- I-IRQL ichaza izinto eziphambili ngokwenziwa kwaye iimaski ziphazamisa ngokwenqanaba, ngaphezulu kwe-DISPATCH iyalela i-IRQL, hayi intambo ephambili.
- Los BSOD I-0xA/0xD1 idla ngokubangelwa kukufikelela kwi-pageable okanye kwimemori engasebenziyo kwi-IRQL ephezulu kunye needilesi ezingachanekanga okanye ikhowudi ephepheni.
- I-WinDbg kunye ne-Driver Verifier zingundoqo: sebenzisa !hlalutya, !irql, ln, .trap, !pool, !idilesi kwaye uhlolisise iiparamitha 1, 3 kunye no-4.
- En abaqhubi, inqanda iimpazamo zephepha kwi-IRQL ephezulu, isebenzisa imemori engabonakaliyo kunye ne-spin locks; kumsebenzisi, uhlaziyo/ukwahlula abaqhubi abanengxaki.
Ukuba ukhe wabona isikrini esiluhlaza kunye nemiyalezo efana IRQL_NOT_LESS_OR_EQUAL o DRIVER_IRQL_NOT_LESS_OR_EQUAL, mhlawumbi udibene nengqikelelo eyaziwa kancinci ngaphandle kwelizwe labaqhubi: i-IRQL (Inqanaba LokuPhakamisa lesicelo). Kwi Windows, eli nqanaba lokuphazamiseka kokuphambili lithatha indawo ephambili ngaphezu kokubaluleka kwentambo xa inkqubo ingaphezulu komda othile, kwaye oku kuneziphumo ezithe ngqo kuzinzo.
Kwimigca elandelayo uya kufumana unayo Isikhokelo esipheleleyo kunye neSpanishi ukusuka eSpain malunga nokuba yintoni i-IRQL, isebenza njani, kutheni ibangela izikrini eziluhlaza, indlela yokuxilonga ingxaki ngeWinDbg, kwaye wenze ntoni nokuba ungumsebenzisi ofumana impazamo okanye uphuhlisa abaqhubi bemowudi yekernel. Masihle siye kwishishini.
Yintoni i-IRQL (iNqanaba lokuPhakamisa lesicelo) kwi-Windows?
KwiWindows, ifayile ye- I-IRQL ichaza iprayorithi ye hardware apho iprosesa isebenza khona nangaliphi na ixesha. Ngaphakathi kweModeli yoMqhubi weWindows (WDM), ikhowudi esebenza kwi-IRQL ephantsi inokuphazamiseka ngekhowudi esebenza kwi-IRQL ephezulu. Ngapha koko, kwikhompyuter enye yee-multi-core, i-CPU nganye inokuba kwi-IRQL eyahlukileyo, eyenza nzima ulungelelwaniso.
Kukho umgaqo omnye ongundoqo: Xa i-CPU ibaleka kwi-IRQL ngaphezulu kwe-PASSIVE_LEVEL, inokubalelwa kuphela ngumsebenzi kwi-IRQL ephezulu.Oku kuququzelela ukuhlalisana phakathi kwekhowudi yomsebenzisi, imisebenzi ye-kernel, abafowni abahlehliweyo (DPCs), kunye nesixhobo sokuphazamiseka kweendlela zenkonzo (ISRs).
Amanqanaba nezinto eziphambili: PASSIVE_LEVEL, APC_LEVEL, DISPATCH_LEVEL kunye neDIRQL
Ngokubanzi, Kwi-x86, amaxabiso e-IRQL phakathi kwe-0 kunye ne-31 asetyenziswa; kwi-x64, phakathi kwe-0 kunye ne-15Intsingiselo esebenzayo iyafana: IRQL 0 (PASSIVE_LEVEL) kulapho ikhowudi yomsebenzisi eqhelekileyo kunye nemisebenzi emininzi yomqhubi eyenziwa; Iimpazamo ze-APC kunye nephepha Ziqhele ukuboniswa kwi-IRQL 1 (APC_LEVEL); I-IRQL 2 (DISPATCH_LEVEL) iquka umcwangcisi womsonto kunye neeDPC. Ngaphezulu kwe-DISPATCH_LEVEL kukho amanqanaba agcinelwe ukuphazamiseka kwesixhobo (esaziwa ngokuba yi-DIRQL) kunye nolunye usebenziso lwangaphakathi olunje nge-HIGH_LEVEL.
