搜索论坛 帖子排序:  Oldest to newest Newest to oldest

2014-05-02, 19:01 下午 cqyczj 注册: 2013-09-25 发 贴: 11 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码 我加载一个驱动没好久就BSOD了,后来通过dump文件知道是堆栈溢出所造成的蓝屏。知道是在哪行执行后就蓝屏,但关键是不知道怎么样查找造成堆栈溢出的代码。请老师能够给个思路，点拨一下，谢谢。 以下是dump文件的分析 kd> !analyze -v ******************************************************************************* *                                                                             * *                        Bugcheck Analysis                                    * *                                                                             * ******************************************************************************* DRIVER_OVERRAN_STACK_BUFFER (f7) A driver has overrun a stack-based buffer.  This overrun could potentially allow a malicious user to gain control of this machine. DESCRIPTION A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned.  This is the classic "buffer overrun" hacking attack and the system has been brought down to prevent a malicious user from gaining complete control of it. Do a kb to get a stack backtrace -- the last routine on the stack before the buffer overrun handlers and bugcheck call is the one that overran its local variable(s). Arguments: Arg1: 00000004, Actual security check cookie from the stack Arg2: ac38fd5b, Expected security check cookie Arg3: 53c702a4, Complement of the expected security check cookie Arg4: 00000000, zero Debugging Details: ------------------ FAULTING_LOCAL_VARIABLE_NAME:   GSFAILURE_MEMORY_READ_ERROR:  TRUE GSFAILURE_FUNCTION: SafeSystem!KernelOpenFile GSFAILURE_MODULE_COOKIE: ac38fd5b SafeSystem!__security_cookie [ 835f4120 ] SECURITY_COOKIE:  Expected ac38fd5b found 00000004 GSFAILURE_ANALYSIS_TEXT: !gs output: Corruption occurred in SafeSystem!KernelOpenFile or one of its callees Analyzing __report_gsfailure frame (2)... LEA usage: Function @0xFFFFFFFF835A6F20-0xFFFFFFFF835A72E4 is NOT using LEA Module canary at 0xFFFFFFFF835F4120 (SafeSystem!__security_cookie): 0xAC38FD5B Complement at 0xFFFFFFFF835F411C: 0x53C702A4  (matches OK) Couldn't find Canary! Function is likely not using GS or dont know how to find the canary Couldn't find Canary! Function is likely not using GS or dont know how to find the canary Canary Complement addr at gsfailure frame not found. (Non-fatal) Canary complement at gsfailure frame not found. (Non-fatal) Analyzing faulting frame(2)... Couldn't find Canary! Function is likely not using GS or dont know how to find the canary Can't find stack canary. Fatal error - aborting analysis! BUGCHECK_STR:  STACK_BUFFER_OVERRUN DEFAULT_BUCKET_ID:  GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS GS_FALSE_POSITIVE:  TRUE PROCESS_NAME:  System CURRENT_IRQL:  2 ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre STACK_TEXT:   94ec3bd4 835be769 000000f7 00000004 ac38fd5b nt!KeBugCheckEx+0x1e 94ec3bf4 835a72e4 003e003c 87c8d390 94ec3c1c SafeSystem!__report_gsfailure+0x25 [d:\wbrtm\minkernel\tools\gs_support\kmode\gs_report.c @ 49] 94ec3ca4 835a7573 87c8b0e0 94ec3ce8 00100020 SafeSystem!KernelOpenFile+0x3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338] 94ec3cec 835ae07f 87c8b0e0 835f477c 87bb3858 SafeSystem!PeLoad+0x23 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 799] 94ec3d0c 835ae4c8 87bb3858 87c8b0e0 83805000 SafeSystem!InitSafeOperationModule+0x5f [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 107] 94ec3d28 835b406c 87bb3858 839a8728 00000000 SafeSystem!ReLoadNtos+0x148 [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 631] 94ec3d50 83a1366d 00000000 a1865fe5 00000000 SafeSystem!IsKernelBooting+0xac [d:\visual studio 2012\projects\safesystem\safesystem\safesystem.c @ 166] 94ec3d90 838c50d9 835b3fc0 00000000 00000000 nt!PspSystemThreadStartup+0x9e 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19 STACK_COMMAND:  kb FOLLOWUP_IP:  SafeSystem!KernelOpenFile+3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338] 835a72e4 8be5            mov     esp,ebp FAULTING_SOURCE_LINE:  d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c FAULTING_SOURCE_FILE:  d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c FAULTING_SOURCE_LINE_NUMBER:  338 FAULTING_SOURCE_CODE:      334:     335:     336: return status;    337:  >  338: }    339:     340: NTSTATUS  KernelGetFileSize(HANDLE hFile, PLARGE_INTEGER FileSize)    341: {    342: NTSTATUS status;    343: PFILE_OBJECT FileObject; SYMBOL_STACK_INDEX:  2 SYMBOL_NAME:  SafeSystem!KernelOpenFile+3c4 FOLLOWUP_NAME:  MachineOwner MODULE_NAME: SafeSystem IMAGE_NAME:  SafeSystem.sys DEBUG_FLR_IMAGE_TIMESTAMP:  53605ee8 FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_SafeSystem!KernelOpenFile+3c4 BUCKET_ID:  STACK_BUFFER_OVERRUN_SafeSystem!KernelOpenFile+3c4 ANALYSIS_SOURCE:  KM FAILURE_ID_HASH_STRING:  km:stack_buffer_overrun_safesystem!kernelopenfile+3c4 FAILURE_ID_HASH:  {e992cded-1b49-27da-eb13-e2a29e110d0d} Followup: MachineOwner --------- kd> k ChildEBP RetAddr   94ec3bd4 835be769 nt!KeBugCheckEx+0x1e 94ec3bf4 835a72e4 SafeSystem!__report_gsfailure+0x25 [d:\wbrtm\minkernel\tools\gs_support\kmode\gs_report.c @ 49] 94ec3ca4 835a7573 SafeSystem!KernelOpenFile+0x3c4 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 338] 94ec3cec 835ae07f SafeSystem!PeLoad+0x23 [d:\visual studio 2012\projects\safesystem\safesystem\kernelreload.c @ 799] 94ec3d0c 835ae4c8 SafeSystem!InitSafeOperationModule+0x5f [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 107] 94ec3d28 835b406c SafeSystem!ReLoadNtos+0x148 [d:\visual studio 2012\projects\safesystem\safesystem\ntos.c @ 631] 94ec3d50 83a1366d SafeSystem!IsKernelBooting+0xac [d:\visual studio 2012\projects\safesystem\safesystem\safesystem.c @ 166] 94ec3d90 838c50d9 nt!PspSystemThreadStartup+0x9e 00000000 00000000 nt!KiThreadStartup+0x19 IP 地址: 已记录   报告

