

Tencent TenProtect causes KMODE

When launching DNF, during the startup of Tencent's TenProtect the system suddenly reported KMODE_EXCEPTION_NOT_HANDLED and blue-screened.

[The kernel memory dump is fairly large, but I will upload it if necessary]

The related DMP analysis report is as follows

Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 14393 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 14393.1358.amd64fre.rs1_release.170602-2252
Machine Name:
Kernel base = 0xfffff800`48a16000 PsLoadedModuleList = 0xfffff800`48d15000
Debug session time: Thu Jun 29 23:46:23.857 2017 (UTC + 9:00)
System Uptime: 0 days 0:09:27.704
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...........
Loading User Symbols

Loading unloaded module list
..............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000096, ffff80029903fdee, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KiDispatchException+220 )

Followup:     MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000096, The exception code that was not handled
Arg2: ffff80029903fdee, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  14393.1358.amd64fre.rs1_release.170602-2252

SYSTEM_MANUFACTURER:  Micro-Star International Co., Ltd.

SYSTEM_PRODUCT_NAME:  GE72 6QD

SYSTEM_SKU:  Default string

SYSTEM_VERSION:  REV:1.0

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  E1795IMS.114

BIOS_DATE:  04/29/2016

BASEBOARD_MANUFACTURER:  Micro-Star International Co., Ltd.

BASEBOARD_PRODUCT:  MS-1795

BASEBOARD_VERSION:  REV:0.A

DUMP_TYPE:  1

BUGCHECK_P1: ffffffffc0000096

BUGCHECK_P2: ffff80029903fdee

BUGCHECK_P3: 0

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000096 - {

FAULTING_IP:
+0
ffff8002`9903fdee 0f015df6        lidt    tbyte ptr [rbp-0Ah]

BUGCHECK_STR:  0x1E_c0000096

CPU_COUNT: 8

CPU_MHZ: a20

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: 84'00000000 (cache) 84'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  e

ANALYSIS_SESSION_HOST:  MSI-GE72

ANALYSIS_SESSION_TIME:  06-30-2017 12:07:05.0700

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER:  from fffff80048abd8c0 to fffff80048b64ce0

STACK_TEXT:  
ffffd781`77fbb4b8 fffff800`48abd8c0 : 00000000`0000001e ffffffff`c0000096 ffff8002`9903fdee 00000000`00000000 : nt!KeBugCheckEx
ffffd781`77fbb4c0 fffff800`48b6ff0e : 00000000`00000000 ffffc33a`00044200 00000000`00000000 00005d7d`bab296cf : nt!KiDispatchException+0x220
ffffd781`77fbbb80 fffff800`48b6e1bd : ffffd781`7bc75950 fffff800`48a16000 00000000`00000246 00000000`00000fff : nt!KiExceptionDispatch+0xce
ffffd781`77fbbd60 ffff8002`9903fdee : 0fff0000`00000006 ffffab8d`6438b000 ffffd781`77faca00 ffff8002`9921be16 : nt!KiGeneralProtectionFault+0xfd
ffffd781`77fbbef0 0fff0000`00000006 : ffffab8d`6438b000 ffffd781`77faca00 ffff8002`9921be16 00000000`000004ac : 0xffff8002`9903fdee
ffffd781`77fbbef8 ffffab8d`6438b000 : ffffd781`77faca00 ffff8002`9921be16 00000000`000004ac ffffd781`7bc75970 : 0x0fff0000`00000006
ffffd781`77fbbf00 ffffd781`77faca00 : ffff8002`9921be16 00000000`000004ac ffffd781`7bc75970 00000000`00000292 : 0xffffab8d`6438b000
ffffd781`77fbbf08 ffff8002`9921be16 : 00000000`000004ac ffffd781`7bc75970 00000000`00000292 00000000`00000202 : 0xffffd781`77faca00
ffffd781`77fbbf10 00000000`000004ac : ffffd781`7bc75970 00000000`00000292 00000000`00000202 d78177f8`ed700fff : 0xffff8002`9921be16
ffffd781`77fbbf18 ffffd781`7bc75970 : 00000000`00000292 00000000`00000202 d78177f8`ed700fff ffffd781`77fbffff : 0x4ac
ffffd781`77fbbf20 00000000`00000292 : 00000000`00000202 d78177f8`ed700fff ffffd781`77fbffff ffffd781`77f81180 : 0xffffd781`7bc75970
ffffd781`77fbbf28 00000000`00000202 : d78177f8`ed700fff ffffd781`77fbffff ffffd781`77f81180 fffff800`48ae3cf8 : 0x292
ffffd781`77fbbf30 d78177f8`ed700fff : ffffd781`77fbffff ffffd781`77f81180 fffff800`48ae3cf8 00000000`00000000 : 0x202
ffffd781`77fbbf38 ffffd781`77fbffff : ffffd781`77f81180 fffff800`48ae3cf8 00000000`00000000 ffffd781`77f87b00 : 0xd78177f8`ed700fff
ffffd781`77fbbf40 ffffd781`77f81180 : fffff800`48ae3cf8 00000000`00000000 ffffd781`77f87b00 ffffd781`77f87b00 : 0xffffd781`77fbffff
ffffd781`77fbbf48 fffff800`48ae3cf8 : 00000000`00000000 ffffd781`77f87b00 ffffd781`77f87b00 fffff800`48a29c26 : 0xffffd781`77f81180
ffffd781`77fbbf50 fffff800`48b69a60 : ffffd781`77f81180 ffffab8d`6309d640 ffffd781`77f87c40 00000000`00000000 : nt!KiIpiProcessRequests+0x1d8
ffffd781`77fbbfb0 fffff800`48b6980f : 00000000`00000001 00000000`00000000 ffffd781`77facb80 00000000`00000001 : nt!KiIpiInterruptSubDispatch+0x80
ffffd781`77faca50 fffff800`48b67d42 : ffffffff`00000000 ffffd781`77f81180 ffffd781`77f8dcc0 ffffab8d`6ad6e080 : nt!KiIpiInterrupt+0xff
ffffd781`77facbe0 00000000`00000000 : ffffd781`77fad000 ffffd781`77fa6000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x32


STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  3ff97afc7bd548a8627dd182eeca906539fd834a

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  1d2a93f59a13e5a6189edb6f2ba8d50744c9a2b8

THREAD_SHA1_HASH_MOD:  cb5f414824c2521bcc505eaa03e92fa10922dad8

FOLLOWUP_IP:
nt!KiDispatchException+220
fffff800`48abd8c0 cc              int     3

FAULT_INSTR_CODE:  b68b49cc

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!KiDispatchException+220

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  593278b1

BUCKET_ID_FUNC_OFFSET:  220

FAILURE_BUCKET_ID:  0x1E_c0000096_nt!KiDispatchException

BUCKET_ID:  0x1E_c0000096_nt!KiDispatchException

PRIMARY_PROBLEM_CLASS:  0x1E_c0000096_nt!KiDispatchException

TARGET_TIME:  2017-06-29T14:46:23.000Z

OSBUILD:  14393

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2017-06-03 17:52:01

BUILDDATESTAMP_STR:  170602-2252

BUILDLAB_STR:  rs1_release

BUILDOSVER_STR:  10.0.14393.1358.amd64fre.rs1_release.170602-2252

ANALYSIS_SESSION_ELAPSED_TIME: 498

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x1e_c0000096_nt!kidispatchexception

FAILURE_ID_HASH:  {505cfaff-0bdc-8a96-0650-5a81952f0ba1}

Followup:     MachineOwner
---------

A supplement, something I found: [it may be of some help to your analysis]

Tencent's TenProtect driver protection makes certain modifications to system kernel processes, which is why a crash caused by TenProtect is always related to kernel processes.

At ring0 it hooks several places, plus some other work, to achieve its protection.
Below is a brief summary:

NtOpenThread // prevents debuggers from creating threads inside it

NtOpenProcess // prevents OllyDbg and the like from seeing it in the process list

KiAttachProcess // prevents other software from attaching to it

NtReadVirtualMemory // prevents others from reading its memory

NtWriteVirtualMemory // prevents others from scribbling in its memory

KDCOM.dll:KdReceivePacket // these two are the COM serial port receive and send

KDCOM.dll:KdSendPacket // mainly used to prevent two-machine (remote kernel) debugging

(Quoted from https://bbs.pediy.com/thread-126802.htm)
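As an added example (not part of the original post, and not code from Tencent or TenProtect), here is a small Python triage helper that parses a `!analyze -v` transcript like the one above. It extracts the bugcheck code and its arguments, the FAULTING_IP line and the STACK_TEXT frames, and then flags every frame that WinDbg could not symbolize, such as the bare `0xffff8002`9903fdee` frame sitting between nt!KiGeneralProtectionFault and nt!KiIpiProcessRequests above. The sample input is an excerpt of the dump output posted above; the NTSTATUS name table and the `resolved()` heuristic (a `!` in the symbol means a module owned the address) are my assumptions about WinDbg's output format, not something stated in the post.

```python
"""Added triage helper for a WinDbg `!analyze -v` transcript: pulls out the
bugcheck, the FAULTING_IP line and the STACK_TEXT frames, and flags frames
that have no owning image (candidates to reconcile against `lm`)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# NTSTATUS codes commonly seen as Arg1 of bugcheck 0x1E (assumed table, not from the post).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}

_ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"  # WinDbg 64-bit value: 8 hex digits, backtick, 8 hex digits
_FRAME_RE = re.compile(rf"^({_ADDR}) ({_ADDR}) : (?:{_ADDR} ){{4}}: (.+?)\s*$")
_DISASM_RE = re.compile(rf"^({_ADDR}) ([0-9a-f]+)\s+(.+?)\s*$")
_BUGCHECK_RE = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")


def _hexval(s: str) -> int:
    """Parse a WinDbg hex value, with or without the backtick separator."""
    return int(s.replace("`", ""), 16)


@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    symbol: str

    def resolved(self) -> bool:
        # Heuristic (assumption): symbolized frames read "module!Function+off";
        # unsymbolized ones are a bare "0x..." address with no "!".
        return "!" in self.symbol


@dataclass
class Triage:
    bugcheck: int
    args: List[int]
    faulting_ip: Optional[int] = None
    faulting_symbol: str = ""
    faulting_instr: str = ""
    frames: List[Frame] = field(default_factory=list)

    def exception_name(self) -> str:
        # For 0x1E, Arg1 is the NTSTATUS, printed sign-extended to 64 bits.
        code = self.args[0] & 0xFFFFFFFF
        return NTSTATUS_NAMES.get(code, f"0x{code:08x}")

    def unresolved_frames(self) -> List[Frame]:
        # Frames with no owning image: cross-check these against `lm`.
        return [f for f in self.frames if not f.resolved()]


def parse_analyze(text: str) -> Triage:
    m = _BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no BugCheck line found")
    triage = Triage(bugcheck=int(m.group(1), 16),
                    args=[int(a.strip(), 16) for a in m.group(2).split(",")])
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == "FAULTING_IP:" and i + 2 < len(lines):
            # Layout: a symbol line ("+0" when no module owns the address),
            # then "address opcode-bytes mnemonic operands".
            triage.faulting_symbol = lines[i + 1].strip()
            d = _DISASM_RE.match(lines[i + 2].strip())
            if d:
                triage.faulting_ip = _hexval(d.group(1))
                triage.faulting_instr = d.group(3)
            i += 3
        elif line.startswith("STACK_TEXT:"):
            i += 1
            while i < len(lines) and lines[i].strip():  # frame list ends at a blank line
                f = _FRAME_RE.match(lines[i].strip())
                if f:
                    triage.frames.append(Frame(_hexval(f.group(1)), _hexval(f.group(2)), f.group(3)))
                i += 1
        else:
            i += 1
    return triage


# Excerpt of the `!analyze -v` output posted above (the faulting frames plus both ends of the stack).
SAMPLE = """\
BugCheck 1E, {ffffffffc0000096, ffff80029903fdee, 0, 0}

FAULTING_IP:
+0
ffff8002`9903fdee 0f015df6        lidt    tbyte ptr [rbp-0Ah]

STACK_TEXT:
ffffd781`77fbb4b8 fffff800`48abd8c0 : 00000000`0000001e ffffffff`c0000096 ffff8002`9903fdee 00000000`00000000 : nt!KeBugCheckEx
ffffd781`77fbb4c0 fffff800`48b6ff0e : 00000000`00000000 ffffc33a`00044200 00000000`00000000 00005d7d`bab296cf : nt!KiDispatchException+0x220
ffffd781`77fbbd60 ffff8002`9903fdee : 0fff0000`00000006 ffffab8d`6438b000 ffffd781`77faca00 ffff8002`9921be16 : nt!KiGeneralProtectionFault+0xfd
ffffd781`77fbbef0 0fff0000`00000006 : ffffab8d`6438b000 ffffd781`77faca00 ffff8002`9921be16 00000000`000004ac : 0xffff8002`9903fdee
ffffd781`77fbbef8 ffffab8d`6438b000 : ffffd781`77faca00 ffff8002`9921be16 00000000`000004ac ffffd781`7bc75970 : 0x0fff0000`00000006
ffffd781`77fbbf50 fffff800`48b69a60 : ffffd781`77f81180 ffffab8d`6309d640 ffffd781`77f87c40 00000000`00000000 : nt!KiIpiProcessRequests+0x1d8

STACK_COMMAND:  kb
"""

if __name__ == "__main__":
    t = parse_analyze(SAMPLE)
    print(f"bugcheck 0x{t.bugcheck:X}, {t.exception_name()} at 0x{t.faulting_ip:x} ({t.faulting_symbol}): {t.faulting_instr}")
    for fr in t.unresolved_frames():
        print(f"  unresolved frame: ret=0x{fr.ret_addr:x} symbol={fr.symbol}")
```

Run it on a saved transcript and the unresolved-frame list is what you reconcile with the loaded-module list from `lm`: a kernel-mode return address that no image claims, executing a descriptor-table instruction like `lidt`, is the detail worth taking to whichever vendor's driver turns out to own that page.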



Hello!

Caused by Netwtw04.sys; try downloading an updated network adapter driver from your brand's official website.



Last updated: 2017-07-10 16:08:36
