July 16, 2007 at 3:59 pm
#6326
I did that… It still BSODs. Here is what !analyze -v shows:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000e20, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8149f08d, address which referenced memory
Debugging Details:
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
MODULE_NAME: yk51x86
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 42de4146
WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
00000e20
CURRENT_IRQL: 2
FAULTING_IP:
+ffffffff8149f08d
8149f08d 180b sbb byte ptr [ebx],cl
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0xD1
LAST_CONTROL_TRANSFER: from 8149f08d to 8053fa73
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
80548b54 8149f08d badb0d00 8226c458 f76e7992 nt!Kei386EoiHelper+0x27db
80548c18 aaca362d 8226c458 81446c48 00000e20 0x8149f08d
80548c7c aaca8e39 81446c48 00001850 80548d9c tcpip!ARPRcv+0x31ba
80548d04 aac9cef5 8207c460 2101a8c0 08ccb4d5 tcpip!ARPRcv+0x89c6
80548d64 aacbae4d 00000020 8207c460 aac9f076 tcpip!IPFreeBuff+0x634
80548e18 aac9b922 8207c460 81a02522 0000049b tcpip!tcpxsum+0x2d65
80548e58 aac9b84d 00000000 821be440 81a02500 tcpip!ARPRcvPacket+0x128
80548e94 f8138f45 82268008 00000000 f7658b40 tcpip!ARPRcvPacket+0x53
80548ee8 f765301d 00022350 820c2398 00000001 NDIS!FddiFilterDprIndicateReceive+0xd4d
80548efc f76531b4 821df710 820c2398 00000001 psched!RegisterPsComponent+0x6cef
80548f20 f76535f9 822631f0 00000000 821df710 psched!RegisterPsComponent+0x6e86
80548f38 f8138d40 822631e8 00000001 81a4a37c psched!RegisterPsComponent+0x72cb
80548f88 f770efe0 00022350 80548fa8 00000001 NDIS!FddiFilterDprIndicateReceive+0xb48
80548fd8 f7708c67 81a4a004 81a4a37c 82207130 yk51x86+0xdfe0
80549008 f770a1ea 60a4a004 8054902c f812ef09 yk51x86+0x7c67
80549014 f812ef09 81a4a004 80551d80 80551b20 yk51x86+0x91ea
8054902c 80540f7d 81a4a088 81a4a074 00000000 NDIS!NdisCompletePnPEvent+0x17b
80549050 80540ef6 00000000 0000000e 00000000 nt!KiDispatchInterrupt+0x35d
00000000 00000000 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2d6
STACK_COMMAND: kb
FOLLOWUP_IP:
yk51x86+dfe0
f770efe0 8b83e4010000 mov eax,dword ptr [ebx+1E4h]
SYMBOL_STACK_INDEX: d
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: yk51x86.sys
SYMBOL_NAME: yk51x86+dfe0
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
What does yk51x86.sys have to do with this? That is not my driver. And it still crashes when the original function is called…
The hooked function is declared like this:
NTSTATUS HookedClientEventReceive(IN PVOID TdiEventContext,
                                  IN CONNECTION_CONTEXT ConnectionContext,
                                  IN ULONG ReceiveFlags,
                                  IN ULONG BytesIndicated,
                                  IN ULONG BytesAvailable,
                                  OUT ULONG *BytesTaken,
                                  IN PVOID Tsdu,
                                  OUT PIRP *IoRequestPacket)
{
    ...
    return OldClientEventReceive(pBlockFromPagedLookasideList->EventContext,
                                 ConnectionContext,
                                 ReceiveFlags,
                                 BytesIndicated,
                                 BytesAvailable,
                                 BytesTaken,
                                 Tsdu,
                                 IoRequestPacket);
}
but I think everything is fine with the asterisks here…
As I understand it, this is IRQL_NOT_LESS_OR_EQUAL again. But I am using non-paged memory, as you said.