[求助]minifilter 蓝屏问题-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]minifilter 蓝屏问题

发表于: 2017-4-1 16:47 6045

[求助]minifilter 蓝屏问题

幻海孤舟

2017-4-1 16:47

6045

请大神帮忙分析一个问题呢。windbg信息如下：

INVALID_PROCESS_ATTACH_ATTEMPT (5)

Arguments:

Arg1: ffffe000a664e900

Arg2: ffffe000a36c8900

Arg3: 0000000000000001

Arg4: 0000000000000001

Debugging Details:

------------------

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 9600.17936.amd64fre.winblue_ltsb.150715-0840

SYSTEM_MANUFACTURER: VMware, Inc.

VIRTUAL_MACHINE: VMware

SYSTEM_PRODUCT_NAME: VMware Virtual Platform

SYSTEM_VERSION: None

BIOS_VENDOR: Phoenix Technologies LTD

BIOS_VERSION: 6.00

BIOS_DATE: 09/21/2015

BASEBOARD_MANUFACTURER: Intel Corporation

BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

BASEBOARD_VERSION: None

DUMP_TYPE: 1

BUGCHECK_P1: ffffe000a664e900

BUGCHECK_P2: ffffe000a36c8900

BUGCHECK_P3: 1

BUGCHECK_P4: 1

CPU_COUNT: c

CPU_MHZ: 898

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 4f

CPU_STEPPING: 1

CPU_MICROCODE: 6,4f,1,0 (F,M,S,R) SIG: B00001E'00000000 (cache) B00001E'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x5

PROCESS_NAME: System

CURRENT_IRQL: 1

ANALYSIS_SESSION_HOST: DESKTOP-BNLMI0B

ANALYSIS_SESSION_TIME: 04-01-2017 16:21:18.0112

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

LAST_CONTROL_TRANSFER: from fffff803fa017240 to fffff803f9fd39a0

STACK_TEXT:

fffff803`fb8dacc8 fffff803`fa017240 : 00000000`00000005 ffffe000`a664e900 ffffe000`a36c8900 00000000`00000001 : nt!KeBugCheckEx

fffff803`fb8dacd0 fffff803`fa2aecaa : 00000000`00000001 ffffe000`a655df00 ffffe000`a74eaf40 fffff803`fb8dae18 : nt! ?? ::FNODOBFM::`string'+0x33380

fffff803`fb8dad20 fffff801`ac0f126a : ffffe000`a59d7ee0 00000000`00000000 00000000`00000000 00000000`00000f01 : nt!MmProbeAndLockProcessPages+0x56

fffff803`fb8dada0 fffff801`ae801097 : ffffe000`a69a29c8 ffffe000`a751c74a fffff803`fb8dafc0 fffff801`00000438 : fltmgr!FltSendMessage+0x24a

fffff803`fb8daee0 fffff801`ae8100f7 : fffff803`fb8dafc0 ffffe000`00000438 00000000`00000000 fffff803`fb8dafa0 : HiveMiniFilter!MyFltSendMessage+0x87 [g:\hive\hivefilecontrol\hiveminifilter\operation.c @ 1228]

fffff803`fb8daf40 fffff801`ac0ebe8b : ffffe000`a69a29c8 fffff803`fb8db478 00000000`00000000 fffff801`00000000 : HiveMiniFilter!WritePostOperation+0x467 [g:\hive\hivefilecontrol\hiveminifilter\operation.c @ 852]

fffff803`fb8db430 fffff801`ac0ec5ad : 00000000`00000000 00000000`00000000 ffffe000`a74ccf40 ffffe000`a74f5cf0 : fltmgr!FltpPerformPostCallbacks+0x34b

fffff803`fb8db500 fffff803`f9f1253e : ffffe000`a74f5cf0 00000000`00000000 ffffe000`a74f5e53 ffffe000`a7310dd4 : fltmgr!FltpPassThroughCompletionWorker+0x7d

fffff803`fb8db570 fffff801`ad2d4ac5 : ffffe000`a74f5cf0 00000000`00000001 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x2ee

fffff803`fb8db6b0 fffff801`ad2d72db : 00000000`00000000 ffffe000`a71b7ca0 fffff801`ad2f8010 ffffe000`a44ee801 : rdbss!RxCompleteRequestEx+0x1f5

