[Help] FltUnregisterFilter hangs: is it caused by a resource leak?
Posted: 2023-1-19 16:33 7269

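I wrote a driver that hangs on some Win10 machines when it is unloaded with fltmc unload. Looking at the call stack, it is stuck inside FltUnregisterFilter. Has any expert here run into this? How should I analyze it?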

10: kd> kbn;!fltkd.filter ffffc402f1075a20;!VERIFIER 3 mydriver
  *** Stack trace for last set context - .thread/.cxr resets it
 # RetAddr               : Args to Child                                                           : Call Site
00 fffff802`47c130b0     : ffffd501`00000000 00000000`00000000 ffffc402`ef0fb190 fffff802`483b5019 : nt!KiSwapContext+0x76
01 fffff802`47c125df     : ffffc402`00000009 00000000`00000007 ffff840f`c064f2c0 ffffc402`00000000 : nt!KiSwapThread+0x500
02 fffff802`47c11e83     : ffff840f`00000000 fffff802`00000000 ffffc402`f13ef200 ffffc402`f4034180 : nt!KiCommitThreadWait+0x14f
03 fffff802`47c97285     : ffff840f`c064f378 ffffc402`00000000 00000000`00000000 00000000`ffffff00 : nt!KeWaitForSingleObject+0x233
04 fffff802`43cecb87     : 00000000`00000d07 fffff802`00000000 00000000`00001001 fffff802`ca8f7209 : nt!ExWaitForRundownProtectionReleaseCacheAware+0xb5
05 fffff802`43d1e557     : 00000001`11d4b362 ffffc402`f1076a20 00000000`00000002 00000001`11d4b361 : FLTMGR!FltpWaitForRundownProtectionReleaseInternal+0xcf
06 fffff802`43d385aa     : ffffc402`f1076a90 ffffc402`f1075a20 ffffc402`f1075a20 000e0011`0000000e : FLTMGR!FltpFreeInstance+0x10b
07 fffff802`ca90020a     : fffff802`ca8ff6f0 ffffc402`e2119010 ffffc402`cbb04d10 ffffc402`cbb03bb0 : FLTMGR!FltUnregisterFilter+0x11a
08 fffff802`ca90507b     : ffffc402`cbb04d10 ffffc402`cbb03b80 00000000`00000101 ffffc402`f1075a20 : mydriver!CMinifilter::OnStop+0x4a [C:\Users\Admin\Documents\mydriver\mydriver\framework\minifilter.cpp @ 184]
09 fffff802`ca905132     : ffffc402`cbb03b80 fffff802`47dfdeb0 00000000`00000010 00000000`00040082 : mydriver!CKModule::Stop+0x5b [C:\Users\Admin\Documents\mydriver\mydriver\framework\kmodule.cpp @ 73]
0a fffff802`ca905038     : ffffc402`cbb03b80 ffffc402`ef6078f0 ffff840f`c064f900 ffffc402`f1005100 : mydriver!CKModule::StopSubmodules+0x7e [C:\Users\Admin\Documents\mydriver\mydriver\framework\kmodule.cpp @ 229]
0b fffff802`ca8fd4b0     : ffffc402`f1005040 ffffc402`ef6078f0 ffffc402`ef6078f0 ffffc402`ef6078f0 : mydriver!CKModule::Stop+0x18 [C:\Users\Admin\Documents\mydriver\mydriver\framework\kmodule.cpp @ 71]
0c fffff802`ca8f8e5b     : fffff802`ca8ff6f0 ffffc402`e2119010 00000000`00000101 ffffc402`f1075a20 : mydriver!CApplication::Unload+0x28 [C:\Users\Admin\Documents\mydriver\mydriver\framework\application.cpp @ 102]
0d fffff802`ca8ff77b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : mydriver!DriverUnload+0x3b [C:\Users\Admin\Documents\mydriver\mydriver\driver.cpp @ 50]
0e fffff802`43d3593a     : ffff840f`c064f900 ffffc402`ef6078f0 ffffc402`f1075a20 00000001`11d297fe : mydriver!CMinifilter::__FilterUnload+0x8b [C:\Users\Admin\Documents\mydriver\mydriver\framework\minifilter.cpp @ 305]
0f fffff802`43d35bfe     : ffffc402`00000000 00000000`00000000 ffffffff`00000010 00000000`00000000 : FLTMGR!FltpDoUnloadFilter+0x19e
10 fffff802`43d39372     : ffffc402`f4034040 ffffc402`cc083c80 00000000`00000000 00000000`00000001 : FLTMGR!FltpUnloadFilterWorker+0xe
11 fffff802`47c52b65     : ffffc402`f4034040 ffffc402`f4034040 ffffc402`cc083c80 fffff802`00000000 : FLTMGR!FltpSyncOpWorker+0x52
12 fffff802`47c71d25     : ffffc402`f4034040 00000000`00000080 ffffc402`cc0a3040 000fa5ef`bd9bbfff : nt!ExpWorkerThread+0x105
13 fffff802`47e01f08     : fffff802`43560180 ffffc402`f4034040 fffff802`47c71cd0 21113311`33113311 : nt!PspSystemThreadStartup+0x55
14 00000000`00000000     : ffff840f`c0650000 ffff840f`c0649000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
 
FLT_FILTER: ffffc402f1075a20 "mydriver" "319200"
   FLT_OBJECT: ffffc402f1075a20  [02000001] Filter DRAINING
      RundownRef               : 0x0000000000002256 (4395)
      PointerCount             : 0x00000002
      PrimaryLink              : [ffffc402eedf3aa0-ffffc402eed2b020]
   Frame                    : ffffc402e2119010 "Frame 0"
   Flags                    : [00000012] FilteringInitiated BackedByPagefile
   DriverObject             : ffffc402ef6078f0
   FilterLink               : [ffffc402eedf3aa0-ffffc402eed2b020]
   PreVolumeMount           : fffff802ca8ff800  mydriver!CMinifilter::__PreOperation
   PostVolumeMount          : fffff802ca8ffa80  mydriver!CMinifilter::__PostOperation
   FilterUnload             : fffff802ca8ff6f0  mydriver!CMinifilter::__FilterUnload
   InstanceSetup            : fffff802ca8ff790  mydriver!CMinifilter::__InstanceSetup
   InstanceQueryTeardown    : fffff802ca8ff7b0  mydriver!CMinifilter::__InstanceQueryTeardown
   InstanceTeardownStart    : fffff802ca8fb6f0  mydriver!CApplication::OnStop
   InstanceTeardownComplete : fffff802ca8ff7c0  mydriver!CMinifilter::__InstanceTeardownComplete
   ActiveOpens              : (ffffc402f1075bd8)  mCount=2
   Communication Port List  : (ffffc402f1075c28)  mCount=0
   Client Port List         : (ffffc402f1075c78)  mCount=0
   VerifierExtension        : 0000000000000000
   Operations               : ffffc402f1075cd0
   OldDriverUnload          : 0000000000000000  (null)
   SupportedContexts        : (ffffc402f1075b50)
      VolumeContexts           : (ffffc402f1075b50)
      InstanceContexts         : (ffffc402f1075b58)
      FileContexts             : (ffffc402f1075b60)
      StreamContexts           : (ffffc402f1075b68)
      StreamHandleContexts     : (ffffc402f1075b70)
         ALLOCATE_CONTEXT_NODE: ffffc402eeffa240 "mydriver" [01] LookasideList (size=176)
      TransactionContext       : (ffffc402f1075b78)
      (null)                   : (ffffc402f1075b80)
   InstanceList             : (ffffc402f1075a88)
      FLT_INSTANCE: ffffc402f1076a20 "mydriver Instance" "319200"
      FLT_INSTANCE: ffffc402efd73a20 "mydriver Instance" "319200"
      FLT_INSTANCE: ffffc402ee77d010 "mydriver Instance" "319200"
      FLT_INSTANCE: ffffc402f51ab9b0 "mydriver Instance" "319200"
      FLT_INSTANCE: ffffc402f5884be0 "mydriver Instance" "319200"
      FLT_INSTANCE: ffffc402f4122be0 "mydriver Instance" "319200"
 
Verify Flags Level 0x00000000
 
  STANDARD FLAGS:
    [ ] (0x00000000) Automatic Checks
    [ ] (0x00000001) Special pool
    [ ] (0x00000002) Force IRQL checking
    [ ] (0x00000008) Pool tracking
    [ ] (0x00000010) I/O verification
    [ ] (0x00000020) Deadlock detection
    [ ] (0x00000080) DMA checking
    [ ] (0x00000100) Security checks
    [ ] (0x00000800) Miscellaneous checks
    [ ] (0x00020000) DDI compliance checking
 
  ADDITIONAL FLAGS:
    [ ] (0x00000004) Randomized low resources simulation
    [ ] (0x00000200) Force pending I/O requests
    [ ] (0x00000400) IRP logging
    [ ] (0x00002000) Invariant MDL checking for stack
    [ ] (0x00004000) Invariant MDL checking for driver
    [ ] (0x00008000) Power framework delay fuzzing
    [ ] (0x00010000) Port/miniport interface checking
    [ ] (0x00040000) Systematic low resources simulation
    [ ] (0x00080000) DDI compliance checking (additional)
    [ ] (0x00200000) NDIS/WIFI verification
    [ ] (0x00800000) Kernel synchronization delay fuzzing
    [ ] (0x01000000) VM switch verification
    [ ] (0x02000000) Code integrity checks
 
    [X] Indicates flag is enabled
 
 
Summary of All Verifier Statistics
 
  RaiseIrqls           0x0
  AcquireSpinLocks     0x0
  Synch Executions     0x0
  Trims                0x0
 
  Pool Allocations Attempted             0x0
  Pool Allocations Succeeded             0x0
  Pool Allocations Succeeded SpecialPool 0x0
  Pool Allocations With NO TAG           0x0
  Pool Allocations Failed                0x0
 
  Current paged pool allocations         0x0 for 00000000 bytes
  Peak paged pool allocations            0x0 for 00000000 bytes
  Current nonpaged pool allocations      0x0 for 00000000 bytes
  Peak nonpaged pool allocations         0x0 for 00000000 bytes
