-
-
[原创]对编写驱动时需谨慎使用EBX的分析
-
发表于: 2008-3-7 12:26
-
问题简述:
至少在XP SP2中,驱动程序DriverEntry例程和UnLoadedDrive例程中不能随意改动EBX的值,否则
会引起程序执行错误,甚至BSOD.
对于DriverEntry例程:
当DriverEntry例程执行完毕后,返回到系统IopLoadDriver例程中,若在DriverEntry例程中改变
了EBX的值,则会在以下去引起地址访问违例,从而发生BSOD;或没有发生BSOD,但几乎必定会引起程序执行
错误,如虽然提供了卸载例程的驱动,亦无法卸载.
805a3ec0 895da0 mov dword ptr [ebp-60h],ebx
805a3ec3 8b45a0 mov eax,dword ptr [ebp-60h]
805a3ec6 8d448738 lea eax,[edi+eax*4+38h]
kd> u
nt!IopLoadDriver+0x68c:
805a3eca 3918 cmp dword ptr [eax],ebx ;◆◆◆◆◆==BSOD===★★★★★★
805a3ecc 0f84e1430400 je nt!IopLoadDriver+0x690 (805e82b3)
详细流程:
重现在DriverEntry例程中随意改动EBX的值引起BSODD
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: D:\WINDDK\Symbols;d:\WINDOWS\Symbols
Executable search path is: E:\汇编编程\WIN32ASM\SOFT
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_qfe.070227-2300
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055b820
Debug session time: Thu Mar 6 19:33:10.109 2008 (GMT+8)
System Uptime: 0 days 0:03:25.828
Break instruction exception - code 80000003 (first chance)
... ...
kd> t
HellowDDK!DriverEntry+0xee:
faf6f3e7 68f2f6f6fa push offset HellowDDK!szMsgDispathM (faf6f6f2)
kd> u
HellowDDK!DriverEntry+0xee [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 157]:
faf6f3e7 68f2f6f6fa push offset HellowDDK!szMsgDispathM (faf6f6f2)
faf6f3ec e817010000 call HellowDDK!DbgPrint (faf6f508)
faf6f3f1 83c404 add esp,4
faf6f3f4 8b4508 mov eax,dword ptr [ebp+8]
faf6f3f7 c740388ef4f6fa mov dword ptr [eax+38h],offset HellowDDK!CalledIofCompleteRequest (faf6f48e)
faf6f3fe c7403a8ef4f6fa mov dword ptr [eax+3Ah],offset HellowDDK!CalledIofCompleteRequest (faf6f48e)
faf6f405 c74046a9f4f6fa mov dword ptr [eax+46h],offset HellowDDK!CalledDeviceControl (faf6f4a9)
faf6f40c c740342cf4f6fa mov dword ptr [eax+34h],offset HellowDDK!UnLoadedDrive (faf6f42c)
kd> u
HellowDDK!DriverEntry+0x11a [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 168]:
faf6f413 e8a9000000 call HellowDDK!DebugShowRegisterInformation (faf6f4c1)
faf6f418 6840f6f6fa push offset HellowDDK!szMsgRun (faf6f640)
faf6f41d e8e6000000 call HellowDDK!DbgPrint (faf6f508)
faf6f422 83c404 add esp,4
faf6f425 8b45fc mov eax,dword ptr [ebp-4]
faf6f428 c9 leave
faf6f429 c20800 ret 8
HellowDDK!UnLoadedDrive [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 177]:
faf6f42c 55 push ebp
kd> g faf6f429
Hellow Msg: The Driver is Dispathing Major Function !
Hellow Msg: The Code's Curent Address EIP = FAF6F413, More Information:
Hellow Msg: EAX = 811AE7E0 ECX = 80500073 EDX = 00000037 EBX = FAE3482B
Hellow Msg: ESP = F823BC60 EBP = F823BC7C ESI = E10A08CC EDI = 811AE7E0
Hellow Msg: The Driver is Runing !
