[Help] Please help analyze a blue screen: what caused the BSOD?
Posted: 2020-5-23 14:43 3367


Loading Dump File [D:\BSOD\MEMORY.DMP]
Kernel Summary Dump File: Kernel address space is available, User address space may not be available.

 

WARNING: Whitespace at start of path element

 

************* Path validation summary **************
Response Time (ms) Location
Deferred SRV C:\symbols http://msdl.microsoft.com/download/symbols
WARNING: Whitespace at start of path element
Symbol search path is: SRV C:\symbols http://msdl.microsoft.com/download/symbols; SRV C:\symbols http://msdl.microsoft.com/download/symbols
Executable search path is:

 

Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24150.amd64fre.win7sp1_ldr_escrow.180528-1700
Machine Name:
Kernel base = 0xfffff80004615000 PsLoadedModuleList = 0xfffff80004854c90
Debug session time: Thu May 21 04:49:23.738 2020 (UTC + 8:00)
System Uptime: 2 days 1:31:16.765


 

Loading Kernel Symbols
...............................................................
................................................................
.....Page 3a53e9 not present in the dump file. Type ".hh dbgerr004" for details
...Page 3a382a not present in the dump file. Type ".hh dbgerr004" for details
..........................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................

 

************* Symbol Loading Error Summary **************
Module name Error
ntkrnlmp The system cannot find the file specified

 

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
For analysis of this file, run !analyze -v
2: kd> !analyze -v


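*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************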

 

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff800046b390a, Address of the instruction which caused the bugcheck
Arg3: fffff8801fcd5a40, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

* Kernel symbols are WRONG. Please fix symbols to do analysis.


 

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 0

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CIRRUS-PC

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 0

Key  : Analysis.Memory.CommitPeak.Mb
Value: 61

Key  : Analysis.System
Value: CreateObject

ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

 

WRONG_SYMBOLS_TIMESTAMP: 5b0cb355

 

WRONG_SYMBOLS_SIZE: 5e3000

 

FAULTING_MODULE: fffff80004615000 nt

 

BUGCHECK_CODE: 3b

 

BUGCHECK_P1: c0000005

 

BUGCHECK_P2: fffff800046b390a

 

BUGCHECK_P3: fffff8801fcd5a40

 

BUGCHECK_P4: 0

 

CONTEXT: fffff8801fcd5a40 -- (.cxr 0xfffff8801fcd5a40)
rax=0000000000000100 rbx=fffff8801fcd6500 rcx=0000000000000000
rdx=0000000000100000 rsi=0000000000000000 rdi=0000000000100000
rip=fffff800046b390a rsp=fffff8801fcd6410 rbp=fffff981020c0000
r8=fffff8801fcd6500 r9=0000000000000000 r10=0000000000000fff
r11=0000000000000000 r12=fffffa8018572cd0 r13=0000000000000001
r14=0000000000100000 r15=fffffa800d684988
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
nt!KeConnectInterruptForHal+0x8ba:
fffff800046b390a f6413820 test byte ptr [rcx+38h],20h ds:002b:0000000000000038=??
Resetting default scope

 

ASSERT_DATA: 

 

ASSERT_FILE_LOCATION: at Line 533553792

 

STACK_TEXT:
fffff8801fcd6410 fffff800046b3adc : fffff88000000000 fffff8801fcd6500 fffff981020c0000 0000000000000001 : nt!KeConnectInterruptForHal+0x8ba
fffff8801fcd6470 fffff800049ddd3e : 0000000000000040 0000000000100000 fffff981020c0000 0000000000040000 : nt!KeConnectInterruptForHal+0xa8c
fffff8801fcd64d0 fffff80004665c11 : 0000000000000100 0000000000100000 0000000000100001 fffffa800d684988 : nt!FsRtlMdlRead+0x13e
fffff8801fcd6500 fffff800048fcc60 : fffffa8000000000 0000000000100000 0000000000100000 fffff8801fcd6630 : nt!CcCopyWrite+0x391
fffff8801fcd6560 fffff880016ce16f : fffff88000000000 0000000000000005 fffffa8000040000 fffffa8018572c01 : nt!CcCopyRead+0x180
fffff8801fcd6620 fffff88001001098 : fffffa8018572cd0 fffffa800d684920 fffff8a03bdcdc70 0000000000000001 : Ntfs+0x9916f
fffff8801fcd6800 fffff8800100491a : fffff8801fcd68d0 fffff88001020400 0000000008c80000 fffffa8018572c03 : fltmgr+0x1098
fffff8801fcd6860 fffff88001020630 : fffffa8018572cd0 0000000000000000 fffff8801fcd69c8 0000000000100000 : fltmgr!FltIsCallbackDataDirty+0x23ba
fffff8801fcd68a0 fffff800048fe321 : fffffa8018572cd0 fffffa8000000001 fffffa800c7f7080 fffffa8018572cd0 : fltmgr!FltDeletePushLock+0x1e0
fffff8801fcd6940 fffff800046c79d3 : 0000000074f62450 0000000000000000 0000000000000000 0000000000000000 : nt!NtReadFile+0x441
fffff8801fcd6a70 0000000074f62e09 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!longjmp+0x5c63
0000000011b2ee18 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x74f62e09

 

SYMBOL_NAME: nt_wrong_symbols!5B0CB3555E3000

 

IMAGE_VERSION: 6.1.7601.24150

 

STACK_COMMAND: .cxr 0xfffff8801fcd5a40 ; kb

 

EXCEPTION_CODE_STR: 5B0CB355

 

EXCEPTION_STR: WRONG_SYMBOLS

 

PROCESS_NAME: ntoskrnl.wrong.symbols.exe

 

IMAGE_NAME: ntoskrnl.wrong.symbols.exe

 

MODULE_NAME: nt_wrong_symbols

 

FAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_7601.24150.amd64fre.win7sp1_ldr_escrow.180528-1700_TIMESTAMP_180529-015637_5B0CB355_nt_wrong_symbols!5B0CB3555E3000

 

OS_VERSION: 7.1.7601.24150

 

BUILDLAB_STR: win7sp1_ldr_escrow

 

OSPLATFORM_TYPE: x64

 

OSNAME: Windows 7

 

FAILURE_ID_HASH: {cb7d819b-9afd-4919-80a7-ed3febb39787}

Followup: MachineOwner

