Kx只有41个只能发在临时会员板块
虽说TDI已经过时,但BUG不过时;
问题在产生创建请求,并在其完成函数中向下发送查询 地址请求时错误,相关代码:
这是为创建请求设置的的完成函数:
NTSTATUS TDIFltClass::CreateOperatComplete(PDEVICE_OBJECT DeviceObject,PIRP Irp,PVOID Context){
if(NT_SUCCESS(Irp->IoStatus.Status)){
TDIFltExt* Exten=(TDIFltExt*)DeviceObject->DeviceExtension;
PIO_STACK_LOCATION IoStack=IoGetCurrentIrpStackLocation(Irp);
PIRP Query=(PIRP)Context;
KdPrint(("向下发送查询请求\n"));
TDI_ADDRESS_INFO* Address=(TDI_ADDRESS_INFO*)ExAllocatePool(NonPagedPool,sizeof(TDI_ADDRESS_INFO)+10);
PMDL Mdl=IoAllocateMdl(Address,sizeof(TDI_ADDRESS_INFO)+10,FALSE,FALSE,NULL);
if(Mdl==NULL||Address==NULL) goto err;
MmBuildMdlForNonPagedPool(Mdl);
TdiBuildQueryInformation(Query,Exten->LowerDevice,IoStack->FileObject,QueryOperatComplete,NULL,TDI_QUERY_ADDRESS_INFO,Mdl);
NTSTATUS status;
status=IoCallDriver(Exten->LowerDevice,Query);//发送查询地址请求
if(status!=STATUS_PENDING&&!NT_SUCCESS(status)){
if(Mdl!=NULL){
IoFreeMdl(Mdl);
}
if(Address!=NULL){
ExFreePool(Address);
}
}
}
err:
if(Irp->PendingReturned)
{
IoMarkIrpPending(Irp);
}
return STATUS_SUCCESS;
}
这是查询请求完成所设置的完成函数:
NTSTATUS TDIFltClass::QueryOperatComplete(PDEVICE_OBJECT DeviceObject,PIRP Irp,PVOID Context){
KdPrint(("查询请求完成\n"));
PVOID Add=MmGetSystemAddressForMdlSafe(Irp->MdlAddress,NormalPagePriority);
KdPrint(("1\n"));
if(NT_SUCCESS(Irp->IoStatus.Status)&&Irp->MdlAddress!=NULL){
// TDIFltExt* Exten=(TDIFltExt*)DeviceObject->DeviceExtension;
KdPrint(("2\n"));
TDI_ADDRESS_INFO* AddInfo=(TDI_ADDRESS_INFO*)Add;
TA_ADDRESS* Addr=AddInfo->Address.Address;
KdPrint(("3\n"));
KdPrint(("Address:%x,port:%u\n",Myntohl(((TDI_ADDRESS_IP*)(Addr->Address))->in_addr),
Myntohs(((TDI_ADDRESS_IP*)(Addr->Address))->sin_port)));
//可将地址与端口保存起来与其文件对象对应以在必要时刻查询
}
// IoFreeMdl(Irp->MdlAddress);//释不释放都蓝屏
KdPrint(("4\n"));
// ExFreePool(Add););//释不释放都蓝屏
KdPrint(("5\n"));
return STATUS_SUCCESS;
}
DUMP:
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000007, A driver has unlocked a page more times than it locked it
Arg2: 0003e10e, page frame number
Arg3: 00000001, current share count
Arg4: 00000000, 0
BUGCHECK_STR: 0x4E_7
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 83d35083 to 83cd1110
STACK_TEXT:
8d2d2f4c 83d35083 00000003 a9a5df6f 00000065 nt!RtlpBreakWithStatusInstruction
8d2d2f9c 83d35b81 00000003 000000cf 854c9d88 nt!KiBugCheckDebugBreak+0x1c
8d2d3360 83ce8f47 0000004e 00000007 0003e10e nt!KeBugCheck2+0x68b
8d2d338c 83cc1b85 0003e10e 869e6d38 865fa110 nt!MiPfnReferenceCountIsZero+0x24
8d2d33e4 83ccead8 869e6d38 857e77c0 865fa110 nt!MmUnlockPages+0x557
8d2d3420 8e2af35a 865fa168 857e794c 00000103 nt!IopfCompleteRequest+0x2cd
8d2d34e4 8e2af705 865fa150 00000000 00000010 tdx!TdxQueryAddressComplete+0x1ba
8d2d3544 8e2a5438 007e77c0 865fa150 00000000 tdx!TdxIssueQueryAddressRequest+0x251
8d2d3560 8e2b0383 857e77c0 865fa110 865fa100 tdx!TdxQueryInformationTransportAddress+0x5e
