21,597
社区成员
发帖
与我相关
我的任务
分享卸载 TDI 过滤驱动蓝屏问题(急求)
tdi过滤
参考了tdifw1.4.4
上网查询了下
两种方式的过滤都试过,在建立过滤对象机制中会出现蓝屏,网上是说在卸载的时候还会有irp过来,导致蓝屏。
而使用hook则不会出现这种情况。
但是我修改了代码发现hook也是会出现蓝屏的。
我考虑了下发现如果在hook模式,也会出现irp信息送过来的问题撒,不知道我这想法正确不
dump文件显示信息
参考了tdifw1.4.4
上网查询了下
两种方式的过滤都试过,在建立过滤对象机制中会出现蓝屏,网上是说在卸载的时候还会有irp过来,导致蓝屏。
而使用hook则不会出现这种情况。
但是我修改了代码发现hook也是会出现蓝屏的。
我考虑了下发现如果在hook模式,也会出现irp信息送过来的问题撒,不知道我这想法正确不
dump文件显示信息
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f7acadd0, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: f7acadd0, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: f7acadd0
CURRENT_IRQL: 2
FAULTING_IP:
JAHT_NET_MON>+dd0
f7acadd0 ?? ???
CUSTOMER_CRASH_COUNT: 13
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME:
8ÊÛ
¡åw.exe
TRAP_FRAME: f886ad54 -- (.trap 0xfffffffff886ad54)
ErrCode = 00000010
eax=00000000 ebx=00000000 ecx=81735a02 edx=81735b8c esi=81735af8 edi=81735b6b
eip=f7acadd0 esp=f886adc8 ebp=f886adf4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
<Unloaded_JAHT_NET_MON>+0xdd0:
f7acadd0 ?? ???
Resetting default scope
IP_MODULE_UNLOADED:
JAHT_NET_MON>+dd0
f7acadd0 ?? ???
LAST_CONTROL_TRANSFER: from f7acadd0 to 80886a69
FAILED_INSTRUCTION_ADDRESS:
JAHT_NET_MON>+dd0
f7acadd0 ?? ???
STACK_TEXT:
f886ad54 f7acadd0 badb0d00 81735b8c 00000000 nt!KiTrap0E+0x2a1
WARNING: Frame IP not in any known module. Following frames may be wrong.
f886adc4 8081d741 00000000 81735af8 81b6aba8 <Unloaded_JAHT_NET_MON>+0xdd0
f886adf4 f7d61b41 817fd888 817bc290 80a50290 nt!IopfCompleteRequest+0xcd
f886ae0c f7d65358 81735af8 c00000b5 00000000 tcpip!TCPDataRequestComplete+0xa6
f886ae20 f7d5889a 81735af8 c00000b5 00000000 tcpip!TCPRequestComplete+0x12
f886ae50 f7d6bba4 097bc290 00000002 00000000 tcpip!CloseTCB+0x1c8
f886ae6c f7d71505 817bc290 00000002 f7d6075c tcpip!DerefTCB+0x60
f886aedc f7d6076b f7dc9720 00000000 f886afa4 tcpip!TCBTimeout+0x847
f886aeec 8082f58a f7dc9730 f7dc9720 33b186bc tcpip!TCBTimeoutdpc+0xf
f886afa4 8082f8c3 00000000 00000000 0201de6f nt!KiTimerExpiration+0x458
f886aff4 80887b30 f6ba29cc 00000000 00000000 nt!KiRetireDpcList+0x65
f886aff8 f6ba29cc 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x30
f886affc 00000000 00000000 00000000 00000000 0xf6ba29cc
STACK_COMMAND: kb
FOLLOWUP_IP:
JAHT_NET_MON>+dd0
f7acadd0 ?? ???
SYMBOL_STACK_INDEX: 1
**********************************
FOLLOWUP_NAME: MachineOwner
**********************************
**********************************
DEBUG_FLR_IMAGE_TIMESTAMP: 0
**********************************
**********************************
Followup: MachineOwner
---------
...全文
请发表友善的回复…
发表回复
skyair624 2012-01-11
- 打赏
- 举报
正解:
某个线程进入你的驱动JAHT_NET_MON hook的dispatch例程时被调度到其他线程,然后在调度回来前,你执行了unload操作,此时你的驱动没有对这个“行为”进行“同步”,会不定时呈现蓝屏
解决方法:
hook点jmp进JAHT_NET_MON前进行“同步计数”,卸载前检测计数值,可以解决问题
某个线程进入你的驱动JAHT_NET_MON hook的dispatch例程时被调度到其他线程,然后在调度回来前,你执行了unload操作,此时你的驱动没有对这个“行为”进行“同步”,会不定时呈现蓝屏
解决方法:
hook点jmp进JAHT_NET_MON前进行“同步计数”,卸载前检测计数值,可以解决问题
tabgift 2011-08-27
- 打赏
- 举报
饿 dump没有贴上 -0-
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f744cdd0, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: f744cdd0, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: f744cdd0
CURRENT_IRQL: 2
FAULTING_IP:
JAHT_NET_MON>+dd0
f744cdd0 ?? ???
