小弟写了个微过滤驱动,过滤了 IRP_MJ_READ、IRP_MJ_WRITE 等几个请求。加载后打开文件没问题,但是写入文件就有问题了:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ffffffe4, 1, f84c688b, 0}

Probably caused by : fltMgr.sys ( fltMgr!FltpPerformPreCallbacks+2d7 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
80528bdc cc              int     3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffe4, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: f84c688b, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------
WRITE_ADDRESS:  ffffffe4

FAULTING_IP:
fltMgr!FltpPerformPreCallbacks+2d7
f84c688b 8945e4          mov     dword ptr [ebp-1Ch],eax

MM_INTERNAL_CODE:  0

IMAGE_NAME:  fltMgr.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  480251da

MODULE_NAME: fltMgr

FAULTING_MODULE: f84c5000 fltMgr

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  notepad.exe

TRAP_FRAME:  b235492c -- (.trap 0xffffffffb235492c)
ErrCode = 00000002
eax=00000001 ebx=81e976c8 ecx=00000008 edx=804fef9d esi=81c244a0 edi=81c245e4
eip=f84c688b esp=b23549a0 ebp=00000000 iopl=0         nv up ei ng nz ac pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010297
fltMgr!FltpPerformPreCallbacks+0x2d7:
f84c688b 8945e4          mov     dword ptr [ebp-1Ch],eax ss:0010:ffffffe4=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f8b9d to 80528bdc

