70,022
社区成员
发帖
与我相关
我的任务
分享windbg调试目标机器xp,不知道为什么目标机器一直重启
我用windbg调试xp..加载完我的驱动后不知道为什么被调试机就自动重启了,windbg返回内容如下,高手们给指明下,谢咯。
*** Fatal System Error: 0x0000007f
(0x00000008,0x80042000,0x00000000,0x00000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7F, {8, 80042000, 0, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Probably caused by : ntkrnlpa.exe ( nt!KeRegisterBugCheckReasonCallback+77c )
Followup: MachineOwner
---------
nt!DbgBreakPointWithStatus+0x4:
80528bec cc int 3
kd> !analyze -v
UNEXPECTED_KERNEL_MODE_TRAP (7f)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: nt
FAULTING_MODULE: 804d8000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd8
BUGCHECK_STR: 0x7f_8
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 804f979a to 80528bec
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
80547b7c 804f979a 00000003 00000000 00000000 nt!DbgBreakPointWithStatus+0x4
80547f5c 80540522 0000007f 00000008 80042000 nt!KeRegisterBugCheckReasonCallback+0x77c
00000000 00000000 00000000 00000000 00000000 nt!Kei386EoiHelper+0x166a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeRegisterBugCheckReasonCallback+77c
804f979a e8f1710000 call nt!ZwYieldExecution+0x630 (80500990)
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KeRegisterBugCheckReasonCallback+77c
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntkrnlpa.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
*** Fatal System Error: 0x0000007f
(0x00000008,0x80042000,0x00000000,0x00000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7F, {8, 80042000, 0, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Probably caused by : ntkrnlpa.exe ( nt!KeRegisterBugCheckReasonCallback+77c )
Followup: MachineOwner
---------
nt!DbgBreakPointWithStatus+0x4:
80528bec cc int 3
kd> !analyze -v
UNEXPECTED_KERNEL_MODE_TRAP (7f)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: nt
FAULTING_MODULE: 804d8000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd8
BUGCHECK_STR: 0x7f_8
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 804f979a to 80528bec
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
80547b7c 804f979a 00000003 00000000 00000000 nt!DbgBreakPointWithStatus+0x4
80547f5c 80540522 0000007f 00000008 80042000 nt!KeRegisterBugCheckReasonCallback+0x77c
00000000 00000000 00000000 00000000 00000000 nt!Kei386EoiHelper+0x166a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeRegisterBugCheckReasonCallback+77c
804f979a e8f1710000 call nt!ZwYieldExecution+0x630 (80500990)
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KeRegisterBugCheckReasonCallback+77c
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntkrnlpa.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
...全文
请发表友善的回复…
发表回复
VirtualRookit 2011-03-18
- 打赏
- 举报
bluewanderer,你好,你说得对,我仔细看了下,的确如你所说,我太粗心了,谢谢。
return STATUS_ACCESS_DENIED; //访问者所请求的操作,不具备必要权限。
}
ntStatus = ZwOpenProcess(ProcessHandle, //就错在此处,应为ntStatus = Real_zwOpenProcess()...
DesiredAccess,
ObjectAttributes,
ClientId);
return ntStatus
return STATUS_ACCESS_DENIED; //访问者所请求的操作,不具备必要权限。
}
ntStatus = ZwOpenProcess(ProcessHandle, //就错在此处,应为ntStatus = Real_zwOpenProcess()...
DesiredAccess,
ObjectAttributes,
ClientId);
return ntStatus
一曲肝肠断 2011-03-18
- 打赏
- 举报
[Quote=引用 5 楼 bluewanderer 的回复:]
直观来说... 你这么写的结果是一个递归死循环...
[/Quote]
恩,很有可能,你hook的时候,把原来函数指针保存下,在你的函数中在调用原来的函数。
直接ZwOpenProcess可能会造成无限递归死循环
直观来说... 你这么写的结果是一个递归死循环...
[/Quote]
恩,很有可能,你hook的时候,把原来函数指针保存下,在你的函数中在调用原来的函数。
直接ZwOpenProcess可能会造成无限递归死循环
bluewanderer 2011-03-18
- 打赏
- 举报
直观来说... 你这么写的结果是一个递归死循环...
