问题简述:
至少在XP SP2中,驱动程序DriverEntry例程和UnLoadedDrive例程中不能随意改动EBX的值,否则
会引起程序执行错误,甚至BSOD.
对于DriverEntry例程:
当DriverEntry例程执行完毕后,返回到系统IopLoadDriver例程中,若在DriverEntry例程中改变
了EBX的值,则会在以下去引起地址访问违例,从而发生BSOD;或没有发生BSOD,但几乎必定会引起程序执行
错误,如虽然提供了卸载例程的驱动,亦无法卸载.
805a3ec0 895da0 mov dword ptr [ebp-60h],ebx
805a3ec3 8b45a0 mov eax,dword ptr [ebp-60h]
805a3ec6 8d448738 lea eax,[edi+eax*4+38h]
kd> u
nt!IopLoadDriver+0x68c:
805a3eca 3918 cmp dword ptr [eax],ebx ;◆◆◆◆◆==BSOD===★★★★★★
805a3ecc 0f84e1430400 je nt!IopLoadDriver+0x690 (805e82b3)
详细流程:
重现在DriverEntry例程中随意改动EBX的值引起BSODD
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: D:\WINDDK\Symbols;d:\WINDOWS\Symbols
Executable search path is: E:\汇编编程\WIN32ASM\SOFT
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_qfe.070227-2300
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055b820
Debug session time: Thu Mar 6 19:33:10.109 2008 (GMT+8)
System Uptime: 0 days 0:03:25.828
Break instruction exception - code 80000003 (first chance)
... ...
kd> t
HellowDDK!DriverEntry+0xee:
faf6f3e7 68f2f6f6fa push offset HellowDDK!szMsgDispathM (faf6f6f2)
kd> u
HellowDDK!DriverEntry+0xee [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 157]:
faf6f3e7 68f2f6f6fa push offset HellowDDK!szMsgDispathM (faf6f6f2)
faf6f3ec e817010000 call HellowDDK!DbgPrint (faf6f508)
faf6f3f1 83c404 add esp,4
faf6f3f4 8b4508 mov eax,dword ptr [ebp+8]
faf6f3f7 c740388ef4f6fa mov dword ptr [eax+38h],offset HellowDDK!CalledIofCompleteRequest (faf6f48e)
faf6f3fe c7403a8ef4f6fa mov dword ptr [eax+3Ah],offset HellowDDK!CalledIofCompleteRequest (faf6f48e)
faf6f405 c74046a9f4f6fa mov dword ptr [eax+46h],offset HellowDDK!CalledDeviceControl (faf6f4a9)
faf6f40c c740342cf4f6fa mov dword ptr [eax+34h],offset HellowDDK!UnLoadedDrive (faf6f42c)
kd> u
HellowDDK!DriverEntry+0x11a [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 168]:
faf6f413 e8a9000000 call HellowDDK!DebugShowRegisterInformation (faf6f4c1)
faf6f418 6840f6f6fa push offset HellowDDK!szMsgRun (faf6f640)
faf6f41d e8e6000000 call HellowDDK!DbgPrint (faf6f508)
faf6f422 83c404 add esp,4
faf6f425 8b45fc mov eax,dword ptr [ebp-4]
faf6f428 c9 leave
faf6f429 c20800 ret 8
HellowDDK!UnLoadedDrive [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 177]:
faf6f42c 55 push ebp
kd> g faf6f429
Hellow Msg: The Driver is Dispathing Major Function !
Hellow Msg: The Code's Curent Address EIP = FAF6F413, More Information:
Hellow Msg: EAX = 811AE7E0 ECX = 80500073 EDX = 00000037 EBX = FAE3482B
Hellow Msg: ESP = F823BC60 EBP = F823BC7C ESI = E10A08CC EDI = 811AE7E0
Hellow Msg: The Driver is Runing !
