bug引入

我们在驱动中引入一个错误 ,在0x0地址位置写入数据
在用户态这样做,进程会崩溃,但是在驱动里这样写,系统会挂掉
先把符号文件加载到windebug,用分号隔开,勾选reload

image.png

  1. #include <ntddk.h>
  4. VOID Unload(IN PDRIVER_OBJECT DriverObject) {
  5.     DbgPrint("driver unload\r\n");
  6. }
  9. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegisteryPath) {
  11.     PCHAR string;
  12.     DriverObject->DriverUnload = Unload;
  13.     //在 0x0的位置写入 'a'
  14.     string = 0;
  15.     *string = 'a';
  18.     DbgPrint("hello driver\r\n");
  21.     return STATUS_SUCCESS;
  22. }

加载驱动运行调试

加载运行驱动后,执行代码,调试器捕捉到,并中断
image.png

分析调试信息

使用 !analyze -v 命令自动分析,需要等一小会

  1. *******************************************************************************
  2. *                                                                             *
  3. *                        Bugcheck Analysis                                    *
  4. *                                                                             *
  5. *******************************************************************************
  7. SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
  8. This is a very common bugcheck.  Usually the exception address pinpoints
  9. the driver/function that caused the problem.  Always note this address
  10. as well as the link date of the driver/image that contains this address.
  11. Arguments:
  12. Arg1: c0000005, The exception code that was not handled
  13. Arg2: 94407018, The address that the exception occurred at
  14. Arg3: 807ed8fc, Exception Record Address
  15. Arg4: 807ed360, Context Record Address
  17. Debugging Details:
  18. ------------------
  20. DBGHELP: Timeout to store: e:\symbol*http://msdl.microsoft.com/download/symbols
  22. KEY_VALUES_STRING: 1
  24.     Key  : AV.Dereference
  25.     Value: NullPtr
  27.     Key  : AV.Fault
  28.     Value: Write
  30.     Key  : Analysis.CPU.mSec
  31.     Value: 14609
  33.     Key  : Analysis.DebugAnalysisManager
  34.     Value: Create
  36.     Key  : Analysis.Elapsed.mSec
  37.     Value: 181920
  39.     Key  : Analysis.Init.CPU.mSec
  40.     Value: 8046
  42.     Key  : Analysis.Init.Elapsed.mSec
  43.     Value: 840119
  45.     Key  : Analysis.Memory.CommitPeak.Mb
  46.     Value: 68
  48.     Key  : WER.OS.Branch
  49.     Value: win7sp1_ldr_escrow
  51.     Key  : WER.OS.Timestamp
  52.     Value: 2019-02-20T18:00:00Z
  54.     Key  : WER.OS.Version
  55.     Value: 7.1.7601.24384
  58. BUGCHECK_CODE:  7e
  60. BUGCHECK_P1: ffffffffc0000005
  62. BUGCHECK_P2: ffffffff94407018
  64. BUGCHECK_P3: ffffffff807ed8fc
  66. BUGCHECK_P4: ffffffff807ed360
  68. EXCEPTION_RECORD:  807ed8fc -- (.exr 0xffffffff807ed8fc)
  69. ExceptionAddress: 94407018 (helloDriver!DriverEntry+0x00000018)
  70.    ExceptionCode: c0000005 (Access violation)
  71.   ExceptionFlags: 00000000
  72. NumberParameters: 2
  73.    Parameter[0]: 00000001
  74.    Parameter[1]: 00000000
  75. Attempt to write to address 00000000
  77. CONTEXT:  807ed360 -- (.cxr 0xffffffff807ed360)
  78. eax=85b0d0f8 ebx=00000000 ecx=00000000 edx=00002351 esi=85b0d0f8 edi=86cd7000
  79. eip=94407018 esp=807ed9c4 ebp=807ed9c8 iopl=0         nv up ei pl nz na pe nc
  80. cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
  81. helloDriver!DriverEntry+0x18:
  82. 94407018 c60161          mov     byte ptr [ecx],61h         ds:0023:00000000=??
  83. Resetting default scope
  85. PROCESS_NAME:  System
  87. WRITE_ADDRESS:  00000000 
  89. ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p            0x%p                    %s
  91. EXCEPTION_CODE_STR:  c0000005
  93. EXCEPTION_PARAMETER1:  00000001
  95. EXCEPTION_PARAMETER2:  00000000
  97. EXCEPTION_STR:  0xc0000005
  99. STACK_TEXT:  
  100. 807ed9c8 840227b2     85b0d0f8 86cd7000 00000000 helloDriver!DriverEntry+0x18 [E:\codemix\windowsDevelopment\helloDriver\helloDriver\Source.c @ 18] 
  101. 807edbac 840262c1     00000001 00000000 807edbd4 nt!IopLoadDriver+0x7ed
