driver verifier查找隐藏的内存泄露BUG

来源：互联网发布：电商源码编辑：程序博客网时间：2024/05/22 00:02

verifier是微软提供的驱动测试工具，可以用来识别内存损坏、错误处理的 I/O 请求包 (IRP)、无效的直接内存访问 (DMA) 缓冲区占用、可能的死锁以及低资源模拟等情况。在开始菜单->运行中输入 verifier后，可以弹出如下菜单：

选择默认选项Create standard settings并点击下一步后，出现如下菜单：

选择Automatically select unsigned 并点击下一步后，出现可进行检查的驱动：

点击完成按钮，并重启后verifier便对驱动进行检查。也可以配置verifier对驱动进行更详细地检查(选择Create custom settings->Select individual settings from a full list):

本文要介绍的是使用verifier对驱动内存泄露的检查。做法比较简单，加载驱动并挂verifier后，卸载驱动，若没蓝屏说明驱动没有内存泄露，蓝屏了说明有内存泄露。
测试代码在DriverEntry中申请一块内存并且不做释放，代码如下：

代码:

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryString){  NTSTATUS Status = STATUS_SUCCESS;  UNICODE_STRING ustrLinkName;  UNICODE_STRING ustrDevName;      PDEVICE_OBJECT DeviceObject;  PVOID pTest;    pTest = ExAllocatePoolWithTag(NonPagedPool, 2000, 'a');    DbgPrint("[ObCallback] DriverEntry: %wZ\n",RegistryString);// Create dispatch points for device control, create, close.  DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;  DriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;  DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;  DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;  DriverObject->DriverUnload = DriverUnload;  //  RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);  Status = IoCreateDevice(DriverObject,               0,              &ustrDevName,               FILE_DEVICE_UNKNOWN,              0,              FALSE,              &DeviceObject              );  DbgPrint("[ObCallback] Device Name: %wZ\n",&ustrDevName);  if(!NT_SUCCESS(Status)){    DbgPrint("[ObCallback] IoCreateDevice = 0x%x\n", Status);    return Status;  }  RtlInitUnicodeString(&ustrLinkName, LINK_NAME);  Status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);    if(!NT_SUCCESS(Status)){    DbgPrint("[ObCallback] IoCreateSymbolicLink = 0x%x\n", Status);    IoDeleteDevice(DeviceObject);      return Status;  }  DeviceObject->Flags |= DO_BUFFERED_IO;  DbgPrint("[ObCallback] SymbolicLink: %wZ\n",&ustrLinkName);  return STATUS_SUCCESS;}

编译生成文件后，并在verifier中选择此驱动并重启：

然后用驱动加载工具加载此驱动，并点击安装、启动按钮，随后点击卸载按钮后，果然蓝屏了：

Windbg.exe加载此蓝屏dump，信息如下:

代码:

kd> !analyze -v********************************************************************************                                                                             **                        Bugcheck Analysis                                    **                                                                             ********************************************************************************DRIVER_VERIFIER_DETECTED_VIOLATION (c4)A device driver attempting to corrupt the system has been caught.  This isbecause the driver was specified in the registry as being suspect (by theadministrator) and the kernel has enabled substantial checking of this driver.If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA willbe among the most commonly seen crashes.Arguments:Arg1: 00000060, A driver has forgotten to free its pool allocations prior to unloading.Arg2: 00000000, paged bytesArg3: 000007d0, nonpaged bytes,Arg4: 00000001, total # of (paged+nonpaged) allocations that weren't freed.  To get the name of the driver at fault, type  dp ViBadDriver l1; dS @$p  Then type !verifier 3 drivername.sys for info on the allocations  that were leaked that caused the bugcheck.Debugging Details:------------------Unable to map view of image fileBUGCHECK_STR:  0xc4_60IMAGE_NAME:  ObCallback.sysDEBUG_FLR_IMAGE_TIMESTAMP:  53578229MODULE_NAME: ObCallbackFAULTING_MODULE: f885f000 ObCallbackDEFAULT_BUCKET_ID:  DRIVER_FAULTPROCESS_NAME:  services.exeLAST_CONTROL_TRANSFER:  from 80650d0c to 804f9cdbSTACK_TEXT:  ef52cacc 80650d0c 000000c4 00000060 00000000 nt!KeBugCheckEx+0x1bef52caf4 805a45b5 819ce270 81d2b740 81d2b768 nt!MiVerifyingDriverUnloading+0x12aef52cb20 80579c88 819ce270 81d2b750 ef52cb4c nt!MmUnloadSystemImage+0x183ef52cb30 805b1cf4 81d2b768 81d2b750 00000000 nt!IopDeleteDriver+0x32ef52cb4c 80523cb5 81d2b768 00000000 ef52cc30 nt!ObpRemoveObjectRoutine+0xe0ef52cb70 804f57c2 ef52cc30 ef52ccac efc94902 nt!ObfDereferenceObject+0x5fef52cc14 8057a937 ef52cd0c 00000000 ef52cc30 nt!IopUnloadDriver+0x28aef52cc24 8053e854 ef52cd0c ef52cd48 80500255 nt!NtUnloadDriver+0xfef52cc24 80500255 ef52cd0c ef52cd48 80500255 nt!KiSystemServicePostCallef52cca0 804f5629 ef52cd0c ef52cd64 00d3f868 nt!ZwUnloadDriver+0x11ef52cd48 8057a937 00d3f870 00000000 ef52cd64 nt!IopUnloadDriver+0xf1ef52cd58 8053e854 00d3f870 00d3f878 7c92e514 nt!NtUnloadDriver+0xfef52cd58 7c92e514 00d3f870 00d3f878 7c92e514 nt!KiSystemServicePostCallWARNING: Frame IP not in any known module. Following frames may be wrong.00d3f878 00000000 00000000 00000000 00000000 0x7c92e514STACK_COMMAND:  kbFOLLOWUP_NAME:  MachineOwnerFAILURE_BUCKET_ID:  0xc4_60_VRF_IMAGE_ObCallback.sys_RECENTBUCKET_ID:  0xc4_60_VRF_IMAGE_ObCallback.sys_RECENTFollowup: MachineOwner

