首页
社区
课程
招聘
hook ZwOpenProcess函数,蓝屏
发表于: 2010-1-18 13:09 6568

hook ZwOpenProcess函数,蓝屏

2010-1-18 13:09
6568
hook  ZwOpenProcess函数,记录调用此函数的进程,和被打开的进程,或线程。总是蓝屏
特别是调用此函数的进程是VMwareService.e进程时。请大家帮忙看看原因。
NTSTATUS NewZwOpenProcess( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId )
{
	NTSTATUS  status;
	CHAR    name[MAXPROCNAMELEN];
	PFILE_OBJECT  pFile;
	PCHAR ProcessName;
	PCHAR  processname_temp;
	ANSI_STRING  processname_ansi;
	PEPROCESS Process;
	PETHREAD  Thread;

	status = ((ZWOPENPROCESS)OldZwOpenProcess)(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);

	ProcessName = [COLOR="Red"]ExAllocateFromPagedLookasideList[/COLOR](&FullPathLookaside);        
	//processname_temp = ExAllocatePool(PagedPool,MAXPROCNAMELEN);

	if (ARGUMENT_PRESENT(ClientId)&&ARGUMENT_PRESENT(ObjectAttributes->ObjectName))
     return  STATUS_INVALID_PARAMETER_MIX;

	if (!ARGUMENT_PRESENT(ClientId))
	{
		RtlUnicodeStringToAnsiString(&processname_ansi,ObjectAttributes->ObjectName,1);
		strncpy(ProcessName,processname_ansi.Buffer,strlen(processname_ansi.Length));
		RtlFreeAnsiString(&processname_ansi);
	}
	else
	{	
		status = PsLookupProcessByProcessId(ClientId->UniqueProcess,&Process);
		
		processname_temp = (PCHAR)((char *)Process + ProcessNameOffset);	
		strncpy(ProcessName,processname_temp,MAXPROCNAMELEN-1);
		if (ClientId->UniqueThread)
		sprintf( ProcessName + strlen(ProcessName), ":%d",ClientId->UniqueThread);
		ObDereferenceObject(Process);
		//ExFreePool(processname_temp);		
	}
	
	
	LogRecord("%s\tZwOpenProcess\t%s\t%s",GetProcess(name),ProcessName,ErrorString(status));

	if (ProcessName) [COLOR="red"]ExFreeToPagedLookasideList[/COLOR](&FullPathLookaside,ProcessName);	
	
	return status;

}

windbg分析dump文件结果
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 00000000, Memory contents of the pool block
Arg4: 812106cc, Address of the block of pool being deallocated

