2011-12-01 17:24

Analysis with WinDbg (2) - Example



1. Below is a dump analysis performed with the !analyze -v command.

6: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000044, Attempt to free a non-allocated nonpaged pool address
Arg2: 00000000, Starting address
Arg3: 80000000, (reserved)
Arg4: 00000000, 0

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for IsDrv122.sys       : This shows which module the error is in: IsDrv122.sys, a driver for which no symbols could be loaded.
Page 10b241 not present in the dump file. Type ".hh dbgerr004" for details

BUGCHECK_STR:  0xc2_44

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 8085c453 to 80827c83

STACK_TEXT:                                                                                              : Call stack at the time of the bugcheck is shown from here down, most recent frame first.
bafd78ec 8085c453 000000c2 00000044 00000000 nt!KeBugCheckEx+0x1b
bafd7918 80892541 00000000 04000000 00000000 nt!MmGetSizeOfBigPoolAllocation+0x203
bafd7970 80892b6f 20474942 00000000 bafd7a34 nt!ExFreePoolWithTag+0x1fd
bafd7980 910996f2 00000000 bafd7c48 e577374a nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.          : Frames from here down have no unwind info (IsDrv122 has no symbols) and may be wrong. The return address into IsDrv122+0x156f2 is still good, because it comes from the ExFreePool frame above; that frame's first argument (00000000) is the address being freed, so the driver called ExFreePool(0) while being loaded (IopLoadDriver), which is exactly what Arg1 0x44 / Arg2 0 describe.
bafd7a34 91085d8b 8b10af38 e577374a 00000000 IsDrv122+0x156f2
bafd7c88 808f6e8d 8b10af38 8bfc6000 00000000 IsDrv122+0x1d8b
bafd7d58 808f6fa3 80002ec4 00000001 00000000 nt!IopLoadDriver+0x689
bafd7d80 80880475 80002ec4 00000000 8f325b40 nt!IopLoadUnloadDriver+0x45
bafd7dac 80949c5a 909bfcf4 00000000 00000000 nt!ExpWorkerThread+0xeb
bafd7ddc 8088e0c2 8088038a 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb                      : The command !analyze used to produce STACK_TEXT; typing kb in the command window gives the same output.

FOLLOWUP_IP:
IsDrv122+156f2
910996f2 8b74240c        mov     esi,dword ptr [esp+0Ch]

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  IsDrv122+156f2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: IsDrv122

IMAGE_NAME:  IsDrv122.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  46919405

FAILURE_BUCKET_ID:  0xc2_44_IsDrv122+156f2

BUCKET_ID:  0xc2_44_IsDrv122+156f2

Followup: MachineOwner
---------
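The annotations above pick the important fields out of the !analyze -v output by hand. The Python below is an added example, not code from the original post, that does the same extraction programmatically, which is what you want when dumps are triaged in bulk (for example from the output of kd -z crash.dmp -c "!analyze -v; q"): it parses the bugcheck name and code, the Arg1..Arg4 lines, the NAME: value fields, the "symbols could not be loaded" line and the STACK_TEXT frames, marks every frame listed after the "Stack unwind information not available" warning as unreliable, and picks the first frame outside nt as the suspect. The sample input is an abridged copy of the output shown above; the class, function and field names are my own.

```python
"""Parse the text output of WinDbg's !analyze -v into a structured record.

Added example, not code from the original post. When dumps are triaged in bulk
(e.g. kd -z crash.dmp -c "!analyze -v; q"), this pulls out the bugcheck and its
arguments, the bucket fields, the missing-symbol warning and the STACK_TEXT
frames, remembering which frames the debugger itself said may be wrong.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an abridged copy of the !analyze -v output shown above.
SAMPLE = """\
BAD_POOL_CALLER (c2)
Arguments:
Arg1: 00000044, Attempt to free a non-allocated nonpaged pool address
Arg2: 00000000, Starting address
Arg3: 80000000, (reserved)
Arg4: 00000000, 0

*** ERROR: Module load completed but symbols could not be loaded for IsDrv122.sys

BUGCHECK_STR:  0xc2_44

STACK_TEXT:
bafd78ec 8085c453 000000c2 00000044 00000000 nt!KeBugCheckEx+0x1b
bafd7918 80892541 00000000 04000000 00000000 nt!MmGetSizeOfBigPoolAllocation+0x203
bafd7970 80892b6f 20474942 00000000 bafd7a34 nt!ExFreePoolWithTag+0x1fd
bafd7980 910996f2 00000000 bafd7c48 e577374a nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
bafd7a34 91085d8b 8b10af38 e577374a 00000000 IsDrv122+0x156f2
bafd7c88 808f6e8d 8b10af38 8bfc6000 00000000 IsDrv122+0x1d8b
bafd7d58 808f6fa3 80002ec4 00000001 00000000 nt!IopLoadDriver+0x689

IMAGE_NAME:  IsDrv122.sys

FAILURE_BUCKET_ID:  0xc2_44_IsDrv122+156f2
"""

HEAD_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)\s*$")      # BAD_POOL_CALLER (c2)
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-fA-F]{8}), (.*)$")       # Arg1: 00000044, text
FIELD_RE = re.compile(r"^([A-Z_]+):\s*(.*?)\s*$")                # NAME:  value
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)\s*$")
UNWIND_WARNING = "WARNING: Stack unwind information not available"


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: tuple          # the three "Args to Child" columns
    symbol: str
    reliable: bool       # False for every frame listed after the unwind warning

    @property
    def module(self) -> str:
        return self.symbol.split("!")[0].split("+")[0]


@dataclass
class Analysis:
    bugcheck_name: str = ""
    bugcheck_code: int = 0
    args: list = field(default_factory=list)        # [(value, description), ...]
    fields: dict = field(default_factory=dict)      # BUGCHECK_STR, IMAGE_NAME, ...
    frames: list = field(default_factory=list)
    missing_symbols: list = field(default_factory=list)

    def suspect_frame(self) -> Optional[Frame]:
        """First frame outside nt: the bugcheck blames the pool caller, not the kernel."""
        return next((f for f in self.frames if f.module.lower() != "nt"), None)


def parse_analyze(text: str) -> Analysis:
    a, in_stack, reliable = Analysis(), False, True
    for raw in text.splitlines():
        line = raw.strip()
        if in_stack:
            if not line:                                  # blank line closes STACK_TEXT
                in_stack = False
            elif line.startswith(UNWIND_WARNING):
                reliable = False
            elif (m := FRAME_RE.match(line)):
                a.frames.append(Frame(int(m[1], 16), int(m[2], 16),
                                      tuple(int(x, 16) for x in m.group(3, 4, 5)),
                                      m[6], reliable))
            continue
        if (m := HEAD_RE.match(line)) and not a.bugcheck_name:
            a.bugcheck_name, a.bugcheck_code = m[1], int(m[2], 16)
        elif (m := ARG_RE.match(line)):
            a.args.append((int(m[2], 16), m[3]))
        elif line.startswith("*** ERROR:") and "could not be loaded for" in line:
            a.missing_symbols.append(line.rsplit(" ", 1)[1])
        elif (m := FIELD_RE.match(line)):
            if m[1] == "STACK_TEXT":
                in_stack = True
            elif m[2]:
                a.fields[m[1]] = m[2]
    return a


def triage(a: Analysis) -> dict:
    """The handful of fields a triage queue keys on, with the reliability caveat kept."""
    s = a.suspect_frame()
    return {"bucket": a.fields.get("FAILURE_BUCKET_ID") or a.fields.get("BUGCHECK_STR", ""),
            "image": a.fields.get("IMAGE_NAME", ""),
            "no_symbols": list(a.missing_symbols),
            "arg1": a.args[0] if a.args else None,
            "suspect": s.symbol if s else None,
            "suspect_unwind_ok": bool(s and s.reliable)}


if __name__ == "__main__":
    print(triage(parse_analyze(SAMPLE)))
```

For this dump the suspect comes out as IsDrv122+0x156f2 with suspect_unwind_ok False, which is the right way to carry the caveat forward: the frame is identified by the return address from ExFreePool, but everything the debugger listed above it in the driver was reconstructed without unwind data.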

6: kd> kb                  : kb entered manually; as expected, it matches the STACK_TEXT above.
ChildEBP RetAddr  Args to Child             
bafd78ec 8085c453 000000c2 00000044 00000000 nt!KeBugCheckEx+0x1b
bafd7918 80892541 00000000 04000000 00000000 nt!MmGetSizeOfBigPoolAllocation+0x203
bafd7970 80892b6f 20474942 00000000 bafd7a34 nt!ExFreePoolWithTag+0x1fd
bafd7980 910996f2 00000000 bafd7c48 e577374a nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
bafd7a34 91085d8b 8b10af38 e577374a 00000000 IsDrv122+0x156f2
bafd7c88 808f6e8d 8b10af38 8bfc6000 00000000 IsDrv122+0x1d8b
bafd7d58 808f6fa3 80002ec4 00000001 00000000 nt!IopLoadDriver+0x689
bafd7d80 80880475 80002ec4 00000000 8f325b40 nt!IopLoadUnloadDriver+0x45
bafd7dac 80949c5a 909bfcf4 00000000 00000000 nt!ExpWorkerThread+0xeb
bafd7ddc 8088e0c2 8088038a 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


6: kd> kn            : kn prefixes each frame with its number; the IsDrv122 frame that called ExFreePool is 04 (.frame 4 selects it for further inspection).
 # ChildEBP RetAddr 
00 bafd78ec 8085c453 nt!KeBugCheckEx+0x1b
01 bafd7918 80892541 nt!MmGetSizeOfBigPoolAllocation+0x203
02 bafd7970 80892b6f nt!ExFreePoolWithTag+0x1fd
03 bafd7980 910996f2 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
04 bafd7a34 91085d8b IsDrv122+0x156f2
05 bafd7c88 808f6e8d IsDrv122+0x1d8b
06 bafd7d58 808f6fa3 nt!IopLoadDriver+0x689
07 bafd7d80 80880475 nt!IopLoadUnloadDriver+0x45
08 bafd7dac 80949c5a nt!ExpWorkerThread+0xeb
09 bafd7ddc 8088e0c2 nt!PspSystemThreadStartup+0x2e
0a 00000000 00000000 nt!KiThreadStartup+0x16


6: kd> lmvm IsDrv122                        : lmvm shows where the module is loaded (start/end), its image path, timestamp and checksum, and that no symbols are loaded; the lm options select what is listed.
start    end        module name
91084000 910b7b80   IsDrv122   (no symbols)          
    Loaded symbol image file: IsDrv122.sys
    Image path: \SystemRoot\System32\Drivers\IsDrv122.sys
    Image name: IsDrv122.sys
    Timestamp:        Mon Jul 09 10:48:53 2007 (46919405)
    CheckSum:         00038DF2
    ImageSize:        00033B80
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


6: kd> !dh 91084000 -f            : dumps the PE file header and optional header of the image at the start address reported by lmvm (-f = file headers only).

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
       5 number of sections
46919405 time date stamp Mon Jul 09 10:48:53 2007

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     10E characteristics
            Executable
            Line numbers stripped
            Symbols stripped
            32 bit word machine

OPTIONAL HEADER VALUES
     10B magic #
    6.00 linker version
   17F00 size of code
   1B980 size of initialized data
       0 size of uninitialized data
    1B8A address of entry point
     300 base of code
         ----- new -----
00010000 image base
      80 section alignment
      80 file alignment
       1 subsystem (Native)
    5.00 operating system version
    5.00 image version
    1.10 subsystem version
   33B80 size of image
     300 size of headers
   38DF2 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
       0  DLL characteristics
       0 [       0] address [size] of Export Directory
   30800 [      3C] address [size] of Import Directory
       0 [       0] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
       0 [       0] address [size] of Security Directory
   31600 [    21B8] address [size] of Base Relocation Directory
     540 [      1C] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
     300 [     23C] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory
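lmvm and !dh give the loaded module's link timestamp (46919405), checksum (38DF2) and size of image (33B80). A check worth doing before going further is to compare those against the IsDrv122.sys actually on disk, so that you know the file you are about to disassemble is the same build that crashed and not a replaced or updated copy. The Python below is an added example, not code from the original post: it parses the DOS, COFF and PE32 optional headers that !dh -f prints, and cross_check() compares them with the values taken from the dump. Because the real IsDrv122.sys is not available here, build_sample_image() constructs a header-only blob carrying the values from the !dh output above (BaseOfData, which !dh does not print, is assumed 0); the function names are my own.

```python
"""Parse the PE headers that '!dh -f' prints and cross-check them against the
module values WinDbg reported from the dump.

Added example, not code from the original post: confirms that the driver file
on disk is the same build as the module that crashed before any further
analysis (a replaced or updated IsDrv122.sys would not match)."""
import struct
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"                                                # IMAGE_FILE_HEADER
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, no data dirs
COFF_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
               "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
OPT32_FIELDS = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
                "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
                "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
                "MajorOperatingSystemVersion", "MinorOperatingSystemVersion", "MajorImageVersion",
                "MinorImageVersion", "MajorSubsystemVersion", "MinorSubsystemVersion",
                "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem",
                "DllCharacteristics", "SizeOfStackReserve", "SizeOfStackCommit",
                "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes")
DIRS = ("Export", "Import", "Resource", "Exception", "Security", "BaseRelocation", "Debug",
        "Architecture", "GlobalPtr", "TLS", "LoadConfig", "BoundImport", "IAT", "DelayImport",
        "COR20", "Reserved")                                          # same order !dh lists them


def parse_pe_headers(data: bytes) -> dict:
    """Return {'file': ..., 'optional': ..., 'directories': ...} for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = dict(zip(COFF_FIELDS, struct.unpack_from(COFF_FMT, data, pe_off + 4)))
    opt_off = pe_off + 4 + struct.calcsize(COFF_FMT)
    opt = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, data, opt_off)))
    if opt["Magic"] != 0x10B:
        raise ValueError("only PE32 (magic 10B) is handled; PE32+ lays the header out differently")
    dir_off = opt_off + struct.calcsize(OPT32_FMT)
    dirs = {name: struct.unpack_from("<II", data, dir_off + 8 * i)    # (rva, size)
            for i, name in enumerate(DIRS[:opt["NumberOfRvaAndSizes"]])}
    return {"file": coff, "optional": opt, "directories": dirs}


def link_time_utc(hdr: dict) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch; WinDbg prints it in local time."""
    return datetime.fromtimestamp(hdr["file"]["TimeDateStamp"], tz=timezone.utc)


def cross_check(hdr: dict, dump_timestamp: int, dump_checksum: int, dump_size: int) -> list:
    """Names of header fields where the on-disk image disagrees with the dump (empty = same build)."""
    on_disk = {"TimeDateStamp": hdr["file"]["TimeDateStamp"],
               "CheckSum": hdr["optional"]["CheckSum"],
               "SizeOfImage": hdr["optional"]["SizeOfImage"]}
    from_dump = {"TimeDateStamp": dump_timestamp, "CheckSum": dump_checksum, "SizeOfImage": dump_size}
    return [k for k in from_dump if on_disk[k] != from_dump[k]]


def build_sample_image() -> bytes:
    """Constructed header-only blob carrying the values from the !dh output above.
    The real IsDrv122.sys is not available here; BaseOfData (not shown by !dh) is assumed 0."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 5, 0x46919405, 0, 0, 0xE0, 0x10E)
    opt = struct.pack(OPT32_FMT, 0x10B, 6, 0, 0x17F00, 0x1B980, 0, 0x1B8A, 0x300, 0,
                      0x10000, 0x80, 0x80, 5, 0, 5, 0, 1, 10, 0, 0x33B80, 0x300, 0x38DF2, 1, 0,
                      0x40000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[5], dirs[6], dirs[12] = (0x30800, 0x3C), (0x31600, 0x21B8), (0x540, 0x1C), (0x300, 0x23C)
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_image())       # for a real file: open(path, "rb").read()
    print(link_time_utc(hdr), cross_check(hdr, 0x46919405, 0x38DF2, 0x33B80))
```

For a real file, pass open(path, "rb").read() to parse_pe_headers() and the dump values from lmvm/!dh to cross_check(); an empty list means the same build. Note that the "Mon Jul 09 10:48:53 2007" WinDbg printed is the debugger host's local time: the stamp 46919405 itself is 01:48:53 UTC, which matters when you correlate it with timestamps from other sources.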