
Title: Viewing BugCheck information with "!analyze -show"

https://scz.617.cn/windows/201711271813.txt

I was in the middle of a debugging session when this came up:

*** Fatal System Error: 0x00000109 (0xA39FFC6545C9A528,0xB3B708EB9847CB07,0xFFFFF800F472AF34,0x0000000000000001)

After that kd stopped responding; I exited with Ctrl-B but could not reattach, and the system was completely hung. Luckily it was a VM with a snapshot, so after restoring it I could look at what those addresses actually were.

Sometimes you only want a rough idea of what happened and have no real intention of turning the situation around, for instance when someone sends you a BSOD screenshot. In that case "!analyze -show" will decode the BugCheck code and its parameters for you.

kd> !analyze -show 0x00000109 0xA39FFC6545C9A528 0xB3B708EB9847CB07 0xFFFFF800F472AF34 0x0000000000000001
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel
code or data have been corrupted. There are generally three causes for a
corruption:
1) A driver has inadvertently or deliberately modified critical kernel
code or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a39ffc6545c9a528, Reserved
Arg2: b3b708eb9847cb07, Reserved
Arg3: fffff800f472af34, Failure type dependent information
Arg4: 0000000000000001, Type of corrupted region, can be
        0   : A generic data region
        1   : Modification of a function or .pdata
        2   : A processor IDT
        3   : A processor GDT
        4   : Type 1 process list corruption
        5   : Type 2 process list corruption
        6   : Debug routine modification
        7   : Critical MSR modification
        8   : Object type
        9   : A processor IVT
        a   : Modification of a system service function
        b   : A generic session data region
        c   : Modification of a session function or .pdata
        d   : Modification of an import table
        e   : Modification of a session import table
        f   : Ps Win32 callout modification
        10  : Debug switch routine modification
        11  : IRP allocator modification
        12  : Driver call dispatcher modification
        13  : IRP completion dispatcher modification
        14  : IRP deallocator modification
        15  : A processor control register
        16  : Critical floating point control register modification
        17  : Local APIC modification
        18  : Kernel notification callout modification
        19  : Loaded module list modification
        1a  : Type 3 process list corruption
        1b  : Type 4 process list corruption
        1c  : Driver object corruption
        1d  : Executive callback object modification
        1e  : Modification of module padding
        1f  : Modification of a protected process
        20  : A generic data region
        21  : A page hash mismatch
        22  : A session page hash mismatch
        23  : Load config directory modification
        24  : Inverted function table modification
        25  : Session configuration modification
        26  : An extended processor control register
        27  : Type 1 pool corruption
        28  : Type 2 pool corruption
        29  : Type 3 pool corruption
        2a  : Type 4 pool corruption
        101 : General pool corruption
        102 : Modification of win32k.sys

kd> ln 0xfffff800f472af34
(fffff800`f472af34)   nt!NtCreateUserProcess
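The decoding above can be scripted for the screenshot case, where all you have is the "*** Fatal System Error" line and no live kd session. The following is an added example, not code from the original note: a small Python parser that pulls the BugCheck code and its four parameters out of that line, rebuilds the "!analyze -show" command to paste into kd, and, for 0x109, maps Arg4 to the corrupted-region type using the table transcribed from the output above. The sample line is the one from this session; the suggestion to resolve Arg3 with "ln" follows what the note did for region type 1 and still requires WinDbg with symbols.

```python
import re

# Constructed sample input: the kd "Fatal System Error" line from the session
# above (the four parameters are the page's own values).
SAMPLE_LINE = ("*** Fatal System Error: 0x00000109 "
               "(0xA39FFC6545C9A528,0xB3B708EB9847CB07,"
               "0xFFFFF800F472AF34,0x0000000000000001)")

# Meaning of Arg4 ("Type of corrupted region") for bugcheck 0x109,
# transcribed from the "!analyze -show" output.
CORRUPTED_REGION_TYPES = {
    0x00: "A generic data region",
    0x01: "Modification of a function or .pdata",
    0x02: "A processor IDT",
    0x03: "A processor GDT",
    0x04: "Type 1 process list corruption",
    0x05: "Type 2 process list corruption",
    0x06: "Debug routine modification",
    0x07: "Critical MSR modification",
    0x08: "Object type",
    0x09: "A processor IVT",
    0x0a: "Modification of a system service function",
    0x0b: "A generic session data region",
    0x0c: "Modification of a session function or .pdata",
    0x0d: "Modification of an import table",
    0x0e: "Modification of a session import table",
    0x0f: "Ps Win32 callout modification",
    0x10: "Debug switch routine modification",
    0x11: "IRP allocator modification",
    0x12: "Driver call dispatcher modification",
    0x13: "IRP completion dispatcher modification",
    0x14: "IRP deallocator modification",
    0x15: "A processor control register",
    0x16: "Critical floating point control register modification",
    0x17: "Local APIC modification",
    0x18: "Kernel notification callout modification",
    0x19: "Loaded module list modification",
    0x1a: "Type 3 process list corruption",
    0x1b: "Type 4 process list corruption",
    0x1c: "Driver object corruption",
    0x1d: "Executive callback object modification",
    0x1e: "Modification of module padding",
    0x1f: "Modification of a protected process",
    0x20: "A generic data region",
    0x21: "A page hash mismatch",
    0x22: "A session page hash mismatch",
    0x23: "Load config directory modification",
    0x24: "Inverted function table modification",
    0x25: "Session configuration modification",
    0x26: "An extended processor control register",
    0x27: "Type 1 pool corruption",
    0x28: "Type 2 pool corruption",
    0x29: "Type 3 pool corruption",
    0x2a: "Type 4 pool corruption",
    0x101: "General pool corruption",
    0x102: "Modification of win32k.sys",
}

HEX = r"0x([0-9A-Fa-f]+)"
# "Fatal System Error: 0xCODE (0xARG1,0xARG2,0xARG3,0xARG4)", whitespace tolerant
FATAL_RE = re.compile(r"Fatal System Error:\s*" + HEX + r"\s*\(\s*"
                      + r"\s*,\s*".join([HEX] * 4) + r"\s*\)")

def parse_fatal_system_error(line):
    """Return (bugcheck_code, [arg1, arg2, arg3, arg4]) parsed from a kd line."""
    m = FATAL_RE.search(line)
    if m is None:
        raise ValueError("not a Fatal System Error line: %r" % line)
    values = [int(g, 16) for g in m.groups()]
    return values[0], values[1:]

def analyze_show_command(code, args):
    """Rebuild the '!analyze -show' command line, zero-padded as kd prints it."""
    return "!analyze -show 0x%08X " % code + " ".join("0x%016X" % a for a in args)

def describe_bugcheck_0x109(args):
    """Decode CRITICAL_STRUCTURE_CORRUPTION parameters: Arg4 is the region type,
    Arg3 is failure-type dependent (the note resolved it with 'ln' for type 1)."""
    arg3, arg4 = args[2], args[3]
    return {
        "name": "CRITICAL_STRUCTURE_CORRUPTION",
        "region_type": arg4,
        "region": CORRUPTED_REGION_TYPES.get(arg4, "unknown region type %#x" % arg4),
        "arg3": arg3,
        "next_step": "ln 0x%016x" % arg3,  # run in kd to name the touched address
    }

def decode_line(line):
    """Parse the kd line and, for bugcheck 0x109, decode the corruption type."""
    code, args = parse_fatal_system_error(line)
    result = {"code": code, "command": analyze_show_command(code, args)}
    if code == 0x109:
        result.update(describe_bugcheck_0x109(args))
    return result

if __name__ == "__main__":
    for key, value in decode_line(SAMPLE_LINE).items():
        print("%-12s %s" % (key, "%#x" % value if isinstance(value, int) else value))
```

Run it on the line from a screenshot and it reports region type 1, "Modification of a function or .pdata", together with the "ln" command for Arg3; the symbol lookup itself (nt!NtCreateUserProcess here) still has to be done in kd against the matching kernel build.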

That is exactly where I had a breakpoint set just before things went wrong.

So it appears to have gone like this: kd was attached too late, so PatchGuard was never prevented from running; the 0xCC that "bp" writes into the function was picked up by a scan and judged to be a modification of critical kernel code, and once the "Fatal System Error" fires kd can no longer get back in.

Making do with the handful of hardware breakpoints is no way to work, and if I also want to patch a data region or the like there is even less chance of getting around PatchGuard. A pity about my snapshot; I'll have to rebuild it.