家里无聊随手做:【我的电脑听我的】驱动通知通过规则拦截进程启动

显示全部楼层 · 发表于 2013-4-28 14:48:40

0: kd> !analyze -v
*******************************************************************************
*                                                                            *
*                      Bugcheck Analysis                                  *
*                                                                            *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000109b, (reserved)
Arg3: 00000000, Memory contents of the pool block
Arg4: 92881c8c, Address of the block of pool being deallocated

Debugging Details:
------------------

BUGCHECK_STR:  0xc2_7

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 8465e78d to 8455ac6b

STACK_TEXT:
928819fc 8465e78d 92881c8c 00000000 00000200 nt!ExFreePoolWithTag+0x1b1
92881a18 846b141c 928818c0 8464cbc0 92881c8c nt!SeDeleteAccessState+0x2b
92881a40 93e79c47 92881c8c 80000000 92881c74 nt!PsOpenProcess+0x23f
WARNING: Stack unwind information not available. Following frames may be wrong.
92881a80 b3c9d368 92881c8c 80000000 92881c74 klif+0x77c47
92881a98 b3c9d479 92881c8c 80000000 92881c74 filnk+0x6e368
92881ae8 8d51be1d 92881c8c 80000000 92881c74 filnk+0x6e479
92881bac 8d602e6f 92881c8c 80000000 92881c74 Hookport+0x4e1d
92881bd0 844778ba 92881c8c 80000000 92881c74 bd0001+0x2e6f
92881bd0 84475cfd 92881c8c 80000000 92881c74 nt!KiFastCallEntry+0x12a
92881c58 b3ca6ef0 92881c8c 80000000 92881c74 nt!ZwOpenProcess+0x11
92881c9c b3c99ca8 00000e40 a2479000 00000400 filnk+0x77ef0
92881d04 844778ba 00000a44 00000404 014ff738 filnk+0x6aca8
92881d04 76e47094 00000a44 00000404 014ff738 nt!KiFastCallEntry+0x12a
014ff62c 00000000 00000000 00000000 00000000 0x76e47094

STACK_COMMAND:  kb

FOLLOWUP_IP:
klif+77c47
93e79c47 ??             ???

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  klif+77c47

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: klif

IMAGE_NAME:  klif.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  502e5c77

FAILURE_BUCKET_ID:  0xc2_7_klif+77c47

BUCKET_ID:  0xc2_7_klif+77c47

Followup: MachineOwner

过多的驱动导致的多重释放内存。

显示全部楼层 · 发表于 2013-4-28 15:21:17

wowocock 发表于 2013-4-28 14:48
0: kd> !analyze -v
*******************************************************************************
...

大大是在回答楼上的么

话说在堆栈里面只看到一次ExFreePoolWithTag啊..

显示全部楼层 · 发表于 2013-4-28 16:51:05

wowocock 发表于 2013-4-28 14:48
0: kd> !analyze -v
*******************************************************************************
...

大牛厉害，我是为了测试一下百度才用的，还有我百度的服务进程还有其他进程全部修改为了手动启动，这次测试看到是klif驱动导致的啊

显示全部楼层 · 发表于 2013-4-28 19:48:34

有源码

显示全部楼层 · 发表于 2013-4-28 20:54:16

大神好

显示全部楼层 · 发表于 2013-4-28 23:14:32

还不错啊

显示全部楼层 · 发表于 2013-4-29 08:12:00

这是易语言做的、、、？？

显示全部楼层 · 发表于 2013-4-29 08:18:14

E剑忠晴发表于 2013-4-28 19:48
有源码

有吗。。??

显示全部楼层 · 发表于 2013-4-29 14:52:17

+1 置顶这个好还以为你要加在你的劫杀器里面

显示全部楼层 · 发表于 2013-4-29 18:14:59

wowocock 发表于 2013-4-28 14:48
0: kd> !analyze -v
*******************************************************************************
...

http://bbs.kafan.cn/forum.php?mo ... &fromuid=525863
大牛你给看看，还是这两个蓝屏，MJ说是人生日历造成的，到底是谁造成的

[原创工具] 家里无聊随手做:【我的电脑听我的】驱动通知通过规则拦截进程启动