fffff803`fb8db760 fffff801`ad2d911f : ffffe000`a549c030 00000000`00000000 00000000`00000000 fffff801`ac197010 : rdbss!RxLowIoCompletionTail+0xab

fffff803`fb8db7a0 fffff801`ac1d62ad : ffffe000`a549c030 ffffe000`a7351de8 ffffe000`a7351ed0 ffffe000`a66e4920 : rdbss!RxLowIoCompletion+0x3f

fffff803`fb8db7e0 fffff801`ac1606c1 : ffffe000`00000000 00000000`00000000 ffffe000`a71b7ca0 ffffe000`a549c030 : mrxsmb20!Smb2Write_Finalize+0x1cd

fffff803`fb8db850 fffff801`ac161dd9 : ffffe000`a7311db0 ffffe000`a7351ed0 00000000`00005701 00000000`00000001 : mrxsmb!SmbCeSendCompleteInd+0x451

fffff803`fb8db8f0 fffff803`f9f1253e : ffffe000`a65c0b90 fffff803`fb8dba40 00000000`00000000 ffffe000`a65c0c63 : mrxsmb!SmbWskSendComplete+0xc9

fffff803`fb8db940 fffff801`ad402dd2 : ffffe000`a65c0b90 ffff1be1`2956af02 ffffe000`a41f410c 00000000`00000000 : nt!IopfCompleteRequest+0x2ee

fffff803`fb8dba80 fffff801`acaa35a1 : 00000000`00000000 ffffe000`a526f0d0 fffff803`fb8dbbe0 fffff803`fb8dbdc8 : afd!WskProTLSendOrDisconnectComplete+0x72

fffff803`fb8dbae0 fffff801`acaa8ce0 : 00000000`00000001 fffff801`aca787e0 00000000`00000000 ffffe000`a3d29150 : tcpip!TcpTcbReceive+0x311

fffff803`fb8dbc30 fffff801`acaa86f5 : ffffe000`a44d382c 00000000`00000000 00000000`00000000 ffffe000`a3dcf0e0 : tcpip!TcpMatchReceive+0x1f0

fffff803`fb8dbdc0 fffff801`acaeb990 : ffffe000`a3de65c0 00000000`00000000 00000000`00006cc0 ffffe000`a52cd000 : tcpip!TcpPreValidatedReceive+0x385

fffff803`fb8dbec0 fffff801`aca789d2 : ffffe000`a45b4770 fffff801`aca787e0 fffff801`aca70006 00000000`00000006 : tcpip!IpFlcReceivePreValidatedPackets+0x650

fffff803`fb8dc080 fffff803`f9f3efa3 : fffffff6`0000000c 00000000`00000000 ffffe000`a3daee10 fffff803`fb8d7000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x102

fffff803`fb8dc1b0 fffff801`aca78b26 : fffff801`aca788d0 fffff803`fb8dc2d0 ffffe000`a43b2c10 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0xf3

fffff803`fb8dc2a0 fffff801`abe02903 : 00000000`00000000 fffff803`fb8dc381 ffffe000`00000001 ffffe000`a6a24b60 : tcpip!FlReceiveNetBufferListChain+0xb6

fffff803`fb8dc320 fffff801`abe0308a : 00000000`ffffff01 ffffe000`a6a20008 00000000`00000000 ffffe000`00000001 : NDIS!ndisMIndicateNetBufferListsToOpen+0x123

fffff803`fb8dc3e0 fffff801`ae2461c4 : ffffe000`a4319000 fffff801`ae246efc ffffe000`a4319e00 ffffe000`a44ee8a0 : NDIS!NdisMIndicateReceiveNetBufferLists+0x32a

fffff803`fb8dc5c0 fffff801`ae246a9d : 00000000`00000001 ffffe000`a44ee8a0 ffffe000`a4319000 00000000`00000001 : e1i63x64!RECEIVE::RxIndicateNBLs+0xd4

fffff803`fb8dc600 fffff801`ae239150 : 00000000`00000000 ffffe000`a3bc84c0 00000000`00000000 ffff0001`00000000 : e1i63x64!RECEIVE::RxProcessInterrupts+0x19d

fffff803`fb8dc680 fffff801`ae23957e : ffffe000`a3bc84c0 ffffe000`a4319000 ffff0001`00000000 ffff0001`00000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x1c0