8d2d357c 83c8d593 866a8398 865fa110 85680508 tdx!TdxTdiDispatchInternalDeviceControl+0xc5
8d2d3594 9067ce58 865fa180 865fa184 858b20e0 nt!IofCallDriver+0x63
8d2d35bc 83cce933 858b2028 85680508 865fa110 TDIFilter!TDIFltClass::CreateOperatComplete+0x118 [g:\drivertest\1tdifilter\tdifilter\tdifilterclass.cpp @ 115]
8d2d3604 8e2b01bd 866a8398 857e77c0 8568ee60 nt!IopfCompleteRequest+0x128
8d2d3628 83c8d593 8cc87110 85680508 8568ee78 tdx!TdxTdiDispatchCreate+0x213
8d2d3640 9067cafa 874a8ab8 858b2028 8745a140 nt!IofCallDriver+0x63
8d2d3670 9067c3a0 858b2028 85680508 8d2d3698 TDIFilter!TDIFltClass::MyCreateHandler+0xea [g:\drivertest\1tdifilter\tdifilter\tdifilterclass.cpp @ 94]
8d2d3680 83c8d593 858b2028 85680508 874a8b14 TDIFilter!DriverBase::CreateHandler+0x20 [g:\drivertest\tdifilter\tdifilter\driverbase.cpp @ 44]
8d2d3698 83e9d2a9 a9a5c783 8d2d3840 00000000 nt!IofCallDriver+0x63
8d2d3770 83e7cac5 866a8398 a55e2650 857e0418 nt!IopParseDevice+0xed7
8d2d37ec 83e8ced6 00000000 8d2d3840 00000240 nt!ObpLookupObjectName+0x4fa
8d2d3848 83e839b4 8d2d3a9c 855e2650 00000000 nt!ObOpenObjectByName+0x165
8d2d38c4 83ec4eca 8d2d3adc 02000000 8d2d3a9c nt!IopCreateFile+0x673
8d2d3920 8e2df517 8d2d3adc 02000000 8d2d3a9c nt!IoCreateFileEx+0x9e
8d2d3b64 8e2dbfaf 857bfee0 858062f0 00000016 afd!AfdTdiCreateAO+0x573
8d2d3bec 8e2e82bc 872a77d0 866af1f8 8d2d3c14 afd!AfdBind+0x37a
8d2d3bfc 83c8d593 866af1f8 8568b7f0 8568b7f0 afd!AfdDispatchDeviceControl+0x3b
8d2d3c14 83e8199f 872a77d0 8568b7f0 8568b8cc nt!IofCallDriver+0x63
8d2d3c34 83e84b71 866af1f8 872a77d0 00000000 nt!IopSynchronousServiceTail+0x1f8
8d2d3cd0 83ecb3f4 866af1f8 8568b7f0 00000000 nt!IopXxxControlFile+0x6aa
8d2d3d04 83c941ea 0000039c 000004a4 00000000 nt!NtDeviceIoControlFile+0x2a
8d2d3d04 776770b4 0000039c 000004a4 00000000 nt!KiFastCallEntry+0x12a
0133e770 77675864 751c3ad6 0000039c 000004a4 ntdll!KiFastSystemCallRet
0133e774 751c3ad6 0000039c 000004a4 00000000 ntdll!NtDeviceIoControlFile+0xc
0133e828 767c45cf 0000039c 0133e880 00000010 mswsock!WSPBind+0x1fc
0133e84c 75089caf 0000039c 0133e880 00000010 WS2_32!bind+0x50
0133e8a0 75089ba9 0000039c 00000002 00000000 DNSAPI!Socket_Bind+0x1d2
0133e8d8 75089ae6 00000002 00000002 00000000 DNSAPI!Socket_Create+0x1c7
0133e8f8 750894aa 00000002 009818f8 009819d8 DNSAPI!Socket_GetUdp+0x16
0133e910 7508981c 00000000 00981868 009825d8 DNSAPI!Socket_CreateMessageSocket+0xb1
0133e92c 75089723 00000016 009819ee 00000001 DNSAPI!Send_MessagePrivateEx+0x172
0133e950 7508f762 009818f8 00981838 00981868 DNSAPI!sendUsingServerInfo+0x88
0133e98c 750889d2 009818f8 00981838 00000000 DNSAPI!sendUdpToNextDnsServers+0x231
0133ea84 7508904f 00000000 009a29c8 40006404 DNSAPI!Send_AndRecvUdpWithParam+0x1e0
0133eb38 75088f09 00981838 0000232b 0133f160 DNSAPI!Send_AndRecv+0xbd
0133ed5c 750887d2 0133f160 000025e5 0133f160 DNSAPI!Query_Wire+0x1d5
