[转载]xx驱动蓝屏分析笔记
单机分析,可怜的我还得蓝屏一次获取dump文件,把dump文件载入WinDBG中。
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*G:/temp/*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 UP Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_gdr.070301-2306
Kernel base = 0x804e0000 PsLoadedModuleList = 0x8056ac08
Debug session time: Tue Feb 26 01:09:09.000 2008 (GMT+8)
System Uptime: 0 days 0:36:21.588
Loading Kernel Symbols
……………………………………………………………………………………………….
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c). Type “.hh dbgerr001″ for details
Loading unloaded module list
……….
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {805107f4, ff, 1, f7e50dd4}
*** ERROR: Module load completed but symbols could not be loaded for SnipeSword.sys
PEB is paged out (Peb.Ldr = 7ffdf00c). Type “.hh dbgerr001″ for details
PEB is paged out (Peb.Ldr = 7ffdf00c). Type “.hh dbgerr001″ for details
Probably caused by : SnipeSword.sys ( SnipeSword+4dd4 )
Followup: MachineOwner
———
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) //指明是BugCheck D1
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace. //驱动程序读取过高的IRQL造成的,可以使用内核调试器在堆栈中查找
Arguments:
Arg1: 805107f4, memory referenced // 参数1 参考地址
Arg2: 000000ff, IRQL // 参数2 中断请求 代号
Arg3: 00000001, value 0 = read operation, 1 = write operation // 参数3 操作类型
Arg4: f7e50dd4, address which referenced memory // 参数4 错误地址参考
Debugging Details:
——————
PEB is paged out (Peb.Ldr = 7ffdf00c). Type “.hh dbgerr001″ for details // 页面溢出
PEB is paged out (Peb.Ldr = 7ffdf00c). Type “.hh dbgerr001″ for details
WRITE_ADDRESS: 805107f4 // 参数1 [写入地址]
CURRENT_IRQL: 0 //当前IRQL
FAULTING_IP: //错误指令
SnipeSword+4dd4
f7e50dd4 893e mov dword ptr [esi],edi
DEFAULT_BUCKET_ID: DRIVER_FAULT // 错误类型:驱动错误
BUGCHECK_STR: 0xD1 // BUGCHECK索引
PROCESS_NAME: dumped_.exe // 错误所属进程
TRAP_FRAME: f8675b80 — (.trap 0xfffffffff8675b80) // 错误时各寄存器的状态
ErrCode = 00000003
eax=8050b1f2 ebx=00226000 ecx=00000200 edx=51fa0000 esi=805107f4 edi=f7e50cb6
eip=f7e50dd4 esp=f8675bf4 ebp=f8675c18 iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010046
SnipeSword+0x4dd4:
f7e50dd4 893e mov dword ptr [esi],edi ds:0023:805107f4={nt!NtOpenProcess (805cfdfb)}
Resetting default scope
LAST_CONTROL_TRANSFER: from 8050fa46 to 805418b0
STACK_TEXT:
/*
错误前堆栈中函数调用情况,最下面的SharedUserData!SystemCallStub+0×4处函数调用nt(Ntoskrnl)中的 KiSystemService,接着调用了nt中的NtDeviceIoControlFile,再接着调用了nt中的 NtDeviceIoControlFile,一直到 SnipeSword+0x4dd4 ,发生异常。
*/
f8675b64 8050fa46 0000000a 805107f4 000000ff nt!KeBugCheckEx+0×19
f8675b64 f7e50dd4 0000000a 805107f4 000000ff nt!KiTrap0E+0x21f
WARNING: Stack unwind information not available. Following frames may be wrong.