fffff803`fb8dc6f0 fffff801`ae238b78 : fffff803`fb8dc829 ffff0001`00000000 fffff801`ae238af0 ffffe000`a43b5000 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e

fffff803`fb8dc750 fffff801`abe04005 : fffff803`fa185f00 fffff803`f9f78f50 ffffe000`a3cefb50 fffff801`aca74db3 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28

fffff803`fb8dc790 fffff803`f9f061e0 : fffff803`fb8dcb20 fffff803`fa183180 00000000`00000002 fffff803`f9e1a58f : NDIS!ndisInterruptDpc+0x1b5

fffff803`fb8dc890 fffff803`f9f05527 : 00000000`00000000 ffffe000`a6c23080 fffff803`fa183180 fffff803`00000001 : nt!KiExecuteAllDpcs+0x1b0

fffff803`fb8dc9e0 fffff803`f9fd74ea : fffff803`fa183180 fffff803`fa183180 fffff803`fa1dca00 ffffe000`a74b2080 : nt!KiRetireDpcList+0xd7

fffff803`fb8dcc60 00000000`00000000 : fffff803`fb8dd000 fffff803`fb8d7000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: d2981fe6e73ec9f0b84eb44b493f49f89a00e201

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 34d50751ba9b5b2fbee71d6ef497f0cbba7c72b6

THREAD_SHA1_HASH_MOD: 9fc1487c4bae9e906abf2f35ff2f82eaf67cfcde

FOLLOWUP_IP:

HiveMiniFilter!MyFltSendMessage+87 [g:\hive\hivefilecontrol\hiveminifilter\operation.c @ 1228]

fffff801`ae801097 89442444 mov dword ptr [rsp+44h],eax

FAULT_INSTR_CODE: 44244489

FAULTING_SOURCE_LINE: g:\hive\hivefilecontrol\hiveminifilter\operation.c

FAULTING_SOURCE_FILE: g:\hive\hivefilecontrol\hiveminifilter\operation.c

FAULTING_SOURCE_LINE_NUMBER: 1228

FAULTING_SOURCE_CODE:

1224: {

1225: KeLowerIrql(APC_LEVEL);

1226: bLower = TRUE;

1227: }

> 1228: status = FltSendMessage(gFilterData.Filter, &gFilterData.ClientPort, SenderBuffer, SenderBufferLength, ReplyBuffer, ReplyLength, Timeout);

1229: if (bLower)

1230: {

1231: KfRaiseIrql(irqlTemp);

1232: }

1233: return status;

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: HiveMiniFilter!MyFltSendMessage+87

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: HiveMiniFilter

IMAGE_NAME: HiveMiniFilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 58df58ff

BUCKET_ID_FUNC_OFFSET: 87

FAILURE_BUCKET_ID: 0x5_HiveMiniFilter!MyFltSendMessage

BUCKET_ID: 0x5_HiveMiniFilter!MyFltSendMessage

PRIMARY_PROBLEM_CLASS: 0x5_HiveMiniFilter!MyFltSendMessage

TARGET_TIME: 2017-04-01T07:53:11.000Z

OSBUILD: 9600

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 3

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

OSEDITION: Windows 8.1 Server TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2015-07-16 00:37:58

BUILDDATESTAMP_STR: 150715-0840

BUILDLAB_STR: winblue_ltsb

BUILDOSVER_STR: 6.3.9600.17936.amd64fre.winblue_ltsb.150715-0840

ANALYSIS_SESSION_ELAPSED_TIME: 12ec

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x5_hiveminifilter!myfltsendmessage

