Debug Windows kernel before it goes into repair mode?
Posted: 2021-07-01 22:49:27
Question: I'm debugging the Windows kernel with windbg, but the problem is that when Windows detects an error during boot and goes into repair mode, I'm not attached to the kernel at all.
But apparently the kernel has already loaded and has already detected the problem, so why am I not attached to it before the error is detected? How can I attach to it?
Note that the error isn't a serious one; I caused it myself for testing purposes. It happens because there is a self-signed driver in the boot driver list, and I need to attach to the kernel before this problem is detected. How can I do this? I need to find the function/module that detects this problem.
Currently I'm connected through a COM pipe between two virtual machines in VMware.
Comments:
Read up on and try bcdedit boot debugging.
@blabb the problem is that the initial break will be in winload.efi, and ntoskrnl isn't loaded yet. So how do I break when ntoskrnl loads, or while IopLoadDriver is still not loaded? When I try to set the breakpoint it says: Bp expression 'nt!IopLoadDriver' could not be resolved,
@blabb another problem is that boot debugging seems to disable driver signature enforcement: *** Windows is unable to verify the signature of the file \Windows\system32\drivers\test.sys. It will be allowed to load because the boot debugger is enabled.
See bu for unresolved breakpoints, or see sxe ld to break on module load (nt should also work, but it is better suited to your own driver).
Answer 1:
kd> sxe ld:nt
kd> sxe ibp;.reboot
Shutdown occurred at (Wed Apr 7 02:14:59.871 2021 (UTC + 5:30))...unloading all symbol tables.
Waiting to reconnect...
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 17763 x64 target at
Kernel Debugger connection established. (Initial Breakpoint requested)
Break on load of the nt module
Windows 10 Kernel Version 17763 MP (1 procs) Free x64
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff800`5e204000 PsLoadedModuleList = 0xfffff800`5e61f9f0
System Uptime: 0 days 0:00:00.000
nt!DebugService2+0x5:
fffff800`5e3bf295 cc int 3
Stack and name of the loaded module
kd> k;ds@rcx
# Child-SP RetAddr Call Site
00 fffff800`60a82de8 fffff800`5e294df5 nt!DebugService2+0x5
01 fffff800`60a82df0 fffff800`5eb19be2 nt!DbgLoadImageSymbols+0x45
02 fffff800`60a82e40 fffff800`5e76917c nt!KdInitSystem+0xaa2
03 fffff800`60a82fc0 00000000`00000000 nt!KiSystemStartup+0x16c
fffff800`60a82e70 "\SystemRoot\system32\ntoskrnl.ex"
fffff800`60a82e90 "e"
The bp you asked for
kd> bp nt!IopLoadDriver
kd> bl
0 e Disable Clear fffff800`5e869020 0001 (0001) nt!IopLoadDriver
You may also need gflag +ksl
Anyway, sxe ld:nt breaking on the ntfs.sys load is a bit different, with the stack:
kd> r
rax=0000000000000003 rbx=fffff80060a82200 rcx=fffff80060a82200
rdx=fffff80060a821b0 rsi=fffff8005fe00000 rdi=fffff8005d26f940
rip=fffff8005e3bf295 rsp=fffff80060a82188 rbp=fffff80060a82320
r8=0000000000000003 r9=fffff80060a82198 r10=0000000000000000
r11=fffff8005d17dbd0 r12=0000000000000000 r13=fffff8005d1515f0
r14=0000000000000001 r15=fffff80e62170000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!DebugService2+0x5:
fffff800`5e3bf295 cc int 3
kd> ds @rcx
ffffbd0f`f003fa20 "Ntfs.sys"
kd> k
# Child-SP RetAddr Call Site
00 fffff800`60a82188 fffff800`5e294df5 nt!DebugService2+0x5
01 fffff800`60a82190 fffff800`5e294d87 nt!DbgLoadImageSymbols+0x45
02 fffff800`60a821e0 fffff800`5ebbdd47 nt!DbgLoadImageSymbolsUnicode+0x2b
03 fffff800`60a82220 fffff800`5ebbc9ea nt!MiReloadBootLoadedDrivers+0x45f
04 fffff800`60a823b0 fffff800`5ebc266d nt!MiInitializeDriverImages+0x192
05 fffff800`60a82460 fffff800`5ebc228d nt!MiInitSystem+0x3a5
06 fffff800`60a82500 fffff800`5ebbb463 nt!MmInitSystem+0x89
07 fffff800`60a82530 fffff800`5e7745fb nt!InitBootProcessor+0x47b
08 fffff800`60a82750 fffff800`5e769219 nt!KiInitializeKernel+0x50b
09 fffff800`60a82a50 00000000`00000000 nt!KiSystemStartup+0x209
Sample load sequence with sxe ld:*
kd> .lastevent
Last event: Load module winload.efi at 00000000`00844000
debugger time: Wed Apr 7 02:35:18.275 2021
kd> r
rax=0000000000000003 rbx=00000000001a6cc0 rcx=00000000001a6cc0
rdx=00000000001a6c60 rsi=00000000009cdb60 rdi=0000000000000000
rip=0000000000992c15 rsp=00000000001a6c38 rbp=00000000001a6d19
r8=0000000000000003 r9=00000000001a6c98 r10=0000000000000000
r11=0000000000000000 r12=0000000000000001 r13=0000000000000002
r14=00000000001a7801 r15=0000000000000000
iopl=0 nv up di pl nz na po nc
cs=0010 ss=0000 ds=0030 es=0030 fs=0030 gs=0030 efl=00000006
winload!DebugService2+0x5:
00000000`00992c15 cc int 3
kd> kb
# RetAddr : Args to Child : Call Site
00 00000000`008717d2 : : winload!DebugService2+0x5
01 00000000`0092b413 : : winload!DbgLoadImageSymbols+0x62
02 00000000`0092b8d0 : : winload!BlBdStart+0x197
03 00000000`008c68ac : : winload!BlBdInitialize+0x304
04 00000000`008c5708 : : winload!InitializeLibrary+0x4dc
05 00000000`008451bb : : winload!BlInitializeLibrary+0x8c
06 00000000`10137ea6 : : winload!OslMain+0x12b
07 00000000`00000000 : : 0x10137ea6
kd> g
Shutdown occurred at (Wed Apr 7 02:36:10.939 2021
Waiting to reconnect...
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 17763 x64 target at
Kernel Debugger connection established. (Initial Breakpoint requested)
Windows Boot Debugger Kernel Version 17763 UP Free x64
Machine Name:
Primary image base = 0x00000000`00844000 Loaded module list = 0x00000000`009cdb60
System Uptime: not available
winload!DebugService2+0x5:
00000000`00992c15 cc int 3
kd> ds@rcx
00000000`001a62a0 "winload.efi"
kd> g
Shutdown occurred at
Waiting to reconnect...
Connected to Windows 10 17763 x64 target at
Kernel Debugger connection established. (Initial Breakpoint requested)
Windows 10 Kernel Version 17763 MP (1 procs) Free x64
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff802`26ea8000 PsLoadedModuleList = 0xfffff802`272c39f0
System Uptime: 0 days 0:00:00.000
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
fffff802`29682e70 "\SystemRoot\system32\ntoskrnl.ex"
fffff802`29682e90 "e"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
fffff802`29682e70 "\SystemRoot\system32\hal.dll"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
fffff802`29682e70 "\SystemRoot\system32\kdcom.dll"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a44f00 "mcupdate.dll"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a44f60 "msrpc.sys"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a44fc0 "ksecdd.sys"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a43c80 "werkernel.sys"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a43ce0 "CLFS.SYS"
kd> g
nt!DebugService2+0x5:
fffff802`27063295 cc int 3
kd> ds@rcx
ffffca87`69a43d40 "tm.sys"
Update to address the comments
As I commented, you need to know where to set breakpoints, or you need to trace manually (and bugcheck, fail to boot several times, auto-repair, etc.).
Shown below are the initial break in winload.efi and a manual break.
kd> .reboot
Shutdown occurred at (Wed Mar 17 23:21:19.732 2021 )...unloading all symbol tables.
Waiting to reconnect...
BD: Boot Debugger Initialized
Connected to Windows Boot Debugger 17763 x64 target at (Wed Mar 17 23:21:24.259 2021 ), ptr64 TRUE
Kernel Debugger connection established. (Initial Breakpoint requested)
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
ReadVirtual() failed in GetXStateConfiguration() first read attempt (error == 0.)
Windows Boot Debugger Kernel Version 17763 UP Free x64
Machine Name:
Primary image base = 0x00000000`00844000 Loaded module list = 0x00000000`009cdb60
System Uptime: not available
winload!DebugService2+0x5:
00000000`00992c15 cc int 3
kd> kb
# RetAddr : Args to Child : Call Site
00 00000000`008717d2 : 00000000`00000001 00000000`001a6d19 00000000`00000000 00000000`00992be5 : winload!DebugService2+0x5
01 00000000`0092b413 : fffff806`63301780 00000000`008440f0 00000000`009cdb60 00000000`00000000 : winload!DbgLoadImageSymbols+0x62
02 00000000`0092b8d0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : winload!BlBdStart+0x197
03 00000000`008c68ac : 000007ff`ffffd000 00000000`00000000 00000000`00000000 00000000`001a7000 : winload!BlBdInitialize+0x304
04 00000000`008c5708 : 00000000`895443e8 00000000`0001a014 00000000`001a6f79 00000000`00000000 : winload!InitializeLibrary+0x4dc
05 00000000`008451bb : 00000000`001a7000 00000000`00000000 00000000`00000000 00000000`00000000 : winload!BlInitializeLibrary+0x8c
06 00000000`10137ea6 : 00000000`00000000 00000000`00000000 00000000`001a7000 00000000`00000000 : winload!OslMain+0x12b
07 00000000`00000000 : 00000000`00000000 00000000`001a7000 00000000`00000000 50504120`544f4f42 : 0x10137ea6
kd> bp winload!OslpMain
kd> g
Breakpoint 0 hit
winload!OslpMain:
00000000`00846174 48895c2408 mov qword ptr [rsp+8],rbx
kd> kb
# RetAddr : Args to Child : Call Site
00 00000000`008451cc : 00000000`001a7000 00000000`00000000 00000000`00000000 00000000`00000000 : winload!OslpMain
01 00000000`10137ea6 : 00000000`00000000 00000000`00000000 00000000`001a7000 00000000`00000000 : winload!OslMain+0x13c
02 00000000`00000000 : 00000000`00000000 00000000`001a7000 00000000`00000000 50504120`544f4f42 : 0x10137ea6
You can use uf as below to check what calls might get executed.
kd> uf /c winload!OslMain
winload!OslMain (00000000`00845090)
winload!OslMain+0x46 (00000000`008450d6):
call to winload!strcmp (00000000`0098a220)
winload!OslMain+0xe0 (00000000`00845170):
call to winload!memset (00000000`00994700)
winload!OslMain+0x126 (00000000`008451b6):
call to winload!BlInitializeLibrary (00000000`008c567c)
winload!OslMain+0x137 (00000000`008451c7):
call to winload!OslpMain (00000000`00846174)
winload!OslMain+0x147 (00000000`008451d7):
call to winload!BlDestroyLibrary (00000000`008c5714)
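The command sequence the answer walks through interactively, collected into a WinDbg script as an added example (not code from the answer, the question, or Microsoft). The file name C:\dbg\bootload.wds, the pipe name com_1 and the symbol cache path C:\symbols are placeholders; the bcdedit lines in the header are the standard commands for enabling kernel and boot debugging on the target VM. Part 1 is issued while attached to the running target, Part 2 once the ld:nt stop is hit; paste each part at the kd> prompt or save them as two separate script files rather than relying on a single script continuing across .reboot.

```windbg
$$ bootload.wds (hypothetical name) - run a part with:  $$>< C:\dbg\bootload.wds
$$
$$ Target-side prerequisites (elevated cmd inside the guest, then reboot):
$$   bcdedit /debug on
$$   bcdedit /dbgsettings serial debugport:1 baudrate:115200
$$   bcdedit /bootdebug on             (boot debugger for winload.efi, i.e. {current})
$$   bcdedit /bootdebug {bootmgr} on   (boot debugger for bootmgr)
$$ Host-side attach over the VM's serial named pipe (no VirtualKD):
$$   windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect
$$ Caveat from the question: with the boot debugger enabled the loader lets the
$$ self-signed boot driver load anyway, so the signature failure that triggers
$$ repair mode will not reproduce while you are attached this way.

$$ ---------- Part 1: run while attached to the running target ----------
$$ Symbol store with a local cache (placeholder path) so nt!/winload! names resolve.
.symfix C:\symbols
.reload
$$ Stop at the initial breakpoint after the reconnect.
sxe ibp
$$ Stop once when ntoskrnl.exe is mapped and print the name string that
$$ DbgLoadImageSymbols passes in rcx (the answer's ds @rcx).
sxe -c "ds @rcx" ld:nt
$$ Deferred breakpoint: unresolved now (only winload is present), resolved as
$$ soon as nt symbols are loaded. gflags +ksl makes the kernel report image
$$ loads to the debugger so such breakpoints get re-evaluated.
bu nt!IopLoadDriver
$$ Restart the target. The debugger reconnects to the boot debugger first.
.reboot

$$ ---------- Part 2: after the ld:nt stop (kd> shows nt!DebugService2+0x5) ----------
$$ Confirm the deferred breakpoint became an enabled ('e') breakpoint.
bl
$$ Expect KiSystemStartup -> KdInitSystem -> DbgLoadImageSymbols -> DebugService2.
k
$$ Optional: print every further boot-time image load without stopping.
sxe -c "ds @rcx; g" ld:*
$$ Run until nt!IopLoadDriver is hit for the first boot driver.
g
```

When the IopLoadDriver breakpoint hits, `k` shows the caller chain that leads into driver loading; stepping from there with `t` (as the answer's comments note) is what reveals which routine rejects the driver, since `p` or `g` without a breakpoint on that routine simply runs on.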
Discussion:
My .lastevent for sxe ld:* is ntoskrnl rather than winload.efi. I have bcdedit /bootdebug on and bcdedit /bootdebug bootmgr on. I can't break in winload or bootmgr. I'm currently using VirtualKD.
Fixed. Got rid of virtualkd, set up a serial COM1 pipe on the vm and connected to it manually through windbg. Now debugging bootmgr -- upvoting because this answer combined with my comment is now useful.
Though for the life of me I can't figure out how to debug winload. sxe ld:* breaks on bootmgr and nt but not on winload. This is my current configuration.
Try using current instead of bootmgr.
By the way, you either need proper symbols (gflags +ksl) or you need to single-step with t. If you execute and there aren't any proper bps, there is no stepping, e.g. with p or g.