Device Driver Has Pool error

Time: 2015-06-24 22:49:42

Tags: c windows device-driver bsod

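I am writing a Windows device driver. The driver is very simple. It does nothing special. I just want to get familiar with Windows driver development.

In my driver, I am allocating some memory from NonPagedPool, but there is a very strange error.

Here is my code segment: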

pMyNode = (PMY_NODE)ExAllocatePoolWithTag(NonPagedPool, sizeof(MY_NODE), 'TEST');
if (pMyNode == NULL){
    DbgPrint("Not Enough Memory\n");
}
else{
    // Do Some Stuffs and free memory
}

The corresponding assembly code (from the IDA Pro Disassembler) is:

call ds:__imp__ExAllocatePoolWithTag
mov [ebp+pMyNode], eax
cmp [ebp+pMyNode], 0
jnz  SOME_OFFSET
call _DbgPrint

SOME_OFFSET:
.........
.........

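This code segment goes into the handler function of PsSetCreateProcessNotifyRoutine. So every time a new process is created, this code segment is executed. Now, if I run the driver for a long time, I suddenly get a BSoD. And WinDbg points to the instruction mov [ebp+pMyNode], eax as the faulting instruction. This line actually assigns the return value of ExAllocatePoolWithTag to the pMyNode pointer. I do not understand how this could be a faulting instruction.

The error message on the BSoD screen is A Device Driver Has Pool. See the WinDbg log below: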

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: e252a000, memory referenced
Arg2: 0000000d, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8054baee, address which referenced memory

Any help is appreciated.
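
The bugcheck text above attributes c5 to a driver that corrupted the pool. As an added illustration (not part of the original question, and not a diagnosis of the asker's driver), this user-mode C toy pool shows why such damage is typically noticed inside a later allocation call rather than at the write that caused it. The allocator layout, sizes, marker value and all function names are constructed for the example and do not model the real Windows pool.

```c
#include <stdint.h>
#include <string.h>

/* Toy user-mode model of a pool with inline block headers.
   NOT the Windows pool allocator; sizes and the marker are constructed. */
enum { HDR = 8, DATA = 32, BLK = HDR + DATA, NBLK = 4 };
#define MAGIC 0x4C4F4F50u
#define END   0xFFFFFFFFu

static unsigned char arena[NBLK * BLK];  /* blocks sit back to back */
static uint32_t free_head;               /* index of the first free block */

static void put32(size_t off, uint32_t v) { memcpy(arena + off, &v, 4); }
static uint32_t get32(size_t off) { uint32_t v; memcpy(&v, arena + off, 4); return v; }

void pool_init(void) {
    for (uint32_t i = 0; i < NBLK; i++) {
        put32((size_t)i * BLK, MAGIC);                           /* header word 0: marker */
        put32((size_t)i * BLK + 4, i + 1 < NBLK ? i + 1 : END);  /* header word 1: next free */
    }
    free_head = 0;
}

/* 0 = ok, -1 = pool empty, -2 = header of the block being handed out is damaged. */
int pool_alloc(unsigned char **out) {
    if (free_head == END) return -1;
    size_t off = (size_t)free_head * BLK;
    if (get32(off) != MAGIC) return -2;   /* the point where a kernel would bugcheck */
    free_head = get32(off + 4);
    *out = arena + off + HDR;
    return 0;
}

/* Models a caller bug: writes len bytes into a DATA-byte allocation, unchecked. */
void caller_fill(unsigned char *p, size_t len) { memset(p, 0x41, len); }

/* Returns the status of the allocation that FOLLOWS a write of len bytes. */
int alloc_after_write(size_t len) {
    unsigned char *a, *b;
    pool_init();
    if (pool_alloc(&a) != 0) return -10;
    caller_fill(a, len);      /* an overrun completes here without any error */
    return pool_alloc(&b);    /* the damage is only noticed here */
}
```

In this model the write that damages the neighbouring header returns normally, and the failure is reported by the next unrelated allocation, which is why the bugcheck text recommends Driver Verifier and special pool to catch the corrupting write itself.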

0 answers:

No answers