HellowDDK!DriverEntry+0x130:
faf6f429 c20800 ret 8
kd> t
nt!IopLoadDriver+0x66c:
805a3ead 3bc3 cmp eax,ebx
kd> u
nt!IopLoadDriver+0x66c:
805a3ead 3bc3 cmp eax,ebx
805a3eaf 8b8d68ffffff mov ecx,dword ptr [ebp-98h]
805a3eb5 8945ac mov dword ptr [ebp-54h],eax
805a3eb8 8901 mov dword ptr [ecx],eax
805a3eba 0f8ce7430400 jl nt!IopLoadDriver+0x67b (805e82a7)
805a3ec0 895da0 mov dword ptr [ebp-60h],ebx
805a3ec3 8b45a0 mov eax,dword ptr [ebp-60h]
805a3ec6 8d448738 lea eax,[edi+eax*4+38h]
805a3eca 3918 cmp dword ptr [eax],ebx
805a3ecc 0f84e1430400 je nt!IopLoadDriver+0x690 (805e82b3)
kd> G
*** Fatal System Error: 0x0000007e
(0xC0000005,0x805A3ECA,0xF88CABC4,0xF88CA8C0)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
..................................................................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 805a3eca, f88cabc4, f88ca8c0}
Probably caused by : ntoskrnl.exe ( nt!IopLoadDriver+68c )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
804e4592 cc int 3
kd> !ANALYZE -V
Unknown option '-V'
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 805a3eca, f88cabc4, f88ca8c0}
Probably caused by : ntoskrnl.exe ( nt!IopLoadDriver+68c )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805a3eca, The address that the exception occurred at
Arg3: f88cabc4, Exception Record Address
Arg4: f88ca8c0, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
nt!IopLoadDriver+68c
805a3eca 3918 cmp dword ptr [eax],ebx
EXCEPTION_RECORD: f88cabc4 -- (.exr 0xfffffffff88cabc4)
ExceptionAddress: 805a3eca (nt!IopLoadDriver+0x0000068c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 6ca7bff4
Attempt to read from address 6ca7bff4
CONTEXT: f88ca8c0 -- (.cxr 0xfffffffff88ca8c0)
eax=6ca7bff4 ebx=fae3482b ecx=f88cad70 edx=00000024 esi=e15ea23c edi=811a9f10
eip=805a3eca esp=f88cac8c ebp=f88cad4c iopl=0 nv up ei pl nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010213
nt!IopLoadDriver+0x68c:
805a3eca 3918 cmp dword ptr [eax],ebx ds:0023:6ca7bff4=????????
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
READ_ADDRESS: 6ca7bff4
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from 805a4182 to 805a3eca
STACK_TEXT:
f88cad4c 805a4182 0000046c 00000001 00000000 nt!IopLoadDriver+0x68c
f88cad74 804e526b 0000046c 00000000 ffa9a640 nt!IopLoadUnloadDriver+0x45
f88cadac 8057dfce f88cecf4 00000000 00000000 nt!ExpWorkerThread+0x100
f88caddc 804f98fa 804e5196 80000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
nt!IopLoadDriver+68c
805a3eca 3918 cmp dword ptr [eax],ebx
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!IopLoadDriver+68c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e55172
STACK_COMMAND: .cxr 0xfffffffff88ca8c0 ; kb
FAILURE_BUCKET_ID: 0x7E_nt!IopLoadDriver+68c
BUCKET_ID: 0x7E_nt!IopLoadDriver+68c
Followup: MachineOwner
---------
kd> u
nt!IopLoadDriver+0x68c:
805a3eca 3918 cmp dword ptr [eax],ebx
805a3ecc 0f84e1430400 je nt!IopLoadDriver+0x690 (805e82b3)
对于UnloadDriver例程:
当不随意改EBX(这里是先保存在结束前将其恢复原值),程序正常执行
eax=00000000 ebx=00000000 ecx=80500073 edx=00000024 esi=f88e2b84 edi=f88e2b84
eip=faf1249c esp=fac9ed4c ebp=fac9ed58 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00200296
faf1249c c9 leave
kd> t
faf1249d c20400 ret 4
kd> t
nt!IopLoadUnloadDriver+0x19:
805e82fc 33ff xor edi,edi
当随意改EBX,程序提前返回,无法正常执行,引起BSOD
kd> g fae69496
Hellow Msg: The Code's Curent Address EIP = FAE6947E, More Information:
Hellow Msg: EAX = 00000000 ECX = 00000000 EDX = 80562ED8 EBX = FAE6982B
Hellow Msg: ESP = F8236D48 EBP = F8236D58 ESI = F89EEB84 EDI = F89EEB84
Hellow Msg: The Driver is Unload !
