Published 2023-03-31 (author: mcafee卸载不了)

DRIVER_POWER_STATE_FAILURE Blue Screen Analysis


Recently a colleague ran into a blue screen problem at a customer site. After a long investigation there was still no conclusion, so he asked me to help analyze the DUMP file. This article records the whole analysis process.

1. Background

A machine was blue-screening frequently with the bugcheck code DRIVER_POWER_STATE_FAILURE, for example:

DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0004, The power transition timed out waiting to synchronize with the Pnp subsystem.
Arg2: 012c, Timeout in seconds.
Arg3: ffffb103caf02080, The thread currently holding on to the Pnp lock.
Arg4: ffffee8635e5f7e0, nt!TRIAGE_9F_PNP on Win7 and higher

According to the feedback from the site, the blue screen seemed to appear every time the machine was powered on. Next we analyze the cause of this problem in detail.

2. Analysis

First, look at the stack at the moment of the blue screen:

Implicit thread is now ffff9b00`abfe9240
 # RetAddr           : Args to Child                                                           : Call Site
00 fffff806`3ca9f6f6 : 00000000`0000009f 00000000`0000`0000012c ffffb103`caf02080 : nt!KeBugCheckEx
01 fffff806`3cdaf9a6 : ffffee86`35e5fa10 00000000`00000070 fffff806`381958`00000001 : nt!PnpBugcheckPowerTimeout+0x76
02 fffff806`3c8c1d49 : ffffee86`36a27230 00000001`516253a0 00000001`00000002 ffffb103`dae7f000 : nt!PopBuildDeviceNotifyListWatchdog+0x16
03 fffff806`3c8c0aa9 : 00000000`0000001e 00000000`0000`0000`00000070 : nt!KiProcessExpiredTimerList+0x169
04 fffff806`3c9c5ebe : ffffffff`00000000 ffff9b00`abfd8180 ffff9b00`abfe9240 ffffb103`dd515080 : nt!KiRetireDpcList+0x4e9
`00000000 : ffffee86`35e60000 ffffee86`35e59`0000`00000000 : nt!KiIdleLoop+0x7e

From the above we can roughly guess that handling a PnP power message timed out, the watchdog detected the timeout, and that raised the bugcheck. We will not dwell on the watchdog mechanism here; the problem is certainly caused by the timeout itself. Let's look at the stack of the thread holding the PnP lock (the thread address in Arg3):

THREAD ffffb103caf02080  Cid 0004.0120  Teb: 0000 Win32Thread: 0000 WAIT: (Executive) KernelMode Non-Alertable
    ffffb103ddf6c5b0  NotificationEvent
IRP List:
    ffffb103dfde65e0: (0006,03e8) Flags: 00000000  Mdl: 00000000
Not impersonating
DeviceMap                 ffffc3875d014ba0
Owning Process            ffffb103c8cae040       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      17026          Ticks: 19200 (0:00:05:00.000)
Context Switch Count      8393           IdealProcessor: 7             NoStackSwap
UserTime                  00:00:00.000
KernelTime                00:00:00.156
Win32 Start Address nt!ExpWorkerThread (0xfffff8063c8f42b0)
Stack Init ffffee86360b8b90 Current ffffee86360b7da0
Base ffffee86360b9000 Limit ffffee86360b2000 Call 0000
Priority 15 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffee86`360b7de0 fffff806`3c91507d : ffff9b00`abfd8180 8010001f`fffffffe ffff9b00`ffffffff 00000000`00000001 : nt!KiSwapContext+0x76
ffffee86`360b7f20 fffff806`3c913f04 : ffffb103`caf0`00000000 ffffb103`00000000 fffff806`00000000 : nt!KiSwapThread+0xbfd
ffffee86`360b7fc0 fffff806`3c9136a5 : ffffb103`c8cb3cb0 ffffb103`0000`0000`00000000 : nt!KiCommitThreadWait+0x144
ffffee86`360b8060 fffff806`407e9920 : ffffb103`ddf6c5b0 fffff806`00000000 ffffb103`db5ca000 fffff806`00000000 : nt!KeWaitForSingleObject+0x255
ffffee86`360b8140 fffff806`407dcb89 : ffffb103`ddf6c590 ffffee86`360b82d0 ffffb103`ddf6c590 fffff806`407cc8eb : ndis!KWaitEventBase…nstant>::Wait+0x28
ffffee86`360b8180 fffff806`4080bb01 : ffffb103`ddf6b1a0 ffffee86`360b82d0 ffffb103`ddf6c590 ffffb103`db5ca020 : ndis!Ndis::BindEngine::ApplyBindChanges+0x10915
ffffee86`360b81d0 fffff806`407750d4 : ffffb103`ddf6b1a0 ffffb103`ddf6b1a0 fffff806`407b5050 fffff806`407b5050 : ndis!ndisPnPRemoveDevice+0x2fd
ffffee86`360b8410 fffff806`407e919f : ffffb103`ddf6b1a0 ffffee86`360b85f0 ffffb103`ddf6b1a0 ffffb103`dfde6500 : ndis!ndisPnPRemoveDeviceEx+0x148
ffffee86`360b8460 fffff806`40774f31 : ffffb103`ddf6b1a0 ffffb103`ddf6b1a0 ffffee86`360b8630 ffffb103`dfde65e0 : ndis!ndisPnPIrpSurpriseRemovalInner+0x13f
ffffee86`360b8560 fffff806`407193c4 : ffffb103`dfde65e0 00000000`0000`00000000 ffffb103`ddf6b1a0 : ndis!ndisPnPIrpSurpriseRemoval+0xed
ffffee86`360b85b0 fffff806`3c90a929 : ffffee86`360b8601 ffffb103`ddf6b`00000001 ffffee86`360b8720 : ndis!ndisPnPDispatch+0x31354
ffffee86`360b8620 fffff806`3cdbafe4 : ffffee86`360b86c0 ffffb103`ddf6b050 ffffee86`360b8720 ffffb103`dfde65e0 : nt!IofCallDriver+0x59
ffffee86`360b8660 fffff806`3cf3123a : 00000000`00000017 ffffb103`ddf75af0 ffffb103`dbeb52a0 ffffb103`ddf75af0 : nt!IopSynchronousCall+0xf8
ffffee86`360b86e0 fffff806`3cf30df9 : ffffc387`6e7b4790 00000000`0000`0000`00000000 : nt!IopRemoveDevice+0x106
ffffee86`360b87a0 fffff806`3cf30bbb : ffffb103`ddf75af0 00000000`0000`0000`00000000 : nt!PnpSurpriseRemoveLockedDeviceNode+0xb5
ffffee86`360b8800 fffff806`3cf3088a : ffffb103`ddf75af0 ffffee86`360b8880 00000000`00000000 fffff806`3cf3064f : nt!PnpDeleteLockedDeviceNode+0x57
ffffee86`360b8840 fffff806`3cf2f087 : ffffb103`dbeb5960 00000008`0000`0000`00000000 : nt!PnpDeleteLockedDeviceNodes+0x76
ffffee86`360b88c0 fffff806`3cf0867e : ffffee86`360b8a10 ffffb103`dd9e6900 ffffee86`360b8a00 ffffc387`00000008 : nt!PnpProcessQueryRemoveAndEject+0x1ef
ffffee86`360b89b0 fffff806`3cdd6748 : ffffc387`6e7b4790 ffffc387`6a87d1e0 ffffc387`6a87d1e0 00000000`00000000 : nt!PnpProcessTargetDeviceEvent+0xea
ffffee86`360b89e0 fffff806`3c8f43b5 : ffffb103`c8cb3cb0 ffffb103`caf02080 ffffb103`c8cb3cb0 fffff806`3cc61340 : nt!PnpDeviceEventWorker+0x2d8
ffffee86`360b8a70 fffff806`3c86bcd5 : ffffb103`caf0`00000080 ffffb103`c8cae040 000024ef`bd9bbfff : nt!ExpWorkerThread+0x105
ffffee86`360b8b10 fffff806`3c9c9998 : ffff9b00`ac524180 ffffb103`caf02080 fffff806`3c86bc80 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffee86`360b8b60 00000000`00000000 : ffffee86`360b9000 ffffee86`360b2`0000`00000000 : nt!KiStartSystemThread+0x28

Here we see a thread in the System process waiting for an NDIS event to be signaled, and from this stack we can roughly tell that this thread is the one holding the PnP lock. Let's look at who is blocked on that lock:

THREAD ffffb103da5bb080  Cid 03c8.03cc  Teb: 0000009f3443b000 Win32Thread: ffffb103da407810 WAIT: (WrResource) KernelMode Non-Alertable
    ffffee8636a270e0  SynchronizationEvent
Not impersonating
DeviceMap                 ffffc3875d014ba0
Owning Process            ffffb103da5ba080       Image:
Attached Process          N/A            Image:         N/A
Wait Start TickCount      36004          Ticks: 222 (0:00:00:03.468)
Context Switch Count      439            IdealProcessor: 2
UserTime                  00:00:00.000
KernelTime                00:00:00.062
Win32 Start Address 0x00007ff7e0c836f0
Stack Init ffffee8636a27b90 Current ffffee8636a26c60
Base ffffee8636a28000 Limit ffffee8636a21000 Call 0000
Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffee86`36a26ca0 fffff806`3c91507d : ffff9b00`abfd8180 ffffffd7`fffffffe ffffb103`ffffffff 00000000`00000001 : nt!KiSwapContext+0x76
ffffee86`36a26de0 fffff806`3c913f04 : ffffb103`da5bb080 ffffb103`00000000 ffffb103`00000000 ffffb103`00000000 : nt!KiSwapThread+0xbfd
ffffee86`36a26e80 fffff806`3c9136a5 : 00000000`0000006c fffff806`0000`0000`00000000 : nt!KiCommitThreadWait+0x144
ffffee86`36a26f20 fffff806`3c91691d : ffffee86`36a270e0 00000000`0000001b 00000000`00000000 ffffee86`36a27400 : nt!KeWaitForSingleObject+0x255
ffffee86`36a27000 fffff806`3c90fcd7 : fffff806`3cc629a0 ffffee86`36a270c8 00000000`00010224 fffff806`3c95a6c0 : nt!ExpWaitForResource+0x6d
ffffee86`36a27080 fffff806`3cdeaeac : ffffee86`36a271c0 00000000`00000000 ffffee86`36a271a0 00000000`00000001 : nt!ExAcquireResourceExclusiveLite+0x217
ffffee86`36a27110 fffff806`3c957e9c : 00000000`0000`0000`0000`00000005 : nt!PpDevNodeLockTree+0x58
ffffee86`36a27140 fffff806`3cd9d386 : fffff806`3cb799e8 fffff806`3c86fc33 00000000`4000`00000000 : nt!PnpLockDeviceActionQueue+0x10
ffffee86`36a27180 fffff806`3cd9d2fb : 00000000`0000`00000000 ffffb103`dbcfe9b0 fffff806`3caee9fe : nt!IoBuildPoDeviceNotifyList+0x4a
ffffee86`36a271e0 fffff806`3cf25d00 : 00000000`00000000 ffffb103`dbcfe980 00000000`0000`00000000 : nt!PopBuildDeviceNotifyList+0xb7
ffffee86`36a272c0 fffff806`3cd9a79f : ffffee86`36a273d0 ffffee86`36a27448 ffffee86`36a273d0 000001ab`ff7c0000 : nt!PoInitializeBroadcast+0xc8
ffffee86`36a272f0 fffff806`3cd9f19c : ffffb103`c8ee8000 fffff806`0000`0000`00989680 : nt!PopTransitionSystemPowerStateEx+0x233
ffffee86`36a273b0 fffff806`3c9d3c15 : ffffb103`0000`0000`00000000 ffffb103`c8ee2000 : nt!NtSetSystemPowerState+0x4c
ffffee86`36a27590 fffff806`3c9c61b0 : fffff806`3cd9a6ba ffffee86`36a27810 ffffee86`36a277b0 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffee86`36a27590)
ffffee86`36a27728 fffff806`3cd9a6ba : ffffee86`36a27810 ffffee86`36a277b0 00000000`0000`00000000 : nt!KiServiceLinkage
ffffee86`36a27730 fffff806`3cd9f19c : ffffd8a4`d1924af4 fffff806`0000`0000`00000000 : nt!PopTransitionSystemPowerStateEx+0x14e
ffffee86`36a277f0 fffff806`3d10d069 : 00000000`0000`0000`0000`00000000 : nt!NtSetSystemPowerState+0x4c
ffffee86`36a279d0 fffff806`3c9d3c15 : ffffb103`da5bb080 ffffee86`00000001 ffffee86`36a27a80 ffffee86`36a27a80 : nt!NtShutdownSystem+0x39
ffffee86`36a27a00 00007ff9`fccdf624 : 00000000`0000`0000`0000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffee86`36a27a00)
0000009f`3432f538 00000000`00000000 : 00000000`0000`0000`0000`00000000 : 0x00007ff9`fccdf624

It does look as if wininit, during shutdown (which is somewhat different from the "at power-on" reported by the customer, but that does not affect the analysis), requests the device-tree lock and then goes into a wait state; the lock it is waiting for is held by the thread whose stack is shown above.

We continue analyzing that thread:

Priority 15 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffee86`360b7de0 fffff806`3c91507d : ffff9b00`abfd8180 8010001f`fffffffe ffff9b00`ffffffff 00000000`00000001 : nt!KiSwapContext+0x76
ffffee86`360b7f20 fffff806`3c913f04 : ffffb103`caf0`00000000 ffffb103`00000000 fffff806`00000000 : nt!KiSwapThread+0xbfd
ffffee86`360b7fc0 fffff806`3c9136a5 : ffffb103`c8cb3cb0 ffffb103`0000`0000`00000000 : nt!KiCommitThreadWait+0x144
ffffee86`360b8060 fffff806`407e9920 : ffffb103`ddf6c5b0 fffff806`00000000 ffffb103`db5ca000 fffff806`00000000 : nt!KeWaitForSingleObject+0x255
ffffee86`360b8140 fffff806`407dcb89 : ffffb103`ddf6c590 ffffee86`360b82d0 ffffb103`ddf6c590 fffff806`407cc8eb : ndis!KWaitEventBase…nstant>::Wait+0x28
ffffee86`360b8180 fffff806`4080bb01 : ffffb103`ddf6b1a0 ffffee86`360b82d0 ffffb103`ddf6c590 ffffb103`db5ca020 : ndis!Ndis::BindEngine::ApplyBindChanges+0x10915
ffffee86`360b81d0 fffff806`407750d4 : ffffb103`ddf6b1a0 ffffb103`ddf6b1a0 fffff806`407b5050 fffff806`407b5050 : ndis!ndisPnPRemoveDevice+0x2fd
ffffee86`360b8410 fffff806`407e919f : ffffb103`ddf6b1a0 ffffee86`360b85f0 ffffb103`ddf6b1a0 ffffb103`dfde6500 : ndis!ndisPnPRemoveDeviceEx+0x148
ffffee86`360b8460 fffff806`40774f31 : ffffb103`ddf6b1a0 ffffb103`ddf6b1a0 ffffee86`360b8630 ffffb103`dfde65e0 : ndis!ndisPnPIrpSurpriseRemovalInner+0x13f
ffffee86`360b8560 fffff806`407193c4 : ffffb103`dfde65e0 00000000`0000`00000000 ffffb103`ddf6b1a0 : ndis!ndisPnPIrpSurpriseRemoval+0xed
ffffee86`360b85b0 fffff806`3c90a929 : ffffee86`360b8601 ffffb103`ddf6b`00000001 ffffee86`360b8720 : ndis!ndisPnPDispatch+0x31354
ffffee86`360b8620 fffff806`3cdbafe4 : ffffee86`360b86c0 ffffb103`ddf6b050 ffffee86`360b8720 ffffb103`dfde65e0 : nt!IofCallDriver+0x59
ffffee86`360b8660 fffff806`3cf3123a : 00000000`00000017 ffffb103`ddf75af0 ffffb103`dbeb52a0 ffffb103`ddf75af0 : nt!IopSynchronousCall+0xf8
ffffee86`360b86e0 fffff806`3cf30df9 : ffffc387`6e7b4790 00000000`0000`0000`00000000 : nt!IopRemoveDevice+0x106
ffffee86`360b87a0 fffff806`3cf30bbb : ffffb103`ddf75af0 00000000`0000`0000`00000000 : nt!PnpSurpriseRemoveLockedDeviceNode+0xb5
ffffee86`360b8800 fffff806`3cf3088a : ffffb103`ddf75af0 ffffee86`360b8880 00000000`00000000 fffff806`3cf3064f : nt!PnpDeleteLockedDeviceNode+0x57
ffffee86`360b8840 fffff806`3cf2f087 : ffffb103`dbeb5960 00000008`0000`0000`00000000 : nt!PnpDeleteLockedDeviceNodes+0x76
ffffee86`360b88c0 fffff806`3cf0867e : ffffee86`360b8a10 ffffb103`dd9e6900 ffffee86`360b8a00 ffffc387`00000008 : nt!PnpProcessQueryRemoveAndEject+0x1ef
ffffee86`360b89b0 fffff806`3cdd6748 : ffffc387`6e7b4790 ffffc387`6a87d1e0 ffffc387`6a87d1e0 00000000`00000000 : nt!PnpProcessTargetDeviceEvent+0xea
ffffee86`360b89e0 fffff806`3c8f43b5 : ffffb103`c8cb3cb0 ffffb103`caf02080 ffffb103`c8cb3cb0 fffff806`3cc61340 : nt!PnpDeviceEventWorker+0x2d8
ffffee86`360b8a70 fffff806`3c86bcd5 : ffffb103`caf0`00000080 ffffb103`c8cae040 000024ef`bd9bbfff : nt!ExpWorkerThread+0x105
ffffee86`360b8b10 fffff806`3c9c9998 : ffff9b00`ac524180 ffffb103`caf02080 fffff806`3c86bc80 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffee86`360b8b60 00000000`00000000 : ffffee86`360b9000 ffffee86`360b2`0000`00000000 : nt!KiStartSystemThread+0x28

From it we find the event being waited on (the first argument of KeWaitForSingleObject):

4: kd> dt nt!_KEVENT ffffb103`ddf6c5b0
   +0x000 Header : _DISPATCHER_HEADER
4: kd> dx -id 0,0,ffffb103c8cae040 -r1 (*((ntkrnlmp!_DISPATCHER_HEADER *)0xffffb103ddf6c5b0))
(*((ntkrnlmp!_DISPATCHER_HEADER *)0xffffb103ddf6c5b0)) [Type: _DISPATCHER_HEADER]
    [+0x000] Lock : 393216 [Type: long]
    [+0x000] LockNV : 393216 [Type: long]
    [+0x000] Type : 0x0 [Type: unsigned char]
    [+0x001] Signalling : 0x0 [Type: unsigned char]
    [+0x002] Size : 0x6 [Type: unsigned char]
    [+0x003] Reserved1 : 0x0 [Type: unsigned char]
    [+0x000] TimerType : 0x0 [Type: unsigned char]
    [+0x001] TimerControlFlags : 0x0 [Type: unsigned char]
    [+0x001 (0:0)] Absolute : 0x0 [Type: unsigned char]
    [+0x001 (1:1)] Wake : 0x0 [Type: unsigned char]
    [+0x001 (7:2)] EncodedTolerableDelay : 0x0 [Type: unsigned char]
    [+0x002] Hand : 0x6 [Type: unsigned char]
    [+0x003] TimerMiscFlags : 0x0 [Type: unsigned char]
    [+0x003 (5:0)] Index : 0x0 [Type: unsigned char]
    [+0x003 (6:6)] Inserted : 0x0 [Type: unsigned char]
    [+0x003 (7:7)] Expired : 0x0 [Type: unsigned char]
    [+0x000] Timer2Type : 0x0 [Type: unsigned char]
    [+0x001] Timer2Flags : 0x0 [Type: unsigned char]
    [+0x001 (0:0)] Timer2Inserted : 0x0 [Type: unsigned char]
    [+0x001 (1:1)] Timer2Expiring : 0x0 [Type: unsigned char]
    [+0x001 (2:2)] Timer2CancelPending : 0x0 [Type: unsigned char]
    [+0x001 (3:3)] Timer2SetPending : 0x0 [Type: unsigned char]
    [+0x001 (4:4)] Timer2Running : 0x0 [Type: unsigned char]
    [+0x001 (5:5)] Timer2Disabled : 0x0 [Type: unsigned char]
    [+0x001 (7:6)] Timer2ReservedFlags : 0x0 [Type: unsigned char]
    [+0x002] Timer2ComponentId : 0x6 [Type: unsigned char]
    [+0x003] Timer2RelativeId : 0x0 [Type: unsigned char]
    [+0x000] QueueType : 0x0 [Type: unsigned char]
    [+0x001] QueueControlFlags : 0x0 [Type: unsigned char]
    [+0x001 (0:0)] Abandoned : 0x0 [Type: unsigned char]
    [+0x001 (1:1)] DisableIncrement : 0x0 [Type: unsigned char]
    [+0x001 (7:2)] QueueReservedControlFlags : 0x0 [Type: unsigned char]
    [+0x002] QueueSize : 0x6 [Type: unsigned char]
    [+0x003] QueueReserved : 0x0 [Type: unsigned char]
    [+0x000] ThreadType : 0x0 [Type: unsigned char]
    [+0x001] ThreadReserved : 0x0 [Type: unsigned char]
    [+0x002] ThreadControlFlags : 0x6 [Type: unsigned char]
    [+0x002 (0:0)] CycleProfiling : 0x0 [Type: unsigned char]
    [+0x002 (1:1)] CounterProfiling : 0x1 [Type: unsigned char]
    [+0x002 (2:2)] GroupScheduling : 0x1 [Type: unsigned char]
    [+0x002 (3:3)] AffinitySet : 0x0 [Type: unsigned char]
    [+0x002 (4:4)] Tagged : 0x0 [Type: unsigned char]
    [+0x002 (5:5)] EnergyProfiling : 0x0 [Type: unsigned char]
    [+0x002 (6:6)] SchedulerAssist : 0x0 [Type: unsigned char]
    [+0x002 (7:7)] ThreadReservedControlFlags : 0x0 [Type: unsigned char]
    [+0x003] DebugActive : 0x0 [Type: unsigned char]
    [+0x003 (0:0)] ActiveDR7 : 0x0 [Type: unsigned char]
    [+0x003 (1:1)] Instrumented : 0x0 [Type: unsigned char]
    [+0x003 (2:2)] Minimal : 0x0 [Type: unsigned char]
    [+0x003 (5:3)] Reserved4 : 0x0 [Type: unsigned char]
    [+0x003 (6:6)] UmsScheduled : 0x0 [Type: unsigned char]
    [+0x003 (7:7)] UmsPrimary : 0x0 [Type: unsigned char]
    [+0x000] MutantType : 0x0 [Type: unsigned char]
    [+0x001] MutantSize : 0x0 [Type: unsigned char]
    [+0x002] DpcActive : 0x6 [Type: unsigned char]
    [+0x003] MutantReserved : 0x0 [Type: unsigned char]
    [+0x004] SignalState : 0 [Type: long]
    [+0x008] WaitListHead [Type: _LIST_ENTRY]
4: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0xffffb103ddf6c5b8))
(*((ntkrnlmp!_LIST_ENTRY *)0xffffb103ddf6c5b8)) [Type: _LIST_ENTRY]
    [+0x000] Flink : 0xffffb103de5901c0 [Type: _LIST_ENTRY *]
    [+0x008] Blink : 0xffffb103caf021c0 [Type: _LIST_ENTRY *]

The event itself does not tell us much more (SignalState is 0, so it is non-signaled). However, from WaitListHead [Type: _LIST_ENTRY] we can find out exactly how many threads are waiting on this event. Walking the whole wait list gives:

(*((ntkrnlmp!_LIST_ENTRY *)0xffffb103ddf6c5b8)) [Type: _LIST_ENTRY]
    [+0x000] Flink : 0xffffb103de5901c0 [Type: _LIST_ENTRY *]
    [+0x008] Blink : 0xffffb103caf021c0 [Type: _LIST_ENTRY *]
4: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0xffffb103de5901c0)
((ntkrnlmp!_LIST_ENTRY *)0xffffb103de5901c0) : 0xffffb103de5901c0 [Type: _LIST_ENTRY *]
    [+0x000] Flink : 0xffffb103caf021c0 [Type: _LIST_ENTRY *]
    [+0x008] Blink : 0xffffb103ddf6c5b8 [Type: _LIST_ENTRY *]
4: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0xffffb103caf021c0)
((ntkrnlmp!_LIST_ENTRY *)0xffffb103caf021c0) : 0xffffb103caf021c0 [Type: _LIST_ENTRY *]
    [+0x000] Flink : 0xffffb103ddf6c5b8 [Type: _LIST_ENTRY *]
    [+0x008] Blink : 0xffffb103de5901c0 [Type: _LIST_ENTRY *]
4: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0xffffb103ddf6c5b8)
((ntkrnlmp!_LIST_ENTRY *)0xffffb103ddf6c5b8) : 0xffffb103ddf6c5b8 [Type: _LIST_ENTRY *]
    [+0x000] Flink : 0xffffb103de5901c0 [Type: _LIST_ENTRY *]
    [+0x008] Blink : 0xffffb103caf021c0 [Type: _LIST_ENTRY *]
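The wait-list walk above can be scripted. The following is an added example (my own code, not from the original post) that parses the dx -r1 _LIST_ENTRY output, follows Flink from the event's WaitListHead around to the head while checking every Blink, and subtracts the wait-block offset to obtain the waiting KTHREADs; on the post's data it yields ffffb103de590080 and ffffb103caf02080, the latter being the PnP lock holder from Arg3. It assumes the 0x140 offset taken from the author's `!thread <block>-140` command (the KWAIT_BLOCK offset inside _KTHREAD varies per kernel build) and uses the dx lines from the post as its offline input.

```python
"""Recover the threads waiting on a KEVENT from `dx -r1` _LIST_ENTRY dumps.
Added example, not code from the original post.  WAIT_BLOCK_OFFSET (0x140) is
an assumption taken from the author's `!thread <wait block>-140` command; it
changes between kernel builds, so confirm it with `dt nt!_KTHREAD`.
DX_OUTPUT is the dx text copied from the post so the script runs offline."""
import re

WAIT_BLOCK_OFFSET = 0x140  # KWAIT_BLOCK offset inside _KTHREAD (assumed)
# Wait list head = KEVENT ffffb103ddf6c5b0 + 0x008 (WaitListHead field).
EVENT_WAIT_LIST_HEAD = 0xFFFFB103DDF6C5B8

DX_OUTPUT = """
((ntkrnlmp!_LIST_ENTRY *)0xffffb103ddf6c5b8) : 0xffffb103ddf6c5b8 [Type: _LIST_ENTRY *]
    [+0x000] Flink : 0xffffb103de5901c0 [Type: _LIST_ENTRY *]
    [+0x008] Blink : 0xffffb103caf021c0 [Type: _LIST_ENTRY *]
((ntkrnlmp!_LIST_ENTRY *)0xffffb103de5901c0) : 0xffffb103de5901c0 [Type: _LIST_ENTRY *]
    [+0x000] Flink : 0xffffb103caf021c0 [Type: _LIST_ENTRY *]
    [+0x008] Blink : 0xffffb103ddf6c5b8 [Type: _LIST_ENTRY *]
((ntkrnlmp!_LIST_ENTRY *)0xffffb103caf021c0) : 0xffffb103caf021c0 [Type: _LIST_ENTRY *]
    [+0x000] Flink : 0xffffb103ddf6c5b8 [Type: _LIST_ENTRY *]
    [+0x008] Blink : 0xffffb103de5901c0 [Type: _LIST_ENTRY *]
"""

ENTRY_RE = re.compile(r"\(\(ntkrnlmp!_LIST_ENTRY \*\)0x([0-9a-fA-F]+)\)")
LINK_RE = re.compile(r"\[\+0x00[08]\] (Flink|Blink) : 0x([0-9a-fA-F]+)")


def parse_list_entries(text):
    """Map each dumped _LIST_ENTRY address to its (Flink, Blink) pair."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:  # a new "((ntkrnlmp!_LIST_ENTRY *)0x...)" header line
            current = int(m.group(1), 16)
            entries.setdefault(current, [None, None])
            continue
        m = LINK_RE.search(line)
        if m and current is not None:
            entries[current][0 if m.group(1) == "Flink" else 1] = int(m.group(2), 16)
    return {addr: tuple(links) for addr, links in entries.items()}


def walk_wait_list(entries, head, max_entries=4096):
    """Follow Flink from the head until it wraps back, verifying each Blink.
    A missing node, a Blink not pointing at the previous node, or a list that
    never returns to the head means a truncated dump or a corrupt list."""
    if head not in entries:
        raise ValueError(f"list head {head:#x} not in dump")
    blocks, prev, cur = [], head, entries[head][0]
    while cur != head:
        if cur not in entries:
            raise ValueError(f"entry {cur:#x} not in dump (truncated list?)")
        if entries[cur][1] != prev:
            raise ValueError(f"Blink mismatch at {cur:#x} (corrupt list?)")
        blocks.append(cur)
        if len(blocks) > max_entries:
            raise ValueError("wait list never returns to head (cycle?)")
        prev, cur = cur, entries[cur][0]
    return blocks


def waiting_threads(text, head, wait_block_offset=WAIT_BLOCK_OFFSET):
    """KTHREAD address of every waiter: each list node is a KWAIT_BLOCK embedded
    in its thread, so subtract the block offset (the -140 in `!thread`)."""
    blocks = walk_wait_list(parse_list_entries(text), head)
    return [block - wait_block_offset for block in blocks]


if __name__ == "__main__":
    for thread in waiting_threads(DX_OUTPUT, EVENT_WAIT_LIST_HEAD):
        print(f"waiter: THREAD {thread:016x}")
```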

Here we see a suspicious thread (the other wait block, minus the 0x140 offset of the wait block inside the thread object):

4: kd> !thread 0xffffb103de5901c0-140
THREAD ffffb103de590080  Cid 1bd4.1bd8  Teb: c5b000 Win32Thread: ffffb103ddf355c0 WAIT: (Executive) KernelMode Non-Alertable
    ffffb103ddf6c5b0  NotificationEvent
IRP List:
    ffffb103dd9f2960: (0006,0118) Flags: 00000884  Mdl: 00000000
Not impersonating
DeviceMap                 ffffc3875d014ba0
Owning Process            ffffb103de678480       Image:
Attached Process          N/A            Image:         N/A
Wait Start TickCount      15925          Ticks: 20301 (0:00:05:17.203)
Context Switch Count      284            IdealProcessor: 2
UserTime                  00:00:00.015
KernelTime                00:00:00.078
Win32 Start Address 0xec08
Stack Init ffffee863a4b7b90 Current ffffee863a4b66a0
Base ffffee863a4b8000 Limit ffffee863a4b1000 Call 0000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffee86`3a4b66e0 fffff806`3c91507d : ffff9b00`0000`00000000 ffff9b00`ffffffff 00000000`00000001 : nt!KiSwapContext+0x76
ffffee86`3a4b6820 fffff806`3c913f04 : ffffb103`de59`00000000 ffffee86`3a4b7301 fffff806`00000000 : nt!KiSwapThread+0xbfd
ffffee86`3a4b68c0 fffff806`3c9136a5 : 00000000`00000004 ffffb103`0000`0000`00000000 : nt!KiCommitThreadWait+0x144
ffffee86`3a4b6960 fffff806`407e9920 : ffffb103`ddf6c5b0 fffff806`00000000 ffffee86`3a4b7300 fffff806`00000000 : nt!KeWaitForSingleObject+0x255
ffffee86`3a4b6a40 fffff806`407dcb89 : 00000000`00000000 ffffee86`3a4b6bd0 ffffb103`ddf6c590 fffff806`407cc8eb : ndis!KWaitEventBase…constant>::Wait+0x28
ffffee86`3a4b6a80 fffff806`40763b1a : ffffb103`ddf6b1a0 ffffee86`3a4b6bd0 00000000`00000000 ffffee86`3a4b6b48 : ndis!Ndis::BindEngine::ApplyBindChanges+0x10915
ffffee86`3a4b6ad0 fffff806`407edcc4 : ffffb103`dbfe4`00000001 ffffb103`c87dc008 ffffb103`dbfe4010 : ndis!ndisOpenAdapterLegacyProtocol+0x262
ffffee86`3a4b6c80 fffff806`407dd5b6 : ffffc387`66892480 fffff806`00000000 ffffb103`ddf6b1a0 00000000`00000000 : ndis!ndisBindLegacyProtocol+0x2c8
ffffee86`3a4b6dd0 fffff806`407d195e : 00000000`00000000 ffffee86`0000001d ffffee86`3a4b6f40 00000000`00000000 : ndis!ndisRestartProtocol+0xb742
ffffee86`3a4b6e40 fffff806`407d13c0 : ffffb103`ddf6b1a0 ffffb103`ddf6b1a0 ffffb103`ddf6c608 ffffb103`ddf6c590 : ndis!Ndis::BindEngine::Iterate+0x4f6
ffffee86`3a4b6fc0 fffff806`407cc409 : ffffb103`ddf6c590 ffffee86`3a4b71`0000`00000000 : ndis!Ndis::BindEngine::UpdateBindings+0x98
ffffee86`3a4b7010 fffff806`407cc2c8 : ffffb103`ddf6c590 00000000`00000000 ffffb103`ddf6c590 fffff806`407cc8eb : ndis!Ndis::BindEngine::DispatchPendingWork+0x75
ffffee86`3a4b7040 fffff806`40763b1a : ffffb103`ddf6b1a0 ffffee86`3a4b7`00000000 ffffee86`3a4b7108 : ndis!Ndis::BindEngine::ApplyBindChanges+0x54
ffffee86`3a4b7090 fffff806`40809a9c : ffffb103`dd9f2a00 ffffee86`3a4b7301 ffffb103`c87dc008 ffffb103`c87dc000 : ndis!ndisOpenAdapterLegacyProtocol+0x262
ffffee86`3a4b7240 fffff806`53d72edd : ffffb103`c87dc000 ffffb103`c87dc028 ffffb103`dd9f2960 ffffb103`c87ddb68 : ndis!NdisOpenAdapter+0x4c
ffffee86`3a4b72b0 fffff806`3c90a929 : ffffb103`00000000 ffffb103`cad9ee50 00000000`00000000 ffffb103`dd9f2a30 : XXXXXcap+0x2edd
ffffee86`3a4b7360 fffff806`3c9099e4 : 00000000`0000`00000000 ffffb103`dd9f2a78 fffff806`3c90a1a3 : nt!IofCallDriver+0x59
ffffee86`3a4b73a0 fffff806`3ceaf86b : ffffee86`3a4b7660 fffff806`3ceaf225 ffffee86`3a4b75d0 ffffb103`dbb7a520 : nt!IoCallDriverWithTracing+0x34
ffffee86`3a4b73f0 fffff806`3ceb681f : ffffb103`cad9ed00 ffffb103`cad9ec25 ffffb103`dd9d4010 ffffc387`5d04a801 : nt!IopParseDevice+0x62b
ffffee86`3a4b7560 fffff806`3ceb4c81 : ffffb103`dd9d4000 ffffee86`3a4b77a8 ffffc387`00000040 ffffb103`c8cf94e0 : nt!ObpLookupObjectName+0x78f
ffffee86`3a4b7720 fffff806`3ce64f50 : ffffee86`0000`00e3e850 00000000`0000`00000000 : nt!ObOpenObjectByNameEx+0x201
ffffee86`3a4b7860 fffff806`3ce64719 : 00000000`00e3df80 00000000`c000`00e3e850 00000000`00e3df98 : nt!IopCreateFile+0x820
ffffee86`3a4b7900 fffff806`3c9d3c15 : ffffb103`de590080 ffffee86`3a4b7a80 ffffee86`3a4b79a8 00000000`00c5b000 : nt!NtCreateFile+0x79
ffffee86`3a4b7990 00007ff9`fccdcb14 : 00000000`0000`0000`0000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffee86`3a4b7a00)
00000000`00e3df`00000000 : 00000000`0000`0000`0000`00000000 : 0x00007ff9`fccdcb14

Although this thread is quite suspicious, it does not seem to be holding any resource that would cause the wait, so for now we only note it as a point of suspicion.

Starting from the source of the event, we look at the code that performs the wait.

There is indeed an operation that waits on an event, which confirms the analysis above. Next we look at where this event can be set; searching, we found two places.

The other one is the function void __fastcall Ndis::BindEngine::UpdateBindings(Ndis::BindEngine *this, struct KLockThisExclusive *a2).

Clearly there is nothing to analyze in the first one, because it is the constructor: the constructor is certainly called, and once it completes the event is signaled. That gives us the next question to answer: who cleared the state of this event?

Continuing the analysis, we find

that the Clear is performed right in the caller above void __fastcall Ndis::BindEngine::UpdateBindings(Ndis::BindEngine *this, struct KLockThisExclusive *a2). Wait a moment...

At this point let's look at that suspicious call again:

4: kd> !thread 0xffffb103de5901c0-140
THREAD ffffb103de590080  Cid 1bd4.1bd8  Teb: c5b000 Win32Thread: ffffb103ddf355c0 WAIT: (Executive) KernelMode Non-Alertable
    ffffb103ddf6c5b0  NotificationEvent
IRP List:
    ffffb103dd9f2960: (0006,0118) Flags: 00000884  Mdl: 00000000
Not impersonating
DeviceMap                 ffffc3875d014ba0
Owning Process            ffffb103de678480       Image:
Attached Process          N/A            Image:         N/A
Wait Start TickCount      15925          Ticks: 20301 (0:00:05:17.203)
Context Switch Count      284            IdealProcessor: 2
UserTime                  00:00:00.015
KernelTime                00:00:00.078
Win32 Start Address 0xec08
Stack Init ffffee863a4b7b90 Current ffffee863a4b66a0
Base ffffee863a4b8000 Limit ffffee863a4b1000 Call 0000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffee86`3a4b66e0 fffff806`3c91507d : ffff9b00`0000`00000000 ffff9b00`ffffffff 00000000`00000001 : nt!KiSwapContext+0x76
ffffee86`3a4b6820 fffff806`3c913f04 : ffffb103`de59`00000000 ffffee86`3a4b7301 fffff806`00000000 : nt!KiSwapThread+0xbfd
ffffee86`3a4b68c0 fffff806`3c9136a5 : 00000000`00000004 ffffb103`0000`0000`00000000 : nt!KiCommitThreadWait+0x144
ffffee86`3a4b6960 fffff806`407e9920 : ffffb103`ddf6c5b0 fffff806`00000000 ffffee86`3a4b7300 fffff806`00000000 : nt!KeWaitForSingleObject+0x255
ffffee86`3a4b6a40 fffff806`407dcb89 : 00000000`00000000 ffffee86`3a4b6bd0 ffffb103`ddf6c590 fffff806`407cc8eb : ndis!KWaitEventBase…constant>::Wait+0x28
ffffee86`3a4b6a80 fffff806`40763b1a : ffffb103`ddf6b1a0 ffffee86`3a4b6bd0 00000000`00000000 ffffee86`3a4b6b48 : ndis!Ndis::BindEngine::ApplyBindChanges+0x10915
ffffee86`3a4b6ad0 fffff806`407edcc4 : ffffb103`dbfe4`00000001 ffffb103`c87dc008 ffffb103`dbfe4010 : ndis!ndisOpenAdapterLegacyProtocol+0x262
ffffee86`3a4b6c80 fffff806`407dd5b6 : ffffc387`66892480 fffff806`00000000 ffffb103`ddf6b1a0 00000000`00000000 : ndis!ndisBindLegacyProtocol+0x2c8
ffffee86`3a4b6dd0 fffff806`407d195e : 00000000`00000000 ffffee86`0000001d ffffee86`3a4b6f40 00000000`00000000 : ndis!ndisRestartProtocol+0xb742
ffffee86`3a4b6e40 fffff806`407d13c0 : ffffb103`ddf6b1a0 ffffb103`ddf6b1a0 ffffb103`ddf6c608 ffffb103`ddf6c590 : ndis!Ndis::BindEngine::Iterate+0x4f6
ffffee86`3a4b6fc0 fffff806`407cc409 : ffffb103`ddf6c590 ffffee86`3a4b71`0000`00000000 : ndis!Ndis::BindEngine::UpdateBindings+0x98
ffffee86`3a4b7010 fffff806`407cc2c8 : ffffb103`ddf6c590 00000000`00000000 ffffb103`ddf6c590 fffff806`407cc8eb : ndis!Ndis::BindEngine::DispatchPendingWork+0x75
ffffee86`3a4b7040 fffff806`40763b1a : ffffb103`ddf6b1a0 ffffee86`3a4b7`00000000 ffffee86`3a4b7108 : ndis!Ndis::BindEngine::ApplyBindChanges+0x54
ffffee86`3a4b7090 fffff806`40809a9c : ffffb103`dd9f2a00 ffffee86`3a4b7301 ffffb103`c87dc008 ffffb103`c87dc000 : ndis!ndisOpenAdapterLegacyProtocol+0x262
ffffee86`3a4b7240 fffff806`53d72edd : ffffb103`c87dc000 ffffb103`c87dc028 ffffb103`dd9f2960 ffffb103`c87ddb68 : ndis!NdisOpenAdapter+0x4c
ffffee86`3a4b72b0 fffff806`3c90a929 : ffffb103`00000000 ffffb103`cad9ee50 00000000`00000000 ffffb103`dd9f2a30 : XXXXXcap+0x2edd
ffffee86`3a4b7360 fffff806`3c9099e4 : 00000000`0000`00000000 ffffb103`dd9f2a78 fffff806`3c90a1a3 : nt!IofCallDriver+0x59
ffffee86`3a4b73a0 fffff806`3ceaf86b : ffffee86`3a4b7660 fffff806`3ceaf225 ffffee86`3a4b75d0 ffffb103`dbb7a520 : nt!IoCallDriverWithTracing+0x34
ffffee86`3a4b73f0 fffff806`3ceb681f : ffffb103`cad9ed00 ffffb103`cad9ec25 ffffb103`dd9d4010 ffffc387`5d04a801 : nt!IopParseDevice+0x62b
ffffee86`3a4b7560 fffff806`3ceb4c81 : ffffb103`dd9d4000 ffffee86`3a4b77a8 ffffc387`00000040 ffffb103`c8cf94e0 : nt!ObpLookupObjectName+0x78f
ffffee86`3a4b7720 fffff806`3ce64f50 : ffffee86`0000`00e3e850 00000000`0000`00000000 : nt!ObOpenObjectByNameEx+0x201
ffffee86`3a4b7860 fffff806`3ce64719 : 00000000`00e3df80 00000000`c000`00e3e850 00000000`00e3df98 : nt!IopCreateFile+0x820
ffffee86`3a4b7900 fffff806`3c9d3c15 : ffffb103`de590080 ffffee86`3a4b7a80 ffffee86`3a4b79a8 00000000`00c5b000 : nt!NtCreateFile+0x79
ffffee86`3a4b7990 00007ff9`fccdcb14 : 00000000`0000`0000`0000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffee86`3a4b7a00)
00000000`00e3df`00000000 : 00000000`0000`0000`0000`00000000 : 0x00007ff9`fccdcb14

The wait lands exactly inside that call path: a caller above UpdateBindings in this very stack is the one that cleared the event, and the same thread then waits on that event in the inner ApplyBindChanges frame below it, so this call chain is the culprit without doubt. Let's look at the IRP this thread is processing:

4: kd> !irp ffffb103dd9f2960
Irp is active with 1 stacks 1 is current (= 0xffffb103dd9f2a30)
 No Mdl: No System Buffer: Thread ffffb103de590080:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
>[IRP_MJ_CREATE(0), N/A(0)]
            0  0 ffffb103cad9ed00 ffffb103de1e4a60 0000
               \Driver\XXXXcap
                        Args: ffffee863a4b74f0

So, roughly speaking, the problem appears when this driver calls NdisOpenAdapter while handling its IRP_MJ_CREATE. I have not studied NDIS drivers in much depth myself and do not know whether this call by itself really causes the problem. But we can broadly conclude that the hang and the resulting blue screen are caused by this driver.

3. Verification

I had my colleague rename this driver, and in testing the blue screen no longer reproduced, so the basic conclusion is that a bug in this driver caused the blue screen.
