Windows10蓝屏触发及分析

一、重现环境:

1、windows10版本

Windows10蓝屏触发及分析_第1张图片

2、idapro7_5499
3、vs2008运行库(vcredist2008sp1.zip)

二、触发蓝屏

1、触发poc

#include
#include

int main()
{
WCHAR fileName[] = L”\\.\globalroot\device\condrv\kernelconnect”;
WIN32_FILE_ATTRIBUTE_DATA data;
GetFileAttributesEx(fileName, GetFileExInfoStandard, &data);
}

编译运行,蓝屏;

2、设置蓝屏生成dump
“我的电脑”->”属性”->”高级”->”启动与恢复设置”

Windows10蓝屏触发及分析_第2张图片

Windows10蓝屏触发及分析_第3张图片

Windows10蓝屏触发及分析_第4张图片

三、windbg分析

3.1、符号路径设置
“File”->”Symbol File Path”,输入”SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols”

Windows10蓝屏触发及分析_第5张图片

Windows10蓝屏触发及分析_第6张图片

点击”Save Workspace”保存,避免下次打开还要重新输入配置;

Windows10蓝屏触发及分析_第7张图片

3.2、windbg加载dump文件

Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\minidump\012721-9562-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

* Path validation summary **
Response Time (ms) Location
Deferred SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols
Symbol search path is: SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 18362 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xfffff80326600000 PsLoadedModuleList = 0xfffff80326a48150
Debug session time: Wed Jan 27 17:43:46.105 2021 (UTC + 8:00)
System Uptime: 4 days 6:38:28.252
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
……………………………………………………….
…..
Loading User Symbols
Loading unloaded module list
………..
For analysis of this file, run !analyze -v
8: kd> !analyze -v


  • *
  • Bugcheck Analysis *
  • *

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80323b4b04f, Address of the instruction which caused the bugcheck
Arg3: fffff004a056c870, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 2

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-MAMOHSH

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 116

Key  : Analysis.Memory.CommitPeak.Mb
Value: 79

Key  : Analysis.System
Value: CreateObject

VIRTUAL_MACHINE: VMware

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff80323b4b04f

BUGCHECK_P3: fffff004a056c870

BUGCHECK_P4: 0

CONTEXT: fffff004a056c870 — (.cxr 0xfffff004a056c870)
rax=ffffd2081e3176a8 rbx=ffffd20822b8bbc0 rcx=0000000000000000
rdx=ffffd2081e317590 rsi=0000000000000000 rdi=ffffd2081e317590
rip=fffff80323b4b04f rsp=fffff004a056d260 rbp=0000000000000000
r8=ffffd2081e317590 r9=ffffd20821d638e0 r10=fffff80323b4b030
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=ffffd20821d638e0
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050286
condrv!CdpDispatchCleanup+0x1f:
fffff80323b4b04f 488b01 mov rax,qword ptr [rcx] ds:002b:0000000000000000=????????????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: ConsoleApplica

STACK_TEXT:
fffff004a056d260 fffff80326631f79 : ffffd2081e317590 fffff80326631e5d 0000000000000000 0000000000000000 : condrv!CdpDispatchCleanup+0x1f
fffff004a056d290 fffff80326be42b8 : 0000000000000000 ffffd20822b8bbc0 0000000000000000 ffffd2081e317590 : nt!IofCallDriver+0x59
fffff004a056d2d0 fffff80326be6939 : fffff004a056d820 0000000000000001 ffffd2081e317590 fffff80326be5b00 : nt!IopCloseFile+0x188
fffff004a056d360 fffff80326bed1bf : ffffd20821d638e0 ffffd20821d63800 ffffd20822bf3aa0 0000000000000001 : nt!IopParseDevice+0xd79
fffff004a056d4d0 fffff80326beb621 : ffffd20822bf3a00 fffff004a056d718 0000000000000040 ffffca0e016f26c0 : nt!ObpLookupObjectName+0x78f
fffff004a056d690 fffff80326c30234 : 0000000000000001 000000000043e048 0000000000000028 000000000043e930 : nt!ObOpenObjectByNameEx+0x201
fffff004a056d7d0 fffff803267d2d15 : ffffd208245b7080 0000000000000000 ffffd208245b7080 ffffd208213da760 : nt!NtQueryFullAttributesFile+0x1b4
fffff004a056da80 00007ffa23f9e8b4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
000000000043e008 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffa`23f9e8b4

