사실 굉장히 보기 힘든 Bugcheck 인데 제자리에서 발생했내요.( 운이 좋은건지 .. )
KERNEL_APC_PENDING_DURING_EXIT 굉장히 심플한 상황에서 발생합니다. 예전에 ntdebugging 에 있던 내용을 포스팅했던 기억이.. ( http://www.insidewindows.kr/?p=42 )
KeEnterCriticalRegion, KeWaitForSingleObject, KeWaitForMultipleObjects, KeWaitForMutexObject, or FsRtlEnterFileSystem 등의 함수를 호출하게 되면 APC disable count가 감소하게 되는데 이러한 시점에서 Thread의 종료가 발생하면 나타나게 되는것이 대부분입니다. 간략하게 살펴보죠 .
0: kd> !analyze -v
KERNEL_APC_PENDING_DURING_EXIT (20)
… 생략
Debugging Details:
——————
PEB is paged out (Peb.Ldr = 7ffdb00c). Type “.hh dbgerr001″ for details
PEB is paged out (Peb.Ldr = 7ffdb00c). Type “.hh dbgerr001″ for details
BUGCHECK_STR: 0×20_KAPC_NEGATIVE
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: xxxxxx.exe
LAST_CONTROL_TRANSFER: from 805d4750 to 804fbf43
STACK_TEXT:
a8418c58 805d4750 00000020 892b9f20 fffffffd nt!KeBugCheckEx+0×1b
a8418d08 805d48d6 00000001 892b9da8 00000000 nt!PspExitThread+0×6bc
a8418d28 805d4ab1 892b9da8 00000001 a8418d64 nt!PspTerminateThreadByPointer+0×52
a8418d54 8054363c 00000000 00000001 0013ea60 nt!NtTerminateProcess+0×105
a8418d54 7c93e514 00000000 00000001 0013ea60 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0013ea60 00000000 00000000 00000000 00000000 0×7c93e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PspExitThread+6bc
805d4750 e87bb2f2ff call nt!KeTerminateThread (804ff9d0)
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!PspExitThread+6bc
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4b1e9e60
FAILURE_BUCKET_ID: 0×20_KAPC_NEGATIVE_nt!PspExitThread+6bc
BUCKET_ID: 0×20_KAPC_NEGATIVE_nt!PspExitThread+6bc
Followup: MachineOwner
———
0: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks.
Resource @ nt!HandleTableListLock (0×80566bc0) Exclusively owned
Contention Count = 5
NumberOfExclusiveWaiters = 5
Threads: 892b9da8-03<*>
Threads Waiting On Exclusive Access:
8915fda8 8a0a7968 88df7020 8987d208
89a91020
KD: Scanning for held
locks………………………….
Resource @ 0×890a8960 Shared 1 owning threads
Threads: 8a3178bb-01<*> *** Actual Thread 8a3178b8
KD: Scanning for held locks…………………………
Resource @ 0×896f8c48 Shared 1 owning threads
Threads: 892b9dab-01<*> *** Actual Thread 892b9da8
KD: Scanning for held locks.
16950 total locks, 3 locks currently held
nt!HandleTableListLock( ERESOURCE )를 이용하기 위해서 KeEnterCriticalRegion 를 호출했을 것을 추측할 수 있죠 .
최근 답글