WinDbg for Kernel Debugging (1)

Transcript: WinDbg for Kernel Debugging (1)

1st System Kernel Conference
www.syskon.co.kr
Kernel Driver Debugging with WinDbg
1. WinDbg Overview
KOREA SYSTEM PROGRAMMER
1st System Kernel Conference
2003.11.8
김성현 (Kim Seong-hyeon)
Contents
Lecture objectives
WinDbg overview
WinDbg vs SoftICE
WinDbg screen layout
Call Stack
WinDbg Commands
WinDbg Commands Examples
Lecture objectives
No Power Debugging
Easy Debugging!
Promote the active use of dump files
Fast analysis and accurate identification of the root cause when a blue screen occurs
WinDbg overview
WinDbg download URL
http://www.microsoft.com/whdc/ddk/debugging/installx86.msp
Continuously updated
User-mode and kernel-mode debugging
CDB (Microsoft Console Debugger)
KD (Microsoft Kernel Debugger: I386KD, IA64KD)
Live debugging
Applications: local and network debugging
Kernel and drivers: serial debugging
Dump debugging
Crash dump analysis
Provides a range of commands that make analysis easy
WinDbg vs SoftICE
Advantages / disadvantages

                        WinDbg                          SoftICE
Price                   $0                              $???
Dump analysis           O                               X (DriverWorkbench?)
App debugging           O                               O
MS debug symbol support O                               X (Symbol Retriever, SoftICE 2.7)
Windows 9x support      X                               O
Standalone debugging    X (app debugging is possible)   O
Execution speed         Slow (app debugging is fast)    Fast
WinDbg screen layout
WinDbg File Menu
Open Executable – the debugger launches the application and debugs it
Attach to a Process – debug a process that is already running (e.g. a service)
Open Crash Dump – debug a dump file (user dumps and kernel dumps both work)
Connect to Remote Session – remote debugging over tcp, serial, 1394, npipe, etc.
Kernel Debug – kernel debugging of a system connected by serial cable (1394 also possible)
Symbol File Path …
Source File Path …
Image File Path …
WinDbg View Menu
Command
Watch
Locals
Registers
Memory
Call Stack
Disassembly
Scratch Pad
Processes and Threads
WinDbg Debug Menu
Go – F5
Break – Ctrl + Break
Step Into – F11 or F8
Step Over – F10
Step Out – Shift + F11
Call Stack
WinDbg Call Stack window
Args – function arguments
Func info – additional function information
Source – source file and line number
Addrs – return address (RetAddr)
Headings – ChildEBP RetAddr Args to Child
Frame Nums – number each line
Arg types – function argument types
Call Stack
Call stack analysis
The basic information for locating the point of failure
Determine the order in which functions were called
Determine which arguments were passed to the functions
Automatic BackTrace – performed by the debugger itself
Manual BackTrace – when the debugger cannot do it, the call order of the functions has to be reconstructed by hand
Call Stack
Calling conventions

Convention   Argument push order                  Stack cleanup   Notes
_cdecl       last argument first                  caller          C, C++
_stdcall     last argument first                  callee          Kernel, VB
_fastcall    ECX, EDX, then last argument first   callee          Delphi
this         ECX (this), then last argument first caller          C++
naked        last argument first                  caller

int _cdecl CFunc(int a, int b);
calling function            called function
push b                      _CFunc PROC NEAR      ; a at [ebp+8], b at [ebp+c]
push a                        .
call _CFunc                   RET
add esp,8                   _CFunc ENDP
Call Stack
Calling conventions (cont.)

int _stdcall StdFunc(int a, int b);
calling function            called function
push b                      _StdFunc@8 PROC NEAR   ; a at [ebp+8], b at [ebp+c]
push a                        .
call _StdFunc@8               RET 8                ; callee pops both arguments
                              .
                            _StdFunc@8 ENDP

int _fastcall FastFunc(int a, int b);
calling function            called function
mov edx, b                  @FastFunc@8 PROC NEAR  ; a in ecx, b in edx
mov ecx, a                    .
call @FastFunc@8              RET                  ; no stack arguments to pop
                              .
                            @FastFunc@8 ENDP
Call Stack
Call stack layout

calling function            called function
push b                      _StdFunc@8 PROC NEAR
push a                        push ebp
call _StdFunc@8               mov ebp, esp
.                             sub esp, 8
.                             mov eax, [ebp+8]
                              mov [ebp-4], eax
                              .
                              RET 8
                            _StdFunc@8 ENDP

Stack after "sub esp, 8" (lower addresses at the top):
  …
  var 2   [ebp-8]    <- esp
  var 1   [ebp-4]
  ebp     [ebp]      saved ebp of the calling function
  ret     [ebp+4]    return address pushed by call
  a       [ebp+8]
  b       [ebp+c]
  …
Call Stack
01 f2569cf0 805522ba 00caadfc c0110080 00caad9c nt!IoCreateFile+0x36
The three Args to Child values are the first three parameters of this frame's function, in declaration order: FileHandle, DesiredAccess, ObjectAttributes.
NTKERNELAPI NTSTATUS IoCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG Disposition,
    IN ULONG CreateOptions,
    … );
Call Stack
nt!NtCreateFile
805522ac ff7510          push dword ptr [ebp+0x10]
805522af ff750c          push dword ptr [ebp+0xc]
805522b2 ff7508          push dword ptr [ebp+0x8]
805522b5 e8c0ebffff      call nt!IoCreateFile (80550e7a)
805522ba 5d              pop ebp
(01 f2569cf0 805522ba 00caadfc c0110080 00caad9c nt!IoCreateFile)
Stack
f2569cf0 : f2569d30 805522ba 00caadfc c0110080
f2569d00 : 00caad9c 00caadd4 00000000 00000000
At ChildEBP f2569cf0 the dump holds, in order, the saved EBP of the caller (f2569d30), the return address into NtCreateFile (805522ba) and the three arguments that kb prints as Args to Child; this is the manual backtrace done by hand.
nt!IoCreateFile:
80550e7a 55              push ebp
80550e7b 8bec            mov ebp,esp
80550e7d 6a00            push 0x0
80550e7f 6a00            push 0x0
80550e81 ff753c          push dword ptr [ebp+0x3c]
80550e84 ff7538          push dword ptr [ebp+0x38]
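As an added example (not from the slides), the manual backtrace of the calling-convention and stack-layout slides carried out in Python: it walks the saved-EBP chain in a raw dd dump and rebuilds the kb columns. The first two dump lines and the addresses are the slide's; the frame at f2569d30 is constructed here, and the function start addresses in the symbol table are computed from the slide's k output (e.g. nt!NtCreateFile+0x2e == 805522ba).

```python
# Added example, not from the slides: manual x86 EBP-chain backtrace that
# rebuilds the "kb" columns (ChildEBP, RetAddr, Args to Child, symbol) from
# a raw "dd" stack dump of the kind shown on the slide.
DD_DUMP = """
f2569cf0 : f2569d30 805522ba 00caadfc c0110080
f2569d00 : 00caad9c 00caadd4 00000000 00000000
f2569d30 : 00000000 8052a421 00caadfc c0110080
"""  # third line is constructed: a saved EBP of 0 ends the chain

# Function start addresses derived from the slides' "symbol+offset" lines.
SYMBOLS = {
    0x80550e7a: "nt!IoCreateFile",
    0x8055228c: "nt!NtCreateFile",     # 805522ba - 0x2e
    0x8052a35d: "nt!KiSystemService",  # 8052a421 - 0xc4
}

def parse_dd(text):
    """Turn 'addr : d0 d1 d2 d3' lines into an {address: dword} map."""
    mem = {}
    for line in text.strip().splitlines():
        addr, _, rest = line.partition(":")
        base = int(addr.strip(), 16)
        for i, word in enumerate(rest.split()):
            mem[base + 4 * i] = int(word, 16)
    return mem

def nearest_symbol(addr):
    """Like 'ln': the closest known function start at or below addr."""
    starts = [s for s in SYMBOLS if s <= addr]
    if not starts:
        return "%08x" % addr
    start = max(starts)
    off = addr - start
    return SYMBOLS[start] + ("+0x%x" % off if off else "")

def walk_frames(mem, ebp):
    """Follow saved-EBP links: [ebp]=caller EBP, [ebp+4]=RetAddr, [ebp+8..]=args."""
    frames = []
    while ebp and ebp in mem:
        saved_ebp, ret = mem[ebp], mem.get(ebp + 4, 0)
        args = tuple(mem.get(ebp + 8 + 4 * i, 0) for i in range(3))
        frames.append((ebp, ret, args))
        # Caller frames must sit at higher addresses; anything else means a
        # corrupted chain or a frameless function, so stop and continue by hand.
        if saved_ebp <= ebp:
            break
        ebp = saved_ebp
    return frames

def format_kb(frames, eip):
    """Render frames like 'kb': frame 0 is labelled by EIP, every later frame
    by the address the previous frame returns to (its RetAddr)."""
    lines, sym_addr = [], eip
    for ebp, ret, args in frames:
        lines.append("%08x %08x %08x %08x %08x %s"
                     % (ebp, ret, *args, nearest_symbol(sym_addr)))
        sym_addr = ret
    return lines
```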
WinDbg Commands
Command Prompt
Uniprocessor - kd>
Multiprocessor - 0: kd>
Commands distinguished by mode
user-mode debugging only
kernel-mode debugging only
Commands distinguished by target
live debugging only
dump debugging only
Commands distinguished by platform
x86, IA-64, AMD64
WinDbg Commands
The Environment section of the command help
Modes: User mode, kernel mode
Targets: Live debugging only
Platforms: User mode: all; Kernel mode: x86 only
Command types
Regular commands (ordinary debugger commands)
Meta-commands (commands starting with . )
Extension commands (commands starting with ! )
WinDbg Commands
Regular commands
A(Assemble), U(Unassemble)
BL(Breakpoint List) , BC(Breakpoint Clear)
BD(Breakpoint Disable), BE(Breakpoint Enable)
BA(Break on Access)
BP, BU(Set Breakpoint)
D, DA, DB, DW, DD(Display Memory)
Dds(Display Words and Symbols)
DL(Display Linked List) LIST_ENTRY or SINGLE_LIST_…
DS, Ds(Display String)
DT(Display Type)
DV(Display Local Variable)
K, KB, KD, KP, KV (Display Stack Backtrace)
WinDbg Commands
Regular commands (cont.)
E, EA, EB, Ed, EW, EU(Enter Values)
S(Search Memory)
R(Register)
LD(Load Symbol)
LM(List Loaded Symbols)
LN(List Nearest Symbols)
G(Go), P(Step), PC(Step to Next Call)
T(Trace), TB(Trace to Next Branch), TC(Trace to Next Call)
WT(Trace and Watch Data)
X(Examine Symbols)
WinDbg Commands
BA (Break on Access)
Sets a data breakpoint, which will be triggered when the specified memory is accessed.
Kernel-Mode Syntax
ba[ID] Access Size [/p EProcess | /t EThread] [Address [Passes]] ["CommandString"]
Access - The type of access which will satisfy the breakpoint:
e (execute), r (read/write), w (write), i (i/o) (Windows XP and Windows .NET Server only, kernel-mode only, x86 only: breaks into the debugger when the I/O port at the specified Address is accessed)
Size - 1, 2, 4
Passes – The number of times the breakpoint is to be passed.
Environment
Modes: User mode, kernel mode
Targets: Live debugging only
Platform: all
WinDbg Commands Example
kd> u IoCreateFile
nt!IoCreateFile:
80550e7a 55              push ebp
80550e7b 8bec            mov ebp,esp
80550e7d 6a00            push 0x0
80550e7f 6a00            push 0x0
80550e81 ff753c          push dword ptr [ebp+0x3c]
80550e84 ff7538          push dword ptr [ebp+0x38]
kd> bp IoCreateFile
kd> bl
 0 e 80550e7a     0001 (0001) nt!IoCreateFile
kd> g
Breakpoint 0 hit
nt!IoCreateFile:
80550e7a 55              push ebp
kd> k
ChildEBP RetAddr
f28b1cf0 805522ba nt!IoCreateFile
f28b1d30 8052a421 nt!NtCreateFile+0x2e
f28b1d30 7ffe0304 nt!KiSystemService+0xc4
00bdf0d4 77f5b524 SharedUserData!SystemCallStub+0x4
WinDbg Commands Example
kd> kb
ChildEBP RetAddr  Args to Child
f28b1cf0 805522ba 00bdf178 c0100080 00bdf118 nt!IoCreateFile
f28b1d30 8052a421 00bdf178 c0100080 00bdf118 nt!NtCreateFile+0x2e
f28b1d30 7ffe0304 00bdf178 c0100080 00bdf118 nt!KiSystemService+0xc4
00bdf0d4 77f5b524 77e37b72 00bdf178 c0100080 SharedUserData!SystemCallStub+0x4
kd> dt _OBJECT_ATTRIBUTES 00bdf118
   +0x000 Length           : 0x18
   +0x004 RootDirectory    : (null)
   +0x008 ObjectName       : 0x00bdf158 "\??\PIPE\lsarpc"
   +0x00c Attributes       : 0x40
   +0x010 SecurityDescriptor : (null)
   +0x014 SecurityQualityOfService : 0x00bdf13c
kd> bd 0
kd> bl
 0 d 80550e7a     0001 (0001) nt!IoCreateFile
00bdf178 is the FileHandle argument (OUT PHANDLE); a 4-byte write breakpoint on it stops the target at the point where the kernel stores the new handle.
kd> ba w4 00bdf178
kd> bl
 0 d 80550e7a     0001 (0001) nt!IoCreateFile
 1 e 00bdf178 w 4 0001 (0001)
WinDbg Commands Example
kd> g
Breakpoint 1 hit
nt!IopCreateFile+18f:
805504bd 8b4514          mov eax,[ebp+0x14]
kd> k
ChildEBP RetAddr
f28b1ca8 80550eb0 nt!IopCreateFile+0x18f
f28b1cf0 805522ba nt!IoCreateFile+0x36
f28b1d30 8052a421 nt!NtCreateFile+0x2e
kd> dd 00bdf178 L4
00bdf178  00000000 c0000000 00000003 00000000
kd> g
Breakpoint 1 hit
nt!IopCreateFile+442:
80550770 8b4b0c          mov ecx,[ebx+0xc]
kd> k
f28b1ca8 80550eb0 nt!IopCreateFile+0x442
f28b1cf0 805522ba nt!IoCreateFile+0x36
f28b1d30 8052a421 nt!NtCreateFile+0x2e
kd> dd 00bdf178 L4
00bdf178  00000184 c0000000 00000003 00000000
kd> bc 1
kd> bc *
kd> g
WinDbg Commands
Meta-commands
.bugcheck (Display Bug Check Data)
.cls (Clear Screen)
.ofilter (Filter Target Output)
.enable_unicode (Enable Unicode Display)
.crash (Force System Crash)
.dump (Create Dump File)
.reboot (Reboot Target Computer)
.cxr (Display Context Record)
.exr (Display Exception Record)
.ecxr (Display Exception Context Record)
.trap (Display Trap Frame)
WinDbg Commands
Meta-commands cont.
.exepath (Set Executable Path)
.srcpath (Set Source Path)
.sympath (Set Symbol Path)
.symfix (Set Symbol Store Path)
.reload (Reload Module)
.context (Set User-Mode Address Context)
.process (Set Process Context)
.thread (Set Register Context)
.tss (Display Task State Segment)
.load (Load Extension DLL)
.unload (Unload Extension DLL)
WinDbg Commands
Debugger Extension DLLs
Default Extensions - Kdextx86.dll, kdex2x86.dll, kdexts.dll
NDIS Extensions – ndiskd.dll
Graphics Driver Extensions – gdikdx.dll
Custom Extension DLL - you can write your own
Debugger extension commands
!analyze - displays information about the current bug check
!cpuid - displays information about the processors on the system
!error - decodes and displays information about an error value
!gle - displays the last error value for the current thread
!obja - displays the attributes of an object in the object manager
!peb - displays a formatted view of the information in the process
environment block (PEB)
!teb - displays a formatted view of the information in the thread
environment block (TEB)
!token - displays a formatted view of a security token object
WinDbg Commands
Kernel-Mode Extension Commands
!process - displays information about the specified process or all
!stacks - displays information about the current kernel stacks
!thread - displays summary information about a thread
!zombies - displays all dead ("zombie") processes or threads
!drivers - displays a list of all drivers loaded
!devnode - displays information about a node in the device tree
!devobj - displays detailed information about a DEVICE_OBJECT
!devstack - displays a formatted view of the device stack
!drvobj - displays detailed information about a DRIVER_OBJECT
!object - displays information about a system object
!irp - displays information about an I/O request packet (IRP)
!irpfind - displays information about all I/O request packets (IRP)
!apc - displays the contents of one or more asynchronous
procedure calls (APCs)
WinDbg Commands
Kernel-Mode Extension Commands cont.
!exqueue - displays information about a specific pool allocation
!pool - displays information about a specific pool allocation
!poolfind - finds all instances of a specific pool tag
!poolused - memory use summaries
!poolval - analyzes the headers for a pool page
!pcr - displays the current status of the Processor Control Region
!prcb - displays the processor control block (PRCB).
!srb - displays information about a SCSI Request Block (SRB)
!vpb - displays a volume parameter block (VPB)
!deadlock - displays information about deadlocks
!locks - displays information about kernel ERESOURCE locks
!verifier - displays the status of Driver Verifier and its actions
Extension Commands Example
kd> bp IofCallDriver
kd> bl
 0 e 804e8188     0001 (0001) nt!IofCallDriver

#define IoCallDriver(a,b) IofCallDriver(a,b)
NTKERNELAPI NTSTATUS FASTCALL
IofCallDriver(
    IN PDEVICE_OBJECT DeviceObject,
    IN OUT PIRP Irp );

kd> g
Breakpoint 0 hit
nt!IofCallDriver:
804e8188 ff2580875380     jmp dword ptr [nt!pIofCallDriver (80538780)]
kd> kb
ChildEBP RetAddr  Args to Child
f2575c44 8055887c 810d9c90 0012f99c 816bc008 nt!IofCallDriver
f2575c58 805595a7 815d2ec8 816bc008 810d9c90 nt!IopSynchronousServiceTail+0x5e
f2575d00 80552468 0000074c 00000750 00000000 nt!IopXxxControlFile+0x5a5
f2575d34 8052a421 0000074c 00000750 00000000 nt!NtDeviceIoControlFile+0x28
f2575d34 7ffe0304 0000074c 00000750 00000000 nt!KiSystemService+0xc4
IofCallDriver is FASTCALL, so DeviceObject arrives in ECX and Irp in EDX; the Args to Child column shows whatever happens to be on the stack, not the real arguments, which is why the objects are examined through the registers.
kd> !object ecx
Object: 815d2ec8  Type: (81795ad0) Device
    ObjectHeader: 815d2eb0
    HandleCount: 0  PointerCount: 3
    Directory Object: e1006588  Name: Afd
Extension Commands Example
kd> !devobj ecx
Device object (815d2ec8) is for:
 Afd \Driver\AFD DriverObject 815fa040
Current Irp 00000000 RefCount 61 Type 00000011 Flags 00000050
Dacl e1299a5c DevExt 00000000 DevObjExt 815d2f80
ExtensionFlags (0000000000)
Device queue is not busy.
kd> dt DEVICE_OBJECT 815d2ec8
   +0x000 Type             : 3
   +0x002 Size             : 0xb8
   +0x004 ReferenceCount   : 61
   +0x008 DriverObject     : 0x815fa040
   +0x00c NextDevice       : (null)
   +0x010 AttachedDevice   : (null)
   +0x014 CurrentIrp       : (null)
   +0x018 Timer            : (null)
   +0x01c Flags            : 0x50
   +0x020 Characteristics  : 0
   +0x024 Vpb              : (null)
   +0x028 DeviceExtension  : (null)
   +0x02c DeviceType       : 0x11
   +0x030 StackSize        : 4 ''
   +0x034 Queue            : __unnamed
   +0x05c AlignmentRequirement : 0
   +0x060 DeviceQueue      : _KDEVICE_QUEUE
   +0x074 Dpc              : _KDPC
   +0x094 ActiveThreadCount : 0
   +0x098 SecurityDescriptor : 0xe1299a48
   +0x09c DeviceLock       : _KEVENT
   +0x0ac SectorSize       : 0
   +0x0ae Spare1           : 0
   +0x0b0 DeviceObjectExtension : 0x815d2f80
   +0x0b4 Reserved         : (null)
Extension Commands Example
kd> !devstack ecx
  !DevObj   !DrvObj            !DevExt   ObjectName
> 815d2ec8  \Driver\AFD        00000000  Afd
kd> !drvobj 815fa040
Driver object (815fa040) is for:
 \Driver\AFD
Driver Extension List: (id , addr)
Device Object list:
815d2ec8
kd> dt DRIVER_OBJECT 815fa040
   +0x000 Type             : 4
   +0x002 Size             : 168
   +0x004 DeviceObject     : 0x815d2ec8
   +0x008 Flags            : 0x12
   +0x00c DriverStart      : 0xf2aea000
   +0x010 DriverSize       : 0x1fe80
   +0x014 DriverSection    : 0x816b2688
   +0x018 DriverExtension  : 0x815fa0e8
   +0x01c DriverName       : _UNICODE_STRING "\Driver\AFD"
   +0x024 HardwareDatabase : 0x806488b4 "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
   +0x028 FastIoDispatch   : 0xf2aec228
   +0x02c DriverInit       : 0xf2b06952   afd!DriverEntry+0
   +0x030 DriverStartIo    : (null)
   +0x034 DriverUnload     : 0xf2af0ab7   afd!AfdUnload+0
   +0x038 MajorFunction    : [28] 0xf2af4e88   afd!AfdDispatch+0
Extension Commands Example
kd> !irp edx 2
Irp is active with 4 stacks 5 is current (= 0x816bc108)
 No Mdl System buffer = 8167cb18 Thread 812eeba8:  Irp is completed.
Flags = 00000070
ThreadListEntry.Flink = 812eedb8
ThreadListEntry.Blink = 812eedb8
IoStatus.Status = 00000000
IoStatus.Information = 00000000
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0012f958
UserEvent = 810d9c48
…
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
 [  e, 0]   0  0 00000000 810d9c90 00000000-00000000
            Args: 0000001c 0000001c 00012024 00000000
Extension Commands Example
kd> !pool edx
Pool page 816bc008 region is Nonpaged pool
*816bc000 size:  198 previous size:    0  (Allocated) *Irp
    Pooltag Irp : Io, IRP packets
 816bc198 size:   10 previous size:  198  (Free)       ....
 816bc1a8 size:  118 previous size:   10  (Allocated)  Ntfi
 816bc2c0 size:  118 previous size:  118  (Allocated)  Ntfi
 …
 816bc838 size:  118 previous size:  118  (Allocated)  Ntfi
 816bc950 size:    8 previous size:  118  (Free)       Ntfi
 816bc958 size:   20 previous size:    8  (Allocated)  ReTa
 816bc978 size:   28 previous size:   20  (Allocated)  FSfm
 816bc9a0 size:   20 previous size:   28  (Free)       CcSc
 816bc9c0 size:  118 previous size:   20  (Allocated)  Ntfi
 816bcad8 size:  118 previous size:  118  (Allocated)  Ntfi
 816bcbf0 size:   a8 previous size:  118  (Allocated)  File (Protected)
kd> db 816bc000
816bc000  00 00 33 0a 49 72 70 20-06 00 90 01 00 00 00 00  ..3.Irp ........
816bc010  70 00 00 00 18 cb 67 81-b8 ed 2e 81 b8 ed 2e 81  p.....g.........
816bc020  00 00 00 00 00 00 00 00-01 00 04 05 00 00 00 0c  ................
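As an added example (not from the slides), the first db line above decoded by hand into the fields that the !pool listing reports. It assumes the 8-byte x86 _POOL_HEADER layout of the XP/2003 era (PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7 bits, then a 4-byte PoolTag whose top bit marks a protected allocation, sizes in 8-byte units); the Irp header bytes are the slide's, the free block and the protected File header are constructed to match the slide's other lines.

```python
# Added example, not from the slides: decode the x86 _POOL_HEADER in front of
# each pool block and reproduce the "!pool" line for it. Layout assumed:
# PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7, then PoolTag (4 bytes).
import struct

POOL_GRANULARITY = 8  # BlockSize and PreviousSize are counted in 8-byte units

# First "db" line of the slide, as a constructed byte string.
IRP_HDR = bytes.fromhex("0000330a49727020" "0600900100000000")
# Constructed: the free 0x10-byte block that follows it (tag bytes are NULs).
FREE_HDR = bytes.fromhex("3300020000000000")
# Constructed: the slide's last line, "File" tag with the protected bit set.
PROTECTED_FILE_HDR = bytes.fromhex("2300150a46696ce5")

def decode_pool_header(raw, block_addr):
    """Return the fields !pool prints for the header at raw[:8]."""
    if len(raw) < 8:
        raise ValueError("need at least 8 header bytes")
    ulong1, tag = struct.unpack("<II", raw[:8])   # little-endian, as on x86
    prev_size = ulong1 & 0x1ff
    pool_index = (ulong1 >> 9) & 0x7f
    block_size = (ulong1 >> 16) & 0x1ff
    pool_type = (ulong1 >> 25) & 0x7f
    tag_bytes = (tag & 0x7fffffff).to_bytes(4, "little")
    tag_text = "".join(chr(b) if 32 <= b < 127 else "." for b in tag_bytes)
    return {
        "address": block_addr,
        "size": block_size * POOL_GRANULARITY,
        "previous_size": prev_size * POOL_GRANULARITY,
        "pool_index": pool_index,
        "pool_type": pool_type,
        "allocated": pool_type != 0,            # free blocks carry PoolType 0
        "tag": tag_text,
        "protected": bool(tag & 0x80000000),
        "next": block_addr + block_size * POOL_GRANULARITY,
    }

def format_pool_line(h):
    """Render one header the way the !pool listing on the slide does."""
    state = "Allocated" if h["allocated"] else "Free"
    prot = " (Protected)" if h["protected"] else ""
    return "%08x size: %4x previous size: %4x  (%s) %s%s" % (
        h["address"], h["size"], h["previous_size"], state, h["tag"], prot)

def chain_consistent(prev_hdr, hdr):
    """!poolval-style sanity check: a header's PreviousSize must equal the
    size of the block in front of it, and the two blocks must be adjacent."""
    return (hdr["previous_size"] == prev_hdr["size"]
            and hdr["address"] == prev_hdr["next"])
```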
Q&A