VirtualRookit 2011-03-18
- 打赏
- 举报
在系统崩溃前,只调用到我驱动里的以下函数。
NTSTATUS
HookZwOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
if ((ULONG)ClientId->UniqueProcess == PID)
{
KdPrint(("Protect Process !\n"));
return STATUS_ACCESS_DENIED; //访问者所请求的操作,不具备必要权限。
}
ntStatus = ZwOpenProcess(ProcessHandle,
DesiredAccess,
ObjectAttributes,
ClientId);
return ntStatus;
}
NTSTATUS
HookZwOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
if ((ULONG)ClientId->UniqueProcess == PID)
{
KdPrint(("Protect Process !\n"));
return STATUS_ACCESS_DENIED; //访问者所请求的操作,不具备必要权限。
}
ntStatus = ZwOpenProcess(ProcessHandle,
DesiredAccess,
ObjectAttributes,
ClientId);
return ntStatus;
}
bluewanderer 2011-03-18
- 打赏
- 举报
给你的所有函数断点,并且现在栈溢出的可能性比较大或者你用了更花的逻辑
VirtualRookit 2011-03-18
- 打赏
- 举报
代码如下,再DriverEntry返回时,系统还正常着,DriverEntry返回几秒后就出现状态了,
NTSTATUS
DriverEntry(
__in struct _DRIVER_OBJECT *pDriverObject,
__in PUNICODE_STRING pRegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING DeviceName; //设备名称
UNICODE_STRING SymbolicLinkName; //设备符号链接名,供win32链接使用
PDEVICE_OBJECT pDeviceObject ; //指向设备对象的指针
#ifdef DBG
_asm int 3;
#endif
RtlInitUnicodeString(&DeviceName, NT_DEVICE_NAME); //注意\\Device\\为特定字串
RtlInitUnicodeString(&SymbolicLinkName, DOS_DEVICE_NAME); //注意\\DosDevices\\为特定字串
//生成设备
ntStatus = IoCreateDevice(pDriverObject, //本驱动的驱动对象,这个指针是系统提供,从DriverEntry传入。
0, //设备扩展
&DeviceName, //设备名称
FILE_DEVICE_UNKNOWN, //设备类型
0, //设备特征,一般为0
FALSE, //是否排斥,一般为FALSE
&pDeviceObject);
if (!NT_SUCCESS(ntStatus))
{
KdPrint(("IoCreateDevice failed\n"));
return ntStatus;
}
//生成符号链接名,符号链接名主要作用是和win32通信
ntStatus = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
if (!NT_SUCCESS(ntStatus))
{
KdPrint(("IoCreateSymbolicLink failed\n"));
return ntStatus;
}
pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
pDriverObject->DriverUnload = Unload;
//保存系统中真正的函数地址,注意*(PULONG)((PUCHAR)ZwOpenProcess + 1)乃是取得函数ID号,还不是函数地址
Real_ZwOpenProcess = (pZwOpenProcess)(KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)ZwOpenProcess + 1)]);
__asm
{
push eax;
cli; //禁止中断
mov eax, cr0;
and eax, not 10000H; //去除内存保护 ,才能写内存
mov cr0, eax;
pop eax;
}
//hook SSDT里的函数地址
KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)ZwOpenProcess + 1)] = (ULONG)HookZwOpenProcess;
__asm
{
push eax;
mov eax, cr0;
or eax, 10000H;
mov cr0, eax; //恢复内存保护,只读内存
sti;
pop eax;
}
return STATUS_SUCCESS; //此处正常返回,而后5秒左右就崩溃了。
}
NTSTATUS
DriverEntry(
__in struct _DRIVER_OBJECT *pDriverObject,
__in PUNICODE_STRING pRegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING DeviceName; //设备名称
UNICODE_STRING SymbolicLinkName; //设备符号链接名,供win32链接使用
PDEVICE_OBJECT pDeviceObject ; //指向设备对象的指针
#ifdef DBG
_asm int 3;
#endif
RtlInitUnicodeString(&DeviceName, NT_DEVICE_NAME); //注意\\Device\\为特定字串
RtlInitUnicodeString(&SymbolicLinkName, DOS_DEVICE_NAME); //注意\\DosDevices\\为特定字串
//生成设备
ntStatus = IoCreateDevice(pDriverObject, //本驱动的驱动对象,这个指针是系统提供,从DriverEntry传入。
0, //设备扩展
&DeviceName, //设备名称
FILE_DEVICE_UNKNOWN, //设备类型
0, //设备特征,一般为0
FALSE, //是否排斥,一般为FALSE
&pDeviceObject);
if (!NT_SUCCESS(ntStatus))
{
KdPrint(("IoCreateDevice failed\n"));
return ntStatus;
}
//生成符号链接名,符号链接名主要作用是和win32通信
ntStatus = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
if (!NT_SUCCESS(ntStatus))
{
KdPrint(("IoCreateSymbolicLink failed\n"));
return ntStatus;
}
pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
pDriverObject->DriverUnload = Unload;
//保存系统中真正的函数地址,注意*(PULONG)((PUCHAR)ZwOpenProcess + 1)乃是取得函数ID号,还不是函数地址
Real_ZwOpenProcess = (pZwOpenProcess)(KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)ZwOpenProcess + 1)]);
__asm
{
push eax;
cli; //禁止中断
mov eax, cr0;
and eax, not 10000H; //去除内存保护 ,才能写内存
mov cr0, eax;
pop eax;
}
//hook SSDT里的函数地址
KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)ZwOpenProcess + 1)] = (ULONG)HookZwOpenProcess;
__asm
{
push eax;
mov eax, cr0;
or eax, 10000H;
mov cr0, eax; //恢复内存保护,只读内存
sti;
pop eax;
}
return STATUS_SUCCESS; //此处正常返回,而后5秒左右就崩溃了。
}
bluewanderer 2011-03-18
- 打赏
- 举报
在你的驱动入口加个断点吧,搞不好是栈结构已经毁了