Kwi-ecosystem yabaqhubi, Uninzi lweendlela eziqhelekileyo ziqhutywa eDISPATCH_LEVEL: umzekelo, i-DPC kunye ne-StartIo. Olu yilo luqinisekisa ukuba ngelixa omnye wabo echukumisa imigca yangaphakathi okanye ezinye izibonelelo ekwabelwana ngazo, enye isiqhelo kwinqanaba elifanayo aliyifaki ngaphambili kwi-CPU, kuba umthetho wokukhusela uvumela kuphela ukuphazamiseka kumanqanaba aphezulu.
Phakathi kwe-DISPATCH_LEVEL kunye neprofayili / amanqanaba aphezulu kukho indawo ye Ukuphazamiseka kwehardware yesixhobo ngasinye (DIRQL)I-IRQL yesixhobo ichaza ukubaluleka kwayo ngaphezu kwezinye izixhobo. Umqhubi we-WDM ufumana le IRQL nge-IRP_MJ_PNP nge-IRP_MN_START_DEVICE. Esi sixhobo IRQL asilohlabathi jikelele, ixabiso elizinzileyo, kodwa ixabiso elinxulumene nomgca othile wokuphazamiseka.
I-IRQL vs. Ukubaluleka Komsonto
Kuyacetyiswa ukuba ungabhidani amagama: Ukubaluleka komsonto kugqiba xa umcwangcisi elungiselela kwaye ngowuphi umsonto ophumezayo; i-IRQL ilawula ukuba loluphi uhlobo lomsebenzi onokuthi lwenziwe kwaye zeziphi iziphazamisi ezifihliweyo. Ngaphezulu kwe-DISPATCH_LEVEL, akukho msonto utshintshayo: yiIRQL elawulayo, hayi umsonto ophambili.
I-IRQL kunye nePaging: Into ongafanele Uyenze
Isiphumo esikhawulezileyo sokunyusa i-IRQL kukuba inkqubo ayinakukwazi ukusingatha iimpazamo zephepha. Umthetho omkhulu: ikhowudi esebenzayo okanye ngaphezulu kwe-DISPATCH_LEVEL ayinakubangela iimpazamo zamaphepha. Ngokwenza, oku kuthetha ukuba ezo nkqubo kunye nedatha abayichukumisayo kufuneka ihlale kwimemori engamaphepha. Ukongeza, abancedisi abathile be-kernel banqanda ukusetyenziswa kwabo ngokusekelwe kwi-IRQL: umzekelo, KeWaitForSingleObject DISPATCH_LEVEL ingabizwa kuphela ukuba awuthinteli (zero timeout), kwaye ngamaxesha angengo-zero, kufuneka ube ngaphantsi DISPATCH_LEVEL.
Ulawulo olucacileyo nolucacileyo lwe-IRQL
Ngamaxesha amaninzi, Isixokelelwano ngokwaso sibhengeza iindlela zakho kwi-IRQL eyiyo kuba mabakwenze oko. Ukuhanjiswa kweendlela ze-IRPs ziqhutywa e-PASSIVE_LEVEL (zinokubhloka okanye zifowunele nawuphi na umncedi), i-StartIo kunye ne-DPC zibaleka e-DISPATCH_LEVEL ukukhusela imigca ekwabelwanayo ngayo, kwaye ii-ISRs zibaleka kwi-DIRQL.
Ukuba ufuna ukuyilawula ngokucacileyo, Unako ukuphakamisa kunye nokuthoba i-IRQL nge KeRaiseIrql y KeLowerIrqlKukho indlela emfutshane esetyenziswa kakhulu: KeRaiseIrqlToDpcLevel() ibuyisela i-IRQL yangaphambili kwaye ikushiye kwa DISPATCH_LEVEL. Kubalulekile: Ungaze uyihlise i-IRQL ngaphantsi kwexabiso ebikulo xa isixokelelwano ibikubiza; Ukwaphula olo ngqamaniso kunokuvula iifestile zogqatso olubi kakhulu.
