Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

Windows内核调试

刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

女乃米分 2009-02-20, 12:56 下午

1.我把断点设置在SysEnter上,打算跟进SysEnter看看里面的情况,没想到怎么都进不去,会的哥儿请指点一下.


2.在Xp上怎么也找不到w32pServiceTable,着是怎么回事? dd w32pServiceTable 出了一堆问号.

 

环境:Windbg附加虚拟机Vpc2007(内核调试模式)

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

王宇 2009-02-20, 14:07 下午

1:

kd> rdmsr 176
msr[176] = 00000000`80541510

kd> ln 00000000`80541510
(80541510)   nt!KiFastCallEntry   |  (8054161e)   nt!KiServiceExit
Exact matches:
    nt!KiFastCallEntry = <no type information>

kd> u nt!KiFastCallEntry
nt!KiFastCallEntry:
80541510 b923000000      mov     ecx,23h
80541515 6a30            push    30h
80541517 0fa1            pop     fs
80541519 8ed9            mov     ds,cx
8054151b 8ec1            mov     es,cx
8054151d 648b0d40000000  mov     ecx,dword ptr fs:[40h]
80541524 8b6104          mov     esp,dword ptr [ecx+4]
80541527 6a23            push    23h

2:

和 nt!KiServiceTable 不同,win32k!W32pServiceTable 初始化很晚的。
比如你在 Boot0 的驱动下断点会看到:

kd> dd KeServiceDescriptorTableShadow
8055c6a0  80504734 00000000 0000011c 80504ba8
8055c6b0  00000000 00000000 00000000 00000000
8055c6c0  00000000 00000000 00000000 00000000
8055c6d0  00000000 00000000 00000000 00000000
8055c6e0  80504734 00000000 0000011c 80504ba8
8055c6f0  00000000 00000000 00000000 00000000
8055c700  00000000 00000000 00000000 00000000
8055c710  00000000 00000000 00000000 00000000

初始化 OK 了就是:

kd> dd KeServiceDescriptorTableShadow
8055c6a0  80504734 00000000 0000011c 80504ba8
8055c6b0  bf997600 00000000 0000029b bf998310
8055c6c0  00000000 00000000 00000000 00000000
8055c6d0  00000000 00000000 00000000 00000000
8055c6e0  80504734 00000000 0000011c 80504ba8
8055c6f0  00000000 00000000 00000000 00000000
8055c700  00000000 00000000 00000000 00000000
8055c710  00000000 00000000 00000000 00000000

kd> ln bf997600
(bf997600)   win32k!W32pServiceTable   |  (bf99830c)   win32k!W32pServiceLimit
Exact matches:
    win32k!W32pServiceTable = <no type information>

kd> dd w32pServiceTable
bf997600  bf934ffe bf946a92 bf8bf295 bf93e718
bf997610  bf9480a9 bf935262 bf935307 bf839cb5
bf997620  bf9479d0 bf933a9d bf947fc8 bf90e7e0
bf997630  bf88e5fe bf80ba4f bf947e9a bf949694
bf997640  bf88d61c bf8a2669 bf947f78 bf9497c7
bf997650  bf81c2fc bf858a31 bf8daf38 bf8e6821
bf997660  bf90fa14 bf80e2f2 bf8fad2a bf94948e
bf997670  bf94a38b bf8102e8 bf80c235 bf8c5a6d

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

女乃米分 2009-02-20, 14:32 下午
 WANGyu wrote:

1:

kd> rdmsr 176
msr[176] = 00000000`80541510

kd> ln 00000000`80541510
(80541510)   nt!KiFastCallEntry   |  (8054161e)   nt!KiServiceExit
Exact matches:
    nt!KiFastCallEntry =

kd> u nt!KiFastCallEntry
nt!KiFastCallEntry:
80541510 b923000000      mov     ecx,23h
80541515 6a30            push    30h
80541517 0fa1            pop     fs
80541519 8ed9            mov     ds,cx
8054151b 8ec1            mov     es,cx
8054151d 648b0d40000000  mov     ecx,dword ptr fs:[40h]
80541524 8b6104          mov     esp,dword ptr [ecx+4]
80541527 6a23            push    23h

2:

