Help needed: driver causes a blue screen
Posted on: 2011-6-19 01:27
I'm a newbie. Could an expert please explain in detail what this means? Thanks!
Driver is loaded!
BuildNumber = 2600
KeyControlBlock = e2747418
GetCellRoutine = 8062fb1c
HideRegKey Success!
KernelImageBase: 0x00400000
KernelVirtualBase: 0x804D8000
Kernel Module Path: \SystemRoot\System32\ntkrnlpa.exe
SSDT BaseAddress: 0x80502BBC, NumberOfServices: 0x11C
SSDT RAW: 0x0002ABBC
SSDT TheEnd...
*** Fatal System Error: 0x0000007e
(0xC0000005,0xF88338A5,0xF8991AB4,0xF89917B0)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Sun Jun 19 01:04:38.904 2011 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
........
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, f88338a5, f8991ab4, f89917b0}
*** ERROR: Module load completed but symbols could not be loaded for Rootkit.sys
Probably caused by : Rootkit.sys ( Rootkit+18a5 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
80528c0c cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f88338a5, The address that the exception occurred at
Arg3: f8991ab4, Exception Record Address
Arg4: f89917b0, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
FAULTING_IP:
Rootkit+18a5
f88338a5 8b513c mov edx,dword ptr [ecx+3Ch]
EXCEPTION_RECORD: f8991ab4 -- (.exr 0xfffffffff8991ab4)
ExceptionAddress: f88338a5 (Rootkit+0x000018a5)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000003c
Attempt to read from address 0000003c
CONTEXT: f89917b0 -- (.cxr 0xfffffffff89917b0)
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=e25567a8 edi=8262cad0
eip=f88338a5 esp=f8991b7c ebp=f8991c20 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
Rootkit+0x18a5:
f88338a5 8b513c mov edx,dword ptr [ecx+3Ch] ds:0023:0000003c=????????
Resetting default scope
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0000003c
READ_ADDRESS: 0000003c
FOLLOWUP_IP:
Rootkit+18a5
f88338a5 8b513c mov edx,dword ptr [ecx+3Ch]
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from f8833a64 to f88338a5
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f8991c20 f8833a64 f88346c0 f8991c34 825c5e94 Rootkit+0x18a5
f8991c40 f8834790 f88346c0 804d8000 0000011c Rootkit+0x1a64
f8991c54 f8832761 829a1e80 00000000 002a0028 Rootkit+0x2790
f8991c7c 80577891 8262cad0 826a4000 00000000 Rootkit+0x761
f8991d4c 805779a1 80001104 00000001 00000000 nt!IopLoadDriver+0x66d
f8991d74 80535ca0 80001104 00000000 82bb6388 nt!IopLoadUnloadDriver+0x45
f8991dac 805c72c2 b1ee7cf4 00000000 00000000 nt!ExpWorkerThread+0x100
f8991ddc 80542e82 80535ba0 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Rootkit+18a5
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Rootkit
IMAGE_NAME: Rootkit.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48986ca9
STACK_COMMAND: .cxr 0xfffffffff89917b0 ; kb
FAILURE_BUCKET_ID: 0x7E_Rootkit+18a5
BUCKET_ID: 0x7E_Rootkit+18a5
Followup: MachineOwner
---------