f8675c18 f7e51713 f8675cf0 f7e4c2a0 ff73ac48 SnipeSword+0x4dd4
f8675c3c 80505e25 ff4edb88 ff73ac48 ff9b7230 SnipeSword+0×5713
f8675c4c 805d884a ff73acb8 ff9b7230 ff73ac48 nt!IofCallDriver+0x3f
f8675c60 805ea953 ff4edb88 ff73ac48 ff9b7230 nt!IopSynchronousServiceTail+0x6c
f8675d00 805eaa4f 00000754 00000000 00000000 nt!IopXxxControlFile+0×607
f8675d34 8050caac 00000754 00000000 00000000 nt!NtDeviceIoControlFile+0×28
f8675d34 7ffe0304 00000754 00000000 00000000 nt!KiSystemService+0xcb
0012f974 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0×4
STACK_COMMAND: kb
FOLLOWUP_IP:
SnipeSword+4dd4
f7e50dd4 893e mov dword ptr [esi],edi
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: SnipeSword+4dd4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SnipeSword
IMAGE_NAME: SnipeSword.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45cd2b24
FAILURE_BUCKET_ID: 0xD1_W_SnipeSword+4dd4
BUCKET_ID: 0xD1_W_SnipeSword+4dd4
Followup: MachineOwner
小结:
从上面的信息可以知道蓝屏的原因是Bugcheck D1引起的,是由于驱动程序SnipeSword.sys读操作了过高的IRQL引起的。
没有源码,IDA之。
二、 逆向分析
出错函数:
.text:00014D5F sub_14D5F proc near ; CODE XREF: sub_15579+195 p
.text:00014D5F
.text:00014D5F BaseAddress = dword ptr -4
.text:00014D5F
.text:00014D5F push ebp
.text:00014D60 mov ebp, esp
.text:00014D62 add esp, 0FFFFFFFCh
.text:00014D65 pusha
.text:00014D66 mov eax, offset KeServiceDescriptorTable
.text:00014D6B mov eax, [eax]
.text:00014D6D mov esi, [eax]
.text:00014D6F mov dword_1AF28, 1
.text:00014D79 push offset stru_1679C ; SystemRoutineName
.text:00014D7E call MmGetSystemRoutineAddress
.text:00014D83 cmp byte ptr [eax], 0B8h
.text:00014D86 jnz short loc_14D8D
.text:00014D88 mov ecx, [eax+1]
.text:00014D8B jmp short loc_14D8F
.text:00014D8D ; —————————————————————————
.text:00014D8D
.text:00014D8D loc_14D8D: ; CODE XREF: sub_14D5F+27 j
.text:00014D8D xor ecx, ecx
.text:00014D8F
.text:00014D8F loc_14D8F: ; CODE XREF: sub_14D5F+2C j
.text:00014D8F or ecx, ecx
.text:00014D91 jz short loc_14DF3
.text:00014D93 shl ecx, 2
.text:00014D96 add esi, ecx
.text:00014D98 mov dword_1AF24, esi
.text:00014D9E cmp MajorVersion, 5
.text:00014DA5 jnz short loc_14DC6
.text:00014DA7 cmp MinorVersion, 2
.text:00014DAE jnb short loc_14DC6
.text:00014DB0 push esi ; BaseAddress
.text:00014DB1 call MmGetPhysicalAddress
.text:00014DB6 push 0 ; CacheType
.text:00014DB8 push 4 ; NumberOfBytes
.text:00014DBA push edx
.text:00014DBB push eax ; PhysicalAddress
.text:00014DBC call MmMapIoSpace
.text:00014DC1 mov [ebp+BaseAddress], eax
.text:00014DC4 mov esi, eax
.text:00014DC6
.text:00014DC6 loc_14DC6: ; CODE XREF: sub_14D5F+46 j
.text:00014DC6 ; sub_14D5F+4F j
.text:00014DC6 mov edi, [esi]
.text:00014DC8 mov dword_1AEFC, edi
.text:00014DCE mov edi, offset sub_14CB6
.text:00014DD3 cli
.text:00014DD4 mov [esi], edi
.text:00014DD6 sti
.text:00014DD7 cmp MajorVersion, 5
.text:00014DDE jnz short loc_14DF3
.text:00014DE0 cmp MinorVersion, 2
.text:00014DE7 jnb short loc_14DF3
.text:00014DE9 push 4 ; NumberOfBytes
.text:00014DEB push [ebp+BaseAddress] ; BaseAddress
.text:00014DEE call MmUnmapIoSpace
.text:00014DF3
.text:00014DF3 loc_14DF3: ; CODE XREF: sub_14D5F+32 j
.text:00014DF3 ; sub_14D5F+7F j …
.text:00014DF3 popa
.text:00014DF4 mov eax, 0
.text:00014DF9 leave
.text:00014DFA retn
.text:00014DFA sub_14D5F endp
.text:00014DFA
/*
菜菜的反了下上面的代码
*/
SnipeSword_dirverFunction_xx PROC
pushad
mov eax, addr KeServiceDescriptorTable
mov esi, [eax]
mov esi, [esi]
invoke MmGetSystemRoutineAddress, SystemRoutineName
.if al == 0B8h
xor ecx, ecx
.else
mov ecx, dword ptr[eax+1]
.endif
.if ecx == NULL
jmp over
.else
shl ecx, 2
add esi, ecx
mov Addr_1, esi
.if (MajorVersion == 5) || (MajorVersion < 2)
invoke MmGetPhysicalAddress, esi
invoke MmMapIoSpace, PhysicalAddress, 4, 0
mov esi, eax
.else
mov edi, [esi]
mov Addr_2, edi
cli
mov dword ptr[esi],edi
.if (MajorVersion == 5) || (MajorVersion < 2)
invoke MmMapIoSpace, PhysicalAddress, 4, 0
.endif
.endif
over:
popad
xor eax, eax
ret
SnipeSword_dirverFunction_xx endp
三、 总结
不懂驱动,所以只能简单的调试下而已。查看了下相关的资料:(调用KeRaiseIrql的必要条件:新IRQL必须大于或等于当前IRQL。如果这个关系不成立,KeRaiseIrql将导致bug check。)