driver verifier查找隐藏的内存泄露BUG
来源:互联网 发布:电商源码 编辑:程序博客网 时间:2024/05/22 00:02
verifier是微软提供的驱动测试工具,可以用来识别内存损坏、错误处理的 I/O 请求包 (IRP)、无效的直接内存访问 (DMA) 缓冲区占用、可能的死锁以及低资源模拟等情况。在开始菜单->运行中输入 verifier后,可以弹出如下菜单:
选择默认选项Create standard settings并点击下一步后,出现如下菜单:
选择Automatically select unsigned 并点击下一步后,出现可进行检查的驱动:
点击完成按钮,并重启后verifier便对驱动进行检查。也可以配置verifier对驱动进行更详细地检查(选择Create custom settings->Select individual settings from a full list):
本文要介绍的是使用verifier对驱动内存泄露的检查。做法比较简单,加载驱动并挂verifier后,卸载驱动,若没蓝屏说明驱动没有内存泄露,蓝屏了说明有内存泄露。
测试代码在DriverEntry中申请一块内存并且不做释放,代码如下:
编译生成文件后,并在verifier中选择此驱动并重启:
然后用驱动加载工具加载此驱动,并点击安装、启动按钮,随后点击卸载按钮后,果然蓝屏了:
Windbg.exe加载此蓝屏dump,信息如下:
键入!verifier 3 ObCallback.sys命令:
f8860129便是内存泄露地址的下一句汇编地址,反汇编上一句(call调用)汇编地址:
f8860123地址处便是内存泄露的地方。查看call dword ptr [ObCallback+0x201c (f886101c)]中的f886101c的内容,并反汇编:
对应的函数是VerifierAllocatePoolWithTag,源代码其实是ExAllocatePoolWithTag。因为driver verifier Hook了驱动的输入表,把ExAllocatePoolWithTag函数替换为verifier 的VerifierAllocatePoolWithTag函数。
所以用上文所述的方法可以查找隐藏的内存泄露。
选择默认选项Create standard settings并点击下一步后,出现如下菜单:
选择Automatically select unsigned 并点击下一步后,出现可进行检查的驱动:
点击完成按钮,并重启后verifier便对驱动进行检查。也可以配置verifier对驱动进行更详细地检查(选择Create custom settings->Select individual settings from a full list):
本文要介绍的是使用verifier对驱动内存泄露的检查。做法比较简单,加载驱动并挂verifier后,卸载驱动,若没蓝屏说明驱动没有内存泄露,蓝屏了说明有内存泄露。
测试代码在DriverEntry中申请一块内存并且不做释放,代码如下:
代码:
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryString){ NTSTATUS Status = STATUS_SUCCESS; UNICODE_STRING ustrLinkName; UNICODE_STRING ustrDevName; PDEVICE_OBJECT DeviceObject; PVOID pTest; pTest = ExAllocatePoolWithTag(NonPagedPool, 2000, 'a'); DbgPrint("[ObCallback] DriverEntry: %wZ\n",RegistryString);// Create dispatch points for device control, create, close. DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate; DriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead; DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl; DriverObject->DriverUnload = DriverUnload; // RtlInitUnicodeString(&ustrDevName, DEVICE_NAME); Status = IoCreateDevice(DriverObject, 0, &ustrDevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject ); DbgPrint("[ObCallback] Device Name: %wZ\n",&ustrDevName); if(!NT_SUCCESS(Status)){ DbgPrint("[ObCallback] IoCreateDevice = 0x%x\n", Status); return Status; } RtlInitUnicodeString(&ustrLinkName, LINK_NAME); Status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName); if(!NT_SUCCESS(Status)){ DbgPrint("[ObCallback] IoCreateSymbolicLink = 0x%x\n", Status); IoDeleteDevice(DeviceObject); return Status; } DeviceObject->Flags |= DO_BUFFERED_IO; DbgPrint("[ObCallback] SymbolicLink: %wZ\n",&ustrLinkName); return STATUS_SUCCESS;}
编译生成文件后,并在verifier中选择此驱动并重启:
然后用驱动加载工具加载此驱动,并点击安装、启动按钮,随后点击卸载按钮后,果然蓝屏了:
Windbg.exe加载此蓝屏dump,信息如下:
代码:
