Here is the situation. I created a new page directory for a process, changed only one PDE and... crash. QUESTION: does anyone know what the problem is????

*** Fatal System Error: 0x0000007f
                       (0x00000008,0x80042000,0x00000000,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
.............WARNING: Process directory table base 00003000 doesn't match CR3 00039000
WARNING: Process directory table base 00003000 doesn't match CR3 00039000

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are.
Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: mssmbios!_SMBIOS_DATA_OBJECT                  ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

BUGCHECK_STR:  0x7f_8

TSS:  00000028 -- (.tss 0x28)
eax=00000001 ebx=ffffffff ecx=ffffffff edx=ffffffff esi=ffa8ede0 edi=ffffffff
eip=804e9634 esp=fc92dff4 ebp=fc92e018 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!MmAccessFault+0xc:
804e9634 53              push    ebx
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  TOTALCMD.EXE

LAST_CONTROL_TRANSFER:  from 00000000 to 804e9634

STACK_TEXT:
8054d730 805328e7 00000003 8054da8c 00000000 nt!RtlpBreakWithStatusInstruction
8054d77c 805333be 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x19
8054db5c 804e0fad 0000007f 00000008 80042000 nt!KeBugCheck2+0x574
8054db5c 804e9634 0000007f 00000008 80042000 nt!KiTrap08+0x44
fc92e018 00000000 00000000 00000000 00000000 nt!MmAccessFault+0xc

STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!KiTrap08+44
804e0fad ebee            jmp     nt!KiTrap08+0x34 (804e0f9d)

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!KiTrap08+44

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  41108004

FAILURE_BUCKET_ID:  0x7f_8_nt!KiTrap08+44

BUCKET_ID:  0x7f_8_nt!KiTrap08+44

Followup: MachineOwner
---------
Nothing is clear from this analysis.. post the code here. PS. When swapping page directories, keep in mind that some of the information is duplicated in MMPFN and so on. Besides, there are pointers to PTEs in there.
It is perfectly clear: the kernel stack ran out. That usually happens because of some delicious recursion, or when somebody clever allocates arrays right on the stack.
/* Posted fragment, reflowed into lines and wrapped in a function (the function name is
 * a placeholder added here); the lookup status check, the zeroing of the new page table
 * and the final ObDereferenceObject are additions, everything else is as posted. */
NTSTATUS ReplaceOnePdeInNewDirectory(VOID)
{
    /* One zeroed non-paged page, and its PFN. */
    PVOID Address1 = ExAllocatePool(NonPagedPool, PAGE_SIZE);
    RtlZeroMemory(Address1, PAGE_SIZE);
    PHYSICAL_ADDRESS PhysicalAddress1 = MmGetPhysicalAddress(Address1);
    PFN_NUMBER AddressIndex1 = (PFN_NUMBER)(PhysicalAddress1.QuadPart >> PAGE_SHIFT);

    /* Reserve one system PTE and make it map that page. */
    PMMPTE PointerPte = MiReserveSystemPtes(1, SystemPteSpace);
    MMPTE TempPte;
    TempPte.u.Long = ValidKernelPte.u.Long;
    TempPte.u.Hard.PageFrameNumber = AddressIndex1;
    MI_WRITE_VALID_PTE(PointerPte, TempPte);

    /* The VA that PTE maps, its PDE, and the PDE's byte offset inside the directory page. */
    PVOID Va = MiGetVirtualAddressMappedByPte(PointerPte);
    PMMPTE PointerPde = MiGetPdeAddress(Va);
    ULONG Offset = (ULONG)PointerPde - PDE_BASE;

    /* Two physically contiguous pages: the new page directory and a new page table.
     * 0x00000000FFFFFF is 0xFFFFFF, i.e. the allocation is restricted to the first 16 MB. */
    PHYSICAL_ADDRESS HighestAcceptableAddress;
    HighestAcceptableAddress.QuadPart = 0x00000000FFFFFF;
    PVOID DirectoryTableVa = MmAllocateContiguousMemory(PAGE_SIZE, HighestAcceptableAddress);
    PVOID TableVa = MmAllocateContiguousMemory(PAGE_SIZE, HighestAcceptableAddress);
    PHYSICAL_ADDRESS DirectoryTable = MmGetPhysicalAddress(DirectoryTableVa);
    PHYSICAL_ADDRESS Table = MmGetPhysicalAddress(TableVa);
    PFN_NUMBER TablePfn = (PFN_NUMBER)(Table.QuadPart >> PAGE_SHIFT);
    RtlZeroMemory(DirectoryTableVa, PAGE_SIZE);
    RtlZeroMemory(TableVa, PAGE_SIZE);   /* added: contiguous memory is not zeroed on return */

    /* Attach to the target so PDE_BASE refers to its page directory, and copy that page.
     * Note: the copy also carries the self-map PDE (index PDE_BASE >> 22), which still
     * names the original directory page rather than the new one. */
    PEPROCESS Process;
    NTSTATUS Status = PsLookupProcessByProcessId((HANDLE)444, &Process);
    if (!NT_SUCCESS(Status)) {
        return Status;   /* added: the posted code did not check the lookup result */
    }
    KeAttachProcess(&Process->Pcb);
    RtlCopyMemory(DirectoryTableVa, (const void *)PDE_BASE, PAGE_SIZE);

    /* Replace the one PDE in the copy with a valid PDE pointing at the new page table. */
    PMMPTE PointerPde1 = (PMMPTE)((PCHAR)DirectoryTableVa + Offset);
    MMPTE TempPde;
    MI_MAKE_VALID_PTE(TempPde, TablePfn, MM_READWRITE, 0);
    PointerPde1->u.Long = TempPde.u.Long;
    KeDetachProcess();

    /* Switch the process over to the new directory. */
    PspLockProcessExclusive(Process);
    LOCK_ADDRESS_SPACE(Process);
    Process->Pcb.DirectoryTableBase[0] = (PVOID)DirectoryTable.QuadPart;
    UNLOCK_ADDRESS_SPACE(Process);
    PspUnlockProcessExclusive(Process);

    ObDereferenceObject(Process);   /* added: PsLookupProcessByProcessId returns a referenced object */
    return STATUS_SUCCESS;
}
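An added example, not code from the thread: a user-mode C model of what a plain page-sized copy of the directory (the RtlCopyMemory from PDE_BASE in the posted code) does to the x86 self-map entry, next to a copy that repoints that entry, and a consistency check of the kind the debugger's "directory table base doesn't match CR3" warning is getting at. It assumes a non-PAE x86 NT layout where PDE_BASE is 0xC0300000, so the page directory maps itself through entry 0x300; the function names and all PFN values are constructed for the model.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_BYTES      4096u
#define PDE_COUNT       (PAGE_BYTES / sizeof(uint32_t))   /* 1024 entries per directory */
#define PDE_BASE_VA     0xC0300000u          /* x86 NT: the directory seen through its self-map */
#define PDE_SELF_INDEX  (PDE_BASE_VA >> 22)  /* 0x300: the self-referencing entry */
#define PDE_PRESENT     0x1u
#define PDE_WRITE       0x2u
#define PFN_OF(entry)   ((entry) >> 12)
#define MAKE_PDE(pfn, flags) (((uint32_t)(pfn) << 12) | (flags))

typedef struct { uint32_t e[PDE_COUNT]; } page_directory;

/* Constructed sample directory that lives in physical page `own_pfn`. */
static void build_sample_directory(page_directory *pd, uint32_t own_pfn)
{
    memset(pd, 0, sizeof *pd);
    pd->e[0x000] = MAKE_PDE(0x100, PDE_PRESENT | PDE_WRITE);  /* a user-space PDE */
    pd->e[0x200] = MAKE_PDE(0x200, PDE_PRESENT | PDE_WRITE);  /* a kernel PDE */
    pd->e[PDE_SELF_INDEX] = MAKE_PDE(own_pfn, PDE_PRESENT | PDE_WRITE);
}

/* What a byte copy of the directory page does: every entry, self-map included, is copied. */
static void clone_directory_naive(const page_directory *src, page_directory *dst)
{
    memcpy(dst, src, sizeof *dst);
}

/* Same copy, but the self-map entry is repointed at the clone's own physical page. */
static void clone_directory_fixed(const page_directory *src, page_directory *dst, uint32_t dst_pfn)
{
    memcpy(dst, src, sizeof *dst);
    dst->e[PDE_SELF_INDEX] = MAKE_PDE(dst_pfn, PDE_PRESENT | PDE_WRITE);
}

/* Invariant: with CR3 = cr3_pfn, the directory's self-map must reference that same page,
 * otherwise PDE_BASE/PTE_BASE accesses edit a different directory than the CPU is using. */
static int self_map_consistent(const page_directory *pd, uint32_t cr3_pfn)
{
    uint32_t self = pd->e[PDE_SELF_INDEX];
    return (self & PDE_PRESENT) != 0 && PFN_OF(self) == cr3_pfn;
}

/* Which physical page a write to PDE_BASE would actually land in under this directory. */
static uint32_t pde_base_target_pfn(const page_directory *pd)
{
    return PFN_OF(pd->e[PDE_SELF_INDEX]);
}

/* Scenario: clone the sample directory (at src_pfn) into dst_pfn, with or without the
 * fix-up, and report whether the clone is self-consistent once CR3 points at it. */
static int clone_scenario_consistent(int fix_self_map, uint32_t src_pfn, uint32_t dst_pfn)
{
    page_directory src, dst;
    build_sample_directory(&src, src_pfn);
    if (fix_self_map) clone_directory_fixed(&src, &dst, dst_pfn);
    else              clone_directory_naive(&src, &dst);
    return self_map_consistent(&dst, dst_pfn);
}

/* Same scenario, reporting where PDE_BASE resolves through the clone. */
static uint32_t clone_scenario_target_pfn(int fix_self_map, uint32_t src_pfn, uint32_t dst_pfn)
{
    page_directory src, dst;
    build_sample_directory(&src, src_pfn);
    if (fix_self_map) clone_directory_fixed(&src, &dst, dst_pfn);
    else              clone_directory_naive(&src, &dst);
    return pde_base_target_pfn(&dst);
}

int main(void)
{
    /* Constructed PFNs echoing the numbers in the dump: CR3 page 0x39, new directory page 0x3. */
    printf("naive clone: consistent=%d, PDE_BASE resolves to pfn %#x\n",
           clone_scenario_consistent(0, 0x39, 0x3), clone_scenario_target_pfn(0, 0x39, 0x3));
    printf("fixed clone: consistent=%d, PDE_BASE resolves to pfn %#x\n",
           clone_scenario_consistent(1, 0x39, 0x3), clone_scenario_target_pfn(1, 0x39, 0x3));
    return 0;
}
```

The naive clone keeps resolving PDE_BASE to the original directory page, so after CR3 is switched any PDE or PTE manipulation through the recursive mapping goes to a directory the CPU is no longer using; the check in self_map_consistent is what to run on a cloned directory before installing it in DirectoryTableBase.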