A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows 7 7601 x64 target at (Sat Jul 13 10:17:30.820 2013 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
...................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................
........
Loading User Symbols
.................................
Loading unloaded module list
.....Unable to enumerate user-mode unloaded modules, Win32 error 0n30
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000000062, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: fffffa80059c5c88, name of the driver having the issue.
Arg3: fffffa8004f5a010, verifier internal structure with driver information.
Arg4: 0000000000000001, total # of (paged+nonpaged) allocations that weren't freed.
Type !verifier 3 drivername.sys for info on the allocations
that were leaked that caused the bugcheck.
Debugging Details:
------------------
BUGCHECK_STR: 0xc4_62
IMAGE_NAME: test.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 51e0b488
MODULE_NAME: test
FAULTING_MODULE: fffff88004c72000 test
VERIFIER_DRIVER_ENTRY: dt nt!_MI_VERIFIER_DRIVER_ENTRY fffffa8004f5a010
Symbol nt!_MI_VERIFIER_DRIVER_ENTRY not found.
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: services.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff8000176e212 to fffff8000167bb90
Next, look at Arg3: fffffa8004f5a010, verifier internal structure with driver information.
Presumably this is a structure; which structure it is, I have not looked into in depth yet.
The WinDbg help documentation, however, describes this parameter as: Reserved.
Then Arg4: 0000000000000001, total # of (paged+nonpaged) allocations that weren't freed.
This is the number of allocations that were made and never freed (paged plus nonpaged), not the amount of memory.
The next step is simply to do what the prompt says:
Type !verifier 3 drivername.sys for info on the allocations
that were leaked that caused the bugcheck.
0: kd> !verifier 3 test.sys
Verify Level fbf ... enabled options are:
Special pool
Special irql
Inject random low-resource API failures
All pool allocations checked on unload
Io subsystem checking enabled
Deadlock detection enabled
DMA checking enabled
Security checks enabled
Force pending I/O requests
IRP Logging
Miscellaneous checks enabled
Pool Allocations Attempted 0x2757b
Pool Allocations Succeeded 0x2757b
Pool Allocations Succeeded SpecialPool 0x2757b
Pool Allocations With NO TAG 0x0
Pool Allocations Failed 0x0
Resource Allocations Failed Deliberately 0x0
Current paged pool allocations 0x0 for 00000000 bytes
Peak paged pool allocations 0x0 for 00000000 bytes
Current nonpaged pool allocations 0x1 for 0000000C bytes
Peak nonpaged pool allocations 0x1 for 0000000C bytes
Current Pool Allocations  00000001    00000000
Current Pool Bytes        0000000c    00000000
Peak Pool Allocations     00000001    00000000
Peak Pool Bytes           0000000c    00000000
PoolAddress       SizeInBytes   Tag    CallersAddress
fffff9800933eff0  0x0000000c    test   fffff88004c73043
From this you can see the leaked allocation:
Peak Pool Allocations     00000001    00000000
Peak Pool Bytes           0000000c    00000000
PoolAddress       SizeInBytes   Tag    CallersAddress
fffff9800933eff0  0x0000000c    test   fffff88004c73043
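As an added illustration (not code from the original post, and not Driver Verifier's real implementation), here is a small user-mode C model of the per-driver pool accounting that Verifier does: every tagged allocation is recorded, frees are matched against the records, and at unload anything still live is listed in the same PoolAddress / SizeInBytes / Tag / CallersAddress layout that !verifier 3 prints. The names VfAllocatePoolWithTag, VfFreePool, VfCheckUnload and RunDriver, and the caller string "DriverEntry+0x43", are hypothetical. Running the model with the free forgotten reproduces the situation above: one nonpaged allocation of 0xC bytes tagged test is still live at unload, so the leaked-allocation count (what Arg4 reports) is 1 even though the leaked size is 12 bytes; freeing the buffer in the unload path brings the count to 0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical user-mode model of the pool accounting Driver Verifier keeps
 * per verified driver. It is an educational stand-in, not Verifier's code. */

#define MAX_TRACKED 64
/* First character lands in the lowest byte, so the tag reads "test" in
 * memory order, which is how !verifier displays it. */
#define POOL_TAG(a, b, c, d) \
    ((uint32_t)(a) | ((uint32_t)(b) << 8) | ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))

typedef enum { NONPAGED_POOL = 0, PAGED_POOL = 1 } PoolType;

typedef struct {
    void       *address;
    size_t      size;
    uint32_t    tag;
    PoolType    type;
    const char *caller;   /* stands in for CallersAddress */
    int         live;
} TrackedAlloc;

typedef struct {
    TrackedAlloc entries[MAX_TRACKED];
    int          count;
    size_t       cur_allocs[2], cur_bytes[2];    /* indexed by PoolType */
    size_t       peak_allocs[2], peak_bytes[2];
} VerifierState;

/* What the unload check reports. leaked_allocs is a count of allocations,
 * which is what Arg4 of the 0xC4/0x62 bugcheck carries, not a byte size. */
typedef struct {
    int    leaked_allocs;
    size_t leaked_bytes;
    size_t peak_nonpaged_allocs;
    size_t peak_nonpaged_bytes;
} UnloadResult;

static void VfInit(VerifierState *s) { memset(s, 0, sizeof *s); }

static void *VfAllocatePoolWithTag(VerifierState *s, PoolType type, size_t size,
                                   uint32_t tag, const char *caller)
{
    if (s->count >= MAX_TRACKED) return NULL;
    void *p = malloc(size);
    if (!p) return NULL;
    TrackedAlloc *e = &s->entries[s->count++];
    e->address = p; e->size = size; e->tag = tag; e->type = type;
    e->caller = caller; e->live = 1;
    s->cur_allocs[type] += 1;
    s->cur_bytes[type]  += size;
    if (s->cur_allocs[type] > s->peak_allocs[type]) s->peak_allocs[type] = s->cur_allocs[type];
    if (s->cur_bytes[type]  > s->peak_bytes[type])  s->peak_bytes[type]  = s->cur_bytes[type];
    return p;
}

/* Returns 1 when the pointer matched a live record, 0 for a bad or double free. */
static int VfFreePool(VerifierState *s, void *p)
{
    for (int i = 0; i < s->count; i++) {
        TrackedAlloc *e = &s->entries[i];
        if (e->live && e->address == p) {
            e->live = 0;
            s->cur_allocs[e->type] -= 1;
            s->cur_bytes[e->type]  -= e->size;
            free(p);
            return 1;
        }
    }
    return 0;
}

/* Unload-time check: lists still-live allocations in the !verifier 3 layout
 * and returns the counts Verifier would put into the bugcheck arguments. */
static UnloadResult VfCheckUnload(VerifierState *s, const char *driver)
{
    UnloadResult r = {0};
    r.peak_nonpaged_allocs = s->peak_allocs[NONPAGED_POOL];
    r.peak_nonpaged_bytes  = s->peak_bytes[NONPAGED_POOL];
    for (int i = 0; i < s->count; i++) {
        TrackedAlloc *e = &s->entries[i];
        if (!e->live) continue;
        if (r.leaked_allocs++ == 0)
            printf("%s leaked:\n  PoolAddress      SizeInBytes  Tag   CallersAddress\n", driver);
        printf("  %p 0x%08zx   %.4s  %s\n", e->address, e->size,
               (const char *)&e->tag, e->caller);
        r.leaked_bytes += e->size;
        free(e->address);   /* reclaim in the model; Verifier would bugcheck instead */
        e->live = 0;
    }
    return r;
}

/* Model of test.sys: DriverEntry allocates 0xC bytes of nonpaged pool tagged
 * "test"; with free_on_unload == 0 the unload routine forgets to release it. */
static UnloadResult RunDriver(int free_on_unload)
{
    VerifierState vs;
    VfInit(&vs);
    void *ctx = VfAllocatePoolWithTag(&vs, NONPAGED_POOL, 0xC,
                                      POOL_TAG('t', 'e', 's', 't'), "DriverEntry+0x43");
    if (free_on_unload) VfFreePool(&vs, ctx);   /* the fix: release in unload */
    return VfCheckUnload(&vs, "test.sys");
}

int main(void)
{
    UnloadResult leaky = RunDriver(0);
    printf("leaky unload: %d allocation(s), %zu bytes leaked\n",
           leaky.leaked_allocs, leaky.leaked_bytes);
    UnloadResult fixed = RunDriver(1);
    printf("fixed unload: %d allocation(s) leaked\n", fixed.leaked_allocs);
    return 0;
}
```

The point the model makes explicit is the one the commentary above draws from Arg4: Verifier counts outstanding allocations per driver, so a single forgotten 12-byte context is enough to trip the unload check, and the peak counters stay at 1 / 0xC in both runs because they record the high-water mark, not what is left at unload.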