STACK_TEXT:
b2354468 804f8b9d 00000003 ffffffe4 00000000 nt!RtlpBreakWithStatusInstruction
b23544b4 804f978a 00000003 00000000 c07ffff8 nt!KiBugCheckDebugBreak+0x19
b2354894 804f9cb5 00000050 ffffffe4 00000001 nt!KeBugCheck2+0x574
b23548b4 8051dc4f 00000050 ffffffe4 00000001 nt!KeBugCheckEx+0x1b
b2354914 8054151c 00000001 ffffffe4 00000000 nt!MmAccessFault+0x8e7
b2354914 f84c688b 00000001 ffffffe4 00000000 nt!KiTrap0E+0xcc
b23549ec f84c82a0 00354a30 81e976c8 82053cd0 fltMgr!FltpPerformPreCallbacks+0x2d7
b2354a00 f84d5217 b2354a30 f84d36aa 00000000 fltMgr!FltpPassThroughInternal+0x32
b2354a18 f84d5742 b2354a30 81cf1a68 82053b50 fltMgr!FltpCreateInternal+0x63
b2354a4c 804ef119 81e96c48 82053b40 82053b40 fltMgr!FltpCreate+0x258
b2354a5c 80579616 8211a7a0 81ec4b44 b2354c04 nt!IopfCallDriver+0x31
b2354b3c 805b5cbc 8211a7b8 00000000 81ec4aa0 nt!IopParseDevice+0xa12
b2354bc4 805b2065 00000000 b2354c04 00000040 nt!ObpLookupObjectName+0x56a
b2354c18 8056c223 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
b2354c94 8056cb9a 0007d784 40100080 0007d724 nt!IopCreateFile+0x407
b2354cf0 8056f2ac 0007d784 40100080 0007d724 nt!IoCreateFile+0x8e
b2354d30 8053e638 0007d784 40100080 0007d724 nt!NtCreateFile+0x30
b2354d30 7c92e4f4 0007d784 40100080 0007d724 nt!KiFastCallEntry+0xf8
0007d6e0 7c92d09c 7c8109a6 0007d784 40100080 ntdll!KiFastSystemCallRet
0007d6e4 7c8109a6 0007d784 40100080 0007d724 ntdll!ZwCreateFile+0xc
0007d77c 7632be20 00000000 40000000 00000003 kernel32!CreateFileW+0x35f
0007e000 763273cf 0007e02c 00000000 00030210 comdlg32!CFileOpenBrowser::OKButtonPressed+0x905
0007e240 763272d7 001300ee 0003024c 000c5ff8 comdlg32!CFileOpenBrowser::ProcessEdit+0x192
0007e280 7632277f 00000001 0003024c 0007e528 comdlg32!CFileOpenBrowser::OnCommandMessage+0x1d3
0007e4c0 77d18734 001300ee 00000111 00000001 comdlg32!OpenDlgProc+0x2f5
0007e4ec 77d23ce4 76322615 001300ee 00000111 USER32!InternalCallWinProc+0x28
0007e558 77d23b30 00000000 76322615 001300ee USER32!UserCallDlgProcCheckWow+0x146
0007e5a0 77d23d5c 00000000 00000111 00000001 USER32!DefDlgProcWorker+0xa8
0007e5bc 77d18734 001300ee 00000111 00000001 USER32!DefDlgProcW+0x22
0007e5e8 77d18816 77d23d3a 001300ee 00000111 USER32!InternalCallWinProc+0x28
0007e650 77d2927b 00000000 77d23d3a 001300ee USER32!UserCallWinProcCheckWow+0x150
0007e68c 77d292e3 005be9c8 005b7850 00000001 USER32!SendMessageWorker+0x4a5
0007e6ac 771a7354 001300ee 00000111 00000001 USER32!SendMessageW+0x7f
0007e6cc 771a7436 000c4ee0 00000000 0010001b COMCTL32!Button_NotifyParent+0x3d
0007e6e8 771a973b 000c4ee0 00000001 0007e7e0 COMCTL32!Button_ReleaseCapture+0xd7
0007e778 77d18734 0003024c 00000202 00000000 COMCTL32!Button_WndProc+0x887
0007e7a4 77d18816 771a8eb4 0003024c 00000202 USER32!InternalCallWinProc+0x28
0007e80c 77d2a013 00000000 771a8eb4 0003024c USER32!UserCallWinProcCheckWow+0x150
0007e83c 77d2a039 771a8eb4 0003024c 00000202 USER32!CallWindowProcAorW+0x98
0007e85c 76322e02 771a8eb4 0003024c 00000202 USER32!CallWindowProcW+0x1b
0007e878 77d18734 0003024c 00000202 00000000 comdlg32!OKSubclass+0x46
0007e8a4 77d18816 76322dbf 0003024c 00000202 USER32!InternalCallWinProc+0x28
0007e90c 77d189cd 00000000 76322dbf 0003024c USER32!UserCallWinProcCheckWow+0x150
0007e96c 77d18a10 0007e9bc 00000000 0007e9a0 USER32!DispatchMessageWorker+0x306
0007e97c 77d274ff 0007e9bc 00000000 005be9c8 USER32!DispatchMessageW+0xf
0007e9a0 77d2763c 001300ee 005bdd30 0007008e USER32!IsDialogMessageW+0x572
0007e9dc 77d249c4 001300ee 0007008e 00000010 USER32!DialogBox2+0x144
0007ea04 77d24a06 76320000 000b19b0 0007008e USER32!InternalDialogBox+0xd0
0007ea24 77d3208d 76320000 000b19b0 0007008e USER32!DialogBoxIndirectParamAorW+0x37
0007ea44 7632355f 76320000 000b19b0 0007008e USER32!DialogBoxIndirectParamW+0x1b
0007ea90 7634dad7 00000000 00000001 0007eac8 comdlg32!NewGetFileName+0x240
0007eaa0 76323349 0007eadc 0007fb40 00000000 comdlg32!NewGetSaveFileName+0xf
0007eac8 76337c7d 0007eadc 76337895 7c80ba7f comdlg32!GetFileName+0xd0
0007fb44 01002cc6 0100a680 00000000 00000111 comdlg32!GetSaveFileNameW+0x52
0007fdbc 01003927 0007008e 00000004 00000000 NOTEPAD!NPCommand+0x13f
0007fde0 77d18734 0007008e 00000111 00000004 NOTEPAD!NPWndProc+0x4fe
0007fe0c 77d18816 01003429 0007008e 00000111 USER32!InternalCallWinProc+0x28
0007fe74 77d189cd 00000000 01003429 0007008e USER32!UserCallWinProcCheckWow+0x150
0007fed4 77d18a10 0007fefc 00000000 0007ff1c USER32!DispatchMessageWorker+0x306
0007fee4 01002a12 0007fefc 00000000 7c80b731 USER32!DispatchMessageW+0xf
0007ff1c 01007511 01000000 00000000 000a2332 NOTEPAD!WinMain+0xdc
0007ffc0 7c817067 000b734c 0007daf8 7ffd6000 NOTEPAD!WinMainCRTStartup+0x174
0007fff0 00000000 0100739d 00000000 78746341 kernel32!BaseProcessStart+0x23
STACK_COMMAND:  kb

