I have summarized the dump analysis process for a 0xC2 BAD_POOL_CALLER crash below. There have been cases where this was caused by security software. If I have misunderstood anything, please advise.
[Environment]
Windows 2000 Server SP4
[Symptom]
A 0xC2 crash occurred and a memory dump was generated.
[Cause]
The bug check occurred because the laigodrv.sys driver attempted a double free: it tried to free a kernel memory pool block that had already been freed.
[Action Plan]
Stop using the laigodrv.sys driver, or contact the driver vendor to check whether the module has a bug.
[Analysis Result]
Kernel memory dump analysis
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000b8a, (reserved)
Arg3: e78bd540, Memory contents of the pool block
Arg4: e78bd548, Address of the block of pool being deallocated
-- Confirm that