WinDbg 를 이용한 커널 드라이버 디버깅 1. WinDbg 개요

1

1st S y s t e m K e r n e l C o n f e r e n c e www.syskon.co.kr

WinDbg 를 이용한 커널 드라이버 디버깅김 성 현

WinDbg 를 이용한 커널 드라이버 디버깅

1. WinDbg 개요

KOREA SYSTEM PROGRAMMER1st System Kernel Conference

2003.11.8

2



목차목차

강의목적WinDbg 개요WinDbg vs SoftICEWinDbg 화면구성Call StackWinDbg CommandsWinDbg Commands Examples

3



강의 목적강의 목적

No Power DebuggingEasy Debugging!덤프파일 활용 활성화블루스크린 발생시 빠른 분석과 정확한 원인 파악

4



WinDbg WinDbg 개요개요

WinDbg 다운로드 URLhttp://www.microsoft.com/whdc/ddk/debugging/installx86.msp지속적으로 업데이트

User 모드 , Kernel 모드 디버깅 가능CDB(Microsoft Console Debugger)KD(Microsoft Kernel Debugger, I386KD, IA64KD)

Live 디버깅응용프로그램 로컬 , 네트웍 디버깅 가능커널 , 드라이버 시리얼 디버깅 가능

덤프 디버깅Crash dump 분석분석에 용이한 각종 명령어 제공

5



WinDbg vs SoftICEWinDbg vs SoftICE

장점 / 단점 WinDbg SoftICE가격 $0 $???

덤프분석 O X (DriverWorkbench?)

App Debugging O O

MS Debug Symbol Support

O X (Symbol Retriever, SoftICE 2.7)

Windows 9x 지원 X O

Standalone 디버깅 X (APP 디버깅은 가능 )

O

수행속도 느림 (APP 디버깅은 빠름 )

빠름

6



WinDbg WinDbg 화면구성화면구성

7



WinDbg File MenuWinDbg File Menu

Open Executable – 응용프로그램을 디버거가 실행시키면서 디버깅Attatch to a Process – 이미 실행중인 프로세스를 디버깅 ( ex. 서비스 )Open Crash Dump – 덤프파일 디버깅 ( 유저덤프 , 커널덤프 모두 가능 )Connect to Remote Session – tcp, serial, 1394, npipe 등을 이용하여 리모트 디버깅 가능Kenel Debug – serial 연결된 시스템의 커널 디버깅 ( 1394 가능 )Symbol File Path …Source File Path …Image File Path …

8



WinDbg View MenuWinDbg View Menu

CommandWatchLocalsRegistersMemoryCall StackDisassemblyScratch PadProcess and Threads

9



WinDbg Debug MenuWinDbg Debug Menu

Go – F5Break – Ctrl + BreakStep Into – F11 or F8Step Over – F10Step Out – Shift + F11

10



Call StackCall Stack

WinDbg Call Stack WindowArgs – 함수 인자Func info – 함수 추가 정보Source – 소스파일과 라인 표시Addrs – 리턴 주소 ( RetAddr )Headings – ChildEBP RetAddr Args to ChildFrame Nums – 라인에 번호 붙이기Arg types – 함수 인자 타입

11




콜스택 분석문제 지점을 찾아내는 기본적인 정보함수의 호출순서 파악함수인자의 전달 파악자동 BackTrace – 디버거가 자동으로 수행수동 BackTrace – 디버거가 못하는 경우 수동으로

함수의 호출 순서를 찾아내야 함

12




호출규약 ( Calling Convention )

int _cdecl CFunc(int a, int b); calling function called function -------------- ----------------- push b _CFunc PROC NEAR (ebp+8, ebp+c) push a . call _CFunc RET add esp,8 _CFunc ENDP

