首页
社区
课程
招聘
[原创]用户模式APC蓝屏分析报告
发表于: 2009-1-13 17:17 18890

[原创]用户模式APC蓝屏分析报告

2009-1-13 17:17
18890

关键词:APC,蓝屏,QueueUserAPC,ZwQueueApcThread,漏洞

曾在看雪上看到一篇 【囧】Ring3下把Windows XP SP2 弄蓝了…… 的帖子。
出于好奇,改了段QueueUserAPC的Delphi的代码(见该贴的5楼),结果SP3下也蓝屏了:



也许是太简单了,苦等不见高手回复。正好在学漏洞分析这门课,就拿这个问题来练手了
最后分析发现,其实这个蓝屏原因很简单——QueueUserAPC的调用上范了初级错误,APC插csrss后执行出错,导致csrss被OS中止掉了。

虽然简单,不过重要的是分析过程,所以在这里记录一下。分析中难免有错,高手飘过...

-------------------------------------------------------------------------------------------------

由于出问题的API是QueueUserAPC,于是尝试着用OllyDbg跟入检查原因。可以看到,QueueUserAPC实际是通过调用ntdll!ZwQueueApcThread实现的。不过ZwQueueApcThread没办法进一步跟进去:

7C92E23D >  B8 B4000000     MOV EAX,0B4             ; ZwQueueApcThread
7C92E242    BA 0003FE7F     MOV EDX,7FFE0300
7C92E247    FF12            CALL DWORD PTR DS:[EDX] ; ntdll.KiFastSystemCall
7C92E249    C2 1400         RETN 14
SS:
0012FF30   7C834174  返回到 kernel32.7C834174 来自 ntdll.ZwQueueApcThread

7C92EB8B >  8BD4            MOV EDX,ESP		        ; ntdll.KiFastSystemCall
7C92EB8D    0F34            SYSENTER
ntdll!RtlQueueWorkItem+0x2b5
ntdll!RtlDowncaseUnicodeString+0x75

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

上传的附件:
收藏
免费 7
支持
分享
最新回复 (14)
雪    币: 296
活跃值: (89)
能力值: ( LV15,RANK:340 )
在线值:
发帖
回帖
粉丝
2
这是注入CSRSS并且LoadLibraryA一个显示对话框的DLL引起的蓝屏截图,相关代码见此楼附件:



同样的使用WinDbg分析,可以得到如下信息:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {f0006c74, 0, bf838c27, 0}

Probably caused by : memory_corruption

Followup: memory_corruption
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f0006c74, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf838c27, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------
READ_ADDRESS: f0006c74

FAULTING_IP:
win32k!NtUserGetDCEx+2c
bf838c27 8b7108 mov esi,dword ptr [ecx+8]

MM_INTERNAL_CODE: 0
DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAULTING_MODULE: bf800000 win32k

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0x50

PROCESS_NAME: csrss.exe

TRAP_FRAME: f9c7ccd8 -- (.trap 0xfffffffff9c7ccd8)
ErrCode = 00000000
eax=e14254c0 ebx=bf838c46 ecx=f0006c6c edx=0055ee64 esi=0055ee70 edi=f9c7cd64
eip=bf838c27 esp=f9c7cd4c ebp=f9c7cd50 iopl=0 vif nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00090246
win32k!NtUserGetDCEx+0x2c:
0008:bf838c27 8b7108 mov esi,dword ptr [ecx+8] ds:0023:f0006c74=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 805256fb to 805349ae

