Defrag Tools

Defrag Tools: #16 - WinDbg - Driver Verifier

Download this episode

Download Video

Description

Not all Blue Screens of Death are easy to debug! Sometimes, you need to enable extra checking to help catch a buggy device driver. In this episode of Defrag Tools, Chad Beeder and Larry Larsen discuss using Driver Verifier in conjunction with WinDbg to track down a driver which is corrupting kernel mode pool memory.

Debugger commands used:

  • !analyze -v
  • .trap
  • ub
  • dp
  • dps
  • dc
  • kv

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:

Debugging Tools for Windows

Windows Internals book tools (including NotMyFault)

Forcing a System Crash from the Keyboard

How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system

Driver Verifier Options

Timeline:

[00:09] - What is Driver Verifier?
[01:54] - Using NotMyFault to cause a buffer overflow
[06:04] - Looking at a buffer overflow dump in WinDbg
[08:10] - What is the .trap command? (see: x64 Register Usage)
[12:45] - First dump was inconclusive. Looking at a second buffer overflow dump.
[15:47] - Memory is corrupted, but how to find out who is corrupting it? Driver Verifier!
[16:55] - Launching and configuring Driver Verifier
[20:20] - Verifier enabled, let's crash the system!
[21:25] - What is special pool?
[22:27] - Looking at the memory dump (captured with Verifier enabled)
[25:13] - Forcing a memory dump of a hung system via keyboard
[28:00] - Forcing a memory dump of a hung system via NMI switch
[31:52] - Advanced/custom Driver Verifier settings

Embed

Format

Available formats for this video:

Actual format may change based on video formats available and browser capability.

    The Discussion

    • JohnLudlow

      AppVerifier would seem like a good topic for next week Smiley

    • windev

      @JohnLudlow: We are covering the basic commands for about 4 weeks and then will be doing Application Verifier.  We thought of doing it straight away but decided to do the foundation stuff first.

    • JohnLudlow

      @windev: Hi Andrew.  That makes sense.  WinDbg is not a small topic, so it's good that you're covering it in detail Smiley

      Thanks & keep up the good work

    • pcgeek86

      You can use AutoHotkey to remap keyboard keys if you don't have a scroll lock key, or any others for that matter. Helpful if you don't have an external keyboard handy. Smiley 

    • Debojyoti

      Thanks for the serise of videos on WInDbg and Driver Verifier. I am finding them very useful in my day to day work.

      I have doubt regarding driver verifier. If I am developing a WDF driver of File System mini filter driver or a NDIS filter drivers; is it sufficient just to add my driver on the driver verifier?

      For example, If have a FS mini filter driver (which I want to test); do I need to put fltmgr.sys(or any other related drivers) in Driver Verifier driver list?  

    Comments closed

    Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.