Original poster: Flameocean

[Solved] The BAPIDRV.SYS driver served me a blue screen

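七宝
Posted on 2013-5-7 08:06:17
CiInitialize posted on 2013-5-7 00:26
The forum's mobile mode is down; please report it.

Then who should I forward it to? I've sent it to 淡淡玉 and 主动防御 for now. Oh, and I'll forward one to your Weibo too.
淡淡玉
Posted on 2013-5-7 09:42:28
Thanks for the feedback. It has been submitted to the technical team, who are looking into it.
一个笨鸟
Posted on 2013-5-7 09:45:21
Flameocean posted on 2013-5-6 22:49
How do you know?

I foresaw it in a dream yesterday.
wowocock
Posted on 2013-5-7 09:52:06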
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory.  The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 9e1079ec, Virtual address for the attempted write.
Arg2: 79edb121, PTE contents.
Arg3: 8b01ab14, (reserved)
Arg4: 0000000b, (reserved)

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xBE

PROCESS_NAME:  SuperKiller.ex

CURRENT_IRQL:  0

TRAP_FRAME:  8b01ab14 -- (.trap 0xffffffff8b01ab14)
ErrCode = 00000003
eax=010df8b0 ebx=9e1079e8 ecx=00000008 edx=c04720d8 esi=8e41b008 edi=00000001
eip=84638f57 esp=8b01ab88 ebp=8b01aba0 iopl=0         nv up ei pl nz ac pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010217
nt!CmpAddValueToList+0x63:
84638f57 894304          mov     dword ptr [ebx+4],eax ds:0023:9e1079ec=ffffffff
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8448aaa8 to 844d786f

STACK_TEXT:  
8b01aafc 8448aaa8 00000001 9e1079ec 00000000 nt!MmAccessFault+0x106
8b01aafc 84638f57 00000001 9e1079ec 00000000 nt!KiTrap0E+0xdc
8b01aba0 84639141 010e1de0 00000000 00000000 nt!CmpAddValueToList+0x63
8b01abc8 8465530f 8e41b008 8b01accc 00000000 nt!CmpSetValueKeyNew+0x60
8b01ac8c 972f9b3a b73c7838 8b01accc 00000004 nt!CmSetValueKey+0x81f
WARNING: Stack unwind information not available. Following frames may be wrong.
8b01ad04 972ef2cf 00000994 08ceeea0 00000004 BAPIDRV+0x16b3a
8b01b9f4 972f8326 87115b80 00000014 87115b80 BAPIDRV+0xc2cf
8b01ba24 84480c29 88891dc0 870633e8 870633e8 BAPIDRV+0x15326
8b01ba3c 84674bf9 89cf32e0 870633e8 87063458 nt!IofCallDriver+0x63
8b01ba5c 84677de2 88891dc0 89cf32e0 00000000 nt!IopSynchronousServiceTail+0x1f8
8b01ba60 88891dc0 89cf32e0 00000000 8b01ba01 nt!IopXxxControlFile+0x6aa
8b01ba64 89cf32e0 00000000 8b01ba01 00000301 0x88891dc0
8b01ba68 00000000 8b01ba01 00000301 00000002 0x89cf32e0


STACK_COMMAND:  kb

FOLLOWUP_IP:
BAPIDRV+16b3a
972f9b3a ??              ???

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  BAPIDRV+16b3a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: BAPIDRV

IMAGE_NAME:  BAPIDRV.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  517a35b6

FAILURE_BUCKET_ID:  0xBE_BAPIDRV+16b3a

BUCKET_ID:  0xBE_BAPIDRV+16b3a

Followup: MachineOwner

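From the dump, it looks like this is caused by the pass-through driver. I asked Professor Wang, but he couldn't see any obvious problem either. If you can reproduce it, I suggest capturing a FULL DUMP and posting it here so we can take a look.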
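The fields in the dump above can be cross-checked by hand: Arg2 (the PTE contents), the trap frame's ErrCode and the faulting `mov` should all describe the same kernel-mode write to a present, read-only page. The C below is an added example, not part of the original post; it assumes Arg2 is the low dword of an x86 PTE with the standard Intel hardware bit layout, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 hardware PTE bits, low dword (assumed layout: standard Intel paging). */
#define PTE_PRESENT  0x001u
#define PTE_WRITE    0x002u
#define PTE_USER     0x004u
#define PTE_ACCESSED 0x020u
#define PTE_DIRTY    0x040u
#define PTE_GLOBAL   0x100u

/* x86 page-fault error code bits (ErrCode in the trap frame). */
#define PF_PRESENT 0x1u /* set: protection violation; clear: page not present */
#define PF_WRITE   0x2u /* set: the access was a write */
#define PF_USER    0x4u /* set: the access came from user mode */

/* Present page whose hardware write bit is clear. */
int pte_is_readonly(uint32_t pte) {
    return (pte & PTE_PRESENT) && !(pte & PTE_WRITE);
}

/* Kernel-mode write that hit a present page (not a missing one). */
int fault_is_kernel_write_protect(uint32_t err) {
    return (err & PF_PRESENT) && (err & PF_WRITE) && !(err & PF_USER);
}

/* All three pieces of evidence agree on a 0xBE-style fault at `arg1`:
 * the store `mov [base+disp], reg` targets arg1, the PTE is read-only,
 * and the error code reports a supervisor write-protection fault. */
int dump_is_consistent(uint32_t arg1, uint32_t pte, uint32_t err,
                       uint32_t base, uint32_t disp) {
    return (uint32_t)(base + disp) == arg1 &&
           pte_is_readonly(pte) && fault_is_kernel_write_protect(err);
}

int main(void) {
    /* Values copied from the !analyze -v output in the post above. */
    uint32_t arg1 = 0x9e1079ecu, pte = 0x79edb121u, err = 0x3u;
    uint32_t ebx = 0x9e1079e8u; /* mov dword ptr [ebx+4],eax */

    printf("PTE %08x: present=%d write=%d user=%d accessed=%d dirty=%d global=%d\n",
           (unsigned)pte, !!(pte & PTE_PRESENT), !!(pte & PTE_WRITE),
           !!(pte & PTE_USER), !!(pte & PTE_ACCESSED), !!(pte & PTE_DIRTY),
           !!(pte & PTE_GLOBAL));
    printf("ErrCode %x: kernel write-protect fault=%d\n",
           (unsigned)err, fault_is_kernel_write_protect(err));
    printf("consistent=%d\n", dump_is_consistent(arg1, pte, err, ebx, 4));
    return 0;
}
```

The decode shows a valid, global, kernel-only page with the write bit clear, which matches the bugcheck; it does not explain why `nt!CmpAddValueToList` was writing to that address, which is what the requested full dump would be needed for.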
wowocock
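Posted on 2013-5-7 09:59:19
Network lag; I can't believe it was that slow. I took a look, and it seems to be caused by BAPIDRV's pass-through driver. I asked the author, who said it just passes the request straight down and shouldn't fail. If you can reproduce it, I suggest uploading a FULL DUMP so we can take a look.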
CiInitialize
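Posted on 2013-5-7 10:17:01
七宝 posted on 2013-5-7 08:06
Then who should I forward it to? I've sent it to 淡淡玉 and 主动防御 for now. Oh, and I'll forward one to your Weibo too.

What I meant in that post was that the KaFan forum's mobile mode is down; please help report it to the forum admins.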


Flameocean
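Original poster | Posted on 2013-5-7 18:22:07
wowocock posted on 2013-5-7 09:59
Network lag; I can't believe it was that slow. I took a look, and it seems to be caused by BAPIDRV's pass-through driver. I asked the author, who said it just passes the request straight down and shouldn't fail, ...

Brother Shao, didn't you write this first-aid kit yourself? How come it's Professor Wang now? Is that the expert Wang Yu who found that Microsoft thing last time? Also, I selected the complete dump option, and this DMP is still the only one there is.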
Flameocean
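Original poster | Posted on 2013-5-7 18:22:28
CiInitialize posted on 2013-5-7 10:17
What I meant in that post was that the KaFan forum's mobile mode is down; please help report it to the forum admins.

Expert, could you take a look at whether there's a problem with this driver?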