STACK_TEXT:
f9c7cc74 805256fb 00000050 f0006c74 00000000 nt!KeBugCheckEx+0x1b
f9c7ccc0 804e2ff1 00000000 f0006c74 00000000 nt!MmAccessFault+0x6f5
f9c7ccc0 bf838c27 00000000 f0006c74 00000000 nt!KiTrap0E+0xcc
f9c7cd50 804e006b 00000000 00000000 00000003 win32k!NtUserGetDCEx+0x2c
f9c7cd50 7c92eb94 00000000 00000000 00000003 nt!KiFastCallEntry+0xf8
0055ee58 77d1f229 77d3b22a 00000000 00000000 ntdll!KiFastSystemCallRet
0055f110 77d3b12b 0055f26c 0055f340 0174fb14 USER32!NtUserGetDCEx+0xc
0055f260 77d65fdf 0055f26c 00000028 00000000 USER32!MessageBoxWorker+0x2ba
0055f2b8 77d50574 00000000 0174a1ac 0174a1a8 USER32!MessageBoxTimeoutW+0x7a
0055f2d8 77d6615b 00000000 0174a1ac 0174a1a8 USER32!MessageBoxExW+0x1b
0055f2f4 0174a19f 00000000 0174a1ac 0174a1a8 USER32!MessageBoxW+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
0055f350 7c9211a7 01740000 00000001 00000000 32+0xa19f
0055f370 7c93cbab 0174b158 01740000 00000001 ntdll!LdrpCallInitRoutine+0x14
0055f478 7c936178 00000000 c0150008 00000000 ntdll!LdrpRunInitializeRoutines+0x344
0055f724 7c9362da 00000000 00163910 0055fa18 ntdll!LdrpLoadDll+0x3e5
0055f9cc 7c801bb9 00163910 0055fa18 0055f9f8 ntdll!LdrLoadDll+0x230
0055fa34 7c801d6e 7ffdcc00 00000000 00000000 KERNEL32!LoadLibraryExW+0x18e
0055fa48 7c801da4 016e0000 00000000 00000000 KERNEL32!LoadLibraryExA+0x1f
0055fa64 7c8341cc 016e0000 0055fac0 00000000 KERNEL32!LoadLibraryA+0x94

0055faac 7c92eac7 7c801d77 016e0000 00000000 KERNEL32!BaseDispatchAPC+0x50
0055fff4 00000000 00000000 000000c8 0000012a ntdll!KiUserApcDispatcher+0x7


STACK_COMMAND: kb

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------

kd> lmvm win32k
start end module name
bf800000 bf9c0200 win32k (pdb symbols) D:\Program Files\Symbols\win32k.pdb\D48935A134F249CDA985C45051FBF0462\win32k.pdb
Loaded symbol image file: win32k.sys
Image path: \SystemRoot\System32\win32k.sys
Image name: win32k.sys
Timestamp: Wed Aug 04 14:17:30 2004 (41107F7A)
CheckSum: 001C663B
ImageSize: 001C0200
File version: 5.1.2600.2180
Product version: 5.1.2600.2180
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0804.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows(R) Operating System
InternalName: win32k.sys
OriginalFilename: win32k.sys
ProductVersion: 5.1.2600.2180
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
FileDescription: Multi-User Win32 Driver
LegalCopyright: (C) Microsoft Corporation. All rights reserved.


可见这个BSOD是由于内存访问违规引起的。由于win32k.sys中的这条指令,读取了0xf0006c74的内容,而0xf0006c74不再内存中,于是引起了蓝屏。
0008:bf838c27 8b7108   mov esi,dword ptr [ecx+8]      ; ds:0023:f0006c74=????????

回想这个蓝屏发生的原因,由于LoadLibrary了一个cmdShell到csrss.exe的第二个线程中,结果就出现了这个蓝屏。查看蓝屏前的堆栈,可以看到这样三行:
0055fa34 7c801d6e 7ffdcc00 00000000 00000000 KERNEL32!LoadLibraryExW+0x18e
0055fa48 7c801da4 016e0000 00000000 00000000 KERNEL32!LoadLibraryExA+0x1f
0055fa64 7c8341cc 016e0000 0055fac0 00000000 KERNEL32!LoadLibraryA+0x94
这说明了LoadLibraryA确实被执行了。也就是说如果我们写一段ShellCode到CSRSS中,就可以利用CSRSS的权限作我们想做的事情。至于注入CSRSS所需要的权限,例如管理员、SeDebugPrivilege等,参见其他注入教程中关于OpenThread和OpenProcess的部分。

---------------------------------------------------------------------------------------

附件 APC_src.rar 说明
\APC注入_D2009\AnyAPC_Boom.rar              里面是APC注入的主程序,用法见源码目录下的readme.txt
\注射用DLL\多线程cmdshell\s32.dll           改成32.dll丢到Windows安装目录中,注入后监听3820端口,可以Telnet试

相关的程序源码都在里面,自己看吧。另外,建议先扫一遍毒再运行
上传的附件:
2009-1-13 17:18
0
雪    币: 635
活跃值: (101)
能力值: ( LV12,RANK:420 )
在线值:
发帖
回帖
粉丝
3
第一个蓝屏是CRITICAL_OBJECT_TERMINATION~CRITICAL process退出~