HellowDDK!DriverEntry+0x130:
faf6f429 c20800 ret 8
kd> t
nt!IopLoadDriver+0x66c:
805a3ead 3bc3 cmp eax,ebx
kd> u
nt!IopLoadDriver+0x66c:
805a3ead 3bc3 cmp eax,ebx
805a3eaf 8b8d68ffffff mov ecx,dword ptr [ebp-98h]
805a3eb5 8945ac mov dword ptr [ebp-54h],eax
805a3eb8 8901 mov dword ptr [ecx],eax
805a3eba 0f8ce7430400 jl nt!IopLoadDriver+0x67b (805e82a7)
805a3ec0 895da0 mov dword ptr [ebp-60h],ebx
805a3ec3 8b45a0 mov eax,dword ptr [ebp-60h]
805a3ec6 8d448738 lea eax,[edi+eax*4+38h]
805a3eca 3918 cmp dword ptr [eax],ebx
805a3ecc 0f84e1430400 je nt!IopLoadDriver+0x690 (805e82b3)
kd> G
*** Fatal System Error: 0x0000007e
(0xC0000005,0x805A3ECA,0xF88CABC4,0xF88CA8C0)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
..................................................................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 805a3eca, f88cabc4, f88ca8c0}
Probably caused by : ntoskrnl.exe ( nt!IopLoadDriver+68c )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
804e4592 cc int 3
kd> !ANALYZE -V
Unknown option '-V'
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 805a3eca, f88cabc4, f88ca8c0}
Probably caused by : ntoskrnl.exe ( nt!IopLoadDriver+68c )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805a3eca, The address that the exception occurred at
Arg3: f88cabc4, Exception Record Address
Arg4: f88ca8c0, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
nt!IopLoadDriver+68c
805a3eca 3918 cmp dword ptr [eax],ebx
EXCEPTION_RECORD: f88cabc4 -- (.exr 0xfffffffff88cabc4)
ExceptionAddress: 805a3eca (nt!IopLoadDriver+0x0000068c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 6ca7bff4
Attempt to read from address 6ca7bff4
CONTEXT: f88ca8c0 -- (.cxr 0xfffffffff88ca8c0)
eax=6ca7bff4 ebx=fae3482b ecx=f88cad70 edx=00000024 esi=e15ea23c edi=811a9f10
eip=805a3eca esp=f88cac8c ebp=f88cad4c iopl=0 nv up ei pl nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010213
nt!IopLoadDriver+0x68c:
805a3eca 3918 cmp dword ptr [eax],ebx ds:0023:6ca7bff4=????????
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
READ_ADDRESS: 6ca7bff4
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from 805a4182 to 805a3eca
STACK_TEXT:
f88cad4c 805a4182 0000046c 00000001 00000000 nt!IopLoadDriver+0x68c
f88cad74 804e526b 0000046c 00000000 ffa9a640 nt!IopLoadUnloadDriver+0x45
f88cadac 8057dfce f88cecf4 00000000 00000000 nt!ExpWorkerThread+0x100
f88caddc 804f98fa 804e5196 80000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
nt!IopLoadDriver+68c
805a3eca 3918 cmp dword ptr [eax],ebx
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!IopLoadDriver+68c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e55172
STACK_COMMAND: .cxr 0xfffffffff88ca8c0 ; kb
FAILURE_BUCKET_ID: 0x7E_nt!IopLoadDriver+68c
BUCKET_ID: 0x7E_nt!IopLoadDriver+68c
Followup: MachineOwner
---------
kd> u
nt!IopLoadDriver+0x68c:
805a3eca 3918 cmp dword ptr [eax],ebx
805a3ecc 0f84e1430400 je nt!IopLoadDriver+0x690 (805e82b3)
对于UnloadDriver例程:
当不随意改EBX(这里是先保存在结束前将其恢复原值),程序正常执行
eax=00000000 ebx=00000000 ecx=80500073 edx=00000024 esi=f88e2b84 edi=f88e2b84
eip=faf1249c esp=fac9ed4c ebp=fac9ed58 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00200296
faf1249c c9 leave
kd> t
faf1249d c20400 ret 4
kd> t
nt!IopLoadUnloadDriver+0x19:
805e82fc 33ff xor edi,edi
当随意改EBX,程序提前返回,无法正常执行,引起BSOD
kd> g fae69496
Hellow Msg: The Code's Curent Address EIP = FAE6947E, More Information:
Hellow Msg: EAX = 00000000 ECX = 00000000 EDX = 80562ED8 EBX = FAE6982B
Hellow Msg: ESP = F8236D48 EBP = F8236D58 ESI = F89EEB84 EDI = F89EEB84
Hellow Msg: The Driver is Unload !
