Moderators and experts: I modified the bulkusb sample from the WinDDK to develop a WDM USB driver and ran into a problem that has stumped me for many days. I hope I can get some pointers from you all.
Previously I built something directly on that sample, and WriteFile and ReadFile from the application worked without any problems. Now I need to communicate through DeviceIoControl, using the Method_Direct_OUT method. To get something usable quickly, I copied the code from the WriteFile and ReadFile dispatch routines straight into the DeviceIoControl dispatch routine, made the appropriate changes, and used a local variable to select a read or a write operation.
It compiled, but after installing it and doing DeviceIoControl reads and writes from the application, the machine blue-screened immediately. The trace output in DebugMonitor showed that the device driver's execution flow was normal. I then debugged with WinDbg against XP installed in a virtual machine, single-stepping: after all of my driver's own source code had finished executing, a few more steps crashed the VM. The dump file shows the crash was caused by a read at an address; the read was issued by a lower-level driver, which accessed paged memory at the DISPATCH_LEVEL IRQL and crashed the system. Here is the debug output:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f827850a, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000004
CURRENT_IRQL: 2
FAULTING_IP:
USBPORT!USBPORT_FindUrbInIrpTable+7a
f827850a 8b7604 mov esi,dword ptr [esi+4]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: ComTest.exe
TRAP_FRAME: f88d2a64 -- (.trap 0xfffffffff88d2a64)
ErrCode = 00000000
eax=82873008 ebx=805436e8 ecx=82873024 edx=00000006 esi=00000000 edi=825ec430
eip=f827850a esp=f88d2ad8 ebp=f88d2aec iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
USBPORT!USBPORT_FindUrbInIrpTable+0x7a:
f827850a 8b7604 mov esi,dword ptr [esi+4] ds:0023:00000004=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f8bad to 80528bec
STACK_TEXT:
f88d2618 804f8bad 00000003 f88d2974 00000000 nt!RtlpBreakWithStatusInstruction
f88d2664 804f979a 00000003 00000004 f827850a nt!KiBugCheckDebugBreak+0x19
f88d2a44 80541693 0000000a 00000004 00000002 nt!KeBugCheck2+0x574
f88d2a44 f827850a 0000000a 00000004 00000002 nt!KiTrap0E+0x233
f88d2aec f827e362 828bf028 82873008 82816658 USBPORT!USBPORT_FindUrbInIrpTable+0x7a
f88d2b54 f827f3c6 0281cdf8 ffffffff 805436e8 USBPORT!USBPORT_FlushPendingList+0x43a
f88d2b84 f8286350 82914bd0 f88d2bbc f8285f14 USBPORT!USBPORT_QueueTransferUrb+0x248
f88d2b90 f8285f14 828bf028 8281c438 82816658 USBPORT!USBPORT_AsyncTransfer+0x30
f88d2bbc f828b088 82887030 828bf028 00000090 USBPORT!USBPORT_ProcessURB+0x3f4
f88d2bdc f82743d2 82887030 8281c438 8281c438 USBPORT!USBPORT_PdoInternalDeviceControlIrp+0x7e
f88d2c00 804ef129 8281c514 82887188 82816658 USBPORT!USBPORT_Dispatch+0x148
f88d2c10 f85ef59c f88d2c38 f85f382d 8281c438 nt!IopfCallDriver+0x31
f88d2c18 f85f382d 8281c438 82887030 8281c438 usbhub!USBH_PassIrp+0x18
f88d2c38 f85f40ae 82887d50 8281c438 8281d648 usbhub!USBH_PdoUrbFilter+0xbd
f88d2c54 f85f15e4 82816658 8281c438 f88d2c90 usbhub!USBH_PdoDispatch+0x202
f88d2c64 804ef129 82896788 8281c438 82816aa0 usbhub!USBH_HubDispatch+0x48
f88d2c74 f87984db 00220003 8281c514 80000000 nt!IopfCallDriver+0x31
f88d2c90 f879776b 82816948 8281c438 804f793f usbccgp!ParentInternalDeviceControl+0xbb
f88d2cb4 f87975d3 82816940 8281c438 0000000f usbccgp!USBC_InternalDeviceControl+0x3b
f88d2cf0 804ef129 82816888 8281c438 82816aa0 usbccgp!USBC_Dispatch+0x183
f88d2d00 f8799391 80000000 00000009 00220003 nt!IopfCallDriver+0x31
f88d2d30 f8797786 8281b9b8 8281c438 8281b9b8 usbccgp!FunctionInternalDeviceControl+0x1c1
f88d2d54 f87975d3 8281b9b0 8281c438 0000000f usbccgp!USBC_InternalDeviceControl+0x56
f88d2d90 804ef129 8281b8f8 8281c438 82816658 usbccgp!USBC_Dispatch+0x183
f88d2da0 f8977f8f 8281c438 828f7bd8 82815898 nt!IopfCallDriver+0x31
f88d2dc4 f89775bd 8281d648 827da770 f88d2de3 hidusb!HumReadReport+0xef
f88d2de4 f867fe8d 8281d648 8281c438 8281c438 hidusb!HumInternalIoctl+0x6b
f88d2df8 f8681284 8281d648 8281c438 8281c438 HIDCLASS!HidpCallDriver+0x3f
f88d2e14 f86810ec 8281d714 82815898 f88d2e5f HIDCLASS!HidpSubmitInterruptRead+0x84
f88d2e4c 804f16ae 00000000 8281c438 0081d714 HIDCLASS!HidpInterruptReadComplete+0x1d2
f88d2e7c f827c0d5 8281c438 82611cb0 828bf028 nt!IopfCompleteRequest+0xa2
f88d2ee4 f827cd47 82816658 00000000 828bf7d8 USBPORT!USBPORT_CompleteTransfer+0x373
f88d2f14 f827d944 026e6f44 828bf0e0 828bf0e0 USBPORT!USBPORT_DoneTransfer+0x137
f88d2f4c f827f13a 828bf028 805436e8 828bf230 USBPORT!USBPORT_FlushDoneTransferList+0x16c
f88d2f78 f828d24b 828bf028 805436e8 828bf028 USBPORT!USBPORT_DpcWorker+0x224
f88d2fb4 f828d3c2 828bf028 00000001 806d3732 USBPORT!USBPORT_IsrDpcWorker+0x38f
f88d2fd0 80542b9d 828bf64c 6b755044 00000000 USBPORT!USBPORT_IsrDpc+0x166
f88d2ff4 8054286a f6799b6c 00000000 00000000 nt!KiRetireDpcList+0x46
f88d2ff8 f6799b6c 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a
WARNING: Frame IP not in any known module. Following frames may be wrong.
8054286a 00000000 00000009 bb835675 00000128 0xf6799b6c
STACK_COMMAND: kb
FOLLOWUP_IP:
hidusb!HumReadReport+ef
f8977f8f 8b4d10 mov ecx,dword ptr [ebp+10h]
SYMBOL_STACK_INDEX: 19
SYMBOL_NAME: hidusb!HumReadReport+ef
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hidusb
IMAGE_NAME: hidusb.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 480254c7
FAILURE_BUCKET_ID: 0xD1_hidusb!HumReadReport+ef
BUCKET_ID: 0xD1_hidusb!HumReadReport+ef
Followup: MachineOwner
---------
kd> kp
ChildEBP RetAddr
f88d2618 804f8bad nt!RtlpBreakWithStatusInstruction
f88d2664 804f979a nt!KiBugCheckDebugBreak+0x19
f88d2a44 80541693 nt!KeBugCheck2+0x574
f88d2a44 f827850a nt!KiTrap0E+0x233
f88d2aec f827e362 USBPORT!USBPORT_FindUrbInIrpTable+0x7a
f88d2b54 f827f3c6 USBPORT!USBPORT_FlushPendingList+0x43a
f88d2b84 f8286350 USBPORT!USBPORT_QueueTransferUrb+0x248
f88d2b90 f8285f14 USBPORT!USBPORT_AsyncTransfer+0x30
f88d2bbc f828b088 USBPORT!USBPORT_ProcessURB+0x3f4
f88d2bdc f82743d2 USBPORT!USBPORT_PdoInternalDeviceControlIrp+0x7e
f88d2c00 804ef129 USBPORT!USBPORT_Dispatch+0x148
f88d2c10 f85ef59c nt!IopfCallDriver+0x31
f88d2c18 f85f382d usbhub!USBH_PassIrp+0x18
f88d2c38 f85f40ae usbhub!USBH_PdoUrbFilter+0xbd
f88d2c54 f85f15e4 usbhub!USBH_PdoDispatch+0x202
f88d2c64 804ef129 usbhub!USBH_HubDispatch+0x48
f88d2c74 f87984db nt!IopfCallDriver+0x31
f88d2c90 f879776b usbccgp!ParentInternalDeviceControl+0xbb
f88d2cb4 f87975d3 usbccgp!USBC_InternalDeviceControl+0x3b
f88d2cf0 804ef129 usbccgp!USBC_Dispatch+0x183
How can I pin down the error in my source code? Is defining a fairly large global array in the driver unsafe? Is this approach feasible at all? Thanks, everyone.
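An added triage helper (my own example, not code from the post or from the WinDDK sample) that parses the four bugcheck arguments of a 0xD1 dump in the !analyze -v format shown above and turns them into a first hint. The sample text is constructed from the post's Arg1..Arg4 lines; the rule "referenced address below 0x10000 means a NULL pointer plus a field offset" is consistent with the trap frame above, where esi=00000000 and the faulting instruction reads [esi+4].

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the argument lines copied from the post's !analyze -v output. */
static const char *SAMPLE_DUMP =
    "DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)\n"
    "Arguments:\n"
    "Arg1: 00000004, memory referenced\n"
    "Arg2: 00000002, IRQL\n"
    "Arg3: 00000000, value 0 = read operation, 1 = write operation\n"
    "Arg4: f827850a, address which referenced memory\n";

/* Decoded arguments of a DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) bugcheck. */
struct d1_info {
    uint32_t address;   /* Arg1: the address the faulting instruction touched */
    uint32_t irql;      /* Arg2: IRQL at the time of the fault (2 = DISPATCH_LEVEL) */
    int      is_write;  /* Arg3: 0 = read, 1 = write */
    uint32_t fault_ip;  /* Arg4: address of the faulting instruction */
};

/* Parse the Arg1..Arg4 lines; returns how many of the four were found. */
int parse_d1(const char *dump, struct d1_info *out)
{
    int found = 0;
    const char *p = dump;
    memset(out, 0, sizeof *out);
    while (p && *p) {              /* each iteration looks at one line */
        unsigned v;
        if (sscanf(p, "Arg1: %x", &v) == 1)      { out->address  = v;        found++; }
        else if (sscanf(p, "Arg2: %x", &v) == 1) { out->irql     = v;        found++; }
        else if (sscanf(p, "Arg3: %x", &v) == 1) { out->is_write = (v != 0); found++; }
        else if (sscanf(p, "Arg4: %x", &v) == 1) { out->fault_ip = v;        found++; }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return found;
}

enum d1_hint { D1_NULL_FIELD, D1_INVALID_AT_DISPATCH, D1_NO_HINT };

/* Triage hint: on x86 Windows the first 64 KiB is never mapped, so a referenced
   address there is a NULL struct pointer plus the offset of the field read
   (here offset 4). Any other address touched at DISPATCH_LEVEL or above is
   pageable or otherwise invalid memory, as the bugcheck text itself says. */
enum d1_hint triage_d1(const struct d1_info *d)
{
    if (d->address < 0x10000) return D1_NULL_FIELD;
    if (d->irql >= 2)         return D1_INVALID_AT_DISPATCH;
    return D1_NO_HINT;
}
```

For the post's dump this yields a read of address 4 at IRQL 2 from f827850a and the NULL-plus-offset hint, which is the first thing to check before suspecting paged memory.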