호출규약 인자저장방향 스택복구 비고_cdecl 마지막부터 저장 호출한 함수에서 C, C++

_stdcall 마지막부터 저장 호출된 함수에서 Kernel, VB

_fastcall ECX, EDX, 마지막부터

호출된 함수에서 Delphi

this ECX(this), 마지막부터

호출한 함수에서 C++

naked 마지막부터 호출한 함수에서

13




호출규약 ( Calling Convention ) int _stdcall StdFunc(int a, int b);

calling function called function -------------- ------------- push b _StdFunc@8 PROC NEAR (ebp+8, ebp+c) push a . call _StdFunc@8 RET 8 . _StdFunc@8 ENDP

int _fastcall FastFunc(int a, int b); calling function called function ------------- ------------- mov edx, b @FastFunc@8 PROC NEAR (ecx, edx) mov ecx, a . call @FastFunc@8 RET 8 . @FastFunc@8 ENDP

14




콜스택 구성 calling function called function

-------------- -------------

push b _StdFunc@8 PROC NEAR

push a push ebp

call _StdFunc@8 mov ebp, esp

. sub esp, 8

mov eax, [ebp+8]

mov [ebp-4], eax

.

RET 8

_StdFunc@8 ENDP

Stack

…

…

…

b

a

ret

var 1var 2

ebp

15




01 f2569cf0 805522ba 00caadfc c0110080 00caad9c nt!IoCreateFile+0x36

NTKERNELAPI NTSTATUS IoCreateFile( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG Disposition, IN ULONG CreateOptions,

… );

16



Call StackCall Stacknt!NtCreateFile805522ac ff7510 push dword ptr [ebp+0x10]805522af ff750c push dword ptr [ebp+0xc]805522b2 ff7508 push dword ptr [ebp+0x8]805522b5 e8c0ebffff call nt!IoCreateFile (80550e7a)805522ba 5d pop ebp(01 f2569cf0 805522ba 00caadfc c0110080 00caad9c nt!IoCreateFile )Stackf2569cf0 : f2569d30 805522ba 00caadfc c0110080f2569d00 : 00caad9c 00caadd4 00000000 00000000

nt!IoCreateFile:80550e7a 55 push ebp80550e7b 8bec mov ebp,esp80550e7d 6a00 push 0x080550e7f 6a00 push 0x080550e81 ff753c push dword ptr [ebp+0x3c]80550e84 ff7538 push dword ptr [ebp+0x38]

17



WinDbg CommandsWinDbg Commands

Command PromptUniprocessor - kd>Multiprocessor - 0: kd>

Mode 구분 command유저모드 디버깅 전용커널모드 디버깅 전용

Target 구분 commandLive 디버깅 전용Dump 디버깅 전용

Platform 구분 commandX86, IA-64, AMD64

18




Command Help 의 Environment

Command 종류일반 command ( 일반적인 debugger

command )Meta-command ( . 로 시작하는 command )Extension command ( ! 로 시작하는 command )

Modes User mode, kernel mode

Targets Live debugging only

Platforms User mode: allKernel mode: x86 only

19




일반 CommandsA(Assemble), U(Unassemble)BL(Breakpoint List) , BC(Breakpoint Clear) BD(Breakpoint Disable), BE(Breakpoint Enable)BA(Break on Access)BP, BU(Set Breakpoint)

D, DA, DB, DW, DD(Display Memory)Dds(Display Words and Symbols)DL(Display Linked List) LIST_ENTRY or SINGLE_LIST_…DS, Ds(Display String)DT(Display Type)DV(Display Local Variable)K, KB, KD, KP, KV (Display Stack Backtrace)

20




일반 Commands cont.E, EA, EB, Ed, EW, EU(Enter Values)S(Search Memory)R(Register)

LD(Load Symbol)LM(List Loaded Symbols)LN(List Nearest Symbols)

G(Go), P(Step), PC(Step to Next Call)T(Trace), TB(Trace to Next Branch), TC(Trace to Next

Call)

WT(Trace and Watch Data)X(Examine Symbols)

21




BA (Break on Access)Sets a data breakpoint, which will be triggered when the specified memory is access

ed.Kernel-Mode Syntaxba[ID] Access Size [/p EProcess | /t EThread] [Address [Passes]] ["CommandString"]Access - The type of access which will satisfy the breakpoint:

e (execute), r (read/write), w (write), i (i/o) (Windows XP and Windows .NET Server only, kernel-mode only, x86 only) Breaks into the debugger when the I/O port at the specified Address is accessed.

