错误提示:
=========================================================
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f7830601, The address that the exception occurred at
Arg3: f6fd0b84, Exception Record Address
Arg4: f6fd0880, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
comcap!ccpAttachDevice+111 [d:\driverfiles\comcap\comcap.c @ 179]
f7830601 8911 mov dword ptr [ecx],edx
EXCEPTION_RECORD: f6fd0b84 -- (.exr 0xfffffffff6fd0b84)
ExceptionAddress: f7830601 (comcap!ccpAttachDevice+0x00000111)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000
CONTEXT: f6fd0880 -- (.cxr 0xfffffffff6fd0880)
eax=821ee030 ebx=00000000 ecx=00000000 edx=821ee030 esi=e19813a6 edi=81f37ed0
eip=f7830601 esp=f6fd0c4c ebp=f6fd0c54 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
comcap!ccpAttachDevice+0x111:
f7830601 8911 mov dword ptr [ecx],edx ds:0023:00000000=????????
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000000
WRITE_ADDRESS: 00000000
FOLLOWUP_IP:
comcap!ccpAttachDevice+111 [d:\driverfiles\comcap\comcap.c @ 179]
f7830601 8911 mov dword ptr [ecx],edx
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_DEREFERENCE
LAST_CONTROL_TRANSFER: from f783068b to f7830601
STACK_TEXT:
f6fd0c54 f783068b 81f37ed0 821ee030 f7832008 comcap!ccpAttachDevice+0x111 [d:\driverfiles\comcap\comcap.c @ 179]
f6fd0c78 f78306e2 81f37ed0 0000001b f6fd0d58 comcap!ccpAttachAllComs+0x5b [d:\driverfiles\comcap\comcap.c @ 203]
f6fd0c88 808e0097 81f37ed0 81c7c000 00000000 comcap!DriverEntry+0x42 [d:\driverfiles\comcap\comcap.c @ 227]
f6fd0d58 808e1a58 8000039c 00000001 00000000 nt!IopLoadDriver+0x689
f6fd0d80 8082050b 8000039c 00000000 81f4ecb0 nt!IopLoadUnloadDriver+0x45
f6fd0dac 80905b5b f6720cf4 00000000 00000000 nt!ExpWorkerThread+0xeb
f6fd0ddc 808286ad 8082044e 80000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FAULTING_SOURCE_CODE:
175: status = STATUS_UNSUCCESSFUL;
176: return status;
177: }
178:
> 179: *next = topdev;
180:
181: // 设置这个设备已经启动
182: (*fltobj)->Flags = (*fltobj)->Flags & ~DO_DEVICE_INITIALIZING;
183: return STATUS_SUCCESS;
184:
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: comcap!ccpAttachDevice+111
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: comcap
IMAGE_NAME: comcap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a1bb2dd
STACK_COMMAND: .cxr 0xfffffffff6fd0880 ; kb
FAILURE_BUCKET_ID: 0x7E_comcap!ccpAttachDevice+111
BUCKET_ID: 0x7E_comcap!ccpAttachDevice+111
Followup: MachineOwner
=========================================================
分析：出错指令 `mov dword ptr [ecx],edx` 对应源码第 179 行的 `*next = topdev`，而上下文中 ecx=00000000，即参数 next 本身是空指针；对照源码，ccpAttachAllComs 调用 ccpAttachDevice 时传入的是 s_nextobj[i]（该数组初始化为 {0}，因此值为 NULL）而不是 &s_nextobj[i]，于是写入地址 0 触发了 NULL_DEREFERENCE。
源码:
#include <wdm.h>
#include <ntddk.h>
#include <ntstrsafe.h>
// At most 32 serial ports per machine -- this is the author's assumption,
// and it bounds both tables below.
#define CCP_MAX_COM_ID 32
// Filter device objects created by this driver, indexed by COM id
// (NULL = no filter attached for that id).
static PDEVICE_OBJECT s_fltobj[CCP_MAX_COM_ID] = {0};
// The device returned by IoAttachDeviceToDeviceStack for each COM id, i.e.
// the target that IRPs are forwarded to with IoCallDriver / PoCallDriver.
static PDEVICE_OBJECT s_nextobj[CCP_MAX_COM_ID] = {0};
// Relative-time units for KeDelayExecutionThread (used by the unload
// routine): 100 ns ticks, negative meaning "relative to now".
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
#define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)
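/*
 * Print the payload of a write IRP to the debugger, one byte per line.
 * The buffer is located the same way the original code did: MDL first,
 * then UserBuffer, then SystemBuffer.
 * Fix: a buffer that is still NULL after all three attempts (for example a
 * zero-length write, or MmGetSystemAddressForMdlSafe returning NULL) is
 * skipped instead of being dereferenced in the loop.
 * NOTE(review): irp->UserBuffer is a raw caller-supplied pointer; the
 * original read it without ProbeForRead/__try and that is left unchanged
 * here -- confirm it is acceptable for this driver.
 */
static void ccpLogWriteData(PIRP irp, ULONG len)
{
    PUCHAR buf = NULL;
    ULONG j;

    if (irp->MdlAddress != NULL)
        buf = (PUCHAR)MmGetSystemAddressForMdlSafe(irp->MdlAddress, NormalPagePriority);
    else
        buf = (PUCHAR)irp->UserBuffer;
    if (buf == NULL)
        buf = (PUCHAR)irp->AssociatedIrp.SystemBuffer;
    if (buf == NULL)
        return;

    for (j = 0; j < len; ++j)
        DbgPrint("Comcap: Send Data:%2x\r\n", buf[j]);
}

/*
 * Dispatch routine installed for every major function (see DriverEntry).
 * `driver` is the device object the IRP was sent to (parameter name kept
 * from the original); it is matched against the filter devices in s_fltobj.
 * Power IRPs are passed down with PoCallDriver; write IRPs have their data
 * logged and are then, like every other IRP, passed down to the matching
 * s_nextobj[] device.  An IRP for a device this driver does not own is
 * completed with STATUS_INVALID_PARAMETER.
 * Returns the lower driver's status, or STATUS_SUCCESS after completing an
 * unknown-device IRP (as in the original).
 */
NTSTATUS ccpDispatch(PDEVICE_OBJECT driver, PIRP irp)
{
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(irp);
    ULONG i;

    for (i = 0; i < CCP_MAX_COM_ID; i++) {
        if (s_fltobj[i] != driver)
            continue;

        if (irpsp->MajorFunction == IRP_MJ_POWER) {
            /* Power IRPs must be forwarded with PoCallDriver, not IoCallDriver. */
            PoStartNextPowerIrp(irp);
            IoSkipCurrentIrpStackLocation(irp);
            return PoCallDriver(s_nextobj[i], irp);
        }

        if (irpsp->MajorFunction == IRP_MJ_WRITE)
            ccpLogWriteData(irp, irpsp->Parameters.Write.Length);

        IoSkipCurrentIrpStackLocation(irp);
        return IoCallDriver(s_nextobj[i], irp);
    }

    /* Not one of our filter devices: fail the request. */
    irp->IoStatus.Information = 0;
    irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}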
/*
 * DriverUnload callback: detach every filter from its device stack, wait
 * five seconds for in-flight IRPs to drain, then delete the filter devices.
 */
void ccpUnload()
{
    LARGE_INTEGER wait;
    ULONG idx;

    /* Step 1: detach the filters from their stacks. */
    for (idx = 0; idx < CCP_MAX_COM_ID; idx++) {
        if (s_nextobj[idx] == NULL)
            continue;
        IoDetachDevice(s_nextobj[idx]);
    }

    /* Step 2: relative 5 s delay (negative QuadPart = relative time). */
    wait.QuadPart = 5 * 1000 * DELAY_ONE_MILLISECOND;
    KeDelayExecutionThread(KernelMode, FALSE, &wait);

    /* Step 3: free our own device objects. */
    for (idx = 0; idx < CCP_MAX_COM_ID; idx++) {
        if (s_fltobj[idx] == NULL)
            continue;
        IoDeleteDevice(s_fltobj[idx]);
    }
}
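/*
 * Open \Device\Serial<id> and return its device object, or NULL.
 * *status receives the result of IoGetDeviceObjectPointer (or
 * STATUS_INVALID_PARAMETER when building the device name fails).
 * Fixes: the name buffer is a local instead of a file-wide static (the
 * static made the routine non-reentrant, and RtlInitUnicodeString only
 * needs the buffer for the duration of this call); success is tested with
 * NT_SUCCESS rather than == STATUS_SUCCESS so any success code releases
 * the file-object reference; the RtlStringCchPrintfW result is checked.
 * NOTE(review): as in the original, the file object is dereferenced right
 * away, so the returned device object carries no reference of our own;
 * confirm that the subsequent IoAttachDeviceToDeviceStack is what keeps
 * it alive for this driver's lifetime.
 */
PDEVICE_OBJECT ccpOpenCom(ULONG id, NTSTATUS *status)
{
    WCHAR name[32] = {0};
    UNICODE_STRING name_str;
    PFILE_OBJECT fileobj = NULL;
    PDEVICE_OBJECT devobj = NULL;

    if (!NT_SUCCESS(RtlStringCchPrintfW(name, sizeof(name) / sizeof(name[0]),
                                        L"\\Device\\Serial%d", id))) {
        *status = STATUS_INVALID_PARAMETER;
        return NULL;
    }
    RtlInitUnicodeString(&name_str, name);

    /* Opening by name yields a referenced file object plus the device object. */
    *status = IoGetDeviceObjectPointer(&name_str, FILE_ALL_ACCESS, &fileobj, &devobj);
    if (NT_SUCCESS(*status))
        ObDereferenceObject(fileobj);
    return devobj;
}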
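/*
 * Create a filter device for `oldobj` and attach it to oldobj's stack.
 * On success *fltobj is the new filter device, *next is the device that
 * IRPs must be forwarded to, and STATUS_SUCCESS is returned.
 * On failure *fltobj is NULL, *next is untouched, and an error is returned.
 * Fixes: the pointer arguments are validated up front (the bugcheck on this
 * page is `*next = topdev` executed with next == NULL); the duplicated
 * DO_BUFFERED_IO copy is removed.
 */
NTSTATUS ccpAttachDevice(PDRIVER_OBJECT driver, PDEVICE_OBJECT oldobj, PDEVICE_OBJECT *fltobj, PDEVICE_OBJECT *next)
{
    NTSTATUS status;
    PDEVICE_OBJECT topdev = NULL;

    /* A NULL out-pointer would otherwise be written through after the attach. */
    if (oldobj == NULL || fltobj == NULL || next == NULL)
        return STATUS_INVALID_PARAMETER;

    status = IoCreateDevice(driver, 0, NULL, oldobj->DeviceType, 0, FALSE, fltobj);
    if (!NT_SUCCESS(status))
        return status;

    /* Mirror the I/O method flags and the secure-open characteristic of the
     * device below us so the I/O manager prepares buffers the same way. */
    if (oldobj->Flags & DO_BUFFERED_IO)
        (*fltobj)->Flags |= DO_BUFFERED_IO;
    if (oldobj->Flags & DO_DIRECT_IO)
        (*fltobj)->Flags |= DO_DIRECT_IO;
    if (oldobj->Characteristics & FILE_DEVICE_SECURE_OPEN)
        (*fltobj)->Characteristics |= FILE_DEVICE_SECURE_OPEN;
    /* Set unconditionally, as in the original.
     * NOTE(review): strictly this should mirror oldobj's own
     * DO_POWER_PAGABLE bit; left unchanged here. */
    (*fltobj)->Flags |= DO_POWER_PAGABLE;

    topdev = IoAttachDeviceToDeviceStack(*fltobj, oldobj);
    if (topdev == NULL) {
        IoDeleteDevice(*fltobj);
        *fltobj = NULL;
        return STATUS_UNSUCCESSFUL;
    }
    *next = topdev;

    /* Initialisation is complete; the device may now receive IRPs. */
    (*fltobj)->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}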
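/*
 * Try to attach a filter to every \Device\Serial0..CCP_MAX_COM_ID-1.
 * Fix: the original passed s_nextobj[i] (a PDEVICE_OBJECT, NULL at this
 * point) where ccpAttachDevice expects a PDEVICE_OBJECT * for its `next`
 * output -- exactly the `*next = topdev` NULL write in the bugcheck above.
 * Pass &s_nextobj[i] instead.  A failed attach leaves both slots NULL
 * (ccpAttachDevice resets *fltobj and never writes *next on failure).
 */
void ccpAttachAllComs(PDRIVER_OBJECT driver)
{
    ULONG i;

    for (i = 0; i < CCP_MAX_COM_ID; i++) {
        NTSTATUS status;
        PDEVICE_OBJECT com_ob = ccpOpenCom(i, &status);
        if (com_ob == NULL)
            continue;   /* port absent or could not be opened */
        /* Return value deliberately ignored: a port that cannot be
         * filtered is simply skipped, as in the original. */
        (void)ccpAttachDevice(driver, com_ob, &s_fltobj[i], &s_nextobj[i]);
    }
}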
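/*
 * Driver entry point: install ccpDispatch for every major function,
 * register the unload routine and attach to the serial ports.
 * Fix: MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries (indices
 * 0..IRP_MJ_MAXIMUM_FUNCTION); the original `<` loop left the last entry
 * (IRP_MJ_PNP) unset, so PnP IRPs were never forwarded down the stack.
 * reg_path is unused; it is marked as such to keep the build warning-free.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    unsigned int i;

    UNREFERENCED_PARAMETER(reg_path);

    /* Break into the kernel debugger on load in checked builds. */
#if DBG
    _asm int 3
#endif

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        driver->MajorFunction[i] = ccpDispatch;

    driver->DriverUnload = ccpUnload;
    ccpAttachAllComs(driver);
    return STATUS_SUCCESS;
}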