Driver load/unload fails if WinDbg attached with breakpoint

时光毁灭记忆、已成空白 提交于 2019-12-07 19:18:17

问题


I just started with driver development. For some experiments with loading, unloading and debugging I have written the following simple driver:

#include <ntddk.h> 

void DriverUnload(PDRIVER_OBJECT pDriverObject) 
{ 
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("Driver unloading\n"); 
} 

NTSTATUS DriverEntry( 
    PDRIVER_OBJECT DriverObject, 
    PUNICODE_STRING RegistryPath) 
{ 
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload; 
    DbgPrint("Hello, World\n"); 

    return STATUS_SUCCESS; 
}

I compiled the driver for my target system, Windows 7 64bit, with debug symbols, copied it to target system and loaded and run it with OSR Driver Loader.

Everything works fine and I can unload and load the driver:

I can connect with WinDbg using a serial connection and can successfully break and run the target system. However, the problem occurs when I try to set a breakpoint.

I initially tried setting the breakpoint like this:

kd> bp MyDriver1!DriverEntry

but the problem was, if I reloaded the driver and checked the breakpoints:

kd> bl
0 e fffff880`03572010 0001 (0001) < Unloaded_MyDriver1.sys >+0x1010

For me as beginner, it didn't look good (unloaded?) and no breaks occurred when loading.

So, I found out that its possible to set a breakpoint when a module is loaded:

kd> bu MyDriver1

0 e fffff880`03578000 0001 (0001) MyDriver1!DriverEntry < PERF > (MyDriver1+0x0)

When I continue system execution after the above command and load the driver (net start MyDriver1) the system crashes:

Break instruction exception - code 80000003 (first chance)


  • *
  • You are seeing this message because you pressed either *
  • CTRL+C (if you run console kernel debugger) or, *
  • CTRL+BREAK (if you run GUI kernel debugger), *
  • on your debugger machine's keyboard. *
  • *
  • THIS IS NOT A BUG OR A SYSTEM CRASH *
  • *
  • If you did not intend to break into the debugger, press the "g" key, then *
  • press the "Enter" key now. This message might immediately reappear. If it *
  • does, press "g" and "Enter" again. *
  • *

nt!RtlpBreakWithStatusInstruction: fffff800028ca490 cc int 3 kd > bu MyDriver1 kd> bl 0 e fffff88003572010 0001

(0001) MyDriver1!DriverEntry < PERF > (MyDriver1+0x0)

kd > bc 0 kd> bl 1 e fffff880`03578000 0001 (0001)

MyDriver1!DriverEntry (MyDriver1+0x0)

kd> g Access violation - code c0000005 (!!! second chance !!!)

nt!IopUnloadDriver+0x327: fffff800`02cb8b29 0fb74844 movzx

ecx,word ptr [rax+44h]

Finally, if I continue the execution now, I get a BSOD ...

Whats wrong here? Is my code wrong or am I setting the breakpoints not correctly?


回答1:


The command you are looking for is sxe ld:MyDriver1

This will break when the driver is mapped into memory but before calling MyDriver1!DriverEntry and will allow you to put breakpoints at DriverEntry.

The command bu MyDriver1 puts a breakpoint in the first byte of the PE header of the driver image.

Also, clean up breakpoints after you unload the driver otherwise you cause the debugger to modify memory that could be allocated for something else.



来源:https://stackoverflow.com/questions/10962361/driver-load-unload-fails-if-windbg-attached-with-breakpoint

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!