Re: 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码
Windows内核调试
求助张老师,怎样快速查找到造成堆栈溢出有问题的代码
cqyczj
2014-05-02, 19:01 下午
我加载一个驱动没好久就BSOD了,后来通过dump文件知道是堆栈溢出所造成的蓝屏。知道是在哪行执行后就蓝屏,但关键是不知道怎么样查找造成堆栈溢出的代码。请老师能够给个思路,点拨一下,谢谢。
以下是dump文件的分析
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00000004, Actual security check cookie from the stack
Arg2: ac38fd5b, Expected security check cookie
Arg3: 53c702a4, Complement of the expected security check cookie
Arg4: 00000000, zero
Debugging Details:
------------------
FAULTING_LOCAL_VARIABLE_NAME:
GSFAILURE_MEMORY_READ_ERROR: TRUE
GSFAILURE_FUNCTION: SafeSystem!KernelOpenFile
GSFAILURE_MODULE_COOKIE: ac38fd5b SafeSystem!__security_cookie [ 835f4120 ]
SECURITY_COOKIE: Expected ac38fd5b found 00000004
GSFAILURE_ANALYSIS_TEXT: !gs output:
Corruption occurred in SafeSystem!KernelOpenFile or one of its callees
Analyzing __report_gsfailure frame (2)...
LEA usage: Function @0xFFFFFFFF835A6F20-0xFFFFFFFF835A72E4 is NOT using LEA
Module canary at 0xFFFFFFFF835F4120 (SafeSystem!__security_cookie): 0xAC38FD5B
Complement at 0xFFFFFFFF835F411C: 0x53C702A4 (matches OK)
Couldn't find Canary! Function is likely not using GS or dont know how to find the canary
Couldn't find Canary! Function is likely not using GS or dont know how to find the canary
Canary Complement addr at gsfailure frame not found. (Non-fatal)
Canary complement at gsfailure frame not found. (Non-fatal)
Analyzing faulting frame(2)...
Couldn't find Canary! Function is likely not using GS or dont know how to find the canary
Can't find stack canary.
Fatal error - aborting analysis!
BUGCHECK_STR: STACK_BUFFER_OVERRUN
DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS
GS_FALSE_POSITIVE: TRUE
PROCESS_NAME: System
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre
STACK_TEXT:
94ec3bd4 835be769 000000f7 00000004 ac38fd5b nt!KeBugCheckEx+0x1e
94ec3bf4 835a72e4 003e003c 87c8d390 94ec3c1c SafeSystem!__report_gsfailure+0x25 [d:\wbrtm\minkernel\tools\gs_support\kmode\gs_report.c @ 49]
94ec3ca4 835a7573 87c8b0e0 94ec3ce8 00100020 SafeSystem!KernelOpenFile+0x3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338]
94ec3cec 835ae07f 87c8b0e0 835f477c 87bb3858 SafeSystem!PeLoad+0x23 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 799]
94ec3d0c 835ae4c8 87bb3858 87c8b0e0 83805000 SafeSystem!InitSafeOperationModule+0x5f [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 107]
94ec3d28 835b406c 87bb3858 839a8728 00000000 SafeSystem!ReLoadNtos+0x148 [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 631]
94ec3d50 83a1366d 00000000 a1865fe5 00000000 SafeSystem!IsKernelBooting+0xac [d:\visual studio 2012\projects\safesystem\safesystem\safesystem.c @ 166]
94ec3d90 838c50d9 835b3fc0 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
STACK_COMMAND: kb
FOLLOWUP_IP:
SafeSystem!KernelOpenFile+3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338]
835a72e4 8be5 mov esp,ebp
FAULTING_SOURCE_LINE: d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c
FAULTING_SOURCE_FILE: d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c
FAULTING_SOURCE_LINE_NUMBER: 338
FAULTING_SOURCE_CODE:
334:
335:
336:
return status;
337:
> 338: }
339:
340: NTSTATUS KernelGetFileSize(HANDLE hFile, PLARGE_INTEGER FileSize)
341: {
342:
NTSTATUS status;
343:
PFILE_OBJECT FileObject;