  102. 807edbf4 83ebdb4b     8d427bd0 855c38c8 855d84c0 nt!IopLoadUnloadDriver+0x70
  103. 807edc44 84068b38     00000001 9cdb13d2 00000000 nt!ExpWorkerThread+0x10d
  104. 807edc90 83f06301     83ebda3e 00000001 00000000 nt!PspSystemThreadStartup+0x159
  105. 00000000 00000000     00000000 00000000 00000000 nt!KiThreadStartup+0x19
  108. CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
  109.     83eb76a7 - nt!SwapContext_XRstorBegin+2
  110.     [ 89:a9 ]
  111.     83eb794d - nt!EnlightenedSwapContext_XRstorBegin+2 (+0x2a6)
  112.     [ 89:a9 ]
  113. 2 errors : !nt (83eb76a7-83eb794d)
  115. MODULE_NAME: memory_corruption
  117. IMAGE_NAME:  memory_corruption
  119. MEMORY_CORRUPTOR:  ONE_BIT_LARGE
  121. STACK_COMMAND:  .cxr 0xffffffff807ed360 ; kb
  123. FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_ONE_BIT_LARGE
  125. OS_VERSION:  7.1.7601.24384
  127. BUILDLAB_STR:  win7sp1_ldr_escrow
  129. OSPLATFORM_TYPE:  x86
  131. OSNAME:  Windows 7
  133. FAILURE_ID_HASH:  {31545515-196b-fab5-2300-9ce714226f43}
  135. Followup:     memory_corruption
  136. ---------
  139. ************* Path validation summary **************
  140. Response                         Time (ms)     Location
  141. OK                                             E:\codemix\windowsDevelopment\helloDriver\helloDriver
  143. ************* Path validation summary **************
  144. Response                         Time (ms)     Location
  145. OK                                             E:\codemix\windowsDevelopment\helloDriver\helloDriver
  146. kd> g
  147. Shutdown occurred at (Wed Jul 13 21:01:42.441 2022 (UTC + 8:00))...unloading all symbol tables.
  149. ************* Path validation summary **************
  150. Response                         Time (ms)     Location
  151. Deferred                                       SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
  152. Deferred                                       srv*c:\symbols* http://msdl.microsoft.com/download/symbols
  153. OK                                             E:\codemix\windowsDevelopment\helloDriver\Debug
  154. Deferred                                       SRV*E:\symboll* http://msdl.microsoft.com/download/symbols
  155. Waiting to reconnect...
  156. BD: Boot Debugger Initialized
  157. Connected to Windows Boot Debugger 7601 x86 compatible target at (Wed Jul 13 21:01:54.082 2022 (UTC + 8:00)), ptr64 FALSE
  158. Kernel Debugger connection established.
  160. ************* Path validation summary **************
  161. Response                         Time (ms)     Location
  162. Deferred                                       SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
  163. Deferred                                       srv*c:\symbols* http://msdl.microsoft.com/download/symbols
  164. OK                                             E:\codemix\windowsDevelopment\helloDriver\Debug
  165. Deferred                                       SRV*E:\symboll* http://msdl.microsoft.com/download/symbols
  166. Symbol search path is: SRV*E:\symbol*http://msdl.microsoft.com/download/symbols;srv*c:\symbols* http://msdl.microsoft.com/download/symbols;E:\codemix\windowsDevelopment\helloDriver\Debug;SRV*E:\symboll* http://msdl.microsoft.com/download/symbols
  167. Executable search path is: 
  168. ReadVirtual() failed in GetXStateConfiguration() first read attempt (error == 0.)
  169. Windows Boot Debugger Kernel Version 7601 UP Free x86 compatible
  170. Machine Name:
  171. Primary image base = 0x00539000 Loaded module list = 0x005dbd60
  172. System Uptime: not available
  174. ************* Path validation summary **************
  175. Response                         Time (ms)     Location
  176. Deferred                                       SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
