How to get the textual description of a BSOD bug check code through code / the Windows API

Stack Overflow user
Asked 2021-08-16 09:11:05
2 answers, 745 views, 0 followers, 0 votes

I can get the bug check code and the parameters of a BSOD.

I can then get the textual description from the Bug Check Code Reference.

But how can I obtain such a textual description from the bug check code and its parameters using some Windows API or C++ code?

For example, for code 0x9F, how do I get the text

DRIVER_POWER_STATE_FAILURE (9f) A driver has failed to complete a power IRP within a specific time.

using some Windows API, or by reading it from some DLL?

Or, put differently, how do I implement something like what WinDbg does:

1: kd> !analyze -show 0x9F 0x3
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: 0000000000000000, Physical Device Object of the stack
Arg3: 0000000000000000, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: 0000000000000000, The blocked IRP

I saw APIs like KeGetBugMessageText(), but it is reserved by Windows itself.

Can anyone help with this and give some hints or suggestions?

Update: the main part of the code used to execute the command following "blabb"'s suggestion:

#pragma comment ( lib ,"dbgeng.lib")
#include <iostream>
#include <dbgeng.h>
#include "StdioOutputCallbacks.h"

//#include <wdbgexts.h>
//WINDBG_EXTENSION_APIS64 ExtensionApis;
StdioOutputCallbacks g_OutputCb;
int main()
{
    IDebugClient* DebugClient = NULL;
    HRESULT Hr = S_OK;

    if ((Hr = DebugCreate(__uuidof(IDebugClient),
       (void**)&DebugClient)) != S_OK) {
       return Hr;
    }
    
    PDEBUG_CONTROL DebugControl = NULL;
    if ((Hr = DebugClient->QueryInterface(__uuidof(IDebugControl),
       (void**)&DebugControl)) == S_OK) {
       // Route all engine output to the callback, which writes it to stdout.
       DebugClient->SetOutputCallbacks(&g_OutputCb);

       Hr = DebugClient->OpenDumpFile("C:\\Dev\\Deem\\bug\\dcp938\\MEMORY.DMP");
       if (Hr != S_OK) {
          DebugControl->Release();
          DebugClient->Release();
          return Hr;
       }
       // OpenDumpFile only queues the dump; it is actually loaded when
       // WaitForEvent returns, so commands must not run before this call.
       DebugControl->WaitForEvent(DEBUG_WAIT_DEFAULT, INFINITE);
       
       DebugControl->Execute(DEBUG_OUTCTL_THIS_CLIENT, "!analyze -show 9f 3", DEBUG_EXECUTE_DEFAULT);
       DebugControl->Release();
    }
    // done
    DebugClient->Release();
    return Hr;
}
And in the output callback, kept as in the MSDN sample:
STDMETHODIMP
StdioOutputCallbacks::Output(
   THIS_
   _In_ ULONG Mask,
   _In_ PCSTR Text
)
{
   UNREFERENCED_PARAMETER(Mask);
   fputs(Text, stdout);
   return S_OK;
}

But the result of executing "!analyze -show 9f 3" (the text content seen in fputs()) is "No export analyze found". I also tried the command ".opendump C:...MEMORY.DMP;!analyze -show 9f 3", which correctly executed the opendump command, loaded the dmp and produced text output including "For analysis of this file, run !analyze -v", but "!analyze" and "!analyze." gave "No export analyze found". Commands without "!" result in a command parsing error.


2 Answers

Stack Overflow user

Accepted answer

Posted 2021-08-25 20:10:10

Adding another answer, because the previous one got too cluttered with edits and comments.

Directory contents before compiling and linking

F:\bugdesc>ls -lg
-rw-r--r-- 1 197121 156689581 Aug 17 23:49 MEMORY.DMP                                                                   
-rw-r--r-- 1 197121       600 Aug 26 01:22 bugdesc.cpp
-rw-r--r-- 1 197121       109 Aug 19 00:04 complink.bat
-rw-r--r-- 1 197121      1019 Aug 26 01:21 stdioimpl.h

Contents of the bat file

F:\bugdesc>cat complink.bat
cl  /nologo /W4 /Od  /Zi /EHsc /I"C:\Program Files (x86)\Windows Kits\10\Debuggers\inc" %1.cpp /link /RELEASE

The file containing the StdioOutputCallbacks implementation

F:\bugdesc>cat stdioimpl.h
#include <windows.h>
#include <stdio.h>
#include <dbgeng.h>
#pragma comment(lib, "dbgeng.lib")
class StdioOutputCallbacks : public IDebugOutputCallbacks {
public:
    STDMETHOD(QueryInterface)(THIS_ _In_ REFIID ifid, _Out_ PVOID *iface);
    STDMETHOD_(ULONG, AddRef)(THIS);
    STDMETHOD_(ULONG, Release)(THIS);
    STDMETHOD(Output)(THIS_ IN ULONG Mask, IN PCSTR Text);
};
STDMETHODIMP
StdioOutputCallbacks::QueryInterface(THIS_ _In_ REFIID ifid, _Out_ PVOID *iface){
    *iface = NULL;
    if (IsEqualIID(ifid, __uuidof(IDebugOutputCallbacks))){
        *iface = (IDebugOutputCallbacks *)this;
        AddRef();
        return S_OK;
    }    else    {
        return E_NOINTERFACE;
    }
}
STDMETHODIMP_(ULONG)
StdioOutputCallbacks::AddRef(THIS) { return 1; }
STDMETHODIMP_(ULONG)
StdioOutputCallbacks::Release(THIS) { return 0; }
STDMETHODIMP StdioOutputCallbacks::Output(THIS_ IN ULONG, IN PCSTR Text){
    fputs(Text, stdout);
    return S_OK;
}

Contents of the main source file

F:\bugdesc>cat bugdesc.cpp
#include "stdioimpl.h"
// Minimal driver program: every HRESULT below should be checked in real code.
void __cdecl main(void)
{
    IDebugClient *g_Client;
    IDebugControl *g_Control;
    StdioOutputCallbacks g_OutputCb;
    DebugCreate(__uuidof(IDebugClient), (void **)&g_Client);
    g_Client->QueryInterface(__uuidof(IDebugControl), (void **)&g_Control);
    // Engine output goes to our callback, which writes it to stdout.
    g_Client->SetOutputCallbacks(&g_OutputCb);
    g_Client->OpenDumpFile("F:\\bugdesc\\memory.dmp");
    // The dump is only loaded once WaitForEvent returns; commands before that fail.
    g_Control->WaitForEvent(0, INFINITE);
    g_Control->Execute(0, "!analyze -show 9f 3", 0);
    g_Control->Release();
    g_Client->Release();
}

Compiled and linked with VS Community 2017 for x64

F:\bugdesc>complink.bat bugdesc

F:\bugdesc>cl  /nologo /W4 /Od  /Zi /EHsc /I"C:\Program Files (x86)\Windows Kits\10\Debuggers\inc" bugdesc.cpp /link /RELEASE
bugdesc.cpp

Directory contents after compiling and linking

F:\bugdesc>ls -lg
total 159485
-rw-r--r-- 1 197121 156689581 Aug 17 23:49 MEMORY.DMP
-rw-r--r-- 1 197121       600 Aug 26 01:22 bugdesc.cpp
-rwxr-xr-x 1 197121    406016 Aug 26 01:25 bugdesc.exe
-rw-r--r-- 1 197121     30072 Aug 26 01:25 bugdesc.obj
-rw-r--r-- 1 197121   5992448 Aug 26 01:25 bugdesc.pdb
-rw-r--r-- 1 197121       109 Aug 19 00:04 complink.bat
-rw-r--r-- 1 197121      1019 Aug 26 01:21 stdioimpl.h
-rw-r--r-- 1 197121    176128 Aug 26 01:25 vc140.pdb

Executing without the proper DLLs, which fails.

F:\bugdesc>bugdesc.exe
No .natvis files found at C:\WINDOWS\SYSTEM32\Visualizers.
xxxxxxxxxxxxxxxxxxxxxxxxxxx snip 
Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
xxxxxxxxxxxxxxxxxxxxxxxxxxx snip
Loading Dump File [F:\bugdesc\memory.dmp]
xxxxxxxxxxxxxxxxxxxxxxxxxxx snip
***    Type referenced: nt!_MMPTE_TRANSITION                          ***
xxxxxxxxxxxxxxxxxxxxxxxxxxx snip
For analysis of this file, run !analyze -v
No export analyze found<<<<<<<<<<<<<<<<<<

Copy the relevant DLLs from the windbg installation folder

F:\bugdesc>copy ..\windbg_dlls\*.* .
..\windbg_dlls\dbgeng.dll
..\windbg_dlls\dbghelp.dll
..\windbg_dlls\ext.dll
..\windbg_dlls\symsrv.dll
        4 file(s) copied.

Execute, with success

F:\bugdesc>bugdesc.exe

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
xxxxxxxxxxxxxxxxxxxxxxxxxxx snip
Loading Dump File [F:\bugdesc\memory.dmp]
xxxxxxxxxxxxxxxxxxxxxxxxxxx snip
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck E2, {0, 0, 0, 0}

Probably caused by : Unknown_Image
 *** Followup info cannot be found !!! Please contact "BADEV"

---------

DRIVER_POWER_STATE_FAILURE (9f)<<<<<<<<<<<<<<<<<<<<<<<
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: 0000000000000000, Physical Device Object of the stack
Arg3: 0000000000000000, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: 0000000000000000, The blocked IRP
xxxxxxxxxxxxxxxxxxxxxxxxxxx snip
Votes: 0
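The accepted answer drives dbgeng directly and prints whatever `!analyze -show` writes to the output callback. The block below is an added example, not code from the thread: it parses that text into a structured record (name, code, one-line description, and the meaning of each argument), and wraps the same command around kd.exe (`-z` opens a dump, `-c` runs an initial command, `-y` sets the symbol path; all three are documented kd options) for cases where shipping dbgeng.dll next to your own binary is undesirable. The embedded sample is the `!analyze -show 9f 3` output as shown in the thread; the kd.exe path, the dump path and the local symbol store path are assumptions. Two cautions: a crash dump is untrusted input parsed by dbgeng/dbghelp, so run this under a low-privilege account, and pin the symbol path to a local store if you do not want symsrv.dll contacting a remote symbol server.

```python
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The "!analyze -show 9f 3" block as printed in the thread, embedded so the
# parser can be exercised offline without a debugger or a dump file.
SAMPLE_OUTPUT = """\
---------

DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: 0000000000000000, Physical Device Object of the stack
Arg3: 0000000000000000, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: 0000000000000000, The blocked IRP
*******************************************************************************
*                        Bugcheck Analysis                                    *
"""


@dataclass
class BugCheckInfo:
    name: str                 # e.g. DRIVER_POWER_STATE_FAILURE
    code: int                 # e.g. 0x9F
    description: str          # the one-line text under the name
    args: List[Tuple[int, int, str]] = field(default_factory=list)  # (n, value, meaning)


_HEADER_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)[ \t]*$", re.MULTILINE)
_ARG_RE = re.compile(r"^Arg(\d): ([0-9a-fA-F]+), (.*)$")


def parse_analyze_show(text: str) -> Optional[BugCheckInfo]:
    """Extract name, code, description and argument meanings from the text that
    "!analyze -show <code> <args>" prints.  Returns None when the block is absent,
    e.g. when the engine printed "No export analyze found" because ext.dll is missing."""
    text = text.replace("\r\n", "\n")
    m = _HEADER_RE.search(text)
    if m is None:
        return None
    info = BugCheckInfo(name=m.group(1), code=int(m.group(2), 16), description="")
    # text after the header starts with the newline that ended the header line
    body = [ln.rstrip() for ln in text[m.end():].splitlines()[1:]]
    if body:
        info.description = body[0].strip()
    for ln in body[1:]:
        if ln.strip() == "Arguments:":
            continue
        am = _ARG_RE.match(ln.strip())
        if am is None:
            break             # end of the -show block (banner, snip, prompt ...)
        info.args.append((int(am.group(1)), int(am.group(2), 16), am.group(3).strip()))
    return info


def describe_with_kd(dump_path: str, code: int, args: List[int],
                     kd_exe: str = r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe",
                     symbol_path: str = r"C:\symbols") -> Optional[BugCheckInfo]:
    """Run kd.exe (assumed install path) against a dump with a single initial
    command and parse its output.  -y pins the symbol path to a local store so
    symsrv.dll does not reach out to a remote symbol server for an untrusted dump."""
    if shutil.which(kd_exe) is None:
        raise FileNotFoundError("kd.exe not found at " + kd_exe)
    cmd = "!analyze -show %x %s; q" % (code, " ".join("%x" % a for a in args))
    proc = subprocess.run([kd_exe, "-z", dump_path, "-y", symbol_path, "-c", cmd],
                          capture_output=True, text=True, timeout=300)
    return parse_analyze_show(proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the embedded sample; swap in describe_with_kd(...)
    # with a real MEMORY.DMP on a Windows box that has the debugging tools installed.
    print(parse_analyze_show(SAMPLE_OUTPUT))
```

The parser stops at the first line after the argument list that is not an `ArgN:` line, so it works whether the dump's own "Bugcheck Analysis" banner precedes the block (dbgeng in-process, as in this answer) or follows it (livekd, as in the other answer).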

Stack Overflow user

Posted 2021-08-16 13:53:46

I'm not sure what you are looking for. All of these are defined in bugcodes.h in the Windows SDK/DDK.

C:\Program Files (x86)\Windows Kits\10\Include>pss DRIVER_POWER_STATE_FAILURE
.\10.0.17763.0\shared\bugcodes.h
1505:// MessageId: DRIVER_POWER_STATE_FAILURE
1509://  DRIVER_POWER_STATE_FAILURE
1511:#define DRIVER_POWER_STATE_FAILURE       ((ULONG)0x0000009FL)

Or the other way round

C:\Program Files (x86)\Windows Kits\10\Include>grep -ir #define.*0x0000009fl --include *.h *
10.0.17763.0/shared/bugcodes.h:#define DRIVER_POWER_STATE_FAILURE       ((ULONG)0x0000009FL)  

Or write a WinDbg extension or a standalone executable using DbgEng.

open dump -> WaitForEvent -> Execute commands !bugdump .bug****

Or you could also explore the IDebugDataSpaces::...Tag... methods such as Read, Start, Next and End.

Edit

Scott is probably pointing at ext.dll, which is the built-in windbg extension.

As I already said, you may need to write a windbg analyze extension, either as an extension or as a standalone.

Most of these are either undocumented or badly documented.

Below is a dump of the bug check codes compiled into ext.dll, which is probably what Scott was pointing at in his answer.

0:000> dps ext!g_BugCheckApiRefs l10
00007ff9`4a45ccc0  00000000`00000001
00007ff9`4a45ccc8  00007ff9`49efead0 ext!BugCheckAPC_INDEX_MISMATCH
00007ff9`4a45ccd0  00000000`00000002
00007ff9`4a45ccd8  00007ff9`49efeb60 ext!BugCheckDEVICE_QUEUE_NOT_BUSY
00007ff9`4a45cce0  00000000`00000003
00007ff9`4a45cce8  00007ff9`49efebc0 ext!BugCheckINVALID_AFFINITY_SET
00007ff9`4a45ccf0  00000000`00000004
00007ff9`4a45ccf8  00007ff9`49efec20 ext!BugCheckINVALID_DATA_ACCESS_TRAP
00007ff9`4a45cd00  00000000`00000005
00007ff9`4a45cd08  00007ff9`49efec80 ext!BugCheckINVALID_PROCESS_ATTACH_ATTEMPT
00007ff9`4a45cd10  00000000`00000006
00007ff9`4a45cd18  00007ff9`49efece0 ext!BugCheckINVALID_PROCESS_DETACH_ATTEMPT
00007ff9`4a45cd20  00000000`00000007
00007ff9`4a45cd28  00007ff9`49efed40 ext!BugCheckINVALID_SOFTWARE_INTERRUPT
00007ff9`4a45cd30  00000000`00000008
00007ff9`4a45cd38  00007ff9`49efeda0 ext!BugCheckIRQL_NOT_DISPATCH_LEVEL
0:000>  

Or your power failure

0:000> .shell -ci "dps ext!g_BugCheckApiRefs l150" grep -A 1 -i 09f
00007ff9`4a45d600  00000000`0000009f
00007ff9`4a45d608  00007ff9`49f04450 ext!BugCheckDRIVER_POWER_STATE_FAILURE
.shell: Process exited
0:000>  

Below is the full stack leading to your query !analyze -show 9f 3

Child-SP          RetAddr           Call Site
000000d3`6d67b768 00007ff9`49fa302a ext!GetBugCheckDescription
000000d3`6d67b770 00007ff9`49f822c2 ext!DebugFailureAnalysis::ParseInputArgs+0xc66
000000d3`6d67bb00 00007ff9`49f549c5 ext!AnalyzeBugCheck+0x10a
000000d3`6d67bbd0 00007ff9`4ae0187d ext!analyze+0x4e5
000000d3`6d67bd90 00007ff9`4ae01a31 dbgeng!ExtensionInfo::CallA+0x27d
000000d3`6d67be50 00007ff9`4ae01d0e dbgeng!ExtensionInfo::Call+0x121
000000d3`6d67c050 00007ff9`4adff9d8 dbgeng!ExtensionInfo::CallAny+0x17a
000000d3`6d67c570 00007ff9`4ae43662 dbgeng!ParseBangCmd+0xe0c
000000d3`6d67cd30 00007ff9`4ae44635 dbgeng!ProcessCommands+0xcd6
000000d3`6d67ce20 00007ff9`4ad6baf7 dbgeng!ProcessCommandsAndCatch+0x79
000000d3`6d67ce90 00007ff9`4ad6be04 dbgeng!Execute+0x2bb
000000d3`6d67d380 00007ff6`4c7b62dc dbgeng!DebugClient::ExecuteWide+0x94
000000d3`6d67d3e0 00007ff6`4c7b879a kd!MainLoop+0x514
000000d3`6d67f460 00007ff6`4c7bb55d kd!wmain+0x3e6
000000d3`6d67f700 00007ff9`857c7c24 kd!__wmainCRTStartup+0x14d
000000d3`6d67f740 00007ff9`85d8d721 KERNEL32!BaseThreadInitThunk+0x14
000000d3`6d67f770 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000>                                                            

The function is a simple compare-and-return routine, something like

while array[i] != 0x9f skip 
return String array[i]+0x8 

The detailed description is produced by

void PrintBugDescription(_BUGCHECK_ANALYSIS *param_1,DebugFailureAnalysis *param_2)

Edit: since my last comment I have been thinking about

  1. how I would do this scenario without writing code,
  2. and without a kernel memory dump to operate on,
  3. possibly extensible to unknown remote machines.

I came up with a small Python wrapper using Sysinternals livekd.exe.

Script

:\>cat liv.py
import re          # stdlib; the original used the third-party "regex" package, same search() API
import subprocess

# Start livekd with an initial command that runs "!analyze -show" and then quits.
foo = subprocess.run(
    [r"f:\sysint\livekd", "-b", "-c \"!analyze -show 9f 03;q\""],
    stdout=subprocess.PIPE,
    universal_newlines=True
    )
# Keep only the part between the echoed initial command and the "quit:" marker.
resta = re.search("Reading", foo.stdout)
reend = re.search("quit:", foo.stdout)
if resta is None or reend is None:
    raise SystemExit("unexpected livekd output:\n" + foo.stdout)
print(foo.stdout[resta.start():reend.end()])

Script execution result

:\>python liv.py
Reading initial command '!analyze -show 9f 03;q'
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: 0000000000000000, Physical Device Object of the stack
Arg3: 0000000000000000, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: 0000000000000000, The blocked IRP
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 0, {0, 0, 0, 0}

Probably caused by : LiveKdD.SYS ( LiveKdD+2f4f )

Followup:     MachineOwner
---------

quit:
Votes: 1
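This answer locates the symbolic names in bugcodes.h and shows that the descriptive sentence lives in ext.dll rather than in the header. For the narrower job of turning a raw code into its name (and back) without loading dbgeng at all, here is an added example, not code from the thread, that parses the header's `MessageId` / `MessageText` / `#define` layout into a two-way table. The embedded excerpt is written in that layout from entries the thread shows (0x9F from the pss/grep output, 0x1 and 0x8 from the `dps ext!g_BugCheckApiRefs` listing); it is not a verbatim copy of the SDK header. The Windows Kits include path is the one the answer's prompt shows and is only consulted by `load_sdk_bugcodes`.

```python
import glob
import os
import re
from typing import Dict, List, Optional, Tuple

# Excerpt in the layout of bugcodes.h: a comment block carrying MessageId and
# MessageText, then the #define.  Reconstructed from codes shown in the thread,
# plus one unrelated macro the parser must ignore; not copied from the SDK.
SAMPLE_BUGCODES_H = """\
//
// MessageId: APC_INDEX_MISMATCH
//
// MessageText:
//
//  APC_INDEX_MISMATCH
//
#define APC_INDEX_MISMATCH               ((ULONG)0x00000001L)

//
// MessageId: IRQL_NOT_DISPATCH_LEVEL
//
// MessageText:
//
//  IRQL_NOT_DISPATCH_LEVEL
//
#define IRQL_NOT_DISPATCH_LEVEL          ((ULONG)0x00000008L)

//
// MessageId: DRIVER_POWER_STATE_FAILURE
//
// MessageText:
//
//  DRIVER_POWER_STATE_FAILURE
//
#define DRIVER_POWER_STATE_FAILURE       ((ULONG)0x0000009FL)

// unrelated macro in the same header (constructed); not a bug check code
#define SOME_OTHER_MACRO 1
"""

_MSGID_RE = re.compile(r"^//\s*MessageId:\s*(\w+)")
_MSGTEXT_RE = re.compile(r"^//\s*MessageText:")
_DEFINE_RE = re.compile(r"^#define\s+(\w+)\s+\(\(ULONG\)(0x[0-9A-Fa-f]+)L\)")

BugCodeTable = Dict[int, Tuple[str, List[str]]]


def parse_bugcodes(text: str) -> BugCodeTable:
    """Map bug check code -> (symbolic name, MessageText comment lines).
    Only '#define NAME ((ULONG)0x...L)' lines count; other macros are skipped."""
    table: BugCodeTable = {}
    pending_name, in_text, text_lines = None, False, []   # state of the comment block
    for raw in text.splitlines():
        line = raw.strip()
        m = _MSGID_RE.match(line)
        if m:
            pending_name, in_text, text_lines = m.group(1), False, []
            continue
        if _MSGTEXT_RE.match(line):
            in_text = True
            continue
        if in_text and line.startswith("//"):
            body = line[2:].strip()
            if body:                      # skip the bare "//" separator lines
                text_lines.append(body)
            continue
        m = _DEFINE_RE.match(line)
        if m:
            name, code = m.group(1), int(m.group(2), 16)
            # attach the comment block only if it belongs to this very define
            table[code] = (name, text_lines if name == pending_name else [])
            pending_name, in_text, text_lines = None, False, []
    return table


def describe(code: int, table: BugCodeTable) -> Optional[str]:
    """WinDbg-style 'NAME (code)' header, or None for a code the header lacks."""
    entry = table.get(code)
    return None if entry is None else "%s (%x)" % (entry[0], code)


def code_for(name: str, table: BugCodeTable) -> Optional[int]:
    """Reverse lookup, the direction of the answer's first search (name -> code)."""
    for code, (n, _) in table.items():
        if n == name:
            return code
    return None


def load_sdk_bugcodes(include_root: str = r"C:\Program Files (x86)\Windows Kits\10\Include") -> BugCodeTable:
    """Parse the newest bugcodes.h under the Windows Kits include tree (path assumed)."""
    candidates = sorted(glob.glob(os.path.join(include_root, "*", "shared", "bugcodes.h")))
    if not candidates:
        raise FileNotFoundError("bugcodes.h not found under " + include_root)
    with open(candidates[-1], encoding="utf-8", errors="replace") as fh:
        return parse_bugcodes(fh.read())


if __name__ == "__main__":
    table = parse_bugcodes(SAMPLE_BUGCODES_H)
    print(describe(0x9F, table), code_for("APC_INDEX_MISMATCH", table))
```

For most entries the MessageText block only repeats the name, which is exactly why the longer sentence has to come from ext.dll (or a debugger running `!analyze -show`) as the answer describes; the table here is what you get for free from the SDK alone.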
Original content provided by Stack Overflow. Source: https://stackoverflow.com/questions/68800134

复制
相关文章

相似问题

领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档