When you're having a bad day, even your computer blue-screens

Today my laptop blue-screened again, and the dump is seriously weird.

It's a Win10 x64 system. After loading the dmp in WinDbg 10, it couldn't even download the symbols correctly.

Damn, what am I supposed to do now, download the symbols by hand?

Fine. After downloading the symbols manually,

then .reload,

then !analyze -v,

all it gave me was this junk...

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000fff6a322, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 00000000000000ca, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff803e7d0ed17, address which referenced memory

Actually, there are two problems here:

1: This exception is downright scary: the IRQL at the time of the call was 0xFF. How did that happen, why is the IRQL that high? On x64, if I remember correctly, R8 should hold the IRQL, and R8's value is indeed exactly this value.

2:

 1 fffff803`e7d0ecfc 654c8b042520000000 mov   r8,qword ptr gs:[20h]
 2 fffff803`e7d0ed05 4caf            scas    qword ptr [rdi]
 3 fffff803`e7d0ed07 35f4a2f6ff      xor     eax,0FFF6A2F4h
 4 fffff803`e7d0ed0c 458bdf          mov     r11d,r15d
 5 fffff803`e7d0ed0f 4d8b8840060000  mov     r9,qword ptr [r8+640h]
 6 fffff803`e7d0ed16 fd              std
 7 fffff803`e7d0ed17 8b4024          mov     eax,dword ptr [rax+24h]
 8 fffff803`e7d0ed1a 498b9188310000  mov     rdx,qword ptr [r9+3188h]
 9 fffff803`e7d0ed21 418b8c8640a33a00 mov     ecx,dword ptr [r14+rax*4+3AA340h]
10 fffff803`e7d0ed29 410fb68051870000 movzx   eax,byte ptr [r8+8751h]
11 fffff803`e7d0ed31 83e13f          and     ecx,3Fh
12 fffff803`e7d0ed34 410fb79992000000 movzx   ebx,word ptr [r9+92h]
13 fffff803`e7d0ed3c 480fb3ca        btr     rdx,rcx
14 fffff803`e7d0ed40 498b4940        mov     rcx,qword ptr [r9+40h]

The code above was pulled from the dmp; look closely at line 6.

 1 .text:0000000140095CFC 65 4C 8B 04 25 20 00 00 00                    mov     r8, gs:20h
 2 .text:0000000140095D05 4C 8D 35 F4 A2 F6 FF                          lea     r14, cs:140000000h
 3 .text:0000000140095D0C 45 8B DF                                      mov     r11d, r15d
 4 .text:0000000140095D0F 4D 8B 88 40 06 00 00                          mov     r9, [r8+640h]
 5 .text:0000000140095D16 41 8B 40 24                                   mov     eax, [r8+24h]
 6 .text:0000000140095D1A 49 8B 91 88 00 00 00                          mov     rdx, [r9+88h]
 7 .text:0000000140095D21 41 8B 8C 86 40 A3 3A 00                       mov     ecx, ds:rva KiProcessorIndexToNumberMappingTable[r14+rax*4]
 8 .text:0000000140095D29 41 0F B6 80 51 06 00 00                       movzx   eax, byte ptr [r8+651h]
 9 .text:0000000140095D31 83 E1 3F                                      and     ecx, 3Fh
10 .text:0000000140095D34 41 0F B7 99 92 00 00 00                       movzx   ebx, word ptr [r9+92h]
11 .text:0000000140095D3C 48 0F B3 CA                                   btr     rdx, rcx
12 .text:0000000140095D40 49 8B 49 40                                   mov     rcx, [r9+40h]

This piece of code comes from disassembling the exe that the pdb download tool in the WinDbg toolset fetched for me.

The instructions come out different lengths! The kernel memory running on my machine has been modified. Why was it modified, who modified it, how was it modified, damn...

One question after another.

Work first; I'll come back and look at this when I have time.
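To pin down exactly which bytes disagree between the two listings above, the following script (an added example, not code from the original post) parses the WinDbg `u` output from the dump and the IDA listing of the downloaded ntoskrnl image, checks that both cover the same number of bytes, and reports every offset where they differ together with its kernel virtual address and its RVA in the image. The function names and the parsing rules are this example's own; the image base 0x140000000 is taken from the `lea r14, cs:140000000h` in the IDA listing.

```python
import re

# Both listings are copied from the post: the first is what WinDbg's `u` printed
# from the crash dump, the second is IDA's view of the same bytes in the
# ntoskrnl image fetched by the pdb download tool.
DUMP_LISTING = """
fffff803`e7d0ecfc 654c8b042520000000 mov   r8,qword ptr gs:[20h]
fffff803`e7d0ed05 4caf            scas    qword ptr [rdi]
fffff803`e7d0ed07 35f4a2f6ff      xor     eax,0FFF6A2F4h
fffff803`e7d0ed0c 458bdf          mov     r11d,r15d
fffff803`e7d0ed0f 4d8b8840060000  mov     r9,qword ptr [r8+640h]
fffff803`e7d0ed16 fd              std
fffff803`e7d0ed17 8b4024          mov     eax,dword ptr [rax+24h]
fffff803`e7d0ed1a 498b9188310000  mov     rdx,qword ptr [r9+3188h]
fffff803`e7d0ed21 418b8c8640a33a00 mov     ecx,dword ptr [r14+rax*4+3AA340h]
fffff803`e7d0ed29 410fb68051870000 movzx   eax,byte ptr [r8+8751h]
fffff803`e7d0ed31 83e13f          and     ecx,3Fh
fffff803`e7d0ed34 410fb79992000000 movzx   ebx,word ptr [r9+92h]
fffff803`e7d0ed3c 480fb3ca        btr     rdx,rcx
fffff803`e7d0ed40 498b4940        mov     rcx,qword ptr [r9+40h]
"""

IMAGE_LISTING = """
.text:0000000140095CFC 65 4C 8B 04 25 20 00 00 00                    mov     r8, gs:20h
.text:0000000140095D05 4C 8D 35 F4 A2 F6 FF                          lea     r14, cs:140000000h
.text:0000000140095D0C 45 8B DF                                      mov     r11d, r15d
.text:0000000140095D0F 4D 8B 88 40 06 00 00                          mov     r9, [r8+640h]
.text:0000000140095D16 41 8B 40 24                                   mov     eax, [r8+24h]
.text:0000000140095D1A 49 8B 91 88 00 00 00                          mov     rdx, [r9+88h]
.text:0000000140095D21 41 8B 8C 86 40 A3 3A 00                       mov     ecx, ds:rva KiProcessorIndexToNumberMappingTable[r14+rax*4]
.text:0000000140095D29 41 0F B6 80 51 06 00 00                       movzx   eax, byte ptr [r8+651h]
.text:0000000140095D31 83 E1 3F                                      and     ecx, 3Fh
.text:0000000140095D34 41 0F B7 99 92 00 00 00                       movzx   ebx, word ptr [r9+92h]
.text:0000000140095D3C 48 0F B3 CA                                   btr     rdx, rcx
.text:0000000140095D40 49 8B 49 40                                   mov     rcx, [r9+40h]
"""

# Image base as loaded by IDA (assumption taken from the `lea r14, cs:140000000h` line).
IMAGE_BASE = 0x140000000

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_windbg(listing):
    """Return (start_va, bytes) from WinDbg `u` output: 'addr hexbytes mnemonic operands'."""
    start, data = None, bytearray()
    for line in listing.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        addr = int(tokens[0].replace("`", ""), 16)
        if start is None:
            start = addr
        # Each line must start exactly where the previous one ended, otherwise the
        # listing has a gap and a byte-for-byte comparison would be meaningless.
        assert addr == start + len(data), f"gap or overlap at {addr:#x}"
        data += bytes.fromhex(tokens[1])
    return start, bytes(data)


def parse_ida(listing):
    """Return (start_va, bytes) from an IDA listing: '.text:ADDR XX XX .. mnemonic operands'."""
    start, data = None, bytearray()
    for line in listing.strip().splitlines():
        tokens = line.split()
        if not tokens or ":" not in tokens[0]:
            continue
        addr = int(tokens[0].split(":", 1)[1], 16)
        if start is None:
            start = addr
        assert addr == start + len(data), f"gap or overlap at {addr:#x}"
        # The opcode bytes are the run of two-hex-digit tokens after the address; the
        # first token that is not one (the mnemonic) ends the run. A mnemonic that
        # happens to be two hex digits (e.g. a `db` data directive) would break this.
        for tok in tokens[1:]:
            if not HEX_BYTE.match(tok):
                break
            data.append(int(tok, 16))
    return start, bytes(data)


def diff_code(dump_listing, image_listing, image_base=IMAGE_BASE):
    """Return [(offset, dump_byte, image_byte, kernel_va, image_rva)] for every mismatch."""
    dump_start, dump_bytes = parse_windbg(dump_listing)
    image_start, image_bytes = parse_ida(image_listing)
    if len(dump_bytes) != len(image_bytes):
        raise ValueError(f"length mismatch: dump {len(dump_bytes)} vs image {len(image_bytes)}")
    return [
        (off, d, i, dump_start + off, image_start - image_base + off)
        for off, (d, i) in enumerate(zip(dump_bytes, image_bytes))
        if d != i
    ]


if __name__ == "__main__":
    for off, d, i, va, rva in diff_code(DUMP_LISTING, IMAGE_LISTING):
        print(f"+{off:02d}  dump {d:02x}  image {i:02x}  kernel {va:#x}  ntoskrnl RVA {rva:#x}")
```

Both listings cover the same 72 bytes, so it is not the total length that differs but the way WinDbg has to decode them: four single bytes disagree (at offsets 10, 26, 34 and 50), and the one at offset 26, kernel address fffff803`e7d0ed16, is the REX prefix of `mov eax, [r8+24h]` turned into `fd`, which decodes as `std` followed by `mov eax, dword ptr [rax+24h]` at fffff803`e7d0ed17, the exact address the bugcheck reports in Arg4. A byte-level comparison like this against the image the symbol server hands back is a quick way to confirm that the code in a dump no longer matches what was loaded from disk before looking for the cause.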

Original post: https://www.cnblogs.com/suanguade/p/5953193.html