Basic information:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
BUGCHECK_STR: 0x7f_8
TSS: 00000028 -- (.tss 0x28)
eax=00000390 ebx=f85d46d9 ecx=ba721308 edx=ba722038 esi=81408d28 edi=f85d46d9
eip=80538f2a esp=ba720f4c ebp=ba7212ec iopl=0 nv up di ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010082
nt!_SEH_prolog+0x1a:
80538f2a 53 push ebx
kd> .thread
Implicit thread is now 811cfbf8
kd> !thread
THREAD 811cfbf8 Cid 0150.0154 Teb: 7ffdf000 Win32Thread: e1e23008 RUNNING on processor 0
IRP List:
811c8008: (0006,01b4) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap e1cf0780
Owning Process 0 Image: <Unknown>
Attached Process 811cf020 Image: WINWORD.EXE
Wait Start TickCount 2427 Ticks: 1 (0:00:00:00.015)
Context Switch Count 197 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.453
Win32 Start Address Unknown_Module_30000000 (0x300019a0)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init ba725000 Current ba721b74 Base ba725000 Limit ba721000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
Analysis:
An EXCEPTION_DOUBLE_FAULT error is in most cases a stack overflow, and
nt!_SEH_prolog+0x1a:
80538f2a 53 push ebx
these two lines show that it is indeed related to the stack.
Stack Init ba725000 Current ba721b74 Base ba725000 Limit ba721000 Call 0
This fully confirms a stack overflow: esp=ba720f4c is clearly outside the range bounded by Limit ba721000.
References:
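The check above (compare esp against the thread's Base/Limit) can be done mechanically on pasted WinDbg output. The following Python script is an added example, not part of the original post: it parses an x86 register line and the `Stack Init ... Base ... Limit` line from `!thread`, and reports whether esp has run below Limit (the kernel stack grows downward, so an esp below Limit means the thread has exhausted its kernel stack). The two sample lines are copied from the dump above; the function names and the 8-hex-digit (32-bit) assumption are this example's own.

```python
import re

# Sample input copied from the !analyze / !thread output quoted above (x86, 32-bit addresses).
SAMPLE_REGS = "eip=80538f2a esp=ba720f4c ebp=ba7212ec iopl=0 nv up di ng nz na po nc"
SAMPLE_THREAD = "Stack Init ba725000 Current ba721b74 Base ba725000 Limit ba721000 Call 0"


def parse_registers(line):
    """Return {name: value} for every 'reg=XXXXXXXX' token on a WinDbg register line.
    Only 8-hex-digit values are taken, so segment registers (cs=0008) and iopl=0 are ignored."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]+)=([0-9a-f]{8})\b", line)}


def parse_stack_bounds(line):
    """Extract Init/Current/Base/Limit from the 'Stack Init ...' line printed by !thread."""
    m = re.search(r"Stack Init ([0-9a-f]{8}) Current ([0-9a-f]{8}) "
                  r"Base ([0-9a-f]{8}) Limit ([0-9a-f]{8})", line)
    if not m:
        raise ValueError("no 'Stack Init ... Limit ...' line found")
    init, current, base, limit = (int(x, 16) for x in m.groups())
    if limit >= base:
        raise ValueError("Limit must be below Base on a downward-growing stack")
    return {"init": init, "current": current, "base": base, "limit": limit}


def check_stack(regs, bounds):
    """Decide whether esp lies inside [Limit, Base]. The stack grows toward lower
    addresses, so esp < Limit means the thread has run off the end of its kernel stack."""
    esp = regs["esp"]
    base, limit = bounds["base"], bounds["limit"]
    overflow = esp < limit
    return {
        "stack_size": base - limit,          # bytes reserved for this kernel stack
        "bytes_used": base - esp,            # how deep esp has descended from Base
        "overflow": overflow,
        "bytes_past_limit": (limit - esp) if overflow else 0,
    }


def diagnose(regs_line, thread_line):
    """Convenience wrapper: parse both lines and return the verdict dict."""
    return check_stack(parse_registers(regs_line), parse_stack_bounds(thread_line))


if __name__ == "__main__":
    r = diagnose(SAMPLE_REGS, SAMPLE_THREAD)
    print(f"stack size 0x{r['stack_size']:x} bytes, used 0x{r['bytes_used']:x} bytes")
    if r["overflow"]:
        print(f"STACK OVERFLOW: esp is 0x{r['bytes_past_limit']:x} bytes below Limit")
    else:
        print("esp is within the kernel stack bounds")
```

For the dump above this reports a 0x4000-byte stack with esp 0xb4 bytes below Limit, which is the overflow the post identifies; feeding it the `Current ba721b74` value instead of esp gives no overflow, which is a useful sanity check that the parser and the comparison direction are right.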
http://www.osronline.com/showThread.cfm?link=70453
http://bbs.pediy.com/archive/index.php?t-99293.html