'전체 글'에 해당되는 글 274건

  1. 2007.05.13 New SystemDump tool 2
  2. 2007.05.13 UML and Device drivers 3
  3. 2007.05.13 Reverse Engineering Citrix ThinWire 1
  4. 2007.05.13 IRQL_NOT_LESS_OR_EQUAL 1

New SystemDump tool

Crash dump 불펌스페샬 2007. 5. 13. 23:34 posted by CecilDeSK
반응형

Not really new as it was previously called CtxBSOD v2.1 but was renamed to better show its purpose. In addition to renaming I added a command line option to dump a system remotely or from a command line locallywithout using its GUI interface. The main motivation for me to write this tool was the absence of similar tools for 64-bit Windows. SystemDumpcan dump a 64-bit server too!

You can download it form Citrix support web site (requires free registration):

http://support.citrix.com/article/CTX111072

Main features:

  • The tool has both GUI and command line interfaces.
  • Youcan type a message/text (or copy it from clipboard) before forcing a memory dump. This message is saved in a dump and a support engineer can read it after loading the dump in WinDbg.exe. This is implemented to encourage writing the symptoms and conditions explaining why the dump has to be forced.
  • The tool can stay on top of any window (if you need this to quickly dump the server after a reproduction or during the process of an activity).
  • It is supplied with Program Database (PDB) symbols for the driver (32-bit and 64-bit) which is useful when you want to have all symbols present on the bug check thread.
  • The bug check clearly shows that the dump is manually generated.
  • The tool can force a memory dump on both 32-bit and 64-bit platforms.
  • Before forcing a fatal error on a server, the tool warns about potential damaging consequences: Users are disconnected and all the data which is not saved will be lost. It asks for a confirmation.
  • You can specify a period of time (in minutes) when to force a memory dump.

The latter featureis implemented entirely in kernel. Additional commandthat not covered in the article is

>SystemDump.exe abort

allows you to abort the action if you ran the toolusing command line options.

I attached the UML component diagram showing the architecture of this tool.I recently developed apresentation about device drivers architectureand Citrix kernel drivers where I used this tool asone of examples.

systemdumparchitecture.jpg



- Dmitry Vostokov -

반응형

'Crash dump 불펌스페샬' 카테고리의 다른 글

Using scripts to process hundreds of user dumps  (0) 2007.05.13
Automated Crash Dump Analysis Part1  (0) 2007.05.13
UML and Device drivers  (3) 2007.05.13
Reverse Engineering Citrix ThinWire  (1) 2007.05.13
IRQL_NOT_LESS_OR_EQUAL  (1) 2007.05.13
,

UML and Device drivers

Crash dump 불펌스페샬 2007. 5. 13. 23:33 posted by CecilDeSK
반응형
UML and Device drivers

I got the impression after reading numerous books and articles about device drivers that UML is almost never used in describing kernel and device driver design and architecture.Everything is described either by words or using proprietary notations. If you don’t knowabout UML(Unified Modeling Language) it is time to learnbecauseit isan industry standard general purpose modeling language with graphical notation. You can find many good tutorials on the Web and I can recommendthe book to start:

UML Distilled: A Brief Guide to the Standard Object Modeling Language, Third Edition

Recently I created some diagrams based on my past experience in using UML to describe and communicate architecture and design:

0. Component diagram depicting major driver interfaces

driverinterfaces2.JPG

1. Class and object diagram depicting relationship between drivers and devices

Drivers and Devices

2. Component diagram showing dependencies and interfaces when calling Win32 API function ReadFile

iomanager.JPG

3. Component diagram showing IRP flow in a driver stack (driver-to-driver communication)

Actually I foundthat some driver books incorrectly depict the ordering of I/O stack locations in IRP stack correspondingtodriver or devicestack.The correct layout is depicted above. IRP I/O stack locations grow down (to lower addresses) in memory like any other Wintel stack. You can see it from kernel dumps or the following macro from DDK header file wdm.h which shows that next IRP I/O stack location is down in memory (1 is subtracted from current stack location pointer):

#define IoGetNextIrpStackLocation( Irp ) (
(Irp)->Tail.Overlay.CurrentStackLocation - 1 )

