如何解决Minifilter中的蓝屏崩溃
我以 minispy 为例来阻止对某些文件的某些进程的访问。我将文件路径和进程路径发送到用户模式应用程序,并在用户模式处理完成。最后,用户模式应用程序返回 TRUE/FALSE,在内核模式下,如果用户模式应用程序的响应为 TRUE,则阻塞完成。
This runs successfully for approx 45min and sometimes 1hr
。最后蓝屏系统崩溃,错误为 非页面区域中的页面错误。
我无法弄清楚为什么在一段时间后会发生这种情况?
我现在迷路了。请帮我找出这个问题的原因。 我会非常感谢你。
注意:用户模式应用程序在处理后需要 1-8 毫秒的时间来响应。
Minifilter 内核模式 MiniPreRead 代码:
FLT_PREOP_CALLBACK_STATUS MiniPreRead(PFLT_CALLBACK_DATA Data,PCFLT_RELATED_OBJECTS FltObjects,PVOID* CompletionContext) {
UNREFERENCED_PARAMETER(Data);
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);
//DbgPrint("MiniPreRead");
PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
PMINISPY_NOTIFICATION notification = NULL;
PUNICODE_STRING pni = NULL;
BOOLEAN isBlock,shouldSkipThisFileName;
ULONG seconds_to_wait;
PVOID replyBuffer = NULL;
ULONG replyLength;
LARGE_INTEGER timeOut;
NTSTATUS status;
WCHAR Name[260] = { 0 };
WCHAR ProcessPath[260] = { 0 };
//update from usermode reply
isBlock = FALSE;
shouldSkipThisFileName = FALSE;
//TODO: How much Waiting Time?
seconds_to_wait = 5;
timeOut.QuadPart = -((LONGLONG)seconds_to_wait * 10 * 1000 * 1000);
status = FltGetFileNameInformation(Data,FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,&FileNameInfo);
if (!NT_SUCCESS(status)) {
goto cleanup;
}
status = FltParseFileNameInformation(FileNameInfo);
if (!NT_SUCCESS(status)) {
goto cleanup;
}
if (FileNameInfo->Name.MaximumLength >= 260) {
goto cleanup;
}
RtlCopyMemory(Name,FileNameInfo->Name.Buffer,FileNameInfo->Name.MaximumLength);
DbgPrint("\n\nMiniPreRead: FileName = %ws\n",Name);
//skip systm process as fileName: ntoskrnl svchost,& fileType: .sys,.dll
shouldSkipThisFileName = (wcsstr(Name,L"ntoskrnl") != NULL || wcsstr(Name,L"svchost") != NULL || wcsstr(Name,L".SYS") != NULL || wcsstr(Name,L".sys") != NULL || wcsstr(Name,L".DLL") != NULL || wcsstr(Name,L".dll") != NULL) ? TRUE : FALSE;
//skip if path is not the drivePath
if (wcsstr(Name,L"Device\\HarddiskVolume") == NULL) {
goto cleanup;
}
if (shouldSkipThisFileName) {
goto cleanup;
}
status = STATUS_UNSUCCESSFUL;
status = GetProcessImageName(IoThreadToProcess(Data->Thread),&pni); //TODO: Improve by https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getprocessimagefilenamea
try {
if (!NT_SUCCESS(status)) {
leave;
}
if (NULL == pni->Buffer) {
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
RtlCopyMemory(ProcessPath,pni->Buffer,pni->MaximumLength);
//TODO: skip for system32 process for now
if (wcsstr(ProcessPath,L"Windows\\System32") != NULL) {
DbgPrint("\n\nMiniPreRead: kernelToUserMode: Skipping SystemProcess: %ws\n",ProcessPath);
leave;
}
//TODO: skip Just for Testing purpose
if (wcsstr(ProcessPath,L"explorer.exe") != NULL) {
DbgPrint("\n\nMiniPreRead: kernelToUserMode: Skipping explorer: %ws\n",ProcessPath);
leave;
}
DbgPrint("\n\nMiniPreRead: kernelToUserMode:| |\n");
DbgPrint("\n\nMiniPreRead: kernelToUserMode: Final psName: %ws\n",ProcessPath);
DbgPrint("\n\nMiniPreRead: kernelToUserMode: Final FileName: %ws\n",Name);
#ifndef KERNEL_TO_USER
notification = ExAllocatePoolWithTag(NonPagedPool,sizeof(MINISPY_NOTIFICATION),SPY_TAG);
if (NULL == notification) {
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