FAILURE_ID_HASH: {a6e529d2-2eaf-b55f-5301-2b165c167fba}

Followup: MachineOwner

开始报异常，是因为函数不晓得什么原因运行在DISPATCH_LEVEL 等级，降级后，就这样蓝屏了。

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (9)
hzqst 雪币： 12848 活跃值： (9147) 能力值： ( LV9，RANK：280 ) 在线值：发帖 47 回帖 1793 粉丝 569 关注私信	hzqst 3 2 楼 FltSendMessage function FltSendMessage sends a message to a waiting user-mode application on behalf of a minifilter driver or a minifilter driver instance. IRQL <= APC_LEVEL PostOperation can be running at DISPATCH_LEVEL 你懂的 LowerIRQL是作死引用老v的话：正确的姿势是开一个WorkItem或者Thread 然后更好的方法（巨硬用过的方法）应该是插入一个链表中，另一个线程不停从链表取出并Send 2017-4-1 17:29 0
MOVESP 雪币： 44 活跃值： (32) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 95 粉丝 0 关注私信	MOVESP 3 楼 @1228 2017-4-1 17:38 0
幻海孤舟雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	幻海孤舟 4 楼 hzqst FltSendMessage functionFltSendMessage sends a message to a waiting user-mode application ... 是这样的，最开始是没有修改这东西的。但是还是蓝屏，所以我加了日志，发现这个时候post在DISPATCH_LEVEL，而FltSendMessage 需要IRQL <= APC_LEVEL，所以考虑修改降级。但是这个该了还是蓝屏。而且蓝屏的位置一模一样。ffffd000`47dfdd18 fffff800`be19e240 : 00000000`00000005 ffffe000`890ed080 ffffe000`85c2d680 00000000`00000001 : nt!KeBugCheckEx ffffd000`47dfdd20 fffff800`be435caa : 00000000`00000001 ffffe000`8797e750 ffffe000`89f1cf40 ffffd000`47dfde68 : nt! ?? ::FNODOBFM::`string'+0x33380 ffffd000`47dfdd70 fffff801`bd0ab26a : ffffe000`899d2a00 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmProbeAndLockProcessPages+0x56 ffffd000`47dfddf0 fffff801`bf8a81a7 : ffffe000`89511898 ffffe000`896d968a ffffd000`47dfdfc0 ffffd000`00000438 : fltmgr!FltSendMessage+0x24a ffffd000`47dfdf30 fffff801`bd0a5e8b : ffffe000`89511898 ffffd000`47dfe478 00000000`00000000 fffff801`00000000 : HiveMiniFilter!WritePostOperation+0x487 [g:\hive\hivefilecontrol\hiveminifilter\operation.c @ 852] ffffd000`47dfe430 fffff801`bd0a65ad : 00000000`00000000 ffffd000`47dfe620 ffffe000`89da6e60 ffffe000`891bd010 : fltmgr!FltpPerformPostCallbacks+0x34b ffffd000`47dfe500 fffff800`be09953e : ffffe000`891bd010 00000000`00000000 ffffe000`891bd173 ffffe000`893490d4 : fltmgr!FltpPassThroughCompletionWorker+0x7d ffffd000`47dfe570 fffff801`bd177ac5 : ffffe000`891bd010 00000000`00000001 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x2ee ffffd000`47dfe6b0 fffff801`bd17a2db : 00000000`00000000 ffffe000`88873880 fffff801`bd19b010 ffffe000`86d5c401 : rdbss!RxCompleteRequestEx+0x1f5 ffffd000`47dfe760 fffff801`bd17c11f : ffffe000`87c5b030 00000000`00000000 00000000`00000000 fffff801`bf526010 : rdbss!RxLowIoCompletionTail+0xab ffffd000`47dfe7a0 fffff801`bf5652ad : ffffe000`87c5b030 ffffe000`89cd9de8 ffffe000`89cd9ed0 ffffe000`87bb5b50 : rdbss!RxLowIoCompletion+0x3f ffffd000`47dfe7e0 fffff801`bf4ef6c1 : ffffe000`00000000 ffffe000`00000000 ffffe000`88873880 ffffe000`87c5b030 : mrxsmb20!Smb2Write_Finalize+0x1cd ffffd000`47dfe850 fffff801`bf4f0dd9 : ffffe000`89bb8e10 ffffe000`89cd9ed0 ffffe000`862c1301 00000001`00000001 : mrxsmb!SmbCeSendCompleteInd+0x451 ffffd000`47dfe8f0 fffff800`be09953e : ffffe000`894db8a0 ffffd000`47dfea40 00000000`00000000 ffffe000`894db973 : mrxsmb!SmbWskSendComplete+0xc9 ffffd000`47dfe940 fffff801`bde02dd2 : ffffe000`894db8a0 ffffdf9c`5a685102 ffffe000`8683010c 00000000`00000000 : nt!IopfCompleteRequest+0x2ee ffffd000`47dfea80 fffff801`bd6e55a1 : 00000000`00000000 ffffe000`877f0820 ffffd000`47dfebe0 ffffd000`47dfedc8 : afd!WskProTLSendOrDisconnectComplete+0x72 ffffd000`47dfeae0 fffff801`bd6eace0 : 00000000`00000001 fffff801`bd6ba7e0 00000000`00000000 ffffe000`85c82610 : tcpip!TcpTcbReceive+0x311 ffffd000`47dfec30 fffff801`bd6ea6f5 : ffffe000`86d2202c 00000000`00000000 00000000`00000000 ffffe000`8639b158 : tcpip!TcpMatchReceive+0x1f0 