Dumps (and live debugging) are good in studying component relationships, reconstructing sequence diagrams, etc.For example, this edited fragment below is from crash dump and it shows who calls whom and component dependencies be reconstructed from call stackof Win32 API function GetDriveType: SHELL32 (calls it) -> kernel32 -> ntdll -> nt (ntoskrnl.exe). You can also see various Citrix hooks and filters here (CtxSbxXXX):

kd> kL
CtxSbx!xxx
nt!IovCallDriver
nt!IofCallDriver
CtxAltStr!xxx
nt!IovCallDriver
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtOpenFile
nt!KiSystemService
SharedUserData!SystemCallStub
ntdll!ZwOpenFile
CtxSbxHook!xxx
kernel32!GetDriveTypeW
SHELL32!CMountPoint::_EnumMountPoints

- Dmitry Vostokov -

반응형

'Crash dump 불펌스페샬' 카테고리의 다른 글

Using scripts to process hundreds of user dumps  (0) 2007.05.13
Automated Crash Dump Analysis Part1  (0) 2007.05.13
New SystemDump tool  (2) 2007.05.13
Reverse Engineering Citrix ThinWire  (1) 2007.05.13
IRQL_NOT_LESS_OR_EQUAL  (1) 2007.05.13
,

Reverse Engineering Citrix ThinWire

Crash dump 불펌스페샬 2007. 5. 13. 23:32 posted by CecilDeSK
반응형

Reverse Engineering Citrix ThinWire

Crash dumps (and live debugging) can be very usefulfor reverse engineering component dependencies. Let’s look at MS Video Driver Architecture UML component diagram (synthesized after reading various articles from OSRand DDK):

Coupled with this understanding and armed with Citrix symbol files (which are freely downloadable from Citrix supportand you don’t really need them tosee component dependencies)Iwas able totransform this thread stack below and other similar stacks into the following UML component diagram (some functions are shown as module!xxx and offsets are removed for clarity):

nt!KiSwapContext
nt!KiSwapThread
nt!KeWaitForSingleObject
tcpip!xxx
tcpip!TCPDispatch
nt!IofCallDriver
nt!xxx
nt!xxx
TDTCP!xxx
TDTCP!xxx
TDTCP!TdIoctl
termdd!_IcaCallSd
termdd!IcaCallNextDriver
pdrframe!xxx
pdrframe!PdIoctl
termdd!_IcaCallSd
termdd!IcaCallNextDriver
pdcrypt1!xxx
pdcrypt1!PdIoctl
termdd!_IcaCallSd
termdd!IcaCallNextDriver
WDICA!xxx
WDICA!xxx
WDICA!xxx
WDICA!xxx
WDICA!xxx
WDICA!xxx
WDICA!WdIoctl
termdd!IcaCallStack
termdd!IcaCallDriver
termdd!IcaDeviceControlChannel
termdd!IcaDeviceControl
termdd!IcaDispatch
win32k!GreDeviceIoControl
win32k!EngDeviceIoControl
vdtw30!xxx
vdtw30!xxx
win32k!vMovePointer
win32k!GreMovePointer
win32k!xxxMoveEventAbsolute
win32k!ProcessMouseInput
win32k!InputApc
nt!KiDeliverApc
nt!KiSwapThread
nt!KeWaitForMultipleObjects
win32k!xxxMsgWaitForMultipleObjects
win32k!xxxDesktopThread
win32k!xxxCreateSystemThreads
win32k!NtUserCallOneParam
nt!KiSystemServiceCopyEnd
nt!KiSwapThread
nt!KeWaitForSingleObject
win32k!EngWaitForSingleObject
vdtw30!xxx
vdtw30!xxx
vdtw30!xxx
vdtw30!DrvTw2SaveScreenBits
win32k!GreSaveScreenBits
win32k!CreateSpb
win32k!zzzChangeStates
win32k!zzzBltValidBits
win32k!xxxEndDeferWindowPosEx
win32k!xxxSetWindowPos
win32k!xxxShowWindow
win32k!NtUserShowWindow
nt!KiSystemService
USER32!NtUserShowWindow
USER32!InternalDialogBox
USER32!DialogBoxIndirectParamAorW
USER32!DialogBoxParamW

We replace MS components with Citrix ones:

  • Video Displaywith vdtw30.dll
  • Video Miniportwith icacdd.sys
  • Hardware andHALwithTerminal Services stack components (MS termdd.sys, Citrix wdica.sys, etc)

twarchitecture.JPG

- Dmitry Vostokov -

This entry was posted on Tuesday, October 24th, 2006 at 5:43 am and is filed under Crash Dump Analysis, Software Architecture, Kernel Development. You can follow any responses to this entry through the RSS 2.0feed. You can leave a response, or trackbackfrom your own site.

