object=*(PULONG)(table2+(i-0x800)*2);
if(MmIsAddressValid((PULONG)((table2+(i-0x800)*2)+NEXTFREETABLEENTRY)))
{
NextFreeTableEntry=*(PULONG)((table2+(i-0x800)*2)+NEXTFREETABLEENTRY);
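I set the symbol, source and image paths for the program in WinDbg, then loaded the dump file for analysis.
It automatically jumped to the last statement above, which I take to mean that this is what caused the crash. But no matter how I look at it, I can't see what is wrong here.
Could an expert please point me in the right direction?
Below is the WinDbg analysis result.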
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 10000050, {e3941000, 0, a745a02f, 1}
Could not read faulting driver name
Probably caused by : ProcessHide.sys ( ProcessHide+102f )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e3941000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: a745a02f, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: e3941000
FAULTING_IP:
ProcessHide+102f
a745a02f 8b944104f0ffff mov edx,dword ptr [ecx+eax*2-0FFCh]
MM_INTERNAL_CODE: 1
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from a745b0e9 to a745a02f
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ba507c74 a745b0e9 00000000 a745b23e ba507d54 ProcessHide+0x102f
ba507c84 8058239d 8991b030 886b6000 00000000 ProcessHide+0x20e9
ba507d54 805824ad 800014b0 00000001 00000000 nt!IopLoadDriver+0x66d
ba507d7c 805397cb 800014b0 00000000 89bf3020 nt!IopLoadUnloadDriver+0x45
ba507dac 805d0fa8 a6c76c44 00000000 00000000 nt!ExpWorkerThread+0xef
ba507ddc 8054715e 805396dc 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
ProcessHide+102f
a745a02f 8b944104f0ffff mov edx,dword ptr [ecx+eax*2-0FFCh]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ProcessHide+102f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ProcessHide
IMAGE_NAME: ProcessHide.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4e1810fc
FAILURE_BUCKET_ID: 0x50_ProcessHide+102f
BUCKET_ID: 0x50_ProcessHide+102f