ffffd000`47dfedc0 fffff801`bd72d990 : ffffe000`863d9e80 00000000`00000000 00000000`000013c1 fffff801`bd83f100 : tcpip!TcpPreValidatedReceive+0x385 ffffd000`47dfeec0 fffff801`bd6ba9d2 : ffffe000`86d4d480 fffff801`bd6ba7e0 fffff801`bd6b0006 00000000`00000006 : tcpip!IpFlcReceivePreValidatedPackets+0x650 ffffd000`47dff080 fffff800`be0c5fa3 : ffffe000`89581030 00000000`00000000 ffffe000`863c3b10 ffffd000`47dfa000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x102 ffffd000`47dff1b0 fffff801`bd6bab26 : fffff801`bd6ba8d0 ffffd000`47dff2d0 ffffe000`86d59510 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0xf3 ffffd000`47dff2a0 fffff801`bcc2a903 : 00000000`00000000 ffffd000`47dff381 ffffe000`00000001 ffffe000`8a0b7860 : tcpip!FlReceiveNetBufferListChain+0xb6 ffffd000`47dff320 fffff801`bcc2b08a : ffffdf9c`ffffff01 ffffe000`8a0b0008 00000000`00000000 ffffe000`00000001 : NDIS!ndisMIndicateNetBufferListsToOpen+0x123 ffffd000`47dff3e0 fffff801`bf0fa1c4 : ffffe000`868ef000 fffff801`bf0faefc ffffe000`868f0500 ffffe000`86d5c4f0 : NDIS!NdisMIndicateReceiveNetBufferLists+0x32a ffffd000`47dff5c0 fffff801`bf0faa9d : 00000000`00000001 ffffe000`86d5c4f0 ffffe000`868ef000 00000000`00000001 : e1i63x64!RECEIVE::RxIndicateNBLs+0xd4 ffffd000`47dff600 fffff801`bf0ed150 : 00000000`00000001 ffffe000`861888b0 00000000`00000000 ffff0001`00000001 : e1i63x64!RECEIVE::RxProcessInterrupts+0x19d ffffd000`47dff680 fffff801`bf0ed57e : ffffe000`861888b0 ffffe000`868ef000 ffff0001`00000001 ffff0001`00000001 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x1c0 ffffd000`47dff6f0 fffff801`bf0ecb78 : ffffd000`47dff829 ffff0001`00000001 fffff801`bf0ecaf0 ffffe000`8699b000 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e ffffd000`47dff750 fffff801`bcc2c005 : 00000000`00000000 00000000`00000000 ffffe000`862c1bc8 fffff801`bd6b6db3 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28 ffffd000`47dff790 fffff800`be08d1e0 : ffffd000`47dffb20 ffffffff`ffd11000 00000000`00000001 fffff800`be7a158f : NDIS!ndisInterruptDpc+0x1b5 ffffd000`47dff890 fffff800`be08c527 : ffffe000`89897000 ffffe000`89897080 00000000`00000000 ffffd000`00000002 : nt!KiExecuteAllDpcs+0x1b0 ffffd000`47dff9e0 fffff800`be15e4ea : ffffd000`47dd5180 ffffd000`47dd5180 ffffd000`47de14c0 ffffe000`88b6e080 : nt!KiRetireDpcList+0xd7 ffffd000`47dffc60 00000000`00000000 : ffffd000`47e00000 ffffd000`47dfa000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a hzqst，你的建议是不管这个FltSendMessage是否支持异步通知，都自己另外开辟一个队列来来单独发送？ 2017-4-1 17:41 0
hzqst 雪币： 12848 活跃值： (9147) 能力值： ( LV9，RANK：280 ) 在线值：发帖 47 回帖 1793 粉丝 569 关注私信	hzqst 3 5 楼幻海孤舟是这样的，最开始是没有修改这东西的。但是还是蓝屏，所以我加了日志，发现这个时候post在DISPATCH_LEVEL，而FltSendMessage 需要IRQL 看我上面说的最后一段话 2017-4-1 17:59 0
幻海孤舟雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	幻海孤舟 6 楼 to hzqst:明白，就是要自己建的队列和线程来专门发送接收。谢谢 2017-4-1 18:08 0
FckTheDog 雪币： 112 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 42 粉丝 0 关注私信	FckTheDog 7 楼不降级什么问题都没，发送内容保证不会PageOut不就ok 2017-4-4 02:27 0
幻海孤舟雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	幻海孤舟 8 楼 FckTheDog 不降级什么问题都没，发送内容保证不会PageOut不就ok to FckTheDol，没有明白你的意思，能给我科普仔细点么。我的最开始代码是没有开降级的。不小的什么原因，writepost运行在dispatch了，要蓝屏，因为FltSendMessage <= APC，所以我才搞这个降级的。但是降级了依旧蓝屏。你提的这个“保证发送内容不会pageout”，这个要怎么保证呢。 2017-4-5 10:52 0
FckTheDog 雪币： 112 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 42 粉丝 0 关注私信	FckTheDog 9 楼首先，个人感觉处理监控数据较好的方式是先缓存起来，然后要么用户层来读，要么内核线程发。其次，我觉得在回调中使用FltSendMessage是比较懒的一种行为，虽然我也这么做过，FltSendMessage的buf可以从NPList的快表中申请内存，每次发完Free掉…… 2017-4-6 01:13 0
沉醉星渊雪币： 16 活跃值： (527) 能力值： ( LV2，RANK：10 ) 在线值：发帖 41 回帖 112 粉丝 0 关注私信	沉醉星渊 10 楼没人敢手动降级的吧 2018-4-25 17:18 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

