21,597
社区成员
发帖
与我相关
我的任务
分享键盘过滤驱动双机调试
前面发了一贴,没人问津,再发一贴,等待大大们来指点下
原帖:寒江独钓 键盘过滤驱动
下面是调试的截图,获取kdbclass驱动对象设备列表为空
由于设备列表为空,下面绑定的代码没有执行
进入系统后,用devicetree 查看,可以看到kdbclass下面有两个设备,驱动对象的地址和我图1截图中的地址是一样的
不明白为什么会这样,设置问题还是什么?
这样我都调试不了蓝屏代码。
原帖:寒江独钓 键盘过滤驱动
下面是调试的截图,获取kdbclass驱动对象设备列表为空
由于设备列表为空,下面绑定的代码没有执行
进入系统后,用devicetree 查看,可以看到kdbclass下面有两个设备,驱动对象的地址和我图1截图中的地址是一样的
不明白为什么会这样,设置问题还是什么?
这样我都调试不了蓝屏代码。
...全文
请发表友善的回复…
发表回复
见习学术士 2011-05-25
- 打赏
- 举报
[Quote=引用 4 楼 huntercao 的回复:]
蓝屏代码是什么?
[/Quote]
贴在上面了呢
蓝屏代码是什么?
[/Quote]
贴在上面了呢
曹大夯 2011-05-25
- 打赏
- 举报
蓝屏代码是什么?
cnzdgs 2011-05-25
- 打赏
- 举报
c0000005表示内存操作违例,WRITE_ADDRESS: 00000000说明程序使用了空指针。
ObReferenceObjectByHandle函数需要提供一个指针变量的地址,用于返回对象指针。
ObReferenceObjectByHandle函数需要提供一个指针变量的地址,用于返回对象指针。
曹大夯 2011-05-25
- 打赏
- 举报
ObReferenceObjectByHandle(
hThread,
THREAD_ALL_ACCESS,
NULL,
KernelMode,
(PVOID*)&pDeviceExtension->pThreadObject,
NULL);
曹大夯 2011-05-25
- 打赏
- 举报
ObReferenceObjectByHandle(
hThread,
THREAD_ALL_ACCESS,
NULL,
KernelMode,
(PVOID*)&pDeviceExtension->pThreadObject,
NULL);
ObReferenceObjectByHandle的第五个参数是PVOID *,需要将指针的地址传进去。
按照上面的修改试一下。
见习学术士 2011-05-25
- 打赏
- 举报
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 80574426, f78f2aa8, f78f26f8}
Probably caused by : ctrl2cap.sys ( ctrl2cap!InitThreadKeyLogger+136 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
804ee34c cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80574426, The address that the exception occurred at
Arg3: f78f2aa8, Exception Record Address
Arg4: f78f26f8, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
nt!ObReferenceObjectByHandle+16
80574426 8913 mov dword ptr [ebx],edx
EXCEPTION_RECORD: f78f2aa8 -- (.exr 0xfffffffff78f2aa8)
ExceptionAddress: 80574426 (nt!ObReferenceObjectByHandle+0x00000016)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000
CONTEXT: f78f26f8 -- (.cxr 0xfffffffff78f26f8)
eax=000005b0 ebx=00000000 ecx=82322f78 edx=00000000 esi=825df3a0 edi=f78f2c30
eip=80574426 esp=f78f2b70 ebp=f78f2b80 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ObReferenceObjectByHandle+0x16:
80574426 8913 mov dword ptr [ebx],edx ds:0023:00000000=????????
