Reading Windows® Internals, Sixth Edition, Part 2 in full

There are, however, certain traps that are the result of software errors. Viewing the trap frame that was generated or the task gate (depending on the type of trap) displays the instruction that generated the trap:

TSS:  00000028 -- (.tss 0x28)
eax=8336001c ebx=86d57388 ecx=83360044 edx=00000000 esi=86d57388 edi=00000000
eip=96890918 esp=92985000 ebp=92987bc4 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
myfault+0x918:
96890918 e8f9ffffff      call    myfault+0x916 (96890916)

The type of trap described earlier, an EXCEPTION_DOUBLE_FAULT, is usually the result of one of two common causes—a kernel stack overflow or faulty hardware. A kernel stack overflow occurs when a kernel thread’s guard page is hit, as a result of having exhausted all of the current thread’s stack allocation. The kernel attempts to push a trap frame onto the stack—for which no more space exists—causing a double fault.

Using the !thread command to verify the stack limits of the thread that was executing confirms whether the double fault was caused by a kernel stack overflow:

0: kd> !thread
THREAD 850e3918  Cid 0fb8.0fbc  Teb: 7ffde000 Win32Thread: fe4f0dd8 RUNNING on processor 0
IRP List:
    86d57370: (0006,0094) Flags: 00060000  Mdl: 00000000
Not impersonating
DeviceMap                 8fa3b8e8
Owning Process            85100670       Image:         NotMyfault.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      21664          Ticks: 0
Context Switch Count      461
UserTime                  00:00:00.000
KernelTime                00:00:00.046
Win32 Start Address 0x00fe27ff
Stack Init 92987fd0 Current 92987af8 Base 92988000 Limit 92985000 Call 0
Priority 12 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
ChildEBP RetAddr  Args to Child
00000000 96890918 00000000 00000000 00000000 nt!KiTrap08+0x75 (FPO: TSS 28:0)
WARNING: Stack unwind information not available. Following frames may be wrong.
92987bc4 96890b1c 87015038 00000001 00000000 myfault+0x918
92987bfc 82845593 85154158 86d57370 86d57370 myfault+0xb1c
92987c14 82a3999f 87015038 86d57370 86d573e0 nt!IofCallDriver+0x63
92987c34 82a3cb71 85154158 87015038 00000000 nt!IopSynchronousServiceTail+0x1f8
92987cd0 82a833f4 85154158 86d57370 00000000 nt!IopXxxControlFile+0x6aa
92987d04 8284c1ea 000000c4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
92987d04 779a70b4 000000c4 00000000 00000000 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 92987d34)
0012f424 00000000 00000000 00000000 00000000 0x779a70b4

The two values of interest are the stack base and the stack limit. Comparing the value of the stack limit with the value stored in the stack pointer register (esp in this case) of the task state segment shown earlier confirms that the lower limit of the stack has been reached. (Both locations contain the same value.)

To understand what component has used all of the kernel thread’s stack allocation requires the two values obtained earlier—the stack base and the stack limit. Using the dps command with both values displays the thread’s stack, using symbols to resolve any function names:

0: kd> dps 92985000 92988000
92985000  9689091d myfault+0x91d
92985004  9689091d myfault+0x91d
92985008  9689091d myfault+0x91d
...

In this output, a repeating address is shown for the Myfault.sys driver. This is consistent with a device driver that is recursively calling into itself. Each call to a function pushes the return address onto the stack, growing the stack downward toward the thread’s fixed stack limit. The return address is popped off the stack only when the function returns. In the case of a driver or function recursively calling itself, none of the nested calls ever returns, so the return addresses accumulate until the stack is exhausted.
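As an added example (not from the book or the debugger), the following Python sketch automates the two checks just described on pasted debugger output: comparing esp from the .tss register dump against the stack limit reported by !thread, and looking for a return address that repeats through the dps dump. It assumes 32-bit x86 output in the format shown above; the sample inputs are constructed from the excerpts quoted on this page.

```python
import re
from collections import Counter

# Constructed sample input: the register dump, !thread and dps excerpts
# quoted above, trimmed to the lines the checks need.
TSS_DUMP = """eax=8336001c ebx=86d57388 ecx=83360044 edx=00000000 esi=86d57388 edi=00000000
eip=96890918 esp=92985000 ebp=92987bc4 iopl=0         nv up ei pl zr na pe nc"""

THREAD_DUMP = """Win32 Start Address 0x00fe27ff
Stack Init 92987fd0 Current 92987af8 Base 92988000 Limit 92985000 Call 0"""

DPS_DUMP = """0: kd> dps 92985000 92988000
92985000  9689091d myfault+0x91d
92985004  9689091d myfault+0x91d
92985008  9689091d myfault+0x91d
9298500c  82845593 nt!IofCallDriver+0x63"""

DPS_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S.*)$")


def stack_limits(thread_output):
    """Return (base, limit) from the !thread 'Stack Init ... Base ... Limit ...' line."""
    m = re.search(r"Base\s+([0-9a-f]{8})\s+Limit\s+([0-9a-f]{8})", thread_output)
    if not m:
        raise ValueError("no Stack Base/Limit line in !thread output")
    return int(m.group(1), 16), int(m.group(2), 16)


def stack_pointer(register_output):
    """Return esp from a 32-bit register dump (the .tss output on a double fault)."""
    m = re.search(r"\besp=([0-9a-f]{8})", register_output)
    if not m:
        raise ValueError("no esp in register dump")
    return int(m.group(1), 16)


def is_stack_exhausted(register_output, thread_output):
    """The double fault came from stack exhaustion if esp is at or below the limit.
    x86 kernel stacks grow downward: Limit is the lowest valid address, Base the highest."""
    base, limit = stack_limits(thread_output)
    return limit <= base and stack_pointer(register_output) <= limit


def repeated_return_addresses(dps_output, min_repeats=3):
    """Symbolized stack values that recur at least min_repeats times; the same
    return address in slot after slot is the signature of a function recursing into itself."""
    counts = Counter()
    for line in dps_output.splitlines():
        m = DPS_LINE.match(line.strip())
        if m:                      # skip the kd> prompt and any non-dps lines
            counts[m.group(3)] += 1
    return {sym: n for sym, n in counts.items() if n >= min_repeats}
```

On the page's values, is_stack_exhausted returns True and repeated_return_addresses names myfault+0x91d, matching the manual diagnosis above.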

0xC5 - DRIVER_CORRUPTED_EXPOOL

Diagnosing the cause of pool corruption can be difficult, if not virtually impossible, without the use of additional tools. The recommended course of action for troubleshooting any type of pool corruption issue is to enable the special pool option of Driver Verifier against any new or suspect drivers. Before you enable Driver Verifier, spending a few extra minutes analyzing the crash may yield some interesting results.
