I want to launch a ring3 program from ring0 by inserting an APC. On XP the program runs correctly, but on Win7 it keeps blue-screening. Asking the experts here for help, thanks!
The WinDbg analysis output is as follows:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 846f525b, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 0000000c
CURRENT_IRQL: 2
FAULTING_IP:
nt!KiInsertQueueApc+6d
846f525b 8b5104 mov edx,dword ptr [ecx+4]
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: BCService.exe
TRAP_FRAME: 807cea54 -- (.trap 0xffffffff807cea54)
ErrCode = 00000000
eax=00000000 ebx=8c0da701 ecx=00000008 edx=00000001 esi=8c0da79c edi=8cd082f0
eip=846f525b esp=807ceac8 ebp=807ceaf4 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!KiInsertQueueApc+0x6d:
846f525b 8b5104 mov edx,dword ptr [ecx+4] ds:0023:0000000c=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 84727e71 to 846b6394
STACK_TEXT:
807ce61c 84727e71 00000003 fec9a7ca 00000065 nt!RtlpBreakWithStatusInstruction
807ce66c 8472896d 00000003 0000000c 846f525b nt!KiBugCheckDebugBreak+0x1c
807cea34 846917eb 0000000a 0000000c 00000002 nt!KeBugCheck2+0x68b
807cea34 846f525b 0000000a 0000000c 00000002 nt!KiTrap0E+0x2cf
807ceaf4 84705943 00000000 906b5dfa 8ccfad48 nt!KiInsertQueueApc+0x6d
807ceb20 94624ba7 8cd082f0 00000000 00000000 nt!KeInsertQueueApc+0x95
807ceba4 946234a5 906b5de0 941d53d8 00ec9edd Sfilter!RunProcess+0x387 [d:\secftp\driver\sfilter_changed\process.c @ 377]
807cec0c 848bcb97 00000208 00000650 00000000 Sfilter!CSSSProcessNotifyRoutine+0x355 [d:\secftp\driver\sfilter_changed\csss.c @ 673]
807cec38 84893c37 00000001 01cfcb90 fec9ad12 nt!PspExitProcess+0xa3
807cecb4 848c8151 00000001 8aec5838 00000001 nt!PspExitThread+0x598
807ceccc 846f3123 8aec5838 807cecf8 807ced04 nt!PsExitSpecialApc+0x22
807ced1c 8468e4e4 00000001 00000000 807ced34 nt!KiDeliverApc+0x28b
807ced1c 778f64f4 00000001 00000000 807ced34 nt!KiServiceExit+0x64
0012fcd8 778f5e6c 75a8179c 000000ac 00000000 ntdll!KiFastSystemCallRet
0012fcdc 75a8179c 000000ac 00000000 00000000 ntdll!NtWaitForSingleObject+0xc
0012fd48 7667f003 000000ac ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98
0012fd60 7667efb2 000000ac ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75
0012fd74 779f7be6 000000ac ffffffff 5b324905 kernel32!WaitForSingleObject+0x12
0012fe18 779f8040 00314c00 000000ac 00000000 sechost!ScSendResponseReceiveControls+0xea
0012fecc 779f8553 0012fee0 7ffdf000 00000000 sechost!ScDispatcherLoop+0xc2
0012fee4 004046ee 0012fef0 0041e348 00404020 sechost!StartServiceCtrlDispatcherA+0x68
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff88 76681174 7ffdf000 0012ffd4 7790b3f5 BCService+0x46ee
0012ff94 7790b3f5 7ffdf000 778a0655 00000000 kernel32!BaseThreadInitThunk+0xe
0012ffd4 7790b3c8 00408311 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
0012ffec 00000000 00408311 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: kb
FOLLOWUP_IP:
Sfilter!RunProcess+387 [d:\secftp\driver\sfilter_changed\process.c @ 377]
94624ba7 0fb6d0 movzx edx,al
FAULTING_SOURCE_CODE:
373: pApcState->UserApcPending = TRUE;
374: }
375:
376: //...and queue it
> 377: if (!KeInsertQueueApc(pApc, NULL, NULL, IO_NO_INCREMENT))
378: {
379: KdPrint(("SFilter:: RunProcess,KernelExec -> Failed to insert APC\r\n"));
380: MmUnlockPages(pMdl);
381: IoFreeMdl (pMdl);
382: ExFreePool (pApc);
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: Sfilter!RunProcess+387
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Sfilter
IMAGE_NAME: Sfilter.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4d9a8b84
FAILURE_BUCKET_ID: 0xA_Sfilter!RunProcess+387
BUCKET_ID: 0xA_Sfilter!RunProcess+387
Followup: MachineOwner
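A small triage helper, added here and not part of the original post or of the Sfilter driver, that reads `!analyze -v` text like the dump above and pulls out what a reviewer of this crash wants first: the bugcheck code, the IRQL and referenced address from the arguments, whether that address is near NULL (a bad structure pointer rather than a random one), the first frame that is not a Microsoft module together with its source file and line, and whether the callback fired from the process-exit path. The sample text is a constructed excerpt of the stack lines quoted in the post; `MICROSOFT_MODULES` is my own list of modules to skip.

```python
import re

# Constructed sample: an excerpt of the WinDbg !analyze -v output quoted in the post above.
SAMPLE_DUMP = r"""
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 0000000c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
Arg4: 846f525b, address which referenced memory
STACK_TEXT:
807ceaf4 84705943 00000000 906b5dfa 8ccfad48 nt!KiInsertQueueApc+0x6d
807ceb20 94624ba7 8cd082f0 00000000 00000000 nt!KeInsertQueueApc+0x95
807ceba4 946234a5 906b5de0 941d53d8 00ec9edd Sfilter!RunProcess+0x387 [d:\secftp\driver\sfilter_changed\process.c @ 377]
807cec0c 848bcb97 00000208 00000650 00000000 Sfilter!CSSSProcessNotifyRoutine+0x355 [d:\secftp\driver\sfilter_changed\csss.c @ 673]
807cec38 84893c37 00000001 01cfcb90 fec9ad12 nt!PspExitProcess+0xa3
STACK_COMMAND: kb
"""

# Modules treated as Microsoft's own; the first frame outside this set is the driver to look at.
MICROSOFT_MODULES = {"nt", "hal", "ntdll", "kernel32", "KERNELBASE", "sechost"}

# One kb-style frame: ChildEBP RetAddr Args(3) module!symbol+off [optional source @ line]
FRAME_RE = re.compile(
    r"^(?P<childebp>[0-9a-f]{8}) (?P<retaddr>[0-9a-f]{8}) (?:[0-9a-f]{8} ){3}"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+)(?: \[(?P<src>[^\]]+) @ (?P<line>\d+)\])?",
    re.M)
ARG_RE = re.compile(r"^Arg(?P<n>[1-4]): (?P<val>[0-9a-f]{8})", re.M)
BUGCHECK_RE = re.compile(r"^\w+ \((?P<code>[0-9a-f]+)\)$", re.M)

def triage(dump: str) -> dict:
    """Extract the headline facts from !analyze -v output for a bugcheck 0xA-style crash."""
    args = {int(m["n"]): int(m["val"], 16) for m in ARG_RE.finditer(dump)}
    frames = [m.groupdict() for m in FRAME_RE.finditer(dump)]
    # Walk from the faulting frame outward; the first non-Microsoft frame called into the kernel.
    culprit = next((f for f in frames if f["module"] not in MICROSOFT_MODULES), None)
    return {
        "bugcheck": BUGCHECK_RE.search(dump)["code"],
        "address": args.get(1),                 # Arg1: memory referenced
        "irql": args.get(2),                    # Arg2: IRQL at the time of the fault (2 = DISPATCH_LEVEL)
        "write": bool(args.get(3, 0) & 1),      # Arg3 bit 0: 1 = write, 0 = read
        "near_null": args.get(1, 0) < 0x10000,  # tiny address = field of a NULL/bogus structure pointer
        "culprit": culprit,
        # Visible in this dump: the notify routine ran from PspExitProcess, i.e. during process exit.
        "from_process_exit": any(f["module"] == "nt" and f["symbol"].startswith("PspExitProcess")
                                 for f in frames),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```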