第二个蓝屏除非你触发了0DAY~
什么叫“这也说明了利用APC可以执行任意地址的代码,而不是固定的在某个位置崩溃。“
这纯粹是搞笑嘛
2009-1-13 18:09
0
雪    币: 296
活跃值: (89)
能力值: ( LV15,RANK:340 )
在线值:
发帖
回帖
粉丝
4
我那句“这也说明了利用APC可以执行任意地址的代码,而不是固定的在某个位置崩溃。”是复制出来的,放这里确实点歧义 。

WinDbg不熟,不过这两个蓝屏大致还是知道原因:
第一个蓝屏说的 关键进程 就是CSRSS,因为插入了错误的APC回调地址到CSRSS中,导致CSRSS.exe执行非法操作被终止。(这个道理很简单,比如在CSRSS中创建一个远程线程,开始地址随便设个不能正确执行的地方,一样会引发这种蓝屏)
第二个蓝屏是向CSRSS中LoadLibraryA一个命令行Shell的DLL引发的(可以看堆栈中我加粗的三行,说明LoadLibrary执行过了),虽然不知道为什么会蓝,不过肯定不是0Day。这个代码我整理一下稍后上传,今天下午有点事出去了。

不知道这两点我说的对不?

关于第二个蓝屏,carsh dump分析中可以看到:
STACK_TEXT:
f9c7cc74 805256fb 00000050 f0006c74 00000000 nt!KeBugCheckEx+0x1b
f9c7ccc0 804e2ff1 00000000 f0006c74 00000000 nt!MmAccessFault+0x6f5
f9c7ccc0 bf838c27 00000000 f0006c74 00000000 nt!KiTrap0E+0xcc
f9c7cd50 804e006b 00000000 00000000 00000003 win32k!NtUserGetDCEx+0x2c
f9c7cd50 7c92eb94 00000000 00000000 00000003 nt!KiFastCallEntry+0xf8
0055ee58 77d1f229 77d3b22a 00000000 00000000 ntdll!KiFastSystemCallRet
0055f110 77d3b12b 0055f26c 0055f340 0174fb14 USER32!NtUserGetDCEx+0xc
0055f260 77d65fdf 0055f26c 00000028 00000000 USER32!MessageBoxWorker+0x2ba
0055f2b8 77d50574 00000000 0174a1ac 0174a1a8 USER32!MessageBoxTimeoutW+0x7a
0055f2d8 77d6615b 00000000 0174a1ac 0174a1a8 USER32!MessageBoxExW+0x1b
0055f2f4 0174a19f 00000000 0174a1ac 0174a1a8 USER32!MessageBoxW+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
0055f350 7c9211a7 01740000 00000001 00000000 32+0xa19f
0055f370 7c93cbab 0174b158 01740000 00000001 ntdll!LdrpCallInitRoutine+0x14
0055f478 7c936178 00000000 c0150008 00000000 ntdll!LdrpRunInitializeRoutines+0x344
0055f724 7c9362da 00000000 00163910 0055fa18 ntdll!LdrpLoadDll+0x3e5
0055f9cc 7c801bb9 00163910 0055fa18 0055f9f8 ntdll!LdrLoadDll+0x230
0055fa34 7c801d6e 7ffdcc00 00000000 00000000 KERNEL32!LoadLibraryExW+0x18e
0055fa48 7c801da4 016e0000 00000000 00000000 KERNEL32!LoadLibraryExA+0x1f
0055fa64 7c8341cc 016e0000 0055fac0 00000000 KERNEL32!LoadLibraryA+0x94

0055faac 7c92eac7 7c801d77 016e0000 00000000 KERNEL32!BaseDispatchAPC+0x50
0055fff4 00000000 00000000 000000c8 0000012a ntdll!KiUserApcDispatcher+0x7

可以看出APC是这样执行的:
KiUserApcDispatcher -> 处理APC队列(由于回调地址设的是LoadLibraryA,所以接着是LoadLibraryA)
LoadLibraryA -> 加载DLL名字是就是32.dll,看到这个也不要奇怪 0055f350 7c9211a7 01740000 00000001 00000000 32+0xa19f
MessageBoxW -> 暂时没找出调用这个的原因,不过由于DLL是Delphi 2009写的,应该是自动调用的什么提示功能,反正没有正确执行DLL_Main
NtUserGetDCEx -> (这里就是纯猜测了)像是为了取DC然后绘制对话框,用于显示MessageBox
2009-1-13 22:39
0
雪    币: 635
活跃值: (101)
能力值: ( LV12,RANK:420 )
在线值:
发帖
回帖
粉丝
5
csrss.exe是RING3进程,除非内核有漏洞,否则是不可能触发蓝屏的

常识啊!

