1. Dump analysis carried out with the !analyze -v command.
6: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000044, Attempt to free a non-allocated nonpaged pool address
Arg2: 00000000, Starting address
Arg3: 80000000, (reserved)
Arg4: 00000000, 0
Debugging Details:
------------------
*** ERROR: Module load completed but symbols could not be loaded for IsDrv122.sys
Page 10b241 not present in the dump file. Type ".hh dbgerr004" for details : This shows which module is at fault.
BUGCHECK_STR: 0xc2_44
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8085c453 to 80827c83
STACK_TEXT: The stack state is shown from here down.
bafd78ec 8085c453 000000c2 00000044 00000000 nt!KeBugCheckEx+0x1b
bafd7918 80892541 00000000 04000000 00000000 nt!MmGetSizeOfBigPoolAllocation+0x203
bafd7970 80892b6f 20474942 00000000 bafd7a34 nt!ExFreePoolWithTag+0x1fd
bafd7980 910996f2 00000000 bafd7c48 e577374a nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong. : This is the stack for the error above.
bafd7a34 91085d8b 8b10af38 e577374a 00000000 IsDrv122+0x156f2
bafd7c88 808f6e8d 8b10af38 8bfc6000 00000000 IsDrv122+0x1d8b
bafd7d58 808f6fa3 80002ec4 00000001 00000000 nt!IopLoadDriver+0x689
bafd7d80 80880475 80002ec4 00000000 8f325b40 nt!IopLoadUnloadDriver+0x45
bafd7dac 80949c5a 909bfcf4 00000000 00000000 nt!ExpWorkerThread+0xeb
bafd7ddc 8088e0c2 8088038a 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb It is telling us to enter this kb command in the command window.
FOLLOWUP_IP:
IsDrv122+156f2
910996f2 8b74240c mov esi,dword ptr [esp+0Ch]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: IsDrv122+156f2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: IsDrv122
IMAGE_NAME: IsDrv122.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 46919405
FAILURE_BUCKET_ID: 0xc2_44_IsDrv122+156f2
BUCKET_ID: 0xc2_44_IsDrv122+156f2
Followup: MachineOwner
---------
6: kd> kb The kb command has been entered here, but there is little difference from the output above.
ChildEBP RetAddr Args to Child
bafd78ec 8085c453 000000c2 00000044 00000000 nt!KeBugCheckEx+0x1b
bafd7918 80892541 00000000 04000000 00000000 nt!MmGetSizeOfBigPoolAllocation+0x203
bafd7970 80892b6f 20474942 00000000 bafd7a34 nt!ExFreePoolWithTag+0x1fd
bafd7980 910996f2 00000000 bafd7c48 e577374a nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
bafd7a34 91085d8b 8b10af38 e577374a 00000000 IsDrv122+0x156f2
bafd7c88 808f6e8d 8b10af38 8bfc6000 00000000 IsDrv122+0x1d8b
bafd7d58 808f6fa3 80002ec4 00000001 00000000 nt!IopLoadDriver+0x689
bafd7d80 80880475 80002ec4 00000000 8f325b40 nt!IopLoadUnloadDriver+0x45
bafd7dac 80949c5a 909bfcf4 00000000 00000000 nt!ExpWorkerThread+0xeb
bafd7ddc 8088e0c2 8088038a 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
6: kd> kn Let's go to the stack frame that has the problem.
# ChildEBP RetAddr
00 bafd78ec 8085c453 nt!KeBugCheckEx+0x1b
01 bafd7918 80892541 nt!MmGetSizeOfBigPoolAllocation+0x203
02 bafd7970 80892b6f nt!ExFreePoolWithTag+0x1fd
03 bafd7980 910996f2 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
04 bafd7a34 91085d8b IsDrv122+0x156f2
05 bafd7c88 808f6e8d IsDrv122+0x1d8b
06 bafd7d58 808f6fa3 nt!IopLoadDriver+0x689
07 bafd7d80 80880475 nt!IopLoadUnloadDriver+0x45
08 bafd7dac 80949c5a nt!ExpWorkerThread+0xeb
09 bafd7ddc 8088e0c2 nt!PspSystemThreadStartup+0x2e
0a 00000000 00000000 nt!KiThreadStartup+0x16
6: kd> lmvm IsDrv122 Through the various options you can check where the module is located and so on.
start end module name
91084000 910b7b80 IsDrv122 (no symbols)
Loaded symbol image file: IsDrv122.sys
Image path: \SystemRoot\System32\Drivers\IsDrv122.sys
Image name: IsDrv122.sys
Timestamp: Mon Jul 09 10:48:53 2007 (46919405)
CheckSum: 00038DF2
ImageSize: 00033B80
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
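The kn walk and the lmvm range together are what pin the crash on IsDrv122.sys: the first frame that is not in nt is frame 04, the return address of frame 03 (910996f2) lies inside the module range 91084000-910b7b80, and 910996f2 minus 91084000 is 156f2, the same IsDrv122+0x156f2 that !analyze put in FAILURE_BUCKET_ID. Note also that Arg2 (the pool address being freed) is 00000000 and that the first argument shown for nt!ExFreePool in the kb output is 00000000, so the driver handed a null pointer to ExFreePool. The script below is an added example, not code from the original post; it re-parses the bugcheck header, the kn stack and the lmvm line copied from the page and reproduces that triage automatically.

```python
"""Triage a BAD_POOL_CALLER stack from WinDbg `kn` and `lmvm` output.

Added example, not part of the original post. It automates the manual steps:
read the bugcheck arguments, walk the `kn` frames to the first one outside the
kernel image (`nt`), and confirm that the return address of the frame above it
falls inside the module range printed by `lmvm`, which gives the same
module+offset that !analyze reported as FAILURE_BUCKET_ID.
"""
import re

# Copied from the page: bugcheck arguments, part of the `kn` stack, lmvm range.
BUGCHECK_TEXT = """\
BAD_POOL_CALLER (c2)
Arg1: 00000044, Attempt to free a non-allocated nonpaged pool address
Arg2: 00000000, Starting address
Arg3: 80000000, (reserved)
Arg4: 00000000, 0
"""

KN_TEXT = """\
 # ChildEBP RetAddr
00 bafd78ec 8085c453 nt!KeBugCheckEx+0x1b
01 bafd7918 80892541 nt!MmGetSizeOfBigPoolAllocation+0x203
02 bafd7970 80892b6f nt!ExFreePoolWithTag+0x1fd
03 bafd7980 910996f2 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
04 bafd7a34 91085d8b IsDrv122+0x156f2
05 bafd7c88 808f6e8d IsDrv122+0x1d8b
06 bafd7d58 808f6fa3 nt!IopLoadDriver+0x689
"""

LMVM_TEXT = """\
start end module name
91084000 910b7b80 IsDrv122 (no symbols)
"""

FRAME_RE = re.compile(r"^([0-9a-f]{2}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)$", re.M)
MODULE_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)", re.M)


def parse_bugcheck(text):
    """Return (code, [arg1, arg2, arg3, arg4]) from the !analyze header."""
    code = int(re.search(r"\(([0-9a-f]+)\)", text).group(1), 16)
    args = [int(v, 16) for v in re.findall(r"^Arg\d: ([0-9a-f]{8}),", text, re.M)]
    return code, args


def parse_frames(text):
    """Return [(index, child_ebp, ret_addr, symbol)] for each kn frame line."""
    return [(int(i, 16), int(ebp, 16), int(ret, 16), sym)
            for i, ebp, ret, sym in FRAME_RE.findall(text)]


def parse_modules(text):
    """Return {name: (start, end)} from lmvm / lm output."""
    return {name: (int(s, 16), int(e, 16)) for s, e, name in MODULE_RE.findall(text)}


def first_non_kernel_frame(frames):
    """First frame whose symbol is not in nt: the likely caller of the bad free."""
    for frame in frames:
        if not frame[3].startswith("nt!"):
            return frame
    return None


def locate(addr, modules):
    """Map an address to 'module+0xoffset' using the lmvm ranges, or None."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return f"{name}+0x{addr - start:x}"
    return None


def triage(bugcheck=BUGCHECK_TEXT, kn=KN_TEXT, lmvm=LMVM_TEXT):
    """Combine the three listings into the facts the manual walk-through found."""
    code, args = parse_bugcheck(bugcheck)
    frames = parse_frames(kn)
    modules = parse_modules(lmvm)
    suspect = first_non_kernel_frame(frames)
    # The RetAddr of the frame just above the suspect is where the kernel
    # returns into the driver, i.e. the instruction after the ExFreePool call.
    caller_ret = frames[frames.index(suspect) - 1][2]
    return {
        "bugcheck": f"0x{code:x}_{args[0]:x}",   # same form as BUGCHECK_STR
        "freed_address": args[1],                # Arg2: the pool address freed
        "suspect_frame": suspect[3],
        "return_site": locate(caller_ret, modules),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The return_site value is computed purely from addresses, so it is a useful cross-check when, as here, the driver has no symbols and the debugger warns that the frames below the unwind boundary may be wrong: if the address-derived module+offset agrees with the symbol-derived one, the frame can be trusted.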
6: kd> !dh 91084000 -f
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
5 number of sections
46919405 time date stamp Mon Jul 09 10:48:53 2007
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
6.00 linker version
17F00 size of code
1B980 size of initialized data
0 size of uninitialized data
1B8A address of entry point
300 base of code
----- new -----
00010000 image base
80 section alignment
80 file alignment
1 subsystem (Native)
5.00 operating system version
5.00 image version
1.10 subsystem version
33B80 size of image
300 size of headers
38DF2 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
0 DLL characteristics
0 [ 0] address [size] of Export Directory
30800 [ 3C] address [size] of Import Directory
0 [ 0] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
31600 [ 21B8] address [size] of Base Relocation Directory
540 [ 1C] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
0 [ 0] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
300 [ 23C] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
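A few of the !dh values above are worth decoding rather than reading as raw hex: 10E characteristics is the sum of EXECUTABLE_IMAGE (2), LINE_NUMS_STRIPPED (4), LOCAL_SYMS_STRIPPED (8) and 32BIT_MACHINE (100), which is exactly the four text lines printed under it; 0 DLL characteristics means neither DYNAMIC_BASE nor NX_COMPAT is set; the Security Directory is 0 [ 0], so the file carries no embedded Authenticode signature (it could still be catalog-signed); 33B80 size of image equals 910b7b80 - 91084000 from lmvm; and 46919405 decodes to 2007-07-09 01:48:53 UTC, which the debugger prints as 10:48:53 in local time (UTC+9) and which matches DEBUG_FLR_IMAGE_TIMESTAMP in the !analyze output. The script below is an added example, not code from the original post; it parses the !dh lines copied from the page and produces those decoded facts.

```python
"""Decode the fields of a WinDbg `!dh -f` header listing.

Added example, not code from the original post. It parses the header lines
printed for IsDrv122.sys (copied from the page) and turns the raw hex values
into the facts a triage engineer checks: build time in UTC, the
IMAGE_FILE_HEADER.Characteristics bits, the DllCharacteristics mitigation
bits, and whether an embedded Authenticode signature is present.
"""
import re
from datetime import datetime, timezone

# Copied from the page's `!dh 91084000 -f` output (only the lines used here).
DH_OUTPUT = """\
14C machine (i386)
5 number of sections
46919405 time date stamp Mon Jul 09 10:48:53 2007
10E characteristics
10B magic #
1 subsystem (Native)
33B80 size of image
38DF2 checksum
0 DLL characteristics
0 [ 0] address [size] of Security Directory
540 [ 1C] address [size] of Debug Directory
"""

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h).
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# IMAGE_OPTIONAL_HEADER.DllCharacteristics mitigation bits (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",      # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",         # DEP opt-in
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}

MACHINES = {0x14C: "i386", 0x8664: "x64", 0xAA64: "ARM64"}


def _field(text, label):
    """Return the hex value printed in front of `label` in !dh output."""
    m = re.search(r"^\s*([0-9A-Fa-f]+) " + re.escape(label) + r"\b", text, re.M)
    if m is None:
        raise ValueError(f"field not found: {label}")
    return int(m.group(1), 16)


def _directory(text, name):
    """Return (rva, size) of a data directory entry from !dh output."""
    m = re.search(r"^\s*([0-9A-Fa-f]+) \[\s*([0-9A-Fa-f]+)\] address \[size\] of "
                  + re.escape(name), text, re.M)
    if m is None:
        raise ValueError(f"directory not found: {name}")
    return int(m.group(1), 16), int(m.group(2), 16)


def flags(value, table):
    """Names of the bits set in `value`, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_dh(text=DH_OUTPUT):
    """Turn the !dh listing into a dict of decoded header facts."""
    ts = _field(text, "time date stamp")
    _sec_rva, sec_size = _directory(text, "Security Directory")
    return {
        "machine": MACHINES.get(_field(text, "machine"), "unknown"),
        # Link time is stored as a 32-bit Unix timestamp; decode it in UTC so
        # it does not depend on the analyst machine's time zone.
        "build_time_utc": datetime.fromtimestamp(ts, tz=timezone.utc)
                                  .strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": flags(_field(text, "characteristics"), FILE_CHARACTERISTICS),
        "dll_characteristics": flags(_field(text, "DLL characteristics"), DLL_CHARACTERISTICS),
        "subsystem_native": _field(text, "subsystem") == 1,
        "size_of_image": _field(text, "size of image"),
        # A zero-sized Security Directory means no embedded certificate table.
        "embedded_signature": sec_size != 0,
    }


if __name__ == "__main__":
    for key, value in decode_dh().items():
        print(f"{key}: {value}")
```

An empty dll_characteristics list and a missing embedded signature are what you would expect for a 2007 32-bit driver, but the same decode applied to a current driver that shows no DYNAMIC_BASE, no NX_COMPAT or no signature is a finding worth recording during a crash investigation.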