While testing a driver I was developing, I found that it sometimes could not be unloaded: the program deadlocked, so the driver unload never completed.
Open WinDbg and attach to the running virtual machine.
1. In the command window, enter: !locks
The output is as follows:

```
*** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks.........................................Resource @ 0x8691210c Exclusively owned
Threads: 86fb38b8-01<*>
KD: Scanning for held locks..................................Resource @ 0x86cd5948 Shared 1 owning threads
Threads: 86fb4913-01<*> *** Actual Thread 86fb4910
```

2. dt nt!_ERESOURCE -b 0x8691210c
```
+0x000 Flink : 0x86912024
+0x004 Blink : 0xf72218a8
+0x008 OwnerTable : (null)
+0x00c ActiveCount : 0n1
+0x00e Flag : 0x80
+0x010 SharedWaiters : (null)
+0x014 ExclusiveWaiters : (null)
+0x018 OwnerThreads :
[00] _OWNER_ENTRY
+0x000 OwnerThread : 0x86fb38b8
+0x004 OwnerCount : 0n1
+0x004 TableSize : 1
[01]
+0x000 OwnerThread : 0
+0x004 OwnerCount : 0n0
+0x004 TableSize : 0
+0x028 ContentionCount : 0
+0x02c NumberOfSharedWaiters : 0
+0x02e NumberOfExclusiveWaiters : 0
+0x030 Address : (null)
+0x030 CreatorBackTraceIndex : 0
+0x034 SpinLock : 0
```

dt nt!_ERESOURCE -b 0x86cd5948

```
+0x000 SystemResourcesList : _LIST_ENTRY [ 0x80566d70 - 0x86c7d8c0 ]
+0x000 Flink : 0x80566d70
+0x004 Blink : 0x86c7d8c0
+0x008 OwnerTable : (null)
+0x00c ActiveCount : 0n1
+0x00e Flag : 8
+0x010 SharedWaiters : (null)
+0x014 ExclusiveWaiters : (null)
+0x018 OwnerThreads :
[00] _OWNER_ENTRY
+0x000 OwnerThread : 0
+0x004 OwnerCount : 0n0
+0x004 TableSize : 0
[01]
+0x000 OwnerThread : 0x86fb4913
+0x004 OwnerCount : 0n1
+0x004 TableSize : 1
+0x028 ContentionCount : 0
+0x02c NumberOfSharedWaiters : 0
+0x02e NumberOfExclusiveWaiters : 0
+0x030 Address : (null)
+0x030 CreatorBackTraceIndex : 0
+0x034 SpinLock : 0
```

The owner thread of resource object 0x8691210c is 0x86fb38b8, and the owner thread of resource object 0x86cd5948 is 0x86fb4913.

3. Run: !thread 0x86fb38b8
```
THREAD 86fb38b8 Cid 0004.002c Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
f7944b50 SynchronizationEvent
Not impersonating
DeviceMap e10001e0
Owning Process 0 Image: <Unknown>
Attached Process 86fb57c0 Image: System
Wait Start TickCount 482446 Ticks: 60846 (0:00:15:50.718)
Context Switch Count 12170 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:04.921
Start Address nt!ExpWorkerThread (0x8053967e)
Stack Init f7945000 Current f7944adc Base f7945000 Limit f7942000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 16
*** ERROR: Module load completed but symbols could not be loaded for DocECFilter.sys
ChildEBP RetAddr Args to Child
f7944af4 80504836 86fb3928 86fb38b8 804fc068 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
f7944b00 804fc068 86d02010 86d02008 00000004 nt!KiSwapThread+0x8a (FPO: [0,0,0]) (CONV: fastcall)
f7944b28 f7230aa4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) (CONV: stdcall)
f7944b68 f722ee3e f7944b90 f722f831 86d02008 fltmgr!FltpExWaitForRundownProtectionRelease+0x72 (FPO: [Non-Fpo]) (CONV: fastcall)
f7944b70 f722f831 86d02008 86d05030 86912000 fltmgr!FltpObjectRundownWait+0x10 (FPO: [Non-Fpo]) (CONV: stdcall)
f7944b90 ee853310 86d02070 00000000 00000001 fltmgr!FltUnregisterFilter+0xb1 (FPO: [Non-Fpo]) (CONV: stdcall)
WARNING: Stack unwind information not available. Following frames may be wrong.
f7944ba4 f722ae00 00000001 80536770 86912004 DocECFilter+0x7310
f7944d3c f722afb3 86d02008 00000001 00000001 fltmgr!FltpDoUnloadFilter+0xf8 (FPO: [Non-Fpo]) (CONV: stdcall)
f7944d60 8058245b 00000000 ee647b84 8056585c fltmgr!FltpMiniFilterDriverUnload+0xab (FPO: [Non-Fpo]) (CONV: stdcall)
f7944d7c 8053976d ee647b84 00000000 86fb38b8 nt!IopLoadUnloadDriver+0x19 (FPO: [Non-Fpo]) (CONV: stdcall)
f7944dac 805d0f64 ee647b84 00000000 00000000 nt!ExpWorkerThread+0xef (FPO: [Non-Fpo]) (CONV: stdcall)
f7944ddc 805470de 8053967e 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo]) (CONV: stdcall)
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
```

!thread 0x86fb4913

```
86fb4913 is not a thread object, interpreting as stack value...
TYPE mismatch for thread object at 86fb4913
```

This shows that the thread has already exited, yet a resource still lists it as owner, which means the thread did not release the resource properly.
Looking at the code, I found that I had not handled the context reference correctly.
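As an added example (not the post's own code), here is the context-reference pattern that produces this hang beside its corrected form, in a user-mode C model: the fltmgr types and the FltGetStreamContext / FltReleaseContext calls are constructed stand-ins that only count references, and run_then_check_unload models the rundown wait that FltUnregisterFilter performs.

```c
#include <stddef.h>
/* User-mode stand-ins for the fltmgr types and calls (constructed for this
 * example, not the real headers): a successful lookup takes one reference, and
 * FltUnregisterFilter's rundown wait cannot finish until all are released. */
typedef int NTSTATUS;
typedef void *PFLT_INSTANCE, *PFILE_OBJECT, *PFLT_CONTEXT;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_NOT_FOUND         ((NTSTATUS)0xC0000225)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define NT_SUCCESS(s)            ((s) >= 0)
static long g_context_refs;     /* references that callbacks still hold */
static int  g_stream_ctx = 42;  /* the single stream context in this model */
static NTSTATUS FltGetStreamContext(PFLT_INSTANCE inst, PFILE_OBJECT file, PFLT_CONTEXT *ctx) {
    (void)inst; if (file == NULL) return STATUS_NOT_FOUND;
    g_context_refs++; *ctx = &g_stream_ctx;
    return STATUS_SUCCESS;
}
static void FltReleaseContext(PFLT_CONTEXT ctx) { (void)ctx; g_context_refs--; }

/* Leaky post-create body: the early return on the error path skips
 * FltReleaseContext, so every failed operation leaks one reference. */
NTSTATUS post_create_leaky(PFLT_INSTANCE inst, PFILE_OBJECT file, int op_failed) {
    PFLT_CONTEXT ctx = NULL;
    NTSTATUS st = FltGetStreamContext(inst, file, &ctx);
    if (!NT_SUCCESS(st)) return st;
    if (op_failed) return STATUS_INVALID_PARAMETER;   /* reference never released */
    FltReleaseContext(ctx);
    return STATUS_SUCCESS;
}

/* Fixed post-create body: one exit path releases the context whenever the
 * lookup succeeded, whatever the operation's own outcome was. */
NTSTATUS post_create_fixed(PFLT_INSTANCE inst, PFILE_OBJECT file, int op_failed) {
    PFLT_CONTEXT ctx = NULL;
    NTSTATUS st = FltGetStreamContext(inst, file, &ctx);
    if (!NT_SUCCESS(st)) return st;
    if (op_failed) st = STATUS_INVALID_PARAMETER;
    FltReleaseContext(ctx);                           /* always balances the lookup */
    return st;
}

/* Runs n operations (every second one fails), then models FltpObjectRundownWait:
 * 1 if the unload would complete, 0 if it would block forever as in the stack above. */
int run_then_check_unload(NTSTATUS (*cb)(PFLT_INSTANCE, PFILE_OBJECT, int), int n) {
    int dummy_file;               /* stands in for a FILE_OBJECT */
    g_context_refs = 0;
    for (int k = 0; k < n; k++) cb(NULL, &dummy_file, k % 2);
    return g_context_refs == 0;
}
```

Each reference the leaky callback drops on its error path is exactly the kind of outstanding rundown reference that keeps FltUnregisterFilter parked in FltpExWaitForRundownProtectionRelease.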
Debugging a minifilter that cannot be unloaded