首页
社区
课程
招聘
[求助]这种蓝屏一般是什么问题
发表于: 2015-2-6 09:42 4818

[求助]这种蓝屏一般是什么问题

2015-2-6 09:42
4818
Symbol search path is: SRV*d:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.120821-1629
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Wed Feb  4 13:01:47.875 2015 (UTC + 8:00)
System Uptime: 0 days 9:30:07.823
Loading Kernel Symbols
...............................................................
................................................................
.............
Loading User Symbols
Loading unloaded module list
......................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 8053cc71, a89e1c90, 0}

Probably caused by : hardware ( nt!_SEH_epilog+6 )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8053cc71, The address that the exception occurred at
Arg3: a89e1c90, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

FAULTING_IP:
nt!_SEH_epilog+6
8053cc71 0000            add     byte ptr [eax],al

TRAP_FRAME:  a89e1c90 -- (.trap 0xffffffffa89e1c90)
ErrCode = 00000002
eax=00000102 ebx=00000102 ecx=ffffffff edx=00000000 esi=a89e1d1c edi=00000102
eip=8053cc71 esp=a89e1d04 ebp=a89e1d50 iopl=0         nv up ei pl nz na po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010203
nt!_SEH_epilog+0x6:
8053cc71 0000            add     byte ptr [eax],al          ds:0023:00000102=??
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  Tencentdl.exe

MISALIGNED_IP:
nt!_SEH_epilog+6
8053cc71 0000            add     byte ptr [eax],al

LAST_CONTROL_TRANSFER:  from 805426cc to 8053cc71

STACK_TEXT:  
a89e1d50 805426cc 0000023c 00000000 a89e1d1c nt!_SEH_epilog+0x6
a89e1d50 7c92e514 0000023c 00000000 a89e1d1c nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
01c6feec 00000000 00000000 00000000 00000000 0x7c92e514

STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!_SEH_epilog+6
8053cc71 0000            add     byte ptr [eax],al

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!_SEH_epilog+6

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  hardware

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: hardware

FAILURE_BUCKET_ID:  IP_MISALIGNED

BUCKET_ID:  IP_MISALIGNED

Followup: MachineOwner
---------

3: kd> .trap 0xffffffffa89e1c90
ErrCode = 00000002
eax=00000102 ebx=00000102 ecx=ffffffff edx=00000000 esi=a89e1d1c edi=00000102
eip=8053cc71 esp=a89e1d04 ebp=a89e1d50 iopl=0         nv up ei pl nz na po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010203
nt!_SEH_epilog+0x6:
8053cc71 0000            add     byte ptr [eax],al          ds:0023:00000102=??
3: kd> u 8053cc6b
nt!_SEH_epilog:
8053cc6b 8b4df0          mov     ecx,dword ptr [ebp-10h]
8053cc6e 64890d00000000  mov     dword ptr fs:[0],ecx
8053cc75 59              pop     ecx
8053cc76 5f              pop     edi
8053cc77 5e              pop     esi
8053cc78 5b              pop     ebx
8053cc79 c9              leave
8053cc7a 51              push    ecx
很奇葩啊,KiFastCallEntry里面崩了,难道发现新漏洞了?

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

上传的附件:
收藏
免费 0
支持
分享
最新回复 (3)
雪    币: 70
活跃值: (37)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
2
打个LOL老是蓝屏
2015-2-6 13:56
0
雪    币: 2291
活跃值: (938)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
3
EIP被破坏了,指向了8053cc71,本来应该是这样的:
-----------------------------------------------------------------------
nt!_SEH_epilog:
8053cc6b 8b4df0          mov     ecx,dword ptr [ebp-10h]
8053cc6e 64890d00000000  mov     dword ptr fs:[0],ecx
8053cc75 59              pop     ecx
-----------------------------------------------------------------------
跳到8053cc71去执行就成了这样:
-----------------------------------------------------------------------
3: kd> u 0x8053cc71
nt!_SEH_epilog+0x6:
8053cc71 0000            add     byte ptr [eax],al
8053cc73 0000            add     byte ptr [eax],al
8053cc75 59              pop     ecx
-----------------------------------------------------------------------
指令被错误解释执行了,第一条指令试图往eax指向的内存赋值。此时eax=0x102。导致内存访问异常,所以抛出了错误码为STATUS_ACCESS_VIOLATION(C0000005)的蓝屏错误了
2015-2-6 14:23
0
雪    币: 70
活跃值: (37)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
4
关键是为什么跳过去,你看函数堆栈,实在想不明白怎么会莫名其妙的到了SEH,而且还跳到了指令的中间去
2015-2-6 21:55
0
游客
登录 | 注册 方可回帖
返回
//