FOLLOWUP_IP:
fltMgr!FltpPerformPreCallbacks+2d7
f84c688b 8945e4          mov     dword ptr [ebp-1Ch],eax

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  fltMgr!FltpPerformPreCallbacks+2d7

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0x50_fltMgr!FltpPerformPreCallbacks+2d7

BUCKET_ID:  0x50_fltMgr!FltpPerformPreCallbacks+2d7

Followup: MachineOwner
---------
栈追踪在fltMgr!FltpPerformPreCallbacks+0x2d7出错了。可这个根本还没有进入我的驱动程序咋就挂了呢。郁闷ing。考虑到叫做PerformPreCallbacks我检查了下注册回调的代码好像没有问题啊。。
以下是注册的结构:
// 包含了需要过滤的IRP请求
/*
 * Operation registration table for the minifilter: one entry per IRP major
 * function to intercept. Each entry gives the major function, a flags value
 * of 0, a pre-operation callback and a post-operation callback. The list is
 * closed by the IRP_MJ_OPERATION_END sentinel entry.
 *
 * NOTE(review): the bugcheck quoted on this page faults inside
 * fltMgr!FltpPerformPreCallbacks on the create path (FltpCreate ->
 * FltpCreateInternal -> FltpPassThroughInternal) at
 * `mov dword ptr [ebp-1Ch],eax`, with ebp=00000000 and eax=00000001 in the
 * trap frame. That is consistent with a pre-operation callback having just
 * returned with a corrupted saved frame pointer (for example a write past a
 * local buffer), so the fault may originate in this driver even though
 * fltMgr.sys is blamed -- to be confirmed. The table itself looks
 * well-formed; audit the stack locals in Antinvader_PreCreate, confirm that
 * every callback is declared with the FLTAPI callback prototypes, and re-run
 * the repro under Driver Verifier.
 */
const FLT_OPERATION_REGISTRATION Callbacks[] = {
    /* major function             flags  pre-operation                    post-operation */
    { IRP_MJ_CREATE,              0,     Antinvader_PreCreate,            Antinvader_PostCreate           },
    { IRP_MJ_CLOSE,               0,     Antinvader_PreClose,             Antinvader_PostClose            },
    { IRP_MJ_READ,                0,     Antinvader_PreRead,              Antinvader_PostRead             },
    { IRP_MJ_WRITE,               0,     Antinvader_PreWrite,             Antinvader_PostWrite            },
    { IRP_MJ_CLEANUP,             0,     Antinvader_PreCleanUp,           Antinvader_PostCleanUp          },
    { IRP_MJ_SET_INFORMATION,     0,     Antinvader_PreSetInformation,    Antinvader_PostSetInformation   },
    { IRP_MJ_DIRECTORY_CONTROL,   0,     Antinvader_PreDirectoryControl,  Antinvader_PostDirectoryControl },
    { IRP_MJ_QUERY_INFORMATION,   0,     Antinvader_PreQueryInformation,  Antinvader_PostQueryInformation },

    /* Sentinel: marks the end of the registration list. */
    { IRP_MJ_OPERATION_END }
};
各位帮忙看看问题 感激不尽啊