

Debugging kernel handle leaks with Application Verifier

?? ?? ?? ?? ??? ????? ??? !htrace debug extension? ??? ? ????. ??? !trace? ???? ??, handle tracing? ????? ??? ???. Handle tracing? ????? ??? windbg ????? !htrace -enable ??? ???? ????. ??? ? ??? ??? ???? production server? live debugging ??? ?????. Handle tracing? ???? ? ?? ? ?? ??? Microsoft Application Verifier? ???? ????. ? ???? ?? ?? ?? ??? ????? ??? Microsoft Application Verifier ? ???? ??? ?????.


NOTE: !htrace debug extension? Microsoft Application Verifier? Windows XP?? ? ??? Windows?? ??? ? ????.


Download Application Verifier

https://www.microsoft.com/downloads/details.aspx?FamilyID=C4A25AB9-649D-4A1B-B4A7-C9D8B095DF18&displaylang=en


???? ??? ?? ??? ??? ??? ???? ??? ??? ????? ???????. ? ????? 100,000 ?? ?? ??? ??? ???? ??? ???? ?? ?? ?? ?? ?? ??? ??? ? ????.


?? ??? ?? ?? ?? ?? ?? ??? Troubleshooting? ? ????.


1. ?? ??? ???? ??? Application Verifier? ?? ?????.

2. Application Verifier(appverif.exe)? ?????.

3. File/Add Application? ??? ??? ????? ????, handle tracing? ?????.

4. Save ??? ???? Application Verifier? ?????.

5. ??? ????? ???? ?? ??? ?????.

6. ?? ??? ????, ??? crash tool? ???? ???? crash ??? ??? ??? ?????.

7. ??? ??? ??? windbg? ???? ?????. ??? windbg ??? ????. ?? ?????? ?? ??? ???? call stack? ??? ? ????. ??, ?? ????? ?? ??? ??????, ???? ??? call stack?? ??? ????.

kd> !process 0 0
…..
PROCESS 81d866d0 SessionId: 0 Cid: 06c0 Peb: 7ffdb000 ParentCid: 0704
    DirBase: 05458000 ObjectTable: e15df658 HandleCount: 100012.
    Image: SampleHandleLea

kd> !htrace 0 81d866d0
….
Handle 0x5DDA4 - OPEN
Thread ID = 0x000006c4, Process ID = 0x000006c0

0x809afc5c: nt!ExpUpdateDebugInfo+0x16D
0x80967350: nt!ExCreateHandle+0x4A
0x8091bc16: nt!ObpCreateUnnamedHandle+0x11A
0x809074c3: nt!ObInsertObject+0xB8
0x8090bd62: nt!NtCreateEvent+0xBD
0x8082337b: nt!KiFastCallEntry+0xF8
0x77e6aefb: kernel32!CreateEventW+0x4B
0x003a2efb: vfbasics!AVrfpCreateEventW+0x96
0x0042e75e: SampleHandleLeakProgram!function1+0x2E
0x0042e6e0: SampleHandleLeakProgram!main+0x50
0x0042ee77: SampleHandleLeakProgram!__tmainCRTStartup+0x117
0x0042ed4f: SampleHandleLeakProgram!mainCRTStartup+0xF
0x77e523cd: kernel32!BaseProcessStart+0x23
--------------------------------------
Handle 0x5DDA0 - OPEN
Thread ID = 0x000006c4, Process ID = 0x000006c0

0x809afc5c: nt!ExpUpdateDebugInfo+0x16D
0x80967350: nt!ExCreateHandle+0x4A
0x8091bc16: nt!ObpCreateUnnamedHandle+0x11A
0x809074c3: nt!ObInsertObject+0xB8
0x8090bd62: nt!NtCreateEvent+0xBD
0x8082337b: nt!KiFastCallEntry+0xF8
0x77e6aefb: kernel32!CreateEventW+0x4B
0x003a2efb: vfbasics!AVrfpCreateEventW+0x96
0x0042e75e: SampleHandleLeakProgram!function1+0x2E
0x0042e6e0: SampleHandleLeakProgram!main+0x50
0x0042ee77: SampleHandleLeakProgram!__tmainCRTStartup+0x117
0x0042ed4f: SampleHandleLeakProgram!mainCRTStartup+0xF
0x77e523cd: kernel32!BaseProcessStart+0x23
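With a HandleCount of 100012 nobody reads the full !htrace listing by eye; the practical step is to save the listing to a file and group the OPEN records whose handle was never CLOSEd by their call stack, so the one stack that repeats tens of thousands of times stands out. The script below is an added example, not part of the original post or of WinDbg. It assumes the record layout shown above ("Handle 0x... - OPEN", a Thread/Process line, one "0xaddr: module!symbol+off" line per frame, records separated by a dashed line) and that CLOSE records use the same layout with the word CLOSE; the CLOSE record, the function2 stack and their addresses in the sample are constructed, and the list of "infrastructure" modules used to pick out the application frame is a heuristic of this example.

```python
"""Group !htrace OPEN records by opening call stack to locate a handle leak."""
import re
from collections import Counter

RECORD_SEP = re.compile(r"^-{5,}\s*$", re.MULTILINE)
HEADER_RE = re.compile(r"Handle\s+(0x[0-9A-Fa-f]+)\s+-\s+(OPEN|CLOSE|BADREF)")
FRAME_RE = re.compile(r"^0x[0-9A-Fa-f]+:\s+(\S+)\s*$", re.MULTILINE)

# Kernel, Win32 and verifier-shim frames appear in every record; the first
# frame outside these modules is the application code that asked for the
# handle. Heuristic of this example, not a WinDbg rule.
INFRA_MODULES = {"nt", "ntdll", "kernel32", "vfbasics"}

# Constructed sample in the layout of the !htrace output above. The first two
# records copy the page's stacks (shortened); the function2 OPEN and its CLOSE
# are invented to show that closed handles drop out of the report.
SAMPLE_HTRACE = """\
Handle 0x5DDA4 - OPEN
Thread ID = 0x000006c4, Process ID = 0x000006c0

0x809afc5c: nt!ExpUpdateDebugInfo+0x16D
0x80967350: nt!ExCreateHandle+0x4A
0x8090bd62: nt!NtCreateEvent+0xBD
0x77e6aefb: kernel32!CreateEventW+0x4B
0x003a2efb: vfbasics!AVrfpCreateEventW+0x96
0x0042e75e: SampleHandleLeakProgram!function1+0x2E
0x0042e6e0: SampleHandleLeakProgram!main+0x50
--------------------------------------
Handle 0x5DDA0 - OPEN
Thread ID = 0x000006c4, Process ID = 0x000006c0

0x809afc5c: nt!ExpUpdateDebugInfo+0x16D
0x80967350: nt!ExCreateHandle+0x4A
0x8090bd62: nt!NtCreateEvent+0xBD
0x77e6aefb: kernel32!CreateEventW+0x4B
0x003a2efb: vfbasics!AVrfpCreateEventW+0x96
0x0042e75e: SampleHandleLeakProgram!function1+0x2E
0x0042e6e0: SampleHandleLeakProgram!main+0x50
--------------------------------------
Handle 0x5DD9C - OPEN
Thread ID = 0x000006c4, Process ID = 0x000006c0

0x809afc5c: nt!ExpUpdateDebugInfo+0x16D
0x80967350: nt!ExCreateHandle+0x4A
0x8090bd62: nt!NtCreateEvent+0xBD
0x77e6aefb: kernel32!CreateEventW+0x4B
0x0042e7a0: SampleHandleLeakProgram!function2+0x10
0x0042e6f4: SampleHandleLeakProgram!main+0x64
--------------------------------------
Handle 0x5DD9C - CLOSE
Thread ID = 0x000006c4, Process ID = 0x000006c0

0x809afc5c: nt!ExpUpdateDebugInfo+0x16D
0x8090c0a0: nt!NtClose+0x20
0x77e6ba10: kernel32!CloseHandle+0x30
0x0042e7c2: SampleHandleLeakProgram!function2+0x32
0x0042e6f4: SampleHandleLeakProgram!main+0x64
"""


def parse_htrace(text):
    """Return (handle, operation, frames) tuples in listing order."""
    records = []
    for chunk in RECORD_SEP.split(text):
        header = HEADER_RE.search(chunk)
        if not header:
            continue  # prompt lines, "..." elisions or an empty trailing chunk
        handle, op = int(header.group(1), 16), header.group(2)
        records.append((handle, op, tuple(FRAME_RE.findall(chunk))))
    return records


def leaked_handles(records):
    """Handles whose most recent recorded operation is OPEN, with that stack.
    Simplification: handle values are reused after a CLOSE, so only the latest
    record per value is kept; the listing is assumed to be chronological."""
    last = {}
    for handle, op, frames in records:
        last[handle] = (op, frames)
    return {h: frames for h, (op, frames) in last.items() if op == "OPEN"}


def leak_stacks(records):
    """Count still-open handles per opening call stack."""
    return Counter(leaked_handles(records).values())


def first_app_frame(frames):
    """First frame that is not kernel/Win32/verifier code: the likely culprit."""
    for frame in frames:
        if frame.split("!", 1)[0] not in INFRA_MODULES:
            return frame
    return frames[-1] if frames else ""


def report(text):
    """(count, culprit frame, full stack) per leaking stack, most frequent first."""
    return [(count, first_app_frame(frames), frames)
            for frames, count in leak_stacks(parse_htrace(text)).most_common()]


if __name__ == "__main__":
    for count, culprit, frames in report(SAMPLE_HTRACE):
        print(f"{count} open handle(s) from {culprit}")
        for frame in frames:
            print("    " + frame)
```

On the page's real listing the function1 stack would show up with a count close to 100,000 while anything that is opened and closed correctly contributes nothing, which is exactly the ranking you want before opening the source of function1.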


NOTE: ?? svchost ?????? handle leak ??? ?????, svchost ????? Application Verifier? ???? ?? ??? ? ????. ? ??? Application Verifier? svchost? ??? ?, ???? ????????. Scvhost ????? handle tracking? ?? ??? ???? ??? ????.