KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address
pinpoints the driver/function that caused the problem. Always note
this address as well as the link date of the driver/image that
contains this address. Some common problems are exception code
0x80000003. This means a hard coded breakpoint or assertion was hit,
but this system was booted /NODEBUG. This is not supposed to happen
as developers should never have hardcoded breakpoints in retail code,
but … If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening. Arguments: Arg1: c0000005, The exception code that was not
handled Arg2: f7439cf1, The address that the exception occurred at
Arg3: ee9ec6e4, Trap Frame Arg4: 00000000Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%p
FAULTING_IP: SecCheck!SfFsControlMountVolumeComplete+19
[d:\work\isg_svn\code\002.code\master-local\kernel\cyseccheck\sfilter.c
@ 6627] f7439cf1 8b7924 mov edi,dword ptr [ecx+24h]TRAP_FRAME: ee9ec6e4 – (.trap 0xffffffffee9ec6e4) ErrCode = 00000000
eax=84ae4308 ebx=84950e28 ecx=0000001f edx=00000000 esi=84950bc8
edi=84950fd4 eip=f7439cf1 esp=ee9ec758 ebp=ee9ec768 iopl=0 nv
up ei ng nz ac po cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030
gs=0000 efl=00010293
CYSecCheck!SfFsControlMountVolumeComplete+0x19: f7439cf1 8b7924
mov edi,dword ptr [ecx+24h] ds:0023:00000043=??? Resetting
default scopeDEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: svchost.exe
LAST_CONTROL_TRANSFER: from f743a84f to f7439cf1
STACK_TEXT: ee9ec768 f743a84f 84964870 84950e28 84950b10
CYSecCheck!SfFsControlMountVolumeComplete+0x19
seccheck\sfilter.c
@ 6627] ee9ec9a4 f743aa8c 84964870 00950e28 84ab3030
CYSecCheck!SfFsControlMountVolume+0x191
[seccheck\sfilter.c
@ 6378] ee9ec9bc 804ef119 84964870 84950e28 84950e28
CYSecCheck!SfFsControl+0x76
[seccheck\sfilter.c
@ 6013] ee9ec9cc 80577fd7 ee9ecb1c 806d3298 84ab3030
nt!IopfCallDriver+0x31 ee9eca1c 804f5345 c000014f 85453f01 00000000
nt!IopMountVolume+0x1b9 ee9eca4c 80578fdc 85453f08 84ab3030 ee9ecb80
nt!IopCheckVpbMounted+0x5b ee9ecb3c 805b5cbc 84ab3030 00000000
8497d008 nt!IopParseDevice+0x3d8 ee9ecbc4 805b2065 00000000 ee9ecc04
00000040 nt!ObpLookupObjectName+0x56a ee9ecc18 8056c223 00000000
00000000 9ecc8401 nt!ObOpenObjectByName+0xeb ee9ecc94 8056cb9a
00e7fbf4 80100080 00e7fb94 nt!IopCreateFile+0x407 ee9eccf0 8056f2ac
00e7fbf4 80100080 00e7fb94 nt!IoCreateFile+0x8e ee9ecd30 8053e638
00e7fbf4 80100080 00e7fb94 nt!NtCreateFile+0x30 ee9ecd30 7c92e4f4
00e7fbf4 80100080 00e7fb94 nt!KiFastCallEntry+0xf8 WARNING: Frame IP
not in any known module. Following frames may be wrong. 00e7fbec
00000000 00000000 00000000 00000000 0x7c92e4f4STACK_COMMAND: kb
FOLLOWUP_IP: SecCheck!SfFsControlMountVolumeComplete+19
[d:\work\isg_svn\code\002.code\master-local\kernel\cyseccheck\sfilter.c