临界进程/线程是一个例外,这是系统主动蓝的,也不可能是CSRSS调用引发的
2009-1-13 23:41
0
雪    币: 296
活跃值: (89)
能力值: ( LV15,RANK:340 )
在线值:
发帖
回帖
粉丝
6
临界进程/线程没接触过,我内核这块只能算是触及了点皮毛。
csrss是ring3,不过当csrss被结束时,依然会蓝屏(也就是第一种蓝屏——关键进程被结束)。

这是今天早上对csrss的第二个线程插入APC引发蓝屏的dump分析,回调地址随便设的一个0x80008000,参数设的是0x0F0F0F0F。

符号库有些不全,将就看看吧
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\Program Files\Debugging Tools for Windows\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*C:\MaxDOS\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055bb20
Debug session time: Wed Jan 14 09:44:26.114 2009 (GMT+8)
System Uptime: 2 days 22:34:08.298
Loading Kernel Symbols
.....................................................................................................
Loading User Symbols
..............
Loading unloaded module list
..................................................*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F4, {3, 80d33da0, 80d33f14, 805fb7a8}

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
Probably caused by : memory_corruption

Followup: memory_corruption
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 80d33da0, Terminating object
Arg3: 80d33f14, Process image file name
Arg4: 805fb7a8, Explanatory message (ascii)

Debugging Details:
------------------

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************

PROCESS_OBJECT: 80d33da0

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAULTING_MODULE: 4a680000 csrss

PROCESS_NAME: csrss.exe

EXCEPTION_RECORD: f8a3d9d8 -- (.exr 0xfffffffff8a3d9d8)
ExceptionAddress: 80008000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 80008000
Attempt to read from address 80008000

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

DEFAULT_BUCKET_ID: CODE_CORRUPTION

ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

READ_ADDRESS: 80008000

FAILED_INSTRUCTION_ADDRESS:
+ffffffff80008000
80008000 0000 add byte ptr [eax],al


BUGCHECK_STR: 0xF4_C0000005

STACK_TEXT:
f8a3d520 8062da73 000000f4 00000003 80d33da0 nt!KeBugCheckEx+0x1b
f8a3d544 805fb766 805fb7a8 80d33da0 80d33f14 nt!PspCatchCriticalBreak+0x75
f8a3d574 804e006b 80d33fe8 c0000005 f8a3d9b0 nt!NtTerminateProcess+0x7d
f8a3d574 804df310 80d33fe8 c0000005 f8a3d9b0 nt!KiFastCallEntry+0xf8
f8a3d5f4 8051ee95 ffffffff c0000005 f8a3d9f4 nt!ZwTerminateProcess+0x11
f8a3d9b0 804fdbfe f8a3d9d8 00000000 f8a3dd64 nt!KiDispatchException+0x3a0
f8a3dd34 804e397d 0055f780 0055f79c 00000000 nt!KiRaiseException+0x175
f8a3dd50 804e006b 0055f780 0055f79c 00000000 nt!NtRaiseException+0x31
f8a3dd50 80008000 0055f780 0055f79c 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0055fa64 7c8341cc 0f0f0f0f 0055fac0 00000000 0x80008000
0055faac 7c92eac7 80008000 0f0f0f0f 00000000 KERNEL32!BaseDispatchAPC+0x50
0055fff4 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7


STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
804da0c9-804da0cd 5 bytes - nt!KiXMMIZeroPage+30
[ fa f7 80 0c 02:e9 71 b3 65 7f ]
804da10c - nt!KiXMMIZeroPage+73 (+0x43)
[ fb:90 ]
804da112-804da115 4 bytes - nt!KiXMMIZeroPage+79 (+0x06)
[ 57 ff ff ff:c5 cd 69 7f ]
804da545-804da54a 6 bytes - nt!ExAcquireResourceSharedLite+10 (+0x433)
[ fa 8b 75 08 33 db:e9 fb c9 69 7f cc ]
804da564 - nt!ExAcquireResourceSharedLite+98 (+0x1f)
[ fb:90 ]
804da569-804da570 8 bytes - nt!ExAcquireResourceSharedLite+b8 (+0x05)
[ c2 08 00 90 90 90 90 90:e9 21 ac 65 7f c2 08 00 ]
804dcb82 - nt!ExReleaseResourceLite+ba (+0x2619)
[ 99:3f ]
804dcb94 - nt!ExReleaseResourceLite+c8 (+0x12)
[ 87:2d ]
804dcba0 - nt!ExReleaseResourceLite+d0 (+0x0c)
[ 7e:24 ]
804dcbc5-804dcbcd 9 bytes - nt!ExReleaseResourceLite+f5 (+0x25)
[ 90 90 90 90 90 90 90 90:e9 24 86 65 7f 5f 5e 5b ]
804dcbd5-804dcbda 6 bytes - nt!ExReleaseResourceLite+5 (+0x10)
[ 64 a1 24 01 00 00:e9 4c a3 69 7f cc ]
804dcbe8 - nt!ExReleaseResourceLite+18 (+0x13)
[ 36:dc ]
804dcbf9 - nt!ExReleaseResourceLite+29 (+0x11)
[ 25:cb ]
804dcc16-804dcc1a 5 bytes - nt!ExReleaseResourceLite+75 (+0x1d)
[ 66 81 e2 7f ff:e9 f9 a2 69 7f ]
804dfff2-804dfff8 7 bytes - nt!KiFastCallEntry+7f (+0x33dc)
[ c7 45 08 00 0d db ba:e9 ee 6e 69 7f cc cc ]
804e007c-804e0080 5 bytes - nt!KiServiceExit (+0x8a)
[ fa f7 45 70 00:e9 24 51 65 7f ]
804e016b-804e016d 3 bytes - nt!KiSystemCallExitBranch+2 (+0xef)
[ 5a 59 9d:c8 02 04 ]
804e08fb-804e08ff 5 bytes - nt!KiExceptionExit (+0x790)
[ fa f7 45 70 00:e9 04 49 65 7f ]
804e2fc9-804e2fce 6 bytes - nt!KiTrap0E+a4 (+0x26ce)
[ fb f7 45 70 00 02:90 e9 68 22 65 7f ]
804e44b4-804e44b8 5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x14eb)
[ fa 8b 01 89 02:e9 db 29 69 7f ]
804e44d1-804e44d6 6 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d)
[ fa 8b 41 04 89 0a:e9 e1 29 69 7f cc ]
804e44f2-804e44f6 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21)
[ fa 8b 01 3b c1:e9 75 29 69 7f ]
804e4874-804e4878 5 bytes - nt!KeUpdateSystemTime+137 (+0x382)
[ fa ff 15 dc 85:e9 b0 0a 65 7f ]
804e4886-804e488a 5 bytes - nt!KeUpdateSystemTime+149 (+0x12)
[ fa ff 15 dc 85:e9 98 0b 65 7f ]
804e4b4c-804e4b50 5 bytes - nt!ExAcquireResourceExclusiveLite+7 (+0x2c6)
[ 64 a1 24 01 00:e9 03 06 65 7f ]
804e4b6d-804e4b71 5 bytes - nt!ExAcquireResourceExclusiveLite+47 (+0x21)
[ 89 46 1c 66 89:e9 00 06 65 7f ]
804ea175-804ea17a 6 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x5608)
[ fa 8b 75 08 33 db:e9 bc cd 68 7f cc ]
804ea194 - nt!ExAcquireSharedWaitForExclusive+ae (+0x1f)
[ fb:90 ]
804ea199-804ea1a0 8 bytes - nt!ExAcquireSharedWaitForExclusive+ef (+0x05)
[ c2 08 00 90 90 90 90 90:0f c7 c8 02 03 c2 08 00 ]
804ee809-804ee80f 7 bytes - nt!CcGetActiveVacb+5 (+0x4670)
[ fa 8b 45 08 8b 48 48:e9 46 87 68 7f cc cc ]
804f01dc-804f01e3 8 bytes - nt!CcSetActiveVacb+7 (+0x19d3)
[ fa 8b 45 08 83 78 48 00:e9 c8 6d 68 7f cc cc cc ]
804f01ff-804f020c 14 bytes - nt!CcSetActiveVacb+a3 (+0x23)
[ 8b 0a 89 48 48 89 58 50:e9 95 6d 68 7f e9 84 6d ]
804f1c70-804f1c74 5 bytes - nt!ExAcquireSharedStarveExclusive+7 (+0x1a71)
[ 64 a1 24 01 00:e9 4e 36 64 7f ]
161 errors : !nt (804da0c9-804f1c74)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------

