I just started with driver development. For some experiments with loading, unloading and debugging I have written the following simple driver:
#include <ntddk.h>
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
UNREFERENCED_PARAMETER(pDriverObject);
DbgPrint("Driver unloading\n");
}
NTSTATUS DriverEntry(
PDRIVER_OBJECT DriverObject,
PUNICODE_STRING RegistryPath)
{
UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);
DriverObject->DriverUnload = DriverUnload;
DbgPrint("Hello, World\n");
return STATUS_SUCCESS;
}
I compiled the driver for my target system, Windows 7 64bit, with debug symbols, copied it to target system and loaded and run it with OSR Driver Loader.
Everything works fine and I can unload and load the driver:
I can connect with WinDbg using a serial connection and can successfully break and run the target system. However, the problem occurs when I try to set a breakpoint.
I initially tried setting the breakpoint like this:
kd> bp MyDriver1!DriverEntry
but the problem was, if I reloaded the driver and checked the breakpoints:
kd> bl
0 e fffff880`03572010 0001 (0001) < Unloaded_MyDriver1.sys >+0x1010
For me as beginner, it didn't look good (unloaded?) and no breaks occurred when loading.
So, I found out that its possible to set a breakpoint when a module is loaded:
kd> bu MyDriver1
0 e fffff880`03578000 0001 (0001) MyDriver1!DriverEntry < PERF > (MyDriver1+0x0)
When I continue system execution after the above command and load the driver (net start MyDriver1) the system crashes:
Break instruction exception - code 80000003 (first chance)
- *
- You are seeing this message because you pressed either *
- CTRL+C (if you run console kernel debugger) or, *
- CTRL+BREAK (if you run GUI kernel debugger), *
- on your debugger machine's keyboard. *
- *
- THIS IS NOT A BUG OR A SYSTEM CRASH *
- *
- If you did not intend to break into the debugger, press the "g" key, then *
- press the "Enter" key now. This message might immediately reappear. If it *
- does, press "g" and "Enter" again. *
- *
nt!RtlpBreakWithStatusInstruction: fffff800
028ca490 cc int 3 kd > bu MyDriver1 kd> bl 0 e fffff88003572010 0001(0001) MyDriver1!DriverEntry < PERF > (MyDriver1+0x0)
kd > bc 0 kd> bl 1 e fffff880`03578000 0001 (0001)
MyDriver1!DriverEntry (MyDriver1+0x0)
kd> g Access violation - code c0000005 (!!! second chance !!!)
nt!IopUnloadDriver+0x327: fffff800`02cb8b29 0fb74844 movzx
ecx,word ptr [rax+44h]
Finally, if I continue the execution now, I get a BSOD ...
Whats wrong here? Is my code wrong or am I setting the breakpoints not correctly?
The command you are looking for is sxe ld:MyDriver1
This will break when the driver is mapped into memory but before calling MyDriver1!DriverEntry and will allow you to put breakpoints at DriverEntry.
The command bu MyDriver1 puts a breakpoint in the first byte of the PE header of the driver image.
Also, clean up breakpoints after you unload the driver otherwise you cause the debugger to modify memory that could be allocated for something else.
来源:https://stackoverflow.com/questions/10962361/driver-load-unload-fails-if-windbg-attached-with-breakpoint