-
-
[旧帖] [求助]TDI过滤驱动老是蓝屏 0.00雪花
-
发表于: 2015-3-9 22:21
-
Kx只有41个只能发在临时会员板块虽说TDI已经过时,但BUG不过时;
问题在产生创建请求,并在其完成函数中向下发送查询 地址请求时错误,相关代码:
这是为创建请求设置的的完成函数:
NTSTATUS TDIFltClass::CreateOperatComplete(PDEVICE_OBJECT DeviceObject,PIRP Irp,PVOID Context){
if(NT_SUCCESS(Irp->IoStatus.Status)){
TDIFltExt* Exten=(TDIFltExt*)DeviceObject->DeviceExtension;
PIO_STACK_LOCATION IoStack=IoGetCurrentIrpStackLocation(Irp);
PIRP Query=(PIRP)Context;
KdPrint(("向下发送查询请求\n"));
TDI_ADDRESS_INFO* Address=(TDI_ADDRESS_INFO*)ExAllocatePool(NonPagedPool,sizeof(TDI_ADDRESS_INFO)+10);
PMDL Mdl=IoAllocateMdl(Address,sizeof(TDI_ADDRESS_INFO)+10,FALSE,FALSE,NULL);
if(Mdl==NULL||Address==NULL) goto err;
MmBuildMdlForNonPagedPool(Mdl);
TdiBuildQueryInformation(Query,Exten->LowerDevice,IoStack->FileObject,QueryOperatComplete,NULL,TDI_QUERY_ADDRESS_INFO,Mdl);
NTSTATUS status;
status=IoCallDriver(Exten->LowerDevice,Query);//发送查询地址请求
if(status!=STATUS_PENDING&&!NT_SUCCESS(status)){
if(Mdl!=NULL){
IoFreeMdl(Mdl);
}
if(Address!=NULL){
ExFreePool(Address);
}
}
}
err:
if(Irp->PendingReturned)
{
IoMarkIrpPending(Irp);
}
return STATUS_SUCCESS;
}
这是查询请求完成所设置的完成函数:
NTSTATUS TDIFltClass::QueryOperatComplete(PDEVICE_OBJECT DeviceObject,PIRP Irp,PVOID Context){
KdPrint(("查询请求完成\n"));
PVOID Add=MmGetSystemAddressForMdlSafe(Irp->MdlAddress,NormalPagePriority);
KdPrint(("1\n"));
if(NT_SUCCESS(Irp->IoStatus.Status)&&Irp->MdlAddress!=NULL){
// TDIFltExt* Exten=(TDIFltExt*)DeviceObject->DeviceExtension;
KdPrint(("2\n"));
TDI_ADDRESS_INFO* AddInfo=(TDI_ADDRESS_INFO*)Add;
TA_ADDRESS* Addr=AddInfo->Address.Address;
KdPrint(("3\n"));
KdPrint(("Address:%x,port:%u\n",Myntohl(((TDI_ADDRESS_IP*)(Addr->Address))->in_addr),
Myntohs(((TDI_ADDRESS_IP*)(Addr->Address))->sin_port)));
//可将地址与端口保存起来与其文件对象对应以在必要时刻查询
}
// IoFreeMdl(Irp->MdlAddress);//释不释放都蓝屏
KdPrint(("4\n"));
// ExFreePool(Add););//释不释放都蓝屏
KdPrint(("5\n"));
return STATUS_SUCCESS;
}
DUMP:
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000007, A driver has unlocked a page more times than it locked it
Arg2: 0003e10e, page frame number
Arg3: 00000001, current share count
Arg4: 00000000, 0
BUGCHECK_STR: 0x4E_7
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 83d35083 to 83cd1110
STACK_TEXT:
8d2d2f4c 83d35083 00000003 a9a5df6f 00000065 nt!RtlpBreakWithStatusInstruction
8d2d2f9c 83d35b81 00000003 000000cf 854c9d88 nt!KiBugCheckDebugBreak+0x1c
8d2d3360 83ce8f47 0000004e 00000007 0003e10e nt!KeBugCheck2+0x68b
8d2d338c 83cc1b85 0003e10e 869e6d38 865fa110 nt!MiPfnReferenceCountIsZero+0x24
