Defrag Tools: #15 - WinDbg - Bugchecks (BSOD)
Description
Not all Blue Screens of Death are easy to debug! Sometimes, you need to enable extra checking to help catch a buggy device driver. In this episode of Defrag Tools, Chad Beeder and Larry Larsen discuss using Driver Verifier in conjunction with WinDbg to track down a driver which is corrupting kernel mode pool memory.
Debugger commands used:
- !analyze -v
- .trap
- ub
- dp
- dps
- dc
- kv
Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.
Resources:
Windows Internals book tools (including NotMyFault)
Forcing a System Crash from the Keyboard
How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system
Driver Verifier Options
Timeline:
[00:09] - What is Driver Verifier?
[01:54] - Using NotMyFault to cause a buffer overflow
[06:04] - Looking at a buffer overflow dump in WinDbg
[08:10] - What is the .trap command? (see: x64 Register Usage)
[12:45] - First dump was inconclusive. Looking at a second buffer overflow dump.
[15:47] - Memory is corrupted, but how to find out who is corrupting it? Driver Verifier!
[16:55] - Launching and configuring Driver Verifier
[20:20] - Verifier enabled, let's crash the system!
[21:25] - What is special pool?
[22:27] - Looking at the memory dump (captured with Verifier enabled)
[25:13] - Forcing a memory dump of a hung system via keyboard
[28:00] - Forcing a memory dump of a hung system via NMI switch
[31:52] - Advanced/custom Driver Verifier settings
Share
Download
Download this episode
- MP3 (30.9 MB)
- Low Quality MP4 (186.8 MB)
- Mid Quality WMV (94.3 MB)
- High Quality MP4 (409.4 MB)
- Mid Quality MP4 (286.1 MB)
- High Quality WMV (350.2 MB)
More episodes in this series
Defrag Tools: #17 - WinDbg - Driver Verifier - Part 2
Related episodes
Access Violation C0000005 - Execute
Access Violation C0000005 - Read or Write
Access Violation C0000005
CLR Exception E0434352
Point-of-Failure Exception C000027C
Stowed Exception C000027B
Bugcheck 0x1C8 MANUALLY_INITIATED_POWER_BUTTON_HOLD
Bugcheck 0xE2 MANUALLY_INITIATED_CRASH
.trap
.cxr
The Discussion
-
JohnLudlow AppVerifier would seem like a good topic for next week
-
windev @JohnLudlow: We are covering the basic commands for about 4 weeks and then will be doing Application Verifier. We thought of doing it straight away but decided to do the foundation stuff first.
-
JohnLudlow @windev: Hi Andrew. That makes sense. WinDbg is not a small topic, so it's good that you're covering it in detail
Thanks & keep up the good work
-
pcgeek86 You can use AutoHotkey to remap keyboard keys if you don't have a scroll lock key, or any others for that matter. Helpful if you don't have an external keyboard handy.
-
Debojyoti Thanks for the serise of videos on WInDbg and Driver Verifier. I am finding them very useful in my day to day work.
I have doubt regarding driver verifier. If I am developing a WDF driver of File System mini filter driver or a NDIS filter drivers; is it sufficient just to add my driver on the driver verifier?
For example, If have a FS mini filter driver (which I want to test); do I need to put fltmgr.sys(or any other related drivers) in Driver Verifier driver list?