Hellow Msg: The Code's Curent Address EIP = FAE69491, More Information:
Hellow Msg: EAX = 00000000 ECX = 80500073 EDX = 00000024 EBX = FAE6982B
Hellow Msg: ESP = F8236D4C EBP = F8236D58 ESI = F89EEB84 EDI = F89EEB84
HellowDDK!UnLoadedDrive+0x6e:
fae69496 c9 leave
faf12497 c20400 ret 4 ;<---------次条指令被跳过(在堆栈平衡绝对正确的情况下)
kd> t
nt!IopLoadUnloadDriver+0x19:
805e82fc 33ff xor edi,edi
详细流程:
重现在UnLoadedDrive例程中随意改动EBX的值引起BSODD
kd> u
HellowDDK!UnLoadedDrive+0x42 [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 196]:
fae6946a 83c404 add esp,4
fae6946d 8b4508 mov eax,dword ptr [ebp+8]
fae69470 83780400 cmp dword ptr [eax+4],0
fae69474 7408 je HellowDDK!UnLoadedDrive+0x56 (fae6947e)
fae69476 ff7004 push dword ptr [eax+4]
fae69479 e884000000 call HellowDDK!IoDeleteDevice (fae69502)
fae6947e e84a000000 call HellowDDK!DebugShowRegisterInformation (fae694cd)
fae69483 686596e6fa push offset HellowDDK!szMsgUnload (fae69665)
kd> u
HellowDDK!UnLoadedDrive+0x60 [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 207]:
fae69488 e887000000 call HellowDDK!DbgPrint (fae69514)
fae6948d 83c404 add esp,4
fae69490 58 pop eax
fae69491 e837000000 call HellowDDK!DebugShowRegisterInformation (fae694cd)
fae69496 c9 leave
fae69497 c20400 ret 4
HellowDDK!CalledIofCompleteRequest [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 214]:
fae6949a 55 push ebp
fae6949b 8bec mov ebp,esp
kd> g fae69496
Hellow Msg: The Code's Curent Address EIP = FAE6947E, More Information:
Hellow Msg: EAX = 00000000 ECX = 00000000 EDX = 80562ED8 EBX = FAE6982B
Hellow Msg: ESP = F8236D48 EBP = F8236D58 ESI = F89EEB84 EDI = F89EEB84
Hellow Msg: The Driver is Unload !
Hellow Msg: The Code's Curent Address EIP = FAE69491, More Information:
Hellow Msg: EAX = 00000000 ECX = 80500073 EDX = 00000024 EBX = FAE6982B
Hellow Msg: ESP = F8236D4C EBP = F8236D58 ESI = F89EEB84 EDI = F89EEB84
HellowDDK!UnLoadedDrive+0x6e:
fae69496 c9 leave
faf12497 c20400 ret 4
kd> t
nt!IopLoadUnloadDriver+0x19:
805e82fc 33ff xor edi,edi
kd> g
*** Fatal System Error: 0x000000e1
(0x805A4141,0x00000002,0xF8A0EB84,0xF8A0EB84)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
..........................................................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck E1, {805a4141, 2, f8a0eb84, f8a0eb84}
Probably caused by : ntoskrnl.exe ( nt!IopLoadUnloadDriver+0 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
804e4592 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
WORKER_THREAD_RETURNED_AT_BAD_IRQL (e1)
Arguments:
Arg1: 805a4141, address of worker routine (do ln on this to find guilty driver)
Arg2: 00000002, IRQL returned at (should have been 0, but isn't).
