I can fairly call myself a loyal Rising user: from XP all the way to Windows 7 I have always run a licensed copy of Rising Full-Function Security Software. But a few days ago, the computer, which had been working fine, suddenly blue-screened after a restart; after the blue screen it rebooted right away, and after I chose a normal start it was fine again, except that after the welcome screen it went black and hung for quite a while before reaching the desktop. After booting I used Debugging Tools for Windows to debug the blue-screen memory dump file and found that the cause of the blue screen was a system file called "hooksys.sys"; a Microsoft engineer identified this as Rising's real-time monitoring file, which means Rising caused the blue screen! Doesn't Rising Full-Function Security Software claim to be fully compatible with Windows 7? Then why does an error as serious as a blue screen occur on 32-bit Windows 7? If this is a bug in Rising, I hope Rising fixes it soon.
Original thread on Microsoft Answers:
http://social.answers.microsoft.com/Forums/zh-CN/w7repairzhcn/thread/0a9d6793-481a-4571-bbb3-f4ebc86198e7
Blue-screen debugging results:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [E:\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*e:\temp*
http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16539.x86fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0x8424c000 PsLoadedModuleList = 0x84394810
Debug session time: Sun Apr 18 15:02:38.018 2010 (GMT+8)
System Uptime: 0 days 0:00:18.720
WARNING: Process directory table base 7EC9E0E0 doesn't match CR3 00185000
WARNING: Process directory table base 7EC9E0E0 doesn't match CR3 00185000
Loading Kernel Symbols
...............................................................
................................................................
..
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7F, {8, 807c3750, 0, 0}
*** ERROR: Module load completed but symbols could not be loaded for HookSys.sys
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Probably caused by : HookSys.sys ( HookSys+fb3b )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 807c3750
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
BUGCHECK_STR: 0x7f_8
TSS: 00000028 -- (.tss 0x28)
eax=8dfcca6c ebx=909efcf6 ecx=909efcd5 edx=87063338 esi=0019f578 edi=00000000
eip=909bbb3b esp=8d6c4f54 ebp=8d6c55b8 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
HookSys+0xfb3b:
909bbb3b 53 push ebx
Resetting default scope
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: wininit.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 909bbd9d to 909bbb3b
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8d6c55b8 909bbd9d 00000000 00000000 0019f58c HookSys+0xfb3b
8d6c5c48 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c62d8 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c6968 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c6ff8 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c7688 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c7d18 8428f44a 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c7d18 77b764f4 00000000 00000000 0019f58c nt!KiFastCallEntry+0x12a
0019f59c 00000000 00000000 00000000 00000000 0x77b764f4
STACK_COMMAND: .tss 0x28 ; kb
FOLLOWUP_IP:
HookSys+fb3b
909bbb3b 53 push ebx
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: HookSys+fb3b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: HookSys
IMAGE_NAME: HookSys.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4b8775de
FAILURE_BUCKET_ID: 0x7f_8_HookSys+fb3b
BUCKET_ID: 0x7f_8_HookSys+fb3b
Followup: MachineOwner
---------
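The two things worth checking by hand in a 0x7F/arg1=8 dump like the one above are whether one return address repeats at a fixed stride (runaway recursion) and whether the ESP at the trap has reached the bottom of the 12 KiB kernel stack that 32-bit Windows gives each thread. The script below, an added example that is neither the poster's code nor anything from Rising or Microsoft, parses the BugCheck line, the `.tss` register dump and the STACK_TEXT block copied from the post and answers both questions. It assumes the default 2 GB/2 GB address split (kernel addresses at or above 0x80000000) and that the highest kernel-mode frame, the syscall entry, marks the top of the call chain.

```python
"""Triage helper for an x86 WinDbg UNEXPECTED_KERNEL_MODE_TRAP (0x7F, arg1 = 8).

Added example, not code from the post above or from the driver vendor.
"""
import re
from collections import Counter

# Copied verbatim from the debugger output in the post above.
BUGCHECK_LINE = "BugCheck 7F, {8, 807c3750, 0, 0}"
TSS_REGISTERS = "eip=909bbb3b esp=8d6c4f54 ebp=8d6c55b8 iopl=0 nv up ei ng nz na pe nc"
STACK_TEXT = """\
8d6c55b8 909bbd9d 00000000 00000000 0019f58c HookSys+0xfb3b
8d6c5c48 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c62d8 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c6968 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c6ff8 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c7688 909bbd9d 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c7d18 8428f44a 00000000 00000000 0019f58c HookSys+0xfd9d
8d6c7d18 77b764f4 00000000 00000000 0019f58c nt!KiFastCallEntry+0x12a
0019f59c 00000000 00000000 00000000 00000000 0x77b764f4
"""

X86_KERNEL_STACK = 12 * 1024   # per-thread kernel stack on 32-bit Windows (3 pages)
KERNEL_BASE = 0x80000000       # assumption: default 2 GB/2 GB split, no /3GB switch

# ChildEBP RetAddr Args(3) Symbol, as printed by kb on x86
FRAME_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+[0-9a-f]{8}){3}\s+(\S+)")


def parse_bugcheck(line):
    """Return (code, [arg1..arg4]) from a 'BugCheck XX, {a, b, c, d}' line."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line)
    if not m:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    return code, args


def parse_register(regs, name):
    """Pull one 32-bit register value out of a WinDbg register dump line."""
    m = re.search(r"\b%s=([0-9a-f]{8})\b" % name, regs)
    if not m:
        raise ValueError("register %s not in dump" % name)
    return int(m.group(1), 16)


def parse_frames(text):
    """Return [(child_ebp, ret_addr, symbol)] for every STACK_TEXT row."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return frames


def find_recursion(frames):
    """Most frequent return address among kernel frames, its repeat count, and
    the stride between successive frames returning to it (None if not constant)."""
    kernel = [f for f in frames if f[0] >= KERNEL_BASE]
    counts = Counter(ret for _, ret, _ in kernel)
    ret, n = counts.most_common(1)[0]
    ebps = [ebp for ebp, r, _ in kernel if r == ret]
    strides = {ebps[i + 1] - ebps[i] for i in range(len(ebps) - 1)}
    stride = strides.pop() if len(strides) == 1 else None
    return ret, n, stride


def triage(bugcheck_line, tss_registers, stack_text):
    """Summarise whether the double fault looks like recursive stack exhaustion."""
    code, args = parse_bugcheck(bugcheck_line)
    frames = parse_frames(stack_text)
    esp = parse_register(tss_registers, "esp")
    ret, repeats, stride = find_recursion(frames)
    # The highest kernel-mode frame is the syscall entry; everything between it
    # and the trap ESP belongs to the faulting call chain.
    top_kernel_ebp = max(ebp for ebp, _, _ in frames if ebp >= KERNEL_BASE)
    used = top_kernel_ebp - esp
    return {
        "double_fault": code == 0x7F and args[0] == 8,
        "owner": frames[0][2].split("+")[0],
        "repeated_ret": "%08x" % ret,
        "repeats": repeats,
        "stride": stride,
        "stack_used": used,
        # If one more recursion level would not fit, this is exhaustion, not a stray trap.
        "stack_exhausted": stride is not None and used + stride > X86_KERNEL_STACK,
    }


if __name__ == "__main__":
    for key, value in triage(BUGCHECK_LINE, TSS_REGISTERS, STACK_TEXT).items():
        print("%-16s %s" % (key, value))
```

On the dump in the post this reports six frames returning to 909bbd9d spaced exactly 0x690 bytes apart, with 0x2dc4 (11716) bytes already consumed between the syscall entry frame and the faulting `push ebx`; one more 0x690-byte frame would overrun the 12 KiB stack, which is why the trap was a double fault rather than an ordinary access violation. Without symbols for HookSys.sys the script cannot say which function recurses, only that the recursion starts and ends inside that module.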