[求助]蓝屏的dump,麻烦大神帮忙分析下-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]蓝屏的dump,麻烦大神帮忙分析下

发表于: 2017-3-28 00:46 2699

[求助]蓝屏的dump,麻烦大神帮忙分析下

yuanxiaoou 活跃值

2017-3-28 00:46

2699

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64

Loading Dump File [F:\032817-19328-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***

****************************************************************************

* Symbol loading may be unreliable without a symbol search path. *

* Use .symfix to have the debugger choose a symbol path. *

* After setting your symbol path, use .reload to refresh symbol locations. *

****************************************************************************

Executable search path is:

*********************************************************************

* Symbols can not be loaded because symbol path is not initialized. *

* *

* The Symbol Path can be set by: *

* using the _NT_SYMBOL_PATH environment variable. *

* using the -y <symbol_path> argument when starting the debugger. *

* using .sympath and .sympath+ *

*********************************************************************

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Machine Name:

Kernel base = 0x84003000 PsLoadedModuleList = 0x841435b0

Debug session time: Tue Mar 28 00:07:49.500 2017 (UTC + 8:00)

System Uptime: 0 days 6:16:35.343

*********************************************************************

* Symbols can not be loaded because symbol path is not initialized. *

* *

* The Symbol Path can be set by: *

* using the _NT_SYMBOL_PATH environment variable. *

* using the -y <symbol_path> argument when starting the debugger. *

* using .sympath and .sympath+ *

*********************************************************************

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Loading Kernel Symbols

...............................................................

................................................................

............

Loading User Symbols

Loading unloaded module list

...........

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000CE, {a0c23e30, 0, a0c23e30, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

Probably caused by : myDriver.sys ( myDriver+4e30 )

Followup: MachineOwner

---------

0: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)

A driver unloaded without cancelling timers, DPCs, worker threads, etc.

The broken driver's name is displayed on the screen.

Arguments:

Arg1: a0c23e30, memory referenced

Arg2: 00000000, value 0 = read operation, 1 = write operation

Arg3: a0c23e30, If non-zero, the instruction address which referenced the bad memory

address.

Arg4: 00000000, Mm internal code.

Debugging Details:

------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

ADDITIONAL_DEBUG_TEXT:

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 84003000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 0

READ_ADDRESS: unable to get nt!MmSpecialPoolStart

unable to get nt!MmSpecialPoolEnd

unable to get nt!MmPoolCodeStart

unable to get nt!MmPoolCodeEnd

a0c23e30

FAULTING_IP:

myDriver+4e30

a0c23e30 ?? ???

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xCE

CURRENT_IRQL: 0

IP_MODULE_UNLOADED:

myDriver+4e30

a0c23e30 ?? ???

LAST_CONTROL_TRANSFER: from 8408957d to a0c23e30

FAILED_INSTRUCTION_ADDRESS:

myDriver+4e30

a0c23e30 ?? ???

STACK_TEXT:

WARNING: Frame IP not in any known module. Following frames may be wrong.

a2217780 8408957d 9cfe69bb 00000000 87117ab0 <Unloaded_myDriver.sys>+0x4e30

a2217840 8419dfd5 00000000 a0c1f000 84143580 nt+0x8657d

a2217878 8419e247 87117ab0 ffffffff 00000000 nt+0x19afd5

a221789c 84176234 87117ab0 866f3488 8709c9b8 nt+0x19b247

a22178b4 8424c997 8709c9d0 8709c9d0 8709c9b8 nt+0x173234

a22178cc 840594ca 00000000 a2217be8 8709c9d0 nt+0x249997

a2217a3c 842b454a 00000000 a2217a54 8403887a nt+0x564ca

a2217a48 8403887a a2217be8 a2217c1c 84037b85 nt+0x2b154a

a2217a54 84037b85 badb0d00 a2217acc 000001ff nt+0x3587a

a2217c1c 842b454a 00000000 a2217c34 8403887a nt+0x34b85

a2217c28 8403887a 00c2ef64 00c2ef6c 773b70b4 nt+0x2b154a

a2217c34 773b70b4 badb0d00 00c2ef54 00000000 nt+0x3587a

a2217c38 badb0d00 00c2ef54 00000000 00000000 0x773b70b4

a2217c3c 00c2ef54 00000000 00000000 00000000 0xbadb0d00

a2217c40 00000000 00000000 00000000 00000000 0xc2ef54

STACK_COMMAND: kb

FOLLOWUP_IP:

myDriver+4e30

a0c23e30 ?? ???

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: myDriver+4e30

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: myDriver

IMAGE_NAME: myDriver.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

---------

[课程]Android-CTF解题方法汇总！

收藏・0

免费・0

支持

最新回复 (3)
supercolin 雪币： 1711 活跃值： (516) 能力值： ( LV12，RANK：200 ) 在线值：发帖 11 回帖 133 粉丝 11 关注私信	supercolin 1 2 楼 dmp文件没有，mydriver的symbol没有怎么玩... 看起来是unload以后发生的，十有八九没unload干净 2017-3-28 09:49 0
大只狼雪币： 1140 活跃值： (102) 能力值： ( LV4，RANK：48 ) 在线值：发帖 13 回帖 249 粉丝 1 关注私信	大只狼 3 楼 A driver unloaded without cancelling timers, DPCs, worker threads, etc. Probably caused by : myDriver.sys ( myDriver+4e30 ) 2017-3-28 13:00 0
MOVESP 雪币： 44 活跃值： (32) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 95 粉丝 0 关注私信	MOVESP 4 楼是不是a0c23e30引用了你驱动的RVA4e30出错 2017-3-28 13:16 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

yuanxiaoou

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
supercolin 雪币： 1711 活跃值： (516) 能力值： ( LV12，RANK：200 ) 在线值：发帖 11 回帖 133 粉丝 11 关注私信	supercolin 1 2 楼 dmp文件没有，mydriver的symbol没有怎么玩... 看起来是unload以后发生的，十有八九没unload干净 2017-3-28 09:49 0
大只狼雪币： 1140 活跃值： (102) 能力值： ( LV4，RANK：48 ) 在线值：发帖 13 回帖 249 粉丝 1 关注私信	大只狼 3 楼 A driver unloaded without cancelling timers, DPCs, worker threads, etc. Probably caused by : myDriver.sys ( myDriver+4e30 ) 2017-3-28 13:00 0
MOVESP 雪币： 44 活跃值： (32) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 95 粉丝 0 关注私信	MOVESP 4 楼是不是a0c23e30引用了你驱动的RVA4e30出错 2017-3-28 13:16 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复