Debug Windows kernel before it goes into repair mode?
I am debugging the Windows kernel using WinDbg, but the problem is that when Windows detects an error during the boot process and goes into repair mode, I was not attached to the kernel in the first place.
But apparently the kernel has loaded and the problem has already been detected, so why wasn't I attached to it before the error was detected? How can I attach to it?
Note that the error is not a major one; I caused it myself for testing purposes, and it is because there is a self-signed driver in the boot driver list. I need to be attached to the kernel to catch this problem being detected. How can I do that? I need to find which function/module is detecting this problem.
Currently I am connected through a COM pipe between two virtual machines in VMware.
kd> sxe ld:nt
kd> sxe ibp;.reboot
Shutdown occurred at (Wed Apr 7 02:14:59.871 2021 (UTC + 5:30))...unloading all symbol tables.
Waiting to reconnect...
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 17763 x64 target at
Kernel Debugger connection established. (Initial Breakpoint requested)
Break on nt module load
Windows 10 Kernel Version 17763 MP (1 procs) Free x64
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff800`5e204000 PsLoadedModuleList = 0xfffff800`5e61f9f0
System Uptime: 0 days 0:00:00.000
nt!DebugService2+0x5:
fffff800`5e3bf295 cc int 3
Stack and the loaded module name
kd> k;ds@rcx
# Child-SP RetAddr Call Site
00 fffff800`60a82de8 fffff800`5e294df5 nt!DebugService2+0x5
01 fffff800`60a82df0 fffff800`5eb19be2 nt!DbgLoadImageSymbols+0x45
02 fffff800`60a82e40 fffff800`5e76917c nt!KdInitSystem+0xaa2
03 fffff800`60a82fc0 00000000`00000000 nt!KiSystemStartup+0x16c
fffff800`60a82e70 "\SystemRoot\system32\ntoskrnl.ex"
fffff800`60a82e90 "e"
bp as requested
kd> bp nt!IopLoadDriver
kd> bl
0 e Disable Clear fffff800`5e869020 0001 (0001) nt!IopLoadDriver
You may also need gflag +ksl
Anyway, sxe ld:nt also breaks on the ntfs.sys load; a small change, and the stack:
kd> r
rax=0000000000000003 rbx=fffff80060a82200 rcx=fffff80060a82200
rdx=fffff80060a821b0 rsi=fffff8005fe00000 rdi=fffff8005d26f940
rip=fffff8005e3bf295 rsp=fffff80060a82188 rbp=fffff80060a82320
r8=0000000000000003 r9=fffff80060a82198 r10=0000000000000000
r11=fffff8005d17dbd0 r12=0000000000000000 r13=fffff8005d1515f0
r14=0000000000000001 r15=fffff80e62170000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!DebugService2+0x5:
fffff800`5e3bf295 cc int 3
kd> ds @rcx
ffffbd0f`f003fa20 "Ntfs.sys"
kd> k
# Child-SP RetAddr Call Site
00 fffff800`60a82188 fffff800`5e294df5 nt!DebugService2+0x5
01 fffff800`60a82190 fffff800`5e294d87 nt!DbgLoadImageSymbols+0x45
02 fffff800`60a821e0 fffff800`5ebbdd47 nt!DbgLoadImageSymbolsUnicode+0x2b
03 fffff800`60a82220 fffff800`5ebbc9ea nt!MiReloadBootLoadedDrivers+0x45f
04 fffff800`60a823b0 fffff800`5ebc266d nt!MiInitializeDriverImages+0x192
05 fffff800`60a82460 fffff800`5ebc228d nt!MiInitSystem+0x3a5
06 fffff800`60a82500 fffff800`5ebbb463 nt!MmInitSystem+0x89
07 fffff800`60a82530 fffff800`5e7745fb nt!InitBootProcessor+0x47b
08 fffff800`60a82750 fffff800`5e769219 nt!KiInitializeKernel+0x50b
09 fffff800`60a82a50 00000000`00000000 nt!KiSystemStartup+0x209
Sample load sequence with sxe ld:
kd> .lastevent
Last event: Load module winload.efi at 00000000`00844000
debugger time: Wed Apr 7 02:35:18.275 2021
kd> r
rax=0000000000000003 rbx=00000000001a6cc0 rcx=00000000001a6cc0
rdx=00000000001a6c60 rsi=00000000009cdb60 rdi=0000000000000000
rip=0000000000992c15 rsp=00000000001a6c38 rbp=00000000001a6d19
r8=0000000000000003 r9=00000000001a6c98 r10=0000000000000000
r11=0000000000000000 r12=0000000000000001 r13=0000000000000002
r14=00000000001a7801 r15=0000000000000000
iopl=0 nv up di pl nz na po nc
cs=0010 ss=0000 ds=0030 es=0030 fs=0030 gs=0030 efl=00000006
winload!DebugService2+0x5:
00000000`00992c15 cc int 3
kd> kb
# RetAddr : Args to Child : Call Site
00 00000000`008717d2 : : winload!DebugService2+0x5
01 00000000`0092b413 : : winload!DbgLoadImageSymbols+0x62
02 00000000`0092b8d0 : : winload!BlBdStart+0x197
03 00000000`008c68ac : : winload!BlBdInitialize+0x304
04 00000000`008c5708 : : winload!InitializeLibrary+0x4dc
05 00000000`008451bb : : winload!BlInitializeLibrary+0x8c
06 00000000`10137ea6 : : winload!OslMain+0x12b
07 00000000`00000000 : : 0x10137ea6
kd> g
Shutdown occurred at (Wed Apr 7 02:36:10.939 2021
Waiting to reconnect...
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 17763 x64 target at
Kernel Debugger connection established. (Initial Breakpoint requested)
Windows Boot Debugger Kernel Version 17763 UP Free x64
Machine Name:
Primary image base = 0x00000000`00844000 Loaded module list = 0x00000000`009cdb60
System Uptime: not available
winload!DebugService2+0x5:
00000000`00992c15 cc int 3
kd> ds@rcx
00000000`001a62a0 "winload.efi"
kd> g
Shutdown occurred at
Waiting to reconnect...
Connected to Windows 10 17763 x64 target at
Kernel Debugger connection established. (Initial Breakpoint requested)
Windows 10 Kernel Version 17763 MP (1 procs) Free x64
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff802`26ea8000 PsLoadedModuleList = 0xfffff802`272c39f0
System Uptime: 0 days 0:00:00.000
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
fffff802`29682e70 "\SystemRoot\system32\ntoskrnl.ex"
fffff802`29682e90 "e"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
fffff802`29682e70 "\SystemRoot\system32\hal.dll"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
fffff802`29682e70 "\SystemRoot\system32\kdcom.dll"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a44f00 "mcupdate.dll"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a44f60 "msrpc.sys"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a44fc0 "ksecdd.sys"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a43c80 "werkernel.sys"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a43ce0 "CLFS.SYS"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a43d40 "tm.sys"
Updated to address the comments
As I said, you need to know where to set the breakpoint, or you need to trace manually (and bugchecks, multiple failed boots, auto repair, etc.)
Shown below is the initial break and a manual break on winload.efi
kd> .reboot
Shutdown occurred at (Wed Mar 17 23:21:19.732 2021 )...unloading all symbol tables.
Waiting to reconnect...
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 17763 x64 target at (Wed Mar 17 23:21:24.259 2021 ), ptr64 TRUE
Kernel Debugger connection established. (Initial Breakpoint requested)
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
ReadVirtual() failed in GetXStateConfiguration() first read attempt (error == 0.)
Windows Boot Debugger Kernel Version 17763 UP Free x64
Machine Name:
Primary image base = 0x00000000`00844000 Loaded module list = 0x00000000`009cdb60
System Uptime: not available
winload!DebugService2+0x5:
00000000`00992c15 cc int 3
kd> kb
# RetAddr : Args to Child : Call Site
00 00000000`008717d2 : 00000000`00000001 00000000`001a6d19 00000000`00000000 00000000`00992be5 : winload!DebugService2+0x5
01 00000000`0092b413 : fffff806`63301780 00000000`008440f0 00000000`009cdb60 00000000`00000000 : winload!DbgLoadImageSymbols+0x62
02 00000000`0092b8d0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : winload!BlBdStart+0x197
03 00000000`008c68ac : 000007ff`ffffd000 00000000`00000000 00000000`00000000 00000000`001a7000 : winload!BlBdInitialize+0x304
04 00000000`008c5708 : 00000000`895443e8 00000000`0001a014 00000000`001a6f79 00000000`00000000 : winload!InitializeLibrary+0x4dc
05 00000000`008451bb : 00000000`001a7000 00000000`00000000 00000000`00000000 00000000`00000000 : winload!BlInitializeLibrary+0x8c
06 00000000`10137ea6 : 00000000`00000000 00000000`00000000 00000000`001a7000 00000000`00000000 : winload!OslMain+0x12b
07 00000000`00000000 : 00000000`00000000 00000000`001a7000 00000000`00000000 50504120`544f4f42 : 0x10137ea6
kd> bp winload!OslpMain
kd> g
Breakpoint 0 hit
winload!OslpMain:
00000000`00846174 48895c2408 mov qword ptr [rsp+8],rbx
kd> kb
# RetAddr : Args to Child : Call Site
00 00000000`008451cc : 00000000`001a7000 00000000`00000000 00000000`00000000 00000000`00000000 : winload!OslpMain
01 00000000`10137ea6 : 00000000`00000000 00000000`00000000 00000000`001a7000 00000000`00000000 : winload!OslMain+0x13c
02 00000000`00000000 : 00000000`00000000 00000000`001a7000 00000000`00000000 50504120`544f4f42 : 0x10137ea6
You can use uf to see the calls that may be executed, as shown below
kd> uf /c winload!OslMain
winload!OslMain (00000000`00845090)
winload!OslMain+0x46 (00000000`008450d6):
call to winload!strcmp (00000000`0098a220)
winload!OslMain+0xe0 (00000000`00845170):
call to winload!memset (00000000`00994700)
winload!OslMain+0x126 (00000000`008451b6):
call to winload!BlInitializeLibrary (00000000`008c567c)
winload!OslMain+0x137 (00000000`008451c7):
call to winload!OslpMain (00000000`00846174)
winload!OslMain+0x147 (00000000`008451d7):
call to winload!BlDestroyLibrary (00000000`008c5714)
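As an added example (not part of the question or the answer above), a small Python parser for a kd transcript of this shape, such as a .logopen capture of an sxe ld session: it tracks the winload-to-nt reconnect and joins the chunked ds @rcx output, so the boot load order and the last image being loaded before the target stopped can be listed. The sample transcript is constructed from the lines shown above.

```python
import re

# Constructed excerpt shaped like the kd transcript above (not a real capture):
# the winload phase, the kernel reconnect, then "sxe ld" breaks with ds @rcx.
SAMPLE_LOG = r"""
kd> sxe ld:nt
Connected to Windows Boot Debugger 17763 x64 target at
kd> ds@rcx
00000000`001a62a0 "winload.efi"
kd> g
Connected to Windows 10 17763 x64 target at
nt!DebugService2+0x5:
kd> ds@rcx
fffff802`29682e70 "\SystemRoot\system32\ntoskrnl.ex"
fffff802`29682e90 "e"
kd> g
kd> ds @rcx
fffff802`29682e70 "\SystemRoot\system32\hal.dll"
kd> ds@rcx
ffffca87`69a44f00 "mcupdate.dll"
"""

CONNECT_RE = re.compile(r"^Connected to (Windows Boot Debugger|Windows \d+) ")
DS_CMD_RE = re.compile(r"^kd> ds\s*@rcx$")
DS_OUT_RE = re.compile(r'^[0-9a-f]{8}`[0-9a-f]{8} "(.*)"$')

def parse_kd_log(text):
    """Return [(phase, image_name), ...] in load order: phase is "winload" while
    the boot debugger is attached and "nt" after the kernel reconnect."""
    lines = [l.rstrip() for l in text.splitlines()]
    events, phase, i = [], "unknown", 0
    while i < len(lines):
        m = CONNECT_RE.match(lines[i])
        if m:
            phase = "winload" if "Boot Debugger" in m.group(1) else "nt"
        elif DS_CMD_RE.match(lines[i]):
            # ds prints the string in 32-character chunks, one per output line,
            # so join consecutive chunks ("ntoskrnl.ex" + "e").
            chunks = []
            while i + 1 < len(lines) and DS_OUT_RE.match(lines[i + 1]):
                i += 1
                chunks.append(DS_OUT_RE.match(lines[i]).group(1))
            if chunks:
                events.append((phase, "".join(chunks)))
        i += 1
    return events

def image_basename(name):
    # Strip the \SystemRoot\system32\ prefix that the first kernel images carry.
    return name.rsplit("\\", 1)[-1]

def last_loaded(events):
    """Image being loaded when the transcript ends (the first place to look)."""
    return image_basename(events[-1][1]) if events else None
```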