SYMBOL_NAME: condrv!CdpDispatchCleanup+1f

MODULE_NAME: condrv

IMAGE_NAME: condrv.sys

IMAGE_VERSION: 10.0.18362.1350

STACK_COMMAND: .cxr 0xfffff004a056c870 ; kb

BUCKET_ID_FUNC_OFFSET: 1f

FAILURE_BUCKET_ID: 0x3B_c0000005_condrv!CdpDispatchCleanup

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {4713cd15-5baf-96a2-7e8b-3fec2da6a08d}Followup: MachineOwner

四、idapro分析condrv.sys

1、拷贝本机电脑(windows10操作系统)的condrv.sys文件到其它非C盘;
本次环境是在C:\Windows\WinSxS\amd64_microsoft-windows-console-driver_31bf3856ad364e35_10.0.18362.1_none_da133b564b0d4aee路径

2、idapro配置
为了在分析condrv.sys时自动加载微软提供的pdb调试符号文件,修改配置文件pdb.cfg(idapro安装根目录下的cfg文件底下),分别去掉PDBSYM_DOWNLOAD_PATH,PDBSYM_SYMPATH 注释

// PDB plugin

ifdef PC // INTEL 80×86 PROCESSORS

//
// The downloaded symbols are stored in the specified directory.
// Microsoft’s public symbol store is used for downloading the symbols.
//
// If this option is omitted or empty – use _NT_SYMBOL_PATH if set, otherwise use %TEMP%\ida directory
// If the value is not empty – use it

PDBSYM_DOWNLOAD_PATH = “c:\symbols”;

// Full symbol path (in _NT_SYMBOL_PATH format)
// If set, PDBSYM_DOWNLOAD_PATH and _NT_SYMBOL_PATH are ignored
PDBSYM_SYMPATH = “SRVc:\symbolshttp://symbols.mozilla.org/firefox;SRVc:\symbolshttp://msdl.microsoft.com/download/symbols”;

// remote server where win32_remote.exe is running
// used when loading PDB symbols on non-Windows platforms
// NB: it will be used only if there is not already an existing debugging session started
PDB_REMOTE_SERVER = “localhost”;
PDB_REMOTE_PORT = 23946
// password for the remote server
PDB_REMOTE_PASSWD = “”;

endif

首次打开condrv.sys,会询问并根据上面的配置下载符号文件到本地

Windows10蓝屏触发及分析_第8张图片

出现下面的错误,是因为pdb.cfg配置文件中的符号本地存储路径不存在,手动创建C盘symbols文件夹即可;

Windows10蓝屏触发及分析_第9张图片

3、vs2008 rumtime环境安装
重新打开idapro后,发现会报如下错误:failed to load pdb info. 不支持此接口
搜索得到的解决方案主要有两种情况
1、condrv.sys不要放在包含中文字符的路径;
2、需要安装vs2008 rumtime环境;

Windows10蓝屏触发及分析_第10张图片

这里是因为第二种原因,安装后,再重新打开idapro加载condrv.sys文件
下载并加载好符号文件后,对应的函数名称就显示出来了

Windows10蓝屏触发及分析_第11张图片

对比没加载符号文件的情况

Windows10蓝屏触发及分析_第12张图片

4、最后,可以参考1的文件进行静态分析跟踪,蓝屏直接原因,condrv的设备对象,随后关闭该对象的时候进入IRP_MJ_CLEANUP分发函数,尝试释放资源,但在创建的时候由于被拒绝所以没有分配任何资源,导致释放资源时访问空指针最后系统BSOD。

查看原文

参考:
1、https://blog.csdn.net/xuandao_ahfengren/article/details/112855004
2、https://bbs.pediy.com/thread-265438.htm

你可能感兴趣的:(信息安全)