- I-IRQL ichaza izinto eziza kuqala ekusebenziseni futhi imaski iphazanyiswa ngeleveli, ngenhla kwe-DISPATCH iyala i-IRQL, hhayi ukubaluleka kochungechunge.
- I-Los BSOD I-0xA/0xD1 ivamise ukubangelwa ukufinyelela kumemori emakhasi noma engavumelekile ku-IRQL ephezulu kanye namakheli angalungile noma ikhodi ephephekayo.
- I-WinDbg ne-Driver Verifier zibalulekile: sebenzisa !hlaziya, !irql, ln, .trap, !pool, !ikheli futhi uhlole amapharamitha 1, 3 kanye no-4.
- En abashayeli, ivimbela amaphutha ekhasi ku-IRQL ephezulu, isebenzisa inkumbulo engaphekiwe kanye nezingidi zokuphotha; kumsebenzisi, izibuyekezo/ihlukanisa abashayeli abanenkinga.
Uma uke wabona isikrini esiluhlaza esinemiyalezo efana nale I-IRQL_NOT_LESS_OR_EQUAL o DRIVER_IRQL_NOT_LESS_OR_EQUAL, cishe uhlangabezane nomqondo owaziwa kancane ngaphandle kwabashayeli: i-IRQL (I-Interrupt Request Level). Ku Windows, leli zinga lokubalulekile kokuphazamiseka liza kuqala ngaphezu kokubalulekile kochungechunge lapho isistimu ingaphezu komkhawulo othile, futhi lokhu kunemiphumela eqondile ekuzinzeni.
Emigqeni elandelayo uzothola una umhlahlandlela ophelele nangeSpanishi esivela eSpain mayelana nokuthi iyini i-IRQL, ukuthi isebenza kanjani, kungani icupha izikrini eziluhlaza, indlela yokuxilonga inkinga nge-WinDbg, nokuthi yini okufanele uyenze noma ngabe ungumsebenzisi obhekene nephutha noma uthuthukisa abashayeli bemodi ye-kernel. Ake sehlele ebhizinisini.
Iyini i-IRQL (Izinga Lesicelo Sokuphazamisa) ku-Windows?
Ku-Windows, ifayela le- I-IRQL ichaza okubalulekile kwe hardware lapho iprosesa isebenza khona nganoma yisiphi isikhathi. Ngaphakathi kwe-Windows Driver Model (WDM), ikhodi esebenza nge-IRQL ephansi ingaphazanyiswa ikhodi esebenza ku-IRQL ephakeme. Eqinisweni, kukhompuyutha eyodwa yama-multi-core, i-CPU ngayinye ingaba ku-IRQL ehlukile, okwenza kube nzima ukuvumelanisa.
Kunomthetho owodwa obalulekile: Uma i-CPU isebenza ku-IRQL ngaphezu kwe-PASSIVE_LEVEL, ingaqalwa kuphela ngomsebenzi ku-IRQL ephakeme nakakhulu.Lokhu kuhlela ukuphilisana phakathi kwekhodi yomsebenzisi, imisebenzi ye-kernel, abafonayo abahlehlisiwe (ama-DPC), kanye nezinqubo zesevisi eziphazamisa idivayisi (ISRs).
Amaleveli nezinto ezibalulekile: PASSIVE_LEVEL, APC_LEVEL, DISPATCH_LEVEL ne-DIRQL
Ngokujwayelekile, Ku-x86, kusetshenziswa amanani e-IRQL phakathi kuka-0 no-31; ku-x64, phakathi kuka-0 no-15Incazelo engokoqobo iyafana: I-IRQL 0 (PASSIVE_LEVEL) yilapho ikhodi yomsebenzisi evamile nemisebenzi eminingi yomshayeli isetshenziswa; I-APC namaphutha ekhasi Ngokuvamile zidwetshwa ku-IRQL 1 (APC_LEVEL); I-IRQL 2 (DISPATCH_LEVEL) ihlanganisa umhleli wochungechunge nama-DPC. Ngaphezulu kuka-DISPATCH_LEVEL kunamaleveli abekelwe iziphazamiso zedivayisi (okwaziwa nge-DIRQL) nokunye ukusetshenziswa kwangaphakathi okufana ne-HIGH_LEVEL.