Iimpazamo zesikrini eziluhlaza ezinxulumene ne-IRQL: IRQL_NOT_LESS_OR_EQUAL kunye ne-DRIVER_IRQL_NOT_LESS_OR_EQUAL
Iitshekhi ezimbini ze-bug zakudala ezinxulumene nale miba IRQL_NOT_LESS_OR_EQUAL (0xA) y DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1)Zombini zibonisa umzamo wokufikelela kwidilesi ekwiphepha (okanye engasebenziyo) kwi-IRQL ephezulu kakhulu. Oku kudla ngokuba ngenxa yabaqhubi abasebenzisa iidilesi ezingachanekanga, ukurhoxisa izikhombisi ezingalunganga, okanye ukusebenzisa ikhowudi ephepheni kumanqanaba angafanelekanga.
Kwimeko ethile DRIVER_IRQL_NOT_LESS_OR_EQUAL (0x000000D1), iiparamitha zinolwazi kakhulu: 1) idilesi yememori ekhankanyiweyo; 2) IRQL ngelo xesha; 3) uhlobo lokufikelela (0 funda, 1 bhala, 2/8 execute); 4) idilesi yomyalelo obhekiselele kwimemori. Nge debugger ungasebenzisa ln kwiparameter 4 ye dwelisa isimboli ekufutshane kwaye uyazi ukuba ngowuphi umsebenzi obusebenza.
Izizathu eziqhelekileyo ukuba zigcinwe engqondweni
Ngaphandle kwekhowudi ethile, kukho iipateni eziphindaphindiweyo. Ijikisa isalathisi esingasebenziyo ukuya ku-DISPATCH_LEVEL okanye ngaphezulu Le yiresiphi eqinisekileyo yentlekele. Ukufikelela kwidatha ephephekayo kwelo nqanaba, okanye ukwenza ikhowudi ephepheni (umzekelo, umsebenzi ophawulwe njengephepha), nako kubangela uqwalaselo lwegciwane.
Ezinye iimeko eziqhelekileyo ziquka fowunela umsebenzi komnye umqhubi osele ukhutshiwe (isalathisi somsebenzi ojingayo), okanye ngokungathanga ngqo kusetyenziswa isalathisi somsebenzi esingasebenziyo. Rhoqo, ukuba inkqubo iyakwazi ukuchonga imodyuli, uyakubona igama layo kwiscreen esiluhlaza ngokwaso, kwaye ikwagcinwe kuyo. KiBugCheckDriver, iyafikeleleka nge dx KiBugCheckDriver ukusuka WinDbg.
Iinkcukacha ezisebenzayo: Kuninzi lwe-D1/A, eyona ngxaki ayikho i-IRQL ngokwayo, kodwa idilesi yememori ekhankanyiweyo. Yiyo loo nto iiparamitha 1, 3, kunye no-4 zibalulekile ekugxininiseni uxilongo.
Ukuxilongwa nge-WinDbg: Imiyalelo eluncedo kunye nokufunda ipharamitha
Ukusebenza kwezi meko, WinDbg sisixhobo esiphambili, kwaye ukuba iBSOD ikhankanya imosnl.exe Olu lwazi lubonelela ngokhokelo oluninzi malunga nokuba impazamo ikwindlela esezantsi yekernel. Qala nge !analyze -v ukufumana isishwankathelo sokukhangela ibug, istaki, kwaye, ukuba unethamsanqa, imodyuli ebandakanyekayo. Ukuba ukulahla kubandakanya isakhelo sokubamba, .trap ikubeka kumxholo weCPU engaphumelelanga.
