Crash with inspect sample


Problem description

Hi. I am facing a crash caused by NETIO.SYS with Windows 7 (RTM) and the inspect sample. My question is: what went wrong and how do I avoid this crash?

Environment:

- Windows 7 RTM
- Inspect sample from the newest WDK (7600.16385.0)

Full dump is available. Crash analysis:


Loading Dump File [C:\Users\Frank\Desktop\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*p:\websymbols*http://msdl.microsoft.com/download/symbols;SRV*p:\websymbols*\\pegasus\download\symbols;M:\Symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.x86fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0x8280d000 PsLoadedModuleList = 0x82955810
Debug session time: Mon Aug 10 20:55:57.934 2009 (GMT+2)
System Uptime: 0 days 5:25:53.323
Loading Kernel Symbols
...............................................................
................................................................
..........
Loading User Symbols

Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {0, 2, 0, 88c95dad}

Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+a2 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 88c95dad, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  00000000

CURRENT_IRQL:  2

FAULTING_IP:
tcpip!FlpReturnNetBufferListChain+35
88c95dad 8b08            mov     ecx,dword ptr [eax]

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

TRAP_FRAME:  942d1ab0 -- (.trap 0xffffffff942d1ab0)
ErrCode = 00000000
eax=00000000 ebx=861fee30 ecx=856ad918 edx=829429c0 esi=861feed0 edi=ffffffac
eip=88c95dad esp=942d1b24 ebp=942d1b38 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
tcpip!FlpReturnNetBufferListChain+0x35:
88c95dad 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 88c95dad to 828537eb

STACK_TEXT: 
942d1ab0 88c95dad badb0d00 829429c0 829428c0 nt!KiTrap0E+0x2cf
942d1b38 88abfb48 861fee30 00000001 00000000 tcpip!FlpReturnNetBufferListChain+0x35
942d1b58 88ac121c 84a83d70 00000000 00000000 NETIO!NetioDereferenceNetBufferList+0xa2
942d1b88 88c97b40 00000000 00000000 00000000 NETIO!NetioDereferenceNetBufferListChain+0x3a
942d1ba8 88c98fc0 8567e000 00000000 85647670 tcpip!IppCompleteAndFreePacketList+0xd7
942d1bec 88c96b64 88cf8d98 00000011 84a83d70 tcpip!IppReceiveHeaderBatch+0x28c
942d1c80 88cd3fad 861250f8 00000000 00000001 tcpip!IpFlcReceivePackets+0xbe5
942d1ca0 88d60197 02000000 00000001 0000000b tcpip!IppInspectInjectReceive+0xca
942d1cd8 931151b0 860be740 00000000 00000000 fwpkclnt!FwpsInjectTransportReceiveAsync0+0x1bc
942d1d1c 931152fa 00000000 00000000 84cd8d48 inspect!TLInspectCloneReinjectInbound+0xc2 [p:\winddk\7600.16385.0\src\network\trans\inspect\sys\inspect.c @ 1033]
942d1d50 82a1b66d 00000000 b388620e 00000000 inspect!TLInspectWorker+0xd2 [p:\winddk\7600.16385.0\src\network\trans\inspect\sys\inspect.c @ 1216]
942d1d90 828cd0d9 93115228 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


STACK_COMMAND:  kb

FOLLOWUP_IP:
NETIO!NetioDereferenceNetBufferList+a2
88abfb48 85ff            test    edi,edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  NETIO!NetioDereferenceNetBufferList+a2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bbf63

FAILURE_BUCKET_ID:  0xD1_NETIO!NetioDereferenceNetBufferList+a2

BUCKET_ID:  0xD1_NETIO!NetioDereferenceNetBufferList+a2

Followup: MachineOwner
---------
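The transcript above is a good illustration of why the automatic bucket cannot be taken at face value: FAILURE_BUCKET_ID blames NETIO.SYS, but every frame from tcpip!FlpReturnNetBufferListChain down to fwpkclnt!FwpsInjectTransportReceiveAsync0 is Windows code that was called, synchronously, from the sample's own inspect!TLInspectCloneReinjectInbound on its worker thread. The first frame that is not in a Microsoft-owned module is where a driver author starts. As an added example (not code from the post, from OSR or from the WDK inspect sample), the following Python script parses a `!analyze -v` transcript, decodes the 0xD1 arguments, and walks STACK_TEXT to that first third-party frame. The MICROSOFT_MODULES allow-list and the "near null" threshold are assumptions; the embedded sample text is a trimmed copy of the transcript in the post.

```python
import re

# Assumption: a minimal allow-list of Windows-owned modules that show up in
# network crash stacks; extend it for the machine being triaged.
MICROSOFT_MODULES = {"nt", "hal", "ndis", "netio", "tcpip", "fwpkclnt", "wfplwfs"}

# Constructed sample input: the bugcheck, FAULTING_IP and STACK_TEXT lines of
# the transcript above, trimmed to what the parser needs.
SAMPLE = r"""
BugCheck D1, {0, 2, 0, 88c95dad}

Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+a2 )

FAULTING_IP:
tcpip!FlpReturnNetBufferListChain+35
88c95dad 8b08            mov     ecx,dword ptr [eax]

STACK_TEXT:
942d1ab0 88c95dad badb0d00 829429c0 829428c0 nt!KiTrap0E+0x2cf
942d1b38 88abfb48 861fee30 00000001 00000000 tcpip!FlpReturnNetBufferListChain+0x35
942d1b58 88ac121c 84a83d70 00000000 00000000 NETIO!NetioDereferenceNetBufferList+0xa2
942d1b88 88c97b40 00000000 00000000 00000000 NETIO!NetioDereferenceNetBufferListChain+0x3a
942d1ba8 88c98fc0 8567e000 00000000 85647670 tcpip!IppCompleteAndFreePacketList+0xd7
942d1bec 88c96b64 88cf8d98 00000011 84a83d70 tcpip!IppReceiveHeaderBatch+0x28c
942d1c80 88cd3fad 861250f8 00000000 00000001 tcpip!IpFlcReceivePackets+0xbe5
942d1ca0 88d60197 02000000 00000001 0000000b tcpip!IppInspectInjectReceive+0xca
942d1cd8 931151b0 860be740 00000000 00000000 fwpkclnt!FwpsInjectTransportReceiveAsync0+0x1bc
942d1d1c 931152fa 00000000 00000000 84cd8d48 inspect!TLInspectCloneReinjectInbound+0xc2 [p:\winddk\7600.16385.0\src\network\trans\inspect\sys\inspect.c @ 1033]
942d1d50 82a1b66d 00000000 b388620e 00000000 inspect!TLInspectWorker+0xd2 [p:\winddk\7600.16385.0\src\network\trans\inspect\sys\inspect.c @ 1216]
942d1d90 828cd0d9 93115228 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

STACK_COMMAND:  kb
"""

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
CAUSED_BY_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)\s*\(\s*(\S+)\s*\)", re.M)
FAULT_IP_RE = re.compile(r"^FAULTING_IP:[ \t]*\n(\S+)", re.M)
# x86 kb layout: childebp retaddr arg1 arg2 arg3 module!symbol [source @ line]
FRAME_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(?:[0-9a-f]{8}\s+){3}"
    r"(\w+)!([^\s\[]+)(?:\s+\[([^\]]*)\])?\s*$",
    re.M,
)


def parse_frames(text):
    """STACK_TEXT frames, innermost (the trap handler) first."""
    return [
        {"child_ebp": int(m.group(1), 16), "ret_addr": int(m.group(2), 16),
         "module": m.group(3), "symbol": m.group(4), "source": m.group(5)}
        for m in FRAME_RE.finditer(text)
    ]


def first_third_party_frame(frames):
    """First frame whose module is not on the Microsoft allow-list."""
    for frame in frames:
        if frame["module"].lower() not in MICROSOFT_MODULES:
            return frame
    return None


def decode_d1(args):
    """Decode the four DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) arguments."""
    address, irql, op, ip = args
    return {
        "address": address, "irql": irql,
        "operation": "write" if op else "read", "faulting_ip": ip,
        # Assumption: a reference into the first page is a NULL-based deref.
        "near_null": address < 0x1000,
    }


def triage(text):
    """Summarise one !analyze -v transcript as a dict."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no 'BugCheck' line in transcript")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    cause = CAUSED_BY_RE.search(text)
    fip = FAULT_IP_RE.search(text)
    frames = parse_frames(text)
    suspect = first_third_party_frame(frames)
    blamed = cause.group(1) if cause else None
    result = {
        "bugcheck": code, "args": args, "frames": frames,
        "faulting_ip": fip.group(1) if fip else None,
        "analyze_blames": blamed, "suspect": suspect,
        # True when the bucket names a Windows module while a third-party
        # driver sits on the stack underneath it.
        "analysis_disagrees": bool(suspect and blamed and
                                   blamed.split(".")[0].lower() != suspect["module"].lower()),
    }
    if code == 0xD1 and len(args) == 4:
        result["d1"] = decode_d1(args)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"bugcheck 0x{r['bugcheck']:X}, args {[hex(a) for a in r['args']]}")
    print(f"!analyze blames {r['analyze_blames']}; first non-Microsoft frame: "
          f"{r['suspect']['module']}!{r['suspect']['symbol']}")
```

Run against the embedded sample it reports bugcheck 0xD1 (a read of address 0 at IRQL 2) and picks inspect!TLInspectCloneReinjectInbound+0xc2 at inspect.c line 1033 as the first non-Microsoft frame, while `analyze_blames` stays NETIO.SYS; that disagreement is the signal to look at what the reinject call handed to FwpsInjectTransportReceiveAsync0 rather than at NETIO. For an x64 dump the frame regex needs 16-digit addresses and the `kb` column count of that platform.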




Solution

Had the sample been modified?

thanks,
Biao.W.

