[Help] [Stack overflow causes an access violation but no crash]; kernel inspection shows svchost has gone wrong. Looking for ideas
Posted on: 2012-11-16 19:25 8745

OS: Windows Server 2008 R2 x64
The program is 32-bit.

==============================================
Problem description:
One of our programs calls memcpy with a miscalculated size, smashes the stack, and eventually writes to an invalid page; that triggers an exception and the program crashes.

None of that is surprising; it was supposed to reproduce 100% of the time, until one day it behaved "abnormally".

On one VM, the program that should have crashed showed unlimited vitality, but some of its behaviour was abnormal...

0:080:x86> kv fff
  Memory  ChildEBP RetAddr  Args to Child             
          15b6f870 15268882 15b6f970 15f02d68 fffffffe msvcr90!memcpy+0x5a
WARNING: Stack unwind information not available. Following frames may be wrong.
       88 15b6f8f8 15268d79 04d07470 15b6f970 00000008 ExcepApp+0x78882
       34 15b6f92c 1526cb07 04d07470 15b6f970 00000008 ExcepApp+0x78d79
      270 15b6fb9c 00000000 1636f520 5c3bd1f5 8000003a ExcepApp+0x7cb07
 
0:080:x86> r
eax=15f02d66 ebx=04cc2560 ecx=3ffffe5b edx=00000002 esi=15f033f8 edi=15b70000
eip=74cbae7a esp=15b6f868 ebp=15b6f870 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
msvcr90!memcpy+0x5a:
74cbae7a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:080:x86> dd edi L4
15b70000  ???????? ???????? ???????? ????????
0:080:x86> dd edi-4 L4
15b6fffc  00000000 ???????? ???????? ????????


The above is the analysis data for the problem thread from user-mode debugging. It is certain that the thread has already raised an exception and should be in the exception dispatch phase.

Then I captured a kernel dump with LiveKD and got the following:
0: kd> !thread fffffa800694fb60
THREAD fffffa800694fb60  Cid 0a0c.14dc  Teb: 000000007ee81000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
FreezeCount 1
    fffffa800694fe38  Semaphore Limit 0x2
Waiting for reply to ALPC Message fffff8a00d7492c0 : queued at port fffffa8007e79090 : owned by process fffffa8007b82b30
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8005e05b30       Image:         AppName.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      16200644       Ticks: 80631 (0:00:20:59.859)
Context Switch Count      273333            
UserTime                  00:00:56.593
KernelTime                00:00:04.593
Win32 Start Address 0x0000000074ca345e
Stack Init fffff8800540ddb0 Current fffff8800540c200
Base fffff8800540e000 Limit fffff88005408000 Call 0
Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0540c240 fffff800`01688f92 : fffffa80`0694fb60 fffffa80`0694fb60 00000000`00000000 fffffa80`0000000a : nt!KiSwapContext+0x7a
fffff880`0540c380 fffff800`0168b7af : 00000000`00000000 00000002`00000000 fffffa80`00000000 fffff800`016864da : nt!KiCommitThreadWait+0x1d2
fffff880`0540c410 fffff800`01676734 : 00000000`00000000 00000000`00000005 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0540c4b0 fffff800`016773b1 : fffffa80`0694fb60 fffffa80`0694fbb0 00000000`001fffff fffffa80`00000000 : nt!KiSuspendThread+0x54
fffff880`0540c4f0 fffff800`0168919d : fffffa80`0694fb60 00000000`00000000 fffff800`016766e0 00000000`00000000 : nt!KiDeliverApc+0x201
fffff880`0540c570 fffff800`0168b7af : 00000000`00000000 fffffa80`0694fb60 fffffa80`00000000 fffff800`0168a03a : nt!KiCommitThreadWait+0x3dd
fffff880`0540c600 fffff800`016a5d4f : 00000000`00000000 00000000`00000011 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0540c6a0 fffff800`01993506 : fffffa80`06b938c8 fffffa80`0694ff20 fffff8a0`0c91f901 00000000`00000000 : nt!AlpcpSignalAndWait+0x8f
fffff880`0540c750 fffff800`01992c00 : 00000000`00000000 fffff880`0540ccf0 00000000`00000000 fffffa80`03da3000 : nt!AlpcpReceiveSynchronousReply+0x46
fffff880`0540c7b0 fffff800`019909fb : fffffa80`08d3bbb0 fffff800`00120000 fffff880`0540ccf0 fffff880`0540cc00 : nt!AlpcpProcessSynchronousRequest+0x33d
fffff880`0540c8f0 fffff800`01682f93 : fffffa80`0694fb60 fffff880`0540ca90 00000000`00000000 00000000`00000000 : nt!NtAlpcSendWaitReceivePort+0x1ab
fffff880`0540c9a0 fffff800`0167f530 : fffff800`01a717b6 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0540ca10)
fffff880`0540cba8 fffff800`01a717b6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiServiceLinkage
fffff880`0540cbb0 fffff800`019c5981 : 00000000`80010001 fffffa80`04cbc780 00000000`00000000 00000000`00000000 : nt!DbgkpSendErrorMessage+0x266
fffff880`0540ccd0 fffff800`016cf6bc : fffff880`0540da00 fffff880`0540d340 fffff880`0540dc20 00000000`00000002 : nt! ?? ::NNGAKEGL::`string'+0x35d28
fffff880`0540ce10 fffff800`016d19ac : fffff880`0540da00 fffff880`0540da00 fffff880`0540dc20 fffff880`0540d4e0 : nt! ?? ::FNODOBFM::`string'+0x49961
fffff880`0540d4b0 fffff800`016859fb : fffff880`0540da00 fffffa80`0694fb60 00000000`754f867b 00000000`00000000 : nt!KiRaiseException+0x1b4
fffff880`0540dae0 fffff800`01682f93 : 00000000`00000001 fffffa80`0694fb60 00000000`00369e01 00000000`7ee81000 : nt!NtRaiseException+0x7b
fffff880`0540dc20 00000000`754fc9f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0540dc20)
00000000`14c0e120 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x754fc9f1
 
0: kd> !alpc /m fffff8a00d7492c0
 
Message @ fffff8a00d7492c0
  MessageID             : 0x0584 (1412)
  CallbackID            : 0x240B6D1 (37795537)
  SequenceNumber        : 0x00000001 (1)
  Type                  : LPC_EXCEPTION
  DataLength            : 0x00E8 (232)
  TotalLength           : 0x0110 (272)
  Canceled              : No
  Release               : No
  ReplyWaitReply        : No
  Continuation          : Yes
  OwnerPort             : fffffa8008d3bbb0 [ALPC_CLIENT_COMMUNICATION_PORT]
  WaitingThread         : fffffa800694fb60
  QueueType             : ALPC_MSGQUEUE_PENDING
  QueuePort             : fffffa8007e79090 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : fffffa8007b82b30 (svchost.exe)
  ServerThread          : fffffa8006b937c0
  QuotaCharged          : No
  CancelQueuePort       : 0000000000000000
  CancelSequencePort    : 0000000000000000
  CancelSequenceNumber  : 0x00000000 (0)
  ClientContext         : 0000000000000000
  ServerContext         : 0000000000000000
  PortContext           : d8000000000f5c76
  CancelPortContext     : 0000000000000000
  SecurityData          : 0000000000000000
  View                  : 0000000000000000
 
0: kd> .thread fffffa8006b937c0
Implicit thread is now fffffa80`06b937c0
0: kd> !thread fffffa8006b937c0
THREAD fffffa8006b937c0  Cid 1e8c.220c  Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
    fffffa8006b93b80  Semaphore Limit 0x1
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8007b82b30       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      16312516    
Context Switch Count      1755            
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x000007feefe94c88
Stack Init fffff88007af2db0 Current fffff88007af2750
Base fffff88007af3000 Limit fffff88007aed000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`07af2790 fffff800`01688f92 : fffffa80`06b937c0 fffffa80`06b937c0 00000000`00000000 fffff8a0`00000001 : nt!KiSwapContext+0x7a
fffff880`07af28d0 fffff800`0168b7af : 00000000`00000000 fffff800`016cf8dc 00000000`000000c4 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`07af2960 fffff800`0198fc19 : 00000000`00000000 00000000`00000010 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`07af2a00 fffff800`0198f69c : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!AlpcpReceiveMessagePort+0x189
fffff880`07af2a60 fffff800`01990a36 : fffffa80`07e79090 00000000`00000000 00000000`00000000 fffffa80`07e79090 : nt!AlpcpReceiveMessage+0x2d9
fffff880`07af2b00 fffff800`01682f93 : fffffa80`06b937c0 fffff880`07af2ca0 00000000`00c1f048 fffff880`07af2ca0 : nt!NtAlpcSendWaitReceivePort+0x1e6
fffff880`07af2bb0 00000000`77bf1b6a : 00364bfb`002cf47b 00364bfc`002cf47c 00364c02`002cf482 00364c1a`002cf49a : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07af2c20)
00000000`00c1f028 00364bfb`002cf47b : 00364bfc`002cf47c 00364c02`002cf482 00364c1a`002cf49a 00364c28`002cf4a8 : ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`00c1f030 00364bfc`002cf47c : 00364c02`002cf482 00364c1a`002cf49a 00364c28`002cf4a8 00364c32`002cf4b2 : 0x364bfb`002cf47b
00000000`00c1f038 00364c02`002cf482 : 00364c1a`002cf49a 00364c28`002cf4a8 00364c32`002cf4b2 00364afc`002cf4c4 : 0x364bfc`002cf47c
00000000`00c1f040 00364c1a`002cf49a : 00364c28`002cf4a8 00364c32`002cf4b2 00364afc`002cf4c4 00364b06`002cf4ce : 0x364c02`002cf482
00000000`00c1f048 00364c28`002cf4a8 : 00364c32`002cf4b2 00364afc`002cf4c4 00364b06`002cf4ce 00364b1a`002cf4e2 : 0x364c1a`002cf49a
00000000`00c1f050 00364c32`002cf4b2 : 00364afc`002cf4c4 00364b06`002cf4ce 00364b1a`002cf4e2 00364b24`002cf4ec : 0x364c28`002cf4a8
00000000`00c1f058 00364afc`002cf4c4 : 00364b06`002cf4ce 00364b1a`002cf4e2 00364b24`002cf4ec 00364b44`002cf50c : 0x364c32`002cf4b2
00000000`00c1f060 00364b06`002cf4ce : 00364b1a`002cf4e2 00364b24`002cf4ec 00364b44`002cf50c 00364b4f`002cf517 : 0x364afc`002cf4c4
00000000`00c1f068 00364b1a`002cf4e2 : 00364b24`002cf4ec 00364b44`002cf50c 00364b4f`002cf517 00364b56`002cf51e : 0x364b06`002cf4ce
00000000`00c1f070 00364b24`002cf4ec : 00364b44`002cf50c 00364b4f`002cf517 00364b56`002cf51e 00364b5d`002cf525 : 0x364b1a`002cf4e2
00000000`00c1f078 00364b44`002cf50c : 00364b4f`002cf517 00364b56`002cf51e 00364b5d`002cf525 00364b67`002cf52f : 0x364b24`002cf4ec
00000000`00c1f080 00364b4f`002cf517 : 00364b56`002cf51e 00364b5d`002cf525 00364b67`002cf52f 00364b6c`002cf534 : 0x364b44`002cf50c
00000000`00c1f088 00364b56`002cf51e : 00364b5d`002cf525 00364b67`002cf52f 00364b6c`002cf534 00364b72`002cf53a : 0x364b4f`002cf517
00000000`00c1f090 00364b5d`002cf525 : 00364b67`002cf52f 00364b6c`002cf534 00364b72`002cf53a 0035797c`002cf548 : 0x364b56`002cf51e
00000000`00c1f098 00364b67`002cf52f : 00364b6c`002cf534 00364b72`002cf53a 0035797c`002cf548 0039a8d0`002cf560 : 0x364b5d`002cf525
00000000`00c1f0a0 00364b6c`002cf534 : 00364b72`002cf53a 0035797c`002cf548 0039a8d0`002cf560 0039a8d8`002cf568 : 0x364b67`002cf52f
00000000`00c1f0a8 00364b72`002cf53a : 0035797c`002cf548 0039a8d0`002cf560 0039a8d8`002cf568 0039a8de`002cf56e : 0x364b6c`002cf534
00000000`00c1f0b0 0035797c`002cf548 : 0039a8d0`002cf560 0039a8d8`002cf568 0039a8de`002cf56e 0039a8e6`002cf576 : 0x364b72`002cf53a
00000000`00c1f0b8 0039a8d0`002cf560 : 0039a8d8`002cf568 0039a8de`002cf56e 0039a8e6`002cf576 0039a8ec`002cf57c : 0x35797c`002cf548
00000000`00c1f0c0 0039a8d8`002cf568 : 0039a8de`002cf56e 0039a8e6`002cf576 0039a8ec`002cf57c 0039a8f4`002cf584 : 0x39a8d0`002cf560
00000000`00c1f0c8 0039a8de`002cf56e : 0039a8e6`002cf576 0039a8ec`002cf57c 0039a8f4`002cf584 0039a8fa`002cf58a : 0x39a8d8`002cf568
00000000`00c1f0d0 0039a8e6`002cf576 : 0039a8ec`002cf57c 0039a8f4`002cf584 0039a8fa`002cf58a 0039a902`002cf592 : 0x39a8de`002cf56e
00000000`00c1f0d8 0039a8ec`002cf57c : 0039a8f4`002cf584 0039a8fa`002cf58a 0039a902`002cf592 0039a908`002cf598 : 0x39a8e6`002cf576
00000000`00c1f0e0 0039a8f4`002cf584 : 0039a8fa`002cf58a 0039a902`002cf592 0039a908`002cf598 0039a911`002cf5a1 : 0x39a8ec`002cf57c
00000000`00c1f0e8 0039a8fa`002cf58a : 0039a902`002cf592 0039a908`002cf598 0039a911`002cf5a1 0039a919`002cf5a9 : 0x39a8f4`002cf584
00000000`00c1f0f0 0039a902`002cf592 : 0039a908`002cf598 0039a911`002cf5a1 0039a919`002cf5a9 0039a920`002cf5af : 0x39a8fa`002cf58a
00000000`00c1f0f8 0039a908`002cf598 : 0039a911`002cf5a1 0039a919`002cf5a9 0039a920`002cf5af 0039a925`002cf5b4 : 0x39a902`002cf592
00000000`00c1f100 0039a911`002cf5a1 : 0039a919`002cf5a9 0039a920`002cf5af 0039a925`002cf5b4 0039a92f`002cf5be : 0x39a908`002cf598
00000000`00c1f108 0039a919`002cf5a9 : 0039a920`002cf5af 0039a925`002cf5b4 0039a92f`002cf5be 0039a93c`002cf5cb : 0x39a911`002cf5a1
00000000`00c1f110 0039a920`002cf5af : 0039a925`002cf5b4 0039a92f`002cf5be 0039a93c`002cf5cb 0039a955`002cf5e4 : 0x39a919`002cf5a9
00000000`00c1f118 0039a925`002cf5b4 : 0039a92f`002cf5be 0039a93c`002cf5cb 0039a955`002cf5e4 0039a95e`002cf5ed : 0x39a920`002cf5af
00000000`00c1f120 0039a92f`002cf5be : 0039a93c`002cf5cb 0039a955`002cf5e4 0039a95e`002cf5ed 0039a969`002cf5f8 : 0x39a925`002cf5b4
00000000`00c1f128 0039a93c`002cf5cb : 0039a955`002cf5e4 0039a95e`002cf5ed 0039a969`002cf5f8 0039a96d`002cf5fc : 0x39a92f`002cf5be
 
I can roughly follow it up to here; after that I don't know how to read it. This svchost has 5 threads in total, and there is another one similar to the above. I don't know what it is doing, and it feels like the stack is almost used up.
0: kd> !process fffffa8007b82b30
PROCESS fffffa8007b82b30
    SessionId: 0  Cid: 1e8c    Peb: 7fffffda000  ParentCid: 01ec
    DirBase: 76373000  ObjectTable: fffff8a005c89110  HandleCount:  85.
    Image: svchost.exe
    VadRoot fffffa800532bef0 Vads 59 Clone 0 Private 316. Modified 0. Locked 0.
    DeviceMap fffff8a000006110
    Token                             fffff8a00c08ea40
    ElapsedTime                       1 Day 03:52:52.918
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (1008, 50, 345) (4032KB, 200KB, 1380KB)
    PeakWorkingSetSize                1033
    VirtualSize                       42 Mb
    PeakVirtualSize                   43 Mb
    PageFaultCount                    1064
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      396
 
        THREAD fffffa800854d060  Cid 1e8c.119c  Teb: 000007fffffde000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            fffffa8008022d50  SynchronizationEvent
        Not impersonating
        DeviceMap                 fffff8a000006110
        Owning Process            fffffa8007b82b30       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      10895488       Ticks: 5385787 (0:23:22:32.921)
        Context Switch Count      16            
        UserTime                  00:00:00.000
        KernelTime                00:00:00.015
        Win32 Start Address 0x00000000ff74246c
        Stack Init fffff8800782cdb0 Current fffff8800782c900
        Base fffff8800782d000 Limit fffff88007827000 Call 0
        Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
        Kernel stack not resident.
        Child-SP          RetAddr           Call Site
        fffff880`0782c940 fffff800`01688f92 nt!KiSwapContext+0x7a
        fffff880`0782ca80 fffff800`0168b7af nt!KiCommitThreadWait+0x1d2
        fffff880`0782cb10 fffff800`01979b2e nt!KeWaitForSingleObject+0x19f
        fffff880`0782cbb0 fffff800`01682f93 nt!NtWaitForSingleObject+0xde
        fffff880`0782cc20 00000000`77bf135a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0782cc20)
        00000000`000ff918 00000000`00000000 ntdll!NtWaitForSingleObject+0xa
 
        THREAD fffffa8007c83060  Cid 1e8c.23e8  Teb: 000007fffffd8000 Win32Thread: fffff900c224c010 WAIT: (UserRequest) UserMode Non-Alertable
            fffffa8006d94b30  ProcessObject
        Not impersonating
        DeviceMap                 fffff8a000006110
        Owning Process            fffffa8007b82b30       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      9857430        Ticks: 6423845 (1:03:52:52.578)
        Context Switch Count      275                 LargeStack
        UserTime                  00:00:00.000
        KernelTime                00:00:00.046
        Win32 Start Address ntdll!TppWorkerThread (0x0000000077bbfbc0)
        Stack Init fffff88007c84db0 Current fffff88007c84900
        Base fffff88007c85000 Limit fffff88007c7c000 Call 0
        Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
        Kernel stack not resident.
        Child-SP          RetAddr           Call Site
        fffff880`07c84940 fffff800`01688f92 nt!KiSwapContext+0x7a
        fffff880`07c84a80 fffff800`0168b7af nt!KiCommitThreadWait+0x1d2
        fffff880`07c84b10 fffff800`01979b2e nt!KeWaitForSingleObject+0x19f
        fffff880`07c84bb0 fffff800`01682f93 nt!NtWaitForSingleObject+0xde
        fffff880`07c84c20 00000000`77bf135a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07c84c20)
        00000000`005aec18 0013ec00`0013eea1 ntdll!NtWaitForSingleObject+0xa
        00000000`005aec20 00000000`0013e6e0 0x13ec00`0013eea1
        00000000`005aec28 00000000`00000000 0x13e6e0
 
        THREAD fffffa80050b29d0  Cid 1e8c.1f04  Teb: 000007fffffd4000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
            fffffa8006b11060  SynchronizationTimer
            fffffa8006246550  NotificationEvent
            fffffa8007739890  SynchronizationTimer
            fffffa8006c2b230  SynchronizationTimer
        Not impersonating
        DeviceMap                 fffff8a000006110
        Owning Process            fffffa8007b82b30       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      9863169        Ticks: 6418106 (1:03:51:22.906)
        Context Switch Count      4            
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address ntdll!TppWaiterpThread (0x0000000077bbaec0)
        Stack Init fffff88007a94db0 Current fffff88007a93fc0
        Base fffff88007a95000 Limit fffff88007a8f000 Call 0
        Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
        Kernel stack not resident.
        Child-SP          RetAddr           Call Site
        fffff880`07a94000 fffff800`01688f92 nt!KiSwapContext+0x7a
        fffff880`07a94140 fffff800`016884aa nt!KiCommitThreadWait+0x1d2
        fffff880`07a941d0 fffff800`01979e5f nt!KeWaitForMultipleObjects+0x272
        fffff880`07a94490 fffff800`0197a1ce nt!ObpWaitForMultipleObjects+0x294
        fffff880`07a94960 fffff800`01682f93 nt!NtWaitForMultipleObjects+0xe5
        fffff880`07a94bb0 00000000`77bf18ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07a94c20)
        00000000`00b2f988 000d6e3c`00037503 ntdll!NtWaitForMultipleObjects+0xa
        00000000`00b2f990 000d6e44`0003750b 0xd6e3c`00037503
        00000000`00b2f998 000d6e65`0003752c 0xd6e44`0003750b
        00000000`00b2f9a0 000d6e7d`00037544 0xd6e65`0003752c
        00000000`00b2f9a8 000d6e88`0003754f 0xd6e7d`00037544
        00000000`00b2f9b0 000d6e98`0003755b 0xd6e88`0003754f
        00000000`00b2f9b8 000d6ea6`00037565 0xd6e98`0003755b
        00000000`00b2f9c0 000d6ec7`00037586 0xd6ea6`00037565
        00000000`00b2f9c8 000d6ed0`0003758f 0xd6ec7`00037586
        00000000`00b2f9d0 000d6ed7`00037596 0xd6ed0`0003758f
        00000000`00b2f9d8 000d6ee9`000375a8 0xd6ed7`00037596
        00000000`00b2f9e0 000d6f01`000375c0 0xd6ee9`000375a8
        00000000`00b2f9e8 000d6f16`000375d5 0xd6f01`000375c0
        00000000`00b2f9f0 000d6f37`000375f6 0xd6f16`000375d5
        00000000`00b2f9f8 000d6f46`00037605 0xd6f37`000375f6
        00000000`00b2fa00 000d6f5c`0003761b 0xd6f46`00037605
        00000000`00b2fa08 000d6f64`00037623 0xd6f5c`0003761b
        00000000`00b2fa10 000d6f73`00037632 0xd6f64`00037623
        00000000`00b2fa18 000d6f87`00037646 0xd6f73`00037632
        00000000`00b2fa20 000d6f8a`00037649 0xd6f87`00037646
        00000000`00b2fa28 000d6f96`00037655 0xd6f8a`00037649
        00000000`00b2fa30 000d6f9f`0003765e 0xd6f96`00037655
        00000000`00b2fa38 000d6fa7`00037666 0xd6f9f`0003765e
        00000000`00b2fa40 000d6fa9`00037668 0xd6fa7`00037666
        00000000`00b2fa48 000d6fab`0003766a 0xd6fa9`00037668
        00000000`00b2fa50 000d6fb2`00037671 0xd6fab`0003766a
        00000000`00b2fa58 000d6fba`00037679 0xd6fb2`00037671
        00000000`00b2fa60 000d6fc1`00037680 0xd6fba`00037679
        00000000`00b2fa68 000d6fcc`0003768b 0xd6fc1`00037680
        00000000`00b2fa70 000d6fd4`00037693 0xd6fcc`0003768b
        00000000`00b2fa78 000d6ff5`000376b4 0xd6fd4`00037693
        00000000`00b2fa80 000d7000`000376bf 0xd6ff5`000376b4
        00000000`00b2fa88 000d700d`000376cc 0xd7000`000376bf
        00000000`00b2fa90 000d7011`000376d0 0xd700d`000376cc
 
        THREAD fffffa8006b937c0  Cid 1e8c.220c  Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            fffffa8006b93b80  Semaphore Limit 0x1
        Not impersonating
        DeviceMap                 fffff8a000006110
        Owning Process            fffffa8007b82b30       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      16312516    
        Context Switch Count      1755            
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x000007feefe94c88
        Stack Init fffff88007af2db0 Current fffff88007af2750
        Base fffff88007af3000 Limit fffff88007aed000 Call 0
        Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffff880`07af2790 fffff800`01688f92 nt!KiSwapContext+0x7a
        fffff880`07af28d0 fffff800`0168b7af nt!KiCommitThreadWait+0x1d2
        fffff880`07af2960 fffff800`0198fc19 nt!KeWaitForSingleObject+0x19f
        fffff880`07af2a00 fffff800`0198f69c nt!AlpcpReceiveMessagePort+0x189
        fffff880`07af2a60 fffff800`01990a36 nt!AlpcpReceiveMessage+0x2d9
        fffff880`07af2b00 fffff800`01682f93 nt!NtAlpcSendWaitReceivePort+0x1e6
        fffff880`07af2bb0 00000000`77bf1b6a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07af2c20)
        00000000`00c1f028 00364bfb`002cf47b ntdll!ZwAlpcSendWaitReceivePort+0xa
        00000000`00c1f030 00364bfc`002cf47c 0x364bfb`002cf47b
        00000000`00c1f038 00364c02`002cf482 0x364bfc`002cf47c
        00000000`00c1f040 00364c1a`002cf49a 0x364c02`002cf482
        00000000`00c1f048 00364c28`002cf4a8 0x364c1a`002cf49a
        00000000`00c1f050 00364c32`002cf4b2 0x364c28`002cf4a8
        00000000`00c1f058 00364afc`002cf4c4 0x364c32`002cf4b2
        00000000`00c1f060 00364b06`002cf4ce 0x364afc`002cf4c4
        00000000`00c1f068 00364b1a`002cf4e2 0x364b06`002cf4ce
        00000000`00c1f070 00364b24`002cf4ec 0x364b1a`002cf4e2
        00000000`00c1f078 00364b44`002cf50c 0x364b24`002cf4ec
        00000000`00c1f080 00364b4f`002cf517 0x364b44`002cf50c
        00000000`00c1f088 00364b56`002cf51e 0x364b4f`002cf517
        00000000`00c1f090 00364b5d`002cf525 0x364b56`002cf51e
        00000000`00c1f098 00364b67`002cf52f 0x364b5d`002cf525
        00000000`00c1f0a0 00364b6c`002cf534 0x364b67`002cf52f
        00000000`00c1f0a8 00364b72`002cf53a 0x364b6c`002cf534
        00000000`00c1f0b0 0035797c`002cf548 0x364b72`002cf53a
        00000000`00c1f0b8 0039a8d0`002cf560 0x35797c`002cf548
        00000000`00c1f0c0 0039a8d8`002cf568 0x39a8d0`002cf560
        00000000`00c1f0c8 0039a8de`002cf56e 0x39a8d8`002cf568
        00000000`00c1f0d0 0039a8e6`002cf576 0x39a8de`002cf56e
        00000000`00c1f0d8 0039a8ec`002cf57c 0x39a8e6`002cf576
        00000000`00c1f0e0 0039a8f4`002cf584 0x39a8ec`002cf57c
        00000000`00c1f0e8 0039a8fa`002cf58a 0x39a8f4`002cf584
        00000000`00c1f0f0 0039a902`002cf592 0x39a8fa`002cf58a
        00000000`00c1f0f8 0039a908`002cf598 0x39a902`002cf592
        00000000`00c1f100 0039a911`002cf5a1 0x39a908`002cf598
        00000000`00c1f108 0039a919`002cf5a9 0x39a911`002cf5a1
        00000000`00c1f110 0039a920`002cf5af 0x39a919`002cf5a9
        00000000`00c1f118 0039a925`002cf5b4 0x39a920`002cf5af
        00000000`00c1f120 0039a92f`002cf5be 0x39a925`002cf5b4
        00000000`00c1f128 0039a93c`002cf5cb 0x39a92f`002cf5be
 
        THREAD fffffa8007bbf060  Cid 1e8c.11a0  Teb: 000007fffffd6000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            fffffa8008db8240  QueueObject
        Not impersonating
        DeviceMap                 fffff8a000006110
        Owning Process            fffffa8007b82b30       Image:         svchost.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      16311264    
        Context Switch Count      1269            
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address ntdll!TppWorkerThread (0x0000000077bbfbc0)
        Stack Init fffff88008cb7db0 Current fffff88008cb77c0
        Base fffff88008cb8000 Limit fffff88008cb2000 Call 0
        Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffff880`08cb7800 fffff800`01688f92 nt!KiSwapContext+0x7a
        fffff880`08cb7940 fffff800`0168bff3 nt!KiCommitThreadWait+0x1d2
        fffff880`08cb79d0 fffff800`0196bd07 nt!KeRemoveQueueEx+0x323
        fffff880`08cb7a90 fffff800`0166fbb6 nt!IoRemoveIoCompletion+0x47
        fffff880`08cb7b20 fffff800`01682f93 nt!NtWaitForWorkViaWorkerFactory+0x285
        fffff880`08cb7c20 00000000`77bf2c1a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08cb7c20)
        00000000`0147f5f8 00000000`00000000 ntdll!ZwWaitForWorkViaWorkerFactory+0xa
 
 
0: kd> .thread fffffa8007bbf060
Implicit thread is now fffffa80`07bbf060
0: kd> kv ffff
  Memory  Child-SP          RetAddr           : Args to Child                                                           : Call Site
          fffff880`08cb7800 fffff800`01688f92 : fffffa80`07bbf060 fffffa80`07bbf060 fffffa80`00000000 00000000`00000001 : nt!KiSwapContext+0x7a
      140 fffff880`08cb7940 fffff800`0168bff3 : fffffa80`066d47c8 fffffa80`066d47f1 00000000`000000e0 ffffffff`fffffffb : nt!KiCommitThreadWait+0x1d2
       90 fffff880`08cb79d0 fffff800`0196bd07 : 00000000`77ca4600 fffff800`01bf4b01 fffffa80`06b76101 00000000`00001000 : nt!KeRemoveQueueEx+0x323
       c0 fffff880`08cb7a90 fffff800`0166fbb6 : 00000000`00000000 fffff880`08cb7ba8 fffff880`08cb7bc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47
       90 fffff880`08cb7b20 fffff800`01682f93 : fffffa80`07bbf060 00000000`77ca45c0 fffff880`00000102 fffffa80`08022d50 : nt!NtWaitForWorkViaWorkerFactory+0x285
      100 fffff880`08cb7c20 00000000`77bf2c1a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08cb7c20)
          00000000`0147f5f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForWorkViaWorkerFactory+0xa

If I want to analyse what has gone wrong with svchost, how should I continue?
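An added C example, not code from the poster's program, that reconstructs the arithmetic in the kv and r output above: the third memcpy argument is fffffffe, a 32-bit length that wrapped below zero, and with memcpy sitting in `rep movs dword` the pending count ecx=3ffffe5b places the fault exactly at edi=15b70000 when the rep count was size/4. The record layout and the `total_len - 2` computation are assumptions; the checked variant is the validation that would have refused the copy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout (not the poster's real code): a 2-byte header
 * followed by a payload, with the payload length derived from total_len. */
#define HDR_LEN 2u

typedef struct {
    uint32_t total_len;          /* bytes including the header, from the wire */
    const unsigned char *data;   /* header + payload */
} record_t;

/* The bug class the dump shows: with a 32-bit size_t, total_len - HDR_LEN
 * wraps to 0xFFFFFFFE when total_len == 0, which is exactly the third
 * memcpy argument in the kv output (15b6f970 15f02d68 fffffffe). */
uint32_t payload_len_unchecked(uint32_t total_len)
{
    return total_len - HDR_LEN;
}

/* Hardened computation: reject lengths that would underflow or that do not
 * fit the destination. On failure *out is untouched and false is returned. */
bool payload_len_checked(uint32_t total_len, size_t dst_cap, size_t *out)
{
    if (total_len < HDR_LEN)
        return false;                 /* would wrap below zero */
    size_t n = total_len - HDR_LEN;
    if (n > dst_cap)
        return false;                 /* would run off the end of dst */
    *out = n;
    return true;
}

/* Copy the payload into a caller-supplied buffer (a stack buffer in the
 * scenario above). Returns bytes copied, or -1 if the copy was refused. */
int copy_payload(const record_t *rec, unsigned char *dst, size_t dst_cap)
{
    size_t n;
    if (!payload_len_checked(rec->total_len, dst_cap, &n))
        return -1;
    memcpy(dst, rec->data + HDR_LEN, n);
    return (int)n;
}

/* Reconstruct how far the faulting memcpy got from the r output: the
 * instruction at memcpy+0x5a is `rep movs dword`, so ecx holds the dwords
 * still pending; assuming the count started at size/4, (size/4 - ecx)
 * dwords have already been written. */
uint32_t bytes_copied_before_fault(uint32_t size, uint32_t ecx_remaining)
{
    return (size / 4u - ecx_remaining) * 4u;
}

int main(void)
{
    /* Values taken from the kv / r output in the post. */
    const uint32_t size = 0xFFFFFFFEu, ecx = 0x3FFFFE5Bu, dst0 = 0x15B6F970u;
    uint32_t done = bytes_copied_before_fault(size, ecx);
    printf("memcpy wrote 0x%x bytes, faulting at 0x%08x (edi was 15b70000)\n",
           (unsigned)done, (unsigned)(dst0 + done));

    /* Constructed input: an empty record (total_len == 0) and a valid one. */
    unsigned char buf[16];
    const unsigned char wire[] = "HHpayload";
    record_t empty = { 0, wire };
    record_t good  = { (uint32_t)(sizeof wire - 1), wire };
    printf("unchecked length for total_len=0: 0x%08x\n",
           (unsigned)payload_len_unchecked(empty.total_len));
    printf("checked copy of empty record: %d\n",
           copy_payload(&empty, buf, sizeof buf));
    printf("checked copy of valid record: %d\n",
           copy_payload(&good, buf, sizeof buf));
    return 0;
}
```

The 0x690 bytes it reports end at 0x15b70000, the first unmapped page above the thread's stack, which is why `dd edi` shows `????????`.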