Debugging Details:
------------------

BUGCHECK_STR:  0xc2_7

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  VMwareService.e

LAST_CONTROL_TRANSFER:  from 804f8bad to 80528bec

STACK_TEXT:  
f0c24820 804f8bad 00000003 f0c24b7c 00000000 nt!RtlpBreakWithStatusInstruction
f0c2486c 804f979a 00000003 f0c24d64 812106c4 nt!KiBugCheckDebugBreak+0x19
f0c24c4c 804f9cc5 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f0c24c6c 80545b06 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f0c24cbc 80545ef7 812106cc 00000000 f0c24cd8 nt!ExFreePoolWithTag+0x2a0
f0c24ccc f050fe11 812106cc f0c24d4c f050fd3c nt!ExFreePool+0xf
f0c24cd8 f050fd3c f0510fc0 812106cc 815db258 detect!ExFreeToPagedLookasideList+0x41 [e:\winddk\7600.16385.0\inc\ddk\wdm.h @ 17328]
f0c24d4c 8053e648 00b8fc5c 00000400 00b8fc2c detect!NewZwOpenProcess+0x17c [f:\detect\detect.c @ 549]
f0c24d4c 7c92e514 00b8fc5c 00000400 00b8fc2c nt!KiFastCallEntry+0xf8
00b8fc0c 7c92d60a 7c830a32 00b8fc5c 00000400 ntdll!KiFastSystemCallRet
00b8fc10 7c830a32 00b8fc5c 00000400 00b8fc2c ntdll!NtOpenProcess+0xc
00b8fc4c 0040a411 00000400 00000000 00078000 kernel32!OpenProcess+0x49
WARNING: Stack unwind information not available. Following frames may be wrong.
00b8fc90 0040a6a8 00000001 00b900c0 00b91d08 VMwareService+0xa411
00b8fccc 0040a974 00000001 00b91d08 00479c1c VMwareService+0xa6a8
00b8fcf8 0040aa05 00b8ff54 00409c9b 00b8fed4 VMwareService+0xa974
00b8fd00 00409c9b 00b8fed4 646e7963 64652d79 VMwareService+0xaa05
00b8ff54 00406eb8 00000000 003b6968 00401400 VMwareService+0x9c9b
00b8ff6c 004022d8 003b6ef8 00b8ff88 00000000 VMwareService+0x6eb8
00b8ff98 0040e4de 00158b78 77dc354b 00000001 VMwareService+0x22d8
00b8ffb4 7c80b729 00158b78 00000000 0012e814 VMwareService+0xe4de
00b8ffec 00000000 77dc3539 00158b78 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND:  kb

FOLLOWUP_IP:
detect!ExFreeToPagedLookasideList+41 [e:\winddk\7600.16385.0\inc\ddk\wdm.h @ 17328]
f050fe11 eb0c            jmp     detect!ExFreeToPagedLookasideList+0x4f (f050fe1f)

FAULTING_SOURCE_CODE:  
17324:     if (ExQueryDepthSList(&Lookaside->L.ListHead) >= Lookaside->L.Depth) {
17325:         Lookaside->L.FreeMisses += 1;
17326:         (Lookaside->L.Free)(Entry);
17327:
>17328:     } else {
17329:         InterlockedPushEntrySList(&Lookaside->L.ListHead,
17330:                                   (PSLIST_ENTRY)Entry);
17331:     }
17332:
17333:     return;

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  detect!ExFreeToPagedLookasideList+41

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: detect

IMAGE_NAME:  detect.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4b53e174

FAILURE_BUCKET_ID:  0xc2_7_detect!ExFreeToPagedLookasideList+41

BUCKET_ID:  0xc2_7_detect!ExFreeToPagedLookasideList+41

Followup: MachineOwner

----------------------------------------------------------------------
是后面ExFreeToPagedLookasideList引发的蓝屏,我觉得,但是不知道有什么地方不对,除了这里,在driverentry 中初始化了,在unload中删除,别的还需要什么操作,对于pagedlookasidelist。

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 42
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
看不懂,帮你顶上去
2010-1-19 01:20
0
雪    币: 212
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
好长时间了,来看还是没有人愿意帮我看一眼啊,错误的地方挺明显的,两处:
1. strncpy(ProcessName,processname_ansi.Buffer,strlen(processname_ansi.Length));
应该是 strlen(processname_ansi.buffer),写错了
2. strncpy(ProcessName,processname_temp,MAXPROCNAMELEN-1);
    if (ClientId->UniqueThread)
    sprintf( ProcessName + strlen(ProcessName), ":%d",ClientId->UniqueThread);
这里不能用strlen(ProcessName),因为字符串函数是以'\0'作为结束符确定长度,但是上一步中这个字符串是通过strncpy复制过来的,没有结束符。

VMwareService.e会引起蓝屏,别的没有蓝,可能是因为processname超过了16个字符的长度,strlen的调用引发的蓝屏。

这种蓝屏都不是链表操作有误引发的,多数是缓冲区应用中被破坏了,所以释放的时候蓝屏,如strcpy,strncpy等函数要很小心使用,注意附加结束符
2010-4-21 15:53
0
游客
登录 | 注册 方可回帖
返回
//