C语言 在minifilter中获取文件读访问的进程名时崩溃



当试图获取任何文件读访问的进程名时，系统崩溃，错误码为 PAGE_FAULT_IN_NONPAGED_AREA。代码在一段时间内（大约30分钟）运行良好；只要 SpyShelter 在运行，就会发生崩溃。

我想不明白原因，期待各位专家的回复。

代码:

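/*
 * Resolve the image path of the process `eProcess` into a freshly allocated
 * UNICODE_STRING via ZwQueryInformationProcess(ProcessImageFileName).
 *
 * Parameters:
 *   eProcess         - process object to query; must not be NULL.
 *   ProcessImageName - receives a pointer to a paged-pool UNICODE_STRING whose
 *                      character buffer lives in the same allocation. On
 *                      success the caller owns it and releases it with
 *                      ExFreePoolWithTag(..., SPY_TAG) (plain ExFreePool also
 *                      works). On every failure path it is set to NULL.
 *
 * Returns: STATUS_SUCCESS; STATUS_INVALID_PARAMETER_1 / _2 for a NULL
 *          argument; STATUS_INSUFFICIENT_RESOURCES when the pool allocation
 *          fails; otherwise the NTSTATUS of the failing call, or
 *          STATUS_UNSUCCESSFUL when the routine cannot be resolved or the
 *          reported length is implausible.
 *
 * IRQL: PASSIVE_LEVEL. ZwQueryInformationProcess is documented for
 *       PASSIVE_LEVEL and ObOpenObjectByPointer for <= APC_LEVEL; PAGED_CODE()
 *       asserts IRQL <= APC_LEVEL on checked builds. Do not call this from a
 *       path that may run at DISPATCH_LEVEL.
 *
 * NOTE(review): creating a handle runs every registered ObRegisterCallbacks
 * pre-operation callback (the crash stack in this thread faults inside a
 * third-party callback under ObOpenObjectByPointer -> ObpCreateHandle ->
 * ObpCallPreOperationCallbacks). SeLocateProcessImageName() returns the same
 * path with no handle at all and is the preferable API where available; this
 * version keeps the handle-based approach and fixes its defects:
 *   - the allocation-failure test checked the out-pointer instead of the
 *     allocation, so an OOM went on to ExFreePool(NULL);
 *   - returnedLength was read before the status that makes it meaningful,
 *     and was never initialised;
 *   - the handle was created without OBJ_KERNEL_HANDLE and with no access
 *     mask or type check;
 *   - the hard 260-byte cap (about 122 wide characters) rejected any process
 *     whose image path is merely long.
 */
NTSTATUS GetProcessImageName(
PEPROCESS eProcess,
PUNICODE_STRING* ProcessImageName
)
{
    /* Largest value the size query can legitimately report: the header plus a
     * buffer no longer than a UNICODE_STRING can address. Anything above this
     * means the call did not fill returnedLength sensibly. */
    const ULONG maxReportedLength = (ULONG)(sizeof(UNICODE_STRING) + MAXUSHORT);

    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG returnedLength = 0;      /* initialised: logged below even on early failure */
    HANDLE hProcess = NULL;
    PUNICODE_STRING imageName = NULL;

    PAGED_CODE();   /* original note: this also rules out the idle thread/process */

    if (eProcess == NULL) {
        return STATUS_INVALID_PARAMETER_1;
    }
    if (ProcessImageName == NULL) {
        return STATUS_INVALID_PARAMETER_2;
    }
    *ProcessImageName = NULL;      /* defined output on every failure path */

    /*
     * OBJ_KERNEL_HANDLE: a minifilter pre-operation callback generally runs in
     * the context of the thread that issued the I/O (the stack in this thread
     * shows a user-mode NtLoadKeyEx -> NtReadFile path), so without the flag
     * the handle would land in that process's handle table where user mode
     * could close or reuse it. Ask only for the access the query needs and
     * let the object manager verify that eProcess really is a process.
     */
    status = ObOpenObjectByPointer(eProcess,
                                   OBJ_KERNEL_HANDLE,
                                   NULL,
                                   PROCESS_QUERY_LIMITED_INFORMATION,
                                   *PsProcessType,
                                   KernelMode,
                                   &hProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ObOpenObjectByPointer Failed: %08x\n", status);
        return status;
    }

    /* Resolved lazily through MmGetSystemRoutineAddress, presumably because the
     * routine is not declared or linked in the headers this driver builds with.
     * The global is a plain pointer: two first callers racing here both resolve
     * the same address, which is harmless. */
    if (ZwQueryInformationProcess == NULL) {
        UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"ZwQueryInformationProcess");
        ZwQueryInformationProcess = (QUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);
        if (ZwQueryInformationProcess == NULL) {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            status = STATUS_UNSUCCESSFUL;
            goto cleanUp;
        }
    }

    /* Size query: no buffer, expect STATUS_INFO_LENGTH_MISMATCH. returnedLength
     * is only meaningful on that outcome, so check the status first. */
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       NULL,   /* buffer */
                                       0,      /* buffer size */
                                       &returnedLength);
    DbgPrint("\n\nMiniPreRead: kernelToUserMode: ProcessNameLength: %u\n", returnedLength);

    if (status != STATUS_INFO_LENGTH_MISMATCH) {
        DbgPrint("ZwQueryInformationProcess status = %x\n", status);
        /* An unexpected success with no buffer is still a failure for us. */
        if (NT_SUCCESS(status)) {
            status = STATUS_UNSUCCESSFUL;
        }
        goto cleanUp;
    }
    if (returnedLength < sizeof(UNICODE_STRING) || returnedLength > maxReportedLength) {
        DbgPrint("ZwQueryInformationProcess reported implausible length %u\n", returnedLength);
        status = STATUS_UNSUCCESSFUL;
        goto cleanUp;
    }

    imageName = (PUNICODE_STRING)ExAllocatePoolWithTag(PagedPool, returnedLength, SPY_TAG);
    if (imageName == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto cleanUp;
    }

    /* Second call fills the header and the trailing character buffer. */
    status = ZwQueryInformationProcess(hProcess,
                                       ProcessImageFileName,
                                       imageName,
                                       returnedLength,
                                       &returnedLength);
    if (!NT_SUCCESS(status)) {
        ExFreePoolWithTag(imageName, SPY_TAG);
        imageName = NULL;
        goto cleanUp;
    }

    *ProcessImageName = imageName;  /* ownership passes to the caller */

cleanUp:
    if (hProcess != NULL) {
        ZwClose(hProcess);
    }
    return status;
}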

谢谢你。

现在堆栈显示崩溃时正在执行文件 minispy.c 的第702行（见下方 STACK_TEXT 中 minispy!GetProcessImageName+0x4b 那一帧）：

**STACK_TEXT**
FAILED_INSTRUCTION_ADDRESS: 
win32kbase!UserIsUserCritSecIn+0
ffffe54c`f35e0450 ??              ???
STACK_TEXT:  
ffffec87`2d597dd8 fffff805`57ca8d02 : ffffe54c`f35e0450 00000000`00000003 ffffec87`2d597f40 fffff805`57b1afe0 : nt!DbgBreakPointWithStatus
ffffec87`2d597de0 fffff805`57ca83f7 : ffffe54c`00000003 ffffec87`2d597f40 fffff805`57bd81f0 ffffec87`2d598480 : nt!KiBugCheckDebugBreak+0x12
ffffec87`2d597e40 fffff805`57bc3b97 : fffff805`57e641f8 fffff805`57cd2855 ffffe54c`f35e0450 ffffe54c`f35e0450 : nt!KeBugCheck2+0x947
ffffec87`2d598540 fffff805`57c13ae0 : 00000000`00000050 ffffe54c`f35e0450 00000000`00000010 ffffec87`2d598820 : nt!KeBugCheckEx+0x107
ffffec87`2d598580 fffff805`57acdcbf : 00000000`00000000 00000000`00000010 00000000`00000000 ffffe54c`f35e0450 : nt!MiSystemFault+0x18f320
ffffec87`2d598680 fffff805`57bd1b5e : 00000000`00000240 00000000`00000240 00000000`00000000 ffffec87`2d598950 : nt!MmAccessFault+0x34f
ffffec87`2d598820 ffffe54c`f35e0450 : fffff807`cf85af9b ffffec87`2d598c30 ffffec87`2d598db0 00000000`00000020 : nt!KiPageFault+0x35e
ffffec87`2d5989b8 fffff807`cf85af9b : ffffec87`2d598c30 ffffec87`2d598db0 00000000`00000020 fffff807`cf86c772 : win32kbase!UserIsUserCritSecIn
ffffec87`2d5989c0 fffff807`cf85b8a9 : ffffec87`2d598c98 ffff9804`00000000 00000000`000047bb 00000000`00000000 : SpyShelter!SpS_GetProcessPathW+0x15eb
ffffec87`2d598a50 fffff805`5801b10d : ffffbf80`6bec0d00 ffffec87`2d598c98 ffffec87`2d598c98 ffffec87`00000000 : SpyShelter!SpS_GetProcessPathW+0x1ef9
ffffec87`2d598a80 fffff805`5802afa5 : 00000000`00000000 ffffec87`2d598c20 00000000`00000000 ffff9804`9229de80 : nt!ObpCallPreOperationCallbacks+0x10d
ffffec87`2d598b00 fffff805`5800774c : 00000000`00000000 00000000`00000000 ffff9804`998ed4c0 006e0069`00000000 : nt!ObpCreateHandle+0xab5
ffffec87`2d598d30 fffff805`5631104b : ffff9804`99d1bb50 00000000`10000004 ffffec87`2d599549 fffff805`57b1b02c : nt!ObOpenObjectByPointer+0xec
ffffec87`2d598f90 fffff805`56311321 : fffff805`56312c60 00000000`00000200 00000000`00000000 ffff9804`99d1bdb0 : minispy!GetProcessImageName+0x4b [C:UsersjayDocumentsVisual Studio 2015ProjectsminispyNetworkShareBlockfilterminispy.c @ 702]
ffffec87`2d5994a0 fffff805`5c5845d0 : ffffec87`2d599680 00000000`00000000 ffff9804`96fbbb03 00000000`00060900 : FLTMGR!FltpPerformPreCallbacks+0x2fd
ffffec87`2d5995b0 fffff805`5c584142 : 00000000`00000000 ffffec87`2d599680 ffff9804`96fbbb20 ffffec87`2d599690 : FLTMGR!FltpPassThroughInternal+0x90
ffffec87`2d5995e0 fffff805`5c583f2e : 00000000`00000000 00000000`00000000 00000000`00000000 fffff805`580319a5 : FLTMGR!FltpPassThrough+0x162
ffffec87`2d599660 fffff805`57a467f9 : ffff9804`96fbbb20 00000000`00000200 00000000`00000000 ffffffff`80001ef8 : FLTMGR!FltpDispatch+0x9e
ffffec87`2d5996c0 fffff805`58029d65 : 00000000`00000000 ffff9804`9a12c990 ffff9804`9a12c9e0 ffff9804`9a12c990 : nt!IofCallDriver+0x59
ffffec87`2d599700 fffff805`58026cbf : ffff9804`00000000 ffff9804`9abda8e0 ffffec87`2d599af0 ffffec87`2d599980 : nt!IopSynchronousServiceTail+0x1a5
ffffec87`2d5997a0 fffff805`57bd5355 : 00000000`00000001 ffffffff`80001ef8 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x59f
ffffec87`2d599890 fffff805`57bc78b0 : fffff805`57b28996 ffffbf80`744d7000 ffffffff`80002610 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
ffffec87`2d599a98 fffff805`57b28996 : ffffbf80`744d7000 ffffffff`80002610 00000000`00000000 00000000`00000000 : nt!KiServiceLinkage
ffffec87`2d599aa0 fffff805`580da37c : ffffbf80`744d7000 ffffec87`2d599c30 ffffbf80`00000000 ffffbf80`744d7000 : nt!CmpDoFileRead+0xb6
ffffec87`2d599b50 fffff805`58086ca4 : 00000000`00000030 ffffbf80`782e1000 ffffbf80`782e1000 ffffbf80`71f2cb90 : nt!CmpFileRead+0x2c
ffffec87`2d599ba0 fffff805`58084e5d : 00000000`00000030 ffffec87`2d59a3d0 ffffbf80`782e1000 ffffbf80`782e1000 : nt!HvpGetHiveHeader+0x7c
ffffec87`2d599be0 fffff805`58086e8c : ffffec87`2d599e60 01d714ee`4baa7a6a 00000000`00000001 ffffbf80`782e1000 : nt!HvLoadHive+0xa1
ffffec87`2d599d20 fffff805`580844ae : ffffffff`ffffffff ffffec87`2d599e60 00000000`00000001 00000000`00000000 : nt!HvHiveStartFileBacked+0x100
ffffec87`2d599d60 fffff805`57fe2151 : 00000000`00000000 00000000`0000009c ffffec87`2d59a090 00000000`00000000 : nt!CmpCreateHive+0x62a
ffffec87`2d599f90 fffff805`58099833 : ffff9804`99bd93a0 fffff805`57a4e5b6 ffff9804`99bd9118 fffff805`57e63878 : nt!CmpInitHiveFromFile+0x3f9
ffffec87`2d59a1d0 fffff805`57fe2f10 : fffff805`57e63880 ffffec87`2d59a350 00000000`00000000 ffffec87`2d59a768 : nt!CmpCmdHiveOpen+0xd7
ffffec87`2d59a250 fffff805`57fe4ba5 : 00000000`00000000 ffffec87`00000010 00000000`00000000 00000000`00000001 : nt!CmLoadAppKey+0x364
ffffec87`2d59a6a0 fffff805`57fe4331 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff813d`8d0f6699 : nt!CmLoadDifferencingKey+0x869
ffffec87`2d59aa20 fffff805`57bd5355 : 00000000`00000620 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtLoadKeyEx+0x51
ffffec87`2d59aa90 00007ffe`ecb7ee04 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000a9`b57fe238 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`ecb7ee04

第702行:

status = ObOpenObjectByPointer(eProcess,
0, NULL, 0, 0, KernelMode, &hProcess);
if (!NT_SUCCESS(status))
{
DbgPrint("ObOpenObjectByPointer Failed: %08xn", status);
return status;
}

IRP_MJ_READ 的 pre-operation 回调并不总在 PASSIVE_LEVEL 被调用（分页 I/O 时可以到 APC_LEVEL，也有人报告更高），而根据 WDK 文档，ObOpenObjectByPointer 必须在 APC_LEVEL 或更低的 IRQL 调用，这里随后调用的 ZwQueryInformationProcess 更要求 PASSIVE_LEVEL。另外，从上面的堆栈可以看到，这次故障实际发生在 SpyShelter 注册的对象回调里（ObOpenObjectByPointer → ObpCreateHandle → ObpCallPreOperationCallbacks → SpyShelter!SpS_GetProcessPathW）：为进程创建句柄这一步触发了第三方回调，只要不打开句柄，就不会进入该回调。

我建议你在IRP_MJ_CREATE操作回调中获取并保存进程名,并在IRP_MJ_READ操作中使用它。

最新更新