Debugging a Minifilter That Will Not Unload

Source: Internet   Published by: 魅力商城淘宝   Editor: 程序博客网   Time: 2024/04/28 00:21


While testing during driver development, I found that the driver sometimes could not be unloaded: a deadlock occurred, so the driver never finished unloading.

Open WinDbg and connect to the running virtual machine.

  1. In the command window, enter: !locks

The output is as follows:
      
        *** DUMP OF ALL RESOURCE OBJECTS ****
        KD: Scanning for held locks.........................................

        Resource @ 0x8691210c    Exclusively owned
             Threads: 86fb38b8-01<*>
        KD: Scanning for held locks..................................

        Resource @ 0x86cd5948    Shared 1 owning threads
             Threads: 86fb4913-01<*> *** Actual Thread 86fb4910

   2. Run: dt nt!_ERESOURCE -b 0x8691210c

           +0x000 Flink            : 0x86912024
           +0x004 Blink            : 0xf72218a8
           +0x008 OwnerTable       : (null)
           +0x00c ActiveCount      : 0n1
           +0x00e Flag             : 0x80
           +0x010 SharedWaiters    : (null)
           +0x014 ExclusiveWaiters : (null)
           +0x018 OwnerThreads     :
            [00] _OWNER_ENTRY
              +0x000 OwnerThread      : 0x86fb38b8
              +0x004 OwnerCount       : 0n1
              +0x004 TableSize        : 1
            [01]
              +0x000 OwnerThread      : 0
              +0x004 OwnerCount       : 0n0
              +0x004 TableSize        : 0
           +0x028 ContentionCount  : 0
           +0x02c NumberOfSharedWaiters : 0
           +0x02e NumberOfExclusiveWaiters : 0
           +0x030 Address          : (null)
           +0x030 CreatorBackTraceIndex : 0
           +0x034 SpinLock         : 0

   Then run: dt nt!_ERESOURCE -b 0x86cd5948

          +0x000 SystemResourcesList : _LIST_ENTRY [ 0x80566d70 - 0x86c7d8c0 ]
          +0x000 Flink            : 0x80566d70
          +0x004 Blink            : 0x86c7d8c0
          +0x008 OwnerTable       : (null)
          +0x00c ActiveCount      : 0n1
          +0x00e Flag             : 8
          +0x010 SharedWaiters    : (null)
          +0x014 ExclusiveWaiters : (null)
          +0x018 OwnerThreads     :
           [00] _OWNER_ENTRY
             +0x000 OwnerThread      : 0
             +0x004 OwnerCount       : 0n0
             +0x004 TableSize        : 0
           [01]
             +0x000 OwnerThread      : 0x86fb4913
             +0x004 OwnerCount       : 0n1
             +0x004 TableSize        : 1
          +0x028 ContentionCount  : 0
          +0x02c NumberOfSharedWaiters : 0
          +0x02e NumberOfExclusiveWaiters : 0
          +0x030 Address          : (null)
          +0x030 CreatorBackTraceIndex : 0
          +0x034 SpinLock         : 0

 The OwnerThread of resource object 0x8691210c is 0x86fb38b8.
 The OwnerThread of resource object 0x86cd5948 is 0x86fb4913.

3. Run: !thread 0x86fb38b8
            THREAD 86fb38b8  Cid 0004.002c  Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
            f7944b50  SynchronizationEvent
            Not impersonating
            DeviceMap                 e10001e0
            Owning Process            0       Image:         <Unknown>
            Attached Process          86fb57c0       Image:         System
            Wait Start TickCount      482446         Ticks: 60846 (0:00:15:50.718)
            Context Switch Count      12170          IdealProcessor: 0            
            UserTime                  00:00:00.000
            KernelTime                00:00:04.921
            Start Address nt!ExpWorkerThread (0x8053967e)
            Stack Init f7945000 Current f7944adc Base f7945000 Limit f7942000 Call 0
            Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 16
            *** ERROR: Module load completed but symbols could not be loaded for DocECFilter.sys
            ChildEBP RetAddr  Args to Child             
            f7944af4 80504836 86fb3928 86fb38b8 804fc068 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4]) 
            f7944b00 804fc068 86d02010 86d02008 00000004 nt!KiSwapThread+0x8a (FPO: [0,0,0]) (CONV: fastcall) 
            f7944b28 f7230aa4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) (CONV: stdcall)
            f7944b68 f722ee3e f7944b90 f722f831 86d02008 fltmgr!FltpExWaitForRundownProtectionRelease+0x72 (FPO: [Non-Fpo]) (CONV: fastcall)
            f7944b70 f722f831 86d02008 86d05030 86912000 fltmgr!FltpObjectRundownWait+0x10 (FPO: [Non-Fpo]) (CONV: stdcall) 
            f7944b90 ee853310 86d02070 00000000 00000001 fltmgr!FltUnregisterFilter+0xb1 (FPO: [Non-Fpo]) (CONV: stdcall) 
            WARNING: Stack unwind information not available. Following frames may be wrong.
            f7944ba4 f722ae00 00000001 80536770 86912004 DocECFilter+0x7310
            f7944d3c f722afb3 86d02008 00000001 00000001 fltmgr!FltpDoUnloadFilter+0xf8 (FPO: [Non-Fpo]) (CONV: stdcall) 
            f7944d60 8058245b 00000000 ee647b84 8056585c fltmgr!FltpMiniFilterDriverUnload+0xab (FPO: [Non-Fpo]) (CONV: stdcall) 
            f7944d7c 8053976d ee647b84 00000000 86fb38b8 nt!IopLoadUnloadDriver+0x19 (FPO: [Non-Fpo]) (CONV: stdcall)
            f7944dac 805d0f64 ee647b84 00000000 00000000 nt!ExpWorkerThread+0xef (FPO: [Non-Fpo]) (CONV: stdcall) 
            f7944ddc 805470de 8053967e 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) 
            00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

       
      Then run: !thread 0x86fb4913
        86fb4913 is not a thread object, interpreting as stack value...
        TYPE mismatch for thread object at 86fb4913

        This shows that the thread has already exited, yet a resource still lists it as its owner, which means the thread never released the ERESOURCE properly.
        Looking at the code, I found that I had not handled the context reference correctly.
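The root cause described above, a context reference that is taken but not given back on every code path, is exactly what keeps FltUnregisterFilter parked in FltpExWaitForRundownProtectionRelease: the filter's rundown wait cannot finish while a reference is outstanding. The following plain C program is an added example, not code from the original post or from any real filter driver. It models the reference counting in user mode: GetStreamContext and ReleaseContext stand in for FltGetStreamContext and FltReleaseContext, UnloadWouldComplete stands in for the rundown wait, and the structures and write lengths are constructed for the example. It shows a leaky pre-write callback beside its fixed form and reports whether unload would complete after each.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the filter object: counts references that
 * callbacks still hold on the filter's contexts (not fltmgr's layout). */
typedef struct _FILTER {
    long activeContextRefs;
} FILTER;

/* Constructed stand-in for a stream context attached to a file stream. */
typedef struct _STREAM_CONTEXT {
    FILTER *filter;
    long refCount;
    long bytesScanned;
} STREAM_CONTEXT;

/* Models FltGetStreamContext: every successful get adds one reference
 * that the caller owns and must give back. */
static STREAM_CONTEXT *GetStreamContext(STREAM_CONTEXT *ctx)
{
    ctx->refCount++;
    ctx->filter->activeContextRefs++;
    return ctx;
}

/* Models FltReleaseContext: returns the reference taken above. */
static void ReleaseContext(STREAM_CONTEXT *ctx)
{
    ctx->refCount--;
    ctx->filter->activeContextRefs--;
}

/* Buggy pre-write callback: the error path returns before releasing. */
static int PreWriteLeaky(STREAM_CONTEXT *ctx, long length)
{
    STREAM_CONTEXT *c = GetStreamContext(ctx);
    if (length <= 0) {
        return -1;                 /* BUG: reference leaked on this path */
    }
    c->bytesScanned += length;
    ReleaseContext(c);
    return 0;
}

/* Fixed pre-write callback: a single exit, and the release is unconditional. */
static int PreWriteFixed(STREAM_CONTEXT *ctx, long length)
{
    STREAM_CONTEXT *c = GetStreamContext(ctx);
    int status = 0;
    if (length <= 0) {
        status = -1;
    } else {
        c->bytesScanned += length;
    }
    ReleaseContext(c);
    return status;
}

/* Drives one callback with a constructed mix of valid and invalid write
 * lengths and returns the references still outstanding afterwards. */
static long OutstandingReferences(int (*callback)(STREAM_CONTEXT *, long))
{
    FILTER filter = { 0 };
    STREAM_CONTEXT ctx = { &filter, 0, 0 };
    const long lengths[] = { 512, 0, 4096, -1, 128 };   /* constructed */
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        callback(&ctx, lengths[i]);
    }
    return filter.activeContextRefs;
}

/* Models the rundown wait inside FltUnregisterFilter. The real wait blocks
 * until the count reaches zero; here it only reports whether it would
 * return (true) or hang forever as in the stack above (false). */
static bool UnloadWouldComplete(int (*callback)(STREAM_CONTEXT *, long))
{
    return OutstandingReferences(callback) == 0;
}

int main(void)
{
    printf("leaky callback: %ld references outstanding, unload %s\n",
           OutstandingReferences(PreWriteLeaky),
           UnloadWouldComplete(PreWriteLeaky) ? "completes" : "hangs");
    printf("fixed callback: %ld references outstanding, unload %s\n",
           OutstandingReferences(PreWriteFixed),
           UnloadWouldComplete(PreWriteFixed) ? "completes" : "hangs");
    return 0;
}
```

The leaky callback leaves one reference behind for each rejected write, so the modelled rundown wait never returns; the fixed callback funnels every path through the same release and the count returns to zero. In a real minifilter the same discipline applies to every Flt*Context get and to any object the filter takes a reference on in a callback.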



