

Tencent TenProtect causes a KMODE bugcheck

When launching DNF, the machine suddenly crashed with a KMODE_EXCEPTION_NOT_HANDLED blue screen while Tencent's TenProtect was starting up.

[The kernel memory dump is fairly large, but I will upload it if necessary]

The analysis report for the relevant DMP file is as follows:

Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 14393 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 14393.1358.amd64fre.rs1_release.170602-2252
Machine Name:
Kernel base = 0xfffff800`48a16000 PsLoadedModuleList = 0xfffff800`48d15000
Debug session time: Thu Jun 29 23:46:23.857 2017 (UTC + 9:00)
System Uptime: 0 days 0:09:27.704
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...........
Loading User Symbols

Loading unloaded module list
..............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000096, ffff80029903fdee, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KiDispatchException+220 )

Followup:     MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000096, The exception code that was not handled
Arg2: ffff80029903fdee, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  14393.1358.amd64fre.rs1_release.170602-2252

SYSTEM_MANUFACTURER:  Micro-Star International Co., Ltd.

SYSTEM_PRODUCT_NAME:  GE72 6QD

SYSTEM_SKU:  Default string

SYSTEM_VERSION:  REV:1.0

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  E1795IMS.114

BIOS_DATE:  04/29/2016

BASEBOARD_MANUFACTURER:  Micro-Star International Co., Ltd.

BASEBOARD_PRODUCT:  MS-1795

BASEBOARD_VERSION:  REV:0.A

DUMP_TYPE:  1

BUGCHECK_P1: ffffffffc0000096

BUGCHECK_P2: ffff80029903fdee

BUGCHECK_P3: 0

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000096 - {

FAULTING_IP:
+0
ffff8002`9903fdee 0f015df6        lidt    tbyte ptr [rbp-0Ah]

BUGCHECK_STR:  0x1E_c0000096

CPU_COUNT: 8

CPU_MHZ: a20

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: 84'00000000 (cache) 84'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  e

ANALYSIS_SESSION_HOST:  MSI-GE72

ANALYSIS_SESSION_TIME:  06-30-2017 12:07:05.0700

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER:  from fffff80048abd8c0 to fffff80048b64ce0

STACK_TEXT:  
ffffd781`77fbb4b8 fffff800`48abd8c0 : 00000000`0000001e ffffffff`c0000096 ffff8002`9903fdee 00000000`00000000 : nt!KeBugCheckEx
ffffd781`77fbb4c0 fffff800`48b6ff0e : 00000000`00000000 ffffc33a`00044200 00000000`00000000 00005d7d`bab296cf : nt!KiDispatchException+0x220
ffffd781`77fbbb80 fffff800`48b6e1bd : ffffd781`7bc75950 fffff800`48a16000 00000000`00000246 00000000`00000fff : nt!KiExceptionDispatch+0xce
ffffd781`77fbbd60 ffff8002`9903fdee : 0fff0000`00000006 ffffab8d`6438b000 ffffd781`77faca00 ffff8002`9921be16 : nt!KiGeneralProtectionFault+0xfd
ffffd781`77fbbef0 0fff0000`00000006 : ffffab8d`6438b000 ffffd781`77faca00 ffff8002`9921be16 00000000`000004ac : 0xffff8002`9903fdee
ffffd781`77fbbef8 ffffab8d`6438b000 : ffffd781`77faca00 ffff8002`9921be16 00000000`000004ac ffffd781`7bc75970 : 0x0fff0000`00000006
ffffd781`77fbbf00 ffffd781`77faca00 : ffff8002`9921be16 00000000`000004ac ffffd781`7bc75970 00000000`00000292 : 0xffffab8d`6438b000
ffffd781`77fbbf08 ffff8002`9921be16 : 00000000`000004ac ffffd781`7bc75970 00000000`00000292 00000000`00000202 : 0xffffd781`77faca00
ffffd781`77fbbf10 00000000`000004ac : ffffd781`7bc75970 00000000`00000292 00000000`00000202 d78177f8`ed700fff : 0xffff8002`9921be16
ffffd781`77fbbf18 ffffd781`7bc75970 : 00000000`00000292 00000000`00000202 d78177f8`ed700fff ffffd781`77fbffff : 0x4ac
ffffd781`77fbbf20 00000000`00000292 : 00000000`00000202 d78177f8`ed700fff ffffd781`77fbffff ffffd781`77f81180 : 0xffffd781`7bc75970
ffffd781`77fbbf28 00000000`00000202 : d78177f8`ed700fff ffffd781`77fbffff ffffd781`77f81180 fffff800`48ae3cf8 : 0x292
ffffd781`77fbbf30 d78177f8`ed700fff : ffffd781`77fbffff ffffd781`77f81180 fffff800`48ae3cf8 00000000`00000000 : 0x202
ffffd781`77fbbf38 ffffd781`77fbffff : ffffd781`77f81180 fffff800`48ae3cf8 00000000`00000000 ffffd781`77f87b00 : 0xd78177f8`ed700fff
ffffd781`77fbbf40 ffffd781`77f81180 : fffff800`48ae3cf8 00000000`00000000 ffffd781`77f87b00 ffffd781`77f87b00 : 0xffffd781`77fbffff
ffffd781`77fbbf48 fffff800`48ae3cf8 : 00000000`00000000 ffffd781`77f87b00 ffffd781`77f87b00 fffff800`48a29c26 : 0xffffd781`77f81180
ffffd781`77fbbf50 fffff800`48b69a60 : ffffd781`77f81180 ffffab8d`6309d640 ffffd781`77f87c40 00000000`00000000 : nt!KiIpiProcessRequests+0x1d8
ffffd781`77fbbfb0 fffff800`48b6980f : 00000000`00000001 00000000`00000000 ffffd781`77facb80 00000000`00000001 : nt!KiIpiInterruptSubDispatch+0x80
ffffd781`77faca50 fffff800`48b67d42 : ffffffff`00000000 ffffd781`77f81180 ffffd781`77f8dcc0 ffffab8d`6ad6e080 : nt!KiIpiInterrupt+0xff
ffffd781`77facbe0 00000000`00000000 : ffffd781`77fad000 ffffd781`77fa6000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x32


STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  3ff97afc7bd548a8627dd182eeca906539fd834a

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  1d2a93f59a13e5a6189edb6f2ba8d50744c9a2b8

THREAD_SHA1_HASH_MOD:  cb5f414824c2521bcc505eaa03e92fa10922dad8

FOLLOWUP_IP:
nt!KiDispatchException+220
fffff800`48abd8c0 cc              int     3

FAULT_INSTR_CODE:  b68b49cc

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!KiDispatchException+220

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  593278b1

BUCKET_ID_FUNC_OFFSET:  220

FAILURE_BUCKET_ID:  0x1E_c0000096_nt!KiDispatchException

BUCKET_ID:  0x1E_c0000096_nt!KiDispatchException

PRIMARY_PROBLEM_CLASS:  0x1E_c0000096_nt!KiDispatchException

TARGET_TIME:  2017-06-29T14:46:23.000Z

OSBUILD:  14393

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2017-06-03 17:52:01

BUILDDATESTAMP_STR:  170602-2252

BUILDLAB_STR:  rs1_release

BUILDOSVER_STR:  10.0.14393.1358.amd64fre.rs1_release.170602-2252

ANALYSIS_SESSION_ELAPSED_TIME: 498

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x1e_c0000096_nt!kidispatchexception

FAILURE_ID_HASH:  {505cfaff-0bdc-8a96-0650-5a81952f0ba1}

Followup:     MachineOwner
---------
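As an added example (it is not part of the original post and not WinDbg's own code), the Python script below reads the kind of `!analyze -v` text shown above and pulls out the three things worth checking first in a 0x1E bugcheck: Arg1 decoded as an NTSTATUS (0xc0000096 is STATUS_PRIVILEGED_INSTRUCTION), the faulting instruction (here `lidt`), and whether the faulting address and the stack frames resolve to a loaded module. In the report above the exception address is printed as a bare `0xffff8002`9903fdee` rather than `module!function`, and the frames that follow it are 8 bytes apart and carry raw values, which is what the debugger shows once it has lost the frame chain and is scanning the stack. The sample input is an excerpt of the report above; the NTSTATUS table and the mnemonic set are small illustrative subsets, not complete lists.

```python
"""Triage helper for a WinDbg "!analyze -v" report of bugcheck 0x1E.
Added example: not code from the original post and not part of WinDbg."""
import re

# NTSTATUS values from the Windows SDK ntstatus.h; illustrative subset of the
# codes that commonly appear as Arg1 of KMODE_EXCEPTION_NOT_HANDLED.
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
}

# Illustrative subset of x86-64 instructions that load or read processor system
# state (descriptor tables, MSRs, interrupt flag).
SYSTEM_STATE_MNEMONICS = {"lidt", "lgdt", "lldt", "ltr", "wrmsr", "rdmsr",
                          "invlpg", "cli", "sti", "hlt"}

# e.g. "BugCheck 1E, {ffffffffc0000096, ffff80029903fdee, 0, 0}"
BUGCHECK_RE = re.compile(r"^BugCheck[ \t]+([0-9A-Fa-f]+),[ \t]*\{([^}]*)\}", re.M)
# FAULTING_IP block: header, symbol line ("+0" when nothing resolves), then
# "<address> <opcode bytes> <mnemonic> <operands>".
FAULTING_IP_RE = re.compile(
    r"^FAULTING_IP:[ \t]*\n(.*)\n([0-9a-f`]{17})[ \t]+[0-9a-f]+[ \t]+(\w+)", re.M)
# One STACK_TEXT frame: child-sp, return address, four args, symbol column.
FRAME_RE = re.compile(
    r"^[0-9a-f`]{17}[ \t]+[0-9a-f`]{17}[ \t]+:[ \t]+(?:[0-9a-f`]{17}[ \t]+){4}:[ \t]+(\S+)",
    re.M)


def _hex(text):
    """WinDbg prints 64-bit values as two 8-digit groups split by a backtick."""
    return int(text.replace("`", ""), 16)


def parse_bugcheck(report):
    """Return (bugcheck code, [Arg1..Arg4]) from the 'BugCheck' summary line."""
    m = BUGCHECK_RE.search(report)
    if m is None:
        raise ValueError("no 'BugCheck' line found")
    return int(m.group(1), 16), [_hex(a.strip()) for a in m.group(2).split(",")]


def parse_faulting_ip(report):
    """Return the FAULTING_IP symbol, address and mnemonic, or None if absent."""
    m = FAULTING_IP_RE.search(report)
    if m is None:
        return None
    return {"symbol": m.group(1).strip(), "address": _hex(m.group(2)),
            "mnemonic": m.group(3).lower()}


def parse_frames(report):
    """Return the symbol column of every STACK_TEXT frame, top of stack first."""
    return FRAME_RE.findall(report)


def triage(report):
    """Decode the bugcheck arguments and collect the findings to check first."""
    code, args = parse_bugcheck(report)
    out = {"bugcheck": code, "findings": [], "unsymbolized_frames": []}
    if code == 0x1E and len(args) >= 2:
        # Arg1 is the 32-bit NTSTATUS sign-extended to 64 bits; Arg2 the address.
        status = args[0] & 0xFFFFFFFF
        out["exception_code"] = status
        out["exception_name"] = NTSTATUS_NAMES.get(status, "unknown NTSTATUS")
        out["exception_address"] = args[1]
    ip = parse_faulting_ip(report)
    if ip is not None:
        out["faulting_ip"] = ip
        if "!" not in ip["symbol"]:  # no module!function symbol for the address
            out["findings"].append("faulting address %#x is in no loaded module" % ip["address"])
        if ip["mnemonic"] in SYSTEM_STATE_MNEMONICS:
            out["findings"].append("faulting instruction '%s' touches system state" % ip["mnemonic"])
    # A frame printed as a bare 0x... address has no loaded module covering it.
    for symbol in parse_frames(report):
        if symbol.startswith("0x"):
            out["unsymbolized_frames"].append(_hex(symbol[2:]))
    return out


# Sample input: an excerpt copied from the report above (not constructed).
SAMPLE_REPORT = """
BugCheck 1E, {ffffffffc0000096, ffff80029903fdee, 0, 0}

FAULTING_IP:
+0
ffff8002`9903fdee 0f015df6        lidt    tbyte ptr [rbp-0Ah]

STACK_TEXT:
ffffd781`77fbb4b8 fffff800`48abd8c0 : 00000000`0000001e ffffffff`c0000096 ffff8002`9903fdee 00000000`00000000 : nt!KeBugCheckEx
ffffd781`77fbbd60 ffff8002`9903fdee : 0fff0000`00000006 ffffab8d`6438b000 ffffd781`77faca00 ffff8002`9921be16 : nt!KiGeneralProtectionFault+0xfd
ffffd781`77fbbef0 0fff0000`00000006 : ffffab8d`6438b000 ffffd781`77faca00 ffff8002`9921be16 00000000`000004ac : 0xffff8002`9903fdee
ffffd781`77fbbef8 ffffab8d`6438b000 : ffffd781`77faca00 ffff8002`9921be16 00000000`000004ac ffffd781`7bc75970 : 0x0fff0000`00000006
ffffd781`77fbbf50 fffff800`48b69a60 : ffffd781`77f81180 ffffab8d`6309d640 ffffd781`77f87c40 00000000`00000000 : nt!KiIpiProcessRequests+0x1d8
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Running it on the excerpt reports STATUS_PRIVILEGED_INSTRUCTION at an address with no module symbol, a `lidt` as the faulting instruction, and two unsymbolized frames. The next step a practitioner would take in WinDbg is to check whether that address lies inside any module listed by `lm` or in the unloaded module list, which this script cannot do from the `!analyze -v` text alone.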

Adding something I found: [it may be of some help to your analysis]

Tencent's TenProtect driver protection makes certain modifications to core system processes, which is why crashes caused by TenProtect are always related to kernel processes.

In ring0 it HOOKs several places and does some other work to achieve its protection.
Below is a brief summary:

NtOpenThread // prevents a debugger from creating threads inside it

NtOpenProcess // prevents OllyDbg (OD) and the like from seeing it in the process list

KiAttachProcess // prevents other software from attaching to it

NtReadVirtualMemory // prevents others from reading its memory

NtWriteVirtualMemory // prevents others from scribbling over its memory

KDCOM.dll:KdReceivePacket // these two are the COM serial port receive and send routines

KDCOM.dll:KdSendPacket // mainly used to prevent two-machine (kernel) debugging

Quoted from https://bbs.pediy.com/thread-126802.htm



Last updated: 2017-06-30 11:46:30
