首先蓝屏时候,会发生文件转储,先开启蓝屏文件转储。
一般内核开发,选核心内存转储即可,下面就是生成文件的位置。为了方便学习,把“自动重新启动”取消勾选,不然蓝屏后系统会自动重启。
下面写个蓝屏驱动让其发生BAD_POOL_CALLER(如果造成蓝屏的驱动是随系统启动而启动,会反复重启,则可以通过安全模式进入系统去拿dump文件)
dump文件在之前设置的目录中,一般不修改位置就在Windows目录里,文件名是MEMORY.DMP。把它拖到开发机上,然后用WinDbg开始分析:选择File菜单里的Open Crash Dump打开它,首先加载符号,然后设置源文件的路径。
然后运行命令!analyze -v,然后产生了如下图的一个蓝屏分析报告
kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* BAD_POOL_CALLER (c2) The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc. Arguments: Arg1: 00000099, Attempt to free pool with invalid address (or corruption in pool header) Arg2: 98acd700, Address being freed Arg3: 00000000, 0 Arg4: 00000000, 0 Debugging Details: ------------------ SYMSRV: BYINDEX: 0x5CF d:\symbols 7x86*http://msdl.microsoft.com/download/symbols ntkrpamp.exe 4CE78A09412000 SYMSRV: PATH: d:\symbols 7x86\ntkrpamp.exe\4CE78A09412000\ntkrpamp.exe SYMSRV: RESULT: 0x00000000 DBGHELP: d:\symbols 7x86\ntkrpamp.exe\4CE78A09412000\ntkrpamp.exe - OK SYMSRV: BYINDEX: 0x5D0 d:\symbols 7x86*http://msdl.microsoft.com/download/symbols UcOperDrv.sys 59ABCCDCc00 SYMSRV: UNC: d:\symbols 7x86\UcOperDrv.sys\59ABCCDCc00\UcOperDrv.sys - path not found SYMSRV: UNC: d:\symbols 7x86\UcOperDrv.sys\59ABCCDCc00\UcOperDrv.sy_ - path not found SYMSRV: UNC: d:\symbols 7x86\UcOperDrv.sys\59ABCCDCc00\file.ptr - path not found SYMSRV: HTTPGET: /download/symbols/UcOperDrv.sys/59ABCCDCc00/UcOperDrv.sys SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND SYMSRV: HTTPGET: /download/symbols/UcOperDrv.sys/59ABCCDCc00/UcOperDrv.sy_ SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND SYMSRV: HTTPGET: /download/symbols/UcOperDrv.sys/59ABCCDCc00/file.ptr SYMSRV: HttpQueryInfo: 80190194 - HTTP_STATUS_NOT_FOUND SYMSRV: RESULT: 0x80190194 DBGHELP: E:\MF\1firstl-Hello\dbgdemo\bsod\debug\i386\UcOperDrv.sys - OK KEY_VALUES_STRING: 1 STACKHASH_ANALYSIS: 1 TIMELINE_ANALYSIS: 1 DUMP_CLASS: 1 DUMP_QUALIFIER: 401 BUILD_VERSION_STRING: 7601.17514.x86fre.win7sp1_rtm.101119-1850 SYSTEM_MANUFACTURER: VMware, Inc. 
VIRTUAL_MACHINE: VMware SYSTEM_PRODUCT_NAME: VMware Virtual Platform SYSTEM_VERSION: None BIOS_VENDOR: Phoenix Technologies LTD BIOS_VERSION: 6.00 BIOS_DATE: 05/19/2017 BASEBOARD_MANUFACTURER: Intel Corporation BASEBOARD_PRODUCT: 440BX Desktop Reference Platform BASEBOARD_VERSION: None DUMP_TYPE: 1 BUGCHECK_P1: 99 BUGCHECK_P2: ffffffff98acd700 BUGCHECK_P3: 0 BUGCHECK_P4: 0 FAULTING_IP: UcOperDrv!OperUnicodeStr+2ab [d:\mallocfree_2017\windows\1firstl-hello\dbgdemo\bsod\main.c @ 70] 98acd6db 8be5 mov esp,ebp BUGCHECK_STR: 0xc2_99 CPU_COUNT: 1 CPU_MHZ: 9c5 CPU_VENDOR: GenuineIntel CPU_FAMILY: 6 CPU_MODEL: 3c CPU_STEPPING: 3 CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 25'00000000 (cache) 25'00000000 (init) DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT PROCESS_NAME: System CURRENT_IRQL: 0 ANALYSIS_SESSION_HOST: DESKTOP-4BL1C4H