A couple of days ago I used WinDbg to analyze an application whose installation hung and could not complete. I'd like to share it with everyone, and hopefully trade it for an invitation code.
The troubleshooting was rather roundabout, and of course I spent a lot of time researching it. In the end, the log file generated by the installer showed that the installation stopped just before a certain operation: the installer calls one of its own programs to clean up the system, a step in which the MSI installer tool initializes first and then invokes that program. Analysis showed that when the installation stopped, that program was not in the process list, but there was an extra
msie1a7.tmp. Every time the problem reproduced, a similar temporary process appeared, so I set about analyzing that process:
lkd> !process 0 2 msie1a7.tmp
PROCESS 87810d40 SessionId: 1 Cid: 13d4 Peb: 7ffdf000 ParentCid: 1624
    DirBase: cea9d7e0 ObjectTable: 890bb130 HandleCount: 126.
    Image: MSIE1A7.tmp

    THREAD 8710b030 Cid 13d4.0568 Teb: 7ffde000 Win32Thread: ffa51538 WAIT: (UserRequest) UserMode Non-Alertable
        86dd8cf8 Thread
        8682d5a0 Semaphore Limit 0x1

    THREAD 8780a620 Cid 13d4.13dc Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
        875950b0 NotificationEvent
        86e09490 NotificationEvent

    THREAD 873244e8 Cid 13d4.137c Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
        871ebc80 SynchronizationTimer
        870e8030 SynchronizationTimer
        86f27f68 SynchronizationTimer

    THREAD 86dd8cf8 Cid 13d4.1358 Teb: 7ffd8000 Win32Thread: fe6e1bc0 WAIT: (WrLpcReply) UserMode Non-Alertable
        86dd8f2c Semaphore Limit 0x1

    THREAD 86a906f0 Cid 13d4.1350 Teb: 7ffd7000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
        86eb7170 Semaphore Limit 0x7fffffff

    THREAD 86d92d48 Cid 13d4.13e8 Teb: 7ffda000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
        8634ccf8 QueueObject
After some study I found that thread 86dd8cf8 was probably the most helpful to us (in fact I analyzed the other threads as well, but got nothing useful from them):
lkd> !thread 86dd8cf8
THREAD 86dd8cf8 Cid 13d4.1358 Teb: 7ffd8000 Win32Thread: fe6e1bc0 WAIT: (WrLpcReply) UserMode Non-Alertable
    86dd8f2c Semaphore Limit 0x1
Waiting for reply to ALPC Message 8897ae78 : queued at port 855a1e48 : owned by process 85581d40
Not impersonating
DeviceMap                 95f9f640
Owning Process            87810d40       Image:         MSIE1A7.tmp
Attached Process          N/A            Image:         N/A
Wait Start TickCount      222754         Ticks: 5148713 (0:22:18:40.437)
Context Switch Count      59
UserTime                  00:00:00.015
KernelTime                00:00:00.062
Win32 Start Address 0x6502c3e0
Stack Init a15cbfd0 Current a15cbad0 Base a15cc000 Limit a15c9000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Let's see who is holding 8897ae78:
lkd> !alpc /m 8897ae78
Message @ 8897ae78
  MessageID             : 0x00AC (172)
  CallbackID            : 0x319A4 (203172)
  SequenceNumber        : 0x00000004 (4)
  Type                  : LPC_REQUEST
  DataLength            : 0x00C8 (200)
  TotalLength           : 0x00E0 (224)
  Canceled              : No
  Release               : No
  ReplyWaitReply        : No
  Continuation          : Yes
  OwnerPort             : 8785f038 [ALPC_CLIENT_COMMUNICATION_PORT]
  WaitingThread         : 86dd8cf8
  QueueType             : ALPC_MSGQUEUE_PENDING
  QueuePort             : 855a1e48 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : 85581d40 (IssueApplication)
  ServerThread          : 86fa0d48
  QuotaCharged          : No
  CancelQueuePort       : 00000000
  CancelSequencePort    : 00000000
  CancelSequenceNumber  : 0x00000000 (0)
  ClientContext         : 002d1a68
  ServerContext         : 00000000
  PortContext           : 0023b938
  CancelPortContext     : 00000000
  SecurityData          : 00000000
  View                  : 00000000
Finally, let's see which process 86fa0d48 belongs to:
lkd> !thread 86fa0d48
THREAD 86fa0d48 Cid 10b8.0da0 Teb: 7ffd4000 Win32Thread: fe959008 WAIT: (UserRequest) UserMode Non-Alertable
    872a3cc8 NotificationEvent
Not impersonating
DeviceMap                 8c4050a8
Owning Process            85581d40       Image:         IssueApplication.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      5372828        Ticks: 9932 (0:00:02:34.940)
Context Switch Count      1114
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x7713d63e)
Stack Init a077bfd0 Current a077bbc8 Base a077c000 Limit a0779000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
In the end we found that IssueApplication.exe was holding a kernel-level handle that the installer process needed, and IssueApplication.exe itself was also hung, so it could not release the handle.
Finally we attached WinDbg to IssueApplication.exe and analyzed it with the !analyze -hang -v command. It turned out that one thread in IssueApplication.exe created an event with CreateEvent(...), another thread called WaitForSingleObject(...) to wait on that event, but for some reason the SetEvent(...) was never executed, which ultimately prevented the installer from running normally.
For various reasons I won't show the analysis of IssueApplication.exe here; it is very simple: after !analyze -hang you know which handle it is, then analyze the code and reach the final conclusion.
Thanks, I wonder whether this can be traded for an invitation code, haha.
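As an added example (not from the original post), a small Python helper that follows the same chain mechanically: it parses the !process 0 2, !thread and !alpc /m output quoted above to find the thread blocked in WrLpcReply, the pending ALPC message, how long the wait has lasted, and the server thread and process that owe the reply. The sample strings are trimmed excerpts of the dumps above, not complete WinDbg output.

```python
import re
# Trimmed excerpts of the WinDbg output quoted in the post above (not complete dumps).
PROCESS_DUMP = """\
THREAD 8710b030 Cid 13d4.0568 Teb: 7ffde000 Win32Thread: ffa51538 WAIT: (UserRequest) UserMode Non-Alertable
    86dd8cf8 Thread
THREAD 86dd8cf8 Cid 13d4.1358 Teb: 7ffd8000 Win32Thread: fe6e1bc0 WAIT: (WrLpcReply) UserMode Non-Alertable
THREAD 86d92d48 Cid 13d4.13e8 Teb: 7ffda000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
"""
THREAD_DUMP = """\
Waiting for reply to ALPC Message 8897ae78 : queued at port 855a1e48 : owned by process 85581d40
Wait Start TickCount 222754 Ticks: 5148713 (0:22:18:40.437)
"""
ALPC_DUMP = """\
Message @ 8897ae78
 WaitingThread : 86dd8cf8
 QueuePortOwnerProcess : 85581d40 (IssueApplication)
 ServerThread : 86fa0d48
"""
HEX = r"([0-9a-fA-F]{8})"
THREAD_RE = re.compile(r"^THREAD\s+" + HEX + r"\s+Cid\s+(\S+).*?WAIT:\s*\((\w+)\)", re.M)

def lpc_blocked_threads(process_dump):
    """(thread, cid) for every thread in '!process 0 2' output stuck waiting for an (A)LPC reply."""
    return [(addr.lower(), cid) for addr, cid, reason in THREAD_RE.findall(process_dump)
            if reason == "WrLpcReply"]

def pending_message(thread_dump):
    """(message, port, owning process) from the 'Waiting for reply to' line of !thread."""
    m = re.search(r"ALPC Message\s*" + HEX + r"\s*:\s*queued at port\s+" + HEX
                  + r"\s*:\s*owned by process\s+" + HEX, thread_dump)
    return tuple(x.lower() for x in m.groups()) if m else None

def wait_seconds(thread_dump):
    """Seconds the thread has waited, from the 'Ticks: n (d:hh:mm:ss.mmm)' field."""
    d, h, mi, s, ms = map(int, re.search(r"\((\d+):(\d+):(\d+):(\d+)\.(\d+)\)", thread_dump).groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s + ms / 1000

def server_side(alpc_dump):
    """(server thread, owner process, owner image) from '!alpc /m' output."""
    t = re.search(r"ServerThread\s*:\s*" + HEX, alpc_dump)
    o = re.search(r"QueuePortOwnerProcess\s*:\s*" + HEX + r"\s*\(([^)]*)\)", alpc_dump)
    return (t.group(1).lower(), o.group(1).lower(), o.group(2)) if t and o else None

def hang_chain(process_dump, thread_dump, alpc_dump):
    """Tie the three outputs together: who is blocked, on which message, and who must reply."""
    msg, port, owner = pending_message(thread_dump)
    srv_thread, srv_proc, srv_image = server_side(alpc_dump)
    if owner != srv_proc: raise ValueError("message owner and queue-port owner disagree")
    return {"blocked_threads": [t for t, _ in lpc_blocked_threads(process_dump)],
            "message": msg, "port": port, "server_process": srv_proc, "server_image": srv_image,
            "server_thread": srv_thread, "waited_s": wait_seconds(thread_dump)}
```

hang_chain() returns the same facts the post reaches by hand: thread 86dd8cf8 has waited over 22 hours for message 8897ae78, and the reply must come from thread 86fa0d48 in IssueApplication (85581d40), which is where the next !thread should be pointed.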