键入!verifier 3 ObCallback.sys命令:

代码:

kd> !verifier 3 ObCallback.sysVerify Level ff ... enabled options are:  Special pool  Special irql  Inject random low-resource API failures  All pool allocations checked on unload  Io subsystem checking enabled  Deadlock detection enabled  Enhanced Io checking enabled  DMA checking enabledSummary of All Verifier StatisticsRaiseIrqls                             0x0AcquireSpinLocks                       0x0Synch Executions                       0x0Trims                                  0x0Pool Allocations Attempted             0x1Pool Allocations Succeeded             0x1Pool Allocations Succeeded SpecialPool 0x1Pool Allocations With NO TAG           0x0Pool Allocations Failed                0x0Resource Allocations Failed Deliberately   0x0Current paged pool allocations         0x0 for 00000000 bytesPeak paged pool allocations            0x0 for 00000000 bytesCurrent nonpaged pool allocations      0x1 for 000007D0 bytesPeak nonpaged pool allocations         0x1 for 000007D0 bytesDriver Verification ListEntry     State           NonPagedPool   PagedPool   Module81f95f00 Loaded           000007d0       00000000    ObCallback.sysCurrent Pool Allocations  00000001    00000000Current Pool Bytes        000007d0    00000000Peak Pool Allocations     00000001    00000000Peak Pool Bytes           000007d0    00000000PoolAddress  SizeInBytes    Tag       CallersAddress829e0830     0x000007d0     a...      f8860129

f8860129便是内存泄露地址的下一句汇编地址，反汇编上一句(call调用)汇编地址：

代码:

kd> u f8860129-6ObCallback+0x1123:f8860123 ff151c1086f8    call    dword ptr [ObCallback+0x201c (f886101c)]f8860129 ff750c          push    dword ptr [ebp+0Ch]f886012c 68420386f8      push    offset ObCallback+0x1342 (f8860342)f8860131 e8d2000000      call    ObCallback+0x1208 (f8860208)f8860136 8b7508          mov     esi,dword ptr [ebp+8]f8860139 8b3d0c1086f8    mov     edi,dword ptr [ObCallback+0x200c (f886100c)]f886013f 59              pop     ecxf8860140 59              pop     ecxkd> ObCallback+0x1123:f8860123 ff151c1086f8    call    dword ptr [ObCallback+0x201c (f886101c)]f8860129 ff750c          push    dword ptr [ebp+0Ch]f886012c 68420386f8      push    offset ObCallback+0x1342 (f8860342)f8860131 e8d2000000      call    ObCallback+0x1208 (f8860208)f8860136 8b7508          mov     esi,dword ptr [ebp+8]f8860139 8b3d0c1086f8    mov     edi,dword ptr [ObCallback+0x200c (f886100c)]f886013f 59              pop     ecxf8860140 59              pop     ecx

f8860123地址处便是内存泄露的地方。查看call dword ptr [ObCallback+0x201c (f886101c)]中的f886101c的内容，并反汇编：

代码:

kd> dd f886101c  l1f886101c  80651a68kd> u 80651a68nt!VerifierAllocatePoolWithTag:80651a68 8bff            mov     edi,edi80651a6a 55              push    ebp80651a6b 8bec            mov     ebp,esp80651a6d 51              push    ecx80651a6e 51              push    ecx80651a6f 8d45f8          lea     eax,[ebp-8]80651a72 50              push    eax80651a73 8d45fc          lea     eax,[ebp-4]

对应的函数是VerifierAllocatePoolWithTag，源代码其实是ExAllocatePoolWithTag。因为driver verifier Hook了驱动的输入表，把ExAllocatePoolWithTag函数替换为verifier 的VerifierAllocatePoolWithTag函数。
所以用上文所述的方法可以查找隐藏的内存泄露。

0 0