CUSTOMER_CRASH_COUNT: 18
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME: Idle
TRAP_FRAME: 80894360 -- (.trap 0xffffffff80894360)
ErrCode = 00000010
eax=00000000 ebx=00000000 ecx=813fdb02 edx=813fdba4 esi=813fdb10 edi=813fdb83
eip=f744cdd0 esp=808943d4 ebp=80894400 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
<Unloaded_JAHT_NET_MON>+0xdd0:
f744cdd0 ?? ???
Resetting default scope
IP_MODULE_UNLOADED:
JAHT_NET_MON>+dd0
f744cdd0 ?? ???
LAST_CONTROL_TRANSFER: from f744cdd0 to 80886a69
FAILED_INSTRUCTION_ADDRESS:
JAHT_NET_MON>+dd0
f744cdd0 ?? ???
STACK_TEXT:
80894360 f744cdd0 badb0d00 813fdba4 00000000 nt!KiTrap0E+0x2a1
WARNING: Frame IP not in any known module. Following frames may be wrong.
808943d0 8081d741 00000000 813fdb10 81402098 <Unloaded_JAHT_NET_MON>+0xdd0
80894400 f7d48b41 814629a0 81444068 80a50290 nt!IopfCompleteRequest+0xcd
80894418 f7d4c358 813fdb10 c00000b5 00000000 tcpip!TCPDataRequestComplete+0xa6
8089442c f7d3f89a 813fdb10 c00000b5 00000000 tcpip!TCPRequestComplete+0x12
8089445c f7d52ba4 09444068 00000002 00000000 tcpip!CloseTCB+0x1c8
80894478 f7d58505 81444068 00000002 f7d4775c tcpip!DerefTCB+0x60
808944e8 f7d4776b f7db0720 00000000 808945b0 tcpip!TCBTimeout+0x847
808944f8 8082f402 f7db0730 f7db0720 03e6fc9e tcpip!TCBTimeoutdpc+0xf
808945b0 8082f8c3 00000000 00000000 0201508f nt!KiTimerExpiration+0x2d0
80894600 80887d97 00000000 0000000e 00000000 nt!KiRetireDpcList+0x65
80894604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x2f
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f744cdd0, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: f744cdd0, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: f744cdd0
CURRENT_IRQL: 2
FAULTING_IP:
JAHT_NET_MON>+dd0
f744cdd0 ?? ???
CUSTOMER_CRASH_COUNT: 18
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME: Idle
TRAP_FRAME: 80894360 -- (.trap 0xffffffff80894360)
ErrCode = 00000010
eax=00000000 ebx=00000000 ecx=813fdb02 edx=813fdba4 esi=813fdb10 edi=813fdb83
eip=f744cdd0 esp=808943d4 ebp=80894400 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
<Unloaded_JAHT_NET_MON>+0xdd0:
f744cdd0 ?? ???
Resetting default scope
IP_MODULE_UNLOADED:
JAHT_NET_MON>+dd0
f744cdd0 ?? ???
LAST_CONTROL_TRANSFER: from f744cdd0 to 80886a69
FAILED_INSTRUCTION_ADDRESS:
JAHT_NET_MON>+dd0
f744cdd0 ?? ???
STACK_TEXT:
80894360 f744cdd0 badb0d00 813fdba4 00000000 nt!KiTrap0E+0x2a1
WARNING: Frame IP not in any known module. Following frames may be wrong.
808943d0 8081d741 00000000 813fdb10 81402098 <Unloaded_JAHT_NET_MON>+0xdd0
80894400 f7d48b41 814629a0 81444068 80a50290 nt!IopfCompleteRequest+0xcd
80894418 f7d4c358 813fdb10 c00000b5 00000000 tcpip!TCPDataRequestComplete+0xa6
8089442c f7d3f89a 813fdb10 c00000b5 00000000 tcpip!TCPRequestComplete+0x12
8089445c f7d52ba4 09444068 00000002 00000000 tcpip!CloseTCB+0x1c8
80894478 f7d58505 81444068 00000002 f7d4775c tcpip!DerefTCB+0x60
808944e8 f7d4776b f7db0720 00000000 808945b0 tcpip!TCBTimeout+0x847
808944f8 8082f402 f7db0730 f7db0720 03e6fc9e tcpip!TCBTimeoutdpc+0xf
808945b0 8082f8c3 00000000 00000000 0201508f nt!KiTimerExpiration+0x2d0
80894600 80887d97 00000000 0000000e 00000000 nt!KiRetireDpcList+0x65
80894604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x2f
gw_net 2011-08-26
- 打赏
- 举报
dump的call stack是什么呀?
