a30 Firewall6!FirewallDeceiveControl+0x1d1 [d:\firewall6\firewall.c @ 319]
87c37c44 81a85515 849135a0 848f3a30 848f3aa0 nt!IofCallDriver+0x63
87c37c64 81a85cba 849fddc0 849135a0 0042bc00 nt!IopSynchronousServiceTail+0x1d9
87c37d00 81a6f98e 849fddc0 848f3a30 00000000 nt!IopXxxControlFile+0x6b7
87c37d34 81890a7a 00000028 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
87c37d34 77b89a94 00000028 00000000 00000000 nt!KiFastCallEntry+0x12a
0012fdf4 77b88444 7700c2a3 00000028 00000000 ntdll!KiFastSystemCallRet
0012fdf8 7700c2a3 00000028 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012fe58 004012f1 00000028 00222000 0042bccc kernel32!DeviceIoControl+0x14a
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff48 00402299 00000001 001a0b50 001a0bb8 themida+0x12f1
0012ff88 77024911 7ffd5000 0012ffd4 77b6e4b6 themida+0x2299
0012ff94 77b6e4b6 7ffd5000 77a84665 00000000 kernel32!BaseThreadInitThunk+0xe
0012ffd4 77b6e489 004021b0 7ffd5000 00000000 ntdll!__RtlUserThreadStart+0x23
0012ffec 00000000 004021b0 7ffd5000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !ndis
857905fb-857905ff 5 bytes - ndis!NdisSendNetBufferLists
[ 8b ff 55 8b ec:e9 60 4c b8 11 ]
5 errors : !ndis (857905fb-857905ff)
MODULE_NAME: Firewall6
IMAGE_NAME: Firewall6.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4c36d8ca
FOLLOWUP_NAME: MachineOwner
MEMORY_CORRUPTOR: PATCH_Firewall6
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_Firewall6
BUCKET_ID: MEMORY_CORRUPTION_PATCH_Firewall6
Followup: Mac
源码:
发送部分:
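/*
 * Send path: describe the ARP frame with an MDL, wrap it in a NET_BUFFER_LIST
 * and submit it through NdisSendNetBufferLists.
 *
 * Both allocations are checked at run time. ASSERT is compiled out of free
 * builds, and the original wrote through pNetBufferList->ProtocolReserved
 * without testing the allocation result.
 *
 * NOTE(review): the !chkimg output in the dump on this page reports the first
 * five bytes of ndis!NdisSendNetBufferLists replaced by an e9 jump and names
 * Firewall6 as the patcher. That patch is why the analyzer buckets the crash
 * as code corruption; the fault itself is the write through a null ecx at
 * ndisMSendCompleteNetBufferListsInternal+0x64.
 */
pMdl = NdisAllocateMdl(MySendProtocolBindingContext, /* author's note: this is also right, cf. pFilter->FilterHandle */
                       pArpPacket,
                       PacketSize);
ASSERT(pMdl != NULL);
if (pMdl != NULL)
{
    pNetBufferList = NdisAllocateNetBufferAndNetBufferList(
        SendNetBufferListPool, /* obtained during initialisation, see Init() */
        0,                     /* request control offset delta */
        0,                     /* back fill size */
        pMdl,
        0,                     /* data offset */
        PacketSize);

    if (pNetBufferList == NULL)
    {
        /* The MDL has no owner once the list allocation fails. */
        NdisFreeMdl(pMdl);
    }
    else
    {
        /*
         * The NdisSendNetBufferLists documentation requires SourceHandle to
         * equal the binding handle passed to the call; NDIS uses it to return
         * the list on completion.
         * NOTE(review): this assumes MySendProtocolBindingContext is this
         * driver's own binding handle from NdisOpenAdapterEx - confirm. The
         * missing assignment is consistent with the null write in the
         * completion path shown in the dump, but that is not proven here.
         */
        pNetBufferList->SourceHandle = MySendProtocolBindingContext;

        /* Tag value 8; the completion fragment on this page tests for 8 or 9. */
        ((PRECV_RSVD)(pNetBufferList->ProtocolReserved))->Mien = 8;

        SendFlags |= NDIS_SEND_FLAGS_CHECK_FOR_LOOPBACK;
        NdisSendNetBufferLists(
            MySendProtocolBindingContext, /* author's note: correct; equivalent to pFilter->FilterHandle in the NDIS filter sample */
            pNetBufferList,
            NDIS_DEFAULT_PORT_NUMBER,
            SendFlags);
    }
}
/*
 * The frame buffer stays referenced by the MDL until the send completes, so it
 * must not be released here; the author left the call below commented out.
 * NOTE(review): nothing visible on this page frees pArpPacket later
 * (MyFreePacket releases only the MDL and the NET_BUFFER_LIST) - confirm who
 * owns it, including on the two failure paths above.
 */
// ExFreePool(pArpPacket);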
COMPLETE部分:(调试器看了一下,还没有执行到这里)
/*
 * Send-complete fragment: when the tag stored in ProtocolReserved is 8 or 9,
 * the list is logged, handed to MyFreePacket, and the handler returns.
 * 8 is the value the send fragment on this page writes; 9 is presumably
 * written by another send path - confirm.
 *
 * NOTE(review): only the head of NetBufferLists is inspected, and the
 * MyFreePacket shown on this page frees a single NET_BUFFER_LIST. If NDIS
 * completes a chain here, the remaining entries are neither checked nor
 * released - verify against the full handler.
 */
{
    PRECV_RSVD pReserved = (PRECV_RSVD)(NetBufferLists->ProtocolReserved);

    if (pReserved->Mien == 8 || pReserved->Mien == 9)
    {
        KdPrint(("Send Complete MyPacket!!!!\n"));
        MyFreePacket(NetBufferLists);
        return;
    }
}
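/*
 * Release a NET_BUFFER_LIST built by this driver's send path, together with
 * the MDL attached to its first NET_BUFFER.
 *
 * p may be NULL, in which case nothing is done.
 *
 * Changes from the original:
 *  - the NET_BUFFER_LIST is always freed; the original returned early when no
 *    MDL was attached and leaked the list;
 *  - the MDL is freed whenever it exists; the original freed it only if
 *    NdisQueryMdl managed to map it, so a failed mapping leaked the MDL;
 *  - p and the first NET_BUFFER are checked before being dereferenced.
 *
 * NOTE(review): the data buffer the MDL describes is not released here and no
 * other code on this page releases it - confirm where it is freed.
 */
void MyFreePacket(PNET_BUFFER_LIST p)
{
    PNET_BUFFER pNetBuffer;
    PMDL pMdl;

    if (p == NULL)
    {
        return;
    }

    pNetBuffer = NET_BUFFER_LIST_FIRST_NB(p);
    pMdl = (pNetBuffer != NULL) ? NET_BUFFER_FIRST_MDL(pNetBuffer) : NULL;

    /* Freeing the MDL does not need a system mapping, so none is requested. */
    if (pMdl != NULL)
    {
        NdisFreeMdl(pMdl);
    }

    NdisFreeNetBufferList(p);
}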