Size - 1, 2, 4Passes – The numnber of times the breakpoint is to be passed.Environment

Modes User mode, kernel mode

Targets Live debugging only

Platform all

22



WinDbg Commands ExampleWinDbg Commands Examplekd> u IoCreateFilent!IoCreateFile:80550e7a 55 push ebp80550e7b 8bec mov ebp,esp80550e7d 6a00 push 0x080550e7f 6a00 push 0x080550e81 ff753c push dword ptr [ebp+0x3c]80550e84 ff7538 push dword ptr [ebp+0x38]kd> bp IoCreateFilekd> bl 0 e 80550e7a 0001 (0001) nt!IoCreateFile kd> gBreakpoint 0 hitnt!IoCreateFile:80550e7a 55 push ebpkd> kChildEBP RetAddr f28b1cf0 805522ba nt!IoCreateFilef28b1d30 8052a421 nt!NtCreateFile+0x2ef28b1d30 7ffe0304 nt!KiSystemService+0xc400bdf0d4 77f5b524 SharedUserData!SystemCallStub+0x4

23



WinDbg Commands ExampleWinDbg Commands Examplekd> kbChildEBP RetAddr Args to Child f28b1cf0 805522ba 00bdf178 c0100080 00bdf118 nt!IoCreateFilef28b1d30 8052a421 00bdf178 c0100080 00bdf118 nt!NtCreateFile+0x2ef28b1d30 7ffe0304 00bdf178 c0100080 00bdf118 nt!KiSystemService+0xc400bdf0d4 77f5b524 77e37b72 00bdf178 c0100080 SharedUserData!SystemCallStub+0x4kd> dt _OBJECT_ATTRIBUTES 00bdf118 +0x000 Length : 0x18 +0x004 RootDirectory : (null) +0x008 ObjectName : 0x00bdf158 "\??\PIPE\lsarpc" +0x00c Attributes : 0x40 +0x010 SecurityDescriptor : (null) +0x014 SecurityQualityOfService : 0x00bdf13c kd> bd 0kd> bl 0 d 80550e7a 0001 (0001) nt!IoCreateFile kd> ba w4 00bdf178kd> bl 0 d 80550e7a 0001 (0001) nt!IoCreateFile 1 e 00bdf178 w 4 0001 (0001)

24



WinDbg Commands ExampleWinDbg Commands Examplekd> gBreakpoint 1 hitnt!IopCreateFile+18f:805504bd 8b4514 mov eax,[ebp+0x14]kd> kChildEBP RetAddr f28b1ca8 80550eb0 nt!IopCreateFile+0x18ff28b1cf0 805522ba nt!IoCreateFile+0x36f28b1d30 8052a421 nt!NtCreateFile+0x2ekd> dd 00bdf178 L400bdf178 00000000 c0000000 00000003 00000000kd> gBreakpoint 1 hitnt!IopCreateFile+442:80550770 8b4b0c mov ecx,[ebx+0xc]kd> kf28b1ca8 80550eb0 nt!IopCreateFile+0x442f28b1cf0 805522ba nt!IoCreateFile+0x36f28b1d30 8052a421 nt!NtCreateFile+0x2ekd> dd 00bdf178 L400bdf178 00000184 c0000000 00000003 00000000

kd> bc 1kd> bc *kd> g

25



WinDbg CommandsWinDbg CommandsMeta-commands.bugcheck (Display Bug Check Data).cls (Clear Screen).ofilter (Filter Target Output).enable_unicode (Enable Unicode Display)

.crash (Force System Crash)

.dump (Create Dump File)

.reboot (Reboot Target Computer)

.cxr (Display Context Record)

.exr (Display Exception Record)

.ecxr (Display Exception Context Record)

.trap (Display Trap Frame)

26



WinDbg CommandsWinDbg CommandsMeta-commands cont..exepath (Set Executable Path).srcpath (Set Source Path).sympath (Set Symbol Path).symfix (Set Symbol Store Path).reload (Reload Module)

.context (Set User-Mode Address Context)

.process (Set Process Context)

.thread (Set Register Context)

.tss (Display Task State Segment)

.load (Load Extension DLL)

.unload (Unload Extension DLL)

