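[Help] Please help analyze a BSOD dump
Posted: 2015-5-21 22:32 5427

I installed a tool that patches 64-bit driver signing. After applying the patch, it blue-screens as soon as the driver protection is used and exits. Please help pinpoint which patch is causing it!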

052115-11559-01.rar

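Latest replies (1)

I think it is a memory access problem; it looks like a conflict with Vstart. Also, why is your function's return address 0? This is my first time analyzing a dump file and I am not very good at it, so I am posting the dump contents here and waiting for the experts to answer. I will learn from it too.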
Child-SP          RetAddr           Call Site
fffff880`098cb8e0 00000000`00000000 DMProtect64+0x250c

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffffffffffd0, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff800042b70f1, If non-zero, the instruction address which referenced the bad memory
        address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------

Could not read faulting driver name

WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800044ff100
ffffffffffffffd0

FAULTING_IP:
nt!ObReferenceObjectByPointerWithTag+31
fffff800`042b70f1 f048830301      lock add qword ptr [rbx],1

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  VStart.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff880098cb4b0 -- (.trap 0xfffff880098cb4b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc3918277cdc1 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800042b70f1 rsp=fffff880098cb640 rbp=00000000746c6644
r8=0000000000000000  r9=0000000000000000 r10=fffff80004251000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!ObReferenceObjectByPointerWithTag+0x31:
fffff800`042b70f1 f048830301      lock add qword ptr [rbx],1 ds:0001:00000000`00000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80004344eb0 to fffff800042c5ec0

STACK_TEXT:  
fffff880`098cb348 fffff800`04344eb0 : 00000000`00000050 ffffffff`ffffffd0 00000000`00000001 fffff880`098cb4b0 : nt!KeBugCheckEx
fffff880`098cb350 fffff800`042c3fee : 00000000`00000001 ffffffff`ffffffd0 fffffa80`0c550000 ffffffff`ffffffd0 : nt! ?? ::FNODOBFM::`string'+0x4518f
fffff880`098cb4b0 fffff800`042b70f1 : 00000000`00000000 00000000`00000000 00000000`00000001 00000980`00000000 : nt!KiPageFault+0x16e
fffff880`098cb640 fffff800`045b3de4 : 00000000`c0000037 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObReferenceObjectByPointerWithTag+0x31
fffff880`098cb670 fffff800`045a57a0 : 00000000`00001200 ffffffff`d646d900 00000000`00000000 fffffa80`0c3a0060 : nt!ObOpenObjectByPointerWithTag+0x64
fffff880`098cb890 fffff880`0578150c : 00000000`00000000 fffff880`054d8159 fffff8a0`02465010 00000000`0000000c : nt!ObOpenObjectByPointer+0x30
fffff880`098cb8e0 00000000`00000000 : fffff880`054d8159 fffff8a0`02465010 00000000`0000000c 00000000`00000000 : DMProtect64+0x250c

STACK_COMMAND:  kb

FOLLOWUP_IP:
DMProtect64+250c
fffff880`0578150c ??              ???

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  DMProtect64+250c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: DMProtect64

IMAGE_NAME:  DMProtect64.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5518a17b

FAILURE_BUCKET_ID:  X64_0x50_DMProtect64+250c

BUCKET_ID:  X64_0x50_DMProtect64+250c

Followup: MachineOwner
---------

0: kd> k
Child-SP          RetAddr           Call Site
fffff880`098cb348 fffff800`04344eb0 nt!KeBugCheckEx
fffff880`098cb350 fffff800`042c3fee nt! ?? ::FNODOBFM::`string'+0x4518f
fffff880`098cb4b0 fffff800`042b70f1 nt!KiPageFault+0x16e
fffff880`098cb640 fffff800`045b3de4 nt!ObReferenceObjectByPointerWithTag+0x31
fffff880`098cb670 fffff800`045a57a0 nt!ObOpenObjectByPointerWithTag+0x64
fffff880`098cb890 fffff880`0578150c nt!ObOpenObjectByPointer+0x30
fffff880`098cb8e0 00000000`00000000 DMProtect64+0x250c
2015-5-25 00:32
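
Added example (not part of the original thread): a small Python triage of the `!analyze -v` and `k` text posted above. It tests whether the faulting address equals a NULL object pointer minus the object header, and names the first non-`nt` frame that called into the kernel. The 0x30 header offset is an assumption about the x64 `OBJECT_HEADER` layout, `triage` and its field names are hypothetical, and the sample lines are copied from the dump above.

```python
import re

# Constructed sample: lines copied from the WinDbg output in the reply above.
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: ffffffffffffffd0, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff800042b70f1, If non-zero, the instruction address which referenced the bad memory
fffff880`098cb348 fffff800`04344eb0 nt!KeBugCheckEx
fffff880`098cb350 fffff800`042c3fee nt! ?? ::FNODOBFM::`string'+0x4518f
fffff880`098cb4b0 fffff800`042b70f1 nt!KiPageFault+0x16e
fffff880`098cb640 fffff800`045b3de4 nt!ObReferenceObjectByPointerWithTag+0x31
fffff880`098cb670 fffff800`045a57a0 nt!ObOpenObjectByPointerWithTag+0x64
fffff880`098cb890 fffff880`0578150c nt!ObOpenObjectByPointer+0x30
fffff880`098cb8e0 00000000`00000000 DMProtect64+0x250c
"""

# Assumption: on x64 the object body starts 0x30 bytes after its OBJECT_HEADER,
# so the reference count touched by ObReference* lives at (Object - 0x30).
OBJECT_HEADER_BODY_OFFSET = 0x30
MASK64 = (1 << 64) - 1

ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]{16})", re.M)
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} (.+)$", re.M)

def module_of(call_site):
    """'nt!Foo+0x31' -> 'nt'; 'DMProtect64+0x250c' -> 'DMProtect64'."""
    return call_site.split("!")[0].split("+")[0].strip()

def triage(text):
    """Summarise a bugcheck 0x50 from `!analyze -v` arguments and `k` frames."""
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    frames = FRAME_RE.findall(text)
    # First frame outside the kernel image: the code that passed the pointer in.
    caller = next((f for f in frames if module_of(f) != "nt"), None)
    # Undo the header adjustment to recover the object pointer the API was given.
    implied = (args[1] + OBJECT_HEADER_BODY_OFFSET) & MASK64
    return {
        "bad_address": args[1],
        "access": "write" if args[2] == 1 else "read",
        "faulting_ip": args[3],
        "implied_object": implied,
        "null_object": implied == 0,
        "caller": caller,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```
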