看了下IRQL没有问题，代码运行在minifilter的IRP_MJ_CREATE的PreOperation回调中，看了看内存中的参数也没有出现异常
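/*
 * Open-or-create the destination file for writing, from the
 * IRP_MJ_CREATE pre-operation callback of this minifilter.
 *
 * Declared outside this fragment (names as used here):
 *   DesFileName - destination path; presumably a PUNICODE_STRING — verify
 *                 its Buffer really holds MaximumLength bytes
 *   oaDes       - OBJECT_ATTRIBUTES, filled in below
 *   iosDes      - IO_STATUS_BLOCK for the create
 *   hDes        - receives a kernel handle on success (caller must ZwClose it)
 *   status      - NTSTATUS of the create, or a failure code from the IRQL guard
 *
 * NOTE(review): the attached bugcheck shows this create reaching NTFS
 * (nt!NtCreateFile -> fltmgr!FltpCreate -> Ntfs!NtfsCreateNewFile ->
 * nt!FsRtlFindInTunnelCache) and faulting with rdi = 007600650044005c,
 * which decodes as UTF-16LE L"\Dev". A tunnel-cache node pointer that
 * contains path text is consistent with a pool overrun by a string copy
 * elsewhere in this driver rather than with the arguments shown here;
 * Driver Verifier with special pool on this driver is the quickest way
 * to confirm or rule that out.
 *
 * NOTE(review): ZwCreateFile issued from a pre-create callback re-enters
 * the filter stack through this same filter; FltCreateFile/FltCreateFileEx
 * with the callback's target instance is the documented way to open a
 * file from minifilter context.
 */
InitializeObjectAttributes(
    &oaDes,
    DesFileName,
    OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,   /* kernel handle: not exposed to the calling process (explorer.exe here) */
    NULL,
    NULL
);

/* ZwCreateFile requires PASSIVE_LEVEL. The original guard only logged and
 * then issued the create anyway; it now skips the call and reports failure. */
KIRQL kirq = KeGetCurrentIrql();
if (kirq != PASSIVE_LEVEL)
{
    KdPrint(("Err:Incorrect IRQL"));
    status = STATUS_INVALID_DEVICE_STATE;
}
else
{
    status = ZwCreateFile(
        &hDes,
        FILE_GENERIC_WRITE,
        &oaDes,
        &iosDes,
        NULL,                                   /* no initial allocation size */
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_VALID_FLAGS,
        FILE_OPEN_IF,                           /* open if present, create otherwise */
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        NULL
    );
}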
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff88003552f68
Arg3: fffff880035527c0
Arg4: fffff80003f95a21
Debugging Details:
------------------
EXCEPTION_RECORD: fffff88003552f68 -- (.exr 0xfffff88003552f68)
ExceptionAddress: fffff80003f95a21 (nt!FsRtlFindInTunnelCache+0x0000000000000091)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: fffff880035527c0 -- (.cxr 0xfffff880035527c0;r)
rax=0000000000000010 rbx=fffffa8001b93240 rcx=fffff8a0012ec956
rdx=0000000000000010 rsi=0000000000000001 rdi=007600650044005c
rip=fffff80003f95a21 rsp=fffff880035531a0 rbp=fffffa8002995c10
r8=0000000000000039 r9=0000000000d0e23c r10=fffff8a0012ec96c
r11=fffff8a0012ec976 r12=007600650044005c r13=00050000000133fc
r14=fffff880035535f8 r15=fffff88003553430
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
nt!FsRtlFindInTunnelCache+0x91:
fffff800`03f95a21 4c396f30 cmp qword ptr [rdi+30h],r13 ds:002b:00760065`0044008c=????????????????
Last set context:
rax=0000000000000010 rbx=fffffa8001b93240 rcx=fffff8a0012ec956
rdx=0000000000000010 rsi=0000000000000001 rdi=007600650044005c
rip=fffff80003f95a21 rsp=fffff880035531a0 rbp=fffffa8002995c10
r8=0000000000000039 r9=0000000000d0e23c r10=fffff8a0012ec96c
r11=fffff8a0012ec976 r12=007600650044005c r13=00050000000133fc
r14=fffff880035535f8 r15=fffff88003553430
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
nt!FsRtlFindInTunnelCache+0x91:
fffff800`03f95a21 4c396f30 cmp qword ptr [rdi+30h],r13 ds:002b:00760065`0044008c=????????????????
Resetting default scope
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: explorer.exe
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: ffffffffffffffff
FOLLOWUP_IP:
fffff880`03bc034f 89442460 mov dword ptr [rsp+60h],eax
FAULTING_IP:
nt!FsRtlFindInTunnelCache+91
fffff800`03f95a21 4c396f30 cmp qword ptr [rdi+30h],r13
BUGCHECK_STR: 0x24
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
LAST_CONTROL_TRANSFER: from fffff8800130fc15 to fffff80003f95a21
STACK_TEXT:
fffff880`035531a0 fffff880`0130fc15 : fffffa80`01b93240 fffff8a0`0206fc00 fffffa80`029b1010 fffff880`035538f0 : nt!FsRtlFindInTunnelCache+0x91
fffff880`03553220 fffff880`012f95af : fffffa80`029b1010 fffff880`035538f0 fffffa80`029b1010 fffff8a0`01ef3901 : Ntfs!NtfsCreateNewFile+0x395
fffff880`03553550 fffff880`012633ad : fffffa80`029b1010 fffffa80`02995c10 fffff880`035538f0 fffffa80`026fe300 : Ntfs!NtfsCommonCreate+0xe8f
fffff880`03553720 fffff800`03c83e78 : fffff880`03553860 00000000`4558452e 00000000`00000000 00000000`00000000 : Ntfs!NtfsCommonCreateCallout+0x1d
fffff880`03553750 fffff880`01263b2f : fffff880`01263390 fffff880`012629c0 fffff880`03553900 fffff880`01303100 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880`03553830 fffff880`012fbb3c : 00000000`00000000 00000000`00000000 fffff880`03553a80 fffffa80`02995c10 : Ntfs!NtfsCommonCreateOnNewStack+0x4f
fffff880`03553890 fffff880`01122bcf : fffffa80`01b92030 fffffa80`02995c10 00000000`00000000 00000000`00000000 : Ntfs!NtfsFsdCreate+0x1ac
fffff880`03553a40 fffff880`011422b9 : fffffa80`02995c10 fffffa80`01b90010 fffffa80`02995c00 fffffa80`01b8dde0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`03553ad0 fffff800`03f7d68b : 00000000`00000004 00000000`00000240 fffffa80`016ec350 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`03553b80 fffff800`03f791ae : fffffa80`00c28250 00000000`00000000 fffffa80`016c5b10 00000000`00000700 : nt!IopParseDevice+0x14e2
fffff880`03553ce0 fffff800`03f79c96 : 00000000`00000000 fffff880`03553e60 fffff8a0`00000240 fffffa80`00cf6f30 : nt!ObpLookupObjectName+0x784
fffff880`03553de0 fffff800`03f7ba8c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObOpenObjectByName+0x306
fffff880`03553eb0 fffff800`03f87104 : fffff880`03554268 00000000`00120116 fffff880`035542e0 fffff880`035542a0 : nt!IopCreateFile+0x2bc
fffff880`03553f50 fffff800`03c76753 : fffffa80`00d3e230 fffffa80`02763b50 fffff880`035542c8 fffff8a0`00100080 : nt!NtCreateFile+0x78
fffff880`03553fe0 fffff800`03c72d10 : fffff880`03bc034f 00000000`00000000 fffffa80`029450a0 fffffa80`02945000 : nt!KiSystemServiceCopyEnd+0x13
fffff880`035541e8 fffff880`03bc034f : 00000000`00000000 fffffa80`029450a0 fffffa80`02945000 00000000`00000801 : nt!KiServiceLinkage