Ku-ecosystem yomshayeli, Imizila eminingi evamile isebenza kokuthi DISPATCH_LEVEL: isibonelo, i-DPC ne-StartIo. Lo mklamo uqinisekisa ukuthi ngenkathi enye yazo ithinta olayini bangaphakathi noma ezinye izinsiza ezabiwe, enye indlela esezingeni elifanayo ayikuvimbeli kuleyo CPU, ngoba umthetho wokukhululwa uvumela kuphela ukuphazamiseka kumazinga aphezulu.
Phakathi kuka-DISPATCH_LEVEL namaleveli okuphrofayela/aphezulu kukhona isikhala se- iziphazamiso zehadiwe kudivayisi ngayinye (DIRQL)I-IRQL yedivayisi ichaza ukubaluleka kwayo ngaphezu kwamanye amadivayisi. Umshayeli we-WDM uthola le IRQL ngesikhathi se-IRP_MJ_PNP nge-IRP_MN_START_DEVICE. Le divayisi ye-IRQL ayilona inani lomhlaba wonke, eligxilile, kodwa inani elihlotshaniswa nolayini wokuphazamiseka othize.
I-IRQL vs. Okubalulekile Kochungechunge
Kutuswa ukuthi ungaphambanisi imiqondo: Okubalulekile kochungechunge kunquma ukuthi isihleli siqala nini nokuthi yiluphi uchungechunge olusebenzayo; i-IRQL ilawula ukuthi yiluphi uhlobo lomsebenzi ongenziwa nokuthi yiziphi iziphazamiso ezifihlwayo. Ngaphezulu kuka-DISPATCH_LEVEL, akukho ukushintsha kwentambo: yi-IRQL elawulayo, hhayi ukubaluleka kochungechunge.
I-IRQL kanye Nekhasi: Okungafanele Ukwenze
Umphumela osheshayo wokukhulisa i-IRQL ukuthi uhlelo ayikwazi ukuphatha amaphutha ekhasi. Umthetho oyigolide: ikhodi egijima ku-DISPATCH_LEVEL noma ngaphezulu ayikwazi ukudala amaphutha ekhasi. Empeleni, lokhu kusho ukuthi leyo mikhuba kanye nedatha abayithintayo kufanele ihlale kumemori engaphekiwe. Ngaphezu kwalokho, abasizi abathile be-kernel bakhawulela ukusetshenziswa kwabo ngokusekelwe ku-IRQL: isibonelo, KeWaitForSingleObject I-DISPATCH_LEVEL ingabizwa kuphela uma ungavimbeli (isikhathi sokuvala esinguziro), futhi ngezikhathi zokuvala ezingezona uziro, udinga ukuba ngaphansi kuka-DISPATCH_LEVEL.
Ukulawula okusobala nokusobala kwe-IRQL
Isikhathi esiningi, isistimu ngokwayo icela imikhuba yakho ku-IRQL efanele ngalokho okufanele bakwenze. Izinqubo zokuthunyelwa kwama-IRP zisebenza kokuthi PASSIVE_LEVEL (zingakwazi ukuvimba noma ukushayela noma yimuphi umsizi), i-StartIo ne-DPC zigijima kokuthi DISPATCH_LEVEL ukuze zivikele imigqa eyabiwe, futhi ama-ISR agijima ku-DIRQL.
Uma udinga ukuyilawula ngokusobala, Ungakhuphula futhi wehlise i-IRQL nge KeRaiseIrql y KeLowerIrqlKukhona isinqamuleli esisetshenziswa kakhulu: KeRaiseIrqlToDpcLevel() ibuyisela i-IRQL yangaphambilini futhi ikushiye ku-DISPATCH_LEVEL. Okubalulekile: Ungalokothi wehlise i-IRQL ngaphansi kwevelu eyayikuyo ngenkathi isistimu ikubiza; ukwephula lokho kuvumelanisa kungavula amafasitela omjaho onzima kakhulu.
