The Windows debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and inspect CPU registers while code executes. It is the tool to use for working out the cause of a crash after a blue screen, an unexpected reboot, or a shutdown.
WinDbg official link:
https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/debugger-download-tools
Blue-screen bug check code reference:
https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/bug-check-code-reference2
Search for windbg in Tencent Software Center to download the installer: https://pc.qq.com/search.html#!keyword=windbg
DRIVER_IRQL_NOT_LESS_OR_EQUAL generally indicates a fault caused by a software driver.
Based on MODULE_NAME and IMAGE_NAME, the culprit is the termdd.sys driver file.
The BUCKET_ID field shows the specific fault category this crash belongs to.
BUCKET_ID: X64_0xD1_termdd!IcaChannelInputInternal+1f2
Matching on this keyword, the crash fits the signature of the Windows remote code execution (RCE) vulnerability CVE-2019-0708.
Reference: https://www.anquanke.com/post/id/185508
For analysis of this file, run !analyze -v
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88002527006, address which referenced memory
Debugging Details:
------------------
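To show how the fields above are read during triage, here is an added example (not part of the original post) that parses the bug check header, the four D1 arguments, MODULE_NAME, IMAGE_NAME and BUCKET_ID out of "!analyze -v" text and flags the BUCKET_ID pattern the post associates with CVE-2019-0708. The sample text is constructed from the values on this page; the KNOWN_SIGNATURES table and the function names are assumptions of this example.

```python
import re

# Constructed sample of "!analyze -v" output, reduced to the fields this script reads.
SAMPLE_ANALYZE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88002527006, address which referenced memory
MODULE_NAME: termdd
IMAGE_NAME:  termdd.sys
BUCKET_ID:  X64_0xD1_termdd!IcaChannelInputInternal+1f2
"""

# Hypothetical triage table: BUCKET_ID substrings worth flagging. Only the
# CVE-2019-0708 entry comes from the page; extend it with your own findings.
KNOWN_SIGNATURES = {
    "CVE-2019-0708": re.compile(r"termdd!IcaChannelInputInternal"),
}

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

def parse_analyze(text):
    """Extract bug check name/code, the Arg1..Arg4 values, and the module/image/bucket fields."""
    result = {"args": []}
    m = re.search(r"^([A-Z_]+) \(([0-9a-f]+)\)$", text, re.M)
    if m:
        result["bugcheck"], result["code"] = m.group(1), int(m.group(2), 16)
    for m in re.finditer(r"^Arg(\d): ([0-9a-f]{16}), (.*)$", text, re.M):
        result["args"].append((int(m.group(2), 16), m.group(3).strip()))
    for key in ("MODULE_NAME", "IMAGE_NAME", "BUCKET_ID"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
        if m:
            result[key.lower()] = m.group(1)
    return result

def triage(parsed):
    """Interpret a 0xD1 bug check's arguments and match BUCKET_ID against known signatures."""
    findings = []
    if parsed.get("code") == 0xD1 and len(parsed["args"]) == 4:
        addr, irql, op, pc = (a[0] for a in parsed["args"])
        kind = "write" if op == 1 else "read"
        irql_name = IRQL_NAMES.get(irql, "unknown")
        findings.append(f"{kind} of {addr:#018x} at IRQL {irql} ({irql_name}) from {pc:#018x}")
        if addr == 0:
            findings.append("null-page dereference: likely a NULL or freed pointer in the driver")
    for cve, pattern in KNOWN_SIGNATURES.items():
        if pattern.search(parsed.get("bucket_id", "")):
            findings.append(f"BUCKET_ID matches known pattern for {cve}")
    return findings
```

A match on the bucket only says the crash occurred in that RDP input path; confirm the host's patch level and the attack-surface exposure before treating it as exploitation.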
Original statement: this article was published on the Tencent Cloud Developer Community with the author's authorization; reproduction without permission is prohibited.
If it infringes your rights, please contact cloudcommunity@tencent.com to have it removed.