2014-05-04, 00:16 上午 cqyczj 注册: 2013-09-25 发 贴: 11 Re: 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码 问题已解决,不过还是要感谢张老师的好书格蠹汇编，在书中的案例给了启示，希望张老师多出这样的好书。 NTSTATUS  KernelOpenFile(wchar_t *FileFullName,  PHANDLE FileHandle,  ACCESS_MASK DesiredAccess,  ULONG FileAttributes,  ULONG ShareAccess,  ULONG CreateDisposition,  ULONG CreateOptions) { WCHAR SystemRootName[28]=L"\\SystemRoot"; WCHAR *FileNodeName=NULL; UNICODE_STRING FilePath; PDEVICE_OBJECT RealDevice,DeviceObject; NTSTATUS status=STATUS_UNSUCCESSFUL; PFILE_OBJECT FileObject=NULL ; FileNodeName=ExAllocatePool(NonPagedPool,260*2); if (FileNodeName==NULL) { return status; } RtlZeroMemory(FileNodeName,260*2); if (DebugOn) KdPrint(("FileFullName:%ws--%ws",FileFullName,SystemRootName)); if (_wcsnicmp(FileFullName,SystemRootName,wcslen(SystemRootName))==0) { int Len; if(!GetWindowsRootName(FileNodeName)) { ExFreePool(FileNodeName); return status; } Len=wcslen(SystemRootName); wcscat(FileNodeName,&FileFullName[Len]); } else { if (FileFullName[1]!=0x003A||FileFullName[2]!=0x005C) { return status; } wcscpy(FileNodeName,&FileFullName[2]); } if (DebugOn) KdPrint(("%S\n",FileNodeName)); if(!GetDeviceObjectFromFileFullName(FileFullName,&RealDevice,&DeviceObject)) { if (DebugOn) KdPrint(("get device object and real device object faild\n")); ExFreePool(FileNodeName); return status; } RtlInitUnicodeString(&FilePath,FileNodeName); if (DebugOn) KdPrint(("start IrpCreateFile\n")); status=IrpCreateFile(&FilePath,DesiredAccess,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,DeviceObject,RealDevice,&FileObject); if (!NT_SUCCESS(status)) { if (DebugOn) KdPrint(("Irp create file failed\n")); ExFreePool(FileNodeName); return status; } if (DebugOn) KdPrint(("IrpCreate File Ok\n")); status=ObOpenObjectByPointer( FileObject, OBJ_KERNEL_HANDLE,    //verifier下测试要指定OBJ_KERNEL_HANDLE 0, DesiredAccess|0x100000, *IoFileObjectType, 0, FileHandle); ObfDereferenceObject(FileObject); return status; } 以上代码加粗部分是有问题的代码,源代码为WCHAR SystemRootName[32]=L"\\SystemRoot";把数组下标32改为28就解决溢出问题 IP 地址: 已记录   报告