27



WinDbg CommandsWinDbg CommandsDebugger Extension DLLsDefault Extensions - Kdextx86.dll, kdex2x86.dll, kdexts.dllNDIS Extensions – ndiskd.dllGraphics Driver Extensions – gdikdx.dllCustom Extension DLL - 직접 작성 가능

Debugger extension commands!analyze - displays information about the current bug check!cpuid - displays information about the processors on the system!error - decodes and displays information about an error value!gle - displays the last error value for the current thread!obja - displays the attributes of an object in the object manager!peb - displays a formatted view of the information in the process envir

onment block (PEB)!teb - displays a formatted view of the information in the thread environ

ment block (TEB)!token - displays a formatted view of a security token object

28




Kernel-Mode Extension Commands!process - displays information about the specified process or all!stacks - displays information about the current kernel stacks!thread - displays summary information about a thread !zombies - displays all dead ("zombie") processes or threads!drivers - displays a list of all drivers loaded!devnode - displays information about a node in the device tree!devobj - displays detailed information about a DEVICE_OBJECT!devstack - displays a formatted view of the device stack!drvobj - displays detailed information about a DRIVER_OBJECT!object - displays information about a system object!irp - displays information about an I/O request packet (IRP)!irpfind - displays information about all I/O request packets (IRP)!apc - displays the contents of one or more asynchronous procedure ca

lls (APCs)

29




Kernel-Mode Extension Commands cont.!exqueue - displays information about a specific pool allocation!pool - displays information about a specific pool allocation!poolfind - finds all instances of a specific pool tag !poolused - memory use summaries!poolval - analyzes the headers for a pool page !pcr - displays the current status of the Processor Control Region!prcb - displays the processor control block (PRCB).!srb - displays information about a SCSI Request Block (SRB)!vpb - displays a volume parameter block (VPB)!deadlock - displays information about deadlocks !locks - displays information about kernel ERESOURCE locks!verifier - displays the status of Driver Verifier and its actions

30



Extension Commands Extension Commands ExampleExample

kd> bp IofCallDriverkd> bl 0 e 804e8188 0001 (0001) nt!IofCallDriver

kd> gBreakpoint 0 hitnt!IofCallDriver:804e8188 ff2580875380 jmp dword ptr [nt!pIofCallDriver (80538780)]kd> kbChildEBP RetAddr Args to Child f2575c44 8055887c 810d9c90 0012f99c 816bc008 nt!IofCallDriverf2575c58 805595a7 815d2ec8 816bc008 810d9c90 nt!IopSynchronousServiceTail+0x5ef2575d00 80552468 0000074c 00000750 00000000 nt!IopXxxControlFile+0x5a5f2575d34 8052a421 0000074c 00000750 00000000 nt!NtDeviceIoControlFile+0x28f2575d34 7ffe0304 0000074c 00000750 00000000 nt!KiSystemService+0xc4kd> !object ecxObject: 815d2ec8 Type: (81795ad0) Device ObjectHeader: 815d2eb0 HandleCount: 0 PointerCount: 3 Directory Object: e1006588 Name: Afd

#define IoCallDriver(a,b) \#define IoCallDriver(a,b) \ IofCallDriver(a,b)IofCallDriver(a,b)

NTKERNELAPI NTSTATUS FASTCALLNTKERNELAPI NTSTATUS FASTCALLIofCallDriver(IofCallDriver( IN PDEVICE_OBJECT DeviceObject,IN PDEVICE_OBJECT DeviceObject, IN OUT PIRP Irp );IN OUT PIRP Irp );

31




kd> !devobj ecxDevice object (815d2ec8) is for: Afd \Driver\AFD DriverObject 815fa040Current Irp 00000000 RefCount 61 Type 00000011 Flags 00000050Dacl e1299a5c DevExt 00000000 DevObjExt 815d2f80 ExtensionFlags (0000000000) Device queue is not busy.kd> dt DEVICE_OBJECT 815d2ec8 +0x000 Type : 3 +0x002 Size : 0xb8 +0x004 ReferenceCount : 61 +0x008 DriverObject : 0x815fa040 +0x00c NextDevice : (null) +0x010 AttachedDevice : (null) +0x014 CurrentIrp : (null) +0x018 Timer : (null) +0x01c Flags : 0x50 +0x020 Characteristics : 0 +0x024 Vpb : (null) +0x028 DeviceExtension : (null)

