Discussion of a Windows spoolsv process crash with rip=c0000001
Windows' own print spooler service keeps crashing for no apparent reason. Judging from the dmp (https://pan.ruijie.com.cn/share/0466ca14b9f81f6306a31b33bb), it is caused by rip=c000001. Looking at the code addresses on the stack:
00000000`034bea20 00000000`00000080
00000000`034bea28 00000000`00003010
00000000`034bea30 00000000`034beb70
00000000`034bea38 00000000`034beac0
00000000`034bea40 00000000`034beb70
00000000`034bea48 00000000`00000000
00000000`034bea50 00000000`00000000
00000000`034bea58 00000000`00003010
00000000`034bea60 00000000`00000000
00000000`034bea68 00000000`00153290
00000000`034bea70 00000000`00600060
00000000`034bea78 00000000`034beb80
00000000`034bea80 00000000`00000000
00000000`034bea88 00000000`03be0080
00000000`034bea90 00000000`03be0080
00000000`034bea98 00000000`0228c090
00000000`034beaa0 00000000`034becd0
00000000`034beaa8 00000000`76e735bd kernel32!RegOpenKeyExW+0x1d
00000000`034beab0 00000000`00000020
00000000`034beab8 00000000`00000001
00000000`034beac0 00000000`00000001
00000000`034beac8 00000000`03128600
00000000`034bead0 00000000`034beb70
00000000`034bead8 00000000`00000000
00000000`034beae0 00000000`03123500
00000000`034beae8 000007fe`fd174223 advapi32!RegOpenKeyExWStub+0x13
00000000`034beaf0 00000000`034becd0
00000000`034beaf8 00000000`00000001
00000000`034beb00 000007fe`e8c8a218 EA6LMTMT!InitializePrintMonitor2+0x277c8
00000000`034beb08 00000000`03be0080
00000000`034beb10 00000000`034beb70
00000000`034beb18 00000000`000000a9
00000000`034beb20 00000000`03949bd0
00000000`034beb28 000007fe`e8c56efe EA6LMTMT+0x6efe
00000000`034beb30 ffffffff`fffffffe
00000000`034beb38 00000000`00040000
00000000`034beb40 00000000`00000000
00000000`034beb48 000007fe`fda225ed msvcrt!vsnprintf+0x11
00000000`034beb50 00000000`034beb70
00000000`034beb58 000007fe`e90a336e localspl!NDebug::DebugLibraryMalloc+0xe6
00000000`034beb60 00000000`03949bd0
00000000`034beb68 000007fe`fce4132c KERNELBASE!SetEvent+0xc
00000000`034beb70 00000000`00000000
00000000`034beb78 000007fe`e9115d7a localspl!SetPrinterChange+0x10e
00000000`034beb80 00540046`004f0053
00000000`034beb88 00450052`00410057
00000000`034beb90 00530050`0045005c
00000000`034beb98 0045005c`004e004f
00000000`034beba0 004e004f`00530050
00000000`034beba8 00760064`00410020
00000000`034bebb0 00650063`006e0061
00000000`034bebb8 00720050`00200064
00000000`034bebc0 00650074`006e0069
00000000`034bebc8 00720044`00200072
00000000`034bebd0 00720065`00760069
00000000`034bebd8 0000005c`00360020
00000000`034bebe0 0000eeb1`5cefd5cd
00000000`034bebe8 000007fe`e8c571ea EA6LMTMT+0x71ea
00000000`034bebf0 00000000`00000001
00000000`034bebf8 000007fe`e8c63510 EA6LMTMT!InitializePrintMonitor2+0xac0
00000000`034bec00 000007fe`e8c8a218 EA6LMTMT!InitializePrintMonitor2+0x277c8
00000000`034bec08 000007fe`e8c8d738 EA6LMTMT!InitializePrintMonitor2+0x2ace8
00000000`034bec10 00000000`00000001
00000000`034bec18 00000000`00000000
00000000`034bec20 000007fe`e8c8aab0 EA6LMTMT!InitializePrintMonitor2+0x28060
00000000`034bec28 00000000`034becd0
00000000`034bec30 ffffffff`fffffffe
00000000`034bec38 00000000`00003010
00000000`034bec40 00000000`034bedf8
00000000`034bec48 00000000`00000001
00000000`034bec50 00000000`0000003f
00000000`034bec58 000007fe`e90ee234 localspl!SplWritePrinter+0x284
00000000`034bec60 00000000`0229f5b0
00000000`034bec68 00000000`00003010
00000000`034bec70 00000000`022a2b60
00000000`034bec78 000007fe`e8c8a218 EA6LMTMT!InitializePrintMonitor2+0x277c8
00000000`034bec80 00000000`00000000
00000000`034bec88 000007fe`e90efe96 localspl!LocalReadPrinter+0x16
00000000`034bec90 00000000`034bf120
00000000`034bec98 00000000`00000000
00000000`034beca0 00000000`00000000
00000000`034beca8 00000000`034bf120
00000000`034becb0 00000000`022a2b60
00000000`034becb8 00000000`03be0080
00000000`034becc0 00000000`00000000
00000000`034becc8 00000000`ff87c77a spoolsv!WritePrinter+0x26
00000000`034becd0 00000000`00000000
00000000`034becd8 00000000`00000000
00000000`034bece0 00000000`00000000
00000000`034bece8 00000000`00000000
00000000`034becf0 00000000`022a2b60
00000000`034becf8 000007fe`f7ff3fad spoolss!WritePrinter+0x1d
00000000`034bed00 00000000`00000000
00000000`034bed08 00000000`00000000
00000000`034bed10 00000000`03be0080
00000000`034bed18 000007fe`00000001
00000000`034bed20 00000000`00000000
00000000`034bed28 000007fe`eaaf1c41 winprint!PrintRawJob+0x129
00000000`034bed30 00000000`03946868
00000000`034bed38 00000000`02730040
00000000`034bed40 00000000`0229f460
00000000`034bed48 000007fe`e90a3c32 localspl!NDebug::vFormatA+0x78
00000000`034bed50 00000000`022adbc0
00000000`034bed58 00000000`02296a10
00000000`034bed60 00000000`00000000
00000000`034bed68 00000000`0229d710
00000000`034bed70 00000000`02298920
00000000`034bed78 00000000`00000000
00000000`034bed80 00000000`00000000
00000000`034bed88 000007fe`fda225ed msvcrt!vsnprintf+0x11
00000000`034bed90 00000000`034bee50
00000000`034bed98 000007fe`fda28e83 msvcrt!msize+0x41
00000000`034beda0 00000000`00000000
00000000`034beda8 00000000`002ca77a
00000000`034bedb0 00000000`002ca7b2
00000000`034bedb8 00000000`034bf120
00000000`034bedc0 00000000`00000000
00000000`034bedc8 00000000`002c8b00
00000000`034bedd0 00000000`002ca7e0
00000000`034bedd8 000007fe`eaaf2f67 winprint!PrintDocumentOnPrintProcessor+0x5b
00000000`034bede0 00000000`00003010
00000000`034bede8 00000000`034bf120
00000000`034bedf0 00000000`0311b3d0
00000000`034bedf8 00000000`00000000
00000000`034bee00 00000000`00000000
00000000`034bee08 000007fe`f7fe6be2 PrintIsolationProxy!sandbox::PrintProcessor::PrintDocThroughPrintProcessor+0x82
00000000`034bee10 000007fe`e914db24 localspl!_chkstk+0xa84
00000000`034bee18 00000000`002c8b20
00000000`034bee20 00000000`002ca77a
00000000`034bee28 00000000`00000001
00000000`034bee30 00000000`002ca7b2
00000000`034bee38 000007fe`e90b8b05 localspl!atexit+0x9
00000000`034bee40 000007fe`e9156470 localspl!`string'
00000000`034bee48 00000000`003d8de0
00000000`034bee50 00000000`00000000
00000000`034bee58 00000000`00000000
00000000`034bee60 00000000`00000001
00000000`034bee68 000007fe`e914c6bc localspl!sandbox::PrintProcessorExecuteObserver::PrintDocThroughPrintProcessor+0x124
00000000`034bee70 00000000`002ca7b2
00000000`034bee78 00000000`034bf120
00000000`034bee80 00000000`002c8b20
00000000`034bee88 00000000`002ca77a
00000000`034bee90 00000000`0000007b
00000000`034bee98 00000000`00000000
00000000`034beea0 00000000`00000000
00000000`034beea8 00000000`00000000
00000000`034beeb0 00000000`002c3c50
00000000`034beeb8 00000000`00000000
00000000`034beec0 00000000`00000000
00000000`034beec8 00000000`034bf120
00000000`034beed0 00000000`002c7030
00000000`034beed8 00000000`ff87fd95 spoolsv!SetJobW+0x25
00000000`034beee0 00000000`00000002
00000000`034beee8 00000000`00000002
00000000`034beef0 00000000`00000000
00000000`034beef8 00000000`00000000
00000000`034bef00 00000000`00000008
00000000`034bef08 000007fe`e90a336e localspl!NDebug::DebugLibraryMalloc+0xe6
00000000`034bef10 00000000`00000000
00000000`034bef18 00000000`002c3c50
00000000`034bef20 00000000`002ca77a
00000000`034bef28 000007fe`e914ad86 localspl!sandbox::PrintProcessorAdapterImpl::PrintDocumentOnPrintProcessor+0x3a
00000000`034bef30 00000000`00000000
00000000`034bef38 00000000`034bf120
00000000`034bef40 00000000`00000000
00000000`034bef48 00000000`00000000
00000000`034bef50 00000000`00000000
00000000`034bef58 000007fe`e914946d localspl!sandbox::PrintProcessorAdapter::PrintDocumentOnPrintProcessor+0x9d
00000000`034bef60 00000000`002c7030
00000000`034bef68 00000000`00000000
00000000`034bef70 00000000`0228c090
00000000`034bef78 000007fe`e90a33cc localspl!TDebugMsg_Fmt+0x20
00000000`034bef80 00000000`002ca7b2
00000000`034bef88 00000000`0000031f
00000000`034bef90 00000000`0228c090
00000000`034bef98 000007fe`e9159ad0 localspl!`string'
00000000`034befa0 00000000`00000001
00000000`034befa8 000007fe`e9106af0 localspl!PrintDocumentThruPrintProcessor+0x46c
00000000`034befb0 00000000`0229f920
00000000`034befb8 00000000`0229f780
00000000`034befc0 00000000`0000031f
00000000`034befc8 00000000`00000000
00000000`034befd0 00000000`00000002
00000000`034befd8 00000000`00000000
00000000`034befe0 00000000`7446f5d2
00000000`034befe8 00000000`00000000
00000000`034beff0 00000000`00000001
00000000`034beff8 00000000`00000000
00000000`034bf000 00000000`00000001
00000000`034bf008 00000000`00000000
00000000`034bf010 00000404`00000000
00000000`034bf018 00000000`00000000
00000000`034bf020 00000000`00000558
00000000`034bf028 00000000`771f022a ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3da
00000000`034bf030 00000000`00000005
00000000`034bf038 00000000`00000000
00000000`034bf040 00000000`00000000
00000000`034bf048 00000000`00000000
00000000`034bf050 00000000`034bf0f0
00000000`034bf058 00000000`00000000
00000000`034bf060 00000000`00000000
00000000`034bf068 00000000`00000006
00000000`034bf070 000007fe`0010000e
00000000`034bf078 00000000`0311d3c0
00000000`034bf080 00000000`00000000
00000000`034bf088 00000000`00000000
00000000`034bf090 00000000`00000000
00000000`034bf098 00000000`00000000
00000000`034bf0a0 00000000`00000000
00000000`034bf0a8 00000000`00800000
00000000`034bf0b0 00000000`034bf1d0
00000000`034bf0b8 00000000`00000000
00000000`034bf0c0 00000000`771c73c0 ntdll!LdrpDefaultExtension
it looks as though rip turned into an invalid value while the registry key
SOFTWARE\EPSON\EPSON Advanced Printer Driver 6
was being opened.
My guess is that execution had already entered the function body reached through the call qword ptr, i.e. kernel32!RegOpenKeyExInternalW.
Perhaps there is another call inside it that ran into a stack overflow, so that on ret the rip value became invalid.
But these are all Microsoft's own DLLs, so such a basic mistake seems unlikely.
Does anyone have any insight?
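As an added example (not code from the post or from any of the modules named in it), a small Python helper that parses this dps-style stack listing, lists the symbolised slots in stack order, and decodes a run of raw qwords as UTF-16LE, which is how the key name lying on the stack from 034beb80 can be recovered; it also flags a rip value shaped like an NTSTATUS error code (0xC0000001 is STATUS_UNSUCCESSFUL) rather than a code address. The sample lines are copied from the dump in the post.

```python
import re
from typing import List, Optional, Tuple

# Sample input: lines copied from the stack dump in the post (dps layout: address, qword, optional symbol).
STACK_DUMP = """\
00000000`034beaa8 00000000`76e735bd kernel32!RegOpenKeyExW+0x1d
00000000`034beb00 000007fe`e8c8a218 EA6LMTMT!InitializePrintMonitor2+0x277c8
00000000`034beb80 00540046`004f0053
00000000`034beb88 00450052`00410057
00000000`034beb90 00530050`0045005c
00000000`034beb98 0045005c`004e004f
00000000`034beba0 004e004f`00530050
00000000`034beba8 00760064`00410020
00000000`034bebb0 00650063`006e0061
00000000`034bebb8 00720050`00200064
00000000`034bebc0 00650074`006e0069
00000000`034bebc8 00720044`00200072
00000000`034bebd0 00720065`00760069
00000000`034bebd8 0000005c`00360020
00000000`034bebe0 0000eeb1`5cefd5cd
"""
DPS_LINE = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8}) ([0-9a-f]{8})`([0-9a-f]{8})(?: (.+))?$")

def parse_dps(text: str) -> List[Tuple[int, int, Optional[str]]]:
    """Parse dps-style lines into (stack address, qword value, symbol or None)."""
    entries = []
    for line in text.splitlines():
        m = DPS_LINE.match(line.strip())
        if m:
            entries.append((int(m[1] + m[2], 16), int(m[3] + m[4], 16), m[5]))
    return entries

def symbol_chain(entries) -> List[str]:
    """Symbolised slots ordered by stack address: innermost (most recent) frames first."""
    return [sym for _, _, sym in sorted(entries) if sym]

def decode_utf16_at(entries, start: int) -> str:
    """Reassemble the little-endian qwords from 'start' upward and decode UTF-16LE up to the first NUL."""
    raw = b"".join(v.to_bytes(8, "little") for a, v, _ in sorted(entries) if a >= start)
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def classify_rip(value: int) -> str:
    """Distinguish a plausible user-mode code address from a value shaped like an NTSTATUS error code."""
    if value >> 32 == 0 and value >> 30 == 0b11:  # severity bits 11 = error, high dword clear
        name = " (STATUS_UNSUCCESSFUL)" if value == 0xC0000001 else ""
        return f"NTSTATUS-shaped error code 0x{value:08x}{name}, not a code address"
    return f"address 0x{value:016x}"
```

Decoding from 034beb80 yields the key path with a trailing backslash, which is a detail worth comparing against what the driver is expected to open.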