首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  2. 问答
  3. 为什么调用ExAllocatePoolWithTag会导致蓝屏
为什么调用ExAllocatePoolWithTag会导致蓝屏
sanqiu 2021-9-21 1377
源自:
1
2
3
4
5
6
7
8
9
10
11
12
PAGED_CODE()
const UINT64 memory_block_size =
        sizeof(PhysicalMemoryDescriptor) +
        sizeof(PhysicalMemoryRun) * (number_of_runs - 1);
    __debugbreak();
    PhysicalMemoryDescriptor* pm_block = NULL;
    pm_block =(PhysicalMemoryDescriptor*)(ExAllocatePoolWithTag(NonPagedPool, memory_block_size, POOL_TAG));
    if (!pm_block)
    {
        ExFreePoolWithTag(pm_ranges, 'hPmM');
        return NULL;
    }

调用的时候直接蓝了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
KDTARGET: Refreshing KD connection
 
*** Fatal System Error: 0x0000000a
                       (0x00000000000000F9,0x0000000000000002,0x0000000000000000,0xFFFFF8065D1C111D)
 
WARNING: This break is not a step/trace completion.
The last command has been cleared to prevent
accidental continuation of this unrelated event.
Check the event, location and thread before resuming.
Break instruction exception - code 80000003 (first chance)
 
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
 
A fatal system error has occurred.
 
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff806`5d1cdd20 cc              int     3
0: kd> !analyze -v
Connected to Windows 10 17763 x64 target at (Tue Sep 21 17:40:22.006 2021 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
...........................
 
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
 
....................................
................................................................
...........................................................
Loading User Symbols
 
Loading unloaded module list
..........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000000000f9, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8065d1c111d, address which referenced memory
 
Debugging Details:
 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8065d1c111d rsp=fffffc0bb0579210 rbp=fffffc0bb05792b0
 r8=ffffe50812deb288  r9=0000000000000000 r10=0000000000000000
r11=000000000000000a r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nt!RtlpHpVsContextAllocateInternal+0xa5:
fffff806`5d1c111d 8b08            mov     ecx,dword ptr [rax] ds:00000000`000000f9=????????
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from fffff8065d29b652 to fffff8065d1cdd20
 
STACK_TEXT: 
fffffc0b`b0578778 fffff806`5d29b652 : 00000000`000000f9 00000000`00000003 fffffc0b`b05788e0 fffff806`5d16cab0 : nt!DbgBreakPointWithStatus
fffffc0b`b0578780 fffff806`5d29add7 : 00000000`00000003 fffffc0b`b05788e0 fffff806`5d1da0e0 00000000`0000000a : nt!KiBugCheckDebugBreak+0x12
fffffc0b`b05787e0 fffff806`5d1c61a7 : 00000000`00000041 fffff806`5d0772e4 00000000`00000101 00000000`00000000 : nt!KeBugCheck2+0x957
fffffc0b`b0578f00 fffff806`5d1d78e9 : 00000000`0000000a 00000000`000000f9 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx+0x107
fffffc0b`b0578f40 fffff806`5d1d3cd4 : ffffe508`18884134 00000000`00000000 00000000`00000001 ffffe508`18884000 : nt!KiBugCheckDispatch+0x69
fffffc0b`b0579080 fffff806`5d1c111d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x454
fffffc0b`b0579210 fffff806`5d067ac6 : ffffe508`12e00000 ffffb081`00000080 ffffe508`0000000a 00000000`80000004 : nt!RtlpHpVsContextAllocateInternal+0xa5
fffffc0b`b0579280 fffff806`5d0662c6 : ffffe508`12e00000 fffffc0b`b0579389 00000000`514e4153 00000000`00000000 : nt!RtlpHpVsContextAllocate+0x46
fffffc0b`b0579300 fffff806`5d35504d : 00000000`00000000 00000000`00000070 00000000`514e4153 ffffe508`1ad9b000 : nt!ExAllocateHeapPool+0x9d6
fffffc0b`b05793f0 fffff806`630d34ac : ffffe508`1ad9b000 ffffe508`13c84be0 ffffe508`12e00000 fffff806`5d12c71b : nt!ExAllocatePoolWithTag+0x3d
fffffc0b`b05794d0 fffff806`630d3613 : ffffffff`00000001 fffff806`630d3174 ffffffff`00000000 00000000`00000001 : MyDriver!UtilpBuildPhysicalMemoryRanges+0x14c [D:\code\MyDriver\MyDriver\util.c @ 295]
fffffc0b`b0579560 fffff806`630d248e : 00000000`4d8fc000 ffffe508`13c84be0 ffffe508`12deb100 00000000`00000000 : MyDriver!UtilpInitializePhysicalMemoryRanges+0x43 [D:\code\MyDriver\MyDriver\util.c @ 242]
fffffc0b`b05795b0 fffff806`630d5210 : ffffe508`1ad9b000 ffffe508`13c84be0 fffffc0b`b0579878 fffffc0b`b05796a0 : MyDriver!InitEpt+0x18e [D:\code\MyDriver\MyDriver\ept.c @ 310]
fffffc0b`b0579670 fffff806`630d56c7 : ffffe508`12deb050 ffffffff`80002044 00000000`00000000 ffffe508`13c84be0 : MyDriver!VmpInitializeProcessorData+0xb0 [D:\code\MyDriver\MyDriver\vm.c @ 360]
fffffc0b`b05796c0 fffff806`630d1198 : fffffc0b`b0579730 fffff806`630d11bc ffffe508`12deb050 00000000`00000000 : MyDriver!VmpRealizeVm+0x57 [D:\code\MyDriver\MyDriver\vm.c @ 949]
fffffc0b`b0579710 fffffc0b`b0579730 : fffff806`630d11bc ffffe508`12deb050 00000000`00000000 ffffe508`1ad9b000 : MyDriver!AsmSaveEspEip+0x33 [D:\code\MyDriver\MyDriver\vtX64.asm @ 313]
fffffc0b`b0579718 fffff806`630d11bc : ffffe508`12deb050 00000000`00000000 ffffe508`1ad9b000 ffffb081`9fa3cf30 : 0xfffffc0b`b0579730
fffffc0b`b0579720 ffffe508`12deb050 : 00000000`00000000 ffffe508`1ad9b000 ffffb081`9fa3cf30 00000000`00000002 : MyDriver!AsmSaveEspEip+0x57 [D:\code\MyDriver\MyDriver\vtX64.asm @ 323]
fffffc0b`b0579728 00000000`00000000 : ffffe508`1ad9b000 ffffb081`9fa3cf30 00000000`00000002 ffffffff`80002044 : 0xffffe508`12deb050
 