Los imiyalelo yemfumba njenge k, kb, kc, kd, kp, kP, kv Bakubonisa amanqanaba ahlukeneyo eenkcukacha zomva. Nge ln kwiparameter 4 ungatsiba kumyalelo obhekiselele kwinkumbulo kwaye ufumane isimboli ekufutshane. Kwaye ukuba uyakrokrela inqanaba eliphambili eliqhuba phambi kokuphazamiseka, !irql ikubonisa i-IRQL egciniweyo yomqhubekekisi ekujoliswe kuwo (umzekelo. DISPATCH_LEVEL).
Ukuhlalutya ulwalathiso lweparameter 1, !pool Iya kukuxelela ukuba yeyephuli ephejiweyo; !address y !pte zijonge kwimephu yenkumbulo yaloo ndawo. Ungasebenzisa imiyalelo yokubonisa imemori ukuhlola umxholo ozanywe ukufikeleleka. Ekugqibeleni, u, ub, uu ikuvumela ukuba udibanise malunga nedilesi yeparameter 4.
Ungalibali lm t n ukudwelisa iimodyuli ezilayishiwe y !memusage kwimo yenkumbulo jikelele. Ukuba KiBugCheckDriver unento, dx KiBugCheckDriver Iza kubuyisela igama lemodyuli ye-Unicode: kumzekelo oqhelekileyo, "Wdf01000.sys" yabonwa njengomqhubi obandakanyekayo ngexesha lokujonga i-bug.
Izixhobo zeNkqubo: UQinisekiso loMqhubi, uMboni weMicimbi kunye noDiagnostics
El Umqinisekisi womqhubi Ivavanya isimilo sabaqhubi ngexesha lokwenyani kwaye inyanzela iimpazamo xa ibona ukusetyenziswa kwesixhobo esingalunganga (efana nephuli), iphakamisa umkhethe wokuhlukanisa indawo eyingxaki yekhowudi. Iqaliswa nge verifier kusuka isikhawulezisi somyalelo kwaye kuyacetyiswa ukuba ukhethe eyona seti incinci yabaqhubi ukuthintela ukongeza ngaphezulu kakhulu.
Ukuba awuziboni kunye neWinDbg, sebenzisa amanyathelo asisiseko: Jonga inkqubo yokungena kwiSibonelelo seMsitho ngeemposiso ezikhomba isixhobo/umqhubi othile; hlaziya okanye uvale umqhubi ocatshulwe kwiscreen esiluhlaza; qinisekisa ukuhambelana kwehardware noguqulelo lwakho lweWindows; kwaye usebenzise i-Windows Memory Diagnostic ukuba uyakrokrela i-RAM. Ezi zenzo, nangona zilula, basombulula inani elikhulu lamatyala.
Iimeko zobomi bokwenyani: Xa iiBSOD zibonakala zingenamkhethe
Umsebenzisi oneWindows 10 Pro (AMD Ryzen 5 3400G CPU, GPU NVIDIA GeForce GTX 1660 Ti kunye Gigabyte B450 AORUS PRO WIFI ibhodi, I-16 GB ye-RAM) ibijongene nezikrini ezithi "IRQL_LESS_OR_NOT_EQUAL". Ndandisele ndihlaziye abaqhubi ababalulekileyo (inethiwekhi, imizobo), ndifake zonke uhlaziyo lweWindows, kwaye ndiqhube isixhobo sememori, zonke ngaphandle kokubona naziphi na iingxaki.
Kwiimeko ezinje, Inyathelo elilandelayo kukuhlalutya iindawo zokulahla ngeWinDbg kwaye ujonge iipateni: iinkqubo ezibandakanyekayo xa isiwa (umzekelo, explorer.exe), iimodyuli zojongano lomzobo (win32kfull.sys) kunye nemisebenzi enje xxxProcessNotifyWinEvent ebonakala kwisitaki. Nangona le modyuli iyiWindows, i-trigger ihlala ingumqhubi womntu wesithathu (imizobo, igalelo, isigqubuthelo, amakhadi okubamba) esebenzisa imemori kwi-IRQL engafanelekanga kwaye impazamo ivela ngaphakathi. win32k.
