
I am writing a Windows device driver. The driver is very simple; there is nothing fancy about it. I just want to get familiar with Windows driver development.

In my driver I allocate some memory from NonPagedPool, but I am hitting a very strange error.

Here is my code snippet:

// Allocate one MY_NODE from non-paged pool, tagged 'TEST'
pMyNode = (PMY_NODE)ExAllocatePoolWithTag(NonPagedPool, sizeof(MY_NODE), 'TEST');
if (pMyNode == NULL){
    // Allocation failed: the pool is exhausted
    DbgPrint("Not Enough Memory\n");
}
else{
    // Do some stuff and free the memory
}

The corresponding assembly (from the IDA Pro disassembler) is:

call ds:__imp__ExAllocatePoolWithTag
mov [ebp+pMyNode], eax
cmp [ebp+pMyNode], 0
jnz  SOME_OFFSET
call _DbgPrint

SOME_OFFSET:
.........
.........

This code snippet sits inside the callback registered with PsSetCreateProcessNotifyRoutine, so it is executed every time a new process is created. Now, if I run the driver for a long time, I suddenly get a BSoD, and WinDbg flags this instruction as the faulting instruction: mov [ebp+pMyNode], eax. That line simply assigns the return value of ExAllocatePoolWithTag to the pMyNode pointer. I don't understand how this could be a faulting instruction.

The error message on the BSoD screen is "A Device Driver Has Pool". See the following WinDbg log:

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: e252a000, memory referenced
Arg2: 0000000d, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8054baee, address which referenced memory

Any help would be appreciated.

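As an added illustration (not part of the original post), these are the kernel-debugger commands a practitioner would run to triage this DRIVER_CORRUPTED_EXPOOL bug check, using the argument values from the log above; the driver image name mydriver.sys is a placeholder.

```windbg
$$ Added example: triaging DRIVER_CORRUPTED_EXPOOL (c5) from the bug-check arguments above.
$$ mydriver.sys is a placeholder for the driver image name.

$$ 1. Let the analyzer decode the bug check and choose the faulting frame.
!analyze -v

$$ 2. Arg4 (8054baee) is the instruction that touched memory: resolve it to a module and function.
$$    If it lands inside ntoskrnl rather than the driver, the write happened inside the pool
$$    allocator itself, not at the "mov [ebp+pMyNode], eax" shown as the return address.
ln 8054baee

$$ 3. Arg1 (e252a000) is the address referenced: ask the pool manager which page and allocation own it.
!pool e252a000

$$ 4. Arg2 (0xd) is an IRQL above DISPATCH_LEVEL (2); confirm the IRQL at crash time and walk the stack.
!irql
kb

$$ 5. List pool consumers sorted by NonPagedPool usage (flag 2). Note that kernel tools display
$$    tag bytes reversed, so allocations tagged 'TEST' in source appear as "TSET" here.
!poolused 2

$$ 6. Check whether Driver Verifier is tracking the driver. Enable it on the target first with
$$    "verifier /standard /driver mydriver.sys" and reboot; special pool can be added with
$$    "gflags /p /enable mydriver.sys /full" so an overrun is caught at the faulting write.
!verifier 3 mydriver.sys
```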

0 answers