-
-
[已解决]还原 MSR 寄存器
-
发表于: 2013-5-18 11:01
-
我在 DriverEntry 用 WRMSR 0x176 写入一个新的地址,在UnloadDriver 用 WRMSR 0x176 还原,还原必须降低IRQL,卸载驱动还原后,大概过1 2分钟就蓝屏了。
DUMP 是这样:
........
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e9606fa8, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 92ef6ffb, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
Debugging Details:
------------------
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbb70 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffda00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffda00c). Type ".hh dbgerr001" for details
WRITE_ADDRESS: e9606fa8
FAULTING_IP:
+643e952f038bdef4
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
92ef6ffb ?? ???
MM_INTERNAL_CODE: 2
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: Dbgview.exe
CURRENT_IRQL: 1
TRAP_FRAME: b107bc5c -- (.trap 0xffffffffb107bc5c)
ErrCode = 00000002
eax=9296f468 ebx=8c606b48 ecx=00000000 edx=00010020 esi=8efdb390 edi=8ed913d0
eip=92ef6ffb esp=b107bcd0 ebp=b107bd1c iopl=0 ov up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010a92
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
92ef6ffb ?? ???
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Resetting default scope
LAST_CONTROL_TRANSFER: from 8c678aa8 to 8c6c586f
STACK_TEXT:
b107bc44 8c678aa8 00000001 e9606fa8 00000000 nt!MmAccessFault+0x106
b107bc44 92ef6ffb 00000001 e9606fa8 00000000 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
b107bccc 92f70c1b b107bd34 75b8a809 00411340 0x92ef6ffb
b107bd1c 92efd974 00000001 00000000 b107bd34 0x92f70c1b
b107bd34 778e7094 badb0d00 0260fed8 00000000 0x92efd974
b107bd38 badb0d00 0260fed8 00000000 00000000 0x778e7094
b107bd3c 0260fed8 00000000 00000000 00000000 0xbadb0d00
b107bd40 00000000 00000000 00000000 00000000 0x260fed8
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiTrap0E+dc
8c678aa8 85c0 test eax,eax
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KiTrap0E+dc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5147d331
FAILURE_BUCKET_ID: 0x50_nt!KiTrap0E+dc
BUCKET_ID: 0x50_nt!KiTrap0E+dc
Followup: MachineOwner
是在搞不明白,求指点。
已解决,笔误造成,对不起让大家费脑了,抱歉。
DUMP 是这样:
........
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e9606fa8, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 92ef6ffb, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
Debugging Details:
------------------
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbb70 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffda00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffda00c). Type ".hh dbgerr001" for details
WRITE_ADDRESS: e9606fa8
FAULTING_IP:
+643e952f038bdef4
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
92ef6ffb ?? ???
MM_INTERNAL_CODE: 2
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: Dbgview.exe
CURRENT_IRQL: 1
TRAP_FRAME: b107bc5c -- (.trap 0xffffffffb107bc5c)
ErrCode = 00000002
eax=9296f468 ebx=8c606b48 ecx=00000000 edx=00010020 esi=8efdb390 edi=8ed913d0
eip=92ef6ffb esp=b107bcd0 ebp=b107bd1c iopl=0 ov up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010a92
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
92ef6ffb ?? ???
Page bbaf6 not present in the dump file. Type ".hh dbgerr004" for details
Resetting default scope
LAST_CONTROL_TRANSFER: from 8c678aa8 to 8c6c586f
STACK_TEXT:
b107bc44 8c678aa8 00000001 e9606fa8 00000000 nt!MmAccessFault+0x106
b107bc44 92ef6ffb 00000001 e9606fa8 00000000 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
b107bccc 92f70c1b b107bd34 75b8a809 00411340 0x92ef6ffb
b107bd1c 92efd974 00000001 00000000 b107bd34 0x92f70c1b
b107bd34 778e7094 badb0d00 0260fed8 00000000 0x92efd974
b107bd38 badb0d00 0260fed8 00000000 00000000 0x778e7094
b107bd3c 0260fed8 00000000 00000000 00000000 0xbadb0d00
b107bd40 00000000 00000000 00000000 00000000 0x260fed8
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiTrap0E+dc
8c678aa8 85c0 test eax,eax
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KiTrap0E+dc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5147d331
FAILURE_BUCKET_ID: 0x50_nt!KiTrap0E+dc
BUCKET_ID: 0x50_nt!KiTrap0E+dc
Followup: MachineOwner
是在搞不明白,求指点。
已解决,笔误造成,对不起让大家费脑了,抱歉。
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