 
THREAD_SHA1_HASH_MOD_FUNC:  175a9f37220613d002e92c65b778584ece79bde8
 
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  97c79e2c0bdf4493cfb50dfb5edc272ac2b65e0c
 
THREAD_SHA1_HASH_MOD:  df14fe238b393aa283a90228ca5c940d072b6e8e
 
FOLLOWUP_IP:
MyDriver!UtilpBuildPhysicalMemoryRanges+14c [D:\code\MyDriver\MyDriver\util.c @ 295]
fffff806`630d34ac 4889442428      mov     qword ptr [rsp+28h],rax
 
FAULT_INSTR_CODE:  24448948
 
FAULTING_SOURCE_LINE:  D:\code\MyDriver\MyDriver\util.c
 
FAULTING_SOURCE_FILE:  D:\code\MyDriver\MyDriver\util.c
 
FAULTING_SOURCE_LINE_NUMBER:  295
 
FAULTING_SOURCE_CODE: 
   291:          sizeof(PhysicalMemoryDescriptor) +
   292:          sizeof(PhysicalMemoryRun) * (number_of_runs - 1);
   293:      __debugbreak();
   294:      PhysicalMemoryDescriptor* pm_block = NULL;
295:      pm_block =(PhysicalMemoryDescriptor*)(ExAllocatePoolWithTag(NonPagedPool, memory_block_size, POOL_TAG));
   296:      if (!pm_block)
   297:      {
   298:          ExFreePoolWithTag(pm_ranges, POOL_TAG);
   299:          return NULL;
   300:      }
 
 
SYMBOL_STACK_INDEX:  a
 
SYMBOL_NAME:  MyDriver!UtilpBuildPhysicalMemoryRanges+14c
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: MyDriver
 
IMAGE_NAME:  MyDriver.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  6149a2ca
 
STACK_COMMAND:  .thread ; .cxr ; kb
 
BUCKET_ID_FUNC_OFFSET:  14c
 
FAILURE_BUCKET_ID:  AV_MyDriver!UtilpBuildPhysicalMemoryRanges
 
BUCKET_ID:  AV_MyDriver!UtilpBuildPhysicalMemoryRanges
 
PRIMARY_PROBLEM_CLASS:  AV_MyDriver!UtilpBuildPhysicalMemoryRanges
 
TARGET_TIME:  2021-09-21T09:40:17.000Z
 
OSBUILD:  17763
 
OSSERVICEPACK:  0
 
SERVICEPACK_NUMBER: 0
 
OS_REVISION: 0
 
SUITE_MASK:  272
 
PRODUCT_TYPE:  1
 
OSPLATFORM_TYPE:  x64
 
OSNAME:  Windows 10
 
OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
 
OS_LOCALE: 
 
USER_LCID:  0
 
OSBUILD_TIMESTAMP:  2010-07-01 17:37:06
 
BUILDDATESTAMP_STR:  180914-1434
 
BUILDLAB_STR:  rs5_release
 
BUILDOSVER_STR:  10.0.17763.1.amd64fre.rs5_release.180914-1434
 
ANALYSIS_SESSION_ELAPSED_TIME:  7f5a
 
ANALYSIS_SOURCE:  KM
 
FAILURE_ID_HASH_STRING:  km:av_mydriver!utilpbuildphysicalmemoryranges
 
FAILURE_ID_HASH:  {dcccddc9-f1d2-c3cf-0e52-2edf9e53cfe4}
 
Followup:     MachineOwner
---------
 
------------------

dbg分析好像是因为IRQL过高, 我使用这个PAGED_CODE()宏检测了请求级别了,而且分配的是非分页内存,为什么还会蓝屏

收藏
2条回答
sanqiu 2021-9-22

自问自答吧,原因是分配的内存不是0x1000的倍数,但是我试了别的驱动可以不按倍数分配,原因未知

回复
不戴草帽 2021-11-15

多谢提醒

回复
回答
回答问题,请先登录
  参与学习     人
  提问次数     100 个
学习课程
我的问答 领取收益
0
我的提问
0
我的回答
0
学习收益
采纳榜
©2000 - 2024 看雪 / 沪ICP备2022023406号 / 沪公网安备 31011502006611号

电话

邮件

客服