How to crash a process on Windows-7 without getting the WER dialog?


Problem description

Is it possible to crash a regular user-mode process on Windows-7 without getting the Windows Error Reporting (WER) dialog? (When and if WER is normally enabled and no specific flags are applied.)

Note: I'm not interested in disabling WER, I'm interested in crash scenarios where WER isn't launched although it should and Windows "silently" terminates an app.

On Windows XP, it is pretty trivial to write a C or C++ application (in user mode) that messes up its own address space in such a way that when an Access Violation (or other unhandled Win32 Exception) is finally raised, Windows XP will just silently terminate the process without informing the user at all:

...
void stackbreaker() {
    printf("%s\n", __FUNCTION__);
    // global/static buffer
    static char buf[128] = "In a hole in the ground there lived a hobbit. And it burrowed through your stack. It even built a round door into you function.";
    // Get address on the stack
    char local;
    char* stack = &local;
    // nuke the stack:
    memcpy(stack - 64, buf, sizeof(buf));
    // Kaboom. No user defined unhandled exception filter will be called. Stack nuked.
    // Process will terminate silently on Windows XP.
    // But on Windows-7 you still get the WER dialog.
}
...

Calling the above function in a simple C++ project (in release mode -- watch out for those compiler optimizations when testing -- and not run under the debugger) will:

  • Silently terminate the process, under XP.
  • Display the WER crash dialog under Windows-7.
  • Aside: In no circumstance will it call your own unhandled exception filter, even if you set one via SetUnhandledExceptionFilter

What I am wondering now is whether - under Windows 7 - the WER mechanism has been implemented in a way that I always get an error dialog for a crash[a] in my application, or whether there exist process corruption scenarios even in Windows 7, that will prevent the WER dialog from popping up?


I'll add a bit of the reading up I did:

In the book Windows via C/C++ (5th ed by Richter, Nasarre) they describe what happens in a "Faulting Process" (p 711):

  1. Exception filters.
  2. ...
  3. ...
  4. kernel detects unhandled exception
  5. blocking ALPC call to Wer Service
  6. WER reporting kicks in.
  7. ...

Now, the point here is that Win7 does this differently than Windows XP (to quote this book, p. 710):

... Starting with Windows Vista, the UnhandledExceptionFilter function no longer sends an error report to MS' servers. Instead, the kernel detects that the exception is not handled by the user-mode thread (Step 4)...

So this would imply, that there is no way at all for a process to "crash" -- in Vista and above -- in a way that prevents WER kicking in. I'm trying to either confirm or refute this.


[a]: Obviously, a process can easily be "killed" without any trace by calling one of the various *exit or terminate* functions. The question is, if you can rule out such a termination reason, (how) is it possible to "crash" a user-mode process on Win7 in a way that would prevent the WER dialog from being displayed.

Solution

I took a look at my edition of Windows Internals, but it doesn't have a whole lot to say on the subject. In earlier versions, the Windows Error Reporting routine took place in the context of the crashing thread. This means that if the stack is trashed (as in your example), it might not be able to run.

In Vista and later, it runs externally to the crashing thread. In addition, the kernel itself is responsible for notifying WER when a process crashes (through an advanced local procedure call).

According to Windows Internals, these changes fix the vanishing process problem. I can only take their word for that. Obviously, if the WER service is itself damaged (or stopped), you'll still get silent crashes.

EDIT

From Windows Internals, 5th Edition, page 122:

Until Windows Vista, all the [WER] operations we've described had to occur within the crashing thread's context... In certain types of crashes ... the unhandled exception filter itself crashed. This "silent process death" was not logged anywhere. ... Windows Vista and later versions improved the WER mechanism by performing this work externally from the crashed thread, if the unhandled exception filter itself crashes.

Page 124:

...all Windows processes now have an error port that is actually an ALPC port object registered by the WER service. The kernel ... will use this port to send a message to the WER service, which will then analyze the crashing process. ... This solves all the problems of silent process death...
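
To check a machine for the one condition the answer names as still producing silent crashes (a WER service that cannot run), the following added example, which is not part of the original question or answer, inspects the WerSvc service, the documented WER `Disabled`/`DontShowUI` registry values, and the most recent recorded crash event. The function name `Get-WerCrashVisibility` is hypothetical, and the script assumes Windows PowerShell 2.0-5.1.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 2.0-5.1.
function Get-WerCrashVisibility {
    $findings = @()

    # The kernel hands crashes to the WER service (WerSvc) through the error port.
    # WerSvc is normally demand-started, so State 'Stopped' alone is expected;
    # StartMode 'Disabled' or a missing service is not.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WerSvc'"
    $state = 'missing'; $startMode = 'missing'
    if ($svc) {
        $state = $svc.State; $startMode = $svc.StartMode
        if ($startMode -eq 'Disabled') { $findings += 'WerSvc start mode is Disabled' }
    } else {
        $findings += 'WerSvc is not registered'
    }

    # Documented WER settings that turn off reporting or suppress the dialog.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting',
        'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting',
        'HKCU:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in @('Disabled', 'DontShowUI')) {
            if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                $findings += "$key\$name = 1"
            }
        }
    }

    # Crashes that were reported leave 'Application Error' records (event ID 1000).
    $events = @(Get-EventLog -LogName Application -Source 'Application Error' `
                -Newest 5 -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        WerSvcState       = $state
        WerSvcStartMode   = $startMode
        Findings          = $findings
        SilentCrashRisk   = ($findings.Count -gt 0)
        LastCrashRecorded = $(if ($events.Count) { $events[0].TimeGenerated } else { $null })
    }
}

Get-WerCrashVisibility | Format-List
```

An empty `Findings` list with `SilentCrashRisk` set to `False` means none of the checked settings would keep WER from handling a crash on that machine.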
