[求助]调试狂人的代码出错，请高手看看。-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]调试狂人的代码出错，请高手看看。 0.00雪花

发表于: 2009-5-26 17:59 1380

[旧帖] [求助]调试狂人的代码出错，请高手看看。 0.00雪花

iyunxi

2009-5-26 17:59

1380

错误提示：
=========================================================

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f7830601, The address that the exception occurred at
Arg3: f6fd0b84, Exception Record Address
Arg4: f6fd0880, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
comcap!ccpAttachDevice+111 [d:\driverfiles\comcap\comcap.c @ 179]
f7830601 8911          mov    dword ptr [ecx],edx

EXCEPTION_RECORD:  f6fd0b84 -- (.exr 0xfffffffff6fd0b84)
ExceptionAddress: f7830601 (comcap!ccpAttachDevice+0x00000111)
ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000

CONTEXT:  f6fd0880 -- (.cxr 0xfffffffff6fd0880)
eax=821ee030 ebx=00000000 ecx=00000000 edx=821ee030 esi=e19813a6 edi=81f37ed0
eip=f7830601 esp=f6fd0c4c ebp=f6fd0c54 iopl=0       nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000          efl=00010286
comcap!ccpAttachDevice+0x111:
f7830601 8911          mov    dword ptr [ecx],edx  ds:0023:00000000=????????
Resetting default scope

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00000000

WRITE_ADDRESS:  00000000

FOLLOWUP_IP:
comcap!ccpAttachDevice+111 [d:\driverfiles\comcap\comcap.c @ 179]
f7830601 8911          mov    dword ptr [ecx],edx

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_DEREFERENCE

LAST_CONTROL_TRANSFER:  from f783068b to f7830601

STACK_TEXT:
f6fd0c54 f783068b 81f37ed0 821ee030 f7832008 comcap!ccpAttachDevice+0x111 [d:\driverfiles\comcap\comcap.c @ 179]
f6fd0c78 f78306e2 81f37ed0 0000001b f6fd0d58 comcap!ccpAttachAllComs+0x5b [d:\driverfiles\comcap\comcap.c @ 203]
f6fd0c88 808e0097 81f37ed0 81c7c000 00000000 comcap!DriverEntry+0x42 [d:\driverfiles\comcap\comcap.c @ 227]
f6fd0d58 808e1a58 8000039c 00000001 00000000 nt!IopLoadDriver+0x689
f6fd0d80 8082050b 8000039c 00000000 81f4ecb0 nt!IopLoadUnloadDriver+0x45
f6fd0dac 80905b5b f6720cf4 00000000 00000000 nt!ExpWorkerThread+0xeb
f6fd0ddc 808286ad 8082044e 80000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FAULTING_SOURCE_CODE:
175: status = STATUS_UNSUCCESSFUL;
176: return status;
177: }
178:
>  179: *next = topdev;
180:
181: // ¨¦¨¨???a??¨¦¨¨¡À?¨°??-???¡¥
182: (*fltobj)->Flags = (*fltobj)->Flags & ~DO_DEVICE_INITIALIZING;
183: return STATUS_SUCCESS;
184:

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  comcap!ccpAttachDevice+111

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: comcap

IMAGE_NAME:  comcap.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a1bb2dd

STACK_COMMAND:  .cxr 0xfffffffff6fd0880 ; kb

FAILURE_BUCKET_ID:  0x7E_comcap!ccpAttachDevice+111

BUCKET_ID:  0x7E_comcap!ccpAttachDevice+111

Followup: MachineOwner

=========================================================

源码：

#include <wdm.h>
#include <ntddk.h>
#include <ntstrsafe.h>

// 计算机上最多只有32 个串口，这是笔者的假定
#define CCP_MAX_COM_ID 32

// 保存所有过滤设备指针
static PDEVICE_OBJECT s_fltobj[CCP_MAX_COM_ID] = {0};

// 保存所有真实设备指针
static PDEVICE_OBJECT s_nextobj[CCP_MAX_COM_ID] = {0};

//动态卸载
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
#define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)

NTSTATUS ccpDispatch(PDEVICE_OBJECT driver,PIRP irp)
{
//首先要通过函数IoGetCurrentIrpStackLocation()得到当前的IRP
PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(irp);
NTSTATUS status;

ULONG i,j;

for(i=0;i<CCP_MAX_COM_ID;i++)
{
if(s_fltobj[i] == driver)
{
//跳过电源请求
if(irpsp->MajorFunction == IRP_MJ_POWER)
{
PoStartNextPowerIrp(irp);
IoSkipCurrentIrpStackLocation(irp);
return PoCallDriver(s_nextobj[i],irp);
}

if(irpsp->MajorFunction == IRP_MJ_WRITE)
{
// 如果是写，先获得长度
ULONG len = irpsp->Parameters.Write.Length;

// 然后获得缓冲区
PUCHAR buf = NULL;

if(irp->MdlAddress != NULL)
buf = (PUCHAR)MmGetSystemAddressForMdlSafe(irp->MdlAddress,NormalPagePriority);
else
buf = (PUCHAR)irp->UserBuffer;

if(buf == NULL)
buf = (PUCHAR)irp->AssociatedIrp.SystemBuffer;

for(j=0;j<len;++j)
{
DbgPrint("Comcap: Send Data:%2x\r\n",buf[j]);
}

}

IoSkipCurrentIrpStackLocation(irp);
return IoCallDriver(s_nextobj[i],irp);