幻海孤舟

发帖

回帖

RANK

关注

私信

他的文章

[求助]minifilter 蓝屏问题 6046

关于我们

联系我们

企业服务

看雪公众号

最新回复 (9)
hzqst 雪币： 12848 活跃值： (9147) 能力值： ( LV9，RANK：280 ) 在线值：发帖 47 回帖 1793 粉丝 569 关注私信	hzqst 3 2 楼 FltSendMessage function FltSendMessage sends a message to a waiting user-mode application on behalf of a minifilter driver or a minifilter driver instance. IRQL <= APC_LEVEL PostOperation can be running at DISPATCH_LEVEL 你懂的 LowerIRQL是作死引用老v的话：正确的姿势是开一个WorkItem或者Thread 然后更好的方法（巨硬用过的方法）应该是插入一个链表中，另一个线程不停从链表取出并Send 2017-4-1 17:29 0
MOVESP 雪币： 44 活跃值： (32) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 95 粉丝 0 关注私信	MOVESP 3 楼 @1228 2017-4-1 17:38 0
幻海孤舟雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	幻海孤舟 4 楼 hzqst FltSendMessage functionFltSendMessage sends a message to a waiting user-mode application ... 是这样的，最开始是没有修改这东西的。但是还是蓝屏，所以我加了日志，发现这个时候post在DISPATCH_LEVEL，而FltSendMessage 需要IRQL <= APC_LEVEL，所以考虑修改降级。但是这个该了还是蓝屏。而且蓝屏的位置一模一样。ffffd000`47dfdd18 fffff800`be19e240 : 00000000`00000005 ffffe000`890ed080 ffffe000`85c2d680 00000000`00000001 : nt!KeBugCheckEx ffffd000`47dfdd20 fffff800`be435caa : 00000000`00000001 ffffe000`8797e750 ffffe000`89f1cf40 ffffd000`47dfde68 : nt! ?? ::FNODOBFM::`string'+0x33380 ffffd000`47dfdd70 fffff801`bd0ab26a : ffffe000`899d2a00 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmProbeAndLockProcessPages+0x56 ffffd000`47dfddf0 fffff801`bf8a81a7 : ffffe000`89511898 ffffe000`896d968a ffffd000`47dfdfc0 ffffd000`00000438 : fltmgr!FltSendMessage+0x24a ffffd000`47dfdf30 fffff801`bd0a5e8b : ffffe000`89511898 ffffd000`47dfe478 00000000`00000000 fffff801`00000000 : HiveMiniFilter!WritePostOperation+0x487 [g:\hive\hivefilecontrol\hiveminifilter\operation.c @ 852] ffffd000`47dfe430 fffff801`bd0a65ad : 00000000`00000000 ffffd000`47dfe620 ffffe000`89da6e60 ffffe000`891bd010 : fltmgr!FltpPerformPostCallbacks+0x34b ffffd000`47dfe500 fffff800`be09953e : ffffe000`891bd010 00000000`00000000 ffffe000`891bd173 ffffe000`893490d4 : fltmgr!FltpPassThroughCompletionWorker+0x7d ffffd000`47dfe570 fffff801`bd177ac5 : ffffe000`891bd010 00000000`00000001 00000000`00000000 00000000`00000000 : nt!IopfCompleteRequest+0x2ee ffffd000`47dfe6b0 fffff801`bd17a2db : 00000000`00000000 ffffe000`88873880 fffff801`bd19b010 ffffe000`86d5c401 : rdbss!RxCompleteRequestEx+0x1f5 ffffd000`47dfe760 fffff801`bd17c11f : ffffe000`87c5b030 00000000`00000000 00000000`00000000 fffff801`bf526010 : rdbss!RxLowIoCompletionTail+0xab ffffd000`47dfe7a0 fffff801`bf5652ad : ffffe000`87c5b030 ffffe000`89cd9de8 ffffe000`89cd9ed0 ffffe000`87bb5b50 : rdbss!RxLowIoCompletion+0x3f ffffd000`47dfe7e0 fffff801`bf4ef6c1 : ffffe000`00000000 ffffe000`00000000 ffffe000`88873880 ffffe000`87c5b030 : mrxsmb20!Smb2Write_Finalize+0x1cd ffffd000`47dfe850 fffff801`bf4f0dd9 : ffffe000`89bb8e10 ffffe000`89cd9ed0 ffffe000`862c1301 00000001`00000001 : mrxsmb!SmbCeSendCompleteInd+0x451 ffffd000`47dfe8f0 fffff800`be09953e : ffffe000`894db8a0 ffffd000`47dfea40 00000000`00000000 ffffe000`894db973 : mrxsmb!SmbWskSendComplete+0xc9 ffffd000`47dfe940 fffff801`bde02dd2 : ffffe000`894db8a0 ffffdf9c`5a685102 ffffe000`8683010c 00000000`00000000 : nt!IopfCompleteRequest+0x2ee ffffd000`47dfea80 fffff801`bd6e55a1 : 00000000`00000000 ffffe000`877f0820 ffffd000`47dfebe0 ffffd000`47dfedc8 : afd!WskProTLSendOrDisconnectComplete+0x72 ffffd000`47dfeae0 fffff801`bd6eace0 : 00000000`00000001 fffff801`bd6ba7e0 00000000`00000000 ffffe000`85c82610 : tcpip!TcpTcbReceive+0x311 ffffd000`47dfec30 fffff801`bd6ea6f5 : ffffe000`86d2202c 00000000`00000000 00000000`00000000 ffffe000`8639b158 : tcpip!TcpMatchReceive+0x1f0 ffffd000`47dfedc0 fffff801`bd72d990 : ffffe000`863d9e80 00000000`00000000 00000000`000013c1 fffff801`bd83f100 : tcpip!TcpPreValidatedReceive+0x385 ffffd000`47dfeec0 fffff801`bd6ba9d2 : ffffe000`86d4d480 fffff801`bd6ba7e0 fffff801`bd6b0006 00000000`00000006 : tcpip!IpFlcReceivePreValidatedPackets+0x650 ffffd000`47dff080 fffff800`be0c5fa3 : ffffe000`89581030 00000000`00000000 ffffe000`863c3b10 ffffd000`47dfa000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x102 ffffd000`47dff1b0 fffff801`bd6bab26 : fffff801`bd6ba8d0 ffffd000`47dff2d0 ffffe000`86d59510 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0xf3 ffffd000`47dff2a0 fffff801`bcc2a903 : 00000000`00000000 ffffd000`47dff381 ffffe000`00000001 ffffe000`8a0b7860 : tcpip!FlReceiveNetBufferListChain+0xb6 ffffd000`47dff320 fffff801`bcc2b08a : ffffdf9c`ffffff01 ffffe000`8a0b0008 00000000`00000000 ffffe000`00000001 : NDIS!ndisMIndicateNetBufferListsToOpen+0x123 ffffd000`47dff3e0 fffff801`bf0fa1c4 : ffffe000`868ef000 fffff801`bf0faefc ffffe000`868f0500 ffffe000`86d5c4f0 : NDIS!NdisMIndicateReceiveNetBufferLists+0x32a ffffd000`47dff5c0 fffff801`bf0faa9d : 00000000`00000001 ffffe000`86d5c4f0 ffffe000`868ef000 00000000`00000001 : e1i63x64!RECEIVE::RxIndicateNBLs+0xd4 ffffd000`47dff600 