ANALYSIS_SESSION_TIME: 05-23-2019 22:50:18.0491 ANALYSIS_VERSION: 10.0.17763.1 amd64fre LAST_CONTROL_TRANSFER: from 84173f03 to 83f1bf20 STACK_TEXT: 807f18c4 84173f03 000000c2 00000099 98acd700 nt!KeBugCheckEx+0x1e 807f18e4 83f2d389 98acd700 98acd6f8 000001ff nt!VerifierBugCheckIfAppropriate+0x30 807f18f8 83f5eff9 98acd700 00000660 00000000 nt!VerifierFreeTrackedPool+0x24 807f1968 98acd6db 98acd700 00000000 0000000e nt!ExFreePoolWithTag+0x53e 807f19d0 98acd41a 807f1bbc 840012e6 86034190 UcOperDrv!OperUnicodeStr+0x2ab [d:\mallocfree_2017\windows\1firstl-hello\dbgdemo\bsod\main.c @ 70] 807f19d8 840012e6 86034190 86036000 00000000 UcOperDrv!DriverEntry+0xa [d:\mallocfree_2017\windows\1firstl-hello\dbgdemo\bsod\main.c @ 11] 807f1bbc 84004d98 00000001 00000000 807f1be4 nt!IopLoadDriver+0x7ed 807f1c00 83ebaaab 94f99bd0 00000000 85cdf798 nt!IopLoadUnloadDriver+0x70 807f1c50 84046f5e 00000001 a76e1e35 00000000 nt!ExpWorkerThread+0x10d 807f1c90 83eee219 83eba99e 00000001 00000000 nt!PspSystemThreadStartup+0x9e 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19 THREAD_SHA1_HASH_MOD_FUNC: cb829f32645adac3007376ebdc069b62c0d10643 
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6973de209d28a1de8ac3d73dd48d1020a3075ae5 THREAD_SHA1_HASH_MOD: 589add185ebdeba4826121bc925fe3e22f690d15 FOLLOWUP_IP: UcOperDrv!OperUnicodeStr+2ab [d:\mallocfree_2017\windows\1firstl-hello\dbgdemo\bsod\main.c @ 70] 98acd6db 8be5 mov esp,ebp FAULT_INSTR_CODE: c35de58b FAULTING_SOURCE_LINE: d:\mallocfree_2017\windows\1firstl-hello\dbgdemo\bsod\main.c FAULTING_SOURCE_FILE: d:\mallocfree_2017\windows\1firstl-hello\dbgdemo\bsod\main.c FAULTING_SOURCE_LINE_NUMBER: 70 FAULTING_SOURCE_CODE: 66: DbgPrint("%wZ\n", &uStr4); 67: 68: ExFreePool(uStr4.Buffer); 69: > 70: } SYMBOL_STACK_INDEX: 4 SYMBOL_NAME: UcOperDrv!OperUnicodeStr+2ab FOLLOWUP_NAME: MachineOwner MODULE_NAME: UcOperDrv IMAGE_NAME: UcOperDrv.sys DEBUG_FLR_IMAGE_TIMESTAMP: 59abccdc STACK_COMMAND: .thread ; .cxr ; kb FAILURE_BUCKET_ID: 0xc2_99_UcOperDrv!OperUnicodeStr+2ab BUCKET_ID: 0xc2_99_UcOperDrv!OperUnicodeStr+2ab PRIMARY_PROBLEM_CLASS: 0xc2_99_UcOperDrv!OperUnicodeStr+2ab TARGET_TIME: 2019-05-23T13:35:36.000Z OSBUILD: 7601 OSSERVICEPACK: 1000 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 SUITE_MASK: 272 PRODUCT_TYPE: 1 OSPLATFORM_TYPE: x86 OSNAME: Windows 7 OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS OS_LOCALE: USER_LCID: 0 OSBUILD_TIMESTAMP: 2010-11-20 16:42:49 BUILDDATESTAMP_STR: 101119-1850 BUILDLAB_STR: win7sp1_rtm BUILDOSVER_STR: 6.1.7601.17514.x86fre.win7sp1_rtm.101119-1850 ANALYSIS_SESSION_ELAPSED_TIME: c68 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0xc2_99_ucoperdrv!operunicodestr+2ab FAILURE_ID_HASH: {6ef3c91d-9314-e8dd-6cc0-f9889f201760} Followup: MachineOwner ---------然后通过报告去看引起错误的地方,这里可以通过.open -a UcOperDrv!OperUnicodeStr+0x2ab查看
#include <ntddk.h>

