2013年11月19日星期二

BUGCHECK:0xc4_e3的通解

BUGCHECK:0xc4_e3的通解.

原因: 内核函数(Zw API)的参数直接使用了用户态的地址/数据。解决办法? 最简单的就是copy: 先把用户态的数据复制到内核态的缓冲区,再把这个内核缓冲区传给Zw函数。

关键是看: 访问了用户态的哪个地址(Arg3),以及是驱动里的哪处代码(Arg2)调用了内核的哪个函数、哪个参数用到了那个用户态地址(见下面 !analyze -v 的输出和栈回溯)。

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000e3, Kernel Zw API called with user-mode address as parameter.
Arg2: fffff880060cacab, Address inside the driver making the incorrect API call.
Arg3: 000007fefbdccb40, User-mode address used as API parameter.
Arg4: 0000000000000000

Debugging Details:
------------------


BUGCHECK_STR:  0xc4_e3

FAULTING_IP:
rdrct64!Process_CreateKey+18b [e:\securedesktop\dpdesk\rdrct\regeditvista.c @ 311]
fffff880`060cacab 89442444        mov     dword ptr [rsp+44h],eax

FOLLOWUP_IP:
rdrct64!Process_CreateKey+18b [e:\securedesktop\dpdesk\rdrct\regeditvista.c @ 311]
fffff880`060cacab 89442444        mov     dword ptr [rsp+44h],eax

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  explorer.exe

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff800019b9a02 to fffff800018c09b0

STACK_TEXT:
fffff880`06670a88 fffff800`019b9a02 : 00000000`000000e3 fffffa80`05ee0720 00000000`00000065 fffff800`01903898 : nt!RtlpBreakWithStatusInstruction
fffff880`06670a90 fffff800`019ba7ee : 000007fe`00000003 00000000`00000000 fffff800`019040f0 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
fffff880`06670af0 fffff800`018c8c84 : fffff980`08deac00 fffff800`01d5e012 00000000`00000400 fffff800`01d5832e : nt!KeBugCheck2+0x71e
fffff880`066711c0 fffff800`01d564ec : 00000000`000000c4 00000000`000000e3 fffff880`060cacab 000007fe`fbdccb40 : nt!KeBugCheckEx+0x104
fffff880`06671200 fffff800`01d56fd5 : 00000000`00000000 fffff800`01d584ae 00000000`00000000 fffff800`01893081 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`06671240 fffff800`01d584ae : fffff880`060cacab fffff800`01d5854e fffff880`06671390 fffff880`060cacab : nt!ViZwCheckAddress+0x35
fffff880`06671280 fffff800`01d5cc28 : fffff880`06671390 fffff880`060cacab 00000000`00ee00ec fffff980`04186c00 : nt!ViZwCheckUnicodeString+0x2e
fffff880`066712c0 fffff880`060cacab : 00000000`00000000 fffff880`06671a50 00000000`00000000 fffff880`06671380 : nt!VfZwCreateKey+0x68
fffff880`06671320 fffff880`060cb451 : fffff880`06671680 fffff880`06671680 fffff8a0`04217570 fffff800`01c741d1 : rdrct64!Process_CreateKey+0x18b [e:\securedesktop\dpdesk\rdrct\regeditvista.c @ 311]
fffff880`066713d0 fffff800`01c74460 : 00000000`00000000 00000000`0000001a fffff880`06671680 00000000`000007ff : rdrct64!RegistryCallback+0x91 [e:\securedesktop\dpdesk\rdrct\regeditvista.c @ 1179]
fffff880`06671420 fffff800`01b2bedd : fffffa80`0000001a fffff880`06671680 fffffa80`05ee0701 fffff880`0000001b : nt!CmpCallCallBacks+0x1c0
fffff880`066714f0 fffff800`01bc56d8 : fffffa80`0590acc8 fffffa80`00000000 fffffa80`0590ab10 fffff8a0`00000001 : nt! ?? ::NNGAKEGL::`string'+0x2ad6d
fffff880`066717f0 fffff800`01bc68f6 : 00000000`000000d4 fffffa80`0590ab10 16a00000`01b7d860 fffffa80`03d36f30 : nt!ObpLookupObjectName+0x588
fffff880`066718e0 fffff800`01b7d024 : fffff880`06671b88 00000000`00000000 fffff880`06671a01 fffff800`018c6dbd : nt!ObOpenObjectByName+0x306
fffff880`066719b0 fffff800`01b7d8c2 : 00000000`053fe3b8 fffff880`0002001f 00000000`053fe3d8 fffff800`01b7d894 : nt!CmCreateKey+0x2e1
fffff880`06671b20 fffff800`018c7e13 : fffffa80`05ee0720 0000007f`00000007 00000000`053fe318 00000980`00000000 : nt!NtCreateKey+0x2e
fffff880`06671b70 00000000`775f148a : 00000000`7738d4d8 00000000`053fe7a8 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`053fe368 00000000`7738d4d8 : 00000000`053fe7a8 00000000`00000000 00000000`00000000 000007fe`fbe6626a : ntdll!NtCreateKey+0xa
00000000`053fe370 00000000`7738d7c8 : 00000000`053fe7a8 00000000`053fe780 00000000`00000000 00000000`053fe8d8 : kernel32!Wow64NtCreateKey+0xe8
00000000`053fe440 00000000`7738d343 : 000007fe`fe9053c0 00000000`00000170 00000000`053fe8d8 00000000`053fe788 : kernel32!LocalBaseRegCreateKey+0x282
00000000`053fe720 00000000`7738d3e0 : 00000000`000000d4 00000000`00000000 00000000`0399c020 00000000`00000000 : kernel32!RegCreateKeyExInternalW+0x15c
00000000`053fe800 000007fe`fbddfe97 : 00000000`0399c020 00000000`0001035a 00000000`00000190 00000000`00000000 : kernel32!RegCreateKeyExW+0x50
00000000`053fe860 000007fe`fe5ad3fc : 00000000`053fe990 00000000`00030352 00000000`053fe978 00000000`053fe970 : comctl32!CreateMRUListLazyW+0x8f
00000000`053fe940 000007fe`fe55b5b2 : 00000000`00000004 00000000`774ba85d 00000000`0001035a 00000000`00000141 : SHELL32!CreateMRUListW+0x38
00000000`053fe970 000007fe`fe55a0ae : 00000000`00000000 00000000`0399c020 00000000`0399c020 00000000`0399c020 : SHELL32!OpenRunDlgMRU+0x5e
00000000`053fe9d0 000007fe`fe559f63 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000087 : SHELL32!CRunDlg::InitRunDlg+0x185
00000000`053fec70 00000000`774ae53b : 00000000`038b4830 00000000`00000000 00000000`00000001 ffffffff`fc74b7cf : SHELL32!RunDlgProc+0x279
00000000`053fed20 00000000`774ae2f2 : 00000000`00000110 000007fe`fe55af1c 00000000`00700c80 00000000`0001035a : USER32!GetCapture+0x40b
00000000`053fede0 00000000`774d4843 : 00000000`00000000 00000000`00700c80 00000000`00000000 00000000`00030352 : USER32!GetCapture+0x1c2
00000000`053fee60 00000000`00000000 : 00000000`00700c80 00000000`00000000 00000000`00030352 00000000`00000000 : USER32!UserHandleGrantAccess+0x8d73