Ingcebiso esebenzayo apha khubaza okwethutyana isoftware eyongezelelweyo (bamba, i-GPU OSD), abaqhubi besoftware enobundlongondlongo (iimpuku/izitshixo ezinemakhro), kunye neenguqulelo zebeta zabaqhubi bemizobo, kwaye uyicuthe. Ukusebenzisa i-Driver Verifier kubarhanelwa kunokunceda ukunciphisa ingxaki ngesitaki esicacileyo.
Ipateni yenethiwekhi eqhelekileyo: ndis.sys ayisoloko ingumoni
Enye imeko eqhelekileyo: umfanekiso wekhusi kunye ndis.sys (iWindows network layer). Kwikhompyuter yokwenyani, inkqubo iya konakala kwangoko xa iqalwa. Isisombululo esisebenzayo yayikukuqalisa Indlela ekhuselekileyo ngaphandle kwemisebenzi yenethiwekhi, vula i Umphathi wesixhobo kwaye uvale iiadaptha phantsi kwe "Network Adapters" ukwahlula ingxaki.
Kwelo qela kwakukho a I-Realtek PCIe GBE yoMlawuli woSapho kunye ne-Atheros AR5007G. Ngokwenza ukuba zombini zingasebenzi, kwafunyaniswa ukuba oyena nobangela yayinguye athrx.sys (Atheros), nangona isikrini esiluhlaza sikhankanywe ndis.sysIndawo yokulahla inkunkuma ikuqinisekisile oku: isitaki sagqitha ndis!NdisFreeTimerObject kodwa imodyuli enetyala yayi athrx.sysUlungiso lokugqibela lwaba khupha isixhobo kwaye ufake abaqhubi abasemthethweni abahlaziyiweyo Ukusuka kwiwebhusayithi yomenzi we-Atheros. Ukuziphatha: Imodyuli ekhankanywe kwi-BSOD inokuba yinxalenye yenkqubo engaphantsi echaphazelekayo, kungekhona umthombo.
Impendulo yenkxaso eqhelekileyo kunye namanyathelo akhawulezayo kubasebenzisi
Kutshintshiselwano lwenkxaso yokwenyani, igcisa laphendula: "Ndiyaxolisa ngokuphazamiseka. Inokuba ngumqhubi, imemori, okanye umcimbi we-antivirus. Nceda uhlaziye abaqhubi bakho kwaye, ukuba iyaqhubeka, sebenzisa ukuxilongwa kwememori."Eli licebiso elisisiseko kodwa elisebenzayo; nangona kunjalo, ukuba iimpazamo ziyaqhubeka, luluvo oluhle ukuya phambili kunye noMqinisekisi kunye nohlalutyo lokulahla.
Kubasebenzisi abangezizo ezobuchwephesha, iprotocol efanelekileyo iya kuba: 1) Jonga imicimbi yenkqubo, 2) Hlaziya abaqhubi abaphambili (i-chipset/inethiwekhi/imizobo), 3) Jonga i-RAM ngesixhobo esidibeneyo, i-4) uvavanyo iboot icocekile ngaphandle kwesoftware yomntu wesithathu efaka amagwegwe kwikernel/GUI, kunye 5) sebenzisa uMqinisekisi kubaqhubi beqela lesithathu ukuba akukho nto icacileyo.
Iindlela ezilungileyo zokuphuhlisa abaqhubi
Ukuba uyaphuhla kwaye uyakhubeka kwi-D1/A, khangela ukuba i Indlela yokusebenza ayiphawulwanga njengephepha Sukufowunela imisebenzi enokuphepheka ngelixa ubaleka e DISPATCH_LEVEL okanye ngaphezulu. Oku kubandakanya ukuphepha ukubhekisela kwidatha kumacandelo aphejelwe kunye nokuhlonipha izithintelo ze-IRQL kubancedisi be-kernel abachazwe kwi-DDK.