fffff801`bf0ed150 : 00000000`00000001 ffffe000`861888b0 00000000`00000000 ffff0001`00000001 : e1i63x64!RECEIVE::RxProcessInterrupts+0x19d ffffd000`47dff680 fffff801`bf0ed57e : ffffe000`861888b0 ffffe000`868ef000 ffff0001`00000001 ffff0001`00000001 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x1c0 ffffd000`47dff6f0 fffff801`bf0ecb78 : ffffd000`47dff829 ffff0001`00000001 fffff801`bf0ecaf0 ffffe000`8699b000 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e ffffd000`47dff750 fffff801`bcc2c005 : 00000000`00000000 00000000`00000000 ffffe000`862c1bc8 fffff801`bd6b6db3 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28 ffffd000`47dff790 fffff800`be08d1e0 : ffffd000`47dffb20 ffffffff`ffd11000 00000000`00000001 fffff800`be7a158f : NDIS!ndisInterruptDpc+0x1b5 ffffd000`47dff890 fffff800`be08c527 : ffffe000`89897000 ffffe000`89897080 00000000`00000000 ffffd000`00000002 : nt!KiExecuteAllDpcs+0x1b0 ffffd000`47dff9e0 fffff800`be15e4ea : ffffd000`47dd5180 ffffd000`47dd5180 ffffd000`47de14c0 ffffe000`88b6e080 : nt!KiRetireDpcList+0xd7 ffffd000`47dffc60 00000000`00000000 : ffffd000`47e00000 ffffd000`47dfa000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a hzqst，你的建议是不管这个FltSendMessage是否支持异步通知，都自己另外开辟一个队列来来单独发送？ 2017-4-1 17:41 0
hzqst 雪币： 12848 活跃值： (9147) 能力值： ( LV9，RANK：280 ) 在线值：发帖 47 回帖 1793 粉丝 569 关注私信	hzqst 3 5 楼幻海孤舟是这样的，最开始是没有修改这东西的。但是还是蓝屏，所以我加了日志，发现这个时候post在DISPATCH_LEVEL，而FltSendMessage 需要IRQL 看我上面说的最后一段话 2017-4-1 17:59 0
幻海孤舟雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	幻海孤舟 6 楼 to hzqst:明白，就是要自己建的队列和线程来专门发送接收。谢谢 2017-4-1 18:08 0
FckTheDog 雪币： 112 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 42 粉丝 0 关注私信	FckTheDog 7 楼不降级什么问题都没，发送内容保证不会PageOut不就ok 2017-4-4 02:27 0
幻海孤舟雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	幻海孤舟 8 楼 FckTheDog 不降级什么问题都没，发送内容保证不会PageOut不就ok to FckTheDol，没有明白你的意思，能给我科普仔细点么。我的最开始代码是没有开降级的。不小的什么原因，writepost运行在dispatch了，要蓝屏，因为FltSendMessage <= APC，所以我才搞这个降级的。但是降级了依旧蓝屏。你提的这个“保证发送内容不会pageout”，这个要怎么保证呢。 2017-4-5 10:52 0
FckTheDog 雪币： 112 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 42 粉丝 0 关注私信	FckTheDog 9 楼首先，个人感觉处理监控数据较好的方式是先缓存起来，然后要么用户层来读，要么内核线程发。其次，我觉得在回调中使用FltSendMessage是比较懒的一种行为，虽然我也这么做过，FltSendMessage的buf可以从NPList的快表中申请内存，每次发完Free掉…… 2017-4-6 01:13 0
沉醉星渊雪币： 16 活跃值： (527) 能力值： ( LV2，RANK：10 ) 在线值：发帖 41 回帖 112 粉丝 0 关注私信	沉醉星渊 10 楼没人敢手动降级的吧 2018-4-25 17:18 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复