2014-05-04, 12:54 下午 格蠹老雷 注册: 2005-12-19 发 贴: 1,303 Re: 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码 多谢分享，本来FileNodeName是不是也是局部变量？ IP 地址: 已记录   报告

高端调试 » 软件调试 » Windows内核调试 » Re: 求助张老师,怎样快速查找到造成堆栈溢出有问题的代码

请选择 论坛首页 |- 论坛搜索 |- 热门主题 |- 未回复的主题 用户选项 |- 登录 |- 注册 |- 找回密码 软件调试 |- Windows内核调试 |- C/C++本地代码调试 |- .Net程序调试 |- 脚本程序调试 |- Java程序调试 |- Linux内核调试 |- 《程序员》杂志调试专栏 |- WinDbg |- GDB |- 远程调试 |- 调试ACPI和BIOS |- 特殊的调试任务 |- 转储分析 |- GDK7 内核探秘 |- Windows内核 |- Linux内核 系统架构 |- CPU架构 |- PCI/PCI Express架构 程序人生 |- 软件物语 |- 社区活动 |- 名人逸事 联盟论坛 |- 欢迎使用CnForums 没有银弹 |- BUG也精彩 |- 豆腐工程 |- 软件圈里十大怪 Windows Vista |- 用调试利剑剖析VISTA内幕 |- 老专家如何破解新问题 |- 我的电脑谁说了算？ |- 资源 Office开发 |- Visio 驱动程序开发 |- Windows驱动开发 |- Linux驱动开发 |- Windows CE驱动开发 用户态开发 |- Windows本地代码（native）高级开发 |- Web应用开发 |- WinFX和.Net |- Office开发 本站建设 |- 高端调试团队 |- 版面布局 |- 活动建议 |- 网站维护 64位计算 |- 64-bit Windows |- 64-bit CPU 图书 |- 《软件调试》的示例程序 |- 《软件调试》的工具 |- 《软件调试》书友 |- 《软件调试》答疑 |- 《软件调试》勘误和意见 |- 《格蠹汇编》 |- 《软件调试》第二版卷1 |- 《软件调试》第二版卷2 云计算 |- IaaS |- 云存储 |- 大数据 |- PaaS和SaaS GPU |- CUDA |- OpenCL |- HSA |- 游戏开发与调试