8d2d33e4 83ccead8 869e6d38 857e77c0 865fa110 nt!MmUnlockPages+0x557
8d2d3420 8e2af35a 865fa168 857e794c 00000103 nt!IopfCompleteRequest+0x2cd
8d2d34e4 8e2af705 865fa150 00000000 00000010 tdx!TdxQueryAddressComplete+0x1ba
8d2d3544 8e2a5438 007e77c0 865fa150 00000000 tdx!TdxIssueQueryAddressRequest+0x251
8d2d3560 8e2b0383 857e77c0 865fa110 865fa100 tdx!TdxQueryInformationTransportAddress+0x5e
8d2d357c 83c8d593 866a8398 865fa110 85680508 tdx!TdxTdiDispatchInternalDeviceControl+0xc5
8d2d3594 9067ce58 865fa180 865fa184 858b20e0 nt!IofCallDriver+0x63
8d2d35bc 83cce933 858b2028 85680508 865fa110 TDIFilter!TDIFltClass::CreateOperatComplete+0x118 [g:\drivertest\1tdifilter\tdifilter\tdifilterclass.cpp @ 115]
8d2d3604 8e2b01bd 866a8398 857e77c0 8568ee60 nt!IopfCompleteRequest+0x128
8d2d3628 83c8d593 8cc87110 85680508 8568ee78 tdx!TdxTdiDispatchCreate+0x213
8d2d3640 9067cafa 874a8ab8 858b2028 8745a140 nt!IofCallDriver+0x63
8d2d3670 9067c3a0 858b2028 85680508 8d2d3698 TDIFilter!TDIFltClass::MyCreateHandler+0xea [g:\drivertest\1tdifilter\tdifilter\tdifilterclass.cpp @ 94]
8d2d3680 83c8d593 858b2028 85680508 874a8b14 TDIFilter!DriverBase::CreateHandler+0x20 [g:\drivertest\tdifilter\tdifilter\driverbase.cpp @ 44]
8d2d3698 83e9d2a9 a9a5c783 8d2d3840 00000000 nt!IofCallDriver+0x63
8d2d3770 83e7cac5 866a8398 a55e2650 857e0418 nt!IopParseDevice+0xed7
8d2d37ec 83e8ced6 00000000 8d2d3840 00000240 nt!ObpLookupObjectName+0x4fa
8d2d3848 83e839b4 8d2d3a9c 855e2650 00000000 nt!ObOpenObjectByName+0x165
8d2d38c4 83ec4eca 8d2d3adc 02000000 8d2d3a9c nt!IopCreateFile+0x673
8d2d3920 8e2df517 8d2d3adc 02000000 8d2d3a9c nt!IoCreateFileEx+0x9e
8d2d3b64 8e2dbfaf 857bfee0 858062f0 00000016 afd!AfdTdiCreateAO+0x573
8d2d3bec 8e2e82bc 872a77d0 866af1f8 8d2d3c14 afd!AfdBind+0x37a
8d2d3bfc 83c8d593 866af1f8 8568b7f0 8568b7f0 afd!AfdDispatchDeviceControl+0x3b
8d2d3c14 83e8199f 872a77d0 8568b7f0 8568b8cc nt!IofCallDriver+0x63
8d2d3c34 83e84b71 866af1f8 872a77d0 00000000 nt!IopSynchronousServiceTail+0x1f8
8d2d3cd0 83ecb3f4 866af1f8 8568b7f0 00000000 nt!IopXxxControlFile+0x6aa
8d2d3d04 83c941ea 0000039c 000004a4 00000000 nt!NtDeviceIoControlFile+0x2a
8d2d3d04 776770b4 0000039c 000004a4 00000000 nt!KiFastCallEntry+0x12a
0133e770 77675864 751c3ad6 0000039c 000004a4 ntdll!KiFastSystemCallRet
0133e774 751c3ad6 0000039c 000004a4 00000000 ntdll!NtDeviceIoControlFile+0xc
0133e828 767c45cf 0000039c 0133e880 00000010 mswsock!WSPBind+0x1fc
