标签:触发 symbols Windows10 Analysis Key 0000000000000000 Value condrv 蓝屏
一、重现环境:
1、windows10版本
2、idapro7_5499
3、vs2008运行库(vcredist2008sp1.zip)
二、触发蓝屏
1、触发poc
include
include
int main()
{
WCHAR fileName[] = L”\\.\globalroot\device\condrv\kernelconnect”;
WIN32_FILE_ATTRIBUTE_DATA data;
GetFileAttributesEx(fileName, GetFileExInfoStandard, &data);
}
编译运行,蓝屏;
2、设置蓝屏生成dump
“我的电脑”->”属性”->”高级”->”启动与恢复设置”
三、windbg分析
3.1、符号路径设置
“File”->”Symbol File Path”,输入”SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols”
点击”Save Workspace”保存,避免下次打开还要重新输入配置;
3.2、windbg加载dump文件
Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\minidump\012721-9562-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
* Path validation summary **
Response Time (ms) Location
Deferred SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols
Symbol search path is: SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 18362 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xfffff80326600000 PsLoadedModuleList = 0xfffff80326a48150
Debug session time: Wed Jan 27 17:43:46.105 2021 (UTC + 8:00)
System Uptime: 4 days 6:38:28.252
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
……………………………………………………….
…..
Loading User Symbols
Loading unloaded module list
………..
For analysis of this file, run !analyze -v
8: kd> !analyze -v
- *
- Bugcheck Analysis *
- *
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80323b4b04f, Address of the instruction which caused the bugcheck
Arg3: fffff004a056c870, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-MAMOHSH
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 116
Key : Analysis.Memory.CommitPeak.Mb
Value: 79
Key : Analysis.System
Value: CreateObjectVIRTUAL_MACHINE: VMware
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff80323b4b04f
BUGCHECK_P3: fffff004a056c870
BUGCHECK_P4: 0
CONTEXT: fffff004a056c870 — (.cxr 0xfffff004a056c870)
rax=ffffd2081e3176a8 rbx=ffffd20822b8bbc0 rcx=0000000000000000
rdx=ffffd2081e317590 rsi=0000000000000000 rdi=ffffd2081e317590
rip=fffff80323b4b04f rsp=fffff004a056d260 rbp=0000000000000000
r8=ffffd2081e317590 r9=ffffd20821d638e0 r10=fffff80323b4b030
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=ffffd20821d638e0
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050286
condrv!CdpDispatchCleanup+0x1f:
fffff80323b4b04f 488b01 mov rax,qword ptr [rcx] ds:002b:0000000000000000=????????????????
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: ConsoleApplica
STACK_TEXT:
fffff004a056d260 fffff80326631f79 : ffffd2081e317590 fffff80326631e5d 0000000000000000 0000000000000000 : condrv!CdpDispatchCleanup+0x1f
fffff004a056d290 fffff80326be42b8 : 0000000000000000 ffffd20822b8bbc0 0000000000000000 ffffd2081e317590 : nt!IofCallDriver+0x59
fffff004a056d2d0 fffff80326be6939 : fffff004a056d820 0000000000000001 ffffd2081e317590 fffff80326be5b00 : nt!IopCloseFile+0x188
fffff004a056d360 fffff80326bed1bf : ffffd20821d638e0 ffffd20821d63800 ffffd20822bf3aa0 0000000000000001 : nt!IopParseDevice+0xd79
fffff004a056d4d0 fffff80326beb621 : ffffd20822bf3a00 fffff004a056d718 0000000000000040 ffffca0e016f26c0 : nt!ObpLookupObjectName+0x78f
fffff004a056d690 fffff80326c30234 : 0000000000000001 000000000043e048 0000000000000028 000000000043e930 : nt!ObOpenObjectByNameEx+0x201
fffff004a056d7d0 fffff803267d2d15 : ffffd208245b7080 0000000000000000 ffffd208245b7080 ffffd208213da760 : nt!NtQueryFullAttributesFile+0x1b4
fffff004a056da80 00007ffa23f9e8b4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
000000000043e008 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffa`23f9e8b4
SYMBOL_NAME: condrv!CdpDispatchCleanup+1f
MODULE_NAME: condrv
IMAGE_NAME: condrv.sys
IMAGE_VERSION: 10.0.18362.1350
STACK_COMMAND: .cxr 0xfffff004a056c870 ; kb
BUCKET_ID_FUNC_OFFSET: 1f
FAILURE_BUCKET_ID: 0x3B_c0000005_condrv!CdpDispatchCleanup
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {4713cd15-5baf-96a2-7e8b-3fec2da6a08d}Followup: MachineOwner
四、idapro分析condrv.sys
1、拷贝本机电脑(windows10操作系统)的condrv.sys文件到其它非C盘;
本次环境是在C:\Windows\WinSxS\amd64_microsoft-windows-console-driver_31bf3856ad364e35_10.0.18362.1_none_da133b564b0d4aee路径
2、idapro配置
为了在分析condrv.sys时自动加载微软提供的pdb调试符号文件,修改配置文件pdb.cfg(idapro安装根目录下的cfg文件底下),分别去掉PDBSYM_DOWNLOAD_PATH,PDBSYM_SYMPATH 注释
// PDB plugin
ifdef PC // INTEL 80×86 PROCESSORS
//
// The downloaded symbols are stored in the specified directory.
// Microsoft’s public symbol store is used for downloading the symbols.
//
// If this option is omitted or empty – use _NT_SYMBOL_PATH if set, otherwise use %TEMP%\ida directory
// If the value is not empty – use it
PDBSYM_DOWNLOAD_PATH = “c:\symbols”;
// Full symbol path (in _NT_SYMBOL_PATH format)
// If set, PDBSYM_DOWNLOAD_PATH and _NT_SYMBOL_PATH are ignored
PDBSYM_SYMPATH = “SRVc:\symbolshttp://symbols.mozilla.org/firefox;SRVc:\symbolshttp://msdl.microsoft.com/download/symbols”;
// remote server where win32_remote.exe is running
// used when loading PDB symbols on non-Windows platforms
// NB: it will be used only if there is not already an existing debugging session started
PDB_REMOTE_SERVER = “localhost”;
PDB_REMOTE_PORT = 23946
// password for the remote server
PDB_REMOTE_PASSWD = “”;
endif
首次打开condrv.sys,会询问并根据上面的配置下载符号文件到本地
出现下面的错误,是因为pdb.cfg配置文件中的符号本地存储路径不存在,手动创建C盘symbols文件夹即可;
3、vs2008 rumtime环境安装
重新打开idapro后,发现会报如下错误:failed to load pdb info. 不支持此接口
搜索得到的解决方案主要有两种情况
1、condrv.sys不要放在包含中文字符的路径;
2、需要安装vs2008 rumtime环境;
这里是因为第二种原因,安装后,再重新打开idapro加载condrv.sys文件
下载并加载好符号文件后,对应的函数名称就显示出来了
对比没加载符号文件的情况
4、最后,可以参考1的文件进行静态分析跟踪,蓝屏直接原因,condrv的设备对象,随后关闭该对象的时候进入IRP_MJ_CLEANUP分发函数,尝试释放资源,但在创建的时候由于被拒绝所以没有分配任何资源,导致释放资源时访问空指针最后系统BSOD。
参考:
1、https://blog.csdn.net/xuandao_ahfengren/article/details/112855004
2、https://bbs.pediy.com/thread-265438.htm
标签:触发,symbols,Windows10,Analysis,Key,0000000000000000,Value,condrv,蓝屏 来源: https://blog.csdn.net/itgather/article/details/113347375
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。