如果WinDbg附带断点,则驱动程序加载/卸载失败 [英] Driver load/unload fails if WinDbg attached with breakpoint
问题描述
我刚开始进行驱动程序开发。对于一些加载,卸载和调试的实验,我编写了以下简单的驱动程序:
I just started with driver development. For some experiments with loading, unloading and debugging I have written the following simple driver:
#include <ntddk.h>
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
UNREFERENCED_PARAMETER(pDriverObject);
DbgPrint("Driver unloading\n");
}
NTSTATUS DriverEntry(
PDRIVER_OBJECT DriverObject,
PUNICODE_STRING RegistryPath)
{
UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);
DriverObject->DriverUnload = DriverUnload;
DbgPrint("Hello, World\n");
return STATUS_SUCCESS;
}
我使用调试符号为目标系统Windows 7 64bit编译了驱动程序,将其复制到目标系统并使用OSR Driver Loader加载并运行它。
I compiled the driver for my target system, Windows 7 64bit, with debug symbols, copied it to target system and loaded and run it with OSR Driver Loader.
一切正常,我可以卸载和加载驱动程序:
Everything works fine and I can unload and load the driver:
我可以使用串行连接与WinDbg连接,并且可以成功破坏并运行目标系统。但是,当我尝试设置断点时会出现问题。
I can connect with WinDbg using a serial connection and can successfully break and run the target system. However, the problem occurs when I try to set a breakpoint.
我最初尝试设置断点是这样的:
I initially tried setting the breakpoint like this:
kd> bp MyDriver1!DriverEntry
kd> bp MyDriver1!DriverEntry
但是问题是,如果我重新加载驱动程序并检查断点:
but the problem was, if I reloaded the driver and checked the breakpoints:
kd> bl
0 e fffff880`03572010 0001(0001)< Unloaded_MyDriver1.sys> + 0x1010
kd> bl
0 e fffff880`03572010 0001 (0001) < Unloaded_MyDriver1.sys >+0x1010
对于我来说,初学者看起来不太好(卸载?),加载时没有中断
For me as beginner, it didn't look good (unloaded?) and no breaks occurred when loading.
因此,我发现加载模块时可以设置断点:
So, I found out that its possible to set a breakpoint when a module is loaded:
kd> bu MyDriver1
kd> bu MyDriver1
0 e fffff880`03578000 0001(0001)MyDriver1!DriverEntry< PERF>(MyDriver1 + 0x0)
0 e fffff880`03578000 0001 (0001) MyDriver1!DriverEntry < PERF > (MyDriver1+0x0)
在执行上述命令后继续执行系统并加载驱动程序(净启动MyDriver1)时,系统崩溃:
When I continue system execution after the above command and load the driver (net start MyDriver1) the system crashes:
中断指令异常-代码80000003(第一次机会)
Break instruction exception - code 80000003 (first chance)
- *
- 您看到此消息是因为您按下了*
- CTRL + C(如果运行控制台内核调试器),或者*
- CTRL + BREAK(如果运行GUI内核调试器)**
- 您的调试器机器的键盘。 *
- *
- 这不是错误或系统崩溃*
- *
- 如果您不打算闯入调试器,请按 g键,然后按*
- 现在按 Enter键。此消息可能会立即出现。如果是*
- ,请再次按 g并按 Enter。 *
- *
- *
- You are seeing this message because you pressed either *
- CTRL+C (if you run console kernel debugger) or, *
- CTRL+BREAK (if you run GUI kernel debugger), *
- on your debugger machine's keyboard. *
- *
- THIS IS NOT A BUG OR A SYSTEM CRASH *
- *
- If you did not intend to break into the debugger, press the "g" key, then *
- press the "Enter" key now. This message might immediately reappear. If it *
- does, press "g" and "Enter" again. *
- *
nt!RtlpBreakWithStatusInstruction :fffff800 028ca490 cc int 3 03572010 0001
kd> bu MyDriver1 kd> bl 0 e fffff880
nt!RtlpBreakWithStatusInstruction: fffff800028ca490 cc int 3
kd > bu MyDriver1 kd> bl 0 e fffff88003572010 0001
(0001)MyDriver1!DriverEntry< PERF>(MyDriver1 + 0x0)
(0001) MyDriver1!DriverEntry < PERF > (MyDriver1+0x0)
kd> bc 0 kd> bl 1 e fffff880`03578000 0001(0001)
kd > bc 0 kd> bl 1 e fffff880`03578000 0001 (0001)
MyDriver1!DriverEntry(MyDriver1 + 0x0)
MyDriver1!DriverEntry (MyDriver1+0x0)
kd> g访问冲突-代码c0000005(!!!第二次机会!!!)
kd> g Access violation - code c0000005 (!!! second chance !!!)
nt!IopUnloadDriver + 0x327:fffff800`02cb8b29 0fb74844 movzx
nt!IopUnloadDriver+0x327: fffff800`02cb8b29 0fb74844 movzx
ecx,word ptr [rax + 44h]
ecx,word ptr [rax+44h]
最后,如果我现在继续执行,我会得到BSOD ...
Finally, if I continue the execution now, I get a BSOD ...
怎么了这里?是我的代码错误还是我设置的断点不正确?
Whats wrong here? Is my code wrong or am I setting the breakpoints not correctly?
推荐答案
您要查找的命令是
sxe ld:MyDriver1
The command you are looking for is sxe ld:MyDriver1
当驱动程序映射到内存中但在调用MyDriver1!DriverEntry之前,它将中断,并允许您在DriverEntry处放置断点。
This will break when the driver is mapped into memory but before calling MyDriver1!DriverEntry and will allow you to put breakpoints at DriverEntry.
命令 bu MyDriver1 在驱动程序映像的PE标头的第一个字节中放置一个断点。
The command bu MyDriver1 puts a breakpoint in the first byte of the PE header of the driver image.
此外,在卸载驱动程序后清理断点,否则会导致调试器修改可以分配给其他内容的内存。
Also, clean up breakpoints after you unload the driver otherwise you cause the debugger to modify memory that could be allocated for something else.
这篇关于如果WinDbg附带断点,则驱动程序加载/卸载失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