kd> !analyze -v******************************************************************************** ** Bugcheck Analysis ** ********************************************************************************DRIVER_VERIFIER_DETECTED_VIOLATION (c4)A device driver attempting to corrupt the system has been caught. This isbecause the driver was specified in the registry as being suspect (by theadministrator) and the kernel has enabled substantial checking of this driver.If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA willbe among the most commonly seen crashes.Arguments:Arg1: 00000060, A driver has forgotten to free its pool allocations prior to unloading.Arg2: 00000000, paged bytesArg3: 000007d0, nonpaged bytes,Arg4: 00000001, total # of (paged+nonpaged) allocations that weren't freed. To get the name of the driver at fault, type dp ViBadDriver l1; dS @$p Then type !verifier 3 drivername.sys for info on the allocations that were leaked that caused the bugcheck.Debugging Details:------------------Unable to map view of image fileBUGCHECK_STR: 0xc4_60IMAGE_NAME: ObCallback.sysDEBUG_FLR_IMAGE_TIMESTAMP: 53578229MODULE_NAME: ObCallbackFAULTING_MODULE: f885f000 ObCallbackDEFAULT_BUCKET_ID: DRIVER_FAULTPROCESS_NAME: services.exeLAST_CONTROL_TRANSFER: from 80650d0c to 804f9cdbSTACK_TEXT: ef52cacc 80650d0c 000000c4 00000060 00000000 nt!KeBugCheckEx+0x1bef52caf4 805a45b5 819ce270 81d2b740 81d2b768 nt!MiVerifyingDriverUnloading+0x12aef52cb20 80579c88 819ce270 81d2b750 ef52cb4c nt!MmUnloadSystemImage+0x183ef52cb30 805b1cf4 81d2b768 81d2b750 00000000 nt!IopDeleteDriver+0x32ef52cb4c 80523cb5 81d2b768 00000000 ef52cc30 nt!ObpRemoveObjectRoutine+0xe0ef52cb70 804f57c2 ef52cc30 ef52ccac efc94902 nt!ObfDereferenceObject+0x5fef52cc14 8057a937 ef52cd0c 00000000 ef52cc30 nt!IopUnloadDriver+0x28aef52cc24 8053e854 ef52cd0c ef52cd48 80500255 nt!NtUnloadDriver+0xfef52cc24 80500255 ef52cd0c ef52cd48 80500255 nt!KiSystemServicePostCallef52cca0 804f5629 ef52cd0c ef52cd64 00d3f868 nt!ZwUnloadDriver+0x11ef52cd48 8057a937 00d3f870 00000000 ef52cd64 nt!IopUnloadDriver+0xf1ef52cd58 8053e854 00d3f870 00d3f878 7c92e514 nt!NtUnloadDriver+0xfef52cd58 7c92e514 00d3f870 00d3f878 7c92e514 nt!KiSystemServicePostCallWARNING: Frame IP not in any known module. Following frames may be wrong.00d3f878 00000000 00000000 00000000 00000000 0x7c92e514STACK_COMMAND: kbFOLLOWUP_NAME: MachineOwnerFAILURE_BUCKET_ID: 0xc4_60_VRF_IMAGE_ObCallback.sys_RECENTBUCKET_ID: 0xc4_60_VRF_IMAGE_ObCallback.sys_RECENTFollowup: MachineOwner
代码:
