PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: f0006c74, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf838c27, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)
The symbol store is somewhat incomplete, so make do with what is here.
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\Program Files\Debugging Tools for Windows\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available
Symbol search path is: SRV*C:\MaxDOS\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055bb20
Debug session time: Wed Jan 14 09:44:26.114 2009 (GMT+8)
System Uptime: 2 days 22:34:08.298
Loading Kernel Symbols
.....................................................................................................
Loading User Symbols
..............
Loading unloaded module list
..................................................
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
Use !analyze -v to get detailed debugging information.
BugCheck F4, {3, 80d33da0, 80d33f14, 805fb7a8}
*************************************************************************
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
Probably caused by : memory_corruption
CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been terminated. Several processes and threads are necessary for the operation of the system; when they are terminated (for any reason), the system can no longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 80d33da0, Terminating object
Arg3: 80d33f14, Process image file name
Arg4: 805fb7a8, Explanatory message (ascii)
Debugging Details: ------------------
kd> !apc
*** Enumerating APCs in all processes
Process 80e82830 System
Process 80ce3c08 smss.exe
Process 80d33da0 csrss.exe
  Thread 80cf0da8 ApcStateIndex 0
    ApcListHead 80cf0de4 [USER]
      KAPC @ 80e031c8 Type 12
        KernelRoutine 80577b96 nt!PspQueueApcSpecialApc+0
        RundownRoutine 00000000 +0
Process 80d0dda0 winlogon.exe
Process 80d07a50 services.exe
Process 80d36a58 lsass.exe
Process ffb57440 svchost.exe
Process 80d22488 svchost.exe
Process ffb5b020 svchost.exe
Process ffb8b750 svchost.exe
Process 80cf6020 svchost.exe
Process 80d3f550 explorer.exe
Process ffb596e0 spoolsv.exe
Process ffaa2a30 vmusrvc.exe
Process ffaa04a0 ctfmon.exe
Process ffa97638 vmsrvc.exe
Process ffa88700 vpcmap.exe
Process ffa4f020 alg.exe
Process 80cd9be8 wuauclt.exe
Process 80ded870 wuauclt.exe
Process 80cc9798 AnyAPC_Boom.exe
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: f000eefb, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf838c27, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)
The bolded win32k!NtUserGetDCEx+0x2c shows that the call just before 0x804e006b went into NtUserGetDCEx. Next look at the blue part, 0xbf838c27: that is the faulting location, which is why control went to nt!KiTrap0E for fault handling. So we can be fairly sure the problem is inside NtUserGetDCEx.
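As an added illustration (not part of the original post), a small Python helper that parses the BugCheck line and the !apc listing shown above and correlates them: for bugcheck F4 it resolves Arg2 (the terminating object) to a process name in the !apc list and reports that process's pending APCs, and for bugcheck 50 it decodes the read/write flag and the faulting instruction address. The sample input is constructed from the fragments quoted on this page (the "BugCheck 50" line is rebuilt from the Arg values above).

```python
import re

# Constructed sample input: BugCheck lines and the "!apc" listing from this page, trimmed.
BUGCHECK_F4 = "BugCheck F4, {3, 80d33da0, 80d33f14, 805fb7a8}"
BUGCHECK_50 = "BugCheck 50, {f0006c74, 0, bf838c27, 0}"
APC_DUMP = """*** Enumerating APCs in all processes
Process 80e82830 System
Process 80d33da0 csrss.exe
Thread 80cf0da8 ApcStateIndex 0
ApcListHead 80cf0de4 [USER]
KAPC @ 80e031c8 Type 12
KernelRoutine 80577b96 nt!PspQueueApcSpecialApc+0
RundownRoutine 00000000 +0
Process 80cc9798 AnyAPC_Boom.exe
"""

def parse_bugcheck(line):
    # 'BugCheck XX, {a, b, c, d}' -> (code, [a, b, c, d]) as ints
    code, args = re.match(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line).groups()
    return int(code, 16), [int(a, 16) for a in args.split(",")]

def parse_apc_dump(text):
    # Group the '!apc' listing by process: {eprocess: {"name": ..., "apcs": [...]}}
    procs, cur, mode, apc = {}, None, None, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "Process":
            cur = int(t[1], 16)
            procs[cur] = {"name": t[2], "apcs": []}
        elif t[0] == "ApcListHead":
            mode = t[2].strip("[]")                 # USER or KERNEL queue
        elif t[0] == "KAPC" and cur is not None:
            apc = {"mode": mode, "kernel_routine": None, "rundown_routine": None}
            procs[cur]["apcs"].append(apc)
        elif t[0] == "KernelRoutine" and apc is not None:
            apc["kernel_routine"] = t[2] if len(t) > 2 else hex(int(t[1], 16))
        elif t[0] == "RundownRoutine" and apc is not None:
            apc["rundown_routine"] = int(t[1], 16)
    return procs

def explain_bugcheck(line, apc_text=""):
    # Turn the raw arguments into the facts an analyst checks first (None for other codes).
    code, a = parse_bugcheck(line)
    if code == 0x50:  # PAGE_FAULT_IN_NONPAGED_AREA: Arg2 = 0 read / 1 write, Arg3 = EIP
        return {"code": code, "address": a[0], "op": "write" if a[1] else "read",
                "faulting_ip": a[2]}
    if code == 0xF4:  # CRITICAL_OBJECT_TERMINATION: Arg2 is the terminating object
        p = parse_apc_dump(apc_text).get(a[1])
        return {"code": code, "terminated": p["name"] if p else None,
                "pending_apcs": p["apcs"] if p else []}
```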
I came across an article titled "A Story of Unchecked Assumptions in the Windows Kernel"; page 28 of it describes an interesting property:
All threads are part of a desktop Except CSRSS-owned threads but Microsoft owns that code, and it never calls NtUserGetThreadState or NtUserGetDCEx.