0133e84c 75089caf 0000039c 0133e880 00000010 WS2_32!bind+0x50
0133e8a0 75089ba9 0000039c 00000002 00000000 DNSAPI!Socket_Bind+0x1d2
0133e8d8 75089ae6 00000002 00000002 00000000 DNSAPI!Socket_Create+0x1c7
0133e8f8 750894aa 00000002 009818f8 009819d8 DNSAPI!Socket_GetUdp+0x16
0133e910 7508981c 00000000 00981868 009825d8 DNSAPI!Socket_CreateMessageSocket+0xb1
0133e92c 75089723 00000016 009819ee 00000001 DNSAPI!Send_MessagePrivateEx+0x172
0133e950 7508f762 009818f8 00981838 00981868 DNSAPI!sendUsingServerInfo+0x88
0133e98c 750889d2 009818f8 00981838 00000000 DNSAPI!sendUdpToNextDnsServers+0x231
0133ea84 7508904f 00000000 009a29c8 40006404 DNSAPI!Send_AndRecvUdpWithParam+0x1e0
0133eb38 75088f09 00981838 0000232b 0133f160 DNSAPI!Send_AndRecv+0xbd
0133ed5c 750887d2 0133f160 000025e5 0133f160 DNSAPI!Query_Wire+0x1d5
0133ed74 75086f38 0133f160 00004000 0133f160 DNSAPI!Query_SingleNamePrivate+0x13c
0133efc0 75086493 0133f160 00000000 0133f160 DNSAPI!Query_SingleNameDualAddr+0x178
0133efd4 750863ac 0133f160 750ba848 0133f160 DNSAPI!Query_SingleName+0x52
0133f024 7508f66b 0033f160 0000007b 0133f160 DNSAPI!Query_AllNames+0x490
0133f0f4 7508ba0e 0133f160 00981838 726ae040 DNSAPI!Query_Multicast+0x1ca
0133f120 72693455 00000000 003f66ec 72691840 DNSAPI!Query_Main+0x30d
0133f138 726932b7 0133f160 0133f5dc 0133f7ec dnsrslvr!ResolverQuery+0x9c
0133f5d8 75be04e8 00000000 003f66dc 0000001c dnsrslvr!R_ResolverQuery+0x147
0133f604 75c45311 7269318a 0133f7f0 00000006 RPCRT4!Invoke+0x2a
0133fa0c 75c4431d 00000000 00000000 022a4b20 RPCRT4!NdrStubCall2+0x2d6
0133fa28 75be063c 022a4b20 0f2a1efa 003b4ec8 RPCRT4!NdrServerCall2+0x19
0133fa64 75be07ca 7269181d 022a4b20 0133fb14 RPCRT4!DispatchToStubInCNoAvrf+0x4a
0133fabc 75be06b6 003b4ec8 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x16c
0133fae4 75bd76db 00000000 00000000 0133fb14 RPCRT4!RPC_INTERFACE::DispatchToStub+0x8b
0133fb30 75be0ac6 022a4a68 0133fb4c 00390738 RPCRT4!LRPC_SCALL::DispatchRequest+0x257
0133fb50 75be0a85 022a4a68 003f6688 00390738 RPCRT4!LRPC_SCALL::QueueOrDispatchCall+0xbd
0133fb6c 75be0921 00000000 003f6670 003b4ec8 RPCRT4!LRPC_SCALL::HandleRequest+0x34f
0133fba0 75be0895 00000000 003f6670 003f5568 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x144
0133fbd8 75bdfe85 003b4d58 00000000 003f5568 RPCRT4!LRPC_ADDRESS::HandleRequest+0xbd
0133fc54 75bdfd1d 00000000 0133fc70 75bdfc6a RPCRT4!LRPC_ADDRESS::ProcessIO+0x50a
0133fc60 75bdfc6a 003b4df4 00000000 0133fc98 RPCRT4!LrpcServerIoHandler+0x16
