zoukankan      html  css  js  c++  java
  • 人要是倒霉,电脑都蓝屏

    今天,笔记本又蓝屏了,dump嗷嗷奇怪,

    Win10 x64的系统,用WinDbg10加载dmp 之后,竟然无法正确下载符号。

    擦,这要我怎么办,手动下载符号?

    好吧,手动下载符号之后,

    .reload 之后,

    !analyze -v

    结果就给我这些破玩艺。。。

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 00000000fff6a322, memory referenced
    Arg2: 00000000000000ff, IRQL
    Arg3: 00000000000000ca, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: fffff803e7d0ed17, address which referenced memory

    其实,这里出现了两个问题:

    1:这异常,十分可怕啊,调用时的IRQL竟然是0xFF,这是怎么搞得,为什么IRQL会这么高,X64下,没记错的话,应该是R8保存着IRQL,R8的值确实就是这个值

    2:

     1 fffff803`e7d0ecfc 654c8b042520000000 mov   r8,qword ptr gs:[20h]
     2 fffff803`e7d0ed05 4caf            scas    qword ptr [rdi]
     3 fffff803`e7d0ed07 35f4a2f6ff      xor     eax,0FFF6A2F4h
     4 fffff803`e7d0ed0c 458bdf          mov     r11d,r15d
     5 fffff803`e7d0ed0f 4d8b8840060000  mov     r9,qword ptr [r8+640h]
     6 fffff803`e7d0ed16 fd              std
     7 fffff803`e7d0ed17 8b4024          mov     eax,dword ptr [rax+24h]
     8 fffff803`e7d0ed1a 498b9188310000  mov     rdx,qword ptr [r9+3188h]
     9 fffff803`e7d0ed21 418b8c8640a33a00 mov     ecx,dword ptr [r14+rax*4+3AA340h]
    10 fffff803`e7d0ed29 410fb68051870000 movzx   eax,byte ptr [r8+8751h]
    11 fffff803`e7d0ed31 83e13f          and     ecx,3Fh
    12 fffff803`e7d0ed34 410fb79992000000 movzx   ebx,word ptr [r9+92h]
    13 fffff803`e7d0ed3c 480fb3ca        btr     rdx,rcx
    14 fffff803`e7d0ed40 498b4940        mov     rcx,qword ptr [r9+40h]

    上面代码是dmp 里面得到的代码,注意看第6行处

     1 .text:0000000140095CFC 65 4C 8B 04 25 20 00 00 00                    mov     r8, gs:20h
     2 .text:0000000140095D05 4C 8D 35 F4 A2 F6 FF                          lea     r14, cs:140000000h
     3 .text:0000000140095D0C 45 8B DF                                      mov     r11d, r15d
     4 .text:0000000140095D0F 4D 8B 88 40 06 00 00                          mov     r9, [r8+640h]
     5 .text:0000000140095D16 41 8B 40 24                                   mov     eax, [r8+24h]
     6 .text:0000000140095D1A 49 8B 91 88 00 00 00                          mov     rdx, [r9+88h]
     7 .text:0000000140095D21 41 8B 8C 86 40 A3 3A 00                       mov     ecx, ds:rva KiProcessorIndexToNumberMappingTable[r14+rax*4]
     8 .text:0000000140095D29 41 0F B6 80 51 06 00 00                       movzx   eax, byte ptr [r8+651h]
     9 .text:0000000140095D31 83 E1 3F                                      and     ecx, 3Fh
    10 .text:0000000140095D34 41 0F B7 99 92 00 00 00                       movzx   ebx, word ptr [r9+92h]
    11 .text:0000000140095D3C 48 0F B3 CA                                   btr     rdx, rcx
    12 .text:0000000140095D40 49 8B 49 40                                   mov     rcx, [r9+40h]

    这段代码,是我反汇编WinDbg工具集里面那个pdb下载工具,下载回来的exe得到的代码,

    代码长度不同啊,我电脑里面跑着的内核内存被改了,为什么被改,被谁改了,怎么改的,擦,

    一个又一个问题啊,

    先工作,有空回头再来看。

  • 相关阅读:
    项目流程
    Html5 经验
    knockoutjs 经验总结
    redmine处理规范
    用fiddler监控移动端的通讯
    git
    es6 中的 Promise
    html5游戏的横屏问题
    jQuery 学习笔记
    jQuery 里的 Promise
  • 原文地址:https://www.cnblogs.com/suanguade/p/5953193.html
Copyright © 2011-2022 走看看