Amaphutha esikrini esiluhlaza ahlobene ne-IRQL: IRQL_NOT_LESS_OR_EQUAL kanye ne-DRIVER_IRQL_NOT_LESS_OR_EQUAL
Ukuhlola iziphazamisi okubili kwakudala okuhlotshaniswa nalezi zinkinga kukhona IRQL_NOT_LESS_OR_EQUAL (0xA) y DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1)Kokubili kubonisa umzamo wokufinyelela ekhelini elinekhasi (noma elingavumelekile) ku-IRQL eliphezulu kakhulu. Lokhu kuvame ukubangelwa abashayeli abasebenzisa amakheli angalungile, ukuhoxisa izikhombi ezimbi, noma ukusebenzisa ikhodi ephekayo emazingeni angafanele.
Esimweni esithile DRIVER_IRQL_NOT_LESS_OR_EQUAL (0x000000D1), amapharamitha afundisa kakhulu: 1) ikheli lenkumbulo ekhonjiwe; 2) I-IRQL ngaleso sikhathi; 3) uhlobo lokufinyelela (0 funda, 1 bhala, 2/8 khipha); 4) ikheli lomyalelo owawubhekise inkumbulo. Nge-debugger ungasebenzisa ln kupharamitha 4 ye bhala uphawu oluseduze futhi wazi ukuthi yimuphi umsebenzi owawusebenza.
Izimbangela ezijwayelekile okufanele uzikhumbule
Ngale kwekhodi ethile, kunamaphethini aphindaphindiwe. Ihoxisa i-pointer engavumelekile kokuthi DISPATCH_LEVEL noma ngaphezulu Lena iresiphi eqinisekile yenhlekelele. Ukufinyelela idatha ekwazi ukumakhasi kuleyo leveli, noma ukwenza ikhodi ephekayo (isb., umsebenzi omakwe njengekhasi), kuphinda kuqalise ukuhlolwa kwesiphazamisi.
Ezinye izimo ezivamile zihlanganisa shayela umsebenzi komunye umshayeli osevele ulandiwe (isikhombi sokusebenza esilengayo), noma sicelwe ngokungaqondile ngesikhombisi sokusebenza esingavumelekile. Ngokuvamile, uma isistimu ikwazi ukuhlonza imojuli, uzobona igama layo esikrinini esiluhlaza ngokwaso, futhi iphinde igcinwe KiBugCheckDriver, kufinyeleleke nge dx KiBugCheckDriver kusuka ku-WinDbg.
Imininingwane esebenzayo: Ku-D1/A eminingi, inkinga yangempela akuyona i-IRQL ngokwayo, kodwa kunalokho ikheli lenkumbulo elikhonjiwe. Yingakho amapharamitha 1, 3, kanye no-4 ebalulekile ekugxiliseni ukuxilongwa.
Ukuxilongwa nge-WinDbg: Imiyalo ewusizo nokufunda ipharamitha
Ukuze usebenze kulezi zimo, I-WinDbg iyithuluzi eliyinhloko, futhi uma i-BSOD isho insika.exe Lolu lwazi luhlinzeka ngeziqondiso eziningi zokuthi ingabe iphutha liku-kernel subsystem. Qala ngokuthi !analyze -v ukuze uthole isifinyezo sokuhlola iziphazamisi, isitaki, futhi, uma unenhlanhla, imojuli ehilelekile. Uma ukulahlwa kubandakanya uhlaka lokuthwebula, .trap ikubeka kumongo we-CPU ehlulekile.
