Драйвер ядра Windows - исключение доступа к памяти
Я пытаюсь лучше понять водителей и построил очень простой с нуля.
#include <ntddk.h>
VOID onUnload(IN PDRIVER_OBJECT pDriver_Object)
{
DbgPrint("Unloading Driver\n");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriver_Object, IN PUNICODE_STRING regPath)
{
DbgPrint("Driver Loaded");
(*pDriver_Object).DriverUnload = onUnload;
return(STATUS_SUCCESS);
}
Я устанавливаю его на компьютер под управлением Windows 7 x64 с отключенной принудительной подписью драйверов. Драйвер устанавливается нормально, но когда я пытаюсь его запустить, я получаю:
[SC] StartService FAILED 6:
The handle is invalid.
После дальнейшего исследования с Windbg я получаю:
*** Fatal System Error: 0x0000007e
(0xFFFFFFFFC0000005,0xFFFFF80002C7501D,0xFFFFF88002F89768,0xFFFFF88002F88FC0)
делаю! анализ -v получает меня:
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002c7501d, The address that the exception occurred at
Arg3: fffff88002f89768, Exception Record Address
Arg4: fffff88002f88fc0, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!IopLoadDriver+5ad
fffff800`02c7501d 0fb77044 movzx esi,word ptr [rax+44h]
EXCEPTION_RECORD: fffff88002f89768 -- (.exr 0xfffff88002f89768)
ExceptionAddress: fffff80002c7501d (nt!IopLoadDriver+0x00000000000005ad)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000044
Attempt to read from address 0000000000000044
CONTEXT: fffff88002f88fc0 -- (.cxr 0xfffff88002f88fc0;r)
rax=0000000000000000 rbx=0000000000000000 rcx=fffff88002f89a08
rdx=fffff88003981000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c7501d rsp=fffff88002f899a0 rbp=0000000020206f49
r8=fffff88003981000 r9=fffff88002f899a8 r10=00000000c000007b
r11=0000000000000000 r12=0000000000000001 r13=ffffffff80000064
r14=fffffa800f359490 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
nt!IopLoadDriver+0x5ad:
fffff800`02c7501d 0fb77044 movzx esi,word ptr [rax+44h] ds:002b:00000000`00000044=????
Last set context:
rax=0000000000000000 rbx=0000000000000000 rcx=fffff88002f89a08
rdx=fffff88003981000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c7501d rsp=fffff88002f899a0 rbp=0000000020206f49
r8=fffff88003981000 r9=fffff88002f899a8 r10=00000000c000007b
r11=0000000000000000 r12=0000000000000001 r13=ffffffff80000064
r14=fffffa800f359490 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
nt!IopLoadDriver+0x5ad:
fffff800`02c7501d 0fb77044 movzx esi,word ptr [rax+44h] ds:002b:00000000`00000044=????
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000044
READ_ADDRESS: 0000000000000044
FOLLOWUP_IP:
nt!IopLoadDriver+5ad
fffff800`02c7501d 0fb77044 movzx esi,word ptr [rax+44h]
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre
LAST_CONTROL_TRANSFER: from fffff80002c75875 to fffff80002c7501d
STACK_TEXT:
fffff880`02f899a0 fffff800`02c75875 : 00000000`00000001 00000000`00000000 00000000`00000000 fffffa80`0f4195f0 : nt!IopLoadDriver+0x5ad
fffff880`02f89c70 fffff800`0289b161 : fffff800`00000000 ffffffff`80000064 fffff800`02c75820 00000000`00000000 : nt!IopLoadUnloadDriver+0x55
fffff880`02f89cb0 fffff800`02b31166 : 00000000`00000000 fffffa80`0cd99680 00000000`00000080 fffffa80`0cd7e890 : nt!ExpWorkerThread+0x111
fffff880`02f89d40 fffff800`0286c486 : fffff800`02a06e80 fffffa80`0cd99680 fffffa80`0cd99b60 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`02f89d80 00000000`00000000 : fffff880`02f8a000 fffff880`02f84000 fffff880`02f89230 00000000`00000000 : nt!KiStartSystemThread+0x16
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!IopLoadDriver+5ad
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600
IMAGE_VERSION: 6.1.7600.16385
STACK_COMMAND: .cxr 0xfffff88002f88fc0 ; kb
FAILURE_BUCKET_ID: X64_0x7E_VRF_nt!IopLoadDriver+5ad
BUCKET_ID: X64_0x7E_VRF_nt!IopLoadDriver+5ad
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0x7e_vrf_nt!ioploaddriver+5ad
FAILURE_ID_HASH: {9a15ac25-64d6-8f42-e8da-2a5880ae0901}
Followup: MachineOwner
Кажется, что Windows даже не может добраться до моей функции DriverEntry. Любая идея о том, как это исправить или отладить дальше? Спасибо!