kd> !verifier 3 ObCallback.sysVerify Level ff ... enabled options are: Special pool Special irql Inject random low-resource API failures All pool allocations checked on unload Io subsystem checking enabled Deadlock detection enabled Enhanced Io checking enabled DMA checking enabledSummary of All Verifier StatisticsRaiseIrqls 0x0AcquireSpinLocks 0x0Synch Executions 0x0Trims 0x0Pool Allocations Attempted 0x1Pool Allocations Succeeded 0x1Pool Allocations Succeeded SpecialPool 0x1Pool Allocations With NO TAG 0x0Pool Allocations Failed 0x0Resource Allocations Failed Deliberately 0x0Current paged pool allocations 0x0 for 00000000 bytesPeak paged pool allocations 0x0 for 00000000 bytesCurrent nonpaged pool allocations 0x1 for 000007D0 bytesPeak nonpaged pool allocations 0x1 for 000007D0 bytesDriver Verification ListEntry State NonPagedPool PagedPool Module81f95f00 Loaded 000007d0 00000000 ObCallback.sysCurrent Pool Allocations 00000001 00000000Current Pool Bytes 000007d0 00000000Peak Pool Allocations 00000001 00000000Peak Pool Bytes 000007d0 00000000PoolAddress SizeInBytes Tag CallersAddress829e0830 0x000007d0 a... f8860129
代码:
kd> u f8860129-6ObCallback+0x1123:f8860123 ff151c1086f8 call dword ptr [ObCallback+0x201c (f886101c)]f8860129 ff750c push dword ptr [ebp+0Ch]f886012c 68420386f8 push offset ObCallback+0x1342 (f8860342)f8860131 e8d2000000 call ObCallback+0x1208 (f8860208)f8860136 8b7508 mov esi,dword ptr [ebp+8]f8860139 8b3d0c1086f8 mov edi,dword ptr [ObCallback+0x200c (f886100c)]f886013f 59 pop ecxf8860140 59 pop ecxkd> ObCallback+0x1123:f8860123 ff151c1086f8 call dword ptr [ObCallback+0x201c (f886101c)]f8860129 ff750c push dword ptr [ebp+0Ch]f886012c 68420386f8 push offset ObCallback+0x1342 (f8860342)f8860131 e8d2000000 call ObCallback+0x1208 (f8860208)f8860136 8b7508 mov esi,dword ptr [ebp+8]f8860139 8b3d0c1086f8 mov edi,dword ptr [ObCallback+0x200c (f886100c)]f886013f 59 pop ecxf8860140 59 pop ecx
代码:
kd> dd f886101c l1f886101c 80651a68kd> u 80651a68nt!VerifierAllocatePoolWithTag:80651a68 8bff mov edi,edi80651a6a 55 push ebp80651a6b 8bec mov ebp,esp80651a6d 51 push ecx80651a6e 51 push ecx80651a6f 8d45f8 lea eax,[ebp-8]80651a72 50 push eax80651a73 8d45fc lea eax,[ebp-4]
所以用上文所述的方法可以查找隐藏的内存泄露。
0 0
- driver verifier查找隐藏的内存泄露BUG
- driver verifier查找隐藏的内存泄露BUG
- linux下内存泄露查找、BUG调试
- linux下内存泄露查找、BUG调试
- Wince内存泄露检测工具Application Verifier的使用和如何快速定位泄露语句(一)
- Wince内存泄露检测工具Application Verifier的使用和如何快速定位泄露语句(二)
- ConcurrentQueue的内存泄露BUG
- 查找内存泄露的方法
- 查找内存泄露的工具
- 内存泄露的查找办法
- 查找内存泄露的方法
- 对于内存泄露的查找
- 原创: WINCE 内存泄露的检查(2) 使用Application Verifier (AppVerifier)检查资源泄漏
- bug之类定义导致的内存泄露
- 内存泄露,编程中最难定位的bug
- appium的一个内存泄露bug
- Windows 8以后的Windows操作系统关闭Driver Verifier的方法(disable Driver Verifier)
- 查找一个隐藏很深的bug
- MongoDB---出现no write has been done on this connection解决方案
- HDU 4417 —— Super Mario(树状数组,离散化,离线处理)
- Android-SurfaceView与SurfaceHolder对象
- Mybatis添加Ehcache支持
- MinGW的问题与使用
- driver verifier查找隐藏的内存泄露BUG
- soa部署项目,启动时报错:No credential mapper entry found for password indirection user
- ListView布局 采用SimpleAdapter
- 寄宿WCF服务
- 字符驱动程序设计学习笔记4-2
- Python 3.3 (2)
- java中的volatile和transient关键字
- Windows下Qt 5.2 for Android开发入门
- 苹果iMessage垃圾信息泛滥:运营商难涉及