2011-01-26

WinDbg notes

Scenario 1
dispatch level > APC level > passive level
When you see a blue screen, use the bug check code to find out what happened.
!analyze -v
mov edi,edi turns out to be at the entry point of every function; the reason: "Microsoft ships security updates all the time, so this spot can be rewritten into a jmp ..." (the hot-patch point).
Commands you must know: "!analyze -v", dv, dt, r, db, eb, "?? variable=value", ub, uf, u, k, kp, kP, bl, bc, bp, bu, bm (/1, /t, /p), x, .logopen, .logclose, .reload
vertarget, !process 0 0, lm, !drvobj, !devobj, !devstack, !devnode 0 1, !irpfind, !vm 1, !memusage, .chain, .trap, .cxr, .tss
!vm, !pool, !poolused, !poolvar, !memusage, !poolfind, !pte

Scenario 2
dt nt!_IRP addr
dt nt!_DEVICE_OBJECT addr
dt nt!_EPROCESS addr
!process 0 0
!process -1 0x1E
!thread -1 0xF
!thread ← a great tool for shifting the blame (just kidding)
.bugcheck
!verifier 3 SIoctl.sys

Scenario 3
kn
.frame 0
dv /V shows the rsp+xx offsets of the locals
ub, then u, to see the surrounding context
Ah, found the usual ptr = 0; *ptr = 1234; kind of bug.

f3cf6bbc f8b9a878 83a3ec00 00000000 00000420 nt!memset+0x41
!verifier 1
!pool 83a3ec00
The frame above is memset(0x83a3ec00, 0, 0x420); (the args column shows the destination, the fill byte and the length)
!verifier 1 shows how large the allocated pool block is (0x400)
and so: allocated too little, asked for too much (heh)
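Added example, not from the original notes: a user-mode C stand-in for the Scenario 3 pool overrun. The PoolBlock type, pool_alloc, the guard region after the usable bytes and all function names are assumptions made for this example (there is no kernel API here); the guard plays the role of the neighbouring pool block that the real memset clobbered, so the overrun is detectable without corrupting the process heap. fill_unchecked reproduces the bug (a 0x420-byte fill into a 0x400 block); fill_checked is the form that refuses both a NULL pointer and a length larger than the block.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for a pool allocation (assumption for this example):
 * the usable size is recorded the way !pool reports it, and a guard region
 * after the usable bytes lets us detect an overrun without corrupting the
 * process heap. */
#define GUARD_BYTES 0x40
#define GUARD_FILL  0xA5

typedef struct {
    size_t size;            /* usable bytes, e.g. 0x400 in Scenario 3 */
    unsigned char *data;    /* size + GUARD_BYTES bytes really allocated */
} PoolBlock;

PoolBlock *pool_alloc(size_t size) {
    PoolBlock *b = calloc(1, sizeof *b);
    if (b == NULL) return NULL;
    b->data = malloc(size + GUARD_BYTES);
    if (b->data == NULL) { free(b); return NULL; }
    b->size = size;
    memset(b->data + size, GUARD_FILL, GUARD_BYTES);   /* arm the guard */
    return b;
}

void pool_free(PoolBlock *b) {
    if (b == NULL) return;
    free(b->data);
    free(b);
}

/* 1 if the guard region is untouched, 0 if something wrote past b->size. */
int guard_intact(const PoolBlock *b) {
    for (size_t i = 0; i < GUARD_BYTES; i++)
        if (b->data[b->size + i] != GUARD_FILL) return 0;
    return 1;
}

/* The Scenario 3 bug as a function: 'len' bytes are filled without comparing
 * against the block size. Only tolerable here because the guard absorbs
 * overruns of up to GUARD_BYTES; anything larger would be real UB. */
void fill_unchecked(PoolBlock *b, int value, size_t len) {
    memset(b->data, value, len);
}

/* Hardened form: reject a NULL block (the ptr = 0; *ptr = 1234; case) and a
 * length larger than the block. Returns 0 on success, -1 on refusal. */
int fill_checked(PoolBlock *b, int value, size_t len) {
    if (b == NULL || b->data == NULL) return -1;
    if (len > b->size) return -1;
    memset(b->data, value, len);
    return 0;
}

/* Reproduce the numbers from the k frame: a 0x400 block, a 0x420 fill.
 * Returns 1 if the checked fill refused the request, the guard was intact
 * before the unchecked fill and clobbered after it; 0 otherwise. */
int demo_scenario3(void) {
    PoolBlock *b = pool_alloc(0x400);
    if (b == NULL) return 0;

    int checked_rc = fill_checked(b, 0, 0x420);   /* must be refused */
    int before = guard_intact(b);                  /* nothing written yet */
    fill_unchecked(b, 0, 0x420);                   /* the real bug */
    int after = guard_intact(b);                   /* 0x20 guard bytes zeroed */

    pool_free(b);
    return checked_rc == -1 && before == 1 && after == 0;
}

/* A fill that exactly fits (0x400 into 0x400) must succeed and leave the
 * guard alone. Returns 1 on that outcome, 0 otherwise. */
int demo_exact_fit(void) {
    PoolBlock *b = pool_alloc(0x400);
    if (b == NULL) return 0;
    int ok = fill_checked(b, 0, 0x400) == 0 && guard_intact(b) == 1;
    pool_free(b);
    return ok;
}

int main(void) {
    printf("scenario 3 overrun reproduced: %s\n", demo_scenario3() ? "yes" : "no");
    printf("exact-size fill accepted:       %s\n", demo_exact_fit() ? "yes" : "no");
    return 0;
}
```

The guard-byte check is the same idea Driver Verifier's special pool applies to real allocations: it is the length comparison in fill_checked, not the detection, that stops the corruption.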

Scenario 4
kd> !object \Driver
kd> !drvobj usbhub
Driver object (82931a00) is for:
\Driver\usbhub
Driver Extension List: (id , addr)

Device Object list:
82976918 82900c98
kd> !devstack 82976918
!DevObj !DrvObj !DevExt ObjectName
> 82976918 \Driver\usbhub 829769d0 00000063
8282e618 \Driver\usbuhci 8282e6d0 USBPDO-1
!DevNode 82926648 :
DeviceInst is "USB\ROOT_HUB\4&231024c6&0"
ServiceName is "usbhub"
kd> !devnode 82926648
DevNode 0x82926648 for PDO 0x8282e618
Parent 0x82a7aa68 Sibling 0000000000 Child 0000000000
InstancePath is "USB\ROOT_HUB\4&231024c6&0"
ServiceName is "usbhub"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)
StateHistory[09] = DeviceNodeEnumerateCompletion (0x30d)
StateHistory[08] = DeviceNodeStarted (0x308)
StateHistory[07] = DeviceNodeEnumerateCompletion (0x30d)
StateHistory[06] = DeviceNodeStarted (0x308)
StateHistory[05] = DeviceNodeStartPostWork (0x307)
StateHistory[04] = DeviceNodeStartCompletion (0x306)
StateHistory[03] = DeviceNodeResourcesAssigned (0x304)
StateHistory[02] = DeviceNodeDriversAdded (0x303)
StateHistory[01] = DeviceNodeInitialized (0x302)
StateHistory[00] = DeviceNodeUninitialized (0x301)
StateHistory[19] = Unknown State (0x0)
StateHistory[18] = Unknown State (0x0)
StateHistory[17] = Unknown State (0x0)
StateHistory[16] = Unknown State (0x0)
StateHistory[15] = Unknown State (0x0)
StateHistory[14] = Unknown State (0x0)
StateHistory[13] = Unknown State (0x0)
StateHistory[12] = Unknown State (0x0)
StateHistory[11] = Unknown State (0x0)
StateHistory[10] = Unknown State (0x0)
Flags (0x00000130) DNF_ENUMERATED, DNF_IDS_QUERIED,
DNF_NO_RESOURCE_REQUIRED
CapabilityFlags (0x00001602) DeviceD2, SurpriseRemovalOK,
WakeFromD0, WakeFromD2
kd> !devnode 82926648 1
DevNode 0x82926648 for PDO 0x8282e618
InstancePath is "USB\ROOT_HUB\4&231024c6&0"
ServiceName is "usbhub"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)