The built-in Windows print spooler service keeps crashing for no obvious reason. From the dump (https://pan.ruijie.com.cn/share/0466ca14b9f81f6306a31b33bb), the crash is caused by rip=c000001.
Judging from the code addresses on the stack:
00000000`034bea20 00000000`00000080
00000000`034bea28 00000000`00003010
00000000`034bea30 00000000`034beb70
00000000`034bea38 00000000`034beac0
00000000`034bea40 00000000`034beb70
00000000`034bea48 00000000`00000000
00000000`034bea50 00000000`00000000
00000000`034bea58 00000000`00003010
00000000`034bea60 00000000`00000000
00000000`034bea68 00000000`00153290
00000000`034bea70 00000000`00600060
00000000`034bea78 00000000`034beb80
00000000`034bea80 00000000`00000000
00000000`034bea88 00000000`03be0080
00000000`034bea90 00000000`03be0080
00000000`034bea98 00000000`0228c090
00000000`034beaa0 00000000`034becd0
00000000`034beaa8 00000000`76e735bd kernel32!RegOpenKeyExW+0x1d
00000000`034beab0 00000000`00000020
00000000`034beab8 00000000`00000001
00000000`034beac0 00000000`00000001
00000000`034beac8 00000000`03128600
00000000`034bead0 00000000`034beb70
00000000`034bead8 00000000`00000000
00000000`034beae0 00000000`03123500
00000000`034beae8 000007fe`fd174223 advapi32!RegOpenKeyExWStub+0x13
00000000`034beaf0 00000000`034becd0
00000000`034beaf8 00000000`00000001
00000000`034beb00 000007fe`e8c8a218 EA6LMTMT!InitializePrintMonitor2+0x277c8
00000000`034beb08 00000000`03be0080
00000000`034beb10 00000000`034beb70
00000000`034beb18 00000000`000000a9
00000000`034beb20 00000000`03949bd0
00000000`034beb28 000007fe`e8c56efe EA6LMTMT+0x6efe
00000000`034beb30 ffffffff`fffffffe
00000000`034beb38 00000000`00040000
00000000`034beb40 00000000`00000000
00000000`034beb48 000007fe`fda225ed msvcrt!vsnprintf+0x11
00000000`034beb50 00000000`034beb70
00000000`034beb58 000007fe`e90a336e localspl!NDebug::DebugLibraryMalloc+0xe6
00000000`034beb60 00000000`03949bd0
00000000`034beb68 000007fe`fce4132c KERNELBASE!SetEvent+0xc
00000000`034beb70 00000000`00000000
00000000`034beb78 000007fe`e9115d7a localspl!SetPrinterChange+0x10e
00000000`034beb80 00540046`004f0053
00000000`034beb88 00450052`00410057
00000000`034beb90 00530050`0045005c
00000000`034beb98 0045005c`004e004f
00000000`034beba0 004e004f`00530050
00000000`034beba8 00760064`00410020
00000000`034bebb0 00650063`006e0061
00000000`034bebb8 00720050`00200064
00000000`034bebc0 00650074`006e0069
00000000`034bebc8 00720044`00200072
00000000`034bebd0 00720065`00760069
00000000`034bebd8 0000005c`00360020
00000000`034bebe0 0000eeb1`5cefd5cd
00000000`034bebe8 000007fe`e8c571ea EA6LMTMT+0x71ea
00000000`034bebf0 00000000`00000001
00000000`034bebf8 000007fe`e8c63510 EA6LMTMT!InitializePrintMonitor2+0xac0
00000000`034bec00 000007fe`e8c8a218 EA6LMTMT!InitializePrintMonitor2+0x277c8
00000000`034bec08 000007fe`e8c8d738 EA6LMTMT!InitializePrintMonitor2+0x2ace8
00000000`034bec10 00000000`00000001
00000000`034bec18 00000000`00000000
00000000`034bec20 000007fe`e8c8aab0 EA6LMTMT!InitializePrintMonitor2+0x28060
00000000`034bec28 00000000`034becd0
00000000`034bec30 ffffffff`fffffffe
00000000`034bec38 00000000`00003010
00000000`034bec40 00000000`034bedf8
00000000`034bec48 00000000`00000001
00000000`034bec50 00000000`0000003f
00000000`034bec58 000007fe`e90ee234 localspl!SplWritePrinter+0x284
00000000`034bec60 00000000`0229f5b0
00000000`034bec68 00000000`00003010
00000000`034bec70 00000000`022a2b60
00000000`034bec78 000007fe`e8c8a218 EA6LMTMT!InitializePrintMonitor2+0x277c8
00000000`034bec80 00000000`00000000
00000000`034bec88 000007fe`e90efe96 localspl!LocalReadPrinter+0x16
00000000`034bec90 00000000`034bf120
00000000`034bec98 00000000`00000000
00000000`034beca0 00000000`00000000
00000000`034beca8 00000000`034bf120
00000000`034becb0 00000000`022a2b60
00000000`034becb8 00000000`03be0080
00000000`034becc0 00000000`00000000
00000000`034becc8 00000000`ff87c77a spoolsv!WritePrinter+0x26
00000000`034becd0 00000000`00000000
00000000`034becd8 00000000`00000000
00000000`034bece0 00000000`00000000
00000000`034bece8 00000000`00000000
00000000`034becf0 00000000`022a2b60
00000000`034becf8 000007fe`f7ff3fad spoolss!WritePrinter+0x1d
00000000`034bed00 00000000`00000000
00000000`034bed08 00000000`00000000
00000000`034bed10 00000000`03be0080
00000000`034bed18 000007fe`00000001
00000000`034bed20 00000000`00000000
00000000`034bed28 000007fe`eaaf1c41 winprint!PrintRawJob+0x129
00000000`034bed30 00000000`03946868
00000000`034bed38 00000000`02730040
00000000`034bed40 00000000`0229f460
00000000`034bed48 000007fe`e90a3c32 localspl!NDebug::vFormatA+0x78
00000000`034bed50 00000000`022adbc0
00000000`034bed58 00000000`02296a10
00000000`034bed60 00000000`00000000
00000000`034bed68 00000000`0229d710
00000000`034bed70 00000000`02298920
00000000`034bed78 00000000`00000000
00000000`034bed80 00000000`00000000
00000000`034bed88 000007fe`fda225ed msvcrt!vsnprintf+0x11
00000000`034bed90 00000000`034bee50
00000000`034bed98 000007fe`fda28e83 msvcrt!msize+0x41
00000000`034beda0 00000000`00000000
00000000`034beda8 00000000`002ca77a
00000000`034bedb0 00000000`002ca7b2
00000000`034bedb8 00000000`034bf120
00000000`034bedc0 00000000`00000000
00000000`034bedc8 00000000`002c8b00
00000000`034bedd0 00000000`002ca7e0
00000000`034bedd8 000007fe`eaaf2f67 winprint!PrintDocumentOnPrintProcessor+0x5b
00000000`034bede0 00000000`00003010
00000000`034bede8 00000000`034bf120
00000000`034bedf0 00000000`0311b3d0
00000000`034bedf8 00000000`00000000
00000000`034bee00 00000000`00000000
00000000`034bee08 000007fe`f7fe6be2 PrintIsolationProxy!sandbox::PrintProcessor::PrintDocThroughPrintProcessor+0x82
00000000`034bee10 000007fe`e914db24 localspl!_chkstk+0xa84
00000000`034bee18 00000000`002c8b20
00000000`034bee20 00000000`002ca77a
00000000`034bee28 00000000`00000001
00000000`034bee30 00000000`002ca7b2
00000000`034bee38 000007fe`e90b8b05 localspl!atexit+0x9
00000000`034bee40 000007fe`e9156470 localspl!`string'
00000000`034bee48 00000000`003d8de0
00000000`034bee50 00000000`00000000
00000000`034bee58 00000000`00000000
00000000`034bee60 00000000`00000001
00000000`034bee68 000007fe`e914c6bc localspl!sandbox::PrintProcessorExecuteObserver::PrintDocThroughPrintProcessor+0x124
00000000`034bee70 00000000`002ca7b2
00000000`034bee78 00000000`034bf120
00000000`034bee80 00000000`002c8b20
00000000`034bee88 00000000`002ca77a
00000000`034bee90 00000000`0000007b
00000000`034bee98 00000000`00000000
00000000`034beea0 00000000`00000000
00000000`034beea8 00000000`00000000
00000000`034beeb0 00000000`002c3c50
00000000`034beeb8 00000000`00000000
00000000`034beec0 00000000`00000000
00000000`034beec8 00000000`034bf120
00000000`034beed0 00000000`002c7030
00000000`034beed8 00000000`ff87fd95 spoolsv!SetJobW+0x25
00000000`034beee0 00000000`00000002
00000000`034beee8 00000000`00000002
00000000`034beef0 00000000`00000000
00000000`034beef8 00000000`00000000
00000000`034bef00 00000000`00000008
00000000`034bef08 000007fe`e90a336e localspl!NDebug::DebugLibraryMalloc+0xe6
00000000`034bef10 00000000`00000000
00000000`034bef18 00000000`002c3c50
00000000`034bef20 00000000`002ca77a
00000000`034bef28 000007fe`e914ad86 localspl!sandbox::PrintProcessorAdapterImpl::PrintDocumentOnPrintProcessor+0x3a
00000000`034bef30 00000000`00000000
00000000`034bef38 00000000`034bf120
00000000`034bef40 00000000`00000000
00000000`034bef48 00000000`00000000
00000000`034bef50 00000000`00000000
00000000`034bef58 000007fe`e914946d localspl!sandbox::PrintProcessorAdapter::PrintDocumentOnPrintProcessor+0x9d
00000000`034bef60 00000000`002c7030
00000000`034bef68 00000000`00000000
00000000`034bef70 00000000`0228c090
00000000`034bef78 000007fe`e90a33cc localspl!TDebugMsg_Fmt+0x20
00000000`034bef80 00000000`002ca7b2
00000000`034bef88 00000000`0000031f
00000000`034bef90 00000000`0228c090
00000000`034bef98 000007fe`e9159ad0 localspl!`string'
00000000`034befa0 00000000`00000001
00000000`034befa8 000007fe`e9106af0 localspl!PrintDocumentThruPrintProcessor+0x46c
00000000`034befb0 00000000`0229f920
00000000`034befb8 00000000`0229f780
00000000`034befc0 00000000`0000031f
00000000`034befc8 00000000`00000000
00000000`034befd0 00000000`00000002
00000000`034befd8 00000000`00000000
00000000`034befe0 00000000`7446f5d2
00000000`034befe8 00000000`00000000
00000000`034beff0 00000000`00000001
00000000`034beff8 00000000`00000000
00000000`034bf000 00000000`00000001
00000000`034bf008 00000000`00000000
00000000`034bf010 00000404`00000000
00000000`034bf018 00000000`00000000
00000000`034bf020 00000000`00000558
00000000`034bf028 00000000`771f022a ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3da
00000000`034bf030 00000000`00000005
00000000`034bf038 00000000`00000000
00000000`034bf040 00000000`00000000
00000000`034bf048 00000000`00000000
00000000`034bf050 00000000`034bf0f0
00000000`034bf058 00000000`00000000
00000000`034bf060 00000000`00000000
00000000`034bf068 00000000`00000006
00000000`034bf070 000007fe`0010000e
00000000`034bf078 00000000`0311d3c0
00000000`034bf080 00000000`00000000
00000000`034bf088 00000000`00000000
00000000`034bf090 00000000`00000000
00000000`034bf098 00000000`00000000
00000000`034bf0a0 00000000`00000000
00000000`034bf0a8 00000000`00800000
00000000`034bf0b0 00000000`034bf1d0
00000000`034bf0b8 00000000`00000000
00000000`034bf0c0 00000000`771c73c0 ntdll!LdrpDefaultExtension
it was apparently about to open the registry key
SOFTWARE\EPSON\EPSON Advanced Printer Driver 6
when rip turned into an illegal value.
My guess is that at this point execution had already entered the function body through call qword ptr [kernel32!g_RegKrnGlobalState+0x188 (00000000`76f6a988)], i.e. kernel32!RegOpenKeyExInternalW.
Perhaps there is another call inside it that ran into a stack overflow, so that on ret the value of rip was changed to something illegal.
But these are all Microsoft's own DLLs, so it is unlikely they would contain such an elementary mistake.
Does anyone have any insight?
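Added example (not code from the original post or from any of the vendors named in it): a small Python script that does mechanically what the post does by hand on the `dps` output, listing the symbolised stack slots in stack order and decoding the UTF-16LE string that sits next to the localspl!SetPrinterChange frame. The embedded dump is a subset of the lines quoted in the post; the function names `parse_dps`, `symbolised_slots` and `utf16_strings` are chosen here and are not WinDbg or Microsoft names.

```python
"""Mechanise the two things the post reads off a `dps`-style stack dump by hand:
which symbolised addresses sit on the stack (candidate return addresses) and
which UTF-16LE strings (e.g. a registry path about to be opened) are there."""
import re

# One dps line: <stack addr> <qword value> [<symbol>]. search() rather than
# match() so a line with forum widget text glued to its front still parses.
DPS_LINE = re.compile(
    r"(?P<addr>[0-9a-f]{8}`[0-9a-f]{8})\s+"
    r"(?P<val>[0-9a-f]{8}`[0-9a-f]{8})"
    r"(?:\s+(?P<sym>\S.*?))?\s*$"
)

# Constructed input: a subset of the dump quoted in the post (a few
# non-adjacent symbolised slots, then the contiguous run holding the string).
DPS_DUMP = """\
00000000`034beaa8 00000000`76e735bd kernel32!RegOpenKeyExW+0x1d
00000000`034beae8 000007fe`fd174223 advapi32!RegOpenKeyExWStub+0x13
00000000`034beb00 000007fe`e8c8a218 EA6LMTMT!InitializePrintMonitor2+0x277c8
00000000`034beb28 000007fe`e8c56efe EA6LMTMT+0x6efe
00000000`034beb58 000007fe`e90a336e localspl!NDebug::DebugLibraryMalloc+0xe6
00000000`034beb60 00000000`03949bd0
00000000`034beb68 000007fe`fce4132c KERNELBASE!SetEvent+0xc
00000000`034beb70 00000000`00000000
00000000`034beb78 000007fe`e9115d7a localspl!SetPrinterChange+0x10e
00000000`034beb80 00540046`004f0053
00000000`034beb88 00450052`00410057
00000000`034beb90 00530050`0045005c
00000000`034beb98 0045005c`004e004f
00000000`034beba0 004e004f`00530050
00000000`034beba8 00760064`00410020
00000000`034bebb0 00650063`006e0061
00000000`034bebb8 00720050`00200064
00000000`034bebc0 00650074`006e0069
00000000`034bebc8 00720044`00200072
00000000`034bebd0 00720065`00760069
00000000`034bebd8 0000005c`00360020
00000000`034bebe0 0000eeb1`5cefd5cd
00000000`034bebe8 000007fe`e8c571ea EA6LMTMT+0x71ea
00000000`034bec58 000007fe`e90ee234 localspl!SplWritePrinter+0x284
00000000`034bec88 000007fe`e90efe96 localspl!LocalReadPrinter+0x16
00000000`034becc8 00000000`ff87c77a spoolsv!WritePrinter+0x26
00000000`034becf8 000007fe`f7ff3fad spoolss!WritePrinter+0x1d
00000000`034bed28 000007fe`eaaf1c41 winprint!PrintRawJob+0x129
"""


def parse_dps(text):
    """Return [(stack_addr, value, symbol_or_None)] for every parseable line."""
    slots = []
    for line in text.splitlines():
        m = DPS_LINE.search(line)
        if m:
            slots.append((int(m["addr"].replace("`", ""), 16),
                          int(m["val"].replace("`", ""), 16),
                          m["sym"]))
    return slots


def symbolised_slots(slots):
    """Candidate return addresses in stack order (lowest address = newest).
    Stale frames from earlier calls survive on the stack, so this is a
    superset of what `k` prints: a hint list, not a verified call chain."""
    return [(addr, sym) for addr, _, sym in slots if sym]


def utf16_strings(slots, min_chars=4):
    """Reassemble contiguous 8-byte slots into byte streams and pull out runs
    of printable ASCII stored as UTF-16LE (how LPCWSTR arguments such as
    registry paths sit in memory). An address gap ends a stream, because
    bytes in non-adjacent slots never formed one buffer."""
    streams, buf, prev = [], bytearray(), None
    for addr, val, _ in slots:
        if prev is not None and addr != prev + 8:
            streams.append(bytes(buf))
            buf = bytearray()
        buf += val.to_bytes(8, "little")  # dps prints the qword most-significant first
        prev = addr
    streams.append(bytes(buf))
    found = []
    for raw in streams:
        # errors="replace": lone surrogates from random stack data must not abort
        text = raw.decode("utf-16-le", errors="replace")
        found += re.findall(r"[\x20-\x7e]{%d,}" % min_chars, text)
    return found


if __name__ == "__main__":
    parsed = parse_dps(DPS_DUMP)
    for addr, sym in symbolised_slots(parsed):
        print(f"{addr:016x}  {sym}")
    for s in utf16_strings(parsed):
        print("UTF-16 string on stack:", s)
```

Two caveats when reading the output against a real crash: a raw stack scan lists every symbolised slot, including return addresses left over from calls that had already returned, so the `k` or `.ecxr; k` output with correct symbols is the authoritative call chain; and a symbol with a large offset from an exported function (e.g. `EA6LMTMT!InitializePrintMonitor2+0x277c8`) means WinDbg has no private symbols for that module and is naming the nearest export, not the function actually executing.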