360fans_Vb8nVD posted on 2026-4-19 01:48

The Active Defense process causes a blue screen at shutdown

I've been getting a blue screen at shutdown for about a month now. Normal use isn't affected, but on shutdown the machine gets stuck on the blue screen or reboots, and I have to hold the power button to force it off. The blue screen code is kmode_exception_not_handled (0x1e). It has been getting worse recently and I can't stand it any more, so I analyzed the dump with windbg, and it shows the problem is PROCESS_NAME: ZhuDongFangYu.
The AI analysis says: at shutdown the system unloads the 360 driver, and this driver's code has a bug → stack overflow → blue screen 0xF7
Below is the windbg analyze output


8: kd> !analyze -v
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................................................
....................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`003c4018).Type ".hh dbgerr001" for details
Loading unloaded module list
.........................
*******************************************************************************
*                                                                           *
*                        Bugcheck Analysis                                    *
*                                                                           *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and BugCheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00000aa19c0deed8, Actual security check cookie from the stack
Arg2: 00000aa12f256a5a, Expected security check cookie
Arg3: fffff55ed0da95a5, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for hotfixplatform.sys
*** WARNING: Unable to verify timestamp for DsArk64.sys
KEY_VALUES_STRING: 1
    Key: Analysis.CPU.mSec
    Value: 3062
    Key: Analysis.Elapsed.mSec
    Value: 5010
    Key: Analysis.IO.Other.Mb
    Value: 64
    Key: Analysis.IO.Read.Mb
    Value: 3
    Key: Analysis.IO.Write.Mb
    Value: 234
    Key: Analysis.Init.CPU.mSec
    Value: 25859
    Key: Analysis.Init.Elapsed.mSec
    Value: 3364154
    Key: Analysis.Memory.CommitPeak.Mb
    Value: 388
    Key: Analysis.Version.DbgEng
    Value: 10.0.29547.1002
    Key: Analysis.Version.Description
    Value: 10.2602.27.2 amd64fre
    Key: Analysis.Version.Ext
    Value: 1.2602.27.2
    Key: Bugcheck.Code.LegacyAPI
    Value: 0xf7
    Key: Bugcheck.Code.TargetModel
    Value: 0xf7
    Key: Dump.Attributes.AsUlong
    Value: 0x21808
    Key: Dump.Attributes.DiagDataWrittenToHeader
    Value: 1
    Key: Dump.Attributes.ErrorCode
    Value: 0x0
    Key: Dump.Attributes.KernelGeneratedTriageDump
    Value: 1
    Key: Dump.Attributes.LastLine
    Value: Dump completed successfully.
    Key: Dump.Attributes.ProgressPercentage
    Value: 0
    Key: Failure.Bucket
    Value: 0xF7_MISSING_GSFRAME_hotfixplatform!unknown_function
    Key: Failure.Hash
    Value: {2ccf49bc-d91e-18e0-8146-353d94162f22}
    Key: Hypervisor.Enlightenments.ValueHex
    Value: 0x7417df84
    Key: Hypervisor.Flags.AnyHypervisorPresent
    Value: 1
    Key: Hypervisor.Flags.ApicEnlightened
    Value: 0
    Key: Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1
    Key: Hypervisor.Flags.AsyncMemoryHint
    Value: 0
    Key: Hypervisor.Flags.CoreSchedulerRequested
    Value: 0
    Key: Hypervisor.Flags.CpuManager
    Value: 1
    Key: Hypervisor.Flags.DeprecateAutoEoi
    Value: 1
    Key: Hypervisor.Flags.DynamicCpuDisabled
    Value: 1
    Key: Hypervisor.Flags.Epf
    Value: 0
    Key: Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1
    Key: Hypervisor.Flags.HardwareMbecAvailable
    Value: 1
    Key: Hypervisor.Flags.MaxBankNumber
    Value: 0
    Key: Hypervisor.Flags.MemoryZeroingControl
    Value: 0
    Key: Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0
    Key: Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1
    Key: Hypervisor.Flags.Phase0InitDone
    Value: 1
    Key: Hypervisor.Flags.PowerSchedulerQos
    Value: 0
    Key: Hypervisor.Flags.RootScheduler
    Value: 0
    Key: Hypervisor.Flags.SynicAvailable
    Value: 1
    Key: Hypervisor.Flags.UseQpcBias
    Value: 0
    Key: Hypervisor.Flags.Value
    Value: 55185662
    Key: Hypervisor.Flags.ValueHex
    Value: 0x34a10fe
    Key: Hypervisor.Flags.VpAssistPage
    Value: 1
    Key: Hypervisor.Flags.VsmAvailable
    Value: 1
    Key: Hypervisor.RootFlags.AccessStats
    Value: 1
    Key: Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1
    Key: Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1
    Key: Hypervisor.RootFlags.DisableHyperthreading
    Value: 0
    Key: Hypervisor.RootFlags.HostTimelineSync
    Value: 1
    Key: Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0
    Key: Hypervisor.RootFlags.IsHyperV
    Value: 1
    Key: Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1
    Key: Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1
    Key: Hypervisor.RootFlags.MceEnlightened
    Value: 1
    Key: Hypervisor.RootFlags.Nested
    Value: 0
    Key: Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1
    Key: Hypervisor.RootFlags.Value
    Value: 1015
    Key: Hypervisor.RootFlags.ValueHex
    Value: 0x3f7
    Key: WER.System.BIOSRevision
    Value: 1.30.0.0
BUGCHECK_CODE:f7
BUGCHECK_P1: aa19c0deed8
BUGCHECK_P2: aa12f256a5a
BUGCHECK_P3: fffff55ed0da95a5
BUGCHECK_P4: 0
FILE_IN_CAB:041826-20312-01.dmp
TAG_NOT_DEFINED_202b:*** Unknown TAG in analysis list 202b
DUMP_FILE_ATTRIBUTES: 0x21808
Kernel Generated Triage Dump
FAULTING_THREAD:ffffc709357d60c0
SECURITY_COOKIE:Expected 00000aa12f256a5a found 00000aa19c0deed8
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1 (!blackboxwinlogon) (!blackboxwinlogonnotify)
CUSTOMER_CRASH_COUNT:1
PROCESS_NAME:ZhuDongFangYu.
STACK_TEXT:
fffffa0d`5c0defa8 fffff807`a473a435   : 00000000`000000f7 00000aa1`9c0deed8 00000aa1`2f256a5a fffff55e`d0da95a5 : nt!KeBugCheckEx
fffffa0d`5c0defb0 fffff807`a451fe89   : 00000000`00000000 00000000`ffffffff 00000000`00000000 00000000`00000000 : nt!_report_gsfailure+0x25
fffffa0d`5c0deff0 fffff807`a45221bc   : 00000000`00000001 fffff807`a4db98b3 00000000`00000000 ffff8880`13efe4b0 : nt!HalpInterruptSendIpi+0xa9
fffffa0d`5c0df310 fffff807`a4db992b   : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KiUnstackDetachProcess+0x2fc
fffffa0d`5c0df380 fffff807`a461ec47   : 00000000`00000001 00000000`00000000 ffff8880`1831cab0 00000000`00000001 : nt!CmpDetachFromRegistryProcess+0xb
fffffa0d`5c0df3b0 fffff807`a4b6a4d3   : fffffa0d`5c0df6c0 00000000`00000000 00000000`00000000 00000000`00000001 : nt!CmpDoQueryKeyName+0x227
fffffa0d`5c0df500 fffff807`a4b69b1e   : 00000000`00000000 ffff8880`c9b8f190 00000000`206c5420 00000000`00000000 : nt!CmpQueryKeyName+0x13
fffffa0d`5c0df550 fffff807`a4b69a1e   : ffff8880`1831cab0 00000000`00000000 00000000`00000000 fffffa0d`5c0df728 : nt!ObQueryNameStringMode+0xee
fffffa0d`5c0df6b0 fffff807`38931f34   : 00000000`00000003 fffffa0d`5c0df8f8 ffff8880`0e8ae320 fffff807`370a9152 : nt!ObQueryNameString+0xe
fffffa0d`5c0df6f0 00000000`00000003   : fffffa0d`5c0df8f8 ffff8880`0e8ae320 fffff807`370a9152 00000000`00000000 : hotfixplatform+0x1f34
fffffa0d`5c0df6f8 fffffa0d`5c0df8f8   : ffff8880`0e8ae320 fffff807`370a9152 00000000`00000000 fffff807`38932291 : 0x3
fffffa0d`5c0df700 ffff8880`0e8ae320   : fffff807`370a9152 00000000`00000000 fffff807`38932291 00000000`00000000 : 0xfffffa0d`5c0df8f8
fffffa0d`5c0df708 fffff807`370a9152   : 00000000`00000000 fffff807`38932291 00000000`00000000 fffff807`a44bb10a : 0xffff8880`0e8ae320
fffffa0d`5c0df710 00000000`00000000   : fffff807`38932291 00000000`00000000 fffff807`a44bb10a fffffa0d`5c0dfaa0 : DsArk64+0x9152
SYMBOL_NAME:hotfixplatform+1f34
MODULE_NAME: hotfixplatform
IMAGE_NAME:hotfixplatform.sys
STACK_COMMAND: .process /r /p 0xffffc708e0b9d080; .thread /r /p 0xffffc709357d60c0 ; kb
BUCKET_ID_FUNC_OFFSET:1f34
FAILURE_BUCKET_ID:0xF7_MISSING_GSFRAME_hotfixplatform!unknown_function
OSPLATFORM_TYPE:x64
OSNAME:Windows 10
FAILURE_ID_HASH:{2ccf49bc-d91e-18e0-8146-353d94162f22}
Followup:   MachineOwner
---------
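
A small first-pass triage helper for the report pasted above, added here as an example and not something the poster or 360 shipped. It assumes the `!analyze -v` text layout exactly as pasted (the `Arg1:`..`Arg4:` lines, `PROCESS_NAME:` and `STACK_TEXT:`), checks that the 0xF7 arguments really describe a /GS cookie mismatch (Arg3 is the complement of the expected cookie Arg2), and names the first frame outside `nt` as the suspect module, which is the same conclusion the `Failure.Bucket` above reached.

```python
import re

# Constructed, abridged excerpt of the thread's "!analyze -v" output (values copied from the post).
SAMPLE_ANALYZE = """\
DRIVER_OVERRAN_STACK_BUFFER (f7)
Arguments:
Arg1: 00000aa19c0deed8, Actual security check cookie from the stack
Arg2: 00000aa12f256a5a, Expected security check cookie
Arg3: fffff55ed0da95a5, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
PROCESS_NAME:ZhuDongFangYu.
STACK_TEXT:
fffffa0d`5c0defa8 fffff807`a473a435   : 00000000`000000f7 00000aa1`9c0deed8 00000aa1`2f256a5a fffff55e`d0da95a5 : nt!KeBugCheckEx
fffffa0d`5c0defb0 fffff807`a451fe89   : 00000000`00000000 00000000`ffffffff 00000000`00000000 00000000`00000000 : nt!_report_gsfailure+0x25
fffffa0d`5c0df6b0 fffff807`38931f34   : 00000000`00000003 fffffa0d`5c0df8f8 ffff8880`0e8ae320 fffff807`370a9152 : nt!ObQueryNameString+0xe
fffffa0d`5c0df6f0 00000000`00000003   : fffffa0d`5c0df8f8 ffff8880`0e8ae320 fffff807`370a9152 00000000`00000000 : hotfixplatform+0x1f34
fffffa0d`5c0df6f8 fffffa0d`5c0df8f8   : ffff8880`0e8ae320 fffff807`370a9152 00000000`00000000 fffff807`38932291 : 0x3
"""

# One STACK_TEXT line: child-SP, return address, four args, then ": symbol" at the end.
FRAME_RE = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17}\s+:.*: (\S+)\s*$", re.M)

def parse_report(text):
    """Pull the bugcheck code, its four arguments, the process name and the stack symbols out of the text."""
    code = int(re.search(r"^[A-Z_]+ \(([0-9a-f]+)\)", text, re.M).group(1), 16)
    args = [int(m.group(1), 16) for m in re.finditer(r"^Arg\d: ([0-9a-f]{16}),", text, re.M)]
    proc = re.search(r"^PROCESS_NAME:\s*(\S+)", text, re.M).group(1)
    frames = FRAME_RE.findall(text[text.index("STACK_TEXT:"):])
    return {"code": code, "args": args, "process": proc, "frames": frames}

def gs_cookie_consistent(args):
    """For 0xF7, Arg3 must be the 64-bit complement of Arg2 (expected cookie) and Arg1 (actual) must differ."""
    mask = (1 << 64) - 1
    return len(args) == 4 and (args[1] ^ mask) == args[2] and args[0] != args[1]

def suspect_frame(frames):
    """Walk down from KeBugCheckEx and return the first frame outside nt; bare return-address values
    such as 0x3 (a sign the stack walk is already unreliable) are skipped.  Heuristic, not proof."""
    for sym in frames:
        if not (sym.startswith("nt!") or sym.startswith("0x")):
            return sym
    return None

def triage(text):
    """Summarise a 0xF7 report the way a first-pass reviewer would before asking the vendor for symbols."""
    r = parse_report(text)
    suspect = suspect_frame(r["frames"])
    return {"code": r["code"], "process": r["process"], "cookie_ok": gs_cookie_consistent(r["args"]),
            "suspect": suspect, "module": suspect.split("+")[0] if suspect else None}
```

Run `triage(SAMPLE_ANALYZE)` to get the code, process, cookie check and suspect module in one dict; a `cookie_ok` of False would mean the report is not a plain /GS failure and the stack should be read differently.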

HappyShake posted on 2026-4-25 19:32

Hello, please add the engineer on WeChat so we can take a look at the specific problem for you.