My head doesn't seem to work the way it used to. After about two months off, I feel like it has completely rusted over..
Occasionally, when I open a forced dump with !running -i -t, I find the one that is actually hogging the CPU. It's quite useful. (Usually it's idle that holds it.. ^^) But there are also cases where a single process occupies both CPUs. It's a fairly rare case, so I'm posting it.
But how should this one be analyzed??
Constraints
1. No symbols
2. Part of it is packed (virtualized), so reversing takes a long time
When that happens I just laugh... hehehe
Tomorrow I'll capture several dumps and check them more thoroughly..
1: kd> !running -i -t
System Processors 3 (affinity mask)
Idle Processors 0
Prcbs Current Next
0 ffdff120 88a2c4e8 …………….
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
b4845478 b34a05a9 xxxx+0x1214d
b4845494 b34a0731 xxxx+0x15a9
b48454c8 b34a3aab xxxx+0x1731
b48454fc b34a3bcc xxxx+0x4aab
b4845590 b466df70 xxxx+0x4bcc
b48455ac 804e33eb UDSecDrvXP+0x1f70
b48455bc b468d22e nt!IopfCallDriver+0x31
b4845608 b468f6f1 mfehidk+0x522e
b484569c b469d367 mfehidk+0x76f1
b48456ac b469d3b7 mfehidk+0x15367
b48456d4 804e33eb mfehidk!DEVICEDISPATCH::DispatchPassThrough+0x48
b48456e4 8057dbed nt!IopfCallDriver+0x31
b48457c4 8056f03b nt!IopParseDevice+0xa12
b484583c 80572358 nt!ObpLookupObjectName+0x53c
b4845890 8057e246 nt!ObOpenObjectByName+0xea
b484590c 80586cc8 nt!IopCreateFile+0x407
b4845954 b4692e3a nt!IoCreateFileSpecifyDeviceObjectHint+0x52
b48459f0 b4692a72 mfehidk+0xae3a
b4845a48 b4637046 mfehidk+0xaa72
b4845a98 b463785e mfeavfk+0x4046
1 f771f120 88aebda8 …………….
ChildEBP RetAddr
b4941334 ba7127fb nt!KeBugCheckEx+0x1b
b4941350 ba712033 i8042prt!I8xProcessCrashDump+0x237
b4941398 804dd90f i8042prt!I8042KeyboardInterruptService+0x21c
b4941398 b34b1154 nt!KiInterruptDispatch+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
b4941478 b34a05a9 xxxx+0x12154
b4941494 b34a0731 xxxx+0x15a9
b49414c8 b34a3aab xxxx+0x1731
b49414fc b34a3bcc xxxx+0x4aab
b4941590 b466df70 xxxx+0x4bcc
b49415ac 804e33eb UDSecDrvXP+0x1f70
b49415bc b468d22e nt!IopfCallDriver+0x31
b4941608 b468f6f1 mfehidk+0x522e
b494169c b469d367 mfehidk+0x76f1
b49416ac b469d3b7 mfehidk+0x15367
b49416d4 804e33eb mfehidk!DEVICEDISPATCH::DispatchPassThrough+0x48
b49416e4 8057dbed nt!IopfCallDriver+0x31
b49417c4 8056f03b nt!IopParseDevice+0xa12
b494183c 80572358 nt!ObpLookupObjectName+0x53c
b4941890 8057e246 nt!ObOpenObjectByName+0xea
b494190c 80586cc8 nt!IopCreateFile+0x407
1: kd> u iofcalldriver
nt!IofCallDriver:
804e33b9 ff2580d75580 jmp dword ptr [nt!pIofCallDriver (8055d780)]
804e33bf 90 nop
804e33c0 90 nop
804e33c1 90 nop
804e33c2 90 nop
804e33c3 90 nop
nt!IopfCallDriver:
804e33c4 fe4a23 dec byte ptr [edx+23h]
804e33c7 8a4223 mov al,byte ptr [edx+23h]
1: kd> dd 8055d780
8055d780 b34a3bc0 804e37da 804ecd58 804eceb1
8055d790 00000000 00000000 00000000 00000000
8055d7a0 00000000 00000000 00000000 00000000
8055d7b0 00000000 00000000 00000000 00000000
8055d7c0 00000000 00000000 00000000 00000000
8055d7d0 00000000 00000000 00000000 00000000
8055d7e0 00000000 00000000 00000000 00000000
8055d7f0 00000000 00000000 00000000 00000000
1: kd> u b34a3bc0
xxxx+0x4bc0:
b34a3bc0 8bc4 mov eax,esp
b34a3bc2 60 pushad
b34a3bc3 52 push edx
b34a3bc4 51 push ecx
b34a3bc5 ff30 push dword ptr [eax]
b34a3bc7 e80efeffff call xxxx+0x49da (b34a39da)
b34a3bcc 83f800 cmp eax,0
b34a3bcf 7407 je xxxx+0x4bd8 (b34a3bd8)
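As an added example (not part of the original post), here is a Python script that applies the two checks the session above walks through by hand to the kd> text: which module sits innermost on each CPU's stack once the kernel and keyboard crash-dump ISR frames are skipped, and whether the value stored in nt!pIofCallDriver resolves into nt or into the unnamed module. The embedded sample is a constructed, condensed copy of the session with the same addresses and offsets; it assumes kd's usual `ChildEBP RetAddr Symbol` frame layout and `u`/`dd` output formats.

```python
import re
# Constructed sample, condensed from the kd> session in the post (same addresses and offsets).
KD_TEXT = """\
1: kd> !running -i -t
0 ffdff120 88a2c4e8
b4845478 b34a05a9 xxxx+0x1214d
b48455ac 804e33eb UDSecDrvXP+0x1f70
1 f771f120 88aebda8
b4941334 ba7127fb nt!KeBugCheckEx+0x1b
b4941350 ba712033 i8042prt!I8xProcessCrashDump+0x237
b4941478 b34a05a9 xxxx+0x12154
1: kd> u iofcalldriver
804e33b9 ff2580d75580 jmp dword ptr [nt!pIofCallDriver (8055d780)]
1: kd> dd 8055d780
8055d780 b34a3bc0 804e37da 804ecd58 804eceb1
1: kd> u b34a3bc0
xxxx+0x4bc0:
"""
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (\S+)$")  # ChildEBP RetAddr Symbol
CPU_RE = re.compile(r"^(\d{1,2}) [0-9a-f]{8} [0-9a-f]{8}")  # Prcb Current Next

def per_cpu_stacks(kd_text):
    """Map each processor in the !running -i -t listing to the modules on its stack, top first."""
    stacks, cpu = {}, None
    for line in kd_text.splitlines():
        if "kd>" in line:
            cpu = None  # a new command ends the listing
        elif CPU_RE.match(line):
            cpu = int(line.split()[0])
            stacks[cpu] = []
        elif cpu is not None and FRAME_RE.match(line):
            stacks[cpu].append(re.split(r"[!+]", line.split()[2])[0])
    return stacks

def busy_module(frames, noise=("nt", "i8042prt")):
    return next((m for m in frames if m not in noise), None)  # skip kernel and crash-dump ISR frames

def iofcalldriver_target(kd_text):
    """Follow nt!IofCallDriver's jmp through nt!pIofCallDriver to the dd value and kd's label for it."""
    ptr = re.search(r"\[nt!pIofCallDriver \(([0-9a-f]{8})\)\]", kd_text).group(1)
    target = re.search(r"^%s ([0-9a-f]{8})" % ptr, kd_text, re.M).group(1)
    label = re.search(r"kd> u %s\n(\S+):" % target, kd_text)
    return int(target, 16), label.group(1) if label else None

def hook_report(kd_text):
    """Normally nt!pIofCallDriver holds nt!IopfCallDriver (nt!IovCallDriver under Driver Verifier)."""
    target, label = iofcalldriver_target(kd_text)
    return {"busy": {c: busy_module(f) for c, f in per_cpu_stacks(kd_text).items()},
            "pIofCallDriver_target": target, "target_label": label,
            "hooked": label is None or not label.startswith("nt!")}
```

On this session the report names xxxx as the busy module on both processors and flags nt!pIofCallDriver as hooked, because the pointer lands at xxxx+0x4bc0 rather than inside nt.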