Hellow Msg: The Code's Curent Address EIP = FAE69491, More Information:
Hellow Msg: EAX = 00000000 ECX = 80500073 EDX = 00000024 EBX = FAE6982B
Hellow Msg: ESP = F8236D4C EBP = F8236D58 ESI = F89EEB84 EDI = F89EEB84
HellowDDK!UnLoadedDrive+0x6e:
fae69496 c9 leave
faf12497 c20400 ret 4 ;<---------次条指令被跳过(在堆栈平衡绝对正确的情况下)
kd> t
nt!IopLoadUnloadDriver+0x19:
805e82fc 33ff xor edi,edi
详细流程:
重现在UnLoadedDrive例程中随意改动EBX的值引起BSODD
kd> u
HellowDDK!UnLoadedDrive+0x42 [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 196]:
fae6946a 83c404 add esp,4
fae6946d 8b4508 mov eax,dword ptr [ebp+8]
fae69470 83780400 cmp dword ptr [eax+4],0
fae69474 7408 je HellowDDK!UnLoadedDrive+0x56 (fae6947e)
fae69476 ff7004 push dword ptr [eax+4]
fae69479 e884000000 call HellowDDK!IoDeleteDevice (fae69502)
fae6947e e84a000000 call HellowDDK!DebugShowRegisterInformation (fae694cd)
fae69483 686596e6fa push offset HellowDDK!szMsgUnload (fae69665)
kd> u
HellowDDK!UnLoadedDrive+0x60 [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 207]:
fae69488 e887000000 call HellowDDK!DbgPrint (fae69514)
fae6948d 83c404 add esp,4
fae69490 58 pop eax
fae69491 e837000000 call HellowDDK!DebugShowRegisterInformation (fae694cd)
fae69496 c9 leave
fae69497 c20400 ret 4
HellowDDK!CalledIofCompleteRequest [E:\汇编编程\WIN32ASM\SOFT\HellowDDK.asm @ 214]:
fae6949a 55 push ebp
fae6949b 8bec mov ebp,esp
kd> g fae69496
Hellow Msg: The Code's Curent Address EIP = FAE6947E, More Information:
Hellow Msg: EAX = 00000000 ECX = 00000000 EDX = 80562ED8 EBX = FAE6982B
Hellow Msg: ESP = F8236D48 EBP = F8236D58 ESI = F89EEB84 EDI = F89EEB84
Hellow Msg: The Driver is Unload !
Hellow Msg: The Code's Curent Address EIP = FAE69491, More Information:
Hellow Msg: EAX = 00000000 ECX = 80500073 EDX = 00000024 EBX = FAE6982B
Hellow Msg: ESP = F8236D4C EBP = F8236D58 ESI = F89EEB84 EDI = F89EEB84
HellowDDK!UnLoadedDrive+0x6e:
fae69496 c9 leave
faf12497 c20400 ret 4
kd> t
nt!IopLoadUnloadDriver+0x19:
805e82fc 33ff xor edi,edi
kd> g
*** Fatal System Error: 0x000000e1
(0x805A4141,0x00000002,0xF8A0EB84,0xF8A0EB84)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
..........................................................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck E1, {805a4141, 2, f8a0eb84, f8a0eb84}
Probably caused by : ntoskrnl.exe ( nt!IopLoadUnloadDriver+0 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
804e4592 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
WORKER_THREAD_RETURNED_AT_BAD_IRQL (e1)
Arguments:
Arg1: 805a4141, address of worker routine (do ln on this to find guilty driver)
Arg2: 00000002, IRQL returned at (should have been 0, but isn't).
Arg3: f8a0eb84, workitem parameter
Arg4: f8a0eb84, workitem address
Debugging Details:
------------------
FAULTING_IP:
nt!IopLoadUnloadDriver+0
805a4141 8bff mov edi,edi
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xE1
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 8053366f to 804e4592
STACK_TEXT:
f8256918 8053366f 00000003 f8256c74 00000000 nt!RtlpBreakWithStatusInstruction
f8256964 80534146 00000003 f8a0eb84 805628dc nt!KiBugCheckDebugBreak+0x19
f8256d44 80534736 000000e1 805a4141 00000002 nt!KeBugCheck2+0x574
f8256d64 80528cb0 000000e1 805a4141 00000002 nt!KeBugCheckEx+0x1b
f8256dac 8057dfce f8a0eb84 00000000 00000000 nt!ExpWorkerThread+0x1e6
f8256ddc 804f98fa 804e5196 80000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!IopLoadUnloadDriver+0
805a4141 8bff mov edi,edi
SYMBOL_NAME: nt!IopLoadUnloadDriver+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e55172
FAILURE_BUCKET_ID: 0xE1_nt!IopLoadUnloadDriver+0
BUCKET_ID: 0xE1_nt!IopLoadUnloadDriver+0
Followup: MachineOwner
---------
解决方案:
鉴于以上原因,我们在驱动程序DriverEntry例程和UnLoadedDrive例程中不要随意改动EBX的
值, 即使必须要改变EBX的值,也应该先将其原值储存后再随意处理EBX,并且一定要在执行完毕前恢复
其值.
另外,对于其他主功能分发例程没有进行测试,通过查看一些逆过的驱动,也发现程序中使用EBX
的情况很少见,有的完全没有使用EBX,故而估计对于EBX寄存器的修改还得遵循以上处理方法(具体情况
还需自己亲自测试). 如果了解这个问题,就能减少些驱动时出现一些莫名其妙的错误.
- 标 题:对编写驱动时需谨慎使用EBX的分析
- 作 者:HSQ
- 时 间:2008-03-07 12:26
- 链 接:http://bbs.pediy.com/showthread.php?t=60784