Debugging Kernel Handle Leaks with Application Verifier
Kernel handle leaks can be debugged with the !htrace debugger extension. To use !htrace, handle tracing must first be enabled, which is done with the windbg command !htrace -enable. That approach, however, requires live debugging on the production server. Another way to enable handle tracing is Microsoft Application Verifier. This document describes how to use Microsoft Application Verifier to debug handle leaks.
NOTE: The !htrace debugger extension and Microsoft Application Verifier can be used on Windows XP and later versions of Windows.
Download Application Verifier
To demonstrate the steps, a sample program that deliberately leaks handles was written. The program opens more than 100,000 handles without closing them, so the leak is easy to observe.
The following steps show how to troubleshoot a handle leak in such a process.
1. Install Application Verifier on the server where the handle leak occurs.
2. Run Application Verifier (appverif.exe).
3. Select File/Add Application, choose the executable of the process to trace, and check handle tracing.
4. Click Save and close Application Verifier.
5. Restart the process so that the setting takes effect.
6. When the leak occurs, use a suitable crash tool to capture a dump of the process.
7. Open the captured dump in windbg and analyze it. The windbg output is shown below. You can see the call stack at which each handle was opened. In this example the handles opened in function1 were never closed, so the same call stack appears repeatedly.
kd> !process 0 0
...
PROCESS 81d866d0  SessionId: 0  Cid: 06c0    Peb: 7ffdb000  ParentCid: 0704
    DirBase: 05458000  ObjectTable: e15df658  HandleCount: 100012.
    Image: SampleHandleLea

kd> !htrace 0 81d866d0
...
Handle 0x5DDA4 - OPEN
Thread ID = 0x000006c4, Process ID = 0x000006c0
0x809afc5c: nt!ExpUpdateDebugInfo+0x16D
0x80967350: nt!ExCreateHandle+0x4A
0x8091bc16: nt!ObpCreateUnnamedHandle+0x11A
0x809074c3: nt!ObInsertObject+0xB8
0x8090bd62: nt!NtCreateEvent+0xBD
0x8082337b: nt!KiFastCallEntry+0xF8
0x77e6aefb: kernel32!CreateEventW+0x4B
0x003a2efb: vfbasics!AVrfpCreateEventW+0x96
0x0042e75e: SampleHandleLeakProgram!function1+0x2E
0x0042e6e0: SampleHandleLeakProgram!main+0x50
0x0042ee77: SampleHandleLeakProgram!__tmainCRTStartup+0x117
0x0042ed4f: SampleHandleLeakProgram!mainCRTStartup+0xF
0x77e523cd: kernel32!BaseProcessStart+0x23
--------------------------------------
Handle 0x5DDA0 - OPEN
Thread ID = 0x000006c4, Process ID = 0x000006c0
0x809afc5c: nt!ExpUpdateDebugInfo+0x16D
0x80967350: nt!ExCreateHandle+0x4A
0x8091bc16: nt!ObpCreateUnnamedHandle+0x11A
0x809074c3: nt!ObInsertObject+0xB8
0x8090bd62: nt!NtCreateEvent+0xBD
0x8082337b: nt!KiFastCallEntry+0xF8
0x77e6aefb: kernel32!CreateEventW+0x4B
0x003a2efb: vfbasics!AVrfpCreateEventW+0x96
0x0042e75e: SampleHandleLeakProgram!function1+0x2E
0x0042e6e0: SampleHandleLeakProgram!main+0x50
0x0042ee77: SampleHandleLeakProgram!__tmainCRTStartup+0x117
0x0042ed4f: SampleHandleLeakProgram!mainCRTStartup+0xF
0x77e523cd: kernel32!BaseProcessStart+0x23
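With 100,000 open handles, reading the !htrace entries one by one is not practical; the usual approach is to save the windbg output to a file and group the OPEN entries by the first frame that belongs to the application itself. The script below is an added example (not part of the original page or of the Application Verifier tooling) that does this over a constructed sample in the same format as the output above; the handle values and the function2 frames are made up for the sample.

```python
import re
from collections import Counter

# Constructed sample in the !htrace format above: two handles opened from
# function1 and never closed, one from function2 that is closed again.
SAMPLE = """\
Handle 0x5DDA4 - OPEN
Thread ID = 0x000006c4, Process ID = 0x000006c0
0x77e6aefb: kernel32!CreateEventW+0x4B
0x003a2efb: vfbasics!AVrfpCreateEventW+0x96
0x0042e75e: SampleHandleLeakProgram!function1+0x2E
--------------------------------------
Handle 0x5DDA0 - OPEN
0x77e6aefb: kernel32!CreateEventW+0x4B
0x0042e75e: SampleHandleLeakProgram!function1+0x2E
--------------------------------------
Handle 0x5DD9C - OPEN
0x77e6aefb: kernel32!CreateEventW+0x4B
0x0042e80a: SampleHandleLeakProgram!function2+0x1A
--------------------------------------
Handle 0x5DD9C - CLOSE
0x77e6b3c2: kernel32!CloseHandle+0x2F
0x0042e81f: SampleHandleLeakProgram!function2+0x2F
"""
HEADER = re.compile(r"Handle (0x[0-9A-Fa-f]+) - (OPEN|CLOSE)")
FRAME = re.compile(r"0x[0-9A-Fa-f]+: (\S+)")
SYSTEM_MODULES = {"nt", "ntdll", "kernel32", "vfbasics"}  # never the leak's owner

def parse_htrace(text):
    """Return [(handle, event, [symbols])] for every entry in saved !htrace output."""
    entries = []
    for line in text.splitlines():
        if m := HEADER.search(line):
            entries.append((m.group(1).lower(), m.group(2), []))
        elif entries and (f := FRAME.match(line.strip())):
            entries[-1][2].append(f.group(1))
    return entries

def leak_site(symbols):
    """First frame outside the system/verifier modules, with the +offset dropped."""
    return next((s.split("+", 1)[0] for s in symbols
                 if s.split("!", 1)[0] not in SYSTEM_MODULES), "<no stack>")

def open_handles_by_site(text):
    """Count handles with more OPEN than CLOSE entries, grouped by the call site of
    their first OPEN (order-independent; handle-value reuse makes it a heuristic)."""
    balance, site = Counter(), {}
    for handle, event, symbols in parse_htrace(text):
        balance[handle] += 1 if event == "OPEN" else -1
        if event == "OPEN":
            site.setdefault(handle, leak_site(symbols))
    return Counter(site[h] for h, n in balance.items() if n > 0)
```

On real output, the call site with by far the largest count is the leak; in the page's dump that is SampleHandleLeakProgram!function1.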
NOTE: If the handle leak is in an svchost process, Application Verifier can in principle be enabled for the svchost process as well. In this case, however, enabling Application Verifier on svchost caused problems, so handle tracking for the svchost process had to be done in a different way.