PAGE_FAULT_IN_NONPAGED_AREA
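I ran into a problem while debugging my program today:
The method the driver uses to communicate with the application layer is one I found online; I added the third parameter myself.
//--------------------------------------------------------------------------// Send to the application layer for a verdict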
BOOL GoOrNot(char *fathername,char *procname,char *Pid)
{
    char buff[512] = {0};
    ULONG a;
    LARGE_INTEGER li;
    KdPrint(("GoOrNot调用\n"));
    li.QuadPart=-10000;
    KeWaitForSingleObject(&event,Executive,KernelMode,0,0);
    strcpy(buff,fathername);
    strcat(buff,procname);
    strcat(buff,Pid);
    strncpy(&output[8],buff,sizeof(buff));
    //DbgPrint(&output[8]);
    a = 1;
    memmove(&output[0],&a,4);
    while (1)
    {
        KeDelayExecutionThread(KernelMode,0,&li);
        memmove(&a,&output[0],4);
        if (!a)
        {
            break;
        }
    }
    memmove(&a,&output[4],4);
    KeSetEvent(&event,0,0);
    return a;
}
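1. A backup of my application-layer program from two days ago can load the driver and work normally.
2. For the past two days I have only been using the SkinSe library to modify the UI; I have not touched any of the driver-related code.
3. Half an hour ago the program was still fine (tested in a virtual machine). After I switched to another snapshot and then switched back, running the current program causes a blue screen. No code was changed in between.
4. The program from two days ago loads the same driver without any problems.
5. WinDbg output: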
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f8d3f000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 8053c519, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
WRITE_ADDRESS: f8d3f000
FAULTING_IP:
nt!strncpy+e9
8053c519 8907 mov dword ptr [edi],eax
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: explorer.exe
TRAP_FRAME: f823b970 -- (.trap 0xfffffffff823b970)
ErrCode = 00000002
eax=00000000 ebx=00000200 ecx=00000002 edx=00363736 esi=f823bb2c edi=f8d3f000
eip=8053c519 esp=f823b9e4 ebp=f823bc60 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!strncpy+0xe9:
8053c519 8907 mov dword ptr [edi],eax ds:0023:f8d3f000=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f9df9 to 8052c5dc
This is the location WinDbg reports as faulting:
FAULTING_SOURCE_CODE:
330: strcpy(buff,fathername);
331: strcat(buff,procname);
332: strcat(buff,Pid);
333:
> 334: strncpy(&output[8],buff,sizeof(buff)); // here
335: //DbgPrint(&output[8]);
336: a = 1;
337: memmove(&output[0],&a,4);
338: while (1)
339: {
Invalid address?
I only changed the UI in the application-layer program...
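An added example, not part of the original post: the trap frame shows `strncpy` storing a zero (`eax=00000000`) to the page-aligned address `f8d3f000`, which is consistent with `strncpy` zero-padding the destination out to the full count (`sizeof(buff)`, 512) however short the string is. The user-mode C sketch below measures that padding and shows a bounded copy; `strncpy_bytes_touched`, `put_request` and the 64-byte capacity are hypothetical, and the real size of `output` is not shown in the post.

```c
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8   /* as in the post: flag at [0], verdict at [4], text from [8] */

/* Highest offset + 1 that strncpy(dst, src, n) modifies; dst is pre-filled with 0xAA. */
size_t strncpy_bytes_touched(const char *src, size_t n)
{
    unsigned char region[1024];
    size_t i, touched = 0;

    if (n > sizeof(region)) return 0;
    memset(region, 0xAA, sizeof(region));
    strncpy((char *)region, src, n);      /* zero-pads up to n when src is shorter */
    for (i = 0; i < sizeof(region); i++)
        if (region[i] != 0xAA) touched = i + 1;
    return touched;
}

/* Hypothetical helper: concatenate a+b+c into shared[HDR_LEN..cap) with a terminator.
   Returns 0 on success, -1 if it does not fit; writes strlen+1 bytes, no padding. */
int put_request(char *shared, size_t cap, const char *a, const char *b, const char *c)
{
    size_t la = strlen(a), lb = strlen(b), lc = strlen(c), room;
    char *p;

    if (cap <= HDR_LEN) return -1;
    room = cap - HDR_LEN - 1;             /* reserve one byte for the terminator */
    if (la > room) return -1;
    room -= la;
    if (lb > room) return -1;
    room -= lb;
    if (lc > room) return -1;
    p = shared + HDR_LEN;
    memcpy(p, a, la); p += la;
    memcpy(p, b, lb); p += lb;
    memcpy(p, c, lc + 1);                 /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    char shared[64];                      /* constructed capacity, not from the post */
    printf("strncpy(n=512) touched %zu bytes for a 12-byte string\n",
           strncpy_bytes_touched("explorer.exe", 512));
    printf("put_request -> %d\n",
           put_request(shared, sizeof(shared), "a.exe", "b.exe", "1234"));
    return 0;
}
```

In a driver, the capacity argument would be the actual length of the shared buffer, checked before any byte is written.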