I’ve made a TDI network filter driver, but it seems that my driver has a
problem with Symantec AntiVirus version 9.0
(SYMTDI.SYS: I think this driver is a TDI network filter driver,
too).
Both my driver and the Symantec driver are at the same layer.
In this case, isn’t there any possibility of a mistake?
Analysis of the memory dump follows.
What’s the reason for this problem, and how can I solve it?
Thanks for any suggestions!
Microsoft (R) Windows Debugger Version 6.3.0011.2
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger.
using .sympath and .sympath+
ERROR: Symbol file could not be found. Defaulted to export symbols for
ntkrnlmp.exe -
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free x86
compatible
Product: Server
Kernel base = 0x80400000 PsLoadedModuleList = 0x80484520
Debug session time: Thu Nov 11 07:09:37 2004
System Uptime: 0 days 8:45:20.796
Symbols can not be loaded because symbol path is not initialized.
The Symbol Path can be set by:
using the _NT_SYMBOL_PATH environment variable.
using the -y <symbol_path> argument when starting the debugger.
using .sympath and .sympath+
ERROR: Symbol file could not be found. Defaulted to export symbols for
ntkrnlmp.exe -
Loading Kernel Symbols
…
…
Loading unloaded module list
…
Loading User Symbols
PEB address is NULL !
******
Bugcheck Analysis
***************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {c0000000, 2, 0, 80437c8e}
** Kernel symbols are WRONG. Please fix symbols to do analysis.
ERROR: Symbol file could not be found. Defaulted to export symbols for
SYMTDI.SYS -
ERROR: Symbol file could not be found. Defaulted to export symbols for
tcpip.sys -
ERROR: Symbol file could not be found. Defaulted to export symbols for
NDIS.sys -
ERROR: Module load completed but symbols could not be loaded for
adpu160m.sys
ERROR: Module load completed but symbols could not be loaded for
n100nt5.sys
ERROR: Symbol file could not be found. Defaulted to export symbols for
rdbss.sys -
ERROR: Module load completed but symbols could not be loaded for
openhci.sys
ERROR: Symbol file could not be found. Defaulted to export symbols for
TDI.SYS -
ERROR: Symbol file could not be found. Defaulted to export symbols for
SCSIPORT.SYS -
Probably caused by : SYMTDI.SYS ( SYMTDI!ACMRegisterFilterModule+2332 )
Followup: MachineOwner
---------
0: kd> !analyze -v
Bugcheck Analysis
******
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at
an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: c0000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80437c8e, address which referenced memory
Debugging Details:
------------------
** Kernel symbols are WRONG. Please fix symbols to do analysis.
READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
c0000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!MmBuildMdlForNonPagedPool+76
80437c8e 8b10 mov edx,[eax]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from f241fc90 to 8046987c
SYMBOL_ON_RAW_STACK: 1
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
f241fc30 f241fc90 00000000 8041d5b0 fed96a7f nt!Kei386EoiHelper+0x2ae4
f241fd10 00000000 f1e4ed86 fed96aa0 fed7c8a8 0xf241fc90
STACK_COMMAND: dds @$csp ; kb
FOLLOWUP_IP:
SYMTDI!ACMRegisterFilterModule+2332
f1e4ba4a b9a82ee7f1 mov ecx,0xf1e72ea8
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: SYMTDI!ACMRegisterFilterModule+2332
MODULE_NAME: SYMTDI
IMAGE_NAME: SYMTDI.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4050ed2d
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------