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000000
WRITE_ADDRESS: 00000000
FOLLOWUP_IP:
ctrl2cap!InitThreadKeyLogger+136 [e:\linux\debug\ctrl2cap_xiaoc\ctrl2cap.c @ 507]
f7848d66 8b8d58ffffff mov ecx,dword ptr [ebp-0A8h]
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_DEREFERENCE
LAST_CONTROL_TRANSFER: from f7848d66 to 80574426
STACK_TEXT:
f78f2b80 f7848d66 000005b0 001f03ff 00000000 nt!ObReferenceObjectByHandle+0x16
f78f2c4c f7848330 82322ec0 00000000 00000000 ctrl2cap!InitThreadKeyLogger+0x136 [e:\linux\debug\ctrl2cap_xiaoc\ctrl2cap.c @ 507]
f78f2c84 f7848c01 822fa7e0 82141000 00000018 ctrl2cap!c2pAttachDevices+0x180 [e:\linux\debug\ctrl2cap_xiaoc\ctrl2cap.c @ 156]
f78f2c9c 805bbcbb 822fa7e0 82141000 00000000 ctrl2cap!DriverEntry+0x81 [e:\linux\debug\ctrl2cap_xiaoc\ctrl2cap.c @ 435]
f78f2d58 805bbee5 800005ac 82141000 822fa7e0 nt!IopLoadDriver+0x5e1
f78f2d80 804ee5c8 800005ac 00000000 825df3a0 nt!IopLoadUnloadDriver+0x43
f78f2dac 805f3828 f703ccf4 00000000 00000000 nt!ExpWorkerThread+0xe9
f78f2ddc 8050258e 804ee50d 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FAULTING_SOURCE_CODE:
503: return status;
504:
505: // ¡À¡ê¡ä???3¨¬???¨®
506:
> 507:
508: ObReferenceObjectByHandle(
509: hThread,
510: THREAD_ALL_ACCESS,
511: NULL,
512: KernelMode,
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: ctrl2cap!InitThreadKeyLogger+136
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ctrl2cap
IMAGE_NAME: ctrl2cap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4dd9c175
STACK_COMMAND: .cxr 0xfffffffff78f26f8 ; kb
FAILURE_BUCKET_ID: 0x7E_ctrl2cap!InitThreadKeyLogger+136
BUCKET_ID: 0x7E_ctrl2cap!InitThreadKeyLogger+136
Followup: MachineOwner
---------
BugCheck 7E, {c0000005, 80574426, f78f2aa8, f78f26f8}
Probably caused by : ctrl2cap.sys ( ctrl2cap!InitThreadKeyLogger+136 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
804ee34c cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80574426, The address that the exception occurred at
Arg3: f78f2aa8, Exception Record Address
Arg4: f78f26f8, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
nt!ObReferenceObjectByHandle+16
80574426 8913 mov dword ptr [ebx],edx
EXCEPTION_RECORD: f78f2aa8 -- (.exr 0xfffffffff78f2aa8)
ExceptionAddress: 80574426 (nt!ObReferenceObjectByHandle+0x00000016)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000
CONTEXT: f78f26f8 -- (.cxr 0xfffffffff78f26f8)
eax=000005b0 ebx=00000000 ecx=82322f78 edx=00000000 esi=825df3a0 edi=f78f2c30
eip=80574426 esp=f78f2b70 ebp=f78f2b80 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ObReferenceObjectByHandle+0x16:
80574426 8913 mov dword ptr [ebx],edx ds:0023:00000000=????????
