Kernel mode / BugCheck    2014. 3. 21. 19:47

Analysis of a BugCheck triggered by Driver Verifier (special pool).




*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption.  Typically the current thread's
stack backtrace will reveal the guilty party.
Arguments:
Arg1: 93008fd0, address trying to free
Arg2: 93008ffc, address where bits are corrupted
Arg3: 00ed4030, (reserved)
Arg4: 00000024, caller is freeing an address where bytes after the end of the allocation have been overwritten


The allocated memory region (Arg1). The 0xED bytes at 93008ffc (Arg2) are the special pool fill pattern between the end of the allocation and the end of the page.

0: kd> db 0x93008fd0
93008fd0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
93008fe0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
93008ff0  00 00 00 00 00 00 00 00-00 00 00 00 ed ed ed ed  ................
93009000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
93009010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
93009020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
93009030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
93009040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????


Start of the page that holds this allocation (the special pool header).
The requested allocation size was 0x2C, so why does the header say 0x30..?

0: kd> db 0x93008000
93008000  30 40 ed 00 57 72 61 70-c0 2d 9e 87 ed ed ed ed  0@..Wrap.-......
93008010  ed ed ed ed ed ed ed ed-ed ed ed ed ed ed ed ed  ................
93008020  ed ed ed ed ed ed ed ed-ed ed ed ed ed ed ed ed  ................
93008030  ed ed ed ed ed ed ed ed-ed ed ed ed ed ed ed ed  ................
93008040  ed ed ed ed ed ed ed ed-ed ed ed ed ed ed ed ed  ................
93008050  ed ed ed ed ed ed ed ed-ed ed ed ed ed ed ed ed  ................
93008060  ed ed ed ed ed ed ed ed-ed ed ed ed ed ed ed ed  ................
93008070  ed ed ed ed ed ed ed ed-ed ed ed ed ed ed ed ed  ................


The same region after the memory was corrupted. The fill bytes at 93008ffc have been overwritten with zeros.

0: kd> db 0x93008fd0
93008fd0  01 00 00 00 00 00 00 00-ef 7b c8 ce cf cf cf cf  .........{......
93008fe0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
93008ff0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
93009000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
93009010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
93009020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
93009030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
93009040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????


This is the culprit.
The ULONG code member was padded to match the alignment of the ULONG64 members that follow it, so it occupied 8 bytes instead of 4.
That in turn changed the layout of every other structure that embeds this one, and the resulting size mismatch corrupted memory.
After wrapping the definition in #pragma pack(1) ~ #pragma pack() it works correctly. ㅠㅠ


typedef struct _LOG
{
        ULONG code;
        ULONG64 param1;
        ULONG64 param2;
        ULONG64 param3;
        ULONG64 param4;
} LOG, *PLOG;
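The following is an added example, not code from the post: it reproduces in user mode what the post describes. The LOG struct is laid out once with natural alignment and once under #pragma pack(1), and a small special-pool-style check (a fill pattern placed after the allocation and verified on free) shows that writing the padded layout into a buffer sized for the packed layout overwrites the guard bytes, exactly the condition that raised bugcheck 0xC1 above. ULONG and ULONG64 are stand-ins for the Windows types; the guarded_alloc and count_corrupted_slack helpers, the 16-byte slack and the 36-byte allocation size are assumptions of this example, and the 40 vs 36 sizes assume an ABI that aligns 64-bit integers to 8 bytes (MSVC on x86 and x64, gcc/clang on x86-64).

```c
/* Added example (not code from the post): shows how natural alignment inflates
 * the post's LOG struct and how a special-pool-style fill check catches the
 * resulting overrun. ULONG / ULONG64 are stand-ins for the Windows types. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t ULONG;
typedef uint64_t ULONG64;

/* Layout as written in the post. With 8-byte alignment for 64-bit integers the
 * compiler inserts 4 padding bytes after 'code', so 'code' effectively takes
 * 8 bytes and sizeof() is 40 rather than the 36 the author expected. */
typedef struct _LOG_NATURAL {
    ULONG   code;
    ULONG64 param1;
    ULONG64 param2;
    ULONG64 param3;
    ULONG64 param4;
} LOG_NATURAL, *PLOG_NATURAL;

/* The post's fix. push/pop restores the previous packing exactly; the layout is
 * the same as pack(1) ... pack(): no padding, sizeof() is 36. */
#pragma pack(push, 1)
typedef struct _LOG_PACKED {
    ULONG   code;
    ULONG64 param1;
    ULONG64 param2;
    ULONG64 param3;
    ULONG64 param4;
} LOG_PACKED, *PLOG_PACKED;
#pragma pack(pop)

size_t natural_log_size(void)      { return sizeof(LOG_NATURAL); }           /* 40 */
size_t packed_log_size(void)       { return sizeof(LOG_PACKED); }            /* 36 */
size_t natural_param1_offset(void) { return offsetof(LOG_NATURAL, param1); } /* 8 */
size_t packed_param1_offset(void)  { return offsetof(LOG_PACKED, param1); }  /* 4 */

/* Special pool fills the bytes between the end of an allocation and the end of
 * its page with a pattern (0xED in the post's dump, at Arg2) and verifies it on
 * free. This models that with a fixed 16-byte slack (assumed value). */
#define SLACK_FILL 0xED
#define SLACK_LEN  16

static uint8_t *guarded_alloc(size_t alloc_len)
{
    uint8_t *block = malloc(alloc_len + SLACK_LEN);
    if (block == NULL)
        return NULL;
    memset(block, 0, alloc_len);                      /* caller's bytes */
    memset(block + alloc_len, SLACK_FILL, SLACK_LEN); /* guard pattern */
    return block;
}

/* The free-time check: how many guard bytes no longer hold the pattern. */
static size_t count_corrupted_slack(const uint8_t *block, size_t alloc_len)
{
    size_t bad = 0;
    for (size_t i = 0; i < SLACK_LEN; i++)
        if (block[alloc_len + i] != SLACK_FILL)
            bad++;
    return bad;
}

/* Buggy case: the record is allocated with the 36-byte size the author
 * expected, but written through the compiler's padded layout. param4 sits at
 * offset 32..39, so its last 4 bytes land in the guard region and the 0xED
 * bytes become 00, as at 93008ffc in the post. */
size_t overrun_with_natural_layout(void)
{
    size_t alloc_len = packed_log_size();
    uint8_t *block = guarded_alloc(alloc_len);
    if (block == NULL)
        return (size_t)-1;
    PLOG_NATURAL rec = (PLOG_NATURAL)block;
    rec->code = 1;
    rec->param1 = rec->param2 = rec->param3 = rec->param4 = 0;
    size_t bad = count_corrupted_slack(block, alloc_len);
    free(block);
    return bad;                                       /* 4 */
}

/* Fixed case: both sides use the packed layout, the record fits exactly. */
size_t overrun_with_packed_layout(void)
{
    size_t alloc_len = packed_log_size();
    uint8_t *block = guarded_alloc(alloc_len);
    if (block == NULL)
        return (size_t)-1;
    PLOG_PACKED rec = (PLOG_PACKED)block;
    rec->code = 1;
    rec->param1 = rec->param2 = rec->param3 = rec->param4 = 0;
    size_t bad = count_corrupted_slack(block, alloc_len);
    free(block);
    return bad;                                       /* 0 */
}

int main(void)
{
    printf("sizeof natural=%zu (param1 at %zu), packed=%zu (param1 at %zu)\n",
           natural_log_size(), natural_param1_offset(),
           packed_log_size(), packed_param1_offset());
    printf("guard bytes overwritten: natural=%zu, packed=%zu\n",
           overrun_with_natural_layout(), overrun_with_packed_layout());
    return 0;
}
```

The lesson the check makes visible is that the compiler did nothing wrong: the defect is two pieces of code disagreeing on sizeof(LOG). Pinning the layout with #pragma pack, as the post did, makes both sides agree; alternatively, keep natural alignment and size every allocation from sizeof() of the same definition.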




[Reference]

http://greemate.tistory.com/m/post/13


Posted by hswang