RtlCopyMemory(¬ification->ProcessPath,ProcessPath,260);
RtlCopyMemory(¬ification->filePath,Name,260);
notification->msgCountNumId = ++globalCount % 10000000;
//replyLength = sizeof(MINISPY_REPLY);
//TODO For both userMode and kernel mode as recommend on doc: replyLength = sizeof(FILTER_REPLY_HEADER) + sizeof(MINISPY_REPLY);
replyLength = sizeof(FILTER_REPLY_HEADER) + sizeof(MINISPY_REPLY);
DbgPrint("\n\nMiniPreRead: kernelToUserMode: Waiting for usermode reply for MsgSendId: %d,ps: %ws...\n",notification->msgCountNumId,pni->Buffer);
status = FltSendMessage(MiniSpyData.Filter,&MiniSpyData.ClientPort,notification,&replyLength,NULL);
if (STATUS_TIMEOUT == status) {
DbgPrint("\n\nMiniPreRead: kernelToUserMode: timeout occured!\n");
}
else if (STATUS_SUCCESS == status) {
try {
isBlock = ((PMINISPY_REPLY)notification)->res;
}
finally {}
DbgPrint("\n\nMiniPreRead: kernelToUserMode: Reply isBlock: %d,MsgSendId: %d,ps: %ws\n",isBlock,((PMINISPY_REPLY)notification)->msgCountId,ProcessPath);
}
else {
DbgPrint("\n\nMiniPreRead: kernelToUserMode: --- couldn't send processPath %ws to the user-mode,status 0x%X\n",status);
// STATUS_INSUFFICIENT_RESOURCES STATUS_PORT_DISCONNECTED STATUS_THREAD_IS_TERMINATING
}
#endif
}
finally {
if (notification != NULL) {
ExFreePoolWithTag(notification,SPY_TAG);
}
if (pni != NULL) {
ExFreePool(pni);
}
}
Blocking:
if (isBlock) {
KdPrint(("read file: %ws blocked \r\n",Name)); // only in DEBUG
DbgPrint(("read file: %ws blocked \r\n",Name));
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
Data->IoStatus.Information = 0;
if (FileNameInfo) {
FltReleaseFileNameInformation(FileNameInfo);
}
return FLT_PREOP_COMPLETE;
}
cleanup:
if (FileNameInfo) {
FltReleaseFileNameInformation(FileNameInfo);
}
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
OUTPUT OF
!anaylze -v
kd> !analyze -v
***************************
* *
* Bugcheck Analysis *
* *
***************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff8b8e6a20eec0,memory referenced.
Arg2: 0000000000000010,value 0 = read operation,1 = write operation.
Arg3: ffff8b8e6a20eec0,If non-zero,the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002,(reserved)
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 6452
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-T8VRNB1
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 20375
Key : Analysis.Memory.CommitPeak.Mb
Value: 145
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 50
BUGCHECK_P1: ffff8b8e6a20eec0
BUGCHECK_P2: 10
BUGCHECK_P3: ffff8b8e6a20eec0
BUGCHECK_P4: 2
READ_ADDRESS: ffff8b8e6a20eec0 Paged session pool
MM_INTERNAL_CODE: 2
IMAGE_NAME: win32kbase.sys
MODULE_NAME: win32kbase
FAULTING_MODULE: ffff8b8e6a200000 win32kbase
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: Registry
TRAP_FRAME: ffff8185547855b0 -- (.trap 0xffff8185547855b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff8b8e6a20eec0 rbx=0000000000000000 rcx=ffffca0e20ce12c0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=ffff8b8e6a20eec0 rsp=ffff818554785748 rbp=0000000000000000
r8=ffff8185547857f0 r9=0000000000000000 r10=000000004f414f41
r11=0000000000001001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32kbase!UserIsUserCritSecIn:
ffff8b8e`6a20eec0 ?? ???