0133fc70 77661d55 0133fcdc 003b4df4 003b4e40 RPCRT4!LrpcIoComplete+0x16
0133fc98 776615ac 0133fcdc 00000000 00000000 ntdll!TppAlpcpExecuteCallback+0x1c5
0133fe00 75b23c45 00389158 0133fe4c 776937f5 ntdll!TppWorkerThread+0x5a4
0133fe0c 776937f5 00389158 7642bc94 00000000 kernel32!BaseThreadInitThunk+0xe
0133fe4c 776937c8 776603e7 00389158 00000000 ntdll!__RtlUserThreadStart+0x70
0133fe64 00000000 776603e7 00389158 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiPfnReferenceCountIsZero+24
83ce8f47 cc int 3
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!MiPfnReferenceCountIsZero+24
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce78a09
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x4E_7_nt!MiPfnReferenceCountIsZero+24
BUCKET_ID: 0x4E_7_nt!MiPfnReferenceCountIsZero+24
Followup: MachineOwner
---------
!devobj 0xFFFFFFFF858B2028
Device object (858b2028) is for:
\Driver\TDIFilter DriverObject 8588a360
Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000018
DevExt 858b20e0 DevObjExt 858b2108
ExtensionFlags (0x00000800)
Unknown flags 0x00000800
AttachedTo (Lower) 866a8398 \Driver\tdx
Device queue is not busy.
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
看了你的源码,核心步骤与你相同,非说不同的话,在查询地址的完成函数里,你是将要查询的地址打算存放的原始地址作为完成函数的上下文传进了查询地址完成函数,而我是从IRP->MdlAddress通过MmGetSystemAddressByMdlSafe得到存放查询的地址的原始地址,这应该没问题吧?
麻烦你再看看我的代码  ,实在没辙了
|
|
|
|
|
|
|
|
|
MSDN我看了,但是我没有调用过MmUnlockPages ,MmUnmapLockedPages之类的函数,那
nt!MmUnlockPages+0x557调用 是怎么来的? 我应该怎么修改? 
|
|
|
|
|
|
|
|
|
MSDN中讲的内容我看了,我没有触犯它说的那些。
可以讲的详细点吗?我琢磨好几天了。 
|
|
|
|
|
|
刚才把调用放在WorkItem里面,但还是出了同样的问题
VOID TDIFltClass::WorkItemRoutine(PDEVICE_OBJECT DeviceObject,PVOID Context){ WorkItemContext* WorkContext=(WorkItemContext*)Context; TDIFltExt* Exten=(TDIFltExt*)DeviceObject->DeviceExtension; TDI_ADDRESS_INFO* Address=(TDI_ADDRESS_INFO*)ExAllocatePool(NonPagedPool,sizeof(TDI_ADDRESS_INFO)+10); if(Address==NULL){ ExFreePool(Context); return; } PMDL Mdl=IoAllocateMdl(Address,sizeof(TDI_ADDRESS_INFO)+10,FALSE,FALSE,NULL); if(Mdl==NULL){ ExFreePool(Address); ExFreePool(Context); return; } MmBuildMdlForNonPagedPool(Mdl); TdiBuildQueryInformation(WorkContext->QueryIrp,Exten->LowerDevice,WorkContext->FileObject,QueryOperatComplete,NULL,TDI_QUERY_ADDRESS_INFO,Mdl); NTSTATUS status; status=IoCallDriver(Exten->LowerDevice,WorkContext->QueryIrp); if(status!=STATUS_PENDING&&!NT_SUCCESS(status)){ if(Mdl!=NULL){ IoFreeMdl(Mdl); } if(Address!=NULL){ ExFreePool(Address); } } ExFreePool(Context);//释放上下文 } 
|
|
|
|
|
|
|
|
|
|
|
|
|