I-Los imiyalo kwenqwaba njengoba k, kb, kc, kd, kp, kP, kv Bakubonisa amaleveli ahlukene emininingwane ye-backtrace. Nge ln kupharamitha 4 ungakwazi ukweqa emyalweni obhekise inkumbulo bese uthola uphawu oluseduze. Futhi uma usola izinga elibalulekile elisebenza ngaphambi kokuphazamiseka, !irql ikubonisa i-IRQL elondoloziwe yephrosesa eqondiwe (isb. DISPATCH_LEVEL).
Ukuze uhlaziye isiqondiso sepharamitha 1, !pool Izokutshela uma ingeyechibi elinamakhasi; !address y !pte hlolisisa imephu yenkumbulo yaleyo ndawo. Ungasebenzisa imiyalo yokubonisa inkumbulo ukuhlola okuqukethwe okuzanywe ukutholakala. Ekugcineni, u, ub, uu ikuvumela ukuthi uhlukanise eduze kwekheli lepharamitha 4.
Ungakhohlwa lm t n ukuze ufake kuhlu amamojula alayishiwe y !memusage esimweni esijwayelekile senkumbulo. Uma KiBugCheckDriver unokuthile, dx KiBugCheckDriver Izobuyisela igama lemojuli ye-Unicode: esibonelweni esijwayelekile, i-“Wdf01000.sys” ibonwe njengomshayeli ohilelekile ngesikhathi sokuhlolwa kweziphazamisi.
Amathuluzi Esistimu: Isiqinisekisi Somshayeli, Isibukeli Somcimbi kanye Nokuxilongwa
El Isiqinisekisi Somshayeli Ihlola ukuziphatha kwabashayeli ngesikhathi sangempela futhi iphoqelela amaphutha lapho ithola ukusetshenziswa okungalungile kwensiza (njengechibi lokubhukuda), iphakamisa okuhlukile ukuze kuhlukaniswe indawo eyinkinga yekhodi. Yethulwa nge verifier funa ngokushesha komyalo futhi kuyatuseka ukuthi ukhethe isethi encane yabashayeli ngangokunokwenzeka ukuze ugweme ukwengeza phezulu kakhulu.
Uma ungaziboni nge-WinDbg, sebenzisa izinyathelo eziyisisekelo: Hlola ukungena kwesistimu kusibukeli somcimbi ukuze uthole amaphutha akhomba idivayisi/umshayeli othile; buyekeza noma vala umshayeli ocashunwe isikrini esiluhlaza; qinisekisa ukuhambisana kwehadiwe nenguqulo yakho ye-Windows; futhi usebenzise i-Windows Memory Diagnostic uma usola i-RAM. Lezi zenzo, nakuba zilula, baxazulula inombolo enkulu yamacala.
Izimo zangempela: Lapho ama-BSOD ebonakala engahleliwe
Umsebenzisi ona Windows 10 Pro (AMD Ryzen 5 3400G CPU, GPU I-NVIDIA I-GeForce GTX 1660 Ti ne-Gigabyte B450 AORUS PRO WIFI board, 16 GB ye-RAM) ibikade ihlangabezana nezikrini ze-"IRQL_LESS_OR_NOT_EQUAL". Ngangivele ngibuyekeze abashayeli ababalulekile (inethiwekhi, ihluzo), ngifake zonke izibuyekezo ze-Windows, futhi ngisebenzise ithuluzi lememori, konke ngaphandle kokubona izinkinga.
Ezimeni ezifana nalezi, Isinyathelo esilandelayo ukuhlaziya ukulahlwa nge-WinDbg futhi ubheke amaphethini: izinqubo ezihilelekile lapho kuwa (isibonelo, explorer.exe), amamojula esixhumi esibonakalayo (win32kfull.sys) kanye nemisebenzi enjengokuthi xxxProcessNotifyWinEvent evela esitakini. Nakuba le moduli kuyi-Windows, i-trigger ivame ukuba umshayeli wenkampani yangaphandle (izithombe, okokufaka, ukumbondela, amakhadi okuthwebula) esebenzisa inkumbulo ku-IRQL engalungile futhi iphutha livela ngaphakathi. win32k.