Resetting default scope
FAILED_INSTRUCTION_ADDRESS:
win32kbase!UserIsUserCritSecIn+0
ffff8b8e`6a20eec0 ?? ???
STACK_TEXT:
ffff8185`54785308 fffff804`44c1ebbb : 00000000`00000050 ffff8b8e`6a20eec0 00000000`00000010 ffff8185`547855b0 : nt!KeBugCheckEx
ffff8185`54785310 fffff804`44a0c960 : 00000000`00000000 00000000`00000010 ffff8185`54785630 00000000`00000000 : nt!MiSystemFault+0x1f43ab
ffff8185`54785410 fffff804`44c03c5e : 00000000`00000240 ffffca0e`0e968c50 00000000`00000240 ffff8185`547856c1 : nt!MmAccessFault+0x400
ffff8185`547855b0 ffff8b8e`6a20eec0 : fffff804`5eeba14f 00000000`00000000 ffff8185`54785a30 00000000`00000020 : nt!KiPageFault+0x35e
ffff8185`54785748 fffff804`5eeba14f : 00000000`00000000 ffff8185`54785a30 00000000`00000020 fffff804`5eecab6e : win32kbase!UserIsUserCritSecIn
ffff8185`54785750 fffff804`5eebaa5d : ffff8185`547858c8 ffffca0e`00000000 00000000`00004a61 00000000`00000000 : SpyShelter!SpS_GetProcessPathW+0x15eb
ffff8185`547857e0 fffff804`44e0fc1c : ffffa405`73e28200 ffff8185`547858c8 ffff8185`547858c8 00000000`00000000 : SpyShelter!SpS_GetProcessPathW+0x1ef9
ffff8185`54785810 fffff804`44e0fd8a : 00000000`00000000 00000000`00000000 00000000`00000000 ffffdc4d`19a20f67 : nt!ObpCallPreOperationCallbacks+0x10c
ffff8185`54785890 fffff804`44e2c20d : 00000000`00000000 ffff8185`54785a20 ffffca0e`25e0e050 ffffca0e`25e0e050 : nt!ObpPreInterceptHandleCreate+0xaa
ffff8185`54785900 fffff804`44de1029 : ffffa405`7343d350 00000000`00000000 0038005f`00620075 0079006b`00000000 : nt!ObpCreateHandle+0xa1d
ffff8185`54785af0 fffff804`4395104b : ffff8185`54786339 fffff804`44b3c67c 00000000`00000208 ffffca0e`25c4c8d8 : nt!ObOpenObjectByPointer+0x1b9
ffff8185`54785d70 fffff804`439512f9 : fffff804`43952be0 00000000`00000200 00000000`00000000 00000000`00000000 : minispy+0x104b
ffff8185`54785dd0 fffff804`4712608c : 00000000`00000000 ffffca0e`25c4c7f0 ffffca0e`25c4c8d8 ffffca0e`253efbb0 : minispy+0x12f9
ffff8185`54786280 fffff804`47125b37 : ffff8185`54786400 00000000`00000003 ffffca0e`26747600 00000000`00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
ffff8185`547863a0 fffff804`47124b46 : ffff8185`54788000 ffff8185`54781000 00000000`00000000 ffff8185`547864c0 : FLTMGR!FltpPassThroughInternal+0xc7
ffff8185`547863f0 fffff804`471248bb : 00000000`00000000 00000000`00000000 00000000`00000000 fffff804`44e2b3c1 : FLTMGR!FltpPassThrough+0x1d6
ffff8185`54786490 fffff804`44a52f55 : ffffca0e`1f8d0630 00000000`00001000 00000000`00000000 ffffffff`80004210 : FLTMGR!FltpDispatch+0x8b
ffff8185`547864f0 fffff804`44dfd878 : 00000000`00000000 ffffca0e`267476a0 00000000`00000001 ffffca0e`0f7ef501 : nt!IofCallDriver+0x55
ffff8185`54786530 fffff804`44de59b9 : ffffca0e`00000000 ffff8185`547867a0 ffffca0e`1c7d16e0 ffff8185`547867a0 : nt!IopSynchronousServiceTail+0x1a8
ffff8185`547865d0 fffff804`44c074b5 : ffffca0e`20ce1910 ffffffff`80004210 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x599