kd> lmvm csrss
start end module name
4a680000 4a685000 csrss (pdb symbols) C:\MaxDOS\Symbols\csrss.pdb\D71FC46DDC57401BBA700BD8668D35CC1\csrss.pdb
Loaded symbol image file: csrss.exe
Mapped memory image file: C:\MaxDOS\Symbols\csrss.exe\41107C1F5000\csrss.exe
Image path: \??\C:\WINDOWS\system32\csrss.exe
Image name: csrss.exe
Timestamp: Wed Aug 04 14:03:11 2004 (41107C1F)
CheckSum: 00010CBF
ImageSize: 00005000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
kd> !process ffffffff80d33da0 3
PROCESS 80d33da0 SessionId: 0 Cid: 017c Peb: 7ffd8000 ParentCid: 0140
DirBase: 06a2e000 ObjectTable: e14da530 HandleCount: 323.
Image: csrss.exe
VadRoot ffaa2e20 Vads 105 Clone 0 Private 382. Modified 2317. Locked 0.
DeviceMap e1004940
Token e14da600
ElapsedTime 23 Days 21:52:37.557
UserTime 00:00:04.476
KernelTime 01:19:13.094
QuotaPoolUsage[PagedPool] 79504
QuotaPoolUsage[NonPagedPool] 5112
Working Set Sizes (now,min,max) (1116, 50, 345) (4464KB, 200KB, 1380KB)
PeakWorkingSetSize 1421
VirtualSize 64 Mb
PeakVirtualSize 65 Mb
PageFaultCount 3623369
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 572

THREAD 80cf0da8 Cid 017c.018c Teb: 7ffde000 Win32Thread: e1c84598 WAIT: (WrLpcReply) UserMode Non-Alertable
80cf0f9c Semaphore Limit 0x1

THREAD 80cde5b0 Cid 017c.0190 Teb: 7ffdd000 Win32Thread: e1b10008 RUNNING on processor 0
THREAD 80d38da8 Cid 017c.0194 Teb: 7ffdc000 Win32Thread: e15323e0 WAIT: (WrLpcReceive) UserMode Non-Alertable
80da06f0 Semaphore Limit 0x7fffffff

THREAD 80d22da8 Cid 017c.0198 Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
80da2238 Semaphore Limit 0x7fffffff

THREAD 80d32258 Cid 017c.01a4 Teb: 7ffda000 Win32Thread: e1660398 WAIT: (WrLpcReceive) UserMode Non-Alertable
80da06f0 Semaphore Limit 0x7fffffff

THREAD 80d10da8 Cid 017c.01a8 Teb: 7ffd9000 Win32Thread: e15bf618 WAIT: (WrUserRequest) KernelMode Alertable
ffbae888 SynchronizationEvent
80cc5e50 SynchronizationEvent
80daa078 NotificationTimer
80ce6cb8 SynchronizationEvent
80561a40 NotificationEvent
80d25bc0 SynchronizationEvent
80daa048 SynchronizationTimer

THREAD 80db2508 Cid 017c.01ac Teb: 7ffd7000 Win32Thread: e15c1658 WAIT: (WrUserRequest) UserMode Non-Alertable
80ce56f8 SynchronizationEvent
80cf43c8 SynchronizationEvent
ffb9fcd0 SynchronizationEvent

THREAD 80d341b8 Cid 017c.0224 Teb: 7ffd6000 Win32Thread: e16747b0 WAIT: (WrUserRequest) UserMode Non-Alertable
ffb7b128 SynchronizationEvent
80d23190 SynchronizationEvent

THREAD ffa57020 Cid 017c.00b4 Teb: 7ffd5000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
ffa57bc4 NotificationEvent

THREAD 80cda588 Cid 017c.00e0 Teb: 7ffd4000 Win32Thread: e1483870 WAIT: (WrLpcReceive) UserMode Non-Alertable
80da06f0 Semaphore Limit 0x7fffffff

THREAD 80cd2370 Cid 017c.046c Teb: 7ffd3000 Win32Thread: e106e008 WAIT: (WrUserRequest) UserMode Non-Alertable
80ddd1c0 SynchronizationEvent