@ 6627] f7439cf1 8b7924 mov edi,dword ptr [ecx+24h]FAULTING_SOURCE_CODE: 6623: // Display a message when we
detect that the VPB for the given 6624: // device object has
changed. 6625: // 6626:6627: if (vpb != irpSp->Parameters.MountVolume.Vpb) 6628: { 6629: 6630: SF_LOG_PRINT( SFDEBUG_DISPLAY_ATTACHMENT_NAMES,
6631: (“SFilter!SfFsControlMountVolume:
VPB in IRP stack changed %p IRPVPB=%p VPB=%p\n”, 6632:
vpb->DeviceObject,SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: SecCheck!SfFsControlMountVolumeComplete+19
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SecCheck
IMAGE_NAME: SecCheck.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5ee8825d
FAILURE_BUCKET_ID: 0x8E_SecCheck!SfFsControlMountVolumeComplete+19
BUCKET_ID: 0x8E_SecCheck!SfFsControlMountVolumeComplete+19
Followup: MachineOwner
分析步骤:
- dump里已显示出出问题的模块和位置, 看dump猜测是数据为空导致
- 查看寄存器内容 kd> r
eax=84ae4308 ebx=84950e28 ecx=0000001f edx=00000000 esi=84950bc8 edi=84950fd4
eip=f7439cf1 esp=ee9ec758 ebp=ee9ec768 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
SecCheck!SfFsControlMountVolumeComplete+0x19:
f7439cf1 8b7924 mov edi,dword ptr [ecx+24h] ds:0023:00000043=????????
- 查看反汇编,确定数据状态 kd> u f7439cd1 L30, **包裹的数据为报错数据
SecCheck!SfIsAttachedToDevice+0x17d:
f7439cd1 653a25775a00cc cmp ah,byte ptr gs:[0CC005A77h]
CYSecCheck!SfFsControlMountVolumeComplete [d:\work\isg_svn\code\002.code\master-local\kernel\cyseccheck\sfilter.c @ 6598]:
f7439cd8 55 push ebp
f7439cd9 8bec mov ebp,esp
f7439cdb 51 push ecx
f7439cdc 8b4510 mov eax,dword ptr [ebp+10h]
f7439cdf 53 push ebx
f7439ce0 8b5d0c mov ebx,dword ptr [ebp+0Ch]
f7439ce3 56 push esi
f7439ce4 8b7028 mov esi,dword ptr [eax+28h]
f7439ce7 8b4360 mov eax,dword ptr [ebx+60h]
f7439cea 8b4e10 mov ecx,dword ptr [esi+10h]
f7439ced 8b4004 mov eax,dword ptr [eax+4]
f7439cf0 57 push edi
f7439cf1 8b7924 mov edi,dword ptr [ecx+24h]
**f7439cf4 3bf8 cmp edi,eax**
f7439cf6 c645ff00 mov byte ptr [ebp-1],0
f7439cfa 741b je CYSecCheck!SfFsControlMountVolumeComplete+0x3f (f7439d17)
f7439cfc f605d41442f701 test byte ptr [CYSecCheck!SfDebug (f74214d4)],1
f7439d03 7412 je CYSecCheck!SfFsControlMountVolumeComplete+0x3f (f7439d17)
- 查看第一个数据kd> dt PVPB 84950fd4
SecCheck!PVPB
0xf73fb976
+0x000 Type : -16223
+0x002 Size : 16916
+0x004 Flags : 0x83f7
+0x006 VolumeLabelLength : 0x5f8
+0x008 DeviceObject : 0x3d830b75 _DEVICE_OBJECT
+0x00c RealDevice : 0xf74214c4 _DEVICE_OBJECT
+0x010 SerialNumber : 0x3b047301
+0x014 ReferenceCount : 0x6a1076c0
+0x018 VolumeLabel : [32] 0x6a00
- 查看第二个数据kd> dt PVPB 84ae4308
SecCheck!PVPB
0x0058000a
+0x000 Type : ??
+0x002 Size : ??
+0x004 Flags : ??
+0x006 VolumeLabelLength : ??
+0x008 DeviceObject : ????
+0x00c RealDevice : ????
+0x010 SerialNumber : ??
+0x014 ReferenceCount : ??
+0x018 VolumeLabel : [32] ??
- 待处理
分析如有问题,请各位指教
311
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