ffff8185`547866b0 fffff804`44bf98e0 : fffff804`44b18673 ffffa405`86efe000 ffffffff`80001b14 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
ffff8185`547868b8 fffff804`44b18673 : ffffa405`86efe000 ffffffff`80001b14 00000000`00000000 00000000`00000000 : nt!KiServiceLinkage
ffff8185`547868c0 fffff804`44ee07ac : ffffa405`86efe000 ffff8185`54786a58 ffffa405`00000000 ffffa405`86efe000 : nt!CmpDoFileRead+0xb7
ffff8185`54786970 fffff804`44e873fc : 01d70ea2`09a2a5e3 ffffa405`970df000 00000000`00000000 00000000`00000000 : nt!CmpFileRead+0x2c
ffff8185`547869c0 fffff804`44e858a3 : 01d70ea2`09a2a5e3 ffffa405`84d99e20 ffffa405`970df000 ffffa405`84d99e20 : nt!HvpGetHiveHeader+0x7c
ffff8185`54786a00 fffff804`44e8857b : ffffa405`7626f400 01d70ea2`09a2a5e3 00000000`00000001 ffffa405`970df000 : nt!HvLoadHive+0xa7
ffff8185`54786b50 fffff804`44e88b73 : 00000000`00000000 ffff8185`54786c90 00000000`00000001 ffffa405`970df000 : nt!HvHiveStartFileBacked+0x107
ffff8185`54786b90 fffff804`44e639e1 : 00000000`00000000 ffffca0e`0000009c ffff8185`54786ee0 00000000`00000000 : nt!CmpCreateHive+0x3d3
ffff8185`54786de0 fffff804`44dd63dc : 00000000`00000000 00000000`00000000 ffff8185`547871d0 fffff804`44e2b3c1 : nt!CmpInitHiveFromFile+0x3a9
ffff8185`54787020 fffff804`44e94ce3 : ffffa405`84d99e20 00000000`00000000 ffffa405`00000000 ffffa405`84d99e20 : nt!CmpCmdHiveOpen+0xdc
ffff8185`54787120 fffff804`44e8cf82 : 00000000`00000000 ffff8185`00000010 00000000`00000000 00000000`00000001 : nt!CmLoadAppKey+0x46b
ffff8185`547875a0 fffff804`44e8c77d : 00007ff8`00000000 ffffa405`7be70580 ffff8185`54787a00 fffffbbf`fc1c5d38 : nt!CmLoadDifferencingKey+0x7f6
ffff8185`54787920 fffff804`44c074b5 : 00000000`00000000 00000000`00000001 000000b3`33ffe148 ffff8185`54787a80 : nt!NtLoadKeyEx+0x5d
ffff8185`54787990 00007ff8`4510e734 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000b3`33ffe1e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`4510e734
SYMBOL_NAME: win32kbase!UserIsUserCritSecIn+0
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 0
FAILURE_BUCKET_ID: AV_INVALID_BAD_IP_win32kbase!UserIsUserCritSecIn
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {c8670668-72de-2a31-2f67-c17c5864267c}
Followup: MachineOwner
---------
||1:3: kd> lmvm win32kbase
Browse full module list
start end module name
ffff8b8e`6a200000 ffff8b8e`6a4da000 win32kbase # (pdb symbols) C:\ProgramData\Dbg\sym\win32kbase.pdb\E51C1F9B0FA0D0F8FD417E3DB89E9E911\win32kbase.pdb
Loaded symbol image file: win32kbase.sys
Mapped memory image file: C:\ProgramData\Dbg\sym\win32kbase.sys\A6BD5AD22da000\win32kbase.sys
Image path: \SystemRoot\System32\win32kbase.sys
Image name: win32kbase.sys
Browse all global symbols functions data
Image was built with /Brepro flag.
Timestamp: A6BD5AD2 (This is a reproducible build file hash,not a timestamp)
CheckSum: 002CC779
ImageSize: 002DA000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
请分析此输出并帮助我摆脱异常。我现在完全迷失了,需要 stackoverflow 社区的帮助。 我会非常感谢你。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。