THREAD 80cd47c8 Cid 017c.01d4 Teb: 7ff9f000 Win32Thread: e1976d28 WAIT: (WrLpcReceive) UserMode Non-Alertable
80da06f0 Semaphore Limit 0x7fffffff


kd> !apc
*** Enumerating APCs in all processes
Process 80e82830 System
Process 80ce3c08 smss.exe
Process 80d33da0 csrss.exe
Thread 80cf0da8 ApcStateIndex 0 ApcListHead 80cf0de4 [USER]
KAPC @ 80e031c8
Type 12
KernelRoutine 80577b96 nt!PspQueueApcSpecialApc+0
RundownRoutine 00000000 +0
Process 80d0dda0 winlogon.exe
Process 80d07a50 services.exe
Process 80d36a58 lsass.exe
Process ffb57440 svchost.exe
Process 80d22488 svchost.exe
Process ffb5b020 svchost.exe
Process ffb8b750 svchost.exe
Process 80cf6020 svchost.exe
Process 80d3f550 explorer.exe
Process ffb596e0 spoolsv.exe
Process ffaa2a30 vmusrvc.exe
Process ffaa04a0 ctfmon.exe
Process ffa97638 vmsrvc.exe
Process ffa88700 vpcmap.exe
Process ffa4f020 alg.exe
Process 80cd9be8 wuauclt.exe
Process 80ded870 wuauclt.exe
Process 80cc9798 AnyAPC_Boom.exe


这个蓝屏的原因没说错吧,CSRSS因为执行插入的APC回调地址0x80008000的全零地址,访问违规被OS给结束掉了。

对于第二个蓝屏,也就是我发这个报告的原因了。到底是什么引起的,不知道您能不能详细分析一下
为方便测试,传了一个测试包上来,具体见压缩包里的测试说明。
上传的附件:
2009-1-14 10:00
0
雪    币: 635
活跃值: (101)
能力值: ( LV12,RANK:420 )
在线值:
发帖
回帖
粉丝
7
你这个也是因为csrss.exe被结束导致蓝屏的,只要将csrss.exe的临界进程标示去掉,就不会再蓝
但你第二个蓝屏就和临界进程无关了
2009-1-14 11:57
0
雪    币: 255
活跃值: (49)
能力值: ( LV9,RANK:180 )
在线值:
发帖
回帖
粉丝
8
很认真的分析文章 学习
2009-1-14 12:10
0
雪    币: 296
活跃值: (89)
能力值: ( LV15,RANK:340 )
在线值:
发帖
回帖
粉丝
9
你说的对。
第二个蓝屏我用的DLL好像不是cmdShell,刚才又试了一下,csrss中cmdShell也能加载成功。
根据2楼那个dump的堆栈情况看,应该是压缩包testdll目录下的那个MessageBox的,我再去仔细看看原因。

果然是MessageBox!换了个DLL,这次就不再是关键进程结束了


蓝屏和二楼相同:




PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f000eefb, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf838c27, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

READ_ADDRESS: f000eefb

FAULTING_IP:
win32k!NtUserGetDCEx+2c
bf838c27 8b7108 mov esi,dword ptr [ecx+8]


MM_INTERNAL_CODE: 0

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAULTING_MODULE: bf800000 win32k

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0x50

PROCESS_NAME: csrss.exe

TRAP_FRAME: f8f8dcd8 -- (.trap 0xfffffffff8f8dcd8)
ErrCode = 00000000
eax=e1c3cd18 ebx=bf838c46 ecx=f000eef3 edx=0055ee34 esi=0055ee40 edi=f8f8dd64
eip=bf838c27 esp=f8f8dd4c ebp=f8f8dd50 iopl=0 vif nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00090246
win32k!NtUserGetDCEx+0x2c:
0008:bf838c27 8b7108 mov esi,dword ptr [ecx+8] ds:0023:f000eefb=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 805256fb to 805349ae

STACK_TEXT:
f8f8dc74 805256fb 00000050 f000eefb 00000000 nt!KeBugCheckEx+0x1b
f8f8dcc0 804e2ff1 00000000 f000eefb 00000000 nt!MmAccessFault+0x6f5
f8f8dcc0 bf838c27 00000000 f000eefb 00000000 nt!KiTrap0E+0xcc
f8f8dd50 804e006b 00000000 00000000 00000003 win32k!NtUserGetDCEx+0x2c
f8f8dd50 7c92eb94 00000000 00000000 00000003 nt!KiFastCallEntry+0xf8
WARNING: Stack unwind information not available. Following frames may be wrong.
0055f0e0 77d3b12b 0055f23c 00000000 ffffffff ntdll!KiFastSystemCallRet
0055f230 77d65fdf 0055f23c 00000028 00000000 USER32!MessageBoxWorker+0x2ba
0055f288 77d66084 00000000 0016ada8 0017b2e8 USER32!MessageBoxTimeoutW+0x7a
0055f2bc 77d50598 00000000 038b8734 038b8730 USER32!MessageBoxTimeoutA+0x9c
0055f2dc 77d50550 00000000 038b8734 038b8730 USER32!MessageBoxExA+0x1b
0055f2f8 038b8727 00000000 038b8734 038b8730 USER32!MessageBoxA+0x45
0055f350 7c9211a7 038b0000 00000001 00000000 r32+0x8727

