Could an expert please analyze the cause of this blue screen?
Posted: 2013-12-25 14:20 5732

This is the blue screen error returned by WinDbg:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000001e, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
        bit 0 : value 0 = read operation, 1 = write operation
        bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804fac6b, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS:  0000001e

CURRENT_IRQL:  2

FAULTING_IP:
nt!KeWaitForSingleObject+bb
804fac6b 803b02          cmp     byte ptr [ebx],2

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

BUGCHECK_STR:  0xA

PROCESS_NAME:  >14ã.exe

TRAP_FRAME:  b182aa48 -- (.trap 0xffffffffb182aa48)
ErrCode = 00000000
eax=00004e24 ebx=0000001e ecx=00000000 edx=b182ab00 esi=81e21da8 edi=81e21e18
eip=804fac6b esp=b182aabc ebp=b182aadc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!KeWaitForSingleObject+0xbb:
804fac6b 803b02          cmp     byte ptr [ebx],2           ds:0023:0000001e=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f8bad to 80528c0c

STACK_TEXT:  
b182a5fc 804f8bad 00000003 b182a958 00000000 nt!RtlpBreakWithStatusInstruction
b182a648 804f979a 00000003 0000001e 804fac6b nt!KiBugCheckDebugBreak+0x19
b182aa28 8054173b 0000000a 0000001e 00000002 nt!KeBugCheck2+0x574
b182aa28 804fac6b 0000000a 0000001e 00000002 nt!KiTrap0E+0x233
b182aadc 80533383 00000000 00000000 00000000 nt!KeWaitForSingleObject+0xbb
b182ab14 80533885 81f03380 00000003 b182aba8 nt!ExpWaitForResource+0x2f
b182ab24 805b3b2c 81b67a58 00000001 81b67900 nt!ExAcquireResourceExclusiveLite+0x6f
b182aba8 805b43e9 b182ac0c 81e21020 81f03398 nt!ObpIncrementUnnamedHandleCount+0x48
b182ac00 805b9ce8 81f03398 001f000f 00000001 nt!ObpCreateUnnamedHandle+0x89
b182acf4 8063a74c 81f03398 00000000 001f000f nt!ObInsertObject+0xbc
b182ad4c 8053e6d8 7ffdff24 001f000f 0012d740 nt!NtCreateDebugObject+0xca
b182ad4c 7c92e514 7ffdff24 001f000f 0012d740 nt!KiFastCallEntry+0xf8
0012d724 7c92d07a 7c972044 7ffdff24 001f000f ntdll!KiFastSystemCallRet
0012d728 7c972044 7ffdff24 001f000f 0012d740 ntdll!ZwCreateDebugObject+0xc
0012d758 7c85b105 0012da9c 027523ce 00000484 ntdll!DbgUiConnectToDbg+0x4a
0012d760 027523ce 00000484 0012db04 00477fa8 kernel32!DebugActiveProcess+0xa
WARNING: Stack unwind information not available. Following frames may be wrong.
0012da9c 77d18734 000202cc 00000111 00000001 advancedolly!ODBG_Plugininit+0x46d
0012dac8 77d23ce4 00477fa8 000202cc 00000111 USER32!InternalCallWinProc+0x28
0012db34 77d23b30 00000000 00477fa8 000202cc USER32!UserCallDlgProcCheckWow+0x146
0012db7c 77d3e599 00000000 00000111 00000001 USER32!DefDlgProcWorker+0xa8
0012db98 77d18734 000202cc 00000111 00000001 USER32!DefDlgProcA+0x22
0012dbc4 77d18816 77d3e577 000202cc 00000111 USER32!InternalCallWinProc+0x28
0012dc2c 77d2927b 00000000 77d3e577 000202cc USER32!UserCallWinProcCheckWow+0x150
0012dc68 77d292e3 00700fb8 016f5938 00000001 USER32!SendMessageWorker+0x4a5
0012dc88 77d4ff7d 000202cc 00000111 00000001 USER32!SendMessageW+0x7f
0012dca0 77d465d2 0171bf78 00000000 0171bf78 USER32!xxxButtonNotifyParent+0x41
0012dcbc 77d25e94 006398c8 00000001 00000000 USER32!xxxBNReleaseCapture+0xf8
0012dd40 77d3b082 0171bf78 00000202 00000000 USER32!ButtonWndProcWorker+0x6df
0012dd60 77d18734 000102ce 00000202 00000000 USER32!ButtonWndProcA+0x5d
0012dd8c 77d18816 77d3b036 000102ce 00000202 USER32!InternalCallWinProc+0x28
0012ddf4 77d189cd 00000000 77d3b036 000102ce USER32!UserCallWinProcCheckWow+0x150
0012de54 77d18a10 0012dea4 00000000 0012de88 USER32!DispatchMessageWorker+0x306
0012de64 77d274ff 0012dea4 00000000 01700fb8 USER32!DispatchMessageW+0xf
0012de88 77d2763c 000202cc 0171bf78 0002028a USER32!IsDialogMessageW+0x572
0012dec4 77d249c4 000202cc 0002028a 00000010 USER32!DialogBox2+0x144
0012deec 77d24a06 00400000 005ad484 00020294 USER32!InternalDialogBox+0xd0
0012df0c 77d3b190 00400000 005ad484 00020294 USER32!DialogBoxIndirectParamAorW+0x37
0012df38 7084b679 00400000 004c2198 00020294 USER32!DialogBoxParamA+0x4c
0012df94 004786aa 00400000 004c2198 00020294 SOD____!ODBG_Plugindestroy+0x1425
0012f290 77d18734 0002028a 00000111 000007d2 ____!Attachtoactiveprocess+0x91e
0012f2bc 77d18816 004323d4 0002028a 00000111 USER32!InternalCallWinProc+0x28
0012f324 77d2a013 00000000 004323d4 0002028a USER32!UserCallWinProcCheckWow+0x150
0012f354 77d2a998 004323d4 0002028a 00000111 USER32!CallWindowProcAorW+0x98
0012f374 20003f71 004323d4 0002028a 00000111 USER32!CallWindowProcA+0x1b
0012f3a0 77d18734 0002028a 00000111 000007d2 IDAFicator+0x3f71
0012f3cc 77d18816 20003864 0002028a 00000111 USER32!InternalCallWinProc+0x28
0012f434 77d2a013 00000000 20003864 0002028a USER32!UserCallWinProcCheckWow+0x150
0012f464 77d2a998 20003864 0002028a 00000111 USER32!CallWindowProcAorW+0x98
0012f484 7084904b 20003864 0002028a 00000111 USER32!CallWindowProcA+0x1b
0012f4a4 77d18734 0002028a 00000111 000007d2 SOD____!ODBG_Plugincmd+0x6fcb
0012f4d0 77d18816 70848fef 0002028a 00000111 USER32!InternalCallWinProc+0x28
0012f538 77d189cd 00000000 70848fef 0002028a USER32!UserCallWinProcCheckWow+0x150
0012f598 77d196c7 0012f5c0 00000001 0012ff88 USER32!DispatchMessageWorker+0x306
0012f5a8 00439442 0012f5c0 00000000 004b00c4 USER32!DispatchMessageA+0xf
0012ff88 004ad357 00400000 00000000 005b2410 ____!Go+0x4a2e
0012ffc0 7c817077 00340036 00360033 7ffd8000 ____!Createpatchwindow+0xe0f7
0012fff0 00000000 00401000 00000000 78746341 kernel32!BaseProcessStart+0x23

STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    804f779c - nt!KdDisableDebugger
        [ 8b:c3 ]
    804f87d8-804f87de  7 bytes - nt!KiAttachProcess (+0x103c)
        [ 8b ff 55 8b ec 53 8b:b8 1c df 5f b1 ff e0 ]
    80502c20-80502c23  4 bytes - nt!KiServiceTable+64 (+0xa448)
        [ 8e 2d 5b 80:64 c9 59 b1 ]
    80502d40-80502d43  4 bytes - nt!KiServiceTable+184 (+0x120)
        [ 9a a6 57 80:d9 0a 73 f8 ]
    80502da4-80502da7  4 bytes - nt!KiServiceTable+1e8 (+0x64)
        [ f8 23 5c 80:34 cc 59 b1 ]
    80502dbc-80502dbf  4 bytes - nt!KiServiceTable+200 (+0x18)
        [ 84 26 5c 80:44 cb 59 b1 ]
    80502e24-80502e27  4 bytes - nt!KiServiceTable+268 (+0x68)
        [ 5e 3d 5c 80:e4 c9 59 b1 ]
    80502e48-80502e4b  4 bytes - nt!KiServiceTable+28c (+0x24)
        [ a0 c1 5b 80:44 cd 59 b1 ]
    80502e70-80502e73  4 bytes - nt!KiServiceTable+2b4 (+0x28)
        [ a8 95 60 80:04 ce 59 b1 ]
    80502f50-80502f53  4 bytes - nt!KiServiceTable+394 (+0xe0)
        [ 76 2e 5c 80:94 b9 59 b1 ]
    80502f7c-80502f7f  4 bytes - nt!KiServiceTable+3c0 (+0x2c)
        [ d6 78 60 80:a1 14 73 f8 ]
    80503014-80503017  4 bytes - nt!KiServiceTable+458 (+0x98)
        [ 5c 32 50 80:e4 b9 59 b1 ]
    805aa85a-805aa860  7 bytes - nt!NtReadVirtualMemory
        [ 6a 1c 68 e0 a4 4d 80:b8 10 dd 5f b1 ff e0 ]
    805aa964-805aa96a  7 bytes - nt!NtWriteVirtualMemory (+0x10a)
        [ 6a 1c 68 f8 a4 4d 80:b8 16 de 5f b1 ff e0 ]
    805c2616-805c261b  6 bytes - nt!NtOpenProcess+21e (+0x17cb2)
        [ ff 75 c8 ff 75 dc:e9 f5 17 2b 31 90 ]
    805c261d-805c2620  4 bytes - nt!NtOpenProcess+225 (+0x07)
        [ 7d fe fe ff:29 58 04 31 ]
    805c2898-805c289d  6 bytes - nt!NtOpenThread+214 (+0x27b)
        [ ff 75 cc ff 75 e0:e9 03 18 2b 31 90 ]
    805c289f-805c28a2  4 bytes - nt!NtOpenThread+21b (+0x07)
        [ fb fb fe ff:73 b8 03 31 ]
    8063a6e2-8063a6e5  4 bytes - nt!NtCreateDebugObject+60 (+0x77e43)
        [ c0 10 55 80:50 78 b6 81 ]
    8063b007-8063b00a  4 bytes - nt!NtWaitForDebugEvent+a7 (+0x925)
        [ c0 10 55 80:50 78 b6 81 ]
    8063b7ba-8063b7bd  4 bytes - nt!NtDebugActiveProcess+5c (+0x7b3)
        [ c0 10 55 80:50 78 b6 81 ]
    8063b870-8063b873  4 bytes - nt!NtRemoveProcessDebug+42 (+0xb6)
        [ c0 10 55 80:50 78 b6 81 ]
    8063b929-8063b92c  4 bytes - nt!NtDebugContinue+7b (+0xb9)
        [ c0 10 55 80:50 78 b6 81 ]
102 errors : !nt (804f779c-8063b92c)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  LARGE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------

What caused this error?
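
Added example (not part of the original post or of any tool it mentions): the Python code below parses `!chkimg -d` entries like those in the dump above and decodes each modified range as a replaced SSDT slot, an inline jump, or a changed data operand, a first triage step for a dump bucketed as CODE_CORRUPTION. The function names and `SAMPLE` are assumptions of this example; the sample entries are copied from the listing above.

```python
import re

# Constructed sample: five entries copied from the !chkimg listing in the post.
SAMPLE = """\
    804f87d8-804f87de  7 bytes - nt!KiAttachProcess (+0x103c)
        [ 8b ff 55 8b ec 53 8b:b8 1c df 5f b1 ff e0 ]
    80502c20-80502c23  4 bytes - nt!KiServiceTable+64 (+0xa448)
        [ 8e 2d 5b 80:64 c9 59 b1 ]
    80502d40-80502d43  4 bytes - nt!KiServiceTable+184 (+0x120)
        [ 9a a6 57 80:d9 0a 73 f8 ]
    805c2616-805c261b  6 bytes - nt!NtOpenProcess+21e (+0x17cb2)
        [ ff 75 c8 ff 75 dc:e9 f5 17 2b 31 90 ]
    8063a6e2-8063a6e5  4 bytes - nt!NtCreateDebugObject+60 (+0x77e43)
        [ c0 10 55 80:50 78 b6 81 ]
"""

HDR = re.compile(r"^\s*([0-9a-f]{8})(?:-[0-9a-f]{8})?\s+(?:\d+ bytes? )?- "
                 r"(\S+?)(?:\+([0-9a-f]+))?(?:\s|$)")
BYTES = re.compile(r"^\s*\[ ([0-9a-f ]+):([0-9a-f ]+) \]")

def classify(addr, sym, off, old, new):
    """Decode one modified range of a 32-bit image (little-endian values)."""
    u32 = lambda b: int.from_bytes(b[:4], "little")
    at = f"{sym}+{off:#x}"
    if sym == "nt!KiServiceTable" and len(new) == 4:      # replaced SSDT slot
        return {"kind": "ssdt", "index": off // 4, "old": u32(old), "target": u32(new)}
    if len(new) >= 7 and new[0] == 0xB8 and new[5:7] == b"\xff\xe0":
        return {"kind": "inline", "at": at, "target": u32(new[1:5])}  # mov eax,imm32 / jmp eax
    if len(new) >= 5 and new[0] == 0xE9:                  # jmp rel32, relative to next instruction
        rel = int.from_bytes(new[1:5], "little", signed=True)
        return {"kind": "inline", "at": at, "target": (addr + 5 + rel) & 0xFFFFFFFF}
    return {"kind": "data", "at": at, "old": u32(old), "new": u32(new)}

def parse_chkimg(text):
    """Pair each header line with its [original:current] byte line."""
    findings, pending = [], None
    for line in text.splitlines():
        h, b = HDR.match(line), BYTES.match(line)
        if h:
            pending = (int(h.group(1), 16), h.group(2), int(h.group(3) or "0", 16))
        elif b and pending:
            old, new = (bytes.fromhex(g.replace(" ", "")) for g in b.groups())
            findings.append(classify(*pending, old, new))
            pending = None
    return findings

if __name__ == "__main__":
    for f in parse_chkimg(SAMPLE):
        print({k: (hex(v) if isinstance(v, int) and k != "index" else v) for k, v in f.items()})
```

Passing each decoded target to `lm a <address>` in WinDbg names the module that owns the redirected code.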

Latest replies (6)
#2
It's caused by the IRQL; the description makes that quite clear.
2013-12-25 14:35
#3
Accessing memory address 804fac6b >>> there is a problem with this address, which caused the blue screen.
2013-12-25 15:15
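#4
Clearly, after an Object was created, a wrong value was used to perform the wait, and it blue-screened while trying to read Object->Type.
Possible causes: 1. there is a hook; 2. you are using XP.
2013-12-25 17:47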
#5
Another youngster researching TP,
trying to modify DebugPort.
Verdict delivered.
2013-12-25 18:40
#6
Yes, I am using XP. It keeps blue-screening when I deal with TP's object hook. Could you explain: does it not work on XP?
2013-12-25 19:56
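#7
I haven't played with TP for a long time. It does block DebugObject creation, and there are cases where it doesn't handle its hooks properly.
The stack itself looks odd: NtCreateDebugObject goes straight to ObInsertObject.
And XP itself has quite a few bugs; for example, there is one where an Object value isn't handled, and Microsoft still hasn't released a patch.
2013-12-26 18:53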