This problem has been around for a long time and I haven't been able to solve it; asking the experts for help.
I looked at the stack in WinDbg: the exception is raised at nt!memcpy+0x4a. That seems strange, because the parameters passed to MmCopyVirtualMemory should be fine. In a script project it blue-screens after roughly 3 hours; it reads the memory of a user-mode process, and I don't know whether it's because it keeps reading continuously.
The source code is very simple, it's written like this:
I won't upload the dump file; if anyone wants to solve it, leave your contact details.
BSOD dump:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffffeeffffffef, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80173831c0a, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)
Debugging Details:
KEY_VALUES_STRING: 1
Key : AV.Type
Value: Read
Key : Analysis.CPU.mSec
Value: 4359
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 56199
Key : Analysis.Init.CPU.mSec
Value: 2578
Key : Analysis.Init.Elapsed.mSec
Value: 84557
Key : Analysis.Memory.CommitPeak.Mb
Value: 94
Key : WER.OS.Branch
Value: co_release
Key : WER.OS.Timestamp
Value: 2021-06-04T16:28:00Z
Key : WER.OS.Version
Value: 10.0.22000.1
FILE_IN_CAB: 011323-18343-01.dmp
BUGCHECK_CODE: 50
BUGCHECK_P1: ffffffeeffffffef
BUGCHECK_P2: 0
BUGCHECK_P3: fffff80173831c0a
BUGCHECK_P4: 2
READ_ADDRESS: fffff80174105450: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
ffffffeeffffffef
MM_INTERNAL_CODE: 2
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
TRAP_FRAME: fffff50c86487050 -- (.trap 0xfffff50c86487050)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff50c864873d0 rbx=0000000000000000 rcx=fffff50c864873d0
rdx=00000ae279b78c1f rsi=0000000000000000 rdi=0000000000000000
rip=fffff80173831c0a rsp=fffff50c864871e8 rbp=00000000000038bc
r8=0000000000000001 r9=fffff50c86487300 r10=fffff50c864872f0
r11=ffffffffffffffff r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!memcpy+0x4a:
fffff80173831c0a 448a1c11 mov r11b,byte ptr [rcx+rdx] ds:ffffffeeffffffef=??
Resetting default scope
STACK_TEXT:
fffff50c86486da8 fffff801738a1acd : 0000000000000050 ffffffeeffffffef 0000000000000000 fffff50c86487050 : nt!KeBugCheckEx
fffff50c86486db0 fffff80173665396 : 0000000000000040 0000000000000000 fffff50c86486fb0 0000000000000000 : nt!MiSystemFault+0x1c4a5d
fffff50c86486eb0 fffff8017382c941 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 : nt!MmAccessFault+0x2a6
fffff50c86487050 fffff80173831c0a : fffff80173a8ebf8 ffffffeeffffffef 0000000000000000 fffff50c864872f0 : nt!KiPageFault+0x341
fffff50c864871e8 fffff80173a8ebf8 : ffffffeeffffffef 0000000000000000 fffff50c864872f0 ffffcf8f00000000 : nt!memcpy+0x4a
fffff50c864871f0 fffff80173a8dadd : ffffcf8f815a00c0 00000000000038bc 0000000000000070 fffff80173821740 : nt!MiCopyVirtualMemory+0x2b8
fffff50c86487620 ffff80008e8c20d7 : cf8f815a00c0b627 0000000000000000 ffffcf8f823b5060 0000000000000020 : nt!MmCopyVirtualMemory+0x2d
fffff50c86487670 cf8f815a00c0b627 : 0000000000000000 ffffcf8f823b5060 0000000000000020 0000000000000001 : 0xffff80008e8c20d7
fffff50c86487678 0000000000000000 : ffffcf8f823b5060 0000000000000020 0000000000000001 fffff80173a8bc00 : 0xcf8f815a00c0b627
SYMBOL_NAME: nt!MiSystemFault+1c4a5d
MODULE_NAME: nt
IMAGE_VERSION: 10.0.22000.1455
STACK_COMMAND: .cxr; .ecxr ; kb
IMAGE_NAME: ntkrnlmp.exe
BUCKET_ID_FUNC_OFFSET: 1c4a5d
FAILURE_BUCKET_ID: AVR(null)_nt!MiSystemFault
OS_VERSION: 10.0.22000.1
BUILDLAB_STR: co_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {636dd506-1acb-bac0-a568-0355527c550f}
Followup: MachineOwner
Last edited by wx_刹那轮回 on 2023-3-27 16:25.
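Added example, not the poster's code (which is not reproduced on this page): the parameter validation a driver should perform before handing a client-supplied address to MmCopyVirtualMemory. The bugcheck text above states that a PAGE_FAULT_IN_NONPAGED_AREA cannot be protected by try-except, and the memory referenced, ffffffeeffffffef, lies far above the highest x64 user-mode address (0x00007FFFFFFEFFFF on this Windows 11 build), so a range check on the request rejects it before any copy is attempted; a fault on an unmapped user-mode page, by contrast, is handled inside the copy routine and returned as a failure status. The request layout, the MAX_COPY_BYTES limit and the READMEM_KERNEL_BUILD macro are assumptions made for this example. The validation is portable C so it can be compiled and tested in user mode; the wrapper at the end is built only in a WDK driver build. The MmCopyVirtualMemory prototype is the commonly used one, since ntoskrnl exports the function without declaring it in the public headers.

```c
/*
 * Added example: validating a "read process memory" request before it reaches
 * MmCopyVirtualMemory. The request layout, MAX_COPY_BYTES and the
 * READMEM_KERNEL_BUILD macro are assumptions made for this example. The
 * validation is plain C so it can be compiled and tested in user mode; the
 * wrapper at the bottom is only built when READMEM_KERNEL_BUILD is defined
 * (a WDK driver build).
 */
#include <stdint.h>
#include <stdbool.h>

/* Highest user-mode address on x64 Windows with the 128 TB layout. Inside a
 * driver compare against MM_HIGHEST_USER_ADDRESS instead of this constant. */
#define X64_HIGHEST_USER_ADDRESS 0x00007FFFFFFEFFFFULL

/* Policy limit for one request (assumed value). */
#define MAX_COPY_BYTES (64u * 1024u)

/* Fixed-width layout shared by the user-mode client and the driver, so a
 * 32-bit client and a 64-bit driver cannot disagree on field sizes. */
typedef struct ReadRequest {
    uint64_t pid;       /* target process id */
    uint64_t address;   /* virtual address in the target process */
    uint64_t size;      /* bytes to copy */
} ReadRequest;

typedef enum ReqVerdict {
    REQ_OK = 0,
    REQ_BAD_SIZE,         /* zero-length read */
    REQ_TOO_LARGE,        /* exceeds MAX_COPY_BYTES */
    REQ_NOT_USER_RANGE    /* range wraps or touches kernel space */
} ReqVerdict;

/* True iff [address, address + size) is non-empty, does not wrap around
 * 2^64 and lies entirely at or below highest_user. */
bool range_is_user_mode(uint64_t address, uint64_t size, uint64_t highest_user)
{
    if (size == 0 || address > highest_user)
        return false;
    uint64_t last = address + (size - 1);   /* last byte; may wrap */
    if (last < address)
        return false;                       /* wrapped around 2^64 */
    return last <= highest_user;
}

ReqVerdict validate_request(const ReadRequest *r, uint64_t highest_user)
{
    if (r->size == 0)
        return REQ_BAD_SIZE;
    if (r->size > MAX_COPY_BYTES)
        return REQ_TOO_LARGE;
    if (!range_is_user_mode(r->address, r->size, highest_user))
        return REQ_NOT_USER_RANGE;
    return REQ_OK;
}

#ifdef READMEM_KERNEL_BUILD
#include <ntifs.h>

/* Exported by ntoskrnl but not declared in the public headers; this is the
 * commonly used prototype. */
NTSTATUS NTAPI MmCopyVirtualMemory(PEPROCESS SourceProcess, PVOID SourceAddress,
                                   PEPROCESS TargetProcess, PVOID TargetAddress,
                                   SIZE_T BufferSize, KPROCESSOR_MODE PreviousMode,
                                   PSIZE_T ReturnSize);

/* Copies r->size bytes from the target process into KernelBuffer. Every
 * early return happens before the process reference is taken, and the
 * reference is dropped on both the success and the failure path. */
NTSTATUS ReadTargetMemory(const ReadRequest *r, PVOID KernelBuffer,
                          SIZE_T KernelBufferSize, PSIZE_T Copied)
{
    if (r->size > KernelBufferSize)
        return STATUS_BUFFER_TOO_SMALL;
    if (validate_request(r, (uint64_t)(ULONG_PTR)MM_HIGHEST_USER_ADDRESS) != REQ_OK)
        return STATUS_INVALID_PARAMETER;

    PEPROCESS target;
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)r->pid, &target);
    if (!NT_SUCCESS(status))
        return status;                      /* process gone: no copy attempted */

    status = MmCopyVirtualMemory(target, (PVOID)(ULONG_PTR)r->address,
                                 PsGetCurrentProcess(), KernelBuffer,
                                 (SIZE_T)r->size, KernelMode, Copied);
    ObDereferenceObject(target);            /* balance PsLookupProcessByProcessId */
    return status;
}
#endif
```

In the driver, MM_HIGHEST_USER_ADDRESS is the value to compare against at run time rather than a hard-coded constant. PsLookupProcessByProcessId takes a reference that must be released with ObDereferenceObject on every path, including after a failed copy; a loop that reads every few milliseconds for hours will expose any path that forgets to do so.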