
北方天空下

I am not a man of too many faces, the mask I wear is one...


Vista blue-screened again today

My Vista box at home has blue-screened twice in a row recently, and tonight it did it again. I couldn't stand it any more, so I opened the dump file in WinDbg. My suspicion is that while a Windows Defender definition update was being installed, amon.sys, the file-monitoring driver of my antivirus (NOD32), hit an exception and took the machine down. It has not reproduced since, so this is only a guess. The dump analysis goes as follows.

1. Find the direct cause: \SystemRoot\system32\drivers\amon.sys. amon is the real-time file-monitoring driver of my NOD32 antivirus. The bucket ID 0x7f_8_amon+4395 encodes bug check 0x7F (UNEXPECTED_KERNEL_MODE_TRAP) with first argument 8, and the failing location is offset 0x4395 in amon, a module with no symbols:

MODULE_NAME: amon

IMAGE_NAME: amon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 46440bc2

FAILURE_BUCKET_ID: 0x7f_8_amon+4395

BUCKET_ID: 0x7f_8_amon+4395

Followup: MachineOwner
---------
1: kd> lmvm amon
start end module name
a4d85000 a4dff8c0 amon (no symbols)
Loaded symbol image file: amon.sys
Image path: \SystemRoot\system32\drivers\amon.sys
Image name: amon.sys
Timestamp: Fri May 11 14:22:58 2007 (46440BC2)
CheckSum: 0008C539
ImageSize: 0007A8C0
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0


Looking at the stack below, it seems to be in the middle of "creating a directory" and "writing a file":

STACK_TEXT:
a33db5ec a45a2302 b3b00000 00000000 00004000 nt!memset+0x45
a33db644 a45a881c 875f4bb8 b6ca0008 00004000 fastfat!FatPrepareWriteDirectoryFile+0x130
a33db69c a45a4d42 00000000 b3b00000 a3b80360 fastfat!FatInitializeDirectoryDirent+0x2c
a33db758 a45a6523 875f4bb8 85c9eb18 87609a10 fastfat!FatCreateNewDirectory+0x27c
a33db9a0 a45a6a48 875f4bb8 85cbcd70 a399e441 fastfat!FatCommonCreate+0xe83
a33db9e4 81c27fae 01609918 85cbcd70 85cbcd70 fastfat!FatFsdCreate+0x52
......
a33dbab0 81c27fae 8846cb60 85cbcd70 85c9eb74 amon+0x4395
a33dbac8 81d96f3c a33d00c0 85be6844 86c009f8 nt!IofCallDriver+0x63
......
Then I suddenly remembered that a Windows Defender update was being installed at the time, so I ran !process 0 to list the processes and found mpas-d.exe (one of Windows Defender's processes). Sure enough, one of its threads was still at the "scene of the crime": THREAD 85ca1a98 Cid 0f44.0f4c Teb: 7ffdf000 Win32Thread: feec5418 RUNNING on processor 1. The IRP on that thread's IRP list, 85cbcd70, is the same IRP passed to fastfat!FatFsdCreate and to amon+0x4395 in the stack above, which ties the thread to that call chain. The full output is below:

1: kd> !thread 85ca1a98
THREAD 85ca1a98 Cid 0f44.0f4c Teb: 7ffdf000 Win32Thread: feec5418 RUNNING on processor 1
IRP List:
85cbcd70: (0006,028c) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap b0c63498
Owning Process 85c66910 Image: mpas-d.exe


And in the stack, going from FatCreateNewDirectory at the start to KiDispatchException and then fastfat!_except_handler later on, I think an exception had probably already been raised here:
......
a33da164 81c921ae a33da230 a33dab80 a33da280 fastfat!_except_handler4+0x14f (FPO: [Non-Fpo])
.......
a33daa54 81c8d4ea a33daa70 00000000 a33daac4 nt!KiDispatchException+0x170
........
a33daba0 a459b296 a459b194 a33dac2c a459b1a4 fastfat!FatCreateNewDirectory+0x460 (FPO: [SEH])
.........
That led to the guess above: a definition update creates, reads and writes files, all of which are intercepted by amon.sys; something went wrong in that monitoring and it crashed, hence this blue screen. Since it never reproduced, I don't know what really happened.
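One check worth doing on this dump before settling on any hypothesis: a FAILURE_BUCKET_ID of the form 0x7f_8_... is bug check 0x7F with first argument 8, a double fault, and the most common cause of a double fault on Windows is kernel stack exhaustion. The x86 kernel-mode stack is only 12 KiB, the frames visible above already span 0x1964 bytes (about 6.5 KiB) between the outermost ChildEBP (a33dbac8) and the innermost one (a33da164), and the innermost frames are exception dispatch (KiDispatchException, _except_handler4) running on top of a deep fastfat create path that was entered through amon. The script below is an added example, not code from the original post or from NOD32/Windows Defender: it parses WinDbg x86 "k"/STACK_TEXT frames, measures how much stack the visible frames occupy, lists non-Windows modules in the chain, and flags the stack-overflow hypothesis when the bucket says double fault. The sample stack is copied from the two fragments shown above (the "......" elisions are kept, so the span is a lower bound), and the WINDOWS_MODULES set is an assumption for this example.

```python
"""Added triage helper for a WinDbg kernel-dump stack (example, not from the post)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# x86 kernel-mode thread stack is 12 KiB (x64: 24 KiB); it does not grow on demand.
X86_KERNEL_STACK_BYTES = 12 * 1024

# Modules that belong to Windows itself; anything else is a candidate culprit.
# Assumed list for this example; extend it for your own machine.
WINDOWS_MODULES = {"nt", "hal", "fastfat", "ntfs", "fltmgr", "ksecdd"}

# ChildEBP RetAddr Arg1 Arg2 Arg3 module!symbol+0xoffset   (x86 WinDbg "k" layout)
FRAME_RE = re.compile(
    r"^\s*(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})(?:\s+[0-9a-f]{8}){3}\s+"
    r"(?P<module>[A-Za-z0-9_.]+)(?:!(?P<symbol>[^+\s]+))?(?:\+0x(?P<off>[0-9a-f]+))?",
    re.IGNORECASE,
)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    module: str
    symbol: Optional[str]   # None for a module without symbols, e.g. "amon+0x4395"
    offset: int


def parse_stack_text(text: str) -> List[Frame]:
    """Frames innermost-first, in the order WinDbg prints them; non-frame lines are skipped."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m is None:            # "STACK_TEXT:", "......" elisions, blank lines
            continue
        frames.append(Frame(
            child_ebp=int(m["ebp"], 16),
            ret_addr=int(m["ret"], 16),
            module=m["module"].lower(),
            symbol=m["symbol"],
            offset=int(m["off"] or "0", 16),
        ))
    return frames


def stack_span_bytes(frames: List[Frame]) -> int:
    """Bytes between outermost and innermost visible ChildEBP: a lower bound on stack in use."""
    ebps = [f.child_ebp for f in frames]
    return max(ebps) - min(ebps) if ebps else 0


def third_party_modules(frames: List[Frame]) -> List[str]:
    """Non-Windows modules in the call chain, innermost first, without duplicates."""
    seen: List[str] = []
    for f in frames:
        if f.module not in WINDOWS_MODULES and f.module not in seen:
            seen.append(f.module)
    return seen


def is_double_fault_bucket(bucket_id: str) -> bool:
    """'0x7f_8_<module>+<off>' means bug check 0x7F with argument 1 == 8 (double fault)."""
    return bucket_id.lower().startswith("0x7f_8_")


def triage(bucket_id: str, stack_text: str) -> dict:
    frames = parse_stack_text(stack_text)
    span = stack_span_bytes(frames)
    double_fault = is_double_fault_bucket(bucket_id)
    return {
        "frames": len(frames),
        "stack_span_bytes": span,
        "suspect_modules": third_party_modules(frames),
        "double_fault": double_fault,
        # A double fault is most often kernel stack exhaustion. If the frames we can
        # see already cover more than half of the 12 KiB stack, test that first
        # (stack limits from "!thread", per-frame sizes from "kf").
        "stack_overflow_candidate": double_fault and span > X86_KERNEL_STACK_BYTES // 2,
    }


# Sample input: the two STACK_TEXT fragments from the dump above, joined in address order.
SAMPLE_STACK = """STACK_TEXT:
a33da164 81c921ae a33da230 a33dab80 a33da280 fastfat!_except_handler4+0x14f (FPO: [Non-Fpo])
......
a33daa54 81c8d4ea a33daa70 00000000 a33daac4 nt!KiDispatchException+0x170
......
a33daba0 a459b296 a459b194 a33dac2c a459b1a4 fastfat!FatCreateNewDirectory+0x460 (FPO: [SEH])
......
a33db5ec a45a2302 b3b00000 00000000 00004000 nt!memset+0x45
a33db644 a45a881c 875f4bb8 b6ca0008 00004000 fastfat!FatPrepareWriteDirectoryFile+0x130
a33db69c a45a4d42 00000000 b3b00000 a3b80360 fastfat!FatInitializeDirectoryDirent+0x2c
a33db758 a45a6523 875f4bb8 85c9eb18 87609a10 fastfat!FatCreateNewDirectory+0x27c
a33db9a0 a45a6a48 875f4bb8 85cbcd70 a399e441 fastfat!FatCommonCreate+0xe83
a33db9e4 81c27fae 01609918 85cbcd70 85cbcd70 fastfat!FatFsdCreate+0x52
......
a33dbab0 81c27fae 8846cb60 85cbcd70 85c9eb74 amon+0x4395
a33dbac8 81d96f3c a33d00c0 85be6844 86c009f8 nt!IofCallDriver+0x63
"""

if __name__ == "__main__":
    for key, value in triage("0x7f_8_amon+4395", SAMPLE_STACK).items():
        print(f"{key}: {value}")
```

Running it on the sample reports 11 visible frames, a span of 0x1964 bytes, amon as the only non-Windows module, and stack_overflow_candidate set to True. Two further observations from the same frames: fastfat!FatFsdCreate and amon+0x4395 share the return address 81c27fae, i.e. both were entered through nt!IofCallDriver, which is how a legacy file-system filter like amon sits in the create path and forwards the IRP (85cbcd70) down to fastfat; and the exception being dispatched inside FatCreateNewDirectory means the stack was being consumed by exception-dispatch frames on top of an already deep chain. Neither proves the author's hypothesis or the overflow one, but "how deep was the stack" is the first question a 0x7F_8 dump should answer.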
