[Help] Question about a ZwOpenFile crash
Posted: 2010-5-21 17:37 4393

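I replaced the ZwOpenFile function by hooking KiSystemService and KiFastCallEntry. This approach works fine the vast majority of the time, but occasionally it causes a blue screen crash, and I don't know why. I hope someone here can help. Below is the text version of the dump file. Many thanks.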

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Documents and Settings\Administrator\桌面\Mini052010-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

WARNING: Whitespace at end of path element
Symbol search path is: SRV*D:\symbols*http://msdl.microsoft.com/download/symbols
;F:\works\fpa-new\sys\Debug
Executable search path is: F:\works\fpa-new\sys\Debug
Windows Vista Kernel Version 6000 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.16386.x86fre.vista_rtm.061101-2205
Machine Name:
Kernel base = 0x81800000 PsLoadedModuleList = 0x81911db0
Debug session time: Thu May 20 17:44:56.554 2010 (GMT+8)
System Uptime: 0 days 0:02:22.414
Loading Kernel Symbols
...............................................................
................................................................
.......................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {30, 2, 1, 8180b393}

*** WARNING: Unable to verify timestamp for ncfpa.sys
Probably caused by : ncfpa.sys ( ncfpa!NewNtOpenFile+998 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000030, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
        bit 0 : value 0 = read operation, 1 = write operation
        bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 8180b393, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 819315ac
Unable to read MiSystemVaType memory at 81911780
00000030

CURRENT_IRQL:  2

FAULTING_IP:
nt!IopMountInitializeVpb+41
8180b393 884130          mov     byte ptr [ecx+30h],al

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  explorer.exe

TRAP_FRAME:  994448a0 -- (.trap 0xffffffff994448a0)
ErrCode = 00000002
eax=8424b204 ebx=8a91ad78 ecx=00000000 edx=00000000 esi=8419fbc0 edi=00000000
eip=8180b393 esp=99444914 ebp=99444920 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopMountInitializeVpb+0x41:
8180b393 884130          mov     byte ptr [ecx+30h],al      ds:0023:00000030=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8180b393 to 8188fc44

STACK_TEXT:  
994448a0 8180b393 badb0d00 00000000 83fc86d0 nt!KiTrap0E+0x2ac
99444920 819878ce 8424b230 8424b230 00000000 nt!IopMountInitializeVpb+0x41
99444994 81827583 8424b230 83f03400 00000000 nt!IopMountVolume+0x21c
994449cc 8199678a 83f03420 99444b10 99444a6c nt!IopCheckVpbMounted+0x64
99444a90 819eef0d 8424b230 00000000 8481f5c8 nt!IopParseDevice+0x537
99444b20 819ec6b9 00000000 99444b78 00000040 nt!ObpLookupObjectName+0x615
99444b84 819839e0 0636ead8 00000000 83991001 nt!ObOpenObjectByName+0x13c
99444bf8 819900f5 0636eb0c 00100000 0636ead8 nt!IopCreateFile+0x5ec
99444c40 99490198 0636eb0c 00100000 0636ead8 nt!NtOpenFile+0x2a
99444d44 8188c96a 0636eb0c 00100000 0636ead8 ncfpa!NewNtOpenFile+0x998 [f:\works\fpa-new\sys\hookfile.c @ 1233]
99444d44 77870f34 0636eb0c 00100000 0636ead8 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0636eb04 00000000 00000000 00000000 00000000 0x77870f34

STACK_COMMAND:  kb

FOLLOWUP_IP:
ncfpa!NewNtOpenFile+998 [f:\works\fpa-new\sys\hookfile.c @ 1233]
99490198 ??              ???

FAULTING_SOURCE_CODE:  
  1229:                 wszFile = NULL;
  1230:         }
  1231:         return RealNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes,
  1232:                 IoStatusBlock, ShareAccess, OpenOptions );
> 1233: }
  1234:
  1235: /*********************************************************************
  1236: *
  1237: * ¦Ì¡Â¨®?¡¤?¨º?:    NTSTATUS
  1238: RealNtSetInformationFile(

SYMBOL_STACK_INDEX:  9

SYMBOL_NAME:  ncfpa!NewNtOpenFile+998

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ncfpa

IMAGE_NAME:  ncfpa.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4bf3b3d3

FAILURE_BUCKET_ID:  0xA_ncfpa!NewNtOpenFile+998

BUCKET_ID:  0xA_ncfpa!NewNtOpenFile+998

Followup: MachineOwner
---------

kd> lmvm ncfpa
start    end        module name
99489000 994b2000   ncfpa    M (private pdb symbols)  f:\works\fpa-new\sys\debug\ncfpa.pdb
    Loaded symbol image file: ncfpa.sys
    Image path: \??\C:\Windows\System32\drivers\ncfpa.sys
    Image name: ncfpa.sys
    Timestamp:        Wed May 19 17:48:03 2010 (4BF3B3D3)
    CheckSum:         0002D295
    ImageSize:        00029000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
kd> .trap 0xffffffff994448a0
ErrCode = 00000002
eax=8424b204 ebx=8a91ad78 ecx=00000000 edx=00000000 esi=8419fbc0 edi=00000000
eip=8180b393 esp=99444914 ebp=99444920 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopMountInitializeVpb+0x41:
8180b393 884130          mov     byte ptr [ecx+30h],al      ds:0023:00000030=??