Ukulungelelanisa idatha ekwabelwanayo ngayo, sebenzisa umthetho othi "hlala ufikelela kwidatha ekwabelwana ngayo kwi-IRQL ephezulu" kwaye usebenzise izitshixo zokutshixa xa kufanelekile. Kwiiprosesa ezininzi, i-IRQL iyodwa ayiqinisekisi kukhutshelwa ngaphandle phakathi kwee-CPU ezahlukeneyo; spin izitshixo phakamisa IRQL (ukuya DISPATCH_LEVEL) nokulungelelanisa ufikelelo phakathi kweecores. Ukuba ufuna ukusebenza kwiirejista zehardware ezibuthathaka, KeSynchronizeExecution ikunceda wenze amacandelo abalulekileyo kwi-DIRQL echanekileyo.
Xa isicwangciso sifuna ukunyusa i-IRQL, i-USA KeRaiseIrqlToDpcLevel ye DISPATCH_LEVEL okanye KeRaiseIrql ngononophelo, ukugcina i-IRQL yangaphambili kunye nokuyibuyisela kanye ngayo KeLowerIrql. Yiya ngezantsi kwegalelo le-IRQL, nokuba nje okomzuzwana, Yimpazamo enkulu yongqamaniso.
Ubudlelwane kunye nokuphazamiseka kunye ne-hardware
I-IRQL yindlela esetyenziswa ngayo iWindows imiyalelo iphazamisa izinto eziphambili kunye nemisebenzi ethile yangaphakathiKwinqanaba loyilo, inxulumene neekhonsepthi ezinje ngo "Interrupt", "Interrupt handler" okanye "Iinterrupt priority level" kwaye, kumaqonga akudala, kunye IsiLawuli esiPhakamisa esiCwangcisiweyo (PIC)Kwezinye iinkqubo, ulawulo oluphambili lubonakaliswa ngeendlela ezifana spl en Unix; ingcamango jikelele iyafana: ngubani onokuphazamisa bani.
Iingcebiso zokulungisa ezikwinqanaba eliphezulu
Kwiindawo zokulahla apho isitaki sikhomba khona win32kfull!xxxProcessNotifyWinEvent ngokujonga ibug 0xA/0xD1, jonga umxholo nge .process y .thread (ukuba ikhona), jonga iinkqubo ezifana explorer.exe en !process 0 1 kwaye khangela ii-overlays kunye nabaqhubi bentsebenziswano ye-GUI. Amaxesha amaninzi ingxaki Yinkumbulo eyonakaliswe ngumntu wesithathu ovela kuloo ndlela.
Ungalibali ukujonga i-IRQL nge !irql, kunye nokuchasanisa: ukuba use DISPATCH_LEVEL (2) kunye neparameter 3 ibonisa funda/bhala/wenza kwiphepha elinomfanekiso, sele unomkhondo wokuba kutheni iwe. Qhuba ngalo mkhondo ln kwiparameter 4 ukufumana umsebenzi othile.
Qonda Yintoni i-IRQL? kwaye ingena njani ekuphunyezweni kwekernel inceda ukwahlula ingxolo kwimiqondiso. Ukuba ungumsebenzisi, gxininisa abaqhubi kunye hardware (kunye nomQinisekisi, iziganeko, kunye novavanyo ngokungagqibekanga). Ukuba uyaphuhlisa, landela ngokungqongqo imigaqo ye-IRQL, imemori engamaphepha, kunye nongqamaniso kunye nezitshixo zokutshixa. Ngezixhobo ezifanelekileyo (WinDbg, Verifier) kunye nokufunda ngononophelo iiparamitha (1, 3, kunye ne-4), Olu qwalaselo lwe-bug aluseyo mfihlakalo. kwaye ziba ziingxaki ezinokusonjululwa ngendlela.
Umbhali onomdla malunga nehlabathi le-bytes kunye netekhnoloji ngokubanzi. Ndiyakuthanda ukwabelana ngolwazi lwam ngokubhala, kwaye yile nto ndiza kuyenza kule bhlog, ndikubonise zonke izinto ezinomdla malunga nezixhobo, isoftware, ihardware, iindlela zetekhnoloji, kunye nokunye. Injongo yam kukukunceda uhambe kwihlabathi ledijithali ngendlela elula neyonwabisayo.