  177. Deferred                                       srv*c:\symbols* http://msdl.microsoft.com/download/symbols
  178. OK                                             E:\codemix\windowsDevelopment\helloDriver\Debug
  179. Deferred                                       SRV*E:\symboll* http://msdl.microsoft.com/download/symbols
  181. ************* Path validation summary **************
  182. Response                         Time (ms)     Location
  183. OK                                             E:\codemix\windowsDevelopment\helloDriver\helloDriver
  184. winload!DbgLoadImageSymbols+0x44:
  185. 0056f93d cc              int     3
  186. kd> g
  187. Shutdown occurred at (Wed Jul 13 21:02:18.377 2022 (UTC + 8:00))...unloading all symbol tables.
  189. ************* Path validation summary **************
  190. Response                         Time (ms)     Location
  191. Deferred                                       SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
  192. Deferred                                       srv*c:\symbols* http://msdl.microsoft.com/download/symbols
  193. OK                                             E:\codemix\windowsDevelopment\helloDriver\Debug
  194. Deferred                                       SRV*E:\symboll* http://msdl.microsoft.com/download/symbols
  195. Waiting to reconnect...
  196. Connected to Windows 7 7601 x86 compatible target at (Wed Jul 13 21:02:19.339 2022 (UTC + 8:00)), ptr64 FALSE
  197. Kernel Debugger connection established.
  199. ************* Path validation summary **************
  200. Response                         Time (ms)     Location
  201. Deferred                                       SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
  202. Deferred                                       srv*c:\symbols* http://msdl.microsoft.com/download/symbols
  203. OK                                             E:\codemix\windowsDevelopment\helloDriver\Debug
  204. Deferred                                       SRV*E:\symboll* http://msdl.microsoft.com/download/symbols
  205. Symbol search path is: SRV*E:\symbol*http://msdl.microsoft.com/download/symbols;srv*c:\symbols* http://msdl.microsoft.com/download/symbols;E:\codemix\windowsDevelopment\helloDriver\Debug;SRV*E:\symboll* http://msdl.microsoft.com/download/symbols
  206. Executable search path is: 
  207. Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
  208. Edition build lab: 7601.24384.x86fre.win7sp1_ldr_escrow.190220-1800
  209. Machine Name:
  210. Kernel base = 0x83e4c000 PsLoadedModuleList = 0x83fa1730
  211. System Uptime: not available
  213. ************* Path validation summary **************
  214. Response                         Time (ms)     Location
  215. Deferred                                       SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
  216. Deferred                                       srv*c:\symbols* http://msdl.microsoft.com/download/symbols
  217. OK                                             E:\codemix\windowsDevelopment\helloDriver\Debug
  218. Deferred                                       SRV*E:\symboll* http://msdl.microsoft.com/download/symbols
  220. ************* Path validation summary **************
  221. Response                         Time (ms)     Location
  222. OK                                             E:\codemix\windowsDevelopment\helloDriver\helloDriver
  223. nt!DbgLoadImageSymbols+0x47:
  224. 83e64d0e cc              int     3

报错参数

image.png
arg1 : 错误代码 c000005
arg2:94407018 发生错误的内存地址

image.png

报错位置

发生错误的代码在 helloDriver!DriverEntry+0x00000018 的位置
错误码:c0000005 (Access violation)
原因,尝试在0x0 地址写入数据 :Attempt to write to address 00000000

寄存器状态

寄存器状态:
image.png

发生错误代码
image.png

  1. 94407018 c60161          mov     byte ptr [ecx],61h         ds:0023:00000000=??

调用栈

image.png
在E:\codemix\windowsDevelopment\helloDriver\helloDriver\Source.c @ 18 第18行发生错误