Windows Kernel Debugging

      Sisimon Soman
Agenda
• Introduction to BSOD
• Common approaches to analyze Windows
  crash.
• Story 1 – Memory corruption.
• Story 2 – Stack Overflow
• Story 3 – Deadlock
• Story 4 – Memory Leak
• Q&A – Bring your dumps to discuss here.
Why BSOD
• Caused by buggy drivers.
• Drivers share the address space with the kernel.
• An alternate stack is used to write the dump.
• KeBugCheckEx()
  – Turns off interrupts.
  – On an SMP box, tells all other processors "I am dying".
  – Paints the blue screen and writes the dump to the pagefile.
• Winlogon's role in writing the crash dump.
• Types of crash dumps.
Common approaches to a kernel issue
• What the bugcheck code says.
• Which instruction caused the crash.
• How the stack looks at the time of the crash.
• Are third-party drivers involved in the stack?
• The IRP that caused the crash.
• Is it a crash or a system hang?
Story 1 – Memory Corruption
• Driver Verifier
  – Heap Corruption
  – Special pool check (guard page)
• WinDBG commands to demo.
  – !analyze -v
  – kv
  – u
  – !pool
Pool corruption (continued)
Make sure the pool chaining is correct: every block should begin at the previous block's address plus the previous block's size, and its "previous size" field should equal the previous block's size. The first block that breaks this chain is the one whose header has been overwritten.

kd> !pool bc00248c
Pool page bc00248c region is Paged session pool
 bc002000 size:   90 previous size:    0  (Allocated)  Gla@
 bc002090 size:   10 previous size:   90  (Allocated)  Glnk
 bc0020a0 size:   20 previous size:   10  (Allocated)  Vtfd
 bc0020c0 size:    8 previous size:   20  (Free)       Gtmp
 bc0020c8 size:   38 previous size:    8  (Free )      Usqm
 bc002100 size:   28 previous size:   38  (Allocated)  Gldv
 bc002128 size:   58 previous size:   28  (Allocated)  GFil
 bc002180 size:  198 previous size:   58  (Allocated)  Uspi Process: 856b2a58
 bc002318 size:   18 previous size:  198  (Allocated)  Uspi Process: 856b4528
 bc002330 size:   90 previous size:   18  (Allocated)  Gla@
 bc0023c0 size:   c0 previous size:   90  (Allocated)  Gla4
*bc002480 size:   80 previous size:   c0  (Allocated) *Usms P
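The chaining rule above, applied automatically. This is an added example, not code from the slides: it parses the !pool listing shown on the slide, verifies that each header's address and "previous size" agree with its predecessor, and then runs the same check over a constructed copy in which one "previous size" field has been overwritten.

```python
import re

# !pool listing from the slide (one page of paged session pool). The last
# line's "Process:" field is truncated on the slide, so the parser relies
# only on the address, size, previous size, state and tag fields.
POOL_OUTPUT = """\
Pool page bc00248c region is Paged session pool
 bc002000 size:   90 previous size:    0  (Allocated)  Gla@
 bc002090 size:   10 previous size:   90  (Allocated)  Glnk
 bc0020a0 size:   20 previous size:   10  (Allocated)  Vtfd
 bc0020c0 size:    8 previous size:   20  (Free)       Gtmp
 bc0020c8 size:   38 previous size:    8  (Free )      Usqm
 bc002100 size:   28 previous size:   38  (Allocated)  Gldv
 bc002128 size:   58 previous size:   28  (Allocated)  GFil
 bc002180 size:  198 previous size:   58  (Allocated)  Uspi Process: 856b2a58
 bc002318 size:   18 previous size:  198  (Allocated)  Uspi Process: 856b4528
 bc002330 size:   90 previous size:   18  (Allocated)  Gla@
 bc0023c0 size:   c0 previous size:   90  (Allocated)  Gla4
*bc002480 size:   80 previous size:   c0  (Allocated) *Usms P
"""

# Constructed corruption (not from the slide): an overrun of the GFil block
# has trashed the "previous size" field in the header that follows it.
CORRUPT_OUTPUT = POOL_OUTPUT.replace("previous size:   58", "previous size:   41")

ENTRY_RE = re.compile(
    r"^\s*\*?(?P<addr>[0-9a-f]{8}) size:\s*(?P<size>[0-9a-f]+)"
    r" previous size:\s*(?P<prev>[0-9a-f]+)\s+\((?P<state>Allocated|Free)\s*\)"
    r"\s+\*?(?P<tag>\S{4})")

GRANULARITY = 8  # x86 pool block granularity; the pool header itself is 8 bytes

def parse_pool(text):
    """Turn the block lines of a !pool listing into dicts (other lines are skipped)."""
    blocks = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            blocks.append({"addr": int(m["addr"], 16), "size": int(m["size"], 16),
                           "prev": int(m["prev"], 16), "state": m["state"],
                           "tag": m["tag"]})
    return blocks

def check_pool_chain(blocks):
    """Return the chaining problems found; an empty list means the page is consistent."""
    problems = []
    if not blocks:
        return ["no pool block entries parsed"]
    if blocks[0]["prev"] != 0:
        problems.append(f"{blocks[0]['addr']:08x}: first block has previous size "
                        f"{blocks[0]['prev']:x}, expected 0")
    for i, b in enumerate(blocks):
        if b["size"] == 0 or b["size"] % GRANULARITY:
            problems.append(f"{b['addr']:08x}: size {b['size']:x} is not a multiple of 8")
        if i == 0:
            continue
        p = blocks[i - 1]
        if b["addr"] != p["addr"] + p["size"]:
            problems.append(f"{b['addr']:08x}: expected at {p['addr'] + p['size']:08x} "
                            f"(block {p['addr']:08x} + size {p['size']:x})")
        if b["prev"] != p["size"]:
            problems.append(f"{b['addr']:08x}: previous size {b['prev']:x} does not match "
                            f"size {p['size']:x} of block {p['addr']:08x}")
    return problems
```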
Stack Frames in Windows
• The purpose of the EBP register: the frame pointer.
• Function parameters and local variables live on the stack, and it is the same stack for the whole thread (one stack per thread).
• EBP + offset points to the function parameters.
• EBP – offset points to the local variables.
• x64 stack frames.
Stack Frames (continued)

0:000> u Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1
Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1 [d:sisimonworking areapresentationswindbgsimple app crash3simple app crash3simple app crash3dlg.cpp @ 154]:
00401580 55              push    ebp                      <-- first, save the caller's EBP on the stack
00401581 8bec            mov     ebp,esp                  <-- the new frame's EBP is the current ESP
00401583 83ec14          sub     esp,14h                  <-- reserve 14h bytes for the local variables
00401586 894dec          mov     dword ptr [ebp-14h],ecx  <-- copy the this pointer (passed in ecx) into the lowest slot of this frame
00401589 c745f400000000  mov     dword ptr [ebp-0Ch],0    <-- one local variable set to 0
00401590 c745fc0a000000  mov     dword ptr [ebp-4],0Ah    <-- another local variable set to 10
00401597 c745f80f000000  mov     dword ptr [ebp-8],0Fh    <-- another local variable set to 15
0040159e cc              int     3                        <-- our hard-coded breakpoint

0:000> r
eax=00000000 ebx=00000111 ecx=0013fe74 edx=00000000 esi=00403444 edi=00000001
eip=0040159e esp=0013f860 ebp=0013f874 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1+0x1e:
0040159e cc              int     3

0:000> dds 0013f860
0013f860  0013fe74
0013f864  7e41b788 USER32!GetParent+0x59
0013f868  00000000
0013f86c  0000000f
0013f870  0000000a
0013f874  0013f884                                  <-- saved EBP of the caller (push ebp / mov ebp,esp): Stack Frame 1
0013f878  7c1746cc MFC71!_AfxDispatchCmdMsg+0x3d [f:vs70builds3077vcmfcatlshipatlmfcsrcmfccmdtarg.cpp @ 89]
0013f87c  00403444 Simple_App_Crash3!CSimpleAppCrash3Dlg::messageMap
0013f880  0013fe74
0013f884  0013f8b4                                  <-- saved EBP of the caller (push ebp / mov ebp,esp): Stack Frame 2
0013f888  7c171915 MFC71!CCmdTarget::OnCmdMsg+0x10a [f:vs70builds3077vcmfcatlshipatlmfcsrcmfccmdtarg.cpp @ 396]
0013f88c  0013fe74
0013f890  000003e8
0013f894  00000000
0013f898  00401580 Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1 [d:sisimonworking areapresentationswindbgsimple app crash3simple app crash3simple app crash3dlg.cpp @ 154]
0013f89c  00000000
0013f8a0  00000035
0013f8a4  00000000
0013f8a8  0013fe74
0013f8ac  000003e8
0013f8b0  00000000
0013f8b4  0013f8d8                                  <-- saved EBP of the caller (push ebp / mov ebp,esp): Stack Frame 3
0013f8b8  7c14db36 MFC71!CDialog::OnCmdMsg+0x1b [f:vs70builds3077vcmfcatlshipatlmfcsrcmfcdlgcore.cpp @ 88]
0013f8bc  000003e8
0013f8c0  00000000
0013f8c4  00000000
0013f8c8  00000000
0013f8cc  000003e8
0013f8d0  0013fe74
0013f8d4  00000000
0013f8d8  0013f928
0013f8dc  7c175cd8 MFC71!CWnd::OnCommand+0x51 [f:vs70builds3077vcmfcatlshipatlmfcsrcmfcwincore.cpp @ 2549]
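The frame chain in the listing above, walked programmatically. This is an added example, not code from the slides: it parses the dds output into an address-to-value map, follows the saved EBP / return address pairs starting at ebp=0013f874, and reads the locals back at the offsets the disassembly set up; the local names (this, local_4 and so on) are assumed labels, not symbols from the build.

```python
import re

# dds listing from the slide at the int 3 (esp=0013f860, ebp=0013f874).
DDS_OUTPUT = """\
0013f860 0013fe74
0013f864 7e41b788 USER32!GetParent+0x59
0013f868 00000000
0013f86c 0000000f
0013f870 0000000a
0013f874 0013f884
0013f878 7c1746cc MFC71!_AfxDispatchCmdMsg+0x3d
0013f87c 00403444 Simple_App_Crash3!CSimpleAppCrash3Dlg::messageMap
0013f880 0013fe74
0013f884 0013f8b4
0013f888 7c171915 MFC71!CCmdTarget::OnCmdMsg+0x10a
0013f88c 0013fe74
0013f890 000003e8
0013f894 00000000
0013f898 00401580 Simple_App_Crash3!CSimpleAppCrash3Dlg::OnBnClickedButton1
0013f89c 00000000
0013f8a0 00000035
0013f8a4 00000000
0013f8a8 0013fe74
0013f8ac 000003e8
0013f8b0 00000000
0013f8b4 0013f8d8
0013f8b8 7c14db36 MFC71!CDialog::OnCmdMsg+0x1b
0013f8bc 000003e8
0013f8c0 00000000
0013f8c4 00000000
0013f8c8 00000000
0013f8cc 000003e8
0013f8d0 0013fe74
0013f8d4 00000000
0013f8d8 0013f928
0013f8dc 7c175cd8 MFC71!CWnd::OnCommand+0x51
"""
LINE_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})(?: (\S+))?")

def parse_dds(text):
    """Map address -> (value, symbol or None) from a dds listing."""
    mem = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mem[int(m[1], 16)] = (int(m[2], 16), m[3])
    return mem

def walk_frames(mem, ebp):
    """Follow the saved-EBP chain: [ebp] is the caller's EBP, [ebp+4] the return address."""
    frames = []
    while ebp in mem and ebp + 4 in mem:   # stop once the chain leaves the dump
        saved_ebp = mem[ebp][0]
        ret, sym = mem[ebp + 4]
        frames.append({"ebp": ebp, "ret": ret, "sym": sym})
        if saved_ebp <= ebp:  # the stack grows down, so a sane chain moves up
            break
        ebp = saved_ebp
    return frames

def read_locals(mem, ebp):
    """Locals of OnBnClickedButton1 at the EBP offsets the disassembly used (assumed names)."""
    return {name: mem[ebp - off][0] for name, off in
            (("this", 0x14), ("local_c", 0x0c), ("local_8", 0x8), ("local_4", 0x4))}
```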
Story 2 – Stack Overflow
• WinDBG commands to demo.
  – dds
  – dbs
  – !thread
  – !irp
  – lmv
  – dt
  – du
  – .trap
  – .frame n
  – dv
Story 3 – Kernel mode Deadlock
• WinDBG commands to demo.
  – !locks
  – !thread
  – !handle
  – kb
  – !irql
  – !irpfind
  – ~ <processor>
  – !devobj
  – !stacks
Story 4 – Kernel Pool Leak
• What are pool tags?
• WinDBG commands to demo.
  – !poolused 2
  – !poolused 4
  – !vm
Q&A
Windows kernel debugging workshop in florida