Windows Blue Screen Analysis

IRQL_NOT_LESS_OR_EQUAL blue screen and nt!ExpScanGeneralLookasideList

2023-06-28

The automatic analysis (!analyze -v) is as follows:

6: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffffffeffffffd9, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield : the faulting access was a memory read
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80348f14290, address which referenced memory

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on LIXIAOMINGPC

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 1

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 71

    Key  : Analysis.System
    Value: CreateObject


BUGCHECK_CODE:  a

BUGCHECK_P1: fffffffeffffffd9

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80348f14290

READ_ADDRESS:  fffffffeffffffd9 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


PROCESS_NAME:  System

TRAP_FRAME:  ffffc98188f0a2a0 -- (.trap 0xffffc98188f0a2a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80348f14290 rsp=ffffc98188f0a430 rbp=000000000000ffff
 r8=ffffffff00000001  r9=0000000000000004 r10=0000000000000000
r11=0000000000000100 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!ExpScanGeneralLookasideList+0x40:
fffff803`48f14290 418b48d8        mov     ecx,dword ptr [r8-28h] ds:fffffffe`ffffffd9=????????
Resetting default scope

STACK_TEXT:  
ffffc981`88f0a158 fffff803`48fd68e9 : 00000000`0000000a fffffffe`ffffffd9 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffc981`88f0a160 fffff803`48fd2cd4 : ffffa80c`37ceb040 ffffe418`f519cbad 00000000`00000000 ffff8c00`4174a180 : nt!KiBugCheckDispatch+0x69
ffffc981`88f0a2a0 fffff803`48f14290 : 00000000`00000001 fffff803`4920ff30 00000000`00000000 00000000`000000e3 : nt!KiPageFault+0x454
ffffc981`88f0a430 fffff803`48f91dcd : 00000000`00000008 00000000`ffffffff fffff803`49245800 ffffa80c`37cb0300 : nt!ExpScanGeneralLookasideList+0x40
ffffc981`88f0a460 fffff803`48f39d65 : ffffa80c`37cea040 00000000`00000080 fffff803`48f91cc0 00000000`00000000 : nt!KeBalanceSetManager+0x10d
ffffc981`88f0a550 fffff803`48fcc57c : ffff8c00`4174a180 ffffa80c`37cea040 fffff803`48f39d10 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffc981`88f0a5a0 00000000`00000000 : ffffc981`88f0b000 ffffc981`88f04000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x1c


SYMBOL_NAME:  nt!ExpScanGeneralLookasideList+40

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  40

FAILURE_BUCKET_ID:  AV_nt!ExpScanGeneralLookasideList

OS_VERSION:  10.0.17763.1

BUILDLAB_STR:  rs5_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {76f24b7e-30bf-766a-9788-497c3826355f}

Followup:     MachineOwner
---------

Checking the stack:

6: kd> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 fffff803`48fd68e9 : 00000000`0000000a fffffffe`ffffffd9 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
01 fffff803`48fd2cd4 : ffffa80c`37ceb040 ffffe418`f519cbad 00000000`00000000 ffff8c00`4174a180 : nt!KiBugCheckDispatch+0x69
02 fffff803`48f14290 : 00000000`00000001 fffff803`4920ff30 00000000`00000000 00000000`000000e3 : nt!KiPageFault+0x454
03 fffff803`48f91dcd : 00000000`00000008 00000000`ffffffff fffff803`49245800 ffffa80c`37cb0300 : nt!ExpScanGeneralLookasideList+0x40
04 fffff803`48f39d65 : ffffa80c`37cea040 00000000`00000080 fffff803`48f91cc0 00000000`00000000 : nt!KeBalanceSetManager+0x10d
05 fffff803`48fcc57c : ffff8c00`4174a180 ffffa80c`37cea040 fffff803`48f39d10 00000000`00000000 : nt!PspSystemThreadStartup+0x55
06 00000000`00000000 : ffffc981`88f0b000 ffffc981`88f04000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x1c

From the stack trace above we can see that the balance set manager thread, KeBalanceSetManager, took a page fault while scanning the non-paged lookaside lists (ExpScanGeneralLookasideList), and that fault caused the blue screen.
Let's look at the trap frame:

6: kd> .trap 0xffffc98188f0a2a0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80348f14290 rsp=ffffc98188f0a430 rbp=000000000000ffff
 r8=ffffffff00000001  r9=0000000000000004 r10=0000000000000000
r11=0000000000000100 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!ExpScanGeneralLookasideList+0x40:
fffff803`48f14290 418b48d8        mov     ecx,dword ptr [r8-28h] ds:fffffffe`ffffffd9=????????

Here R8 is ffffffff00000001, which is clearly not a valid memory address; the faulting instruction reads [r8-28h], and ffffffff00000001 - 28h = fffffffeffffffd9, exactly the address reported in Arg1. Let's use IDA to find out where this value comes from.
As shown below, the parameters of ExpScanGeneralLookasideList are:
first parameter: ExNPagedLookasideListHead
second parameter: ExNPagedLookasideLock
(IDA figure: ExNPagedLookasideListHead)

So the blue screen occurred while walking the ExNPagedLookasideListHead list: one of the list nodes is corrupted. Now let's walk the list manually in WinDbg.

6: kd> !list ExNPagedLookasideListHead
fffff803`4920ff30  fffff803`49243a00 ffffa80c`46a52a20
fffff803`4920ff40  00000000`00000000 00000000`00000000
fffff803`4920ff50  fffff803`49dce640 ffffa80c`45bf34f0
fffff803`4920ff60  00000000`00000000 00000000`00000000
fffff803`4920ff70  fffff803`4920ff70 fffff803`4920ff70
fffff803`4920ff80  00000000`00000000 00000000`00000000
fffff803`4920ff90  fffff803`49212c20 ffffa80c`42805cb8
fffff803`4920ffa0  00000000`00001001 00000000`00000000

fffff803`49243a00  fffff803`492e3d80 fffff803`4920ff30
fffff803`49243a10  00000000`00000000 00000000`00000000
fffff803`49243a20  00000000`00000000 00000000`00000000
fffff803`49243a30  00000000`00000000 00000000`00000000
fffff803`49243a40  00000000`00000000 00000000`00000000
fffff803`49243a50  00000000`00000000 00000000`00000000
fffff803`49243a60  00000000`00000000 ffffa080`0000b0d8
fffff803`49243a70  ffffa080`0000b168 00000000`000361a0

…… (middle part omitted, it is too long)

fffff803`492e3d80  fffff803`492e3c00 fffff803`49243a00
fffff803`492e3d90  00000000`00000000 00000000`00000000
fffff803`492e3da0  00000000`00000000 00000000`00000000
fffff803`492e3db0  00000000`00000000 00000000`00000000
fffff803`492e3dc0  00000000`00100000 00000000`00000000
fffff803`492e3dd0  0000010f`01000004 00000010`000000ff
fffff803`492e3de0  00000001`00000000 000000a0`45476d57
fffff803`492e3df0  fffff803`49153010 fffff803`49155780
ffffa80c`40ff7090  ffffa80c`47266ec0 ffffa80c`466d3bb0
ffffa80c`40ff70a0  00000000`00000000 00000000`00000000
ffffa80c`40ff70b0  00000000`00000000 00000000`00000000
ffffa80c`40ff70c0  00000000`00000000 00000000`00000000
ffffa80c`40ff70d0  ffffa80c`40ff70d0 ffffa80c`40ff70d0
ffffa80c`40ff70e0  00000000`0000000a 00000000`00000000
ffffa80c`40ff70f0  00000000`00000000 00000000`00000000
ffffa80c`40ff7100  00000000`00000000 00000000`00000000

ffffa80c`47266ec0  ffffa80c`44841ea0 ffffa80c`40ff7090
ffffa80c`47266ed0  00000000`00000000 00000000`00000000
ffffa80c`47266ee0  00000000`00000000 00000000`00000000
ffffa80c`47266ef0  00000000`00000000 00000000`00000000
ffffa80c`47266f00  00000000`00000000 00000000`00000000
ffffa80c`47266f10  fffff803`5288c5b0 ffffa80c`47266c00
ffffa80c`47266f20  ffffa80c`472d4e90 00000000`00000000
ffffa80c`47266f30  ffffa80c`47266f30 ffffa80c`47266f30

ffffa80c`44841ea0  ffffa80c`46dd7c60 ffffa80c`47266ec0
ffffa80c`44841eb0  00000000`00000000 00000000`00000000
ffffa80c`44841ec0  00000000`00000000 00000000`00000000
ffffa80c`44841ed0  00000000`00000000 00000000`00000000
ffffa80c`44841ee0  00000000`00000000 00000000`00000000
ffffa80c`44841ef0  fffff803`5288c5b0 ffffa80c`44841be0
ffffa80c`44841f00  ffffa80c`472d6890 00000000`00000000
ffffa80c`44841f10  ffffa80c`44841f10 ffffa80c`44841f10

ffffa80c`46dd7c60  ffffa80c`43874ab0 ffffa80c`44841ea0
ffffa80c`46dd7c70  00000000`00000000 00000000`00000000
ffffa80c`46dd7c80  00000000`00000000 00000000`00000000
ffffa80c`46dd7c90  00000000`00000000 00000000`00000000
ffffa80c`46dd7ca0  00000000`00000000 00000000`00000000
ffffa80c`46dd7cb0  fffff803`5288c5b0 ffffa80c`46dd79a0
ffffa80c`46dd7cc0  ffffa80c`472d7310 00000000`00000000
ffffa80c`46dd7cd0  ffffa80c`46dd7cd0 ffffa80c`46dd7cd0

ffffa80c`43874ab0  ffffa80c`46a529a0 ffffa80c`46dd7c60
ffffa80c`43874ac0  00000000`00000000 00000000`00000000
ffffa80c`43874ad0  00000000`00000000 00000000`00000000
ffffa80c`43874ae0  00000000`00000000 00000000`00000000
ffffa80c`43874af0  00000000`000001b0 00000000`00000000
ffffa80c`43874b00  00000000`00000000 00000000`00000000
ffffa80c`43874b10  00000000`00000000 00000000`00000000
ffffa80c`43874b20  00000000`00000000 00000000`00000000

ffffa80c`46a529a0  ffffffff`00000001 00000000`00000040 corrupted node
ffffa80c`46a529b0  00000001`00000001 00000000`00000000
ffffa80c`46a529c0  00000000`00000000 00000001`00000708
ffffa80c`46a529d0  00000000`00000000 00000000`00000000
ffffa80c`46a529e0  00000003`00000000 00000000`00000000
ffffa80c`46a529f0  00000000`00000000 ffffffff`00000000
ffffa80c`46a52a00  000003e8`00000000 00000001`00000000
ffffa80c`46a52a10  00000001`01010000 00010000`00000000

ffffffff`00000001  ????????`???????? ????????`????????
ffffffff`00000011  ????????`???????? ????????`????????
ffffffff`00000021  ????????`???????? ????????`????????
ffffffff`00000031  ????????`???????? ????????`????????
ffffffff`00000041  ????????`???????? ????????`????????
ffffffff`00000051  ????????`???????? ????????`????????
ffffffff`00000061  ????????`???????? ????????`????????
ffffffff`00000071  ????????`???????? ????????`????????
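The manual walk above can be automated. The following Python script is an added example, not code from the original post: it parses the first line of each `!list` block into a LIST_ENTRY (address, Flink, Blink), then follows Flink from a chosen node and stops at the first node whose Blink does not point back to its predecessor, whose Flink is misaligned, or whose Flink does not appear in the dump. The DUMP text is a constructed excerpt of the post's output (the last five nodes plus the corrupted one), and the walk starts at ffffa80c`40ff7090 because the elided middle of the real dump is not included.

```python
import re

# Constructed excerpt of the post's `!list ExNPagedLookasideListHead` output: the last
# five nodes of the chain, the final one being the corrupted entry. Only the first line
# of each 8-line block is kept; it is the node's LIST_ENTRY (address, Flink, Blink).
DUMP = """\
ffffa80c`40ff7090  ffffa80c`47266ec0 ffffa80c`466d3bb0

ffffa80c`47266ec0  ffffa80c`44841ea0 ffffa80c`40ff7090

ffffa80c`44841ea0  ffffa80c`46dd7c60 ffffa80c`47266ec0

ffffa80c`46dd7c60  ffffa80c`43874ab0 ffffa80c`44841ea0

ffffa80c`43874ab0  ffffa80c`46a529a0 ffffa80c`46dd7c60

ffffa80c`46a529a0  ffffffff`00000001 00000000`00000040
"""
HEAD = 0xFFFFF8034920FF30  # address of ExNPagedLookasideListHead in the post
QWORD = re.compile(r"([0-9a-f]{8})`([0-9a-f]{8})")

def parse_list_dump(text):
    """Map node address -> (Flink, Blink) from the first line of each dump block."""
    nodes = {}
    for block in text.strip().split("\n\n"):
        vals = [int(hi + lo, 16) for hi, lo in QWORD.findall(block.splitlines()[0])]
        if len(vals) == 3:                 # skips `????????` blocks for unreadable memory
            nodes[vals[0]] = (vals[1], vals[2])
    return nodes

def walk_list(nodes, start, head):
    """Follow Flink from `start` to `head`; return (visited, first bad node or None, reasons)."""
    prev, cur, seen = None, start, []
    while cur != head:
        if cur in seen or cur not in nodes:
            return seen, cur, ["cycle, or node not present in dump"]
        seen.append(cur)
        flink, blink = nodes[cur]
        problems = []
        if prev is not None and blink != prev:          # Blink must point to predecessor
            problems.append(f"Blink {blink:#x} does not point back to {prev:#x}")
        if flink & 0x7:                                  # LIST_ENTRY pointers are 8-byte aligned
            problems.append(f"Flink {flink:#x} is not 8-byte aligned")
        if flink != head and flink not in nodes:         # next node must be readable
            problems.append(f"Flink {flink:#x} is not a node in the dump")
        if problems:
            return seen, cur, problems
        prev, cur = cur, flink
    return seen, None, []
```

Run against the excerpt, the walk stops at ffffa80c`46a529a0 with all three checks failing, which matches the node the post marks as corrupted; the same checks apply to any LIST_ENTRY chain dumped with `!list` or `dq`.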

Author: 我爱内核 (Windows driver development, web development)