求助张老师,怎样快速查找到造成堆栈溢出有问题的代码

Windows内核调试

求助张老师,怎样快速查找到造成堆栈溢出有问题的代码

cqyczj 2014-05-02, 19:01 下午
我加载一个驱动没好久就BSOD了,后来通过dump文件知道是堆栈溢出所造成的蓝屏。知道是在哪行执行后就蓝屏,但关键是不知道怎么样查找造成堆栈溢出的代码。请老师能够给个思路,点拨一下,谢谢。

以下是dump文件的分析



kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00000004, Actual security check cookie from the stack
Arg2: ac38fd5b, Expected security check cookie
Arg3: 53c702a4, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------


FAULTING_LOCAL_VARIABLE_NAME:  

GSFAILURE_MEMORY_READ_ERROR:  TRUE

GSFAILURE_FUNCTION: SafeSystem!KernelOpenFile

GSFAILURE_MODULE_COOKIE: ac38fd5b SafeSystem!__security_cookie [ 835f4120 ]

SECURITY_COOKIE:  Expected ac38fd5b found 00000004

GSFAILURE_ANALYSIS_TEXT: !gs output:
Corruption occurred in SafeSystem!KernelOpenFile or one of its callees

Analyzing __report_gsfailure frame (2)...
LEA usage: Function @0xFFFFFFFF835A6F20-0xFFFFFFFF835A72E4 is NOT using LEA
Module canary at 0xFFFFFFFF835F4120 (SafeSystem!__security_cookie): 0xAC38FD5B
Complement at 0xFFFFFFFF835F411C: 0x53C702A4  (matches OK)
Couldn't find Canary! Function is likely not using GS or dont know how to find the canary
Couldn't find Canary! Function is likely not using GS or dont know how to find the canary
Canary Complement addr at gsfailure frame not found. (Non-fatal)
Canary complement at gsfailure frame not found. (Non-fatal)

Analyzing faulting frame(2)...
Couldn't find Canary! Function is likely not using GS or dont know how to find the canary
Can't find stack canary.
Fatal error - aborting analysis!

BUGCHECK_STR:  STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID:  GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

GS_FALSE_POSITIVE:  TRUE

PROCESS_NAME:  System

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

STACK_TEXT:  
94ec3bd4 835be769 000000f7 00000004 ac38fd5b nt!KeBugCheckEx+0x1e
94ec3bf4 835a72e4 003e003c 87c8d390 94ec3c1c SafeSystem!__report_gsfailure+0x25 [d:\wbrtm\minkernel\tools\gs_support\kmode\gs_report.c @ 49]
94ec3ca4 835a7573 87c8b0e0 94ec3ce8 00100020 SafeSystem!KernelOpenFile+0x3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338]
94ec3cec 835ae07f 87c8b0e0 835f477c 87bb3858 SafeSystem!PeLoad+0x23 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 799]
94ec3d0c 835ae4c8 87bb3858 87c8b0e0 83805000 SafeSystem!InitSafeOperationModule+0x5f [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 107]
94ec3d28 835b406c 87bb3858 839a8728 00000000 SafeSystem!ReLoadNtos+0x148 [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 631]
94ec3d50 83a1366d 00000000 a1865fe5 00000000 SafeSystem!IsKernelBooting+0xac [d:\visual studio 2012\projects\safesystem\safesystem\safesystem.c @ 166]
94ec3d90 838c50d9 835b3fc0 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


STACK_COMMAND:  kb

FOLLOWUP_IP: 
SafeSystem!KernelOpenFile+3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338]
835a72e4 8be5            mov     esp,ebp

FAULTING_SOURCE_LINE:  d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c

FAULTING_SOURCE_FILE:  d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c

FAULTING_SOURCE_LINE_NUMBER:  338

FAULTING_SOURCE_CODE:  
   334: 
   335: 
   336: return status;
   337: 
>  338: }
   339: 
   340: NTSTATUS  KernelGetFileSize(HANDLE hFile, PLARGE_INTEGER FileSize)
   341: {
   342: NTSTATUS status;
   343: PFILE_OBJECT FileObject;


SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  SafeSystem!KernelOpenFile+3c4

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SafeSystem

IMAGE_NAME:  SafeSystem.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  53605ee8

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_SafeSystem!KernelOpenFile+3c4

