Now for the next BSOD debugging exercise. Build and run the driver, then pull the crash dump out and load it into WinDbg; the information it presents is very direct.
When analyzing a dump in WinDbg, there are a few fields that anyone writing drivers should remember to look at:
Probably caused by
This names the driver that triggered the BSOD:
Probably caused by : BSODCheck.sys ( BSODCheck!IsExitProcess+a3 )
Running !analyze -v prints the reason for the BSOD (the bugcheck code and its parameters).
Compare that code against MSDN (the Bug Check Code Reference) and you know why the system blue-screened.
FOLLOWUP_IP
The instruction that actually caused the BSOD:
bab890d3 8b08 mov ecx,dword ptr [eax]
CONTEXT
The machine state (registers and the faulting instruction) at the moment of the crash:
CONTEXT: bacfb87c -- (.cxr 0xffffffffbacfb87c)
eax=00000014 ebx=00000000 ecx=80008138 edx=00000000 esi=e11c41a4 edi=89589078
eip=bab890d3 esp=bacfbc48 ebp=bacfbc64 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210206
BSODCheck!IsExitProcess+0xa3:
bab890d3 8b08 mov ecx,dword ptr [eax] ds:0023:00000014=????????
Resetting default scope
STACK_TEXT
The chain of functions that was executing when the crash happened, innermost frame first:
STACK_TEXT:
bacfbc64 bab891a3 80008000 00000005 893f8b38 BSODCheck!IsExitProcess+0xa3 [e:\project\agp零基础驱动教程\第一章-基础入门\第一节-驱动框架\3.最常见蓝屏修复（试看内容）\bsodcheck\bsodcheck.c @ 41]
bacfbc7c 805777ff 89589078 89787000 00000000 BSODCheck!DriverEntry+0x83 [e:\project\agp零基础驱动教程\第一章-基础入门\第一节-驱动框架\3.最常见蓝屏修复（试看内容）\bsodcheck\bsodcheck.c @ 72]
bacfbd4c 8057790f 8000048c 00000001 00000000 nt!IopLoadDriver+0x66d
bacfbd74 80535c12 8000048c 00000000 89a328b8 nt!IopLoadUnloadDriver+0x45
bacfbdac 805c71ec b1c0fcf4 00000000 00000000 nt!ExpWorkerThread+0x100
bacfbddc 80542de2 80535b12 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
mov ecx,dword ptr [eax]
This reads the dword that eax points to and stores it in ecx, so eax is being used as a pointer here. In the CONTEXT its value is
eax=00000014
which is why WinDbg annotates the operand as ds:0023:00000014=????????: address 0x14 is not mapped, so the read faults. The three instructions leading up to the fault show where that value came from:
bab890cd 8b45f8 mov eax,dword ptr [ebp-8]
bab890d0 0345ec add eax,dword ptr [ebp-14h]
bab890d3 8b08 mov ecx,dword ptr [eax]
dword ptr [ebp-8] is a local variable that is loaded into eax, and the local at dword ptr [ebp-14h] is then added to it, so eax is the sum of two locals. The source line WinDbg shows for this frame is:
40: SectionObject = *(PULONG)((ULONG)Eprocess + SectionObjectOffset);
Dump the locals relative to ebp (ebp=bacfbc64 in the CONTEXT above), starting at ebp-14h:
kd> dd bacfbc64-14h
bacfbc50 00000014 00000002 00000138 00000000
Reading the dwords upward from bacfbc50: [ebp-14h] = 00000014, [ebp-10h] = 00000002, [ebp-0Ch] = 00000138 and [ebp-8] = 00000000. So eax = [ebp-8] + [ebp-14h] = 0 + 0x14 = 0x14. The SectionObject read at line 40 came back as 0 for this process, and the next statement, which reads SectionObject + SegmentOffset (the stack frame points at line 41), dereferenced the bogus address 0x14. The 0x138 and 0x14 in the same frame are the two offset locals the function adds, SectionObjectOffset and SegmentOffset.
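The reasoning above can be replayed mechanically. The following is an added example, not code from the tutorial: it parses the CONTEXT register line and the dd output shown above (copied verbatim as string constants), reads the locals at [ebp-8] and [ebp-14h] out of the dd line, adds them the way the disassembly does, and checks that the result equals the eax recorded at the crash. The function and variable names are this example's own.

```c
/*
 * Added example (not from the original tutorial): replay
 *   mov eax,[ebp-8]; add eax,[ebp-14h]
 * from the WinDbg dump and confirm the faulting address.
 * kRegLine, kRegLine2 and kDdLine are copied from the dump above.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *kRegLine =
    "eax=00000014 ebx=00000000 ecx=80008138 edx=00000000 esi=e11c41a4 edi=89589078";
static const char *kRegLine2 =
    "eip=bab890d3 esp=bacfbc48 ebp=bacfbc64 iopl=0 nv up ei pl nz na pe nc";
static const char *kDdLine =
    "bacfbc50 00000014 00000002 00000138 00000000";

/* Parse "name=XXXXXXXX" out of a WinDbg register line; returns 0 if absent. */
int parse_reg(const char *line, const char *name, unsigned long *out)
{
    char key[8];
    snprintf(key, sizeof key, "%s=", name);
    const char *p = strstr(line, key);
    if (!p)
        return 0;
    *out = strtoul(p + strlen(key), NULL, 16);
    return 1;
}

/* Read the dword at addr from one line of "dd" output
 * ("<base> <dw0> <dw1> <dw2> <dw3>"); returns 0 if addr is not covered. */
int read_dword(const char *ddline, unsigned long addr, unsigned long *out)
{
    char *end;
    unsigned long base = strtoul(ddline, &end, 16);
    unsigned long dw[4];
    for (int i = 0; i < 4; i++)
        dw[i] = strtoul(end, &end, 16);
    if (addr < base || addr + 4 > base + 16 || (addr - base) % 4 != 0)
        return 0;
    *out = dw[(addr - base) / 4];
    return 1;
}

/* Value of the local at [ebp - disp], i.e. what "mov eax,[ebp-8]" loads.
 * Returns (unsigned long)-1 when the dd line does not cover that slot. */
unsigned long local_value(unsigned long ebp, unsigned long disp)
{
    unsigned long v;
    return read_dword(kDdLine, ebp - disp, &v) ? v : (unsigned long)-1;
}

/* Replays the two instructions before the fault and returns the address
 * that "mov ecx,dword ptr [eax]" then tried to read (0 on parse error). */
unsigned long fault_address(void)
{
    unsigned long ebp, a, b;
    if (!parse_reg(kRegLine2, "ebp", &ebp))
        return 0;
    a = local_value(ebp, 0x8);   /* SectionObject, 0 in this dump  */
    b = local_value(ebp, 0x14);  /* SegmentOffset, 0x14 in this dump */
    if (a == (unsigned long)-1 || b == (unsigned long)-1)
        return 0;
    return a + b;
}

/* Cross-check the replay against the eax recorded in the CONTEXT block. */
int fault_matches_eax(void)
{
    unsigned long eax;
    return parse_reg(kRegLine, "eax", &eax) && fault_address() == eax;
}

int main(void)
{
    unsigned long ebp = 0;
    parse_reg(kRegLine2, "ebp", &ebp);
    printf("[ebp-8]=%08lx + [ebp-14h]=%08lx -> %08lx; eax %s the CONTEXT\n",
           local_value(ebp, 0x8), local_value(ebp, 0x14), fault_address(),
           fault_matches_eax() ? "matches" : "does not match");
    return 0;
}
```

The same helper works for any frame: dump the locals with dd relative to ebp, then read each [ebp-disp] slot the disassembly references instead of guessing which value belongs to which variable.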
Now that we know the cause of the BSOD, fix it in the code: validate each pointer before following it.
    SectionObject = *(PULONG)((ULONG)Eprocess + SectionObjectOffset);
    /* SectionObject was 0 in the dump above; check it before reading through it */
    if (MmIsAddressValid((PVOID)SectionObject))
    {
        Segment = *(PULONG)((ULONG)SectionObject + SegmentOffset);
        if (MmIsAddressValid((PVOID)Segment))
        {
            bRetOK = TRUE;
        }
    }
Two caveats. MmIsAddressValid only reports whether the page is resident at the instant it is called and the state can change right afterwards, so it catches the NULL SectionObject seen here but is a heuristic rather than a guarantee for pageable memory. And SectionObjectOffset and SegmentOffset (the 0x138 and 0x14 seen in the locals) are hard-coded offsets that differ between Windows builds, so the same driver can blue-screen again on another version of the system.
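To see both paths side by side without a kernel, here is an added example, not code from the tutorial: a user-mode model of the IsExitProcess walk. A byte arena stands in for kernel memory, is_mapped() stands in for MmIsAddressValid, the offsets are the values seen in the dump's locals, and the two EPROCESS images are constructed for the example; all names are this example's own.

```c
/*
 * Added example, not the tutorial's code: user-mode model of the
 * unguarded and guarded IsExitProcess walks.  The arena, is_mapped()
 * (stand-in for MmIsAddressValid) and the fake EPROCESS layouts are
 * this example's own assumptions.
 */
#include <stdint.h>
#include <string.h>

typedef uint32_t ULONG;
typedef int      BOOLEAN;
#define TRUE  1
#define FALSE 0

/* Offset constants as they appeared in the frame (build-specific values). */
#define SECTION_OBJECT_OFFSET 0x138u
#define SEGMENT_OFFSET        0x14u

/* Fake "kernel memory": only [ARENA_BASE, ARENA_BASE + sizeof arena) is mapped. */
#define ARENA_BASE 0x80000000u
static uint8_t arena[0x800];

/* Constructed EPROCESS images: one with a complete section/segment chain,
 * one whose SectionObject is 0 like the process that crashed the driver. */
#define LIVE_EPROCESS (ARENA_BASE + 0x000u)
#define DEAD_EPROCESS (ARENA_BASE + 0x200u)
#define LIVE_SECTION  (ARENA_BASE + 0x400u)
#define LIVE_SEGMENT  (ARENA_BASE + 0x500u)

/* Stand-in for MmIsAddressValid: can a dword at addr be read? */
static int is_mapped(ULONG addr)
{
    return addr >= ARENA_BASE && addr - ARENA_BASE + 4 <= sizeof arena;
}
static ULONG read32(ULONG addr)
{
    ULONG v;
    memcpy(&v, arena + (addr - ARENA_BASE), sizeof v);
    return v;
}
static void write32(ULONG addr, ULONG v)
{
    memcpy(arena + (addr - ARENA_BASE), &v, sizeof v);
}
static void build_fake_processes(void)
{
    static int built;
    if (built)
        return;
    memset(arena, 0, sizeof arena);
    write32(LIVE_EPROCESS + SECTION_OBJECT_OFFSET, LIVE_SECTION);
    write32(LIVE_SECTION + SEGMENT_OFFSET, LIVE_SEGMENT);
    write32(DEAD_EPROCESS + SECTION_OBJECT_OFFSET, 0);  /* NULL SectionObject */
    built = 1;
}

/* The original walk minus its final dereference: returns the address that
 * "mov ecx,dword ptr [eax]" would read.  With SectionObject == 0 that is
 * 0 + 0x14 = 0x14, the eax recorded in the CONTEXT above. */
ULONG unguarded_segment_address(ULONG Eprocess)
{
    build_fake_processes();
    ULONG SectionObject = read32(Eprocess + SECTION_OBJECT_OFFSET);
    return SectionObject + SEGMENT_OFFSET;
}

/* The fixed walk: validate every pointer before following it. */
BOOLEAN IsExitProcessGuarded(ULONG Eprocess)
{
    BOOLEAN bRetOK = FALSE;
    ULONG SectionObject, Segment;

    build_fake_processes();
    if (!is_mapped(Eprocess + SECTION_OBJECT_OFFSET))
        return FALSE;
    SectionObject = read32(Eprocess + SECTION_OBJECT_OFFSET);
    if (is_mapped(SectionObject + SEGMENT_OFFSET)) {   /* 0 + 0x14 fails here */
        Segment = read32(SectionObject + SEGMENT_OFFSET);
        if (is_mapped(Segment))
            bRetOK = TRUE;
    }
    return bRetOK;
}
```

The guarded version checks the address it is about to read (SectionObject + SegmentOffset) rather than SectionObject alone, which is the stricter form of the MmIsAddressValid check; in a real driver the same caveat applies, since a page can be paged out between the check and the read.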