/* Demo driver for the BAD_POOL_CALLER (0xC2, Arg1 0x99) analysis above.
 * OperUnicodeStr() ends by freeing an address that never came from the
 * pool allocator; the bugcheck in the dump is raised from that ExFreePool()
 * call (FAULTING_SOURCE_CODE lines 68-70). */
VOID OperUnicodeStr(VOID);

/*
 * Driver entry point.
 *
 * Runs the string demo once and reports success. Both parameters are
 * unused. The dump's stack shows this frame (UcOperDrv!DriverEntry+0xa)
 * directly below nt!IopLoadDriver, i.e. the crash happens while the driver
 * is being loaded.
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING pRegPath)
{
    OperUnicodeStr();
    return STATUS_SUCCESS;
}

/*
 * Exercises the Rtl*String routines and then triggers the bugcheck.
 *
 * Defects a reviewer should notice (the last one is the intended crash):
 *  - "%wZ" / "%Z" take a POINTER to the string descriptor; several DbgPrint
 *    calls below pass the UNICODE_STRING / ANSI_STRING by value. Only the
 *    final DbgPrint("%wZ\n", &uStr4) passes it correctly.
 *  - wcslen() counts WCHARs, not bytes, so the uStr4 allocation size is
 *    wrong (it should be (wcslen(s) + 1) * sizeof(WCHAR)).
 *  - RtlInitUnicodeString(&uStr4, ...) repoints uStr4.Buffer at the string
 *    literal inside the driver image; the pool block tagged 'POCU' is
 *    leaked and ExFreePool() is handed a non-pool address -- exactly the
 *    BAD_POOL_CALLER (0xC2, Arg1 0x99) reported in the dump.
 */
VOID OperUnicodeStr(VOID)
{
    UNICODE_STRING uStr1 = {0};
    UNICODE_STRING uStr2 = {0};
    UNICODE_STRING uStr3 = {0};
    UNICODE_STRING uStr4 = {0};
    ANSI_STRING aStr1 = {0};

    /* RtlInitUnicodeString does not copy: Buffer points at the literal. */
    RtlInitUnicodeString(&uStr1, L"hello");
    RtlInitUnicodeString(&uStr2, L"Goodbye");
    /* BUG: %wZ expects a PUNICODE_STRING; uStr1/uStr2 are passed by value. */
    DbgPrint("uStr1=%wZ\n", uStr1);
    DbgPrint("uStr2=%wZ\n", uStr2);

    RtlInitAnsiString(&aStr1, "Ansi string");
    /* BUG: %Z expects a PANSI_STRING; aStr1 is passed by value. */
    DbgPrint("aStr1=%Z\n", aStr1);

    /* uStr3 is zero-initialised (MaximumLength 0), so presumably nothing is
       copied and uStr3 stays empty -- verify against the DbgPrint output. */
    RtlCopyUnicodeString(&uStr3, &uStr1);
    DbgPrint("uStr3=%wZ\n", uStr3);

    /* uStr1 describes a read-only literal with no spare room and the append
       status is ignored. NOTE(review): expected to fail with
       STATUS_BUFFER_TOO_SMALL rather than write -- confirm. */
    RtlAppendUnicodeToString(&uStr1, L"world");
    DbgPrint("uStr1=%wZ\n", uStr1);
    RtlAppendUnicodeStringToString(&uStr1, &uStr2);
    DbgPrint("uStr1=%wZ\n", uStr1);

    /* Third argument is CaseInSensitive: TRUE means the comparison IGNORES
       case. */
    if (RtlCompareUnicodeString(&uStr1, &uStr2, TRUE) == 0)
    {
        DbgPrint("%wZ == %wZ\n", uStr1, uStr2);
    }
    else
    {
        DbgPrint("%wZ != %wZ\n", uStr1, uStr2);
    }

    /* TRUE: the routine allocates uStr3.Buffer, which must be released with
       RtlFreeUnicodeString (done below). The return status is not checked. */
    RtlAnsiStringToUnicodeString(&uStr3, &aStr1, TRUE);
    DbgPrint("%wZ\n", uStr3);
    RtlFreeUnicodeString(&uStr3);

    /* BUG: wcslen() returns a WCHAR count (14), so 14 + sizeof(WCHAR) is
       16 bytes, while the NUL-terminated string needs 30. The same wrong
       size is reused for RtlZeroMemory and MaximumLength below. */
    uStr4.Buffer = ExAllocatePoolWithTag(PagedPool, wcslen(L"Nice to meet u")+sizeof(WCHAR), 'POCU');
    if (uStr4.Buffer == NULL)
    {
        return;
    }
    RtlZeroMemory(uStr4.Buffer, wcslen(L"Nice to meet u")+sizeof(WCHAR));
    uStr4.Length = 0;
    uStr4.MaximumLength = wcslen(L"Nice to meet u")+sizeof(WCHAR);
    /* BUG (the one under analysis): this overwrites uStr4.Buffer with the
       address of the literal. The pool block just allocated is leaked. */
    RtlInitUnicodeString(&uStr4, L"Nice to meet u");
    DbgPrint("%wZ\n", &uStr4);
    /* Frees an address that never came from the pool allocator. Driver
       Verifier was active here (nt!VerifierFreeTrackedPool is on the dump's
       stack), so it is caught immediately as BAD_POOL_CALLER 0xC2/0x99;
       without Verifier such a free may go undetected and corrupt pool state
       instead. */
    ExFreePool(uStr4.Buffer);
}
就可以分析,一般造成蓝屏原因比如
关闭了无效handle
在没有ObReferenceObject(pFileObject)下ObDereferenceObject(pFileObject)
引用NULL指针
内存访问越界 BAD_POOL_HEADER
在高IRQL下访问了可换页(缺页)内存 DRIVER_IRQL_NOT_LESS_OR_EQUAL
另外可以参考微软文档
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2
