WinMount 2.2.2 blue-screened
2009-05-16 05:36

The WinMount installed on my laptop BSODed while mounting a password-protected archive to a new drive: I typed the password, clicked OK, and got a blue screen. So I ended up analyzing the dump late at night.

Summary of what windbg reported after loading the dump:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ff116000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f907347f, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: ff116000

CURRENT_IRQL: 2

FAULTING_IP:
WinMTBus+1647f
f907347f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: WinMount.exe

LAST_CONTROL_TRANSFER: from f907a8cc to f907347f

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f0cf2ba4 f907a8cc ff115fb0 03300000 fee97d48 WinMTBus+0x1647f
f0cf2bd8 f90647d7 03300000 feea9950 81d85c40 WinMTBus+0x1d8cc
f0cf2c18 f905d759 00ea9950 f905d64c 81d85c40 WinMTBus+0x77d7
f0cf2c58 8057ba9f 81d85b88 feea9950 ff0fa398 WinMTBus+0x759
f0cf2d00 8058ffe3 0000011c 00000000 00000000 nt!IopXxxControlFile+0x611
f0cf2d34 804df7ec 0000011c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f0cf2d34 7c92e514 0000011c 00000000 00000000 nt!KiFastCallEntry+0xf8
023eff38 00000000 00000000 00000000 00000000 0x7c92e514


STACK_COMMAND: kb

FOLLOWUP_IP:
WinMTBus+1647f
f907347f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: WinMTBus+1647f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: WinMTBus

IMAGE_NAME: WinMTBus.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45d27c40

FAILURE_BUCKET_ID: 0xD1_WinMTBus+1647f

BUCKET_ID: 0xD1_WinMTBus+1647f

Followup: MachineOwner
---------

From the above we can see that the system read a pageable (or invalid) address while IRQL == DISPATCH_LEVEL, which triggered the BSOD.

kd> !process
GetPointerFromAddress: unable to read from 80560bd4
PROCESS feeb2da0 SessionId: none Cid: 0f54    Peb: 7ffda000 ParentCid: 0938
    DirBase: 07530000 ObjectTable: e11c1fb8 HandleCount: <Data Not Accessible>
    Image: WinMount.exe
    VadRoot ff5f7a60 Vads 186 Clone 0 Private 3086. Modified 1951. Locked 256.
(some output omitted below)

kd> r edi, esi, ecx
edi=03300060 esi=ff116000 ecx=00000004
kd> dd esi
ff116000 ???????? ???????? ???????? ????????
ff116010 ???????? ???????? ???????? ????????
ff116020 ???????? ???????? ???????? ????????
ff116030 ???????? ???????? ???????? ????????
ff116040 ???????? ???????? ???????? ????????
ff116050 ???????? ???????? ???????? ????????
ff116060 ???????? ???????? ???????? ????????
ff116070 ???????? ???????? ???????? ????????

The process that hit the BSOD is WinMount.exe, at WinMTBus+1647f in the driver, which is a rep movsd instruction. The instruction faulted while reading the memory pointed to by esi, because that address is invalid. From ecx=4 we can see that 0x10 more bytes were still to be copied.

From the stack backtrace, this operation originates from a user-mode NtDeviceIoControlFile call that WinMount.exe made to talk to the driver. Looking at the stack at entry to NtDeviceIoControlFile:
kd> dd f0cf2d38
f0cf2d38 804df7ec 0000011c 00000000 00000000
f0cf2d48 00000000 023eff14 0022200a 00000000
f0cf2d58 00000000 03300000 00100000 023eff38
Matching this against the prototype of NtDeviceIoControlFile: the handle to the driver's symbolic link is 0x11c (perhaps because the dump holds too little information, I could not find the object behind this handle), the IOCTL is 0x0022200a, which is used to return buffer information from the driver to user mode, OutputBuffer is 0x03300000 and OutputBufferLength is 0x100000.
We can see that edi=03300060 lies inside the output buffer, so the driver is copying data into it at this moment.

kd> r eax
eax=03300000

eax points exactly at the start of the buffer.

kd> dd eax
03300000 00000002 00000000 00000000 00000000
03300010 000b0050 00000000 00000000 00000000
03300020 00000000 00000000 00000012 ff0f1b58
03300030 00000000 00000000 00000000 00000000
03300040 ff115fb0 00000040 00000000 00000000
03300050 e244fd50 00000000 010000aa 00000000
03300060 00000000 00000000 00000000 00000000
03300070 00000000 00000000 00000000 00000000
kd> dd esi-60
ff115fa0 00000000 00000001 0a0b0007 53414d55
ff115fb0 000b0050 00000000 00000000 00000000
ff115fc0 00000000 00000000 00000012 ff0f1b58
ff115fd0 00000000 00000000 00000000 00000000
ff115fe0 ff115fb0 00000040 00000000 00000000
ff115ff0 e244fd50 00000000 010000aa 00000000
ff116000 ???????? ???????? ???????? ????????
ff116010 ???????? ???????? ???????? ????????

Comparing the two memory regions above, the rep movsd had already copied part of the data across; we can guess that ecx was roughly 0x18 before the instruction started.
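The following Python script is a worked example I add here; it is not code from the post and not WinMount's code. It decodes the IOCTL 0x0022200a from the NtDeviceIoControlFile frame into its CTL_CODE fields, and replays the register/memory comparison above to work out where the rep movsd began and how many dwords it was asked to move. The CTL_CODE field layout and the FILE_DEVICE_UNKNOWN value (0x22) are from the Windows DDK headers; the register values and dumps are the ones quoted in the post; the backward-matching walk that recovers the copy's start is a heuristic I assume here, not something the post describes.

```python
"""Added example (not from the post, not WinMount's code): decode the IOCTL seen
on the NtDeviceIoControlFile frame and reconstruct the interrupted rep movsd
from the register values and memory dumps quoted in the post."""

# CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def decode_ioctl(code):
    """Split a Windows I/O control code into its CTL_CODE fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,   # 0x22 is FILE_DEVICE_UNKNOWN
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


def parse_dd(text):
    """Parse windbg `dd` output into {address: dword}; '????????' becomes None."""
    mem = {}
    for line in text.strip().splitlines():
        fields = line.split()
        base = int(fields[0], 16)
        for i, word in enumerate(fields[1:]):
            mem[base + 4 * i] = None if word.startswith("?") else int(word, 16)
    return mem


def reconstruct_rep_movsd(dst_mem, src_mem, edi, esi, ecx):
    """Walk back from the faulting edi/esi while destination and source dwords
    agree, to estimate where the copy began and how long it was meant to be.
    Heuristic (my assumption): identical data just before the real start would
    extend the match; here the mismatch at 0330000c / ff115fac stops it."""
    dst, src = edi, esi
    while (dst_mem.get(dst - 4) is not None
           and dst_mem.get(dst - 4) == src_mem.get(src - 4)):
        dst -= 4
        src -= 4
    copied = edi - dst
    return {
        "dst_start": dst,
        "src_start": src,
        "bytes_copied": copied,
        "original_ecx": copied // 4 + ecx,   # dwords the copy was asked to move
        "bytes_still_to_read": ecx * 4,      # these lie past the faulting esi
        "src_on_page_boundary": (esi & 0xFFF) == 0,
    }


# Register values and dumps exactly as quoted in the post
EDI, ESI, ECX = 0x03300060, 0xFF116000, 0x4
IOCTL = 0x0022200A

DST_DUMP = """\
03300000 00000002 00000000 00000000 00000000
03300010 000b0050 00000000 00000000 00000000
03300020 00000000 00000000 00000012 ff0f1b58
03300030 00000000 00000000 00000000 00000000
03300040 ff115fb0 00000040 00000000 00000000
03300050 e244fd50 00000000 010000aa 00000000
03300060 00000000 00000000 00000000 00000000
03300070 00000000 00000000 00000000 00000000"""

SRC_DUMP = """\
ff115fa0 00000000 00000001 0a0b0007 53414d55
ff115fb0 000b0050 00000000 00000000 00000000
ff115fc0 00000000 00000000 00000012 ff0f1b58
ff115fd0 00000000 00000000 00000000 00000000
ff115fe0 ff115fb0 00000040 00000000 00000000
ff115ff0 e244fd50 00000000 010000aa 00000000
ff116000 ???????? ???????? ???????? ????????
ff116010 ???????? ???????? ???????? ????????"""


def analyse():
    """Run both decoders over the values from the post."""
    return decode_ioctl(IOCTL), reconstruct_rep_movsd(
        parse_dd(DST_DUMP), parse_dd(SRC_DUMP), EDI, ESI, ECX)


if __name__ == "__main__":
    ioctl, copy = analyse()
    print("IOCTL 0x%08x -> %s" % (IOCTL, ioctl))
    print({k: (v if isinstance(v, bool) else hex(v)) for k, v in copy.items()})
```

Run as-is, the walk finds that the copy ran from 03300010 / ff115fb0, that 0x50 bytes had been moved when the fault hit, and that ecx was originally 0x18, matching the estimate above; the remaining 0x10 bytes sit just past the 4 KiB boundary at ff116000, on the page the debugger could not read. The IOCTL decodes to device type 0x22 (FILE_DEVICE_UNKNOWN), function 0x802, FILE_ANY_ACCESS, METHOD_OUT_DIRECT; with that method the I/O manager describes the output buffer with an MDL, yet the copy here targets the user-mode address in edi directly, which is worth keeping in mind when reading the rest of the driver.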

What impresses me most about the WinMount author is his "twisting" transformation: code obfuscation taken to the extreme. After the driver has been twisted, the disassembly is painful to look at, so I had no wish to analyze it any further; this post is purely a record.

Since I'm running the last stable 2.x release and don't know how 3.x behaves (and I'm wary of the beta), I'll leave it alone for now. In terms of features, though, WinMount really is a pretty powerful thing.

Off to bed...


Reader comments:
1
2009-05-16 19:40
I've lost count of how many times this program has blue-screened on me.

2
2009-05-16 19:43
The features are really convenient ^_^ still worth installing. The one I have installed should be 3.

3
2009-05-16 20:38
Third floor here..
 