0055f370 7c93cbab 038b9134 038b0000 00000001 ntdll!LdrInitializeThunk+0x29
0055f478 7c936178 00000000 c0150008 00000000 ntdll!LdrFindResourceDirectory_U+0x276
0055f724 7c9362da 00000000 00163910 0055fa18 ntdll!RtlValidateUnicodeString+0x506
0055f9cc 7c801bb9 00163910 0055fa18 0055f9f8 ntdll!LdrLoadDll+0x110
0055fa34 7c801d6e 7ffdbc00 00000000 00000000 KERNEL32!LoadLibraryExW+0x18e
0055fa48 7c801da4 038a0000 00000000 00000000 KERNEL32!LoadLibraryExA+0x1f
0055fa64 7c8341cc 038a0000 0055fac0 00000000 KERNEL32!LoadLibraryA+0x94

0055faac 7c92eac7 7c801d77 038a0000 00000000 KERNEL32!BaseDispatchAPC+0x50
0055fff4 00000000 00000000 000000c8 00000110 ntdll!KiUserApcDispatcher+0x7

这样看来,是调用MessageBox导致的,错误位置一样。原因未知


那个r32.dll和源码见附件,就MessageBox然后ExitThread而已。
上传的附件:
2009-1-14 12:59
0
雪    币: 201
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
深刻的讨论,坐着学习
2009-1-14 14:30
0
雪    币: 635
活跃值: (101)
能力值: ( LV12,RANK:420 )
在线值:
发帖
回帖
粉丝
11
总有一些发垃圾评论的,看着就恶心!
学习,学习,学习你做个什么声啊!
2009-1-14 16:29
0
雪    币: 635
活跃值: (101)
能力值: ( LV12,RANK:420 )
在线值:
发帖
回帖
粉丝
12
第二个蓝屏貌似的确是win32k的BUG, csrss如果调messagebox就会挂掉~
2009-1-14 16:35
0
雪    币: 296
活跃值: (89)
能力值: ( LV15,RANK:340 )
在线值:
发帖
回帖
粉丝
13
我觉得是因为CSRSS的线程不属于桌面,这里硬要显示个对话框才蓝掉的。先看堆栈:
STACK_TEXT:
f8f8dc74 805256fb 00000050 f000eefb 00000000 nt!KeBugCheckEx+0x1b
f8f8dcc0 804e2ff1 00000000 f000eefb 00000000 nt!MmAccessFault+0x6f5
f8f8dcc0 bf838c27 00000000 f000eefb 00000000 nt!KiTrap0E+0xcc
f8f8dd50 804e006b 00000000 00000000 00000003 win32k!NtUserGetDCEx+0x2c


加粗的 win32k!NtUserGetDCEx+0x2c 说明了0x804e006b前面的一个Call跳到了NtUserGetDCEx。接着看蓝色部分0xbf838c27,这就是出错位置,所以转到了nt!KiTrap0E进行错误处理。所以大致可以确定是在 NtUserGetDCEx 里出的问题。
看到一篇叫“A Story of Unchecked Assumptions in the Windows Kernel”的文章,里面的第28页说了个有趣的特性:
All threads are part of a desktop Except CSRSS-owned threads
but Microsoft owns that code, and it never calls NtUserGetThreadState or NtUserGetDCEx.

简单讲就是除了CSRSS的线程外都是桌面的一部分,CSRSS不会调用NtUserGetThreadState或者NtUserGetDCEx所以不会有问题
所以只要有线程在CSRSS里访问NtUserGetDCEx就挂了,第二个蓝屏估计是这个原因。

另外该文章的作者也提出了这种代码,我想效果应该差不多。
hCsrss = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwCsrssId);
CreateRemoteThread(hCsrss, NULL, 0, NtUserGetThreadState, 15, 0, NULL);

看来老外早就在做这方面的研究了啊
2009-1-15 09:03
0
雪    币: 8107
活跃值: (1955)
能力值: ( LV8,RANK:122 )
在线值:
发帖
回帖
粉丝
14
不错, 学习了
2009-1-15 17:54
0
雪    币: 239
活跃值: (12)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
15
虽然看不懂。。但是收藏了。。以后学习
谢谢楼主分享
2009-1-15 23:28
0
游客
登录 | 注册 方可回帖
返回
//