Defrag Tools: #16 - WinDbg - Driver Verifier

Description

Not all Blue Screens of Death are easy to debug! Sometimes, you need to enable extra checking to help catch a buggy device driver. In this episode of Defrag Tools, Chad Beeder and Larry Larsen discuss using Driver Verifier in conjunction with WinDbg to track down a driver which is corrupting kernel mode pool memory.

Debugger commands used:

  • !analyze -v
  • .trap
  • ub
  • dp
  • dps
  • dc
  • kv

Make sure you watch Defrag Tools Episode #1 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbols and source code resolution.

Resources:

Debugging Tools for Windows

Windows Internals book tools (including NotMyFault)

Forcing a System Crash from the Keyboard

How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system

Driver Verifier Options

Timeline:

[00:09] - What is Driver Verifier?
[01:54] - Using NotMyFault to cause a buffer overflow
[06:04] - Looking at a buffer overflow dump in WinDbg
[08:10] - What is the .trap command? (see: x64 Register Usage)
[12:45] - First dump was inconclusive. Looking at a second buffer overflow dump.
[15:47] - Memory is corrupted, but how to find out who is corrupting it? Driver Verifier!
[16:55] - Launching and configuring Driver Verifier
[20:20] - Verifier enabled, let's crash the system!
[21:25] - What is special pool?
[22:27] - Looking at the memory dump (captured with Verifier enabled)
[25:13] - Forcing a memory dump of a hung system via keyboard
[28:00] - Forcing a memory dump of a hung system via NMI switch
[31:52] - Advanced/custom Driver Verifier settings
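As an added illustration (not part of the episode or its show notes), the PowerShell below sets up the two things the episode walks through: Driver Verifier's special pool on a single suspect driver, and the keyboard-triggered crash used to capture a dump of a hung system. The driver name is a placeholder; run it from an elevated prompt, and both settings take effect after a reboot.

```powershell
# Added example (not from the episode): enable Driver Verifier special pool
# on one suspect driver and the keyboard crash trigger. Needs an elevated
# prompt; both settings apply after a reboot.

# Placeholder for the driver under suspicion (replace with the real binary name).
$SuspectDriver = 'SUSPECT_DRIVER.sys'

# 1. Driver Verifier: flag 0x1 is Special Pool. Each allocation is placed on
#    its own page next to an inaccessible guard page, so an overrun faults at
#    the instruction that writes past the buffer instead of silently
#    corrupting a neighbouring pool block. Limit it to the suspect driver;
#    verifying every driver costs far more memory and CPU.
& verifier.exe /flags 0x1 /driver $SuspectDriver

# Use '/standard' instead of '/flags 0x1' for Verifier's standard set of
# checks (special pool, pool tracking, IRQL checking and others).

# 2. Keyboard crash trigger (hold right Ctrl, press Scroll Lock twice).
#    PS/2 keyboards are served by i8042prt, USB keyboards by kbdhid.
foreach ($svc in 'i8042prt', 'kbdhid') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'CrashOnCtrlScroll' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

# 3. Confirm a kernel or complete dump is configured, otherwise the forced
#    crash leaves nothing for WinDbg to open. CrashDumpEnabled: 1 = complete,
#    2 = kernel, 3 = small (minidump), 7 = automatic.
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
Get-ItemProperty -Path $cc | Select-Object CrashDumpEnabled, DumpFile

# Review what Verifier will do on the next boot, and how to back it out:
& verifier.exe /querysettings
# & verifier.exe /reset     # clears all Verifier settings (reboot to apply)
```

Once the system crashes with special pool active, the stop code and `!analyze -v` output point at the writing instruction rather than at whichever driver later touched the corrupted block.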


The Discussion

  • JohnLudlow

    AppVerifier would seem like a good topic for next week.

  • windev

    @JohnLudlow: We are covering the basic commands for about 4 weeks and then will be doing Application Verifier. We thought of doing it straight away but decided to do the foundation stuff first.

  • JohnLudlow

    @windev: Hi Andrew. That makes sense. WinDbg is not a small topic, so it's good that you're covering it in detail.

    Thanks & keep up the good work.

  • pcgeek86

    You can use AutoHotkey to remap keyboard keys if you don't have a Scroll Lock key, or any others for that matter. Helpful if you don't have an external keyboard handy.

  • Debojyoti

    Thanks for the series of videos on WinDbg and Driver Verifier. I am finding them very useful in my day-to-day work.

    I have a doubt regarding Driver Verifier. If I am developing a WDF driver, a file system minifilter driver, or an NDIS filter driver, is it sufficient just to add my driver to Driver Verifier?

    For example, if I have an FS minifilter driver (which I want to test), do I need to put fltmgr.sys (or any other related drivers) in the Driver Verifier driver list?