Isincomo esisebenzayo lapha khubaza okwesikhashana isofthiwe yembondela (thwebula, i-GPU OSD), izishayeli zesofthiwe ezinolaka (amagundane/amakhibhodi anama-macro), nezinguqulo ze-beta zamadrayivu wezithombe, futhi uyinciphise. Ukusebenzisa i-Driver Verifier kubasolwa kungasiza ekwehliseni inkinga ngesitaki esicacile.
Iphethini ejwayeleke kakhulu kunethiwekhi: ndis.sys ayihlali iyicala
Esinye isimo esijwayelekile: isithombe-skrini nge ndis.sys (i-Windows network layer). Kukhompyutha yangempela, isistimu izophahlazeka ngokushesha lapho iqalwa. Isixazululo esisebenzayo kwaba ukuqala Imodi ephephile ngaphandle kwemisebenzi yenethiwekhi, vula i Umlawuli wedivayisi futhi ukhubaze ama-adaptha ngaphansi kokuthi “Ama-adaptha enethiwekhi” ukuze uhlukanise inkinga.
Kulelo qembu kwakukhona a I-Realtek PCIe GBE Family Controller kanye ne-Atheros AR5007G. Ngokuvala kokubili, kwatholakala ukuthi imbangela yangempela kwakuyi- athrx.sys (Atheros), nakuba isikrini esiluhlaza kushiwo ndis.sysUkulahlwa kuqinisekise lokhu: isitaki sidlule ndis!NdisFreeTimerObject kodwa module enecala kwaba athrx.sysUkulungiswa kokugcina kwaba khipha idivayisi futhi ufake abashayeli abasemthethweni ababuyekeziwe Kusuka kuwebhusayithi yomkhiqizi we-Atheros. Ukuziphatha: Imojula eshiwo ku-BSOD ingase ibe yingxenye yesistimu engaphansi ethintekile, hhayi umthombo.
Impendulo evamile yosekelo nezinyathelo ezisheshayo zabasebenzisi
Ekushintshaneni kosekelo lwangempela, uchwepheshe waphendula: "Ngiyaxolisa ngokuphazamiseka. Kungenzeka kube inkinga yomshayeli, inkumbulo, noma i-antivirus. Sicela ubuyekeze abashayeli bakho futhi, uma kuqhubeka, sebenzisa ukuxilonga inkumbulo."Lesi iseluleko esiyisisekelo kodwa esisebenzayo; kodwa-ke, uma amaphutha eqhubeka, kuwumqondo omuhle ukuya phambili ngeSiqinisekisi nokuhlaziya kokulahla.
Kubasebenzisi abangebona abezobuchwepheshe, iphrothokholi enengqondo ingaba: 1) Hlola imicimbi yesistimu, 2) Buyekeza izishayeli zokhiye (chipset/network/graphics), 3) Hlola i-RAM ngethuluzi elihlanganisiwe, 4) isivivinyo ibhuthini clean ngaphandle kwesofthiwe yenkampani yangaphandle efaka amahhuku ku-kernel/GUI, kanye 5) sebenzisa i-Verifier kubashayeli bezinkampani zangaphandle uma kungekho okucacile.
Imikhuba emihle yonjiniyela babashayeli
Uma uthuthuka futhi ukhubeka ku-D1/A, hlola ukuthi i- umjikelezo osebenzayo awumakwa njengekhasi Ungayibizi imisebenzi ephesekayo ngenkathi isebenza ku-DISPATCH_LEVEL noma ngaphezulu. Lokhu kufaka phakathi ukugwema izinkomba zedatha esezigabeni ezinamakhasi nokuhlonipha imikhawulo ye-IRQL yabasizi be-kernel abachazwe ku-DDK.