和 nt!KiServiceTable 不同,win32k!W32pServiceTable 初始化很晚的。
比如你在 Boot0 的驱动下断点会看到:

kd> dd KeServiceDescriptorTableShadow
8055c6a0  80504734 00000000 0000011c 80504ba8
8055c6b0  00000000 00000000 00000000 00000000
8055c6c0  00000000 00000000 00000000 00000000
8055c6d0  00000000 00000000 00000000 00000000
8055c6e0  80504734 00000000 0000011c 80504ba8
8055c6f0  00000000 00000000 00000000 00000000
8055c700  00000000 00000000 00000000 00000000
8055c710  00000000 00000000 00000000 00000000

初始化 OK 了就是:

kd> dd KeServiceDescriptorTableShadow
8055c6a0  80504734 00000000 0000011c 80504ba8
8055c6b0  bf997600 00000000 0000029b bf998310
8055c6c0  00000000 00000000 00000000 00000000
8055c6d0  00000000 00000000 00000000 00000000
8055c6e0  80504734 00000000 0000011c 80504ba8
8055c6f0  00000000 00000000 00000000 00000000
8055c700  00000000 00000000 00000000 00000000
8055c710  00000000 00000000 00000000 00000000

kd> ln bf997600
(bf997600)   win32k!W32pServiceTable   |  (bf99830c)   win32k!W32pServiceLimit
Exact matches:
    win32k!W32pServiceTable =

kd> dd w32pServiceTable
bf997600  bf934ffe bf946a92 bf8bf295 bf93e718
bf997610  bf9480a9 bf935262 bf935307 bf839cb5
bf997620  bf9479d0 bf933a9d bf947fc8 bf90e7e0
bf997630  bf88e5fe bf80ba4f bf947e9a bf949694
bf997640  bf88d61c bf8a2669 bf947f78 bf9497c7
bf997650  bf81c2fc bf858a31 bf8daf38 bf8e6821
bf997660  bf90fa14 bf80e2f2 bf8fad2a bf94948e
bf997670  bf94a38b bf8102e8 bf80c235 bf8c5a6d

 

谢谢王老师答复

1.步入SysEnter难道没办法直接切入ring0,我就是想看看那一瞬间的变换.

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

女乃米分 2009-02-20, 14:59 下午
貌似已经初始化完成了,为什么还是不行呢?
kd> dd KeServiceDescriptorTableShadow
8055ab40 804e3d20 00000000 0000011c 804d9f48
8055ab50 bf997600 00000000 0000029b bf998310
8055ab60 00000000 00000000 00000000 00000000
8055ab70 00000000 00000000 00000000 00000000
8055ab80 804e3d20 00000000 0000011c 804d9f48
8055ab90 00000000 00000000 00000000 00000000
8055aba0 00000000 00000000 00000000 00000000
8055abb0 00000000 00000000 00000000 00000000
kd> dd bf997600
bf997600 ???????? ???????? ???????? ????????
bf997610 ???????? ???????? ???????? ????????
bf997620 ???????? ???????? ???????? ????????
bf997630 ???????? ???????? ???????? ????????
bf997640 ???????? ???????? ???????? ????????
bf997650 ???????? ???????? ???????? ????????
bf997660 ???????? ???????? ???????? ????????
bf997670 ???????? ???????? ???????? ????????

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

王宇 2009-02-20, 16:12 下午
-___- 别叫我老师...

补充一下:SysEnter 就是一条指令(它和 MOV 等指令没有本质区别,跟踪它的实现估计只有 Intel 有工具),它会去调用 MSR 176 寄存器里面的 Handler 执行,即内核入口nt!KiFastCallEntry。

我知道你为什么会出现这种情况了:

kd> dd w32pServiceTable
bf997600 ???????? ???????? ???????? ????????
bf997610 ???????? ???????? ???????? ????????
bf997620 ???????? ???????? ???????? ????????
bf997630 ???????? ???????? ???????? ????????
bf997640 ???????? ???????? ???????? ????????
bf997650 ???????? ???????? ???????? ????????
bf997660 ???????? ???????? ???????? ????????
bf997670 ???????? ???????? ???????? ????????

尝试 .process /i (explorer.exe 's _EPROCESS)

然后:
You need to continue execution (press 'g' ) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

就可以了。

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

女乃米分 2009-02-20, 16:53 下午
恩,好象我有点钻牛角尖.

的确只能在指定的进程上下文才能查看w32pServiceTable,具体原因我还不能领悟.

这么说系统上下文不能访问w32pServiceTable?这种理解对不?

又或者说w32pServiceTable每个进程都有一份拷贝?

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

王宇 2009-02-20, 18:22 下午
奶粉..

