1、windows10版本
2、idapro7_5499
3、vs2008运行库(vcredist2008sp1.zip)
1、触发poc
#include
#include
int main()
{
WCHAR fileName[] = L”\\.\globalroot\device\condrv\kernelconnect”;
WIN32_FILE_ATTRIBUTE_DATA data;
GetFileAttributesEx(fileName, GetFileExInfoStandard, &data);
}
编译运行,蓝屏;
2、设置蓝屏生成dump
“我的电脑”->”属性”->”高级”->”启动与恢复设置”
3.1、符号路径设置
“File”->”Symbol File Path”,输入”SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols”
点击”Save Workspace”保存,避免下次打开还要重新输入配置;
3.2、windbg加载dump文件
Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\minidump\012721-9562-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
* Path validation summary **
Response Time (ms) Location
Deferred SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols
Symbol search path is: SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 18362 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xfffff80326600000 PsLoadedModuleList = 0xfffff803
26a48150
Debug session time: Wed Jan 27 17:43:46.105 2021 (UTC + 8:00)
System Uptime: 4 days 6:38:28.252
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
……………………………………………………….
…..
Loading User Symbols
Loading unloaded module list
………..
For analysis of this file, run !analyze -v
8: kd> !analyze -v
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80323b4b04f, Address of the instruction which caused the bugcheck
Arg3: fffff004a056c870, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-MAMOHSH
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 116
Key : Analysis.Memory.CommitPeak.Mb
Value: 79
Key : Analysis.System
Value: CreateObject
VIRTUAL_MACHINE: VMware
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff80323b4b04f
BUGCHECK_P3: fffff004a056c870
BUGCHECK_P4: 0
CONTEXT: fffff004a056c870 — (.cxr 0xfffff004a056c870)
rax=ffffd2081e3176a8 rbx=ffffd20822b8bbc0 rcx=0000000000000000
rdx=ffffd2081e317590 rsi=0000000000000000 rdi=ffffd2081e317590
rip=fffff80323b4b04f rsp=fffff004a056d260 rbp=0000000000000000
r8=ffffd2081e317590 r9=ffffd20821d638e0 r10=fffff80323b4b030
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=ffffd20821d638e0
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050286
condrv!CdpDispatchCleanup+0x1f:
fffff80323b4b04f 488b01 mov rax,qword ptr [rcx] ds:002b:00000000
00000000=????????????????
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: ConsoleApplica
STACK_TEXT:
fffff004a056d260 fffff803
26631f79 : ffffd2081e317590 fffff803
26631e5d 0000000000000000 00000000
00000000 : condrv!CdpDispatchCleanup+0x1f
fffff004a056d290 fffff803
26be42b8 : 0000000000000000 ffffd208
22b8bbc0 0000000000000000 ffffd208
1e317590 : nt!IofCallDriver+0x59
fffff004a056d2d0 fffff803
26be6939 : fffff004a056d820 00000000
00000001 ffffd2081e317590 fffff803
26be5b00 : nt!IopCloseFile+0x188
fffff004a056d360 fffff803
26bed1bf : ffffd20821d638e0 ffffd208
21d63800 ffffd20822bf3aa0 00000000
00000001 : nt!IopParseDevice+0xd79
fffff004a056d4d0 fffff803
26beb621 : ffffd20822bf3a00 fffff004
a056d718 0000000000000040 ffffca0e
016f26c0 : nt!ObpLookupObjectName+0x78f
fffff004a056d690 fffff803
26c30234 : 0000000000000001 00000000
0043e048 0000000000000028 00000000
0043e930 : nt!ObOpenObjectByNameEx+0x201
fffff004a056d7d0 fffff803
267d2d15 : ffffd208245b7080 00000000
00000000 ffffd208245b7080 ffffd208
213da760 : nt!NtQueryFullAttributesFile+0x1b4
fffff004a056da80 00007ffa
23f9e8b4 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiSystemServiceCopyEnd+0x25
000000000043e008 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : 0x00007ffa`23f9e8b4
SYMBOL_NAME: condrv!CdpDispatchCleanup+1f
MODULE_NAME: condrv
IMAGE_NAME: condrv.sys
IMAGE_VERSION: 10.0.18362.1350
STACK_COMMAND: .cxr 0xfffff004a056c870 ; kb
BUCKET_ID_FUNC_OFFSET: 1f
FAILURE_BUCKET_ID: 0x3B_c0000005_condrv!CdpDispatchCleanup
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {4713cd15-5baf-96a2-7e8b-3fec2da6a08d}Followup: MachineOwner
1、拷贝本机电脑(windows10操作系统)的condrv.sys文件到其它非C盘;
本次环境是在C:\Windows\WinSxS\amd64_microsoft-windows-console-driver_31bf3856ad364e35_10.0.18362.1_none_da133b564b0d4aee路径
2、idapro配置
为了在分析condrv.sys时自动加载微软提供的pdb调试符号文件,修改配置文件pdb.cfg(idapro安装根目录下的cfg文件底下),分别去掉PDBSYM_DOWNLOAD_PATH,PDBSYM_SYMPATH 注释
// PDB plugin
//
// The downloaded symbols are stored in the specified directory.
// Microsoft’s public symbol store is used for downloading the symbols.
//
// If this option is omitted or empty – use _NT_SYMBOL_PATH if set, otherwise use %TEMP%\ida directory
// If the value is not empty – use it
PDBSYM_DOWNLOAD_PATH = “c:\symbols”;
// Full symbol path (in _NT_SYMBOL_PATH format)
// If set, PDBSYM_DOWNLOAD_PATH and _NT_SYMBOL_PATH are ignored
PDBSYM_SYMPATH = “SRVc:\symbolshttp://symbols.mozilla.org/firefox;SRVc:\symbolshttp://msdl.microsoft.com/download/symbols”;
// remote server where win32_remote.exe is running
// used when loading PDB symbols on non-Windows platforms
// NB: it will be used only if there is not already an existing debugging session started
PDB_REMOTE_SERVER = “localhost”;
PDB_REMOTE_PORT = 23946
// password for the remote server
PDB_REMOTE_PASSWD = “”;
endif
首次打开condrv.sys,会询问并根据上面的配置下载符号文件到本地
出现下面的错误,是因为pdb.cfg配置文件中的符号本地存储路径不存在,手动创建C盘symbols文件夹即可;
3、vs2008 rumtime环境安装
重新打开idapro后,发现会报如下错误:failed to load pdb info. 不支持此接口
搜索得到的解决方案主要有两种情况
1、condrv.sys不要放在包含中文字符的路径;
2、需要安装vs2008 rumtime环境;
这里是因为第二种原因,安装后,再重新打开idapro加载condrv.sys文件
下载并加载好符号文件后,对应的函数名称就显示出来了
对比没加载符号文件的情况
4、最后,可以参考1的文件进行静态分析跟踪,蓝屏直接原因,condrv的设备对象,随后关闭该对象的时候进入IRP_MJ_CLEANUP分发函数,尝试释放资源,但在创建的时候由于被拒绝所以没有分配任何资源,导致释放资源时访问空指针最后系统BSOD。
查看原文
参考:
1、https://blog.csdn.net/xuandao_ahfengren/article/details/112855004
2、https://bbs.pediy.com/thread-265438.htm