0133ed74 75086f38 0133f160 00004000 0133f160 DNSAPI!Query_SingleNamePrivate+0x13c
0133efc0 75086493 0133f160 00000000 0133f160 DNSAPI!Query_SingleNameDualAddr+0x178
0133efd4 750863ac 0133f160 750ba848 0133f160 DNSAPI!Query_SingleName+0x52
0133f024 7508f66b 0033f160 0000007b 0133f160 DNSAPI!Query_AllNames+0x490
0133f0f4 7508ba0e 0133f160 00981838 726ae040 DNSAPI!Query_Multicast+0x1ca
0133f120 72693455 00000000 003f66ec 72691840 DNSAPI!Query_Main+0x30d
0133f138 726932b7 0133f160 0133f5dc 0133f7ec dnsrslvr!ResolverQuery+0x9c
0133f5d8 75be04e8 00000000 003f66dc 0000001c dnsrslvr!R_ResolverQuery+0x147
0133f604 75c45311 7269318a 0133f7f0 00000006 RPCRT4!Invoke+0x2a
0133fa0c 75c4431d 00000000 00000000 022a4b20 RPCRT4!NdrStubCall2+0x2d6
0133fa28 75be063c 022a4b20 0f2a1efa 003b4ec8 RPCRT4!NdrServerCall2+0x19
0133fa64 75be07ca 7269181d 022a4b20 0133fb14 RPCRT4!DispatchToStubInCNoAvrf+0x4a
0133fabc 75be06b6 003b4ec8 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x16c
0133fae4 75bd76db 00000000 00000000 0133fb14 RPCRT4!RPC_INTERFACE::DispatchToStub+0x8b
0133fb30 75be0ac6 022a4a68 0133fb4c 00390738 RPCRT4!LRPC_SCALL::DispatchRequest+0x257
0133fb50 75be0a85 022a4a68 003f6688 00390738 RPCRT4!LRPC_SCALL::QueueOrDispatchCall+0xbd
0133fb6c 75be0921 00000000 003f6670 003b4ec8 RPCRT4!LRPC_SCALL::HandleRequest+0x34f
0133fba0 75be0895 00000000 003f6670 003f5568 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x144
0133fbd8 75bdfe85 003b4d58 00000000 003f5568 RPCRT4!LRPC_ADDRESS::HandleRequest+0xbd
0133fc54 75bdfd1d 00000000 0133fc70 75bdfc6a RPCRT4!LRPC_ADDRESS::ProcessIO+0x50a
0133fc60 75bdfc6a 003b4df4 00000000 0133fc98 RPCRT4!LrpcServerIoHandler+0x16
0133fc70 77661d55 0133fcdc 003b4df4 003b4e40 RPCRT4!LrpcIoComplete+0x16
0133fc98 776615ac 0133fcdc 00000000 00000000 ntdll!TppAlpcpExecuteCallback+0x1c5
0133fe00 75b23c45 00389158 0133fe4c 776937f5 ntdll!TppWorkerThread+0x5a4
0133fe0c 776937f5 00389158 7642bc94 00000000 kernel32!BaseThreadInitThunk+0xe
0133fe4c 776937c8 776603e7 00389158 00000000 ntdll!__RtlUserThreadStart+0x70
0133fe64 00000000 776603e7 00389158 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiPfnReferenceCountIsZero+24
83ce8f47 cc int 3
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!MiPfnReferenceCountIsZero+24
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce78a09
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x4E_7_nt!MiPfnReferenceCountIsZero+24
BUCKET_ID: 0x4E_7_nt!MiPfnReferenceCountIsZero+24
Followup: MachineOwner
---------
!devobj 0xFFFFFFFF858B2028
Device object (858b2028) is for:
\Driver\TDIFilter DriverObject 8588a360
Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000018
DevExt 858b20e0 DevObjExt 858b2108
ExtensionFlags (0x00000800)
Unknown flags 0x00000800
AttachedTo (Lower) 866a8398 \Driver\tdx
Device queue is not busy.
[课程]Linux pwn 探索篇!