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000000
WRITE_ADDRESS: 00000000
FOLLOWUP_IP:
ctrl2cap!InitThreadKeyLogger+136 [e:\linux\debug\ctrl2cap_xiaoc\ctrl2cap.c @ 507]
f7848d66 8b8d58ffffff mov ecx,dword ptr [ebp-0A8h]
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_DEREFERENCE
LAST_CONTROL_TRANSFER: from f7848d66 to 80574426
STACK_TEXT:
f78f2b80 f7848d66 000005b0 001f03ff 00000000 nt!ObReferenceObjectByHandle+0x16
f78f2c4c f7848330 82322ec0 00000000 00000000 ctrl2cap!InitThreadKeyLogger+0x136 [e:\linux\debug\ctrl2cap_xiaoc\ctrl2cap.c @ 507]
f78f2c84 f7848c01 822fa7e0 82141000 00000018 ctrl2cap!c2pAttachDevices+0x180 [e:\linux\debug\ctrl2cap_xiaoc\ctrl2cap.c @ 156]
f78f2c9c 805bbcbb 822fa7e0 82141000 00000000 ctrl2cap!DriverEntry+0x81 [e:\linux\debug\ctrl2cap_xiaoc\ctrl2cap.c @ 435]
f78f2d58 805bbee5 800005ac 82141000 822fa7e0 nt!IopLoadDriver+0x5e1
f78f2d80 804ee5c8 800005ac 00000000 825df3a0 nt!IopLoadUnloadDriver+0x43
f78f2dac 805f3828 f703ccf4 00000000 00000000 nt!ExpWorkerThread+0xe9
f78f2ddc 8050258e 804ee50d 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FAULTING_SOURCE_CODE:
503: return status;
504:
505: // ¡À¡ê¡ä???3¨¬???¨®
506:
> 507:
508: ObReferenceObjectByHandle(
509: hThread,
510: THREAD_ALL_ACCESS,
511: NULL,
512: KernelMode,
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: ctrl2cap!InitThreadKeyLogger+136
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ctrl2cap
IMAGE_NAME: ctrl2cap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4dd9c175
STACK_COMMAND: .cxr 0xfffffffff78f26f8 ; kb
FAILURE_BUCKET_ID: 0x7E_ctrl2cap!InitThreadKeyLogger+136
BUCKET_ID: 0x7E_ctrl2cap!InitThreadKeyLogger+136
Followup: MachineOwner
---------
见习学术士 2011-05-25
- 打赏
- 举报
BugCheck 7E, {c0000005, 80574426, f78f2aa8, f78f26f8}
Probably caused by : ctrl2cap.sys ( ctrl2cap!InitThreadKeyLogger+136 )
Followup: MachineOwner
---------
Probably caused by : ctrl2cap.sys ( ctrl2cap!InitThreadKeyLogger+136 )
Followup: MachineOwner
---------
见习学术士 2011-05-25
- 打赏
- 举报
[Quote=引用 6 楼 huntercao 的回复:]
好像没有看到bugcheck code啊。
bug check code和相关的4个Parameters可以告诉你错误类型是什么。
[/Quote]
不知道你说的这个在哪里查看
这是蓝屏的截图
好像没有看到bugcheck code啊。
bug check code和相关的4个Parameters可以告诉你错误类型是什么。
[/Quote]
不知道你说的这个在哪里查看
这是蓝屏的截图
曹大夯 2011-05-25
- 打赏
- 举报
好像没有看到bugcheck code啊。
bug check code和相关的4个Parameters可以告诉你错误类型是什么。
bug check code和相关的4个Parameters可以告诉你错误类型是什么。
见习学术士 2011-05-24
- 打赏
- 举报
[Quote=引用 1 楼 cnzdgs 的回复:]
你的程序运行的时候设备还没有创建.
[/Quote]
谢谢王老五,我换了一种驱动加载方式就好了。。
你的程序运行的时候设备还没有创建.
[/Quote]
谢谢王老五,我换了一种驱动加载方式就好了。。
见习学术士 2011-05-24
- 打赏
- 举报
继续往下调试,蓝屏代码:
FOLLOWUP_IP:
ctrl2cap_f79e1000!InitThreadKeyLogger+104 [e:\Çý¶¯¿ª·¢\Çý¶¯Ô´Âë\ctrl2cap_xiaoc\ctrl2cap.c @ 499]
f79e2124 8b8558ffffff mov eax,dword ptr [ebp-0A8h]
FAULTING_SOURCE_CODE:
495: (PVOID*)pDeviceExtension->pThreadObject,
496: NULL);
497:
498: // 1?¡À??¨²o????¨®????¡À¨²¦Ì?¨°y¨®?
