dro
commented
5 years ago @DiskGetor Please attach the accompanying crash dump.
Closed ddkwork closed 4 years ago
dro
commented
5 years ago @DiskGetor Please attach the accompanying crash dump.
ddkwork
commented
5 years ago hello,i was do some test: log("KeGenericCallDpc-->0x%p", KeGenericCallDpc); auto irql = KeGetCurrentIrql(); log("irql-->%03u", irql); if (irql >= PASSIVE_LEVEL && irql <= APC_LEVEL) { // Generates a DPC that makes all processors execute the broadcast function. KeGenericCallDpc(HvpDPCBroadcastFunction, (PVOID)GlobalContext);//windows7 X64 BSID 0x1E } else{ return NULL; }
HvpDPCBroadcastFunction was bsod:0x1e on windows7 X64 121818-11731-01.zip
Gbps
commented
5 years ago The dump file you attached does not have enough information to debug the crash.
Could you provide a log output from DebugView before the crash?
ddkwork
commented
5 years ago 您附加的转储文件没有足够的信息来调试崩溃。
你可以在崩溃之前提供DebugView的日志输出吗? for get log,i do this--> //KeGenericCallDpc(HvpDPCBroadcastFunction, (PVOID)GlobalContext); kGe64.log
ddkwork
commented
5 years ago A strange problem is that hook NtCreateFile works well over a long period of time, but hook NtDeviceIoControlFile automatically exits EPT SHADOW PAGE after about 20 minutes.
NTSTATUS fake_NtDeviceIoControlFile (
In HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
In PIO_APC_ROUTINE Apc Routine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatus Block,
In ULONG IoControl Code,
In PVOID InputBuffer OPTIONAL,
In ULONG Input Buffer Length,
OUT PVOID Output Buffer OPTIONAL,
IN ULONG Output Buffer Length
{
Log_("on fake_NtDeviceIoControlFile");
Return orig_NtDeviceIoControlFile (
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
IoControl Code,
InputBuffer,
Input Buffer Length,
Output Buffer,
Output Buffer Length
);
} nt.log
i am got a bsod 0x139 on win10 1809 when unload driver ,and bsod page fult on win7 when load driver ,tested on with my notebook cpu intel i3.