在 minifilter 中获取发起文件读取访问的进程名称时崩溃

如何解决在 minifilter 中获取发起文件读取访问的进程名称时崩溃的问题

系统在（预读回调中）尝试获取任何文件读取访问所属进程的名称时崩溃，错误代码为 PAGE_FAULT_IN_NONPAGED_AREA。该代码会正常运行一段时间（大约 30 分钟），而且只有在 SpyShelter 运行时才会发生崩溃。

我无法弄清原因。请各位专家看一看，期待尽快得到回复。

代码:

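/*
 * Largest byte count we accept from ZwQueryInformationProcess for the image
 * name.  The query returns a UNICODE_STRING header followed by the path
 * characters; UNICODE_STRING.Length is a USHORT, so the path payload can never
 * exceed 0xFFFE bytes.  Anything larger is a bogus length and is rejected
 * before it reaches the allocator.  (The earlier hard-coded 260-byte cap was
 * bytes, not characters, and included the header, so device paths longer than
 * ~122 characters made the lookup fail - a process running from a deep
 * directory would simply have no name in the filter.)
 */
#define SPY_MAX_IMAGE_NAME_BYTES (sizeof(UNICODE_STRING) + 0xFFFE)

/*
 * GetProcessImageName - look up the NT device path of a process image.
 *
 * eProcess          - process whose image name is wanted (must not be NULL).
 * ProcessImageName  - receives a PagedPool allocation (tag SPY_TAG) holding a
 *                     UNICODE_STRING followed by its character buffer, or NULL
 *                     on any failure.  The caller owns the allocation and must
 *                     release it with ExFreePoolWithTag(..., SPY_TAG).
 *
 * Returns STATUS_SUCCESS on success, STATUS_INVALID_PARAMETER_1/_2 for NULL
 * arguments, STATUS_INSUFFICIENT_RESOURCES if the pool allocation fails, the
 * failing status of ObOpenObjectByPointer, or STATUS_UNSUCCESSFUL when
 * ZwQueryInformationProcess cannot be resolved or reports an unusable length.
 *
 * IRQL: must be called at IRQL <= APC_LEVEL.  The function is PAGED_CODE,
 * allocates from PagedPool and calls ObOpenObjectByPointer / Zw* routines,
 * none of which may run at DISPATCH_LEVEL.  A caller on a minifilter I/O path
 * (e.g. a pre-read callback) must check KeGetCurrentIrql() first, or obtain
 * the name at IRP_MJ_CREATE and cache it.
 *
 * NOTE(review): opening a handle to the process runs every registered
 * ObRegisterCallbacks pre-operation callback - other security products
 * included - inside this filter's I/O path.  SeLocateProcessImageName(),
 * which needs no handle, is presumably a safer way to obtain the same string
 * on Vista+; confirm against the WDK docs before switching.
 */
NTSTATUS GetProcessImageName(
    PEPROCESS eProcess,PUNICODE_STRING* ProcessImageName
)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG returnedLength = 0;   /* initialized: it is logged even if the probe fails */
    ULONG bufferLength = 0;
    HANDLE hProcess = NULL;
    PVOID buffer = NULL;

    PAGED_CODE(); /* asserts IRQL <= APC_LEVEL on checked builds; also rules out the Idle process */

    if (ProcessImageName == NULL)
    {
        return STATUS_INVALID_PARAMETER_2;
    }

    /* Make the out-parameter well defined on every failure path. */
    *ProcessImageName = NULL;

    if (eProcess == NULL)
    {
        return STATUS_INVALID_PARAMETER_1;
    }

    /*
     * Full documented parameter list.  OBJ_KERNEL_HANDLE matters: without it
     * the handle is created in the handle table of the *current* (normally
     * user-mode) process, where that process could close or duplicate it.
     * DesiredAccess is 0 because ZwQueryInformationProcess is invoked from
     * kernel mode with a kernel handle and its handle lookup performs no
     * access check for KernelMode callers.
     */
    status = ObOpenObjectByPointer(eProcess,
                                   OBJ_KERNEL_HANDLE,
                                   NULL,
                                   0,
                                   *PsProcessType,
                                   KernelMode,
                                   &hProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ObOpenObjectByPointer Failed: %08x\n",status);
        return status;
    }

    /* ZwQueryInformationProcess is not exported through the headers we
     * build against, so it is resolved once and cached in the global. */
    if (ZwQueryInformationProcess == NULL)
    {
        UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"ZwQueryInformationProcess");

        ZwQueryInformationProcess = (QUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);

        if (ZwQueryInformationProcess == NULL)
        {
            DbgPrint("Cannot resolve ZwQueryInformationProcess");
            status = STATUS_UNSUCCESSFUL;
            goto cleanUp;
        }
    }

    /* Probe with no buffer: the expected answer is STATUS_INFO_LENGTH_MISMATCH
     * with returnedLength set to the number of bytes required. */
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       NULL,             /* buffer */
                                       0,                /* buffer size */
                                       &returnedLength);

    DbgPrint("\n\nMiniPreRead: kernelToUserMode: ProcessNameLength: %u\n",returnedLength);

    /* Check the status before trusting returnedLength: only the length-mismatch
     * case guarantees that the kernel wrote it. */
    if (STATUS_INFO_LENGTH_MISMATCH != status) {
        DbgPrint("ZwQueryInformationProcess status = %x\n",status);
        status = STATUS_UNSUCCESSFUL;
        goto cleanUp;
    }

    /* Reject a length that cannot even hold the UNICODE_STRING header, or one
     * larger than a UNICODE_STRING can describe, before allocating from it. */
    if (returnedLength < sizeof(UNICODE_STRING) ||
        returnedLength > SPY_MAX_IMAGE_NAME_BYTES) {
        DbgPrint("ZwQueryInformationProcess status = %x\n",status);
        status = STATUS_UNSUCCESSFUL;
        goto cleanUp;
    }

    bufferLength = returnedLength;
    buffer = ExAllocatePoolWithTag(PagedPool,bufferLength,SPY_TAG);

    /* The original tested the out-pointer (ProcessImageName) instead of the
     * allocation, so an allocation failure was never detected. */
    if (buffer == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanUp;
    }

    /* Second call with the real buffer; the class and size arguments were
     * missing from the call as previously written. */
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       buffer,
                                       bufferLength,
                                       &returnedLength);

    if (!NT_SUCCESS(status)) {
        ExFreePoolWithTag(buffer,SPY_TAG);
        buffer = NULL;
        goto cleanUp;
    }

    /* Hand the allocation to the caller only once it holds a valid string. */
    *ProcessImageName = (PUNICODE_STRING)buffer;

cleanUp:

    /* The handle is ours (OBJ_KERNEL_HANDLE); close it on every path. */
    if (hProcess) {
        ZwClose(hProcess);
    }

    return status;
}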

非常感谢。

现在堆栈显示文件 minispy.c 的第 702 行

**STACK_TEXT**

FAILED_INSTRUCTION_ADDRESS: 
win32kbase!UserIsUserCritSecIn+0
ffffe54c`f35e0450 ??              ???

STACK_TEXT:  
ffffec87`2d597dd8 fffff805`57ca8d02 : ffffe54c`f35e0450 00000000`00000003 ffffec87`2d597f40 fffff805`57b1afe0 : nt!DbgBreakPointWithStatus
ffffec87`2d597de0 fffff805`57ca83f7 : ffffe54c`00000003 ffffec87`2d597f40 fffff805`57bd81f0 ffffec87`2d598480 : nt!KiBugCheckDebugBreak+0x12
ffffec87`2d597e40 fffff805`57bc3b97 : fffff805`57e641f8 fffff805`57cd2855 ffffe54c`f35e0450 ffffe54c`f35e0450 : nt!KeBugCheck2+0x947
ffffec87`2d598540 fffff805`57c13ae0 : 00000000`00000050 ffffe54c`f35e0450 00000000`00000010 ffffec87`2d598820 : nt!KeBugCheckEx+0x107
ffffec87`2d598580 fffff805`57acdcbf : 00000000`00000000 00000000`00000010 00000000`00000000 ffffe54c`f35e0450 : nt!MiSystemFault+0x18f320
ffffec87`2d598680 fffff805`57bd1b5e : 00000000`00000240 00000000`00000240 00000000`00000000 ffffec87`2d598950 : nt!MmAccessFault+0x34f
ffffec87`2d598820 ffffe54c`f35e0450 : fffff807`cf85af9b ffffec87`2d598c30 ffffec87`2d598db0 00000000`00000020 : nt!KiPageFault+0x35e
ffffec87`2d5989b8 fffff807`cf85af9b : ffffec87`2d598c30 ffffec87`2d598db0 00000000`00000020 fffff807`cf86c772 : win32kbase!UserIsUserCritSecIn
ffffec87`2d5989c0 fffff807`cf85b8a9 : ffffec87`2d598c98 ffff9804`00000000 00000000`000047bb 00000000`00000000 : SpyShelter!SpS_GetProcessPathW+0x15eb
ffffec87`2d598a50 fffff805`5801b10d : ffffbf80`6bec0d00 ffffec87`2d598c98 ffffec87`2d598c98 ffffec87`00000000 : SpyShelter!SpS_GetProcessPathW+0x1ef9
ffffec87`2d598a80 fffff805`5802afa5 : 00000000`00000000 ffffec87`2d598c20 00000000`00000000 ffff9804`9229de80 : nt!ObpCallPreOperationCallbacks+0x10d
ffffec87`2d598b00 fffff805`5800774c : 00000000`00000000 00000000`00000000 ffff9804`998ed4c0 006e0069`00000000 : nt!ObpCreateHandle+0xab5
ffffec87`2d598d30 fffff805`5631104b : ffff9804`99d1bb50 00000000`10000004 ffffec87`2d599549 fffff805`57b1b02c : nt!ObOpenObjectByPointer+0xec
ffffec87`2d598f90 fffff805`56311321 : fffff805`56312c60 00000000`00000200 00000000`00000000 ffff9804`99d1bdb0 : minispy!GetProcessImageName+0x4b [C:\Users\jay\Documents\Visual Studio 2015\Projects\minispyNetworkShareBlock\filter\minispy.c @ 702]
ffffec87`2d5994a0 fffff805`5c5845d0 : ffffec87`2d599680 00000000`00000000 ffff9804`96fbbb03 00000000`00060900 : FLTMGR!FltpPerformPreCallbacks+0x2fd
ffffec87`2d5995b0 fffff805`5c584142 : 00000000`00000000 ffffec87`2d599680 ffff9804`96fbbb20 ffffec87`2d599690 : FLTMGR!FltpPassThroughInternal+0x90
ffffec87`2d5995e0 fffff805`5c583f2e : 00000000`00000000 00000000`00000000 00000000`00000000 fffff805`580319a5 : FLTMGR!FltpPassThrough+0x162
ffffec87`2d599660 fffff805`57a467f9 : ffff9804`96fbbb20 00000000`00000200 00000000`00000000 ffffffff`80001ef8 : FLTMGR!FltpDispatch+0x9e
ffffec87`2d5996c0 fffff805`58029d65 : 00000000`00000000 ffff9804`9a12c990 ffff9804`9a12c9e0 ffff9804`9a12c990 : nt!IofCallDriver+0x59
ffffec87`2d599700 fffff805`58026cbf : ffff9804`00000000 ffff9804`9abda8e0 ffffec87`2d599af0 ffffec87`2d599980 : nt!IopSynchronousServiceTail+0x1a5
ffffec87`2d5997a0 fffff805`57bd5355 : 00000000`00000001 ffffffff`80001ef8 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x59f
ffffec87`2d599890 fffff805`57bc78b0 : fffff805`57b28996 ffffbf80`744d7000 ffffffff`80002610 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
ffffec87`2d599a98 fffff805`57b28996 : ffffbf80`744d7000 ffffffff`80002610 00000000`00000000 00000000`00000000 : nt!KiServiceLinkage
ffffec87`2d599aa0 fffff805`580da37c : ffffbf80`744d7000 ffffec87`2d599c30 ffffbf80`00000000 ffffbf80`744d7000 : nt!CmpDoFileRead+0xb6
ffffec87`2d599b50 fffff805`58086ca4 : 00000000`00000030 ffffbf80`782e1000 ffffbf80`782e1000 ffffbf80`71f2cb90 : nt!CmpFileRead+0x2c
ffffec87`2d599ba0 fffff805`58084e5d : 00000000`00000030 ffffec87`2d59a3d0 ffffbf80`782e1000 ffffbf80`782e1000 : nt!HvpGetHiveHeader+0x7c
ffffec87`2d599be0 fffff805`58086e8c : ffffec87`2d599e60 01d714ee`4baa7a6a 00000000`00000001 ffffbf80`782e1000 : nt!HvLoadHive+0xa1
ffffec87`2d599d20 fffff805`580844ae : ffffffff`ffffffff ffffec87`2d599e60 00000000`00000001 00000000`00000000 : nt!HvHiveStartFileBacked+0x100
ffffec87`2d599d60 fffff805`57fe2151 : 00000000`00000000 00000000`0000009c ffffec87`2d59a090 00000000`00000000 : nt!CmpCreateHive+0x62a
ffffec87`2d599f90 fffff805`58099833 : ffff9804`99bd93a0 fffff805`57a4e5b6 ffff9804`99bd9118 fffff805`57e63878 : nt!CmpInitHiveFromFile+0x3f9
ffffec87`2d59a1d0 fffff805`57fe2f10 : fffff805`57e63880 ffffec87`2d59a350 00000000`00000000 ffffec87`2d59a768 : nt!CmpCmdHiveOpen+0xd7
ffffec87`2d59a250 fffff805`57fe4ba5 : 00000000`00000000 ffffec87`00000010 00000000`00000000 00000000`00000001 : nt!CmLoadAppKey+0x364
ffffec87`2d59a6a0 fffff805`57fe4331 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff813d`8d0f6699 : nt!CmLoadDifferencingKey+0x869
ffffec87`2d59aa20 fffff805`57bd5355 : 00000000`00000620 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtLoadKeyEx+0x51
ffffec87`2d59aa90 00007ffe`ecb7ee04 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000a9`b57fe238 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`ecb7ee04

第 702 行:

/* Forum excerpt of "line 702", the minispy!GetProcessImageName frame in the
 * stack above.  As quoted it passes only two of the seven parameters
 * ObOpenObjectByPointer is documented to take (Object, HandleAttributes,
 * PassedAccessState, DesiredAccess, ObjectType, AccessMode, Handle); the
 * listing appears to have lost arguments when pasted, so treat it as a
 * pointer to the call site rather than as the exact code.
 * NOTE(review): per the stack, this handle open is what invokes SpyShelter's
 * ObRegisterCallbacks pre-operation callback (nt!ObpCallPreOperationCallbacks
 * -> SpyShelter!SpS_GetProcessPathW), and the page fault occurs there. */
status = ObOpenObjectByPointer(eProcess,&hProcess);
if (!NT_SUCCESS(status))
{
/* Returning here is leak-free: no handle was produced, so nothing to close. */
DbgPrint("ObOpenObjectByPointer Failed: %08x\n",status);
return status;
}

解决方法

IRP_MJ_READ 的预操作回调并不保证运行在 PASSIVE_LEVEL：普通读取通常在 IRQL <= APC_LEVEL 到达，分页 I/O 的情况需要按 WDK 文档另行确认。而根据 WDK 文档，ObOpenObjectByPointer 必须在 IRQL <= APC_LEVEL 调用；GetProcessImageName 中的 PAGED_CODE()、PagedPool 分配和 Zw* 调用也有同样的要求。

另外，从上面的堆栈可以看到，这次的调用来自用户线程的同步 NtReadFile（nt!CmpDoFileRead -> nt!NtReadFile），真正发生页错误的位置是 ObOpenObjectByPointer 打开进程句柄时调用到的 SpyShelter 的 ObRegisterCallbacks 预操作回调（nt!ObpCallPreOperationCallbacks -> SpyShelter!SpS_GetProcessPathW，随后跳转到一个未映射的 win32kbase 地址）。也就是说，在过滤驱动的 I/O 路径上为每次读取打开一个进程句柄，会把系统中其他安全产品的对象回调一并拉进来，这本身就是一个应当避免的设计。

建议您在 IRP_MJ_CREATE 的预操作回调中获取进程名并保存到流句柄上下文（stream handle context）中，然后在 IRP_MJ_READ 回调里直接使用缓存的值；IRP_MJ_CREATE 回调在发起请求的线程上下文中以 PASSIVE_LEVEL 调用，满足上述 API 的 IRQL 要求。如果确实需要在读取路径上取名，可以考虑不打开句柄的 SeLocateProcessImageName（按文档为 Vista 及以上可用，请自行核对），并在调用前用 KeGetCurrentIrql() 检查 IRQL。