STACK_COMMAND:  kb

FAULTING_SOURCE_LINE:  e:\securedesktop\dpdesk\rdrct\regeditvista.c

FAULTING_SOURCE_FILE:  e:\securedesktop\dpdesk\rdrct\regeditvista.c

FAULTING_SOURCE_LINE_NUMBER:  311

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  rdrct64!Process_CreateKey+18b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: rdrct64

IMAGE_NAME:  rdrct64.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5285ddfd

FAILURE_BUCKET_ID:  X64_0xc4_e3_VRF_rdrct64!Process_CreateKey+18b

BUCKET_ID:  X64_0xc4_e3_VRF_rdrct64!Process_CreateKey+18b

Followup: MachineOwner
---------

关键的问题在这里(栈回溯里 Verifier 的检查函数 nt!ViZwCheckAddress):
; nt!ViZwCheckAddress (WinDbg disassembly, Driver Verifier)
; Called from VfZwCreateKey -> ViZwCheckUnicodeString (see the stack above).
; In:  rcx = address to validate (becomes bugcheck Arg3)
;      rdx = address of the caller inside the driver (becomes bugcheck Arg2)
; Out: returns normally if the address is NULL, is at or above
;      MmHighestUserAddress, or ViZwBreakForIssues is 0; otherwise it
;      reports bugcheck 0xC4 / 0xE3 via VerifierBugCheckIfAppropriate.
; Note: rcx is only compared, never dereferenced, so no access-violation
;       exception is raised that a __try/__except block could catch.
nt!ViZwCheckAddress:
                           fffff800`01d0efa0 4883ec38        sub     rsp,38h                     ; frame for the call below; 8+0x38 keeps rsp 16-aligned at the call
                           fffff800`01d0efa4 4885c9          test    rcx,rcx                     ; NULL pointer is not flagged
                           fffff800`01d0efa7 742c            je      nt!ViZwCheckAddress+0x35 (fffff800`01d0efd5)
                           fffff800`01d0efa9 483b0d6090daff  cmp     rcx,qword ptr [nt!MmHighestUserAddress (fffff800`01ab8010)]
                           fffff800`01d0efb0 7323            jae     nt!ViZwCheckAddress+0x35 (fffff800`01d0efd5)   ; >= highest user address -> kernel address, OK (unsigned compare)
                           fffff800`01d0efb2 8b0528f10400    mov     eax,dword ptr [nt!ViZwBreakForIssues (fffff800`01d5e0e0)]
                           fffff800`01d0efb8 85c0            test    eax,eax                     ; only bugcheck when ViZwBreakForIssues != 0
                           fffff800`01d0efba 7419            je      nt!ViZwCheckAddress+0x35 (fffff800`01d0efd5)
                           fffff800`01d0efbc 488364242000    and     qword ptr [rsp+20h],0       ; 5th (stack) argument = 0; presumably bugcheck Arg4 (0 above)
                           fffff800`01d0efc2 4c8bc2          mov     r8,rdx                      ; arg3: caller address in the driver -> Arg2
                           fffff800`01d0efc5 bae3000000      mov     edx,0E3h                    ; arg2: 0xE3 "Zw API called with user-mode address" -> Arg1
                           fffff800`01d0efca 4c8bc9          mov     r9,rcx                      ; arg4: the user-mode address -> Arg3
                           fffff800`01d0efcd 8d4ae1          lea     ecx,[rdx-1Fh]               ; arg1: 0xE3 - 0x1F = 0xC4 = DRIVER_VERIFIER_DETECTED_VIOLATION
                           fffff800`01d0efd0 e8dbf4ffff      call    nt!VerifierBugCheckIfAppropriate (fffff800`01d0e4b0)
                           fffff800`01d0efd5 4883c438        add     rsp,38h                     ; common exit for all "address is fine" paths
                           fffff800`01d0efd9 c3              ret

这是用异常处理(SEH)也处理不了的: ViZwCheckAddress 只是把地址和 MmHighestUserAddress 比较,并不去访问那个地址,所以不会产生可捕获的异常,而是直接调用 VerifierBugCheckIfAppropriate 触发 bugcheck。

made by correy
made at 2013.11.19