4 Responses to “Reverse Engineering Citrix ThinWire”

  1. Toby Opferman Says:
    November 5th, 2006 at 11:00 am

    The diagram is slightly inaccurate. The video driver only ever directly links against WIN32K and would not call VideoPort.Sys directly without going through WIN32K. There is also another Citrix related path missing which I would not be able to mention in a public forum.

  2. Dmitry Vostokov Says:
    November 5th, 2006 at 2:45 pm

    Thanks for pointing this out! This was adopted from the picture in OSR article:

    “From Andy’s Bookshelf: So you Wanna Write a Video Driver”
    Figure 2 - DDI and Miniport Drivers

    http://www.osronline.com/article.cfm?id=66

    I’ll add a label to that link: “via win32k!EngDeviceIoControl” similar I’ve done for vdtw30.dll and termdd.sys interaction

    Thanks,
    Dmitry

반응형

'Crash dump 불펌스페샬' 카테고리의 다른 글

Using scripts to process hundreds of user dumps  (0) 2007.05.13
Automated Crash Dump Analysis Part1  (0) 2007.05.13
New SystemDump tool  (2) 2007.05.13
UML and Device drivers  (3) 2007.05.13
IRQL_NOT_LESS_OR_EQUAL  (1) 2007.05.13
,

IRQL_NOT_LESS_OR_EQUAL

Crash dump 불펌스페샬 2007. 5. 13. 23:29 posted by CecilDeSK
반응형

Bugchecks depicted: IRQL_NOT_LESS_OR_EQUAL

Duringkernel debugging training I’mprovidingI came up to the idea to use UML sequence diagrams to depict various Windows kernel behavior including bugchecks.Today I start with bugcheck A. To understand why this bugcheck is needed you need to understand the difference between thread scheduling and IRQL and I use the following diagram to illustrate it:

Then I explain interrupt masking:

Next I explain thread scheduling (thread dispatcher):

And finally here is the diagram showing whenbugcheck Ahappens and what would happenifit doesn’t exist:

This bugcheckhappens in the trap handler and IRQL checking before bugcheck happens in memory manager as you can see from the dump example below. There is no IRQL checking in disassembled handler so it must be in one of Mm functions:

BugCheck A, {3, 1c, 1, 8042d8f9}
0: kd> k
nt!KiTrap0E+0×210
driver!foo+0×209
0: kd> u nt!KiTrap0E nt!KiTrap0E+0×210
nt!KiTrap0E:

8046b05e call nt!MmAccessFault (8044bfba)

8046b189 call dword ptr [nt!_imp__KeGetCurrentIrql (8040063c)]
8046b18f lock inc dword ptr [nt!KiHardwareTrigger (80470cc0)]
8046b196 mov ecx,[ebp+0×64]
8046b199 and ecx,0×2
8046b19c shr ecx,1
8046b19e mov esi,[ebp+0×68]
8046b1a1 push esi
8046b1a2 push ecx
8046b1a3 push eax
8046b1a4 push edi
8046b1a5 push 0xa
8046b1a7 call nt!KeBugCheckEx (8042c1e2)

- Dmitry Vostokov -

반응형

'Crash dump 불펌스페샬' 카테고리의 다른 글

Using scripts to process hundreds of user dumps  (0) 2007.05.13
Automated Crash Dump Analysis Part1  (0) 2007.05.13
New SystemDump tool  (2) 2007.05.13
UML and Device drivers  (3) 2007.05.13
Reverse Engineering Citrix ThinWire  (1) 2007.05.13
,
<< prev 1 ··· 47 48 49 50 51 52 53 ··· 69 next >>

티스토리툴바