kisoo
safetdi blue screen dump analysis (bugcheck 0xD1)
Today a crash dump from safetdi.sys came in from the G group company site.
The symbols did not match, so naturally I spent two hours flailing around .... then it turned out a senior colleague had the distributed pdb and sys files,
so the analysis became possible.
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000001c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: b07a4613, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 0000001c
CURRENT_IRQL: 2
FAULTING_IP:
safetdi!tdi_event_receive+217 [g:\cvs\cvs2007\safepc_entv3.0-dev\client_platform\safetdi\src\drv\ev_recv.c @ 138]
b07a4613 8b4e1c mov ecx,dword ptr [esi+1Ch]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: svchost.exe
TRAP_FRAME: f78b28c4 -- (.trap fffffffff78b28c4)
ErrCode = 00000000
eax=8a30c5b0 ebx=c000021b ecx=88f4d4e0 edx=05ca0006 esi=00000000 edi=00000000
eip=b07a4613 esp=f78b2938 ebp=f78b2d50 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
safetdi!tdi_event_receive+0x217:
b07a4613 8b4e1c mov ecx,dword ptr [esi+1Ch] ds:0023:0000001c=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from b07a4613 to 804e2aac
STACK_TEXT:
f78b28c4 b07a4613 badb0d00 05ca0006 00000000 nt!KiTrap0E+0x238
f78b2d50 ad7268d0 88ea08cc 8a27de58 00000820 safetdi!tdi_event_receive+0x217 [g:\cvs\cvs2007\safepc_entv3.0-dev\client_platform\safetdi\src\drv\ev_recv.c @ 138]
WARNING: Stack unwind information not available. Following frames may be wrong.
f78b2dc4 ad731dcc 8a449320 88f5aa78 00000010 NVTcp!NVTCPStart+0x65d0
f78b2df0 ad731f84 896cb7c0 00000010 898f1e5a NVTcp!NVTCPRegisterHost+0xac02
f78b2e24 ad72c51e 89946e60 00000000 00000000 NVTcp!NVTCPRegisterHost+0xadba
f78b2e44 ad72d180 89946e60 f78b2e68 898f1a0e NVTcp!NVTCPRegisterHost+0x5354
f78b2e6c ad72e520 8a140d00 00000014 f78b2f74 NVTcp!NVTCPRegisterHost+0x5fb6
f78b2e88 ad7282bb 8a140d00 89946e60 89946dc0 NVTcp!NVTCPRegisterHost+0x7356
f78b2ef0 b8e327c6 8a1c3b04 00000603 b914159d NVTcp!NVTCPRegisterHost+0x10f1
f78b2efc b914159d b914d934 b914d498 b9140e6c nv4_mini+0x347c6
f78b2f08 b9140e6c 8a1319a8 f78b2f28 b9140efd NVNRM!NRM_OSApiInit+0x845f
f78b2f14 b9140efd 8a1319f8 b914d498 b914d498 NVNRM!NRM_OSApiInit+0x7d2e
f78b2f3c ad72119d 896cb610 00000001 8a140e54 NVNRM!NRM_OSApiInit+0x7dbf
f78b2f54 b9145fc4 8a140d00 f78b2f8c 00000001 NVTcp!NVTCPStart+0xe9d
f78b2f98 b913f955 00000000 b914d498 8a1319a8 NVNRM!DriverEntry+0x21cc
f78b2fb4 b9141a3e 00000000 8979de18 f771f9c0 NVNRM!NRM_OSApiInit+0x6817
f78b2fcc 804ded22 8a13195c 89c4f708 00000000 NVNRM!NRM_OSApiInit+0x8900
f78b2ff4 804de88d a7017c3c 00000000 00000000 nt!KiRetireDpcList+0x61
f78b2ff8 a7017c3c 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2b
804de88d 00000000 00000009 0081850f bb830000 0xa7017c3c
STACK_COMMAND: kb
FOLLOWUP_IP:
safetdi!tdi_event_receive+217 [g:\cvs\cvs2007\safepc_entv3.0-dev\client_platform\safetdi\src\drv\ev_recv.c @ 138]
b07a4613 8b4e1c mov ecx,dword ptr [esi+1Ch] // loads the dword at [esi+1Ch] into ecx; with esi == 0 the address read is 0x1C
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: safetdi!tdi_event_receive+217
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: safetdi
IMAGE_NAME: safetdi.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 478efee7
FAILURE_BUCKET_ID: 0xD1_safetdi!tdi_event_receive+217
BUCKET_ID: 0xD1_safetdi!tdi_event_receive+217
Followup: MachineOwner
---------
1: kd> u // look at the disassembly...
nt!KiTrap0E+0x238:
804e2aac f7457000000200 test dword ptr [ebp+70h],20000h
804e2ab3 740d je nt!KiTrap0E+0x24e (804e2ac2)
804e2ab5 833d94da558000 cmp dword ptr [nt!KeI386VdmIoplAllowed (8055da94)],0
804e2abc 0f8568feffff jne nt!KiTrap0E+0xb6 (804e292a)
804e2ac2 833d4044568000 cmp dword ptr [nt!KiFreezeFlag (80564440)],0
804e2ac9 0f855bfeffff jne nt!KiTrap0E+0xb6 (804e292a)
804e2acf 833dc04e568000 cmp dword ptr [nt!KiBugCheckData (80564ec0)],0
804e2ad6 0f854efeffff jne nt!KiTrap0E+0xb6 (804e292a)
1: kd> .trap fffffffff78b28c4 // after switching to the trap frame
ErrCode = 00000000
eax=8a30c5b0 ebx=c000021b ecx=88f4d4e0 edx=05ca0006 esi=00000000 edi=00000000
eip=b07a4613 esp=f78b2938 ebp=f78b2d50 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
safetdi!tdi_event_receive+0x217:
b07a4613 8b4e1c mov ecx,dword ptr [esi+1Ch] ds:0023:0000001c=????????
1: kd> u // look at the disassembly again
nt!KiTrap0E+0x268:
804e2adc b8ff000000 mov eax,0FFh
804e2ae1 eba8 jmp nt!KiTrap0E+0x217 (804e2a8b)
804e2ae3 64a154000000 mov eax,dword ptr fs:[00000054h]
804e2ae9 64c7055400000000000000 mov dword ptr fs:[54h],0
804e2af4 894568 mov dword ptr [ebp+68h],eax
804e2af7 8be5 mov esp,ebp
804e2af9 e92bd7ffff jmp nt!Kei386EoiHelper (804e0229)
804e2afe 8bff mov edi,edi
1: kd> r // show the registers
Last set context:
eax=8a30c5b0 ebx=c000021b ecx=88f4d4e0 edx=05ca0006 esi=00000000 edi=00000000
eip=b07a4613 esp=f78b2938 ebp=f78b2d50 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
safetdi!tdi_event_receive+0x217:
b07a4613 8b4e1c mov ecx,dword ptr [esi+1Ch] ds:0023:0000001c=????????
What is at offset 1C?
Looking at the disassembly:
b07a4603 ff156c4f7ab0 call dword ptr [safetdi!_imp__ExAllocatePoolWithTag (b07a4f6c)]
b07a4609 3bc7 cmp eax,edi
b07a460b 7430 je safetdi!tdi_event_receive+0x241 (b07a463d)
b07a460d 8b4df8 mov ecx,dword ptr [ebp-8]
b07a4610 894809 mov dword ptr [eax+9],ecx
b07a4613 8b4e1c mov ecx,dword ptr [esi+1Ch]
This is right below the allocation. Let's look at the source:
new_ctx = (struct tdi_client_irp_ctx *)malloc_np(sizeof(*new_ctx)); // this is the call at b07a4603
if (new_ctx != NULL)                     // b07a4609 3bc7   cmp eax,edi   (edi == 0)
{
    new_ctx->connobj = connobj;          // b07a4610 894809 mov dword ptr [eax+9],ecx
    // dt tdi_client_irp_ctx 8a30c5b0 ==> eax is the tdi_client_irp_ctx structure,
    // and +9 is the connobj field.
    if (irps->CompletionRoutine != NULL) // b07a4613 8b4e1c mov ecx,dword ptr [esi+1Ch]
                                         // b07a4616 3bcf   cmp ecx,edi
    // esi + 1Ch, but esi is 00000000. A base address of 0 means irps is NULL.
As the dt _IO_STACK_LOCATION output below shows, CompletionRoutine is at +0x01c (Ptr32). So irps is NULL, and
irps->CompletionRoutine != NULL cannot be evaluated when irps is NULL. Of course it fails; a read access fault is
the natural result.
Two things confirm this without even reading the source: READ_ADDRESS 0000001c is exactly NULL + 0x1c, the offset of
CompletionRoutine, and a read address that small is the classic signature of a NULL base pointer plus a field offset.
And because the handler runs at DISPATCH_LEVEL (CURRENT_IRQL: 2, inside a DPC according to the nt!KiRetireDpcList
frame at the bottom of the stack), the invalid access is reported as bugcheck 0xD1 rather than as an ordinary page fault.
1: kd> dt tdi_client_irp_ctx 8a30c5b0
+0x000 completion : (null)
+0x004 context : 0x8a34aeb0
+0x008 old_control : 0xe0 ''
+0x009 connobj : 0x88f4d4e0 _FILE_OBJECT
1: kd> dt _IO_STACK_LOCATION
+0x000 MajorFunction : UChar
+0x001 MinorFunction : UChar
+0x002 Flags : UChar
+0x003 Control : UChar
+0x004 Parameters : __unnamed
+0x014 DeviceObject : Ptr32 _DEVICE_OBJECT
+0x018 FileObject : Ptr32 _FILE_OBJECT
+0x01c CompletionRoutine : Ptr32
+0x020 Context : Ptr32 Void
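As an added example (not code from this post or from the safetdi driver), here is a user-mode C model of the fault. It assumes the 32-bit _IO_STACK_LOCATION layout from the dt output above (every pointer is 4 bytes), a hypothetical handler that dereferences irps the way tdi_event_receive+0x217 does, and a helper field_for_read_address that maps a bugcheck 0xD1 Arg1 value back to the structure field a NULL irps would land on. The struct name, the helper names and the 64 KB NULL-page heuristic are my own choices, not anything from the page.

```c
/* Added example, not code from the post or from the safetdi driver: a user-mode C
 * model of the fault.  Assumes the 32-bit _IO_STACK_LOCATION layout shown by the
 * page's dt output (all pointers are 4 bytes) and a hypothetical receive handler
 * that dereferences irps the way tdi_event_receive+0x217 does. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit _IO_STACK_LOCATION as reported by `dt _IO_STACK_LOCATION` (offsets in comments). */
typedef struct model_io_stack_location {
    uint8_t  MajorFunction;      /* +0x000 */
    uint8_t  MinorFunction;      /* +0x001 */
    uint8_t  Flags;              /* +0x002 */
    uint8_t  Control;            /* +0x003 */
    uint8_t  Parameters[16];     /* +0x004  union, 16 bytes on x86 */
    uint32_t DeviceObject;       /* +0x014  Ptr32 _DEVICE_OBJECT */
    uint32_t FileObject;         /* +0x018  Ptr32 _FILE_OBJECT */
    uint32_t CompletionRoutine;  /* +0x01c  Ptr32 */
    uint32_t Context;            /* +0x020  Ptr32 Void */
} model_io_stack_location;

#define NULL_PAGE_LIMIT 0x10000u   /* heuristic: a read below 64 KB is NULL + offset, not a real object */

/* Map bugcheck 0xD1 Arg1 (the referenced address) to the field a NULL irps would hit.
 * Returns the field name, or NULL when the address is not a plausible NULL-plus-offset. */
const char *field_for_read_address(uint32_t read_address) {
    static const struct { const char *name; size_t off; } fields[] = {
        { "MajorFunction",     offsetof(model_io_stack_location, MajorFunction) },
        { "MinorFunction",     offsetof(model_io_stack_location, MinorFunction) },
        { "Flags",             offsetof(model_io_stack_location, Flags) },
        { "Control",           offsetof(model_io_stack_location, Control) },
        { "Parameters",        offsetof(model_io_stack_location, Parameters) },
        { "DeviceObject",      offsetof(model_io_stack_location, DeviceObject) },
        { "FileObject",        offsetof(model_io_stack_location, FileObject) },
        { "CompletionRoutine", offsetof(model_io_stack_location, CompletionRoutine) },
        { "Context",           offsetof(model_io_stack_location, Context) },
    };
    if (read_address >= NULL_PAGE_LIMIT || read_address >= sizeof(model_io_stack_location))
        return NULL;
    const char *best = NULL;
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        if (fields[i].off <= read_address)   /* last field that starts at or before the address */
            best = fields[i].name;
    return best;
}

/* Before: the access at tdi_event_receive+0x217.  With irps == NULL this is the
 * `mov ecx,dword ptr [esi+1Ch]` that read address 0x1c and raised bugcheck 0xD1. */
int has_completion_unchecked(const model_io_stack_location *irps) {
    return irps->CompletionRoutine != 0;
}

/* After: validate the stack location before touching it.  Returns 0 on success and
 * -1 (standing in for a failure NTSTATUS) when irps is NULL, so the caller can bail
 * out instead of faulting at DISPATCH_LEVEL. */
int has_completion_checked(const model_io_stack_location *irps, int *has_completion) {
    *has_completion = 0;
    if (irps == NULL)
        return -1;
    *has_completion = irps->CompletionRoutine != 0;
    return 0;
}

int main(void) {
    /* Constructed sample input: the Arg1 value from the !analyze output on the page. */
    uint32_t arg1 = 0x1c;
    printf("Arg1 0x%x -> NULL irps + offsetof(%s)\n", arg1, field_for_read_address(arg1));

    model_io_stack_location irps;
    memset(&irps, 0, sizeof irps);
    irps.CompletionRoutine = 0xb07a4000u;   /* constructed: any non-zero Ptr32 */
    int hc = 0;
    printf("checked, valid irps: rc=%d has_completion=%d\n", has_completion_checked(&irps, &hc), hc);
    printf("checked, NULL irps:  rc=%d has_completion=%d\n", has_completion_checked(NULL, &hc), hc);
    return 0;
}
```

The point of field_for_read_address is the triage shortcut used above: when Arg1 of a 0xD1 is a tiny value and a register in the trap frame is zero, the Arg1 is almost certainly offsetof(some field) on a NULL base, and the fix belongs where that base pointer was supposed to be validated, not at the faulting instruction.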