+0x028 DeviceExtension : (null) +0x02c DeviceType : 0x11 +0x030 StackSize : 4 '' +0x034 Queue : __unnamed +0x05c AlignmentRequirement : 0 +0x060 DeviceQueue : _KDEVICE_QUEUE +0x074 Dpc : _KDPC +0x094 ActiveThreadCount : 0 +0x098 SecurityDescriptor : 0xe1299a48 +0x09c DeviceLock : _KEVENT +0x0ac SectorSize : 0 +0x0ae Spare1 : 0 +0x0b0 DeviceObjectExtension : 0x815d2f80 +0x0b4 Reserved : (null)

32




kd> !devstack ecx !DevObj !DrvObj !DevExt ObjectName> 815d2ec8 \Driver\AFD 00000000 Afdkd> !drvobj 815fa040Driver object (815fa040) is for: \Driver\AFDDriver Extension List: (id , addr)Device Object list:815d2ec8 kd> dt DRIVER_OBJECT 815fa040 +0x000 Type : 4 +0x002 Size : 168 +0x004 DeviceObject : 0x815d2ec8 +0x008 Flags : 0x12 +0x00c DriverStart : 0xf2aea000 +0x010 DriverSize : 0x1fe80 +0x014 DriverSection : 0x816b2688 +0x018 DriverExtension : 0x815fa0e8 +0x01c DriverName : _UNICODE_STRING "\Driver\AFD"

+0x024 HardwareDatabase : 0x806488b4 "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"

+0x028 FastIoDispatch : 0xf2aec228 +0x02c DriverInit : 0xf2b06952

afd!DriverEntry+0 +0x030 DriverStartIo : (null) +0x034 DriverUnload : 0xf2af0ab7

afd!AfdUnload+0 +0x038 MajorFunction : [28] 0xf2af4

e88 afd!AfdDispatch+0

33




kd> !irp edx 2Irp is active with 4 stacks 5 is current (= 0x816bc108) No Mdl System buffer = 8167cb18 Thread 812eeba8: Irp is completed. Flags = 00000070ThreadListEntry.Flink = 812eedb8ThreadListEntry.Blink = 812eedb8IoStatus.Status = 00000000IoStatus.Information = 00000000RequestorMode = 00000001Cancel = 00CancelIrql = 0ApcEnvironment = 00UserIosb = 0012f958UserEvent = 810d9c48… cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ e, 0] 0 0 00000000 810d9c90 00000000-00000000

Args: 0000001c 0000001c 00012024 00000000

34




kd> !pool edxPool page 816bc008 region is Nonpaged pool*816bc000 size: 198 previous size: 0 (Allocated) *Irp

Pooltag Irp : Io, IRP packets 816bc198 size: 10 previous size: 198 (Free) .... 816bc1a8 size: 118 previous size: 10 (Allocated) Ntfi 816bc2c0 size: 118 previous size: 118 (Allocated) Ntfi … 816bc838 size: 118 previous size: 118 (Allocated) Ntfi 816bc950 size: 8 previous size: 118 (Free) Ntfi 816bc958 size: 20 previous size: 8 (Allocated) ReTa 816bc978 size: 28 previous size: 20 (Allocated) FSfm 816bc9a0 size: 20 previous size: 28 (Free) CcSc 816bc9c0 size: 118 previous size: 20 (Allocated) Ntfi 816bcad8 size: 118 previous size: 118 (Allocated) Ntfi 816bcbf0 size: a8 previous size: 118 (Allocated) File (Protected)kd> db 816bc000816bc000 00 00 33 0a 49 72 70 20-06 00 90 01 00 00 00 00 ..3.Irp ........816bc010 70 00 00 00 18 cb 67 81-b8 ed 2e 81 b8 ed 2e 81 p.....g.........816bc020 00 00 00 00 00 00 00 00-01 00 04 05 00 00 00 0c ................

35



Q&AQ&A

Documents

WinDbg 를 이용한 커널 드라이버 디버깅 1. WinDbg 개요