Windows Kernel Debugging
Thread starter: 女乃米分   Started: 2009-02-20 12:56 PM   Replies: 10

2009-02-20, 12:56 PM

女乃米分
Registered: 2009-02-20
Posts: 9

Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

1. I set a breakpoint on SysEnter, intending to step into SysEnter and see what happens inside it, but I just can't get in no matter what. Would someone who knows please give me a pointer?
2. On XP I can't find w32pServiceTable at all. What is going on? dd w32pServiceTable gives me a pile of question marks.
Environment: WinDbg attached to a Virtual PC 2007 VM (kernel debugging mode)
2009-02-20, 14:32 PM

女乃米分
Registered: 2009-02-20
Posts: 9

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

WANGyu wrote:
1:
kd> rdmsr 176
msr[176] = 00000000`80541510
kd> ln 00000000`80541510
(80541510)   nt!KiFastCallEntry   |  (8054161e)   nt!KiServiceExit
Exact matches:
    nt!KiFastCallEntry =
kd> u nt!KiFastCallEntry
nt!KiFastCallEntry:
80541510 b923000000      mov     ecx,23h
80541515 6a30            push    30h
80541517 0fa1            pop     fs
80541519 8ed9            mov     ds,cx
8054151b 8ec1            mov     es,cx
8054151d 648b0d40000000  mov     ecx,dword ptr fs:[40h]
80541524 8b6104          mov     esp,dword ptr [ecx+4]
80541527 6a23            push    23h
2:
Unlike nt!KiServiceTable, win32k!W32pServiceTable is initialized very late. For example, if you break in a Boot0 driver you will see:
kd> dd KeServiceDescriptorTableShadow
8055c6a0 80504734 00000000 0000011c 80504ba8
8055c6b0 00000000 00000000 00000000 00000000
8055c6c0 00000000 00000000 00000000 00000000
8055c6d0 00000000 00000000 00000000 00000000
8055c6e0 80504734 00000000 0000011c 80504ba8
8055c6f0 00000000 00000000 00000000 00000000
8055c700 00000000 00000000 00000000 00000000
8055c710 00000000 00000000 00000000 00000000
Once initialization has completed it looks like this:
kd> dd KeServiceDescriptorTableShadow
8055c6a0 80504734 00000000 0000011c 80504ba8
8055c6b0 bf997600 00000000 0000029b bf998310
8055c6c0 00000000 00000000 00000000 00000000
8055c6d0 00000000 00000000 00000000 00000000
8055c6e0 80504734 00000000 0000011c 80504ba8
8055c6f0 00000000 00000000 00000000 00000000
8055c700 00000000 00000000 00000000 00000000
8055c710 00000000 00000000 00000000 00000000
kd> ln bf997600
(bf997600)   win32k!W32pServiceTable   |  (bf99830c)   win32k!W32pServiceLimit
Exact matches:
    win32k!W32pServiceTable =
kd> dd w32pServiceTable
bf997600 bf934ffe bf946a92 bf8bf295 bf93e718
bf997610 bf9480a9 bf935262 bf935307 bf839cb5
bf997620 bf9479d0 bf933a9d bf947fc8 bf90e7e0
bf997630 bf88e5fe bf80ba4f bf947e9a bf949694
bf997640 bf88d61c bf8a2669 bf947f78 bf9497c7
bf997650 bf81c2fc bf858a31 bf8daf38 bf8e6821
bf997660 bf90fa14 bf80e2f2 bf8fad2a bf94948e
bf997670 bf94a38b bf8102e8 bf80c235 bf8c5a6d

Thank you for the reply, Teacher Wang.
1. Stepping into SysEnter: is there really no way to drop straight into ring 0? I just want to watch the switch happen at that instant.
2009-02-20, 14:59 PM

女乃米分
Registered: 2009-02-20
Posts: 9

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

It looks like initialization has already completed, so why does it still not work?
kd> dd KeServiceDescriptorTableShadow
8055ab40 804e3d20 00000000 0000011c 804d9f48
8055ab50 bf997600 00000000 0000029b bf998310
8055ab60 00000000 00000000 00000000 00000000
8055ab70 00000000 00000000 00000000 00000000
8055ab80 804e3d20 00000000 0000011c 804d9f48
8055ab90 00000000 00000000 00000000 00000000
8055aba0 00000000 00000000 00000000 00000000
8055abb0 00000000 00000000 00000000 00000000
kd> dd bf997600
bf997600 ???????? ???????? ???????? ????????
bf997610 ???????? ???????? ???????? ????????
bf997620 ???????? ???????? ???????? ????????
bf997630 ???????? ???????? ???????? ????????
bf997640 ???????? ???????? ???????? ????????
bf997650 ???????? ???????? ???????? ????????
bf997660 ???????? ???????? ???????? ????????
bf997670 ???????? ???????? ???????? ????????
2009-02-20, 16:12 PM

王宇
Registered: 2007-05-08
Posts: 306

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

-___- Don't call me teacher...
To add to that: SysEnter is just an instruction (no different in nature from MOV and the like; probably only Intel has tools to trace its implementation). It transfers to the handler held in MSR 176, i.e. the kernel entry point nt!KiFastCallEntry.
I know why you are seeing this now:
kd> dd w32pServiceTable
bf997600 ???????? ???????? ???????? ????????
bf997610 ???????? ???????? ???????? ????????
bf997620 ???????? ???????? ???????? ????????
bf997630 ???????? ???????? ???????? ????????
bf997640 ???????? ???????? ???????? ????????
bf997650 ???????? ???????? ???????? ????????
bf997660 ???????? ???????? ???????? ????????
bf997670 ???????? ???????? ???????? ????????
Try .process /i (the _EPROCESS of explorer.exe)
and then: You need to continue execution (press 'g') for the context to be switched. When the debugger breaks in again, you will be in the new process context.
That will do it.
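An added example (not from this thread or its participants) in Python that parses the dd KeServiceDescriptorTableShadow rows quoted above, decodes the two x86 KSERVICE_TABLE_DESCRIPTOR entries (ServiceTableBase, ServiceCounterTableBase, NumberOfServices, ParamTableBase), and reports a win32k slot that is still zero or a table base lying outside the module that should own it, which is the check a defender runs when looking for SSDT hooks once the table is readable in a suitable process context. The module ranges are hypothetical values constructed for the sample; on a live target take them from lm.

```python
import re

# Constructed sample input: the kd> dd rows quoted in this thread, one row per line.
SAMPLE_DD = """\
8055ab40 804e3d20 00000000 0000011c 804d9f48
8055ab50 bf997600 00000000 0000029b bf998310
"""
# Same layout before win32k.sys has filled in its slot (from the earlier Boot0 dump).
SAMPLE_EARLY = """\
8055c6a0 80504734 00000000 0000011c 80504ba8
8055c6b0 00000000 00000000 00000000 00000000
"""
# Hypothetical image ranges for this sample; on a live target take them from 'lm'.
MODULE_RANGES = {"nt": (0x804D7000, 0x806E4000), "win32k": (0xBF800000, 0xBF9C5000)}

ROW = re.compile(r"^([0-9a-f]{8})((?:\s+(?:[0-9a-f]{8}|\?{8}))+)$", re.I)

def parse_dd(text):
    """Flatten kd 'dd' rows into a list of dwords; '????????' (unmapped) becomes None."""
    words = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            words += [None if w[0] == "?" else int(w, 16) for w in m.group(2).split()]
    return words

def parse_descriptors(words, count=2):
    """x86 KSERVICE_TABLE_DESCRIPTOR = {ServiceTableBase, ServiceCounterTableBase,
    NumberOfServices, ParamTableBase}; entry 0 is nt, entry 1 (shadow only) is win32k."""
    fields = ("base", "counter", "nservices", "params")
    return [dict(zip(fields, words[4 * i:4 * i + 4])) for i in range(count)]

def check_shadow(descs, ranges=MODULE_RANGES):
    """Findings: a slot whose base is still zero (win32k.sys not loaded yet), or a
    table base outside the module that should own it (what an SSDT hook looks like)."""
    findings = []
    for name, d in zip(("nt", "win32k"), descs):
        if not d["base"]:
            findings.append(f"{name}: table base is 0 (not initialized yet)")
            continue
        lo, hi = ranges[name]
        if not lo <= d["base"] < hi:
            findings.append(f"{name}: base {d['base']:08x} lies outside the {name} image")
        if not d["nservices"]:
            findings.append(f"{name}: NumberOfServices is 0")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_DD, SAMPLE_EARLY):
        descs = parse_descriptors(parse_dd(sample))
        print(descs, check_shadow(descs) or "no findings")
```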
2009-02-20, 16:53 PM

女乃米分
Registered: 2009-02-20
Posts: 9

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

Hmm, I seem to be splitting hairs a bit.
It's true that w32pServiceTable can only be viewed in a specific process context, but I don't yet grasp the exact reason.
So the System context can't access w32pServiceTable? Is that understanding right?
Or does every process have its own copy of w32pServiceTable?
2009-02-20, 18:22 PM

王宇
Registered: 2007-05-08
Posts: 306

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

奶粉..
That's because w32k.sys is GDI-related, and the System process has no user-mode address space of its own. The Idle process is the same. Don't believe me? Switch over to it and try~
I'm so frustrated today... NND
2009-02-20, 18:52 PM

女乃米分
Registered: 2009-02-20
Posts: 9

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

Heh, I think I get it now; thanks 王宇. So few people here, you're the only one who came in to look...
Why are you frustrated?
Also, I just tried setting Bp nt!KiFastCallEntry and the system hung:
kd> Bp nt!KiFastCallEntry
kd> g
Breakpoint 0 hit
nt!KiFastCallEntry:
804dff6f b923000000 mov ecx,23h
kd> g
*** Fatal System Error: 0x00000050
(0xF896D004,0x00000000,0x804E09A6,0x00000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Fri Feb 20 18:50:55.796 2009 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................
Loading User Symbols
................................................................
................................................................
...
Loading unloaded module list
..........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {f896d004, 0, 804e09a6, 0}
2009-02-20, 21:05 PM

王宇
Registered: 2007-05-08
Posts: 306

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

PAGE_FAULT_IN_NONPAGED_AREA
Not enough information.
1. What module is f896d004 in?
2. Is 804e09a6 accessible?
3. What is the IRQL?
Or send the dump file.
2009-02-20, 21:19 PM

女乃米分
Registered: 2009-02-20
Posts: 9

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

I looked for ages and couldn't find anywhere to upload, so I can't post the dump file.
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f896d004, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804e09a6, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

READ_ADDRESS:  f896d004

FAULTING_IP:
nt!Kei386EoiHelper+ab
804e09a6 cf              iretd

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

BUGCHECK_STR:  0x50

PROCESS_NAME:  LSASS.EXE

TRAP_FRAME:  f896cf80 -- (.trap 0xfffffffff896cf80)
Unable to read trap frame at f896cf80

LAST_CONTROL_TRANSFER:  from 805338e7 to 804e4b25

STACK_TEXT:
f896cad0 805338e7 00000003 f896d004 00000000 nt!RtlpBreakWithStatusInstruction
f896cb1c 805343be 00000003 806ee03c c03e25b4 nt!KiBugCheckDebugBreak+0x19
f896cefc 805349ae 00000050 f896d004 00000000 nt!KeBugCheck2+0x574
f896cf1c 805256fb 00000050 f896d004 00000000 nt!KeBugCheckEx+0x1b
f896cf68 804e2ff1 00000000 f896d004 00000000 nt!MmAccessFault+0x6f5
f896cf68 804e09a6 00000000 f896d004 00000000 nt!KiTrap0E+0xcc
00eefb94 00000000 00000548 00eefbb8 00000000 nt!Kei386EoiHelper+0xab
WARNING: Frame IP not in any known module. Following frames may be wrong.
73ed13ac 8b55ff8b 0cec83ec be575653 73f01280 0x0
73ed13b0 0cec83ec be575653 73f01280 4c15ff56 0x8b55ff8b
73ed13b4 be575653 73f01280 4c15ff56 ff73ed12 0xcec83ec
73ed13b8 73f01280 4c15ff56 ff73ed12 ed121815 0xbe575653
73ed13bc 4c15ff56 ff73ed12 ed121815 9c0d8b73 oakley!TimerLock
73f01280 ffffffff 00000000 00000000 00000000 0x4c15ff56
73f01284 00000000 00000000 00000000 00000000 0xffffffff

STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    804da10c - nt!KiXMMIZeroPage+73 [ fb:90 ]
    804da112-804da115 4 bytes - nt!KiXMMIZeroPage+79 (+0x06) [ 57 ff ff ff:cd d0 a1 01 ]
    804da545-804da54a 6 bytes - nt!ExAcquireResourceSharedLite+10 (+0x433) [ fa 8b 75 08 33 db:e9 03 cd a1 01 cc ]
    804da564 - nt!ExAcquireResourceSharedLite+98 (+0x1f) [ fb:90 ]
    804da569-804da570 8 bytes - nt!ExAcquireResourceSharedLite+b8 (+0x05) [ c2 08 00 90 90 90 90 90:e9 79 2b 9f 01 c2 08 00 ]
    804dcb82 - nt!ExReleaseResourceLite+ba (+0x2619) [ 99:3f ]
    804dcb94 - nt!ExReleaseResourceLite+c8 (+0x12) [ 87:2d ]
    804dcba0 - nt!ExReleaseResourceLite+d0 (+0x0c) [ 7e:24 ]
    804dcbc5-804dcbcd 9 bytes - nt!ExReleaseResourceLite+f5 (+0x25) [ 90 90 90 90 90 90 90 90:e9 d4 04 9f 01 5f 5e 5b ]
    804dcbd5-804dcbda 6 bytes - nt!ExReleaseResourceLite+5 (+0x10) [ 64 a1 24 01 00 00:e9 54 a6 a1 01 cc ]
    804dcbe8 - nt!ExReleaseResourceLite+18 (+0x13) [ 36:dc ]
    804dcbf9 - nt!ExReleaseResourceLite+29 (+0x11) [ 25:cb ]
    804dcc16-804dcc1a 5 bytes - nt!ExReleaseResourceLite+75 (+0x1d) [ 66 81 e2 7f ff:e9 01 a6 a1 01 ]
    804dfff2-804dfff8 7 bytes - nt!KiFastCallEntry+7f (+0x33dc) [ c7 45 08 00 0d db ba:e9 f6 71 a1 01 cc cc ]
    804e007c-804e0080 5 bytes - nt!KiServiceExit (+0x8a) [ fa f7 45 70 00:e9 7c d0 9e 01 ]
    804e016b-804e016d 3 bytes - nt!KiSystemCallExitBranch+2 (+0xef) [ 5a 59 9d:c8 02 04 ]
    804e08fb-804e08ff 5 bytes - nt!KiExceptionExit (+0x790) [ fa f7 45 70 00:e9 30 c8 9e 01 ]
    804e2fc9-804e2fce 6 bytes - nt!KiTrap0E+a4 (+0x26ce) [ fb f7 45 70 00 02:90 e9 7e a1 9e 01 ]
    804e44b4-804e44b8 5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x14eb) [ fa 8b 01 89 02:e9 e3 2c a1 01 ]
    804e44d1-804e44d6 6 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d) [ fa 8b 41 04 89 0a:e9 e9 2c a1 01 cc ]
    804e44f2-804e44f6 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21) [ fa 8b 01 3b c1:e9 7d 2c a1 01 ]
    804e4874-804e4878 5 bytes - nt!KeUpdateSystemTime+137 (+0x382) [ fa ff 15 dc 85:e9 7c 89 9e 01 ]
    804e4b4c-804e4b50 5 bytes - nt!ExAcquireResourceExclusiveLite+7 (+0x2d8) [ 64 a1 24 01 00:e9 19 85 9e 01 ]
    804e4b6d-804e4b71 5 bytes - nt!ExAcquireResourceExclusiveLite+47 (+0x21) [ 89 46 1c 66 89:e9 42 85 9e 01 ]
    804ea175-804ea17a 6 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x5608) [ fa 8b 75 08 33 db:e9 c4 d0 a0 01 cc ]
    804ea194 - nt!ExAcquireSharedWaitForExclusive+ae (+0x1f) [ fb:90 ]
    804ea199-804ea1a0 8 bytes - nt!ExAcquireSharedWaitForExclusive+ef (+0x05) [ c2 08 00 90 90 90 90 90:0f c7 c8 02 03 c2 08 00 ]
    804ee809-804ee80f 7 bytes - nt!CcGetActiveVacb+5 (+0x4670) [ fa 8b 45 08 8b 48 48:e9 4e 8a a0 01 cc cc ]
    804f01dc-804f01e3 8 bytes - nt!CcSetActiveVacb+7 (+0x19d3) [ fa 8b 45 08 83 78 48 00:e9 d0 70 a0 01 cc cc cc ]
    804f01ff-804f020c 14 bytes - nt!CcSetActiveVacb+a3 (+0x23) [ 8b 0a 89 48 48 89 58 50:e9 9d 70 a0 01 e9 8c 70 ]
146 errors : !nt (804da10c-804f020c)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  LARGE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------

kd> g
Shutdown occurred at (Fri Feb 20 21:17:05.218 2009 (GMT+8))...unloading all symbol tables.
Waiting to reconnect...
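An added example (not from this thread or its participants) in Python that parses the !chkimg -d entries in the output above and describes each patch for a triage report: it resolves the target of every e9 jmp rel32 written over kernel code and flags privileged cli/sti bytes that were turned into nop. The three sample entries are copied from the post; which component applied the patches is not something the output alone tells you, so the resolved targets are what the analyst checks next against lm.

```python
import re

# Constructed sample: three '!chkimg -lo 50 -d !nt' entries copied from the post above,
# one entry per line (the forum flattened them into one paragraph).
SAMPLE_CHKIMG = """\
804da10c - nt!KiXMMIZeroPage+73 [ fb:90 ]
804da545-804da54a 6 bytes - nt!ExAcquireResourceSharedLite+10 (+0x433) [ fa 8b 75 08 33 db:e9 03 cd a1 01 cc ]
804dfff2-804dfff8 7 bytes - nt!KiFastCallEntry+7f (+0x33dc) [ c7 45 08 00 0d db ba:e9 f6 71 a1 01 cc cc ]
"""

ENTRY = re.compile(
    r"^([0-9a-f]{8})(?:-[0-9a-f]{8} \d+ bytes)? - (\S+)(?: \(\+0x[0-9a-f]+\))?"
    r" \[ ([0-9a-f ]+?):([0-9a-f ]+?) \]$", re.I)

PRIVILEGED = {0xFA: "cli", 0xFB: "sti"}   # single-byte privileged instructions

def parse_chkimg(text):
    """Return (start, symbol, on-disk bytes, in-memory bytes) for each !chkimg -d entry."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            start, sym, disk, mem = m.groups()
            out.append((int(start, 16), sym, bytes.fromhex(disk), bytes.fromhex(mem)))
    return out

def classify(start, disk, mem):
    """Describe what the in-memory bytes do compared with the on-disk image."""
    if mem[0] == 0xE9 and len(mem) >= 5:           # jmp rel32: resolve the target
        rel = int.from_bytes(mem[1:5], "little", signed=True)
        return f"jmp to {(start + 5 + rel) & 0xFFFFFFFF:08x}"
    if disk[0] in PRIVILEGED and mem[0] == 0x90:    # cli/sti turned into nop
        return f"{PRIVILEGED[disk[0]]} replaced by nop"
    return "other patch"

def summarize(text):
    """Return [(symbol, description)] for every entry, in the order listed."""
    return [(sym, classify(start, disk, mem)) for start, sym, disk, mem in parse_chkimg(text)]

if __name__ == "__main__":
    for sym, what in summarize(SAMPLE_CHKIMG):
        print(f"{sym:40} {what}")
```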
2009-02-21, 16:34 PM

女乃米分
Registered: 2009-02-20
Posts: 9

Re: Just registered; two questions. Hope someone can give me a little confidence. Even if you're just passing by and don't answer, come have a look.

Frustrating. I switched to VMware for debugging and it seems to be fine again. Why does it go wrong under VPC?