BUCKET_ID:  STACK_BUFFER_OVERRUN_SafeSystem!KernelOpenFile+3c4

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:stack_buffer_overrun_safesystem!kernelopenfile+3c4

FAILURE_ID_HASH:  {e992cded-1b49-27da-eb13-e2a29e110d0d}

Followup: MachineOwner
---------

kd> k
ChildEBP RetAddr  
94ec3bd4 835be769 nt!KeBugCheckEx+0x1e
94ec3bf4 835a72e4 SafeSystem!__report_gsfailure+0x25 [d:\wbrtm\minkernel\tools\gs_support\kmode\gs_report.c @ 49]
94ec3ca4 835a7573 SafeSystem!KernelOpenFile+0x3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338]
94ec3cec 835ae07f SafeSystem!PeLoad+0x23 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 799]
94ec3d0c 835ae4c8 SafeSystem!InitSafeOperationModule+0x5f [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 107]
94ec3d28 835b406c SafeSystem!ReLoadNtos+0x148 [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 631]
94ec3d50 83a1366d SafeSystem!IsKernelBooting+0xac [d:\visual studio 2012\projects\safesystem\safesystem\safesystem.c @ 166]
94ec3d90 838c50d9 nt!PspSystemThreadStartup+0x9e
00000000 00000000 nt!KiThreadStartup+0x19

Re: 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码

cqyczj 2014-05-04, 00:16 上午
问题已解决,不过还是要感谢张老师的好书格蠹汇编,在书中的案例给了启示,希望张老师多出这样的好书。

NTSTATUS  KernelOpenFile(wchar_t *FileFullName, 
PHANDLE FileHandle, 
ACCESS_MASK DesiredAccess, 
ULONG FileAttributes, 
ULONG ShareAccess, 
ULONG CreateDisposition, 
ULONG CreateOptions)
{
WCHAR SystemRootName[28]=L"\\SystemRoot";
WCHAR *FileNodeName=NULL;
UNICODE_STRING FilePath;
PDEVICE_OBJECT RealDevice,DeviceObject;
NTSTATUS status=STATUS_UNSUCCESSFUL;
PFILE_OBJECT FileObject=NULL ;

FileNodeName=ExAllocatePool(NonPagedPool,260*2);
if (FileNodeName==NULL)
{
return status;
}
RtlZeroMemory(FileNodeName,260*2);

if (DebugOn)
KdPrint(("FileFullName:%ws--%ws",FileFullName,SystemRootName));

if (_wcsnicmp(FileFullName,SystemRootName,wcslen(SystemRootName))==0)
{
int Len;
if(!GetWindowsRootName(FileNodeName))
{
ExFreePool(FileNodeName);
return status;
}
Len=wcslen(SystemRootName);
wcscat(FileNodeName,&FileFullName[Len]);
}
else
{
if (FileFullName[1]!=0x003A||FileFullName[2]!=0x005C)
{
return status;

}
wcscpy(FileNodeName,&FileFullName[2]);
}
if (DebugOn)
KdPrint(("%S\n",FileNodeName));

if(!GetDeviceObjectFromFileFullName(FileFullName,&RealDevice,&DeviceObject))
{
if (DebugOn)
KdPrint(("get device object and real device object faild\n"));
ExFreePool(FileNodeName);
return status;
}
RtlInitUnicodeString(&FilePath,FileNodeName);
if (DebugOn)
KdPrint(("start IrpCreateFile\n"));

status=IrpCreateFile(&FilePath,DesiredAccess,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,DeviceObject,RealDevice,&FileObject);
if (!NT_SUCCESS(status))
{
if (DebugOn)
KdPrint(("Irp create file failed\n"));
ExFreePool(FileNodeName);
return status;
}
if (DebugOn)
KdPrint(("IrpCreate File Ok\n"));

status=ObOpenObjectByPointer(
FileObject,
OBJ_KERNEL_HANDLE,    //verifier下测试要指定OBJ_KERNEL_HANDLE
0,
DesiredAccess|0x100000,
*IoFileObjectType,
0,
FileHandle);

ObfDereferenceObject(FileObject);


return status;

}
以上代码加粗部分是有问题的代码,源代码为WCHAR SystemRootName[32]=L"\\SystemRoot";把数组下标32改为28就解决溢出问题

Re: 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码

格蠹老雷 2014-05-04, 12:54 下午
多谢分享,本来FileNodeName是不是也是局部变量?

Powered by Community Server Powered by CnForums.Net