> 499: ZwClose(hThread);
500: return status;
501: }
502:
503: VOID ThreadKeyLogger(IN PVOID pContext)
504: {
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ctrl2cap_f79e1000
IMAGE_NAME: ctrl2cap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ddbaa0d
SYMBOL_NAME: ctrl2cap_f79e1000!InitThreadKeyLogger+104
STACK_COMMAND: .cxr 0xfffffffff78ea790 ; kb
FAILURE_BUCKET_ID: 0x7E_ctrl2cap_f79e1000!InitThreadKeyLogger+104
BUCKET_ID: 0x7E_ctrl2cap_f79e1000!InitThreadKeyLogger+104
Followup: MachineOwner
---------
在执行 ObReferenceObjectByHandle 后就蓝屏了。
大家帮忙看看。
FOLLOWUP_IP:
ctrl2cap_f79e1000!InitThreadKeyLogger+104 [e:\Çý¶¯¿ª·¢\Çý¶¯Ô´Âë\ctrl2cap_xiaoc\ctrl2cap.c @ 499]
f79e2124 8b8558ffffff mov eax,dword ptr [ebp-0A8h]
FAULTING_SOURCE_CODE:
495: (PVOID*)pDeviceExtension->pThreadObject,
496: NULL);
497:
498: // 1?¡À??¨²o????¨®????¡À¨²¦Ì?¨°y¨®?
> 499: ZwClose(hThread);
500: return status;
501: }
502:
503: VOID ThreadKeyLogger(IN PVOID pContext)
504: {
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ctrl2cap_f79e1000
IMAGE_NAME: ctrl2cap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ddbaa0d
SYMBOL_NAME: ctrl2cap_f79e1000!InitThreadKeyLogger+104
STACK_COMMAND: .cxr 0xfffffffff78ea790 ; kb
FAILURE_BUCKET_ID: 0x7E_ctrl2cap_f79e1000!InitThreadKeyLogger+104
BUCKET_ID: 0x7E_ctrl2cap_f79e1000!InitThreadKeyLogger+104
Followup: MachineOwner
---------
NTSTATUS InitThreadKeyLogger(IN PDEVICE_OBJECT theDriverObject, int nindex)
{
// IRQL = passive level
PC2P_DEV_EXT pDeviceExtension;
HANDLE hThread;
NTSTATUS status;
IO_STATUS_BLOCK file_status;
OBJECT_ATTRIBUTES obj_attrib;
CCHAR ntNameFile[100] ={0};//= "\\??\\C:\\KeyBoard.txt";//"\\DosDevices\\C:\\KeyBoard.txt";
STRING ntNameString;
UNICODE_STRING uFileName;
pDeviceExtension = (PC2P_DEV_EXT)theDriverObject->DeviceExtension;
DbgBreakPoint();//放在需要调试的地方
_snprintf(ntNameFile, 100, "\\??\\C:\\KeyBoard%d.txt", nindex);
//设置线程结束标志
pDeviceExtension->bThreadTerminate=FALSE;
//创建一个线程取记录键盘按键
status = PsCreateSystemThread(
&hThread,
(ACCESS_MASK)0,
NULL,
(HANDLE)0,
NULL,
ThreadKeyLogger,
pDeviceExtension);
if(!NT_SUCCESS(status))
return status;
//转换格式
RtlInitAnsiString(&ntNameString, ntNameFile);
RtlAnsiStringToUnicodeString(&uFileName,&ntNameString,TRUE);
InitializeObjectAttributes(&obj_attrib, &uFileName,
OBJ_CASE_INSENSITIVE,
NULL, NULL);
//创建记录文件
//status=ZwCreateFile(pDeviceExtension->hLogFile,
// GENERIC_WRITE | GENERIC_READ,
// &obj_attrib,
// &file_status,
// NULL,
// FILE_ATTRIBUTE_NORMAL|FILE_ATTRIBUTE_SYSTEM,//|FILE_ATTRIBUTE_HIDDEN,
// 0,
// FILE_OPEN_IF,
// FILE_SYNCHRONOUS_IO_NONALERT,
// NULL,
// 0);
// 保存线程对象
ObReferenceObjectByHandle(
hThread,
THREAD_ALL_ACCESS,
NULL,
KernelMode,
(PVOID*)pDeviceExtension->pThreadObject,
NULL);
// 关闭内核对象对句柄的引用
ZwClose(hThread);
return status;
}
在执行 ObReferenceObjectByHandle 后就蓝屏了。
大家帮忙看看。
cnzdgs 2011-05-23
- 打赏
- 举报
你的程序运行的时候设备还没有创建.