Ukuze uvumelanise idatha eyabiwe, sebenzisa umthetho othi "hlala ufinyelela idatha eyabiwe ku-IRQL ephezulu efanayo" futhi usebenzise ama-spin locks uma kufanele. Kuma-multiprocessors, i-IRQL iyodwa ayiqinisekisi ukukhishwa phakathi kwama-CPU ahlukene; ama-spin locks aphakamisa i-IRQL (ukuze DISPATCH_LEVEL) futhi axhumanise ukufinyelela phakathi kwama-cores. Uma udinga ukusebenza kumarejista wehadiwe ebucayi, KeSynchronizeExecution ikusiza ukuthi wenze izigaba ezibalulekile ku-DIRQL efanele.
Lapho uhlelo ludinga ukukhushulwa kwe-IRQL, usa KeRaiseIrqlToDpcLevel okwe-DISPATCH_LEVEL noma KeRaiseIrql ngokucophelela, ilondoloza i-IRQL yangaphambilini nokuyibuyisela ngayo kanye KeLowerIrql. Hamba ngezansi kokufaka kwe-IRQL, noma umzuzwana nje, Kuyiphutha elibi lokuvumelanisa.
Ubudlelwano neziphazamiso kanye nehadiwe
I-IRQL iyindlela esebenzisa ngayo iWindows imiyalo iphazamisa okubalulekile kanye nemisebenzi ethile yangaphakathiEzingeni lezakhiwo, ihlobene nemiqondo efana nokuthi "Phazamisa", "Isibambi sokuphazamisa" noma "Izinga elibalulekile lokuphazamisa" futhi, kumapulatifomu akudala, I-Programmable Interrupt Controller (PIC)Kwezinye izinhlelo, ukulawula okubalulekile kuvezwa ngezindlela ezifana nalezi spl en Unix; umqondo ojwayelekile uyafana: ubani ongaphazamisa bani.
Amathiphu Okulungisa Okuthuthukile
Ezindaweni zokulahla lapho isitaki sikhomba khona win32kfull!xxxProcessNotifyWinEvent ngokuhlola iziphazamisi 0xA/0xD1, hlola umongo nge .process y .thread (uma ikhona), bheka izinqubo ezifana nalezi explorer.exe en !process 0 1 futhi uhlole ukumbondelana namashayeli okusebenzisana kwe-GUI. Izikhathi eziningi inkinga Kuyinkumbulo eyonakaliswe umuntu wesithathu ovela kulowo mzila.
Ungakhohlwa ukuhlola i-IRQL nayo !irql, nokuqhathanisa: uma uku-DISPATCH_LEVEL (2) futhi ipharamitha 3 ikhombisa ukuthi funda/bhala/wenza ekhasini elibhalwe phansi, usuvele unomkhondo wokuthi kungani iwe. Yeqa ngalolo mkhondo ln kupharamitha 4 ukuthola umsebenzi othize.
Qonda Iyini i-IRQL? nokuthi ingena kanjani ekusebenziseni i-kernel isiza ukuhlukanisa umsindo kumasignali. Uma ungumsebenzisi, gxila kukho abashayeli kanye hardware (Ngesiqinisekisi, imicimbi, nezivivinyo ngokuzenzakalela). Uma uthuthuka, landela ngokuqinile imithetho ye-IRQL, inkumbulo engenamakhasi, nokuvumelanisa nokukhiya okuphonswayo. Ngamathuluzi afanele (WinDbg, Verifier) kanye nokufunda ngokucophelela kwemingcele (1, 3, no-4), Lokhu kuhlola iziphazamisi akuseyona imfihlakalo. futhi ziba yizinkinga ezingalungiswa ngendlela.
Umbhali oshisekayo ngomhlaba wamabhayithi nobuchwepheshe ngokujwayelekile. Ngiyathanda ukwabelana ngolwazi lwami ngokubhala, futhi yilokho engizokwenza kule bhulogi, ngikubonise zonke izinto ezithakazelisayo kakhulu ngamagajethi, isofthiwe, ihadiwe, izitayela zobuchwepheshe, nokuningi. Inhloso yami ukukusiza ukuthi uzulazule emhlabeni wedijithali ngendlela elula nejabulisayo.