零 打开驱动测试测试工具
verifier /standard /driver fileflt.sys 然后重启电脑等待生效
一 设置 Windows 内核调试的符号路径和模块加载
1. 设置微软符号服务器路径:
在 WinDbg 中,可以通过以下命令设置符号路径:
```
.sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
```
或者在环境变量中设置 _NT_SYMBOL_PATH:
```
set _NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols
```
2. 重新加载符号:
```
.reload /f
```
3. 检查已加载的模块:
```
lm # 列出所有加载的模块
lm m nt # 查看特定模块(如 nt)
```
4. 加载自己的驱动模块符号:
如果你的驱动模块已经加载但符号未正确加载,可以:
```
.reload /f yourdriver.sys # 替换 yourdriver.sys 为你的驱动名称
```
5. 验证符号是否正确加载:
```
!sym noisy # 打开详细符号加载信息
x *!* # 显示所有符号
```
6. 常用调试命令:
```
!analyze -v # 详细分析当前异常
db # 显示内存内容
dt # 显示数据类型
```
二设置驱动卸载断点 (用于查看线程 dpc 其他资源)
在 fileflt 驱动模块中查找 FilterUnload 函数 比如模块叫fileflt.sys
在 WinDbg 中使用以下命令:
```
x fileflt!*FilterUnload*
```
这个命令会显示所有包含 "FilterUnload" 的符号。如果没有显示结果,可以尝试以下排查步骤:
1. 首先确认模块是否正确加载:
```
lm m fileflt # 查看 fileflt 模块的加载状态
```
2. 如果需要重新加载符号:
```
.reload /f fileflt
```
3. 可以使用更宽泛的搜索:
```
x fileflt* # 列出 fileflt 模块的所有符号
```
4. 检查符号路径是否正确:
```
.sympath # 显示当前符号路径
```
5. 打开详细的符号加载信息:
```
!sym noisy # 开启详细符号加载信息
```
三 由于内存泄露 verifier可能会触发蓝屏特别是win10
!analyze -v
windbg返回
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, BugChecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000000062, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: ffff8687553fad48, name of the driver having the issue.
Arg3: ffff868756236710, verifier internal structure with driver information.
Arg4: 0000000000000003, total # of (paged+nonpaged) allocations that weren't freed.
Type !verifier 3 drivername.sys for info on the allocations
that were leaked that caused the bugcheck.
执行 !verifier 3 查看 哪块内存泄露
查看 ExAllocatePoolWithTag 分配代带标记的内存 可以直接定位到代码行
RaiseIrqls 0x0
AcquireSpinLocks 0x0
Synch Executions 0x0
Trims 0xa77
Pool Allocations Attempted 0x46d737
Pool Allocations Succeeded 0x46d736
Pool Allocations Succeeded SpecialPool 0x46d736
Pool Allocations With NO TAG 0x0
Pool Allocations Failed 0x0
Current paged pool allocations 0x0 for 00000000 bytes
Peak paged pool allocations 0x7 for 0000008B bytes
Current nonpaged pool allocations 0x3 for 00000108 bytes
Peak nonpaged pool allocations 0x66 for 0007D390 bytes
Driver Verification List
------------------------
nt!_VF_TARGET_DRIVER 0xffff868754cf8360: fileflt.sys (Loaded and Unloaded)
Pool Allocation Statistics: ( NonPagedPool / PagedPool )
Current Pool Allocations: ( 0x00000003 / 0x00000000 )
Current Pool Bytes: ( 0x00000108 / 0x00000000 )
Peak Pool Allocations: ( 0x00000066 / 0x00000007 )
Peak Pool Bytes: ( 0x0007d390 / 0x0000008b )
Contiguous Memory Bytes: 0x00000000
Peak Contiguous Memory Bytes: 0x00000000
Pool Allocations:
Address Length Tag Caller Address
------------------ ---------- ---- ------------------
0xffff868753374fa0 0x00000058 Vfwi 0xfffff805649335c2 fileflt!QueueAsyncSendCommPort+0x92
0xffff868758086fa0 0x00000058 Vfwi 0xfffff805649335c2 fileflt!QueueAsyncSendCommPort+0x92
0xffff868758d40fa0 0x00000058 Vfwi 0xfffff805649335c2 fileflt!QueueAsyncSendCommPort+0x92
Contiguous allocations are not displayed with public symbols.
然后 ln fileflt!QueueAsyncSendCommPort+0x92 就可以定位到某段代码然后解决问题。。。
具体命令还有
!verifier 3 fileflt.sys
)
:日志)
)
【第15篇(完结):讨论和未来展望】)
——配置MyBatis)
