This is an old, well-worn question; let me first describe a general method.
Shutdown occurred at (Thu Mar 22 15:54:25.345 2012 (UTC + 8:00))...unloading all symbol tables.
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Thu Mar 22 15:54:36.162 2012 (UTC + 8:00)), ptr64 FALSE
Kernel Debugger connection established.
......
System Uptime: not available
nt!DebugService2+0xe:
804d88ad cc int 3
ChildEBP RetAddr Args to Child
0005ff80 804d88e7 000600c4 0005ff94 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
0005ffa4 80656c46 000600c4 804d4000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
000600cc 80691ac8 00000000 80087000 80542268 nt!KdInitSystem+0x23e (FPO: [Non-Fpo])
00060100 00420e53 80087000 00467904 00438ab7 nt!KiSystemStartup+0x264
WARNING: Frame IP not in any known module. Following frames may be wrong.
00060e3c 0041ec40 00000007 00060e5c 00000000 0x420e53
00060ecc 004014fe 004678e0 0047164f 00051d68 0x41ec40
00061ff0 10101010 00000002 00000000 04e4000d 0x4014fe
00061ff4 00000000 00000000 04e4000d 003f0001 0x10101010
kd> ds 600c4
0005ffc4 "\WINDOWS\system32\ntoskrnl.exe"
start end module name
804d4000 806c6980 nt(pdb symbols) d:\windbg\symbols\raymond_xp_sp1\ntoskrnl.pdb\C95EC79CFBFB4220AF2B6E9D09551A1F2\ntoskrnl.pdb
kd> sx
......
Command: "ds poi(@esp+4); kv"
(only break for serial)
ud - Unload module - ignore
......
816862a8 "\WINDOWS\System32\DRIVERS\serial"
816862c8 ".sys"
ChildEBP RetAddr Args to Child
f9e9b67c 804d88e7 f9e9b758 f9e9b690 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
f9e9b6a0 8055c9ab f9e9b758 f9b1c000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
f9e9b844 80558b1e f9e9b904 00000000 00000000 nt!MmLoadSystemImage+0xa6b (FPO: [Non-Fpo])
f9e9b910 80555417 80000774 00000000 f9e9b900 nt!IopLoadDriver+0x311 (FPO: [4,40,3])
f9e9b954 80571f85 e1492868 00000001 80000774 nt!PipCallDriverAddDeviceQueryRoutine+0x239 (FPO: [Non-Fpo])
f9e9b9a0 80571fb3 f9e9ba2c e1492854 f9e9ba00 nt!RtlpCallQueryRegistryRoutine+0x3af (FPO: [Non-Fpo])
f9e9ba04 8055a84d 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2a4 (FPO: [Non-Fpo])
f9e9bad8 8055a657 00000000 00000001 f9e9bd54 nt!PipCallDriverAddDevice+0x237 (FPO: [3,43,3])
f9e9bd24 805a9093 817b54c8 00000001 00000000 nt!PipProcessDevNodeTree+0x147 (FPO: [Non-Fpo])
f9e9bd4c 805071b0 00000003 80549fc0 8054eddc nt!PiProcessStartSystemDevices+0x38 (FPO: [Non-Fpo])
f9e9bd74 804ed629 00000000 00000000 817c7640 nt!PipDeviceActionWorker+0x158 (FPO: [Non-Fpo])
f9e9bdac 8057c73a 00000000 00000000 00000000 nt!ExpWorkerThread+0xfe (FPO: [Non-Fpo])
f9e9bddc 805124c1 804ed556 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
nt!DebugService2+0xe:
804d88ad cc int 3
kd> lm a f9b1c000
start end module name
f9b1c000 f9b2b400 serial (deferred)
kd> dt _image_dos_header f9b1c000
nt!_IMAGE_DOS_HEADER
+0x000 e_magic : 0x5a4d
+0x002 e_cblp : 0x90
+0x004 e_cp : 3
+0x006 e_crlc : 0
+0x008 e_cparhdr : 4
+0x00a e_minalloc : 0
+0x00c e_maxalloc : 0xffff
+0x00e e_ss : 0
+0x010 e_sp : 0xb8
+0x012 e_csum : 0
+0x014 e_ip : 0
+0x016 e_cs : 0
+0x018 e_lfarlc : 0x40
+0x01a e_ovno : 0
+0x01c e_res : [4] 0
+0x024 e_oemid : 0
+0x026 e_oeminfo : 0
+0x028 e_res2 : [10] 0
+0x03c e_lfanew : 0n208
kd> dt -r2 _image_nt_headers f9b1c000+0n208
ntdll!_IMAGE_NT_HEADERS
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x000 Machine : 0x14c
+0x002 NumberOfSections : 8
+0x004 TimeDateStamp : 0x3d6de48b
+0x008 PointerToSymbolTable : 0
+0x00c NumberOfSymbols : 0
+0x010 SizeOfOptionalHeader : 0xe0
+0x012 Characteristics : 0x10e
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
+0x000 Magic : 0x10b
+0x002 MajorLinkerVersion : 0x7 ''
+0x003 MinorLinkerVersion : 0 ''
+0x004 SizeOfCode : 0xc200
+0x008 SizeOfInitializedData : 0x2e80
+0x00c SizeOfUninitializedData : 0
+0x010 AddressOfEntryPoint : 0xa793
+0x014 BaseOfCode : 0x380
+0x018 BaseOfData : 0x2d80
+0x01c ImageBase : 0x10000
+0x020 SectionAlignment : 0x80
+0x024 FileAlignment : 0x80
+0x028 MajorOperatingSystemVersion : 5
+0x02a MinorOperatingSystemVersion : 1
+0x02c MajorImageVersion : 5
+0x02e MinorImageVersion : 1
+0x030 MajorSubsystemVersion : 5
+0x032 MinorSubsystemVersion : 1
+0x034 Win32VersionValue : 0
+0x038 SizeOfImage : 0xf400
+0x03c SizeOfHeaders : 0x380
+0x040 CheckSum : 0x1ddb8
+0x044 Subsystem : 1
+0x046 DllCharacteristics : 0
+0x048 SizeOfStackReserve : 0x40000
+0x04c SizeOfStackCommit : 0x1000
+0x050 SizeOfHeapReserve : 0x100000
+0x054 SizeOfHeapCommit : 0x1000
+0x058 LoaderFlags : 0
+0x05c NumberOfRvaAndSizes : 0x10
+0x060 DataDirectory : [16] _IMAGE_DATA_DIRECTORY
+0x000 VirtualAddress : 0
+0x004 Size : 0
kd> ln f9b1c000+a793
( f9b26793) serial!DriverEntry | (f9b268d7) serial!SerialEnumerateLegacy
Exact matches:
serial!DriverEntry = <no type information>
kd> bl
0 e f9b26793 0001 (0001) serial!DriverEntry
Breakpoint 0 hit
serial!DriverEntry:
f9b26793 53 push ebx
kd> kv
ChildEBP RetAddr Args to Child
f9e9b854 80558d13 816862e0 81683000 00000000 serial!DriverEntry (FPO: [2,0,3])
f9e9b910 80555417 80000774 81683000 816862e0 nt!IopLoadDriver+0x5e0 (FPO: [4,40,3])
f9e9b954 80571f85 e1492868 00000001 80000774 nt!PipCallDriverAddDeviceQueryRoutine+0x239 (FPO: [Non-Fpo])
f9e9b9a0 80571fb3 f9e9ba2c e1492854 f9e9ba00 nt!RtlpCallQueryRegistryRoutine+0x3af (FPO: [Non-Fpo])
f9e9ba04 8055a84d 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2a4 (FPO: [Non-Fpo])
f9e9bad8 8055a657 00000000 00000001 f9e9bd54 nt!PipCallDriverAddDevice+0x237 (FPO: [3,43,3])
f9e9bd24 805a9093 817b54c8 00000001 00000000 nt!PipProcessDevNodeTree+0x147 (FPO: [Non-Fpo])
f9e9bd4c 805071b0 00000003 80549fc0 8054eddc nt!PiProcessStartSystemDevices+0x38 (FPO: [Non-Fpo])
f9e9bd74 804ed629 00000000 00000000 817c7640 nt!PipDeviceActionWorker+0x158 (FPO: [Non-Fpo])
f9e9bdac 8057c73a 00000000 00000000 00000000 nt!ExpWorkerThread+0xfe (FPO: [Non-Fpo])
f9e9bddc 805124c1 804ed556 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
MmLoadSystemImage
DbgLoadImageSymbols
DriverEntry
==============================================================================================
kd> .reboot
Shutdown occurred at (Thu Mar 22 17:02:36.023 2012 (UTC + 8:00))...unloading all symbol tables.
Waiting to reconnect...
......
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
System Uptime: not available
0005ffc4 "\WINDOWS\system32\ntoskrnl.exe"
ChildEBP RetAddr Args to Child
0005ff80 804d88e7 000600c4 0005ff94 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
0005ffa4 80656c46 000600c4 804d4000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
000600cc 80691ac8 00000000 80087000 80542268 nt!KdInitSystem+0x23e (FPO: [Non-Fpo])
00060100 00420e53 80087000 00467904 00438ab7 nt!KiSystemStartup+0x264
WARNING: Frame IP not in any known module. Following frames may be wrong.
00060e3c 0041ec40 00000007 00060e5c 00000000 0x420e53
00060ecc 004014fe 004678e0 0047164f 00051d68 0x41ec40
00061ff0 10101010 00000002 00000000 04e4000d 0x4014fe
00061ff4 00000000 00000000 04e4000d 003f0001 0x10101010
nt!DebugService2+0xe:
804d88ad cc int 3
kd> sxe ld:*tdss*
kd> g
kd> .reboot
Shutdown occurred at (Thu Mar 22 17:08:52.694 2012 (UTC + 8:00))...unloading all symbol tables.
Waiting to reconnect...
......
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
System Uptime: not available
0005ffc4 "\WINDOWS\system32\ntoskrnl.exe"
ChildEBP RetAddr Args to Child
0005ff80 804d88e7 000600c4 0005ff94 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
0005ffa4 80656c46 000600c4 804d4000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
000600cc 80691ac8 00000000 80087000 80542268 nt!KdInitSystem+0x23e (FPO: [Non-Fpo])
00060100 00420e53 80087000 00467904 00438ab7 nt!KiSystemStartup+0x264
WARNING: Frame IP not in any known module. Following frames may be wrong.
00060e3c 0041ec40 00000007 00060e5c 00000000 0x420e53
00060ecc 004014fe 004678e0 0047164f 00051d68 0x41ec40
00061ff0 10101010 00000002 00000000 04e4000d 0x4014fe
00061ff4 00000000 00000000 04e4000d 003f0001 0x10101010
nt!DebugService2+0xe:
804d88ad cc int 3
NTSTATUS MmLoadSystemImage(
IN PUNICODE_STRING ImageFileName,
IN PUNICODE_STRING NamePrefix OPTIONAL,
IN PUNICODE_STRING LoadedBaseName OPTIONAL,
IN ULONG LoadFlags,
OUT PVOID *ImageHandle,
OUT PVOID *ImageBaseAddress
)
\systemroot\system32\drivers\TDSSmqxt.sys
ChildEBP RetAddr Args to Child
f9e63584 80558b1e f9e63644 00000000 00000000 nt!MmLoadSystemImage (FPO: [Non-Fpo])
f9e63650 8068b8b4 000002ec 00000001 00000000 nt!IopLoadDriver+0x311 (FPO: [4,40,3])
f9e636ac 8068a5f7 00034000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16d (FPO: [Non-Fpo])
f9e63844 8068b3a1 00820000 00000000 817cb928 nt!IoInitSystem+0x697 (FPO: [1,97,3])
f9e63dac 8057c73a 80087000 00000000 00000000 nt!Phase1Initialization+0x83b (FPO: [1,340,3])
f9e63ddc 805124c1 8068ad55 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
nt!MmLoadSystemImage:
8055cacf 6874010000 push 174h
nt!IopLoadDriver+0x311:
80558b1e 3bc3 cmp eax,ebx
kd> r eax
eax=c0000034
kd> g
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\DRIVERS\ipsec.sys
......
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\drivers\TDSSpaxt.sys
ChildEBP RetAddr Args to Child
f9e9fc80 80558b1e f9e9fd40 00000000 00000000 nt!MmLoadSystemImage (FPO: [Non-Fpo])
f9e9fd4c 80550cfb 000004e4 00000001 00000000 nt!IopLoadDriver+0x311 (FPO: [4,40,3])
f9e9fd74 804ed629 000004e4 00000000 817c73c8 nt!IopLoadUnloadDriver+0x43 (FPO: [Non-Fpo])
f9e9fdac 8057c73a f9afbcf4 00000000 00000000 nt!ExpWorkerThread+0xfe (FPO: [Non-Fpo])
f9e9fddc 805124c1 804ed556 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
nt!MmLoadSystemImage:
8055cacf 6874010000 push 174h
kd> dd f9e9fc80 l8
f9e9fc80 00000246 80558b1e f9e9fd40 00000000
f9e9fc90 00000000 00000000 f9e9fd24 f9e9fd30
kd> gu
nt!IopLoadDriver+0x311:
80558b1e 3bc3 cmp eax,ebx
eax=00000000
f9e9fd30 f9072000
kd> ? $iment(f9072000)
^ Unknown image error in '? $iment(f9072000)'
kd> dt _image_dos_header f9072000
nt!_IMAGE_DOS_HEADER
+0x000 e_magic : 0x5a4d
+0x002 e_cblp : 0x90
+0x004 e_cp : 3
+0x006 e_crlc : 0
+0x008 e_cparhdr : 4
+0x00a e_minalloc : 0
+0x00c e_maxalloc : 0xffff
+0x00e e_ss : 0
+0x010 e_sp : 0xb8
+0x012 e_csum : 0
+0x014 e_ip : 0
+0x016 e_cs : 0
+0x018 e_lfarlc : 0x40
+0x01a e_ovno : 0
+0x01c e_res : [4] 0
+0x024 e_oemid : 0
+0x026 e_oeminfo : 0
+0x028 e_res2 : [10] 0
+0x03c e_lfanew : 0n224
kd> dt -r2 _image_nt_headers f9072000+0n224
ntdll!_IMAGE_NT_HEADERS
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x000 Machine : 0x14c
+0x002 NumberOfSections : 5
+0x004 TimeDateStamp : 0x490f76f9
+0x008 PointerToSymbolTable : 0
+0x00c NumberOfSymbols : 0
+0x010 SizeOfOptionalHeader : 0xe0
+0x012 Characteristics : 0x2102
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
+0x000 Magic : 0x10b
+0x002 MajorLinkerVersion : 0x8 ''
+0x003 MinorLinkerVersion : 0 ''
+0x004 SizeOfCode : 0x2400
+0x008 SizeOfInitializedData : 0xa800
+0x00c SizeOfUninitializedData : 0
+0x010 AddressOfEntryPoint : 0x2c13
+0x014 BaseOfCode : 0x1000
+0x018 BaseOfData : 0x4000
+0x01c ImageBase : 0x10000000
+0x020 SectionAlignment : 0x1000
+0x024 FileAlignment : 0x200
+0x028 MajorOperatingSystemVersion : 4
+0x02a MinorOperatingSystemVersion : 0
+0x02c MajorImageVersion : 0
+0x02e MinorImageVersion : 0
+0x030 MajorSubsystemVersion : 4
+0x032 MinorSubsystemVersion : 0
+0x034 Win32VersionValue : 0
+0x038 SizeOfImage : 0x12000
+0x03c SizeOfHeaders : 0x400
+0x040 CheckSum : 0xf4d3
+0x044 Subsystem : 1
+0x046 DllCharacteristics : 0
+0x048 SizeOfStackReserve : 0x100000
+0x04c SizeOfStackCommit : 0x1000
+0x050 SizeOfHeapReserve : 0x100000
+0x054 SizeOfHeapCommit : 0x1000
+0x058 LoaderFlags : 0
+0x05c NumberOfRvaAndSizes : 0x10
+0x060 DataDirectory : [16] _IMAGE_DATA_DIRECTORY
+0x000 VirtualAddress : 0
+0x004 Size : 0
kd> bp f9072000+2c13
kd> bl
0 e 8055cacf 0001 (0001) nt!MmLoadSystemImage "aS /msu ${ModuleName} poi(@esp+4); .block {.echo ${ModuleName}; r @$t1 = $spat(@\"${ModuleName}\", \"*tdss*\"); }; ad /q ${ModuleName}; .if(@$t1<=0) {g} .else { kv }"
1 e f9074c13 0001 (0001)
Breakpoint 1 hit
f9074c13 eb2a jmp f9074c3f
The breakpoint hits, and the debugging journey can begin from here. But why does the module-load breakpoint not work for the TDSS driver?
==============================================================================================
Shutdown occurred at (Fri Mar 23 15:16:11.518 2012 (UTC + 8:00))...unloading all symbol tables.
Waiting to reconnect...
......
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
System Uptime: not available
0005ffc4 "\WINDOWS\system32\ntoskrnl.exe"
ChildEBP RetAddr Args to Child
0005ff80 804d88e7 000600c4 0005ff94 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
0005ffa4 80656c46 000600c4 804d4000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
000600cc 80691ac8 00000000 80087000 80542268 nt!KdInitSystem+0x23e (FPO: [Non-Fpo])
00060100 00420e53 80087000 00467904 00438ab7 nt!KiSystemStartup+0x264
WARNING: Frame IP not in any known module. Following frames may be wrong.
00060e3c 0041ec40 00000007 00060e5c 00000000 0x420e53
00060ecc 004014fe 004678e0 0047164f 00051d68 0x41ec40
00061ff0 10101010 00000002 00000000 04e4000d 0x4014fe
00061ff4 00000000 00000000 04e4000d 003f0001 0x10101010
nt!DebugService2+0xe:
804d88ad cc int 3
kd> bu serial!driverentry
kd> bl
0 eu 0001 (0001) (serial!driverentry)
Breakpoint 0 hit
serial!DriverEntry:
f9b26793 53 push ebx
kd> kv
ChildEBP RetAddr Args to Child
f9e9b854 80558d13 81686480 81684000 00000000 serial!DriverEntry (FPO: [2,0,3])
f9e9b910 80555417 80000370 81684000 81686480 nt!IopLoadDriver+0x5e0 (FPO: [4,40,3])
f9e9b954 80571f85 e1492f20 00000001 80000370 nt!PipCallDriverAddDeviceQueryRoutine+0x239 (FPO: [Non-Fpo])
f9e9b9a0 80571fb3 f9e9ba2c e1492f0c f9e9ba00 nt!RtlpCallQueryRegistryRoutine+0x3af (FPO: [Non-Fpo])
f9e9ba04 8055a84d 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2a4 (FPO: [Non-Fpo])
f9e9bad8 8055a657 00000000 00000001 f9e9bd54 nt!PipCallDriverAddDevice+0x237 (FPO: [3,43,3])
f9e9bd24 805a9093 817b54c8 00000001 00000000 nt!PipProcessDevNodeTree+0x147 (FPO: [Non-Fpo])
f9e9bd4c 805071b0 00000003 80549fc0 8054eddc nt!PiProcessStartSystemDevices+0x38 (FPO: [Non-Fpo])
f9e9bd74 804ed629 00000000 00000000 817c7640 nt!PipDeviceActionWorker+0x158 (FPO: [Non-Fpo])
f9e9bdac 8057c73a 00000000 00000000 00000000 nt!ExpWorkerThread+0xfe (FPO: [Non-Fpo])
f9e9bddc 805124c1 804ed556 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
kd> .reboot
Shutdown occurred at (Fri Mar 23 22:07:42.387 2012 (UTC + 8:00))...unloading all symbol tables.
Waiting to reconnect...
......
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
System Uptime: not available
String(30,31) at 000600c4: \WINDOWS\system32\ntoskrnl.exe
ChildEBP RetAddr Args to Child
0005ff80 804d88e7 000600c4 0005ff94 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
0005ffa4 80656c46 000600c4 804d4000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
000600cc 80691ac8 00000000 80087000 80542268 nt!KdInitSystem+0x23e (FPO: [Non-Fpo])
00060100 00420e53 80087000 00467904 00438ab7 nt!KiSystemStartup+0x264
WARNING: Frame IP not in any known module. Following frames may be wrong.
00060e3c 0041ec40 00000007 00060e5c 00000000 0x420e53
00060ecc 004014fe 004678e0 0047164f 00051d68 0x41ec40
00061ff0 10101010 00000002 00000000 04e4000d 0x4014fe
00061ff4 00000000 00000000 04e4000d 003f0001 0x10101010
nt!DebugService2+0xe:
804d88ad cc int 3
Shutdown occurred at (Fri Mar 23 16:34:59.709 2012 (UTC + 8:00))...unloading all symbol tables.
Waiting to reconnect...
......
Machine Name:
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
System Uptime: not available
0005ffc4 "\WINDOWS\system32\ntoskrnl.exe"
ChildEBP RetAddr Args to Child
0005ff80 804d88e7 000600c4 0005ff94 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
0005ffa4 80656c46 000600c4 804d4000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
000600cc 80691ac8 00000000 80087000 80542268 nt!KdInitSystem+0x23e (FPO: [Non-Fpo])
00060100 00420e53 80087000 00467904 00438ab7 nt!KiSystemStartup+0x264
WARNING: Frame IP not in any known module. Following frames may be wrong.
00060e3c 0041ec40 00000007 00060e5c 00000000 0x420e53
00060ecc 004014fe 004678e0 0047164f 00051d68 0x41ec40
00061ff0 10101010 00000002 00000000 04e4000d 0x4014fe
00061ff4 00000000 00000000 04e4000d 003f0001 0x10101010
nt!DebugService2+0xe:
804d88ad cc int 3
f9e63634 80690e14
eax=c0000034
f9e63634 80690e14
f9e63634 80690e14
eax=c0000034
f9e63634 80690e14
f9e63634 80690e14
eax=c0000034
f9e63634 80690e14
f9e63634 80690e14
eax=c0000034
f9e63634 80690e14
f9e63634 80690e14
eax=c0000034
f9e63634 80690e14
f9e9bd30 00000018
eax=00000000
f9e9bd30 f8f2a000
......
nt!MmLoadSystemImage+0x9ca:
8055c919 ff37 push dword ptr [edi]
8055c91b e887050000 call nt!CacheImageSymbols (8055cea7)
8055c920 85c0 test eax,eax
8055c922 0f8487000000 je nt!MmLoadSystemImage+0xa6f (8055c9af)
8055c928 66837da416 cmp word ptr [ebp-5Ch],16h
8055c92d 0f867bd70700 jbe nt!MmLoadSystemImage+0xa38 (805da0ae)
8055c933 6a0b push 0Bh
8055c935 68ee915980 push offset nt!MmGetSystemRoutineAddress+0x124 (805991ee)
8055c93a ff75a8 push dword ptr [ebp-58h]
8055c93d e8a986f8ff call nt!_wcsnicmp (804e4feb)
8055c942 83c40c add esp,0Ch
8055c945 85c0 test eax,eax
8055c947 0f8561d70700 jne nt!MmLoadSystemImage+0xa38 (805da0ae)
8055c94d 8b45a4 mov eax,dword ptr [ebp-5Ch]
8055c950 89851cffffff mov dword ptr [ebp-0E4h],eax
8055c956 8b45a8 mov eax,dword ptr [ebp-58h]
8055c959 898520ffffff mov dword ptr [ebp-0E0h],eax
8055c95f 83c016 add eax,16h
8055c962 898520ffffff mov dword ptr [ebp-0E0h],eax
8055c968 6683851cffffffea add word ptr [ebp-0E4h],0FFEAh
8055c970 8d851cffffff lea eax,[ebp-0E4h]
8055c976 50 push eax
8055c977 683400dfff push 0FFDF0034h
8055c97c 6806925980 push offset nt!MmGetSystemRoutineAddress+0x13c (80599206)
8055c981 ff75cc push dword ptr [ebp-34h]
8055c984 e8c9bef7ff call nt!sprintf (804d8852)
8055c989 83c410 add esp,10h
8055c98c ff75cc push dword ptr [ebp-34h]
8055c98f 8d8514ffffff lea eax,[ebp-0ECh]
8055c995 50 push eax
8055c996 e8f23bfbff call nt!RtlInitString (8051058d)
8055c99b 6aff push 0FFFFFFFFh
8055c99d ff37 push dword ptr [edi]
8055c99f 8d8514ffffff lea eax,[ebp-0ECh]
8055c9a5 50 push eax
8055c9a6 e806bff7ff call nt!DbgLoadImageSymbols (804d88b1)
8055c9ab 804b3610 or byte ptr [ebx+36h],10h
......
nt!CacheImageSymbols:
8055cea7 6a10 push 10h
8055cea9 6820f44f80 push offset nt!MMDB+0x18 (804ff420)
8055ceae e86e4efbff call nt!_SEH_prolog (80511d21)
8055ceb3 8365fc00 and dword ptr [ebp-4],0
8055ceb7 8d45e4 lea eax,[ebp-1Ch]
8055ceba 50 push eax
8055cebb 6a06 push 6
8055cebd 6a01 push 1
8055cebf ff7508 push dword ptr [ebp+8]
8055cec2 e8c2abf9ff call nt!RtlImageDirectoryEntryToData (804f7a89)
8055cec7 8945e0 mov dword ptr [ebp-20h],eax
8055ceca 85c0 test eax,eax
8055cecc 740f je nt!CacheImageSymbols+0x37 (8055cedd)
8055cece 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
8055ced2 33c0 xor eax,eax
8055ced4 40 inc eax
8055ced5 e8804efbff call nt!_SEH_epilog (80511d5a)
8055ceda c20400 ret 4
8055cedd 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
8055cee1 33c0 xor eax,eax
8055cee3 ebf0 jmp nt!CacheImageSymbols+0x3d (8055ced5)
A simple experiment can also be done: strip the debug information from serial.sys with a tool and test again.
Reboot the system, set the advanced conditional breakpoint from above once more, and the output gains one more entry:
\SystemRoot\System32\DRIVERS\serial.sys
f9e9b8f4 f9e9ba80
eax=00000000
f9e9b8f4 f9afc000
Like TDSS, serial.sys also loads successfully, but DbgLoadImageSymbols is not called.
Now try the module-load breakpoint again:
kd> sxe ld:serial
kd> .reboot
Shutdown occurred at (Sun Mar 25 11:52:08.382 2012 (UTC + 8:00))...unloading all symbol tables.
Waiting to reconnect...
......
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
System Uptime: not available
As expected, the OS finishes booting, but the module-load breakpoint does not fire. The debug log below proves the same point from another angle.
kd> .reboot
Shutdown occurred at (Sun Mar 25 12:27:35.747 2012 (UTC + 8:00))...unloading all symbol tables.
Waiting to reconnect...
......
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
System Uptime: not available
String(30,31) at 000600c4: \WINDOWS\system32\ntoskrnl.exe
ChildEBP RetAddr Args to Child
0005ff80 804d88e7 000600c4 0005ff94 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
0005ffa4 80656c46 000600c4 804d4000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
000600cc 80691ac8 00000000 80087000 80542268 nt!KdInitSystem+0x23e (FPO: [Non-Fpo])
00060100 00420e53 80087000 00467904 00438ab7 nt!KiSystemStartup+0x264
WARNING: Frame IP not in any known module. Following frames may be wrong.
00060e3c 0041ec40 00000007 00060e5c 00000000 0x420e53
00060ecc 004014fe 004678e0 0047164f 00051d68 0x41ec40
00061ff0 10101010 00000002 00000000 04e4000d 0x4014fe
00061ff4 00000000 00000000 04e4000d 003f0001 0x10101010
nt!DebugService2+0xe:
804d88ad cc int 3
Set a conditional breakpoint: if the function CacheImageSymbols returns 0, print its argument and the stack.
kd> bp CacheImageSymbols "r @$t1 = poi(@esp+4); gu; .if( eax > 0 ) { gc } .else { ? @$t1; kv }"
kd> g
Evaluate expression: -105988096 = f9aec000
ChildEBP RetAddr Args to Child
f9e9b844 80558b1e f9e9b904 00000000 00000000 nt!MmLoadSystemImage+0x9d1 (FPO: [Non-Fpo])
f9e9b910 80555417 8000054c 00000000 f9e9b900 nt!IopLoadDriver+0x311 (FPO: [4,40,3])
f9e9b954 80571f85 e1445b18 00000001 8000054c nt!PipCallDriverAddDeviceQueryRoutine+0x239 (FPO: [Non-Fpo])
f9e9b9a0 80571fb3 f9e9ba2c e1445b04 f9e9ba00 nt!RtlpCallQueryRegistryRoutine+0x3af (FPO: [Non-Fpo])
f9e9ba04 8055a84d 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2a4 (FPO: [Non-Fpo])
f9e9bad8 8055a657 00000000 00000001 f9e9bd54 nt!PipCallDriverAddDevice+0x237 (FPO: [3,43,3])
f9e9bd24 805a9093 817b54c8 00000001 00000000 nt!PipProcessDevNodeTree+0x147 (FPO: [Non-Fpo])
f9e9bd4c 805071b0 00000003 80549fc0 8054eddc nt!PiProcessStartSystemDevices+0x38 (FPO: [Non-Fpo])
f9e9bd74 804ed629 00000000 00000000 817c7640 nt!PipDeviceActionWorker+0x158 (FPO: [Non-Fpo])
f9e9bdac 8057c73a 00000000 00000000 00000000 nt!ExpWorkerThread+0xfe (FPO: [Non-Fpo])
f9e9bddc 805124c1 804ed556 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
nt!MmLoadSystemImage+0x9d1:
8055c920 85c0 test eax,eax
kd> !ustr poi(@ebp+8); r @$t1=poi(@ebp+1c); dd @$t1 l1; gu ; r eax;
String(78,80) at f9e9b904: \SystemRoot\System32\DRIVERS\serial.sys
f9e9b8f4 f9aec000
eax=00000000
kd> ? $iment(f9aec000)
^ Unknown image error in '? $iment(f9aec000)'
kd> g
Evaluate expression: -118317056 = f8f2a000
ChildEBP RetAddr Args to Child
f9e9bc80 80558b1e f9e9bd40 00000000 00000000 nt!MmLoadSystemImage+0x9d1 (FPO: [Non-Fpo])
f9e9bd4c 80550cfb 000003e4 00000001 00000000 nt!IopLoadDriver+0x311 (FPO: [4,40,3])
f9e9bd74 804ed629 000003e4 00000000 817c7640 nt!IopLoadUnloadDriver+0x43 (FPO: [Non-Fpo])
f9e9bdac 8057c73a f9ccbcf4 00000000 00000000 nt!ExpWorkerThread+0xfe (FPO: [Non-Fpo])
f9e9bddc 805124c1 804ed556 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
nt!MmLoadSystemImage+0x9d1:
8055c920 85c0 test eax,eax
kd> !ustr poi(@ebp+8); r @$t1=poi(@ebp+1c); dd @$t1 l1; gu ; r eax;
String(88,90) at f9e9bd40: \??\C:\WINDOWS\system32\drivers\TDSSpaxt.sys
f9e9bd30 f8f2a000
eax=00000000
kd> ? $iment(f8f2a000)
^ Unknown image error in '? $iment(f8f2a000)'
kd> g
During system startup, a total of 2 modules showed the problem: one is serial.sys, whose debug directory information was just stripped, and the other is TDSS. $iment depends on the debug symbols, and for a module without a debug directory it fails.
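The manual header walk above (e_lfanew, then AddressOfEntryPoint under _IMAGE_NT_HEADERS) and the CacheImageSymbols disassembly (RtlImageDirectoryEntryToData with directory index 6, the debug directory) can be reproduced offline. The following is an added example, not code from the original post: it parses PE32 headers from an in-memory image, computes the loaded entry address the way `bp base+AddressOfEntryPoint` does, and reports whether the debug directory that DbgLoadImageSymbols depends on is present. The images it parses are constructed header-only samples using the header values from the page, not real drivers.

```python
import struct

# Field offsets as shown by the page's `dt _IMAGE_DOS_HEADER` / `dt -r2 _IMAGE_NT_HEADERS` dumps.
IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x4550         # "PE\0\0"
IMAGE_DIRECTORY_ENTRY_DEBUG = 6     # the index CacheImageSymbols pushes before RtlImageDirectoryEntryToData
E_LFANEW_OFF = 0x3C
FILE_HEADER_OFF = 0x04              # FileHeader follows the 4-byte Signature
OPTIONAL_HEADER_OFF = 0x18
ENTRY_POINT_OFF = 0x10              # AddressOfEntryPoint inside _IMAGE_OPTIONAL_HEADER
NUM_RVA_OFF = 0x5C                  # NumberOfRvaAndSizes
DATA_DIRECTORY_OFF = 0x60           # DataDirectory[16]


def parse_loaded_image(image: bytes, image_base: int) -> dict:
    """Walk the PE headers of an image mapped at image_base, as done by hand on the page."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad PE signature")
    machine, nsections = struct.unpack_from("<HH", image, e_lfanew + FILE_HEADER_OFF)
    opt = e_lfanew + OPTIONAL_HEADER_OFF
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled, as on the page")
    entry_rva = struct.unpack_from("<I", image, opt + ENTRY_POINT_OFF)[0]
    num_rva = struct.unpack_from("<I", image, opt + NUM_RVA_OFF)[0]
    debug_va = debug_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_DEBUG:
        debug_va, debug_size = struct.unpack_from(
            "<II", image, opt + DATA_DIRECTORY_OFF + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    return {
        "machine": machine,
        "sections": nsections,
        # Same address the page reaches with `ln base+AddressOfEntryPoint` / `bp base+...`.
        "entry_point": image_base + entry_rva,
        # An empty directory makes RtlImageDirectoryEntryToData return NULL, so CacheImageSymbols
        # returns 0, DbgLoadImageSymbols is never called and the debugger sees no load event.
        "has_debug_directory": debug_va != 0 and debug_size != 0,
    }


def build_image(e_lfanew: int, entry_rva: int, debug_va: int = 0, debug_size: int = 0) -> bytes:
    """Constructed minimal PE32 header image for testing (not a real driver)."""
    buf = bytearray(e_lfanew + OPTIONAL_HEADER_OFF + 0xE0)
    struct.pack_into("<H", buf, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", buf, E_LFANEW_OFF, e_lfanew)
    struct.pack_into("<I", buf, e_lfanew, IMAGE_NT_SIGNATURE)
    # FileHeader: Machine=i386, NumberOfSections=8, SizeOfOptionalHeader=0xe0
    struct.pack_into("<HH", buf, e_lfanew + FILE_HEADER_OFF, 0x14C, 8)
    struct.pack_into("<H", buf, e_lfanew + FILE_HEADER_OFF + 0x10, 0xE0)
    opt = e_lfanew + OPTIONAL_HEADER_OFF
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<I", buf, opt + ENTRY_POINT_OFF, entry_rva)
    struct.pack_into("<I", buf, opt + NUM_RVA_OFF, 16)
    struct.pack_into("<II", buf, opt + DATA_DIRECTORY_OFF + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG,
                     debug_va, debug_size)
    return bytes(buf)


if __name__ == "__main__":
    # serial.sys values from the page: e_lfanew 0n208, entry 0xa793, loaded at f9b1c000.
    # The debug directory RVA/size here are constructed, since the page does not dump them.
    serial = parse_loaded_image(build_image(208, 0xA793, 0x3000, 0x1C), 0xF9B1C000)
    # TDSS values from the page: e_lfanew 0n224, entry 0x2c13, loaded at f9072000, no debug dir.
    tdss = parse_loaded_image(build_image(224, 0x2C13), 0xF9072000)
    for name, info in (("serial.sys", serial), ("TDSSpaxt.sys", tdss)):
        print(f"{name}: entry {info['entry_point']:08x}, "
              f"load event expected: {info['has_debug_directory']}")
```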
4. How is the driver's entry point called?
Again we have to start from the code; reboot the system:
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Sun Mar 25 13:29:15.138 2012 (UTC + 8:00)), ptr64 FALSE
Kernel Debugger connection established.
......
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
System Uptime: not available
String(30,31) at 000600c4: \WINDOWS\system32\ntoskrnl.exe
ChildEBP RetAddr Args to Child
0005ff80 804d88e7 000600c4 0005ff94 00000003 nt!DebugService2+0xe (FPO: [3,0,0])
0005ffa4 80656c46 000600c4 804d4000 ffffffff nt!DbgLoadImageSymbols+0x40 (FPO: [Non-Fpo])
000600cc 80691ac8 00000000 80087000 80542268 nt!KdInitSystem+0x23e (FPO: [Non-Fpo])
00060100 00420e53 80087000 00467904 00438ab7 nt!KiSystemStartup+0x264
WARNING: Frame IP not in any known module. Following frames may be wrong.
00060e3c 0041ec40 00000007 00060e5c 00000000 0x420e53
00060ecc 004014fe 004678e0 0047164f 00051d68 0x41ec40
00061ff0 10101010 00000002 00000000 04e4000d 0x4014fe
00061ff4 00000000 00000000 04e4000d 003f0001 0x10101010
nt!DebugService2+0xe:
804d88ad cc int 3
Set the breakpoint and repeat the experiment above. The first breakpoint will hit at serial.sys, which we use as the example:
kd> bp CacheImageSymbols "r @$t1 = poi(@esp+4); gu; .if( eax > 0 ) { gc } .else { ? @$t1; kv }"
kd> g
Evaluate expression: -105988096 = f9aec000
ChildEBP RetAddr Args to Child
f9e9f844 80558b1e f9e9f904 00000000 00000000 nt!MmLoadSystemImage+0x9d1 (FPO: [Non-Fpo])
f9e9f910 80555417 80000548 00000000 f9e9f900 nt!IopLoadDriver+0x311 (FPO: [4,40,3])
f9e9f954 80571f85 e1444fb0 00000001 80000548 nt!PipCallDriverAddDeviceQueryRoutine+0x239 (FPO: [Non-Fpo])
f9e9f9a0 80571fb3 f9e9fa2c e1444f9c f9e9fa00 nt!RtlpCallQueryRegistryRoutine+0x3af (FPO: [Non-Fpo])
f9e9fa04 8055a84d 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2a4 (FPO: [Non-Fpo])
f9e9fad8 8055a657 00000000 00000001 f9e9fd54 nt!PipCallDriverAddDevice+0x237 (FPO: [3,43,3])
f9e9fd24 805a9093 817b54c8 00000001 00000000 nt!PipProcessDevNodeTree+0x147 (FPO: [Non-Fpo])
f9e9fd4c 805071b0 00000003 80549fc0 8054eddc nt!PiProcessStartSystemDevices+0x38 (FPO: [Non-Fpo])
f9e9fd74 804ed629 00000000 00000000 817c73c8 nt!PipDeviceActionWorker+0x158 (FPO: [Non-Fpo])
f9e9fdac 8057c73a 00000000 00000000 00000000 nt!ExpWorkerThread+0xfe (FPO: [Non-Fpo])
f9e9fddc 805124c1 804ed556 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
nt!MmLoadSystemImage+0x9d1:
8055c920 85c0 test eax,eax
kd> !dh -f f9aec000
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
8 number of sections
3D6DE48B time date stamp Thu Aug 29 17:08:27 2002
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
7.00 linker version
C200 size of code
2E80 size of initialized data
0 size of uninitialized data
A793 address of entry point
380 base of code
......
kd> bp f9aec000+A793
kd> g
Breakpoint 1 hit
f9af6793 53 push ebx
This stops at serial.sys!DriverEntry, that is, at the driver's entry point.
kd> kv
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
f9e9f854 80558d13 816bc2c8 816ae000 00000000 0xf9af6793
f9e9f910 80555417 80000548 816ae000 816bc2c8 nt!IopLoadDriver+0x5e0 (FPO: [4,40,3])
f9e9f954 80571f85 e1444fb0 00000001 80000548 nt!PipCallDriverAddDeviceQueryRoutine+0x239 (FPO: [Non-Fpo])
f9e9f9a0 80571fb3 f9e9fa2c e1444f9c f9e9fa00 nt!RtlpCallQueryRegistryRoutine+0x3af (FPO: [Non-Fpo])
f9e9fa04 8055a84d 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2a4 (FPO: [Non-Fpo])
f9e9fad8 8055a657 00000000 00000001 f9e9fd54 nt!PipCallDriverAddDevice+0x237 (FPO: [3,43,3])
f9e9fd24 805a9093 817b54c8 00000001 00000000 nt!PipProcessDevNodeTree+0x147 (FPO: [Non-Fpo])
f9e9fd4c 805071b0 00000003 80549fc0 8054eddc nt!PiProcessStartSystemDevices+0x38 (FPO: [Non-Fpo])
f9e9fd74 804ed629 00000000 00000000 817c73c8 nt!PipDeviceActionWorker+0x158 (FPO: [Non-Fpo])
f9e9fdac 8057c73a 00000000 00000000 00000000 nt!ExpWorkerThread+0xfe (FPO: [Non-Fpo])
f9e9fddc 805124c1 804ed556 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
Look at the code to see how the driver entry is called:
kd> ub 80558d13
nt!IopLoadDriver+0x5cd:
80558d00 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
80558d02 8bc8 mov ecx,eax
80558d04 83e103 and ecx,3
80558d07 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
80558d09 8b7d78 mov edi,dword ptr [ebp+78h]
80558d0c ff7574 push dword ptr [ebp+74h]
80558d0f 57 push edi
80558d10 ff572c call dword ptr [edi+2Ch]
kd> dd ebp+74 l1
f9e9f91c 816ae000
kd> dS 816ae000
816ae008 "\REGISTRY\MACHINE\SYSTEM\Control"
816ae048 "Set001\Services\Serial"
The prototype of the driver entry is as follows:
NTSTATUS DriverEntry(
__in struct _DRIVER_OBJECT *DriverObject,
__in PUNICODE_STRING RegistryPath
);
Two parameters: the first is the driver object, the second is the registry path string.
kd> dt _driver_object 816bc2c8
ntdll!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : (null)
+0x008 Flags : 2
+0x00c DriverStart : 0xf9aec000 Void
+0x010 DriverSize : 0xf400
+0x014 DriverSection : 0x816bb868 Void
+0x018 DriverExtension : 0x816bc370 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\Serial"
+0x024 HardwareDatabase : 0x806680c8 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xf9af6793 long +fffffffff9af6793
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0x804f886f long nt!IopInvalidDeviceRequest+0
In other words, the function IopLoadDriver initializes the _DRIVER_OBJECT data structure and then calls the driver's entry point (+0x02c DriverInit).
Reposted from: https://blog.51cto.com/whatday/1382193