Arg3: f8a0eb84, workitem parameter
Arg4: f8a0eb84, workitem address
Debugging Details:
------------------
FAULTING_IP:
nt!IopLoadUnloadDriver+0
805a4141 8bff mov edi,edi
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xE1
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 8053366f to 804e4592
STACK_TEXT:
f8256918 8053366f 00000003 f8256c74 00000000 nt!RtlpBreakWithStatusInstruction
f8256964 80534146 00000003 f8a0eb84 805628dc nt!KiBugCheckDebugBreak+0x19
f8256d44 80534736 000000e1 805a4141 00000002 nt!KeBugCheck2+0x574
f8256d64 80528cb0 000000e1 805a4141 00000002 nt!KeBugCheckEx+0x1b
f8256dac 8057dfce f8a0eb84 00000000 00000000 nt!ExpWorkerThread+0x1e6
f8256ddc 804f98fa 804e5196 80000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!IopLoadUnloadDriver+0
805a4141 8bff mov edi,edi
SYMBOL_NAME: nt!IopLoadUnloadDriver+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e55172
FAILURE_BUCKET_ID: 0xE1_nt!IopLoadUnloadDriver+0
BUCKET_ID: 0xE1_nt!IopLoadUnloadDriver+0
Followup: MachineOwner
---------
解决方案:
鉴于以上原因,我们在驱动程序DriverEntry例程和UnLoadedDrive例程中不要随意改动EBX的
值, 即使必须要改变EBX的值,也应该先将其原值储存后再随意处理EBX,并且一定要在执行完毕前恢复
其值.
另外,对于其他主功能分发例程没有进行测试,通过查看一些逆过的驱动,也发现程序中使用EBX
的情况很少见,有的完全没有使用EBX,故而估计对于EBX寄存器的修改还得遵循以上处理方法(具体情况
还需自己亲自测试). 如果了解这个问题,就能减少些驱动时出现一些莫名其妙的错误.
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
All arguments are widened to 32 bits when they are passed. Return values are also widened to 32 bits and returned in the EAX register, except for 8-byte structures, which are returned in the EDX:EAX register pair. Larger structures are returned in the EAX register as pointers to hidden return structures. Parameters are pushed onto the stack from right to left. Structures that are not PODs will not be returned in registers.
The compiler generates prolog and epilog code to save and restore the ESI, EDI, EBX, and EBP registers, if they are used in the function 驱动C用的多点,显然C编译器一般会由于优化避免使用需要 Restore的regs.如果非要使用,自然会被保护.以上文字引自MSDN. 既然是__stdcall调用规则,本来就不能够动EBX......所以我发现最近火星人不少.  打开防忽悠模式ing.....楼下的几位看来不只是海王星人的问题. 防忽悠 防忽悠 防忽悠 防忽悠 防忽悠 防忽悠 防忽悠 不要忽悠我. 
|
|
|
我是最近对驱动开始赶兴趣,看了些KMD教程,就在学写过程中发现的这个问题,每想到竟然成了火星人
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
好象在《罗》书中提到过,WIN回调函数需要保护 EBX,ESI,EDI。原来在驱动中DriverEntry例程和UnLoadedDrive例程也是系统的回调函数(原来我还认为只是一种人口代码,不属于系统回调),也必须保存环境,那的确是我学业不精所制。只要能有收获,只要骂的有道理,被骂也值得。学业有先后而已。
|
|
|
学习,
 ,出来混,难免被误解。
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
看得天花乱坠……
|
|
|
|
|
|
|
