在产品安装过程中发现蓝屏。经初步排查(进安全模式一个个改驱动扩展名测出来的):驱动FileMonitor.sys与2345的2345Base.sys不能一起加载运行(各自分别加载运行都没问题的)!
Symbol search path is: srv*C:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`03e1e000 PsLoadedModuleList = 0xfffff800`0405be50
Debug session time: Wed Oct 28 10:00:22.651 2020 (UTC + 8:00)
System Uptime: 0 days 0:32:27.760
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, 2, 0, fffff80003eafa83}
Probably caused by : ntkrnlmp.exe ( nt!KiPageFault+260 )
Followup: MachineOwner
---------
0: kd> !analyze -v -f
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced //访问了NULL内存地址
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80003eafa83, address which referenced memory
Debugging Details:
------------------
OVERLAPPED_MODULE: Address regions for 'RefreshList' and 'crashdmp.sys' overlap
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800040c60e0
0000000000000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!IopCompleteRequest+ae3
fffff800`03eafa83 488b09 mov rcx,qword ptr [rcx] //执行这条指令就崩了
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: dllhost.exe //进程
IRP_ADDRESS: ffffffffffffff89
TRAP_FRAME: fffff880065986a0 -- (.trap 0xfffff880065986a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff88006597b78 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003eafa83 rsp=fffff88006598830 rbp=0000000000000000
r8=fffff88006598938 r9=fffff88006598930 r10=0000000000000002
r11=fffff80003eaefa0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po cy
nt!IopCompleteRequest+0xae3:
fffff800`03eafa83 488b09 mov rcx,qword ptr [rcx] ds:00000000`00000000=???????????????? //访问了NULL内存地址
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80003e8f469 to fffff80003e8ff00
//函数调用栈,看不到是那个驱动引发的
STACK_TEXT:
fffff880`06598558 fffff800`03e8f469 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`06598560 fffff800`03e8e0e0 : fffffa80`1a97d180 fffffa80`18d69810 fffff8a0`02055e20 fffff880`03f05584 : nt!KiBugCheckDispatch+0x69
fffff880`065986a0 fffff800`03eafa83 : fffffa80`1b9ac060 00000000`00000000 fffffa80`1a7ad610 00000000`00000000 : nt!KiPageFault+0x260
fffff880`06598830 fffff800`03e6c92f : 00000000`00000001 00000000`0011f000 fffff800`00000000 00000000`00000000 : nt!IopCompleteRequest+0xae3
fffff880`06598900 fffff800`03e41ba9 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x1d7
fffff880`06598980 fffff800`041d22da : fffffa80`1a7ad610 fffffa80`1ba53b30 fffff880`06598b10 fffff880`06598b08 : nt!KiCheckForKernelApcDelivery+0x25
fffff880`065989b0 fffff800`041a6ebf : fffffa80`00000004 fffffa80`1ba53b30 fffff880`06598b10 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x2a83e
fffff880`06598aa0 fffff800`03e8f3e5 : 00000000`0000000c fffffa80`1b9ac060 00000000`0027ec78 fffff800`03f80d01 : nt!NtMapViewOfSection+0x2be
fffff880`06598b70 00000000`76f3013a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x28a
00000000`0027ec58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f3013a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiPageFault+260
fffff800`03e8e0e0 440f20c0 mov rax,cr8
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiPageFault+260
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe //内核模块
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600
FAILURE_BUCKET_ID: X64_0xA_nt!KiPageFault+260
BUCKET_ID: X64_0xA_nt!KiPageFault+260
Followup: MachineOwner
---------
//函数调用栈
0: kd> kP
Child-SP RetAddr Call Site
fffff880`06598558 fffff800`03e8f469 nt!KeBugCheckEx
fffff880`06598560 fffff800`03e8e0e0 nt!KiBugCheckDispatch+0x69
fffff880`065986a0 fffff800`03eafa83 nt!KiPageFault+0x260
fffff880`06598830 fffff800`03e6c92f nt!IopCompleteRequest+0xae3
fffff880`06598900 fffff800`03e41ba9 nt!KiDeliverApc+0x1d7
fffff880`06598980 fffff800`041d22da nt!KiCheckForKernelApcDelivery+0x25
fffff880`065989b0 fffff800`041a6ebf nt! ?? ::NNGAKEGL::`string'+0x2a83e
fffff880`06598aa0 fffff800`03e8f3e5 nt!NtMapViewOfSection+0x2be
fffff880`06598b70 00000000`76f3013a nt!KiSystemServiceExit+0x28a
00000000`0027ec58 00000000`00000000 0x76f3013a
0: kd> kv
Child-SP RetAddr : Args to Child : Call Site
fffff880`06598558 fffff800`03e8f469 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`06598560 fffff800`03e8e0e0 : fffffa80`1a97d180 fffffa80`18d69810 fffff8a0`02055e20 fffff880`03f05584 : nt!KiBugCheckDispatch+0x69
fffff880`065986a0 fffff800`03eafa83 : fffffa80`1b9ac060 00000000`00000000 fffffa80`1a7ad610 00000000`00000000 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`065986a0)
fffff880`06598830 fffff800`03e6c92f : 00000000`00000001 00000000`0011f000 fffff800`00000000 00000000`00000000 : nt!IopCompleteRequest+0xae3
fffff880`06598900 fffff800`03e41ba9 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x1d7
fffff880`06598980 fffff800`041d22da : fffffa80`1a7ad610 fffffa80`1ba53b30 fffff880`06598b10 fffff880`06598b08 : nt!KiCheckForKernelApcDelivery+0x25
fffff880`065989b0 fffff800`041a6ebf : fffffa80`00000004 fffffa80`1ba53b30 fffff880`06598b10 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x2a83e
fffff880`06598aa0 fffff800`03e8f3e5 : 00000000`0000000c fffffa80`1b9ac060 00000000`0027ec78 fffff800`03f80d01 : nt!NtMapViewOfSection+0x2be
fffff880`06598b70 00000000`76f3013a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x28a (TrapFrame @ fffff880`06598be0)
00000000`0027ec58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f3013a
//加载的内核模块
0: kd> lm f
start end module name
fffff800`00b9c000 fffff800`00ba6000 kdcom kdcom.dll
fffff800`03e1e000 fffff800`043fb000 nt ntkrnlmp.exe
fffff800`043fb000 fffff800`04444000 hal hal.dll
fffff880`00c00000 fffff880`00cc0000 CI \SystemRoot\system32\CI.dll
...
fffff880`03271000 fffff880`032a1000 2345Base \SystemRoot\system32\drivers\2345Base.sys //和FileMonitor.sys有冲突
...
fffff880`033c9000 fffff880`033df000 FileMonitor \??\C:\Program Files\DAMon(X64)\drivers\FileMonitor.sys //和2345Base.sys有冲突
...
由于函数调用栈太深了,看不出就是那个驱动最终触的nt!KeBugCheckEx!有谁能帮忙找出来?谢谢!(dmp日志见附件)
[课程]Android-CTF解题方法汇总!
最后于 2020-10-28 20:24
被低调putchar编辑
,原因:
