Kernel Driver Debugging with WinDbg, Part 1: WinDbg Overview
KOREA SYSTEM PROGRAMMER 1st System Kernel Conference, 2003.11.8



  1. Kernel Driver Debugging with WinDbg, Part 1: WinDbg Overview
     KOREA SYSTEM PROGRAMMER 1st System Kernel Conference, 2003.11.8

  2. Contents
  • Purpose of the lecture
  • WinDbg overview
  • WinDbg vs SoftICE
  • WinDbg screen layout
  • Call Stack
  • WinDbg Commands
  • WinDbg Commands Examples

  3. Purpose of the lecture
  • No "power debugging"
  • Easy debugging!
  • Encourage the use of dump files
  • Fast analysis and accurate root-cause identification when a blue screen occurs

  4. WinDbg overview
  • WinDbg download URL: http://www.microsoft.com/whdc/ddk/debugging/installx86.msp
  • Updated continuously
  • Supports both user-mode and kernel-mode debugging
  • CDB (Microsoft Console Debugger)
  • KD (Microsoft Kernel Debugger: I386KD, IA64KD)
  • Live debugging: applications locally or over the network; the kernel and drivers over a serial connection
  • Dump debugging: crash dump analysis
  • Provides many commands that make analysis easier

  5. WinDbg vs SoftICE

  6. WinDbg 화면구성

  7. WinDbg File Menu
  • Open Executable – the debugger launches the application and debugs it from the start
  • Attach to a Process – debug a process that is already running (e.g. a service)
  • Open Crash Dump – debug a dump file (user dumps and kernel dumps both work)
  • Connect to Remote Session – remote debugging over tcp, serial, 1394, npipe, etc.
  • Kernel Debug – kernel debugging of a system connected over serial (1394 also possible)
  • Symbol File Path …
  • Source File Path …
  • Image File Path …

  8. WinDbg View Menu • Command • Watch • Locals • Registers • Memory • Call Stack • Disassembly • Scratch Pad • Process and Threads

  9. WinDbg Debug Menu • Go – F5 • Break – Ctrl + Break • Step Into – F11 or F8 • Step Over – F10 • Step Out – Shift + F11

  10. Call Stack
  • WinDbg Call Stack window options
  • Args – function arguments
  • Func info – additional function information
  • Source – source file and line number
  • Addrs – return addresses (RetAddr)
  • Headings – the "ChildEBP RetAddr Args to Child" column header
  • Frame Nums – number each frame line
  • Arg types – argument types

  11. Call Stack
  • Call stack analysis
  • The basic information for locating the point of failure
  • Shows the order in which functions were called
  • Shows the arguments passed to each function
  • Automatic backtrace – the debugger does it for you
  • Manual backtrace – when the debugger cannot (typically because the saved-EBP chain is corrupt or the code was built without frame pointers), you must recover the call order by hand from the raw stack

  12. Call Stack
  • Calling convention: _cdecl (the caller removes the arguments)

    int _cdecl CFunc(int a, int b);

    calling function          called function
    ----------------          ---------------
    push b                    _CFunc PROC NEAR      ; a at [ebp+8], b at [ebp+0xc]
    push a                      ...
    call _CFunc                 RET
    add esp, 8                _CFunc ENDP

  13. Call Stack
  • Calling convention: _stdcall (the callee removes the arguments; the name is decorated with the argument byte count)

    int _stdcall StdFunc(int a, int b);

    calling function          called function
    ----------------          ---------------
    push b                    _StdFunc@8 PROC NEAR  ; a at [ebp+8], b at [ebp+0xc]
    push a                      ...
    call _StdFunc@8             RET 8
                              _StdFunc@8 ENDP

  • Calling convention: _fastcall (the first two DWORD-sized arguments travel in ECX and EDX)

    int _fastcall FastFunc(int a, int b);

    calling function          called function
    ----------------          ---------------
    mov edx, b                @FastFunc@8 PROC NEAR ; a in ecx, b in edx
    mov ecx, a                  ...
    call @FastFunc@8            RET                 ; both arguments came in registers, so there is nothing on the stack to pop
                              @FastFunc@8 ENDP

    Note that kb's "Args to Child" columns are read from [ebp+8] onward, so for a _fastcall function they show stack slots, not the real arguments.

  14. Call Stack
  • Building the stack frame

    calling function          called function
    ----------------          ---------------
    push b                    _StdFunc@8 PROC NEAR
    push a                      push ebp            ; save the caller's frame pointer
    call _StdFunc@8             mov ebp, esp        ; ebp now anchors this frame
                                sub esp, 8          ; room for two local variables
                                mov eax, [ebp+8]    ; a
                                mov [ebp-4], eax    ; var 1 = a
                                ...
                                RET 8
                              _StdFunc@8 ENDP

    Resulting frame (lower addresses at the top):

      [ebp-8]    var 2
      [ebp-4]    var 1
      [ebp]      saved ebp   <- the ChildEBP column in k output
      [ebp+4]    ret         <- RetAddr
      [ebp+8]    a           <- Args to Child
      [ebp+0xc]  b

  15. Call Stack
  • One frame of kb output (Frame Nums enabled) and the prototype it corresponds to; the three "Args to Child" values are the first three parameters in declaration order

    01 f2569cf0 805522ba 00caadfc c0110080 00caad9c nt!IoCreateFile+0x36

    NTKERNELAPI NTSTATUS IoCreateFile(
        OUT PHANDLE FileHandle,                     // 00caadfc
        IN ACCESS_MASK DesiredAccess,               // c0110080
        IN POBJECT_ATTRIBUTES ObjectAttributes,     // 00caad9c
        OUT PIO_STATUS_BLOCK IoStatusBlock,
        IN PLARGE_INTEGER AllocationSize OPTIONAL,
        IN ULONG FileAttributes,
        IN ULONG ShareAccess,
        IN ULONG Disposition,
        IN ULONG CreateOptions,
        … );

  16. Call Stack
  • Where that frame line comes from: the caller's call instruction, the return address it leaves behind, and the raw stack dwords at ChildEBP

    nt!NtCreateFile:
    805522ac ff7510      push dword ptr [ebp+0x10]
    805522af ff750c      push dword ptr [ebp+0xc]
    805522b2 ff7508      push dword ptr [ebp+0x8]
    805522b5 e8c0ebffff  call nt!IoCreateFile (80550e7a)
    805522ba 5d          pop ebp                    <- RetAddr of the IoCreateFile frame

    (01 f2569cf0 805522ba 00caadfc c0110080 00caad9c nt!IoCreateFile)

    Stack
    f2569cf0 : f2569d30 805522ba 00caadfc c0110080   <- saved ebp, return address, FileHandle, DesiredAccess
    f2569d00 : 00caad9c 00caadd4 00000000 00000000   <- ObjectAttributes, then the remaining arguments

    nt!IoCreateFile:
    80550e7a 55          push ebp
    80550e7b 8bec        mov ebp,esp
    80550e7d 6a00        push 0x0
    80550e7f 6a00        push 0x0
    80550e81 ff753c      push dword ptr [ebp+0x3c]
    80550e84 ff7538      push dword ptr [ebp+0x38]
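The frame layout on slides 14 to 16 is exactly what kb follows: read the saved EBP at [ebp], the return address at [ebp+4], three argument dwords, then hop to the saved EBP and repeat. As an added example that is not part of the original slides, the C program below does that walk over a captured 32-bit stack image. The first eight dwords of the image are the two "Stack" lines from slide 16; the NtCreateFile frame at f2569d30 and the terminating frame at f2569d70 are assumptions constructed so the walk has somewhere to go. The second run corrupts one saved EBP so that it points back down the stack, which is the point where automatic backtrace stops and the manual backtrace of slide 11 begins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One frame as WinDbg's kb prints it for x86 code built with frame pointers. */
typedef struct {
    uint32_t child_ebp;   /* value of EBP inside this frame */
    uint32_t ret_addr;    /* [ebp+4]: return address into the caller */
    uint32_t args[3];     /* [ebp+8], [ebp+0xc], [ebp+0x10]: "Args to Child" */
} frame_t;

enum { MAX_FRAMES = 16, NDWORDS = 36 };
#define STACK_BASE 0xf2569cf0u   /* address of stack_image[0] */

/* Constructed stack image. The first eight dwords are the two "Stack" lines from the slide
 * (IoCreateFile's frame). The frames at f2569d30 and f2569d70 are assumed, not from the slide. */
static const uint32_t stack_image[NDWORDS] = {
    /* f2569cf0 */ 0xf2569d30, 0x805522ba, 0x00caadfc, 0xc0110080,
    /* f2569d00 */ 0x00caad9c, 0x00caadd4, 0x00000000, 0x00000000,
    /* f2569d10 */ 0, 0, 0, 0,
    /* f2569d20 */ 0, 0, 0, 0,
    /* f2569d30 */ 0xf2569d70, 0x8052a421, 0x00caadfc, 0xc0110080,   /* assumed NtCreateFile frame */
    /* f2569d40 */ 0x00caad9c, 0, 0, 0,
    /* f2569d50 */ 0, 0, 0, 0,
    /* f2569d60 */ 0, 0, 0, 0,
    /* f2569d70 */ 0x00000000, 0x7ffe0304, 0, 0,                       /* assumed; saved EBP 0 ends the chain */
};

/* Little-endian dword read from the image; fails if addr is unaligned or outside the capture. */
static int read_dword(const uint32_t *img, uint32_t base, uint32_t addr, uint32_t *out)
{
    if (addr < base || (addr & 3) || (addr - base) / 4 >= (uint32_t)NDWORDS)
        return -1;
    *out = img[(addr - base) / 4];
    return 0;
}

/* Walk the saved-EBP chain the way kb does. Every frame must lie inside the capture and every saved
 * EBP must be higher than the current one (the stack grows down); anything else means the chain is
 * corrupt or the code was built without frame pointers, and the walk stops with *chain_ok = 0. */
int walk_ebp_chain(const uint32_t *img, uint32_t base, uint32_t ebp,
                   frame_t *out, int max_frames, int *chain_ok)
{
    int n = 0;
    *chain_ok = 1;
    while (ebp != 0 && n < max_frames) {
        uint32_t saved_ebp, ret;
        if (read_dword(img, base, ebp, &saved_ebp) || read_dword(img, base, ebp + 4, &ret)) {
            *chain_ok = 0;                 /* frame runs off the end of the captured stack */
            break;
        }
        out[n].child_ebp = ebp;
        out[n].ret_addr = ret;
        for (int i = 0; i < 3; i++)        /* kb prints whatever sits there; missing memory shown as 0 */
            if (read_dword(img, base, ebp + 8 + 4 * i, &out[n].args[i]))
                out[n].args[i] = 0;
        n++;
        if (saved_ebp != 0 && saved_ebp <= ebp) {
            *chain_ok = 0;                 /* saved EBP does not point up the stack: chain broken */
            break;
        }
        ebp = saved_ebp;
    }
    return n;
}

frame_t g_frames[MAX_FRAMES];
int g_chain_ok;

/* Run the walk over the clean image, or over a copy whose NtCreateFile frame has a bad saved EBP. */
int run_walk(int corrupt)
{
    uint32_t img[NDWORDS];
    memcpy(img, stack_image, sizeof img);
    if (corrupt)
        img[16] = 0xf2569cf0u;             /* saved EBP at f2569d30 now points back down the stack */
    return walk_ebp_chain(img, STACK_BASE, STACK_BASE, g_frames, MAX_FRAMES, &g_chain_ok);
}

int main(void)
{
    for (int corrupt = 0; corrupt < 2; corrupt++) {
        int n = run_walk(corrupt);
        printf("%s image:\nChildEBP RetAddr  Args to Child\n", corrupt ? "corrupt" : "clean");
        for (int i = 0; i < n; i++)
            printf("%08x %08x %08x %08x %08x\n", g_frames[i].child_ebp, g_frames[i].ret_addr,
                   g_frames[i].args[0], g_frames[i].args[1], g_frames[i].args[2]);
        if (!g_chain_ok)
            printf("EBP chain broken after %d frame(s): continue by hand (dd the stack, look for return addresses)\n", n);
    }
    return 0;
}
```

The clean run reproduces the slide's first frame (ChildEBP f2569cf0, RetAddr 805522ba, arguments 00caadfc c0110080 00caad9c) and then the two assumed frames; the corrupt run stops after two frames and flags the chain, which is when you switch to dumping the stack with dd and looking for return addresses that ln resolves to code.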

  17. WinDbg Commands
  • Command prompt: uniprocessor "kd>", multiprocessor "0: kd>" (the number is the processor the debugger is currently on)
  • Commands restricted by mode: user-mode debugging only, kernel-mode debugging only
  • Commands restricted by target: live debugging only, dump debugging only
  • Commands restricted by platform: x86, IA-64, AMD64

  18. WinDbg Commands
  • The "Environment" section of each command's help lists these mode, target and platform restrictions
  • Command types:
  • Regular commands (ordinary debugger commands)
  • Meta-commands (start with .)
  • Extension commands (start with !)

  19. WinDbg Commands
  • Regular commands
  • A (Assemble), U (Unassemble)
  • BL (Breakpoint List), BC (Breakpoint Clear)
  • BD (Breakpoint Disable), BE (Breakpoint Enable)
  • BA (Break on Access)
  • BP, BU (Set Breakpoint; BU stays unresolved until the module loads)
  • D, DA, DB, DW, DD (Display Memory)
  • DDS (Display Words and Symbols)
  • DL (Display Linked List) – LIST_ENTRY or SINGLE_LIST_…
  • DS, dS (Display String: ANSI_STRING / UNICODE_STRING)
  • DT (Display Type)
  • DV (Display Local Variables)
  • K, KB, KD, KP, KV (Display Stack Backtrace)

  20. WinDbg Commands
  • Regular commands (cont.)
  • E, EA, EB, ED, EW, EU (Enter Values)
  • S (Search Memory)
  • R (Register)
  • LD (Load Symbols)
  • LM (List Loaded Modules)
  • LN (List Nearest Symbols)
  • G (Go), P (Step), PC (Step to Next Call)
  • T (Trace), TB (Trace to Next Branch), TC (Trace to Next Call)
  • WT (Trace and Watch Data)
  • X (Examine Symbols)

  21. WinDbg Commands
  • BA (Break on Access) – sets a data breakpoint, which is triggered when the specified memory is accessed

    Kernel-mode syntax:
      ba[ID] Access Size [/p EProcess | /t EThread] [Address [Passes]] ["CommandString"]

    Access – the type of access that satisfies the breakpoint:
      e (execute), r (read or write), w (write),
      i (I/O; Windows XP and Windows .NET Server only, kernel mode only, x86 only) –
        breaks into the debugger when the I/O port at the specified Address is accessed
    Size – 1, 2 or 4
    Passes – the number of times the breakpoint is to be passed before it fires

  • Environment

  22. WinDbg Commands Example
  • Break on IoCreateFile and look at the stack

    kd> u IoCreateFile
    nt!IoCreateFile:
    80550e7a 55          push ebp
    80550e7b 8bec        mov ebp,esp
    80550e7d 6a00        push 0x0
    80550e7f 6a00        push 0x0
    80550e81 ff753c      push dword ptr [ebp+0x3c]
    80550e84 ff7538      push dword ptr [ebp+0x38]
    kd> bp IoCreateFile
    kd> bl
     0 e 80550e7a     0001 (0001) nt!IoCreateFile
    kd> g
    Breakpoint 0 hit
    nt!IoCreateFile:
    80550e7a 55          push ebp
    kd> k
    ChildEBP RetAddr
    f28b1cf0 805522ba nt!IoCreateFile
    f28b1d30 8052a421 nt!NtCreateFile+0x2e
    f28b1d30 7ffe0304 nt!KiSystemService+0xc4
    00bdf0d4 77f5b524 SharedUserData!SystemCallStub+0x4

  23. WinDbg Commands Example
  • kb adds the first three arguments; the third argument to IoCreateFile is the OBJECT_ATTRIBUTES pointer, so dt shows which object is being opened

    kd> kb
    ChildEBP RetAddr  Args to Child
    f28b1cf0 805522ba 00bdf178 c0100080 00bdf118 nt!IoCreateFile
    f28b1d30 8052a421 00bdf178 c0100080 00bdf118 nt!NtCreateFile+0x2e
    f28b1d30 7ffe0304 00bdf178 c0100080 00bdf118 nt!KiSystemService+0xc4
    00bdf0d4 77f5b524 77e37b72 00bdf178 c0100080 SharedUserData!SystemCallStub+0x4
    kd> dt _OBJECT_ATTRIBUTES 00bdf118
       +0x000 Length                   : 0x18
       +0x004 RootDirectory            : (null)
       +0x008 ObjectName               : 0x00bdf158  "\??\PIPE\lsarpc"
       +0x00c Attributes               : 0x40
       +0x010 SecurityDescriptor       : (null)
       +0x014 SecurityQualityOfService : 0x00bdf13c

  • Disable the code breakpoint and instead watch the FileHandle output parameter (first argument, 00bdf178) for a 4-byte write

    kd> bd 0
    kd> bl
     0 d 80550e7a     0001 (0001) nt!IoCreateFile
    kd> ba w4 00bdf178
    kd> bl
     0 d 80550e7a     0001 (0001) nt!IoCreateFile
     1 e 00bdf178 w 4 0001 (0001)

  24. WinDbg Commands Example
  • A data breakpoint fires after the writing instruction has executed, so the instruction displayed is the next one. After the first write the handle slot still reads 0; after the second it holds the real handle, 0x184

    kd> g
    Breakpoint 1 hit
    nt!IopCreateFile+0x18f:
    805504bd 8b4514      mov eax,[ebp+0x14]
    kd> k
    ChildEBP RetAddr
    f28b1ca8 80550eb0 nt!IopCreateFile+0x18f
    f28b1cf0 805522ba nt!IoCreateFile+0x36
    f28b1d30 8052a421 nt!NtCreateFile+0x2e
    kd> dd 00bdf178 L4
    00bdf178  00000000 c0000000 00000003 00000000
    kd> g
    Breakpoint 1 hit
    nt!IopCreateFile+0x442:
    80550770 8b4b0c      mov ecx,[ebx+0xc]
    kd> k
    ChildEBP RetAddr
    f28b1ca8 80550eb0 nt!IopCreateFile+0x442
    f28b1cf0 805522ba nt!IoCreateFile+0x36
    f28b1d30 8052a421 nt!NtCreateFile+0x2e
    kd> dd 00bdf178 L4
    00bdf178  00000184 c0000000 00000003 00000000
    kd> bc 1
    kd> bc *
    kd> g

  25. WinDbg Commands • Meta-commands • .bugcheck (Display Bug Check Data) • .cls (Clear Screen) • .ofilter (Filter Target Output) • .enable_unicode (Enable Unicode Display) • .crash (Force System Crash) • .dump (Create Dump File) • .reboot (Reboot Target Computer) • .cxr (Display Context Record) • .exr (Display Exception Record) • .ecxr (Display Exception Context Record) • .trap (Display Trap Frame)

  26. WinDbg Commands • Meta-commands cont. • .exepath (Set Executable Path) • .srcpath (Set Source Path) • .sympath (Set Symbol Path) • .symfix (Set Symbol Store Path) • .reload (Reload Module) • .context (Set User-Mode Address Context) • .process (Set Process Context) • .thread (Set Register Context) • .tss (Display Task State Segment) • .load (Load Extension DLL) • .unload (Unload Extension DLL)

  27. WinDbg Commands
  • Debugger extension DLLs
    Default extensions – Kdextx86.dll, kdex2x86.dll, kdexts.dll
    NDIS extensions – ndiskd.dll
    Graphics driver extensions – gdikdx.dll
    Custom extension DLL – you can write your own
  • Debugger extension commands
  • !analyze – displays information about the current bug check
  • !cpuid – displays information about the processors on the system
  • !error – decodes and displays information about an error value
  • !gle – displays the last error value for the current thread
  • !obja – displays the attributes of an object in the object manager
  • !peb – displays a formatted view of the information in the process environment block (PEB)
  • !teb – displays a formatted view of the information in the thread environment block (TEB)
  • !token – displays a formatted view of a security token object

  28. WinDbg Commands
  • Kernel-Mode Extension Commands
  • !process – displays information about the specified process, or about all processes
  • !stacks – displays information about the current kernel stacks
  • !thread – displays summary information about a thread
  • !zombies – displays all dead ("zombie") processes or threads
  • !drivers – displays a list of all loaded drivers
  • !devnode – displays information about a node in the device tree
  • !devobj – displays detailed information about a DEVICE_OBJECT
  • !devstack – displays a formatted view of the device stack
  • !drvobj – displays detailed information about a DRIVER_OBJECT
  • !object – displays information about a system object
  • !irp – displays information about an I/O request packet (IRP)
  • !irpfind – displays information about all I/O request packets (IRPs)
  • !apc – displays the contents of one or more asynchronous procedure calls (APCs)

  29. WinDbg Commands
  • Kernel-Mode Extension Commands cont.
  • !exqueue – displays the executive worker queues
  • !pool – displays information about a specific pool allocation
  • !poolfind – finds all instances of a specific pool tag
  • !poolused – memory use summaries by pool tag
  • !poolval – analyzes the headers for a pool page
  • !pcr – displays the current status of the Processor Control Region
  • !prcb – displays the processor control block (PRCB)
  • !srb – displays information about a SCSI Request Block (SRB)
  • !vpb – displays a volume parameter block (VPB)
  • !deadlock – displays information about deadlocks
  • !locks – displays information about kernel ERESOURCE locks
  • !verifier – displays the status of Driver Verifier and its actions

  30. Extension Commands Example
  • IofCallDriver is FASTCALL, so at the breakpoint ecx holds the DEVICE_OBJECT and edx the IRP, and the extension commands can be given the registers directly. The "Args to Child" columns kb prints for nt!IofCallDriver are stack slots, not its arguments. Note also the indirect jump through nt!pIofCallDriver: Driver Verifier redirects this pointer into its own IovCallDriver when it is active, so it is worth checking when behaviour differs from the plain IofCallDriver

    #define IoCallDriver(a,b) IofCallDriver(a,b)

    NTKERNELAPI NTSTATUS FASTCALL IofCallDriver(
        IN PDEVICE_OBJECT DeviceObject,   // ecx
        IN OUT PIRP Irp                   // edx
        );

    kd> bp IofCallDriver
    kd> bl
     0 e 804e8188     0001 (0001) nt!IofCallDriver
    kd> g
    Breakpoint 0 hit
    nt!IofCallDriver:
    804e8188 ff2580875380  jmp dword ptr [nt!pIofCallDriver (80538780)]
    kd> kb
    ChildEBP RetAddr  Args to Child
    f2575c44 8055887c 810d9c90 0012f99c 816bc008 nt!IofCallDriver
    f2575c58 805595a7 815d2ec8 816bc008 810d9c90 nt!IopSynchronousServiceTail+0x5e
    f2575d00 80552468 0000074c 00000750 00000000 nt!IopXxxControlFile+0x5a5
    f2575d34 8052a421 0000074c 00000750 00000000 nt!NtDeviceIoControlFile+0x28
    f2575d34 7ffe0304 0000074c 00000750 00000000 nt!KiSystemService+0xc4
    kd> !object ecx
    Object: 815d2ec8  Type: (81795ad0) Device
        ObjectHeader: 815d2eb0
        HandleCount: 0  PointerCount: 3
        Directory Object: e1006588  Name: Afd

  31. Extension Commands Example
  • The device object behind the Afd name, first through !devobj and then as the raw structure

    kd> !devobj ecx
    Device object (815d2ec8) is for:
     Afd \Driver\AFD DriverObject 815fa040
    Current Irp 00000000 RefCount 61 Type 00000011 Flags 00000050
    Dacl e1299a5c DevExt 00000000 DevObjExt 815d2f80
    ExtensionFlags (0000000000)
    Device queue is not busy.
    kd> dt DEVICE_OBJECT 815d2ec8
       +0x000 Type                  : 3
       +0x002 Size                  : 0xb8
       +0x004 ReferenceCount        : 61
       +0x008 DriverObject          : 0x815fa040
       +0x00c NextDevice            : (null)
       +0x010 AttachedDevice        : (null)
       +0x014 CurrentIrp            : (null)
       +0x018 Timer                 : (null)
       +0x01c Flags                 : 0x50
       +0x020 Characteristics       : 0
       +0x024 Vpb                   : (null)
       +0x028 DeviceExtension       : (null)
       +0x02c DeviceType            : 0x11
       +0x030 StackSize             : 4 ''
       +0x034 Queue                 : __unnamed
       +0x05c AlignmentRequirement  : 0
       +0x060 DeviceQueue           : _KDEVICE_QUEUE
       +0x074 Dpc                   : _KDPC
       +0x094 ActiveThreadCount     : 0
       +0x098 SecurityDescriptor    : 0xe1299a48
       +0x09c DeviceLock            : _KEVENT
       +0x0ac SectorSize            : 0
       +0x0ae Spare1                : 0
       +0x0b0 DeviceObjectExtension : 0x815d2f80
       +0x0b4 Reserved              : (null)

  32. Extension Commands Example
  • The device stack (AFD has nothing attached above it) and its driver object; DriverStart and DriverSize bound the driver image, and the dispatch entry points follow

    kd> !devstack ecx
      !DevObj   !DrvObj            !DevExt   ObjectName
    > 815d2ec8  \Driver\AFD        00000000  Afd
    kd> !drvobj 815fa040
    Driver object (815fa040) is for:
     \Driver\AFD
    Driver Extension List: (id , addr)
    Device Object list:
    815d2ec8
    kd> dt DRIVER_OBJECT 815fa040
       +0x000 Type             : 4
       +0x002 Size             : 168
       +0x004 DeviceObject     : 0x815d2ec8
       +0x008 Flags            : 0x12
       +0x00c DriverStart      : 0xf2aea000
       +0x010 DriverSize       : 0x1fe80
       +0x014 DriverSection    : 0x816b2688
       +0x018 DriverExtension  : 0x815fa0e8
       +0x01c DriverName       : _UNICODE_STRING "\Driver\AFD"
       +0x024 HardwareDatabase : 0x806488b4  "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
       +0x028 FastIoDispatch   : 0xf2aec228
       +0x02c DriverInit       : 0xf2b06952   afd!DriverEntry+0
       +0x030 DriverStartIo    : (null)
       +0x034 DriverUnload     : 0xf2af0ab7   afd!AfdUnload+0
       +0x038 MajorFunction    : [28] 0xf2af4e88   afd!AfdDispatch+0
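Every code pointer in a DRIVER_OBJECT (DriverInit, DriverUnload and the 28 MajorFunction entries) should land inside the image bounded by DriverStart and DriverSize, or inside nt for major functions the driver never registered, because the I/O manager fills those with nt!IopInvalidDeviceRequest. A pointer anywhere else means something has patched the dispatch table, which is the classic way a rootkit filters a driver's I/O. As an added example that is not part of the slides, the C program below applies that rule to the AFD values from the dt output. dt printed only MajorFunction[0], so the other 27 entries, the nt image range and the address standing in for IopInvalidDeviceRequest are assumptions; the second run redirects IRP_MJ_DEVICE_CONTROL to a constructed pool address to show what a hooked entry looks like.

```c
#include <stdint.h>
#include <stdio.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b          /* MajorFunction[] has 28 entries */
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define IRP_MJ_PNP              0x1b
#define NUM_MAJOR (IRP_MJ_MAXIMUM_FUNCTION + 1)

/* The DRIVER_OBJECT fields the check uses, with their offsets from the dt output on the slide. */
typedef struct {
    uint32_t driver_start;                /* +0x00c DriverStart   */
    uint32_t driver_size;                 /* +0x010 DriverSize    */
    uint32_t driver_init;                 /* +0x02c DriverInit    */
    uint32_t driver_unload;               /* +0x034 DriverUnload  */
    uint32_t major_function[NUM_MAJOR];   /* +0x038 MajorFunction */
} driver_object_view_t;

/* Assumed ntoskrnl image range (the slides never print it; nt!IofCallDriver at 804e8188 lies inside). */
#define NT_START 0x804d7000u
#define NT_SIZE  0x001f8000u
/* Assumed address standing in for nt!IopInvalidDeviceRequest, the default for unregistered entries. */
#define NT_IOP_INVALID_DEVICE_REQUEST 0x804e2000u

enum entry_class { ENTRY_IN_DRIVER, ENTRY_IN_KERNEL, ENTRY_SUSPICIOUS };

static int in_range(uint32_t p, uint32_t start, uint32_t size)
{
    return p >= start && p - start < size;
}

/* Inside the driver: fine. Inside nt: should be IopInvalidDeviceRequest, confirm with ln. Elsewhere: hooked. */
enum entry_class classify_pointer(const driver_object_view_t *d, uint32_t p)
{
    if (in_range(p, d->driver_start, d->driver_size)) return ENTRY_IN_DRIVER;
    if (in_range(p, NT_START, NT_SIZE))               return ENTRY_IN_KERNEL;
    return ENTRY_SUSPICIOUS;
}

/* Count code pointers that land in neither the driver image nor nt. *first_bad_index receives the
 * lowest suspicious MajorFunction index, or -1 when the table is clean. */
int audit_driver_object(const driver_object_view_t *d, int *first_bad_index)
{
    int bad = 0;
    *first_bad_index = -1;
    if (classify_pointer(d, d->driver_init) == ENTRY_SUSPICIOUS)   bad++;
    if (classify_pointer(d, d->driver_unload) == ENTRY_SUSPICIOUS) bad++;
    for (int i = 0; i < NUM_MAJOR; i++) {
        if (classify_pointer(d, d->major_function[i]) == ENTRY_SUSPICIOUS) {
            if (*first_bad_index < 0) *first_bad_index = i;
            bad++;
        }
    }
    return bad;
}

/* \Driver\AFD as the slide shows it. Only MajorFunction[0] (afd!AfdDispatch) was printed; the other
 * entries are assumed, with IRP_MJ_PNP left to the I/O manager's default handler. */
void make_afd_driver_object(driver_object_view_t *d)
{
    d->driver_start  = 0xf2aea000u;
    d->driver_size   = 0x1fe80u;
    d->driver_init   = 0xf2b06952u;       /* afd!DriverEntry */
    d->driver_unload = 0xf2af0ab7u;       /* afd!AfdUnload   */
    for (int i = 0; i < NUM_MAJOR; i++)
        d->major_function[i] = 0xf2af4e88u;   /* afd!AfdDispatch */
    d->major_function[IRP_MJ_PNP] = NT_IOP_INVALID_DEVICE_REQUEST;
}

int g_first_bad_index;

int run_audit(int hooked)
{
    driver_object_view_t d;
    make_afd_driver_object(&d);
    if (hooked)   /* constructed: DEVICE_CONTROL redirected into nonpaged pool, where no image lives */
        d.major_function[IRP_MJ_DEVICE_CONTROL] = 0x815d0000u;
    return audit_driver_object(&d, &g_first_bad_index);
}

int main(void)
{
    for (int hooked = 0; hooked < 2; hooked++) {
        int bad = run_audit(hooked);
        printf("%s table: %d suspicious pointer(s)", hooked ? "hooked" : "clean", bad);
        if (g_first_bad_index >= 0)
            printf(", first at MajorFunction[0x%02x]", g_first_bad_index);
        printf("\n");
    }
    return 0;
}
```

In a live session the same check is `dps 815fa040+0x38 L1c` followed by `lm` to compare each pointer against the module list; the program above is the rule written out so it can be run over many driver objects at once.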

  33. Extension Commands Example
  • edx held the IRP. "5 is current" with 4 stack locations means the current location has moved past the last one, consistent with "Irp is completed"; RequestorMode 1 means the request came from user mode, and the cmd value e in the last stack location is IRP_MJ_DEVICE_CONTROL (0x0e), matching the NtDeviceIoControlFile frame on slide 30

    kd> !irp edx 2
    Irp is active with 4 stacks 5 is current (= 0x816bc108)
     No Mdl System buffer = 8167cb18 Thread 812eeba8:  Irp is completed.
    Flags = 00000070
    ThreadListEntry.Flink = 812eedb8
    ThreadListEntry.Blink = 812eedb8
    IoStatus.Status = 00000000
    IoStatus.Information = 00000000
    RequestorMode = 00000001
    Cancel = 00
    CancelIrql = 0
    ApcEnvironment = 00
    UserIosb = 0012f958
    UserEvent = 810d9c48
    …
         cmd  flg cl Device   File     Completion-Context
     [  0, 0]   0  0 00000000 00000000 00000000-00000000
                Args: 00000000 00000000 00000000 00000000
     [  e, 0]   0  0 00000000 810d9c90 00000000-00000000
                Args: 0000001c 0000001c 00012024 00000000

  34. Extension Commands Example
  • The IRP lives in nonpaged pool. !pool finds the page and walks its allocation headers; db shows the raw 8-byte POOL_HEADER in front of the IRP (BlockSize 0x33 in 8-byte units = 0x198 bytes, tag "Irp "), followed by the IRP itself: Type 6, Size 0x190, MdlAddress 0, Flags 0x70, SystemBuffer 8167cb18, ThreadListEntry 812eedb8, IoStatus 0/0, RequestorMode 1, StackCount 4, CurrentLocation 5, all matching the !irp output on the previous slide

    kd> !pool edx
    Pool page 816bc008 region is Nonpaged pool
    *816bc000 size:  198 previous size:    0  (Allocated) *Irp
              Pooltag Irp : Io, IRP packets
     816bc198 size:   10 previous size:  198  (Free)       ....
     816bc1a8 size:  118 previous size:   10  (Allocated)  Ntfi
     816bc2c0 size:  118 previous size:  118  (Allocated)  Ntfi
     …
     816bc838 size:  118 previous size:  118  (Allocated)  Ntfi
     816bc950 size:    8 previous size:  118  (Free)       Ntfi
     816bc958 size:   20 previous size:    8  (Allocated)  ReTa
     816bc978 size:   28 previous size:   20  (Allocated)  FSfm
     816bc9a0 size:   20 previous size:   28  (Free)       CcSc
     816bc9c0 size:  118 previous size:   20  (Allocated)  Ntfi
     816bcad8 size:  118 previous size:  118  (Allocated)  Ntfi
     816bcbf0 size:   a8 previous size:  118  (Allocated)  File (Protected)
    kd> db 816bc000
    816bc000  00 00 33 0a 49 72 70 20-06 00 90 01 00 00 00 00  ..3.Irp ........
    816bc010  70 00 00 00 18 cb 67 81-b8 ed 2e 81 b8 ed 2e 81  p.....g.........
    816bc020  00 00 00 00 00 00 00 00-01 00 04 05 00 00 00 0c  ................
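The listing above is only trustworthy while every header agrees with its neighbours: each block's "previous size" must equal the size of the block in front of it, which is the check !poolval performs and the first thing a nonpaged pool overflow breaks. As an added example that is not part of the slides, the C program below decodes the XP-era x86 POOL_HEADER bit fields and walks a page that way. The first header is the literal eight bytes from the db output; the next two headers are constructed to match the !pool listing (their PoolType values are assumed, since !pool prints only Allocated or Free). The second run writes four bytes past the end of the IRP allocation, the footprint of an overflow in the IRP's owner, and the walk reports the smashed header at 816bc198.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 POOL_HEADER of the Windows XP era: 8 bytes, all sizes in units of 8 bytes.
 *   word 0:  bits 0-8 PreviousSize, bits 9-15 PoolIndex
 *   word 1:  bits 0-8 BlockSize (header included), bits 9-15 PoolType (0 = free block)
 *   dword 1: PoolTag as four ASCII bytes; bit 31 set marks a "Protected" allocation */
typedef struct {
    uint32_t addr;
    uint32_t prev_size;      /* bytes */
    uint32_t block_size;     /* bytes, header included */
    unsigned pool_index;
    unsigned pool_type;
    int      protected_;
    char     tag[5];
} pool_block_t;

#define PAGE_ADDR 0x816bc000u
#define PAGE_LEN  (0x198 + 0x10 + 0x118)   /* the first three blocks of the slide's listing */
enum { MAX_BLOCKS = 32 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void decode_pool_header(const uint8_t *p, uint32_t addr, pool_block_t *b)
{
    uint16_t w0 = le16(p), w1 = le16(p + 2);
    uint32_t tag = le32(p + 4);
    b->addr       = addr;
    b->prev_size  = (w0 & 0x1ff) * 8u;
    b->pool_index = w0 >> 9;
    b->block_size = (w1 & 0x1ff) * 8u;
    b->pool_type  = w1 >> 9;
    b->protected_ = (int)(tag >> 31);
    tag &= 0x7fffffffu;
    for (int i = 0; i < 4; i++) {
        unsigned c = (tag >> (8 * i)) & 0xff;
        b->tag[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';   /* !pool shows "...." for non-text tags */
    }
    b->tag[4] = '\0';
}

/* Walk a page the way !poolval does: hop by BlockSize and require each header's PreviousSize to equal
 * the size of the block before it. Returns the number of headers decoded; *bad_at receives the address
 * of the first header that fails the check, or 0 when the whole page is consistent. */
int walk_pool_page(const uint8_t *page, size_t len, uint32_t page_addr,
                   pool_block_t *out, int max_blocks, uint32_t *bad_at)
{
    size_t off = 0;
    uint32_t expect_prev = 0;
    int n = 0;
    *bad_at = 0;
    while (off + 8 <= len && n < max_blocks) {
        pool_block_t *b = &out[n++];
        decode_pool_header(page + off, page_addr + (uint32_t)off, b);
        if (b->block_size == 0 || b->prev_size != expect_prev || off + b->block_size > len) {
            *bad_at = b->addr;
            break;
        }
        expect_prev = b->block_size;
        off += b->block_size;
    }
    return n;
}

/* Encode one header (inverse of decode_pool_header) for the constructed page. */
static void put_header(uint8_t *page, size_t off, uint32_t prev, uint32_t size,
                       unsigned type, const char tag[4])
{
    uint16_t w0 = (uint16_t)(prev / 8), w1 = (uint16_t)((size / 8) | (type << 9));
    page[off]     = (uint8_t)w0;  page[off + 1] = (uint8_t)(w0 >> 8);
    page[off + 2] = (uint8_t)w1;  page[off + 3] = (uint8_t)(w1 >> 8);
    memcpy(page + off + 4, tag, 4);
}

/* Literal bytes of the Irp block's header from the slide's db output. */
static const uint8_t irp_header_from_slide[8] = { 0x00, 0x00, 0x33, 0x0a, 0x49, 0x72, 0x70, 0x20 };

pool_block_t g_blocks[MAX_BLOCKS];
uint32_t g_bad_at;

int run_pool_walk(int overflow)
{
    uint8_t page[PAGE_LEN];
    memset(page, 0, sizeof page);
    memcpy(page, irp_header_from_slide, 8);
    put_header(page, 0x198, 0x198, 0x10, 0, "\0\0\0\0");   /* 816bc198: size 10, previous 198, Free */
    put_header(page, 0x1a8, 0x10, 0x118, 5, "Ntfi");       /* 816bc1a8: size 118, previous 10; type 5 assumed */
    if (overflow)
        memset(page + 8, 'A', 0x190 + 4);                  /* IRP body overruns its 0x190 bytes by 4 */
    return walk_pool_page(page, sizeof page, PAGE_ADDR, g_blocks, MAX_BLOCKS, &g_bad_at);
}

int main(void)
{
    for (int overflow = 0; overflow < 2; overflow++) {
        int n = run_pool_walk(overflow);
        printf("%s page:\n", overflow ? "overflowed" : "clean");
        for (int i = 0; i < n; i++)
            printf(" %08x size: %4x previous size: %4x (%s) %s%s\n", g_blocks[i].addr,
                   g_blocks[i].block_size, g_blocks[i].prev_size,
                   g_blocks[i].pool_type ? "Allocated" : "Free", g_blocks[i].tag,
                   g_blocks[i].protected_ ? " (Protected)" : "");
        if (g_bad_at)
            printf(" header at %08x disagrees with its predecessor: pool corruption\n", g_bad_at);
    }
    return 0;
}
```

On a crash dump the same walk is `!poolval 816bc000`; the program shows what that command is actually checking, and why a BAD_POOL_HEADER bug check usually points at the allocation in front of the reported header rather than at the header itself.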

  35. Q&A