那是因为 w32k.sys 是 GDI 相关的,而 System 进程没有自己的用户态空间。类似的还有 Idel 进程。不信你切换过去试试~

今天我郁闷啊我... NND

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

女乃米分 2009-02-20, 18:52 下午
呵呵,似乎明白了,谢谢王宇,人好少哦,只有你进来看...

你为什么郁闷啊?

还有刚才试着断了下Bp nt!KiFastCallEntry,系统就挂了
kd> Bp nt!KiFastCallEntry
kd> g
Breakpoint 0 hit
nt!KiFastCallEntry:
804dff6f b923000000 mov ecx,23h
kd> g

*** Fatal System Error: 0x00000050
(0xF896D004,0x00000000,0x804E09A6,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Fri Feb 20 18:50:55.796 2009 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................
Loading User Symbols
................................................................
................................................................
...
Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {f896d004, 0, 804e09a6, 0}

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

王宇 2009-02-20, 21:05 下午
PAGE_FAULT_IN_NONPAGED_AREA

信息不够多

1. 看看 f896d004 是什么模块?
2. 看看 804e09a6 能访问吗?
3. IRQL 是多少?

或者发 dump 文件

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

女乃米分 2009-02-20, 21:19 下午

找了半天,没发现上传的地方,传不了Dump文件

kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: f896d004, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 804e09a6, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this command to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this command to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* READ_ADDRESS: f896d004 FAULTING_IP: nt!Kei386EoiHelper+ab 804e09a6 cf iretd MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: CODE_CORRUPTION BUGCHECK_STR: 0x50 PROCESS_NAME: LSASS.EXE TRAP_FRAME: f896cf80 -- (.trap 0xfffffffff896cf80) Unable to read trap frame at f896cf80 LAST_CONTROL_TRANSFER: from 805338e7 to 804e4b25 STACK_TEXT: f896cad0 805338e7 00000003 f896d004 00000000 nt!RtlpBreakWithStatusInstruction f896cb1c 805343be 00000003 806ee03c c03e25b4 nt!KiBugCheckDebugBreak+0x19 f896cefc 805349ae 00000050 f896d004 00000000 nt!KeBugCheck2+0x574 f896cf1c 805256fb 00000050 f896d004 00000000 nt!KeBugCheckEx+0x1b f896cf68 804e2ff1 00000000 f896d004 00000000 nt!MmAccessFault+0x6f5 f896cf68 804e09a6 00000000 f896d004 00000000 nt!KiTrap0E+0xcc 00eefb94 00000000 00000548 00eefbb8 00000000 nt!Kei386EoiHelper+0xab WARNING: Frame IP not in any known module. Following frames may be wrong. 73ed13ac 8b55ff8b 0cec83ec be575653 73f01280 0x0 73ed13b0 0cec83ec be575653 73f01280 4c15ff56 0x8b55ff8b 73ed13b4 be575653 73f01280 4c15ff56 ff73ed12 0xcec83ec 73ed13b8 73f01280 4c15ff56 ff73ed12 ed121815 0xbe575653 73ed13bc 4c15ff56 ff73ed12 ed121815 9c0d8b73 oakley!TimerLock 73f01280 ffffffff 00000000 00000000 00000000 0x4c15ff56 73f01284 00000000 00000000 00000000 00000000 0xffffffff STACK_COMMAND: kb CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt 804da10c - nt!KiXMMIZeroPage+73 [ fb:90 ] 804da112-804da115 4 bytes - nt!KiXMMIZeroPage+79 (+0x06) [ 57 ff ff ff:cd d0 a1 01 ] 804da545-804da54a 6 bytes - nt!ExAcquireResourceSharedLite+10 (+0x433) [ fa 8b 75 08 33 db:e9 03 cd a1 01 cc ] 804da564 - nt!ExAcquireResourceSharedLite+98 (+0x1f) [ fb:90 ] 804da569-804da570 8 bytes - nt!ExAcquireResourceSharedLite+b8 (+0x05) [ c2 08 00 90 90 90 90 90:e9 79 2b 9f 01 c2 08 00 ] 804dcb82 - nt!ExReleaseResourceLite+ba (+0x2619) [ 99:3f ] 804dcb94 - nt!ExReleaseResourceLite+c8 (+0x12) [ 87:2d ] 804dcba0 - nt!ExReleaseResourceLite+d0 (+0x0c) [ 7e:24 ] 804dcbc5-804dcbcd 9 bytes - nt!ExReleaseResourceLite+f5 (+0x25) [ 90 90 90 90 90 90 90 90:e9 d4 04 9f 01 5f 5e 5b ] 804dcbd5-804dcbda 6 bytes - nt!ExReleaseResourceLite+5 (+0x10) [ 64 a1 24 01 00 00:e9 54 a6 a1 01 cc ] 804dcbe8 - nt!ExReleaseResourceLite+18 (+0x13) [ 36:dc ] 804dcbf9 - nt!ExReleaseResourceLite+29 (+0x11) [ 25:cb ] 804dcc16-804dcc1a 5 bytes - nt!ExReleaseResourceLite+75 (+0x1d) [ 66 81 e2 7f ff:e9 01 a6 a1 01 ] 804dfff2-804dfff8 7 bytes - nt!KiFastCallEntry+7f (+0x33dc) [ c7 45 08 00 0d db ba:e9 f6 71 a1 01 cc cc ] 804e007c-804e0080 5 bytes - nt!KiServiceExit (+0x8a) [ fa f7 45 70 00:e9 7c d0 9e 01 ] 804e016b-804e016d 3 bytes - nt!KiSystemCallExitBranch+2 (+0xef) [ 5a 59 9d:c8 02 04 ] 804e08fb-804e08ff 5 bytes - nt!KiExceptionExit (+0x790) [ fa f7 45 70 00:e9 30 c8 9e 01 ] 804e2fc9-804e2fce 6 bytes - nt!KiTrap0E+a4 (+0x26ce) [ fb f7 45 70 00 02:90 e9 7e a1 9e 01 ] 804e44b4-804e44b8 5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x14eb) [ fa 8b 01 89 02:e9 e3 2c a1 01 ] 804e44d1-804e44d6 6 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d) [ fa 8b 41 04 89 0a:e9 e9 2c a1 01 cc ] 804e44f2-804e44f6 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21) [ fa 8b 01 3b c1:e9 7d 2c a1 01 ] 804e4874-804e4878 5 bytes - nt!KeUpdateSystemTime+137 (+0x382) [ fa ff 15 dc 85:e9 7c 89 9e 01 ] 804e4b4c-804e4b50 5 bytes - nt!ExAcquireResourceExclusiveLite+7 (+0x2d8) [ 64 a1 24 01 00:e9 19 85 9e 01 ] 804e4b6d-804e4b71 5 bytes - nt!ExAcquireResourceExclusiveLite+47 (+0x21) [ 89 46 1c 66 89:e9 42 85 9e 01 ] 804ea175-804ea17a 6 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x5608) [ fa 8b 75 08 33 db:e9 c4 d0 a0 01 cc ] 804ea194 - nt!ExAcquireSharedWaitForExclusive+ae (+0x1f) [ fb:90 ] 804ea199-804ea1a0 8 bytes - nt!ExAcquireSharedWaitForExclusive+ef (+0x05) [ c2 08 00 90 90 90 90 90:0f c7 c8 02 03 c2 08 00 ] 804ee809-804ee80f 7 bytes - nt!CcGetActiveVacb+5 (+0x4670) [ fa 8b 45 08 8b 48 48:e9 4e 8a a0 01 cc cc ] 804f01dc-804f01e3 8 bytes - nt!CcSetActiveVacb+7 (+0x19d3) [ fa 8b 45 08 83 78 48 00:e9 d0 70 a0 01 cc cc cc ] 804f01ff-804f020c 14 bytes - nt!CcSetActiveVacb+a3 (+0x23) [ 8b 0a 89 48 48 89 58 50:e9 9d 70 a0 01 e9 8c 70 ] 146 errors : !nt (804da10c-804f020c) MODULE_NAME: memory_corruption IMAGE_NAME: memory_corruption FOLLOWUP_NAME: memory_corruption DEBUG_FLR_IMAGE_TIMESTAMP: 0 MEMORY_CORRUPTOR: LARGE FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE BUCKET_ID: MEMORY_CORRUPTION_LARGE Followup: memory_corruption --------- kd> g Shutdown occurred at (Fri Feb 20 21:17:05.218 2009 (GMT+8))...unloading all symbol tables. Waiting to reconnect...

Re: 刚注册,问两个问题,希望能给小弟一点信心,走过路过不答也来看看.

女乃米分 2009-02-21, 16:34 下午
郁闷,我换Vmare调试好象又没问题了,为什么用Vpc会错呢?

Powered by Community Server Powered by CnForums.Net