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: SafeSystem!KernelOpenFile+3c4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SafeSystem
IMAGE_NAME: SafeSystem.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 53605ee8
FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_SafeSystem!KernelOpenFile+3c4
BUCKET_ID: STACK_BUFFER_OVERRUN_SafeSystem!KernelOpenFile+3c4
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:stack_buffer_overrun_safesystem!kernelopenfile+3c4
FAILURE_ID_HASH: {e992cded-1b49-27da-eb13-e2a29e110d0d}
Followup: MachineOwner
---------
kd> k
ChildEBP RetAddr
94ec3bd4 835be769 nt!KeBugCheckEx+0x1e
94ec3bf4 835a72e4 SafeSystem!__report_gsfailure+0x25 [d:\wbrtm\minkernel\tools\gs_support\kmode\gs_report.c @ 49]
94ec3ca4 835a7573 SafeSystem!KernelOpenFile+0x3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338]
94ec3cec 835ae07f SafeSystem!PeLoad+0x23 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 799]
94ec3d0c 835ae4c8 SafeSystem!InitSafeOperationModule+0x5f [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 107]
94ec3d28 835b406c SafeSystem!ReLoadNtos+0x148 [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 631]
94ec3d50 83a1366d SafeSystem!IsKernelBooting+0xac [d:\visual studio 2012\projects\safesystem\safesystem\safesystem.c @ 166]
94ec3d90 838c50d9 nt!PspSystemThreadStartup+0x9e
00000000 00000000 nt!KiThreadStartup+0x19
Re: 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码
cqyczj
2014-05-04, 00:16 上午
问题已解决,不过还是要感谢张老师的好书格蠹汇编,在书中的案例给了启示,希望张老师多出这样的好书。
NTSTATUS KernelOpenFile(wchar_t *FileFullName,
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions)
{
WCHAR SystemRootName[28]=L"\\SystemRoot";
WCHAR *FileNodeName=NULL;
UNICODE_STRING FilePath;
PDEVICE_OBJECT RealDevice,DeviceObject;
NTSTATUS status=STATUS_UNSUCCESSFUL;
PFILE_OBJECT FileObject=NULL ;
FileNodeName=ExAllocatePool(NonPagedPool,260*2);
if (FileNodeName==NULL)
{
return status;
}
RtlZeroMemory(FileNodeName,260*2);
if (DebugOn)
KdPrint(("FileFullName:%ws--%ws",FileFullName,SystemRootName));
if (_wcsnicmp(FileFullName,SystemRootName,wcslen(SystemRootName))==0)
{
int Len;
if(!GetWindowsRootName(FileNodeName))
{
ExFreePool(FileNodeName);
return status;
}
Len=wcslen(SystemRootName);
wcscat(FileNodeName,&FileFullName[Len]);
}
else
{
if (FileFullName[1]!=0x003A||FileFullName[2]!=0x005C)
{
return status;
}
wcscpy(FileNodeName,&FileFullName[2]);
}
if (DebugOn)
KdPrint(("%S\n",FileNodeName));
if(!GetDeviceObjectFromFileFullName(FileFullName,&RealDevice,&DeviceObject))
{
if (DebugOn)
KdPrint(("get device object and real device object faild\n"));
ExFreePool(FileNodeName);
return status;
}
RtlInitUnicodeString(&FilePath,FileNodeName);
if (DebugOn)
KdPrint(("start IrpCreateFile\n"));
status=IrpCreateFile(&FilePath,DesiredAccess,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,DeviceObject,RealDevice,&FileObject);
if (!NT_SUCCESS(status))
{
if (DebugOn)
KdPrint(("Irp create file failed\n"));
ExFreePool(FileNodeName);
return status;
}
if (DebugOn)
KdPrint(("IrpCreate File Ok\n"));
status=ObOpenObjectByPointer(
FileObject,
OBJ_KERNEL_HANDLE, //verifier下测试要指定OBJ_KERNEL_HANDLE
0,
DesiredAccess|0x100000,
*IoFileObjectType,
0,
FileHandle);
ObfDereferenceObject(FileObject);
return status;
}
以上代码加粗部分是有问题的代码,源代码为
WCHAR SystemRootName[32]=L"\\SystemRoot";把数组下标32改为28就解决溢出问题
Re: 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码
格蠹老雷
2014-05-04, 12:54 下午
多谢分享,本来
FileNodeName是不是也是局部变量?