}
}

irp->IoStatus.Information = 0;
irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
IoCompleteRequest(irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;

}

void ccpUnload()
{
ULONG i;
LARGE_INTEGER interval;

// 首先解除绑定
for(i=0;i<CCP_MAX_COM_ID;i++)
{
if(s_nextobj[i] != NULL)
IoDetachDevice(s_nextobj[i]);
}

// 睡眠5 秒。等待所有IRP 处理结束
interval.QuadPart = (5*1000 * DELAY_ONE_MILLISECOND);
KeDelayExecutionThread(KernelMode,FALSE,&interval);

// 删除这些设备
for(i=0;i<CCP_MAX_COM_ID;i++)
{
if(s_fltobj[i] != NULL)
IoDeleteDevice(s_fltobj[i]);
}
}

PDEVICE_OBJECT ccpOpenCom(ULONG id,NTSTATUS *status)
{
// 将获取的串口ID 转换为字符串型的串口名
UNICODE_STRING name_str;
static WCHAR name[32]={0};
PFILE_OBJECT fileobj = NULL;

PDEVICE_OBJECT devobj = NULL;

//清空name 数组所占用内存
memset(name,0,sizeof(WCHAR)*32);

//组合字符串(生成一个完整的设备名，存入name 数组)
RtlStringCchPrintfW(name,32,L"\\Device\\Serial%d",id);

//赋值给字符串name_str
RtlInitUnicodeString(&name_str,name);

//从名字获得设备对象，也就是打开设备
*status = IoGetDeviceObjectPointer(&name_str,FILE_ALL_ACCESS,&fileobj,&devobj);

//如果打开成功就删除文件对像
if(*status == STATUS_SUCCESS)
ObDereferenceObject(fileobj);

//返回该设备
return devobj;

}

NTSTATUS ccpAttachDevice(PDRIVER_OBJECT driver,PDEVICE_OBJECT oldobj,PDEVICE_OBJECT *fltobj,PDEVICE_OBJECT *next)
{
NTSTATUS status;
PDEVICE_OBJECT topdev = NULL;

//生成设备，然后绑定
status = IoCreateDevice(driver,0,NULL,oldobj->DeviceType,0,FALSE,fltobj);

if(status != STATUS_SUCCESS)
return status;

//拷贝重要标志位
if(oldobj->Flags & DO_BUFFERED_IO)
(*fltobj)->Flags |= DO_BUFFERED_IO;

if(oldobj->Flags & DO_DIRECT_IO)
(*fltobj)->Flags |= DO_DIRECT_IO;

if(oldobj->Flags & DO_BUFFERED_IO)
(*fltobj)->Flags |= DO_BUFFERED_IO;

if(oldobj->Characteristics & FILE_DEVICE_SECURE_OPEN)
(*fltobj)->Characteristics |= FILE_DEVICE_SECURE_OPEN;

(*fltobj)->Flags |= DO_POWER_PAGABLE;

// 将一个设备绑定到另一个设备上
topdev = IoAttachDeviceToDeviceStack(*fltobj,oldobj);

if(topdev == NULL)
{
IoDeleteDevice(*fltobj);
*fltobj = NULL;
status = STATUS_UNSUCCESSFUL;
return status;
}

*next = topdev;

// 设置这个设备已经启动
(*fltobj)->Flags = (*fltobj)->Flags & ~DO_DEVICE_INITIALIZING;
return STATUS_SUCCESS;

}

void ccpAttachAllComs(PDRIVER_OBJECT driver)
{
ULONG i;
PDEVICE_OBJECT com_ob;
NTSTATUS status;

for(i=0;i<CCP_MAX_COM_ID;i++)
{
//获得objce 引用
com_ob = ccpOpenCom(i,&status);
if(com_ob == NULL)
continue;

//将生成的设备绑定到真实的设备上
ccpAttachDevice(driver,com_ob,&s_fltobj[i],s_nextobj[i]);
}
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PUNICODE_STRING reg_path)
{
unsigned int i;

#if DBG
_asm int 3
#endif

//设置分发函数
for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
driver->MajorFunction[i] = ccpDispatch;
}

//支持动态卸载函数
driver->DriverUnload = ccpUnload;

//绑定串口
ccpAttachAllComs(driver);

return STATUS_SUCCESS;
}

[课程]Android-CTF解题方法汇总！

收藏・0

免费・0

支持

最新回复 (1)
cleverman 雪币： 75 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 8 回帖 25 粉丝 0 关注私信	cleverman 2 楼你什么时候给s_nextobj赋值的？ 2009-5-27 09:34 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

iyunxi

发帖

回帖

RANK

关注

私信

他的文章

[求助]调试狂人的代码出错，请高手看看。 1381

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
cleverman 雪币： 75 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 8 回帖 25 粉丝 0 关注私信	cleverman 2 楼你什么时候给s_nextobj赋值的？ 2009-5-27 09:34 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复