[Original] Using Driver Verifier to find hidden memory-leak bugs
Posted 2014-4-24 10:14, 16472 views
Driver Verifier (verifier.exe) is a driver test tool shipped by Microsoft with Windows. It can catch memory corruption, mishandled I/O request packets (IRPs), invalid direct memory access (DMA) buffer usage and possible deadlocks, and it can simulate low-resource conditions. Typing verifier in Start -> Run opens the Driver Verifier Manager:

[screenshot: Driver Verifier Manager, first page]

Keep the default option, Create standard settings, and click Next:

[screenshot: driver selection page]

Choose Automatically select unsigned drivers and click Next; the list of drivers that will be checked appears:

[screenshot: list of drivers selected for verification]

Click Finish and reboot; from then on Verifier checks the selected drivers. Selecting the test driver by name (Select driver names from a list) is more predictable than relying on the unsigned-driver filter, and the same configuration can be set from an elevated command prompt with verifier /standard /driver ObCallback.sys; verifier /reset clears it again, which matters if the verified machine no longer boots cleanly. Verifier can also be configured to check a driver in more detail (Create custom settings -> Select individual settings from a full list):

[screenshot: individual settings list]

This post covers using Verifier to check a driver for memory leaks. The procedure is simple: enable Verifier for the driver, load the driver, then unload it. Verifier's pool tracking records every pool allocation the verified driver makes; if any are still outstanding when the driver unloads, the system bugchecks with DRIVER_VERIFIER_DETECTED_VIOLATION (0xC4), parameter 1 = 0x60, and the leaked blocks can be listed from the kernel debugger. A clean unload only shows that no pool charged to this driver was outstanding at that moment: a driver that is never unloaded, or a leak in something Verifier does not track, is not reported this way.

The test code allocates a block in DriverEntry and never frees it:

#include <ntddk.h>

/* The post does not show these definitions; the values below are assumed. */
#define DEVICE_NAME L"\\Device\\ObCallback"
#define LINK_NAME   L"\\DosDevices\\ObCallback"

/* Dispatch and unload routines are defined elsewhere in the driver (not shown in the post). */
DRIVER_DISPATCH DispatchCreate, DispatchRead, DispatchClose, DispatchIoctl;
DRIVER_UNLOAD DriverUnload;

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryString)
{
	NTSTATUS Status = STATUS_SUCCESS;
	UNICODE_STRING ustrLinkName;
	UNICODE_STRING ustrDevName;
	PDEVICE_OBJECT DeviceObject;
	PVOID pTest;

	/* Deliberate leak: this block is never freed, and pTest is a local, so
	   nothing can release it later. The single-character tag 'a' also shows
	   up as "a..." in !verifier output; real code should use four characters. */
	pTest = ExAllocatePoolWithTag(NonPagedPool, 2000, 'a');
	(void)pTest;	/* silence the unused-variable warning */

	DbgPrint("[ObCallback] DriverEntry: %wZ\n", RegistryString);

	/* Create dispatch points for device control, create, read, close. */
	DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	DriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;
	DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
	DriverObject->DriverUnload = DriverUnload;

	RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
	Status = IoCreateDevice(DriverObject,
							0,
							&ustrDevName,
							FILE_DEVICE_UNKNOWN,
							0,
							FALSE,
							&DeviceObject
							);
	DbgPrint("[ObCallback] Device Name: %wZ\n", &ustrDevName);

	if (!NT_SUCCESS(Status)) {
		DbgPrint("[ObCallback] IoCreateDevice = 0x%x\n", Status);
		return Status;
	}
	RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
	Status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
	if (!NT_SUCCESS(Status)) {
		DbgPrint("[ObCallback] IoCreateSymbolicLink = 0x%x\n", Status);
		IoDeleteDevice(DeviceObject);
		return Status;
	}
	DeviceObject->Flags |= DO_BUFFERED_IO;
	DbgPrint("[ObCallback] SymbolicLink: %wZ\n", &ustrLinkName);
	return STATUS_SUCCESS;
}
With Verifier enabled for ObCallback.sys, loading and then unloading the driver breaks into the attached kernel debugger (an x86 target here):

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000060, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: 00000000, paged bytes
Arg3: 000007d0, nonpaged bytes,
Arg4: 00000001, total # of (paged+nonpaged) allocations that weren't freed.
	To get the name of the driver at fault, type
	dp ViBadDriver l1; dS @$p
	Then type !verifier 3 drivername.sys for info on the allocations
	that were leaked that caused the bugcheck.

Debugging Details:
------------------
Unable to map view of image file
BUGCHECK_STR:  0xc4_60
IMAGE_NAME:  ObCallback.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  53578229
MODULE_NAME: ObCallback
FAULTING_MODULE: f885f000 ObCallback
DEFAULT_BUCKET_ID:  DRIVER_FAULT
PROCESS_NAME:  services.exe
LAST_CONTROL_TRANSFER:  from 80650d0c to 804f9cdb

STACK_TEXT:  
ef52cacc 80650d0c 000000c4 00000060 00000000 nt!KeBugCheckEx+0x1b
ef52caf4 805a45b5 819ce270 81d2b740 81d2b768 nt!MiVerifyingDriverUnloading+0x12a
ef52cb20 80579c88 819ce270 81d2b750 ef52cb4c nt!MmUnloadSystemImage+0x183
ef52cb30 805b1cf4 81d2b768 81d2b750 00000000 nt!IopDeleteDriver+0x32
ef52cb4c 80523cb5 81d2b768 00000000 ef52cc30 nt!ObpRemoveObjectRoutine+0xe0
ef52cb70 804f57c2 ef52cc30 ef52ccac efc94902 nt!ObfDereferenceObject+0x5f
ef52cc14 8057a937 ef52cd0c 00000000 ef52cc30 nt!IopUnloadDriver+0x28a
ef52cc24 8053e854 ef52cd0c ef52cd48 80500255 nt!NtUnloadDriver+0xf
ef52cc24 80500255 ef52cd0c ef52cd48 80500255 nt!KiSystemServicePostCall
ef52cca0 804f5629 ef52cd0c ef52cd64 00d3f868 nt!ZwUnloadDriver+0x11
ef52cd48 8057a937 00d3f870 00000000 ef52cd64 nt!IopUnloadDriver+0xf1
ef52cd58 8053e854 00d3f870 00d3f878 7c92e514 nt!NtUnloadDriver+0xf
ef52cd58 7c92e514 00d3f870 00d3f878 7c92e514 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
00d3f878 00000000 00000000 00000000 00000000 0x7c92e514


STACK_COMMAND:  kb
FOLLOWUP_NAME:  MachineOwner
FAILURE_BUCKET_ID:  0xc4_60_VRF_IMAGE_ObCallback.sys_RECENT
BUCKET_ID:  0xc4_60_VRF_IMAGE_ObCallback.sys_RECENT
Followup: MachineOwner
Following the hint in the bugcheck text, !verifier 3 lists the verified driver's outstanding allocations:

kd> !verifier 3 ObCallback.sys
Verify Level ff ... enabled options are:
	Special pool
	Special irql
	Inject random low-resource API failures
	All pool allocations checked on unload
	Io subsystem checking enabled
	Deadlock detection enabled
	Enhanced Io checking enabled
	DMA checking enabled

Summary of All Verifier Statistics

RaiseIrqls                             0x0
AcquireSpinLocks                       0x0
Synch Executions                       0x0
Trims                                  0x0

Pool Allocations Attempted             0x1
Pool Allocations Succeeded             0x1
Pool Allocations Succeeded SpecialPool 0x1
Pool Allocations With NO TAG           0x0
Pool Allocations Failed                0x0
Resource Allocations Failed Deliberately   0x0

Current paged pool allocations         0x0 for 00000000 bytes
Peak paged pool allocations            0x0 for 00000000 bytes
Current nonpaged pool allocations      0x1 for 000007D0 bytes
Peak nonpaged pool allocations         0x1 for 000007D0 bytes

Driver Verification List

Entry     State           NonPagedPool   PagedPool   Module

81f95f00 Loaded           000007d0       00000000    ObCallback.sys

Current Pool Allocations  00000001    00000000
Current Pool Bytes        000007d0    00000000
Peak Pool Allocations     00000001    00000000
Peak Pool Bytes           000007d0    00000000

PoolAddress  SizeInBytes    Tag       CallersAddress
829e0830     0x000007d0     a...      f8860129

The last column is what pins the leak to code: f8860129 lies inside ObCallback (loaded at f885f000), and with symbols for ObCallback.sys loaded, ln f8860129 in the debugger shows the nearest symbol and offset, i.e. the return address of the allocating call. The size 0x7d0 is the 2000 bytes requested, and the tag prints as "a..." because 'a' fills only one of the four tag bytes.
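To make the mechanism behind the 0xC4/0x60 bugcheck and the !verifier 3 table concrete, here is an added example (not code from the original post, and not Microsoft's implementation): a user-mode model of the pool tracking Verifier applies to a verified driver. TrackedAllocatePoolWithTag and TrackedFreePoolWithTag are hypothetical stand-ins for ExAllocatePoolWithTag/ExFreePoolWithTag; the allocation sizes, tags and the two scenarios (the post's leaking DriverEntry, and a fixed driver that frees in DriverUnload) are constructed for the example. It compiles with a hosted C compiler and runs outside the kernel.

```c
/* Added example, not code from the original post: a user-mode model of the
 * pool tracking Driver Verifier applies to a verified driver. Allocations are
 * recorded with tag, size, pool type and caller; the unload check lists what
 * is still outstanding in !verifier 3 layout and returns the totals that
 * become the 0xC4/0x60 bugcheck arguments. The Tracked* names are
 * hypothetical stand-ins for ExAllocatePoolWithTag/ExFreePoolWithTag. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__GNUC__)
#define CALLER_ADDRESS() __builtin_return_address(0)
#else
#define CALLER_ADDRESS() ((void *)0)       /* no caller attribution */
#endif

typedef enum { NonPagedPool = 0, PagedPool = 1 } POOL_TYPE;
typedef struct TrackedAlloc {
    void *address; size_t size; uint32_t tag; POOL_TYPE type;
    void *caller;                          /* return address of the allocating call */
    struct TrackedAlloc *next;
} TrackedAlloc;
/* Arg2, Arg3 and Arg4 of bugcheck 0xC4 subcode 0x60. */
typedef struct { size_t pagedBytes, nonPagedBytes, count; } LeakSummary;
static TrackedAlloc *g_outstanding = NULL;

/* Render a tag as !verifier and poolmon do: four bytes in memory order,
 * non-printable ones as '.'. The post's tag 'a' (0x61) prints "a...". */
void FormatPoolTag(uint32_t tag, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)((tag >> (8 * i)) & 0xffu);
        out[i] = isprint(c) ? (char)c : '.';
    }
    out[4] = '\0';
}

void *TrackedAllocatePoolWithTag(POOL_TYPE type, size_t size, uint32_t tag) {
    void *block = malloc(size);
    TrackedAlloc *rec = block ? malloc(sizeof *rec) : NULL;
    if (!rec) { free(block); return NULL; }
    rec->address = block; rec->size = size; rec->tag = tag; rec->type = type;
    rec->caller = CALLER_ADDRESS();
    rec->next = g_outstanding; g_outstanding = rec;
    return block;
}

/* 0 on success; -1 and -2 are the two misuses Verifier bugchecks on. */
int TrackedFreePoolWithTag(void *block, uint32_t tag) {
    for (TrackedAlloc **pp = &g_outstanding; *pp; pp = &(*pp)->next) {
        TrackedAlloc *rec = *pp;
        if (rec->address != block) continue;
        if (rec->tag != tag) return -2;    /* tag mismatch */
        *pp = rec->next; free(rec->address); free(rec);
        return 0;
    }
    return -1;                             /* never allocated by this driver */
}

/* The check MiVerifyingDriverUnloading performs: whatever is still
 * outstanding is a leak. Prints the table and returns the totals. */
LeakSummary ReportLeaksOnUnload(FILE *out) {
    LeakSummary s = {0, 0, 0};
    if (out) fprintf(out, "PoolAddress  SizeInBytes  Tag   CallersAddress\n");
    for (TrackedAlloc *rec = g_outstanding; rec; rec = rec->next) {
        char tag[5];
        FormatPoolTag(rec->tag, tag);
        if (out) fprintf(out, "%p  0x%08zx  %s  %p\n", rec->address, rec->size, tag, rec->caller);
        if (rec->type == PagedPool) s.pagedBytes += rec->size; else s.nonPagedBytes += rec->size;
        s.count++;
    }
    return s;
}

void DiscardTracking(void) {               /* start the next scenario clean */
    while (g_outstanding) TrackedFreePoolWithTag(g_outstanding->address, g_outstanding->tag);
}

/* Scenario 1, the post's DriverEntry: 2000 bytes of NonPagedPool tagged 'a',
 * never freed, then unload. Expect count 1 and 0x7d0 nonpaged bytes. */
LeakSummary SimulateLeakyDriver(void) {
    DiscardTracking();
    (void)TrackedAllocatePoolWithTag(NonPagedPool, 2000, 'a');
    return ReportLeaksOnUnload(stdout);
}

/* Scenario 2, the fix: keep the pointer in driver-global state and release it
 * in DriverUnload, with a four-character tag (byte-reversed in source so the
 * tools display "Test"). Expect nothing outstanding. */
#define TAG_TEST 0x74736554u
static void *g_driverBuffer = NULL;
LeakSummary SimulateFixedDriver(void) {
    DiscardTracking();
    g_driverBuffer = TrackedAllocatePoolWithTag(NonPagedPool, 2000, TAG_TEST);
    if (g_driverBuffer) { TrackedFreePoolWithTag(g_driverBuffer, TAG_TEST); g_driverBuffer = NULL; }
    return ReportLeaksOnUnload(NULL);
}

int main(void) {
    LeakSummary s = SimulateLeakyDriver();  /* in the kernel: KeBugCheckEx(0xC4, 0x60, ...) */
    printf("%zu outstanding allocation(s), nonpaged 0x%zx bytes\n", s.count, s.nonPagedBytes);
    return s.count ? 1 : 0;
}
```

Running it prints one row in the same shape as the !verifier 3 table above and exits non-zero, the user-mode equivalent of the bugcheck; the fixed scenario returns an empty summary. The caller address is what the CallersAddress column gives you in the real tool, and the tag rendering shows why a one-byte tag like 'a' is hard to read in pool listings while a reversed four-character constant displays as intended.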


Latest replies (5)
Reply #2, 2014-4-24 10:24:
This code contains a memory-leak tracking system; at unload it points straight at the line that allocated the memory:
http://bbs.pediy.com/showthread.php?t=186793
Reply #3, 2014-4-24 12:29:
Never used verifier.
Reply #4, 2014-4-29 13:41:
Wow, what a great post. Bookmarked. Memory leaks are a notorious problem!
Reply #5, 2014-5-14 10:19:
Tried it out, works nicely. Marking this.
Reply #6, 2017-3-29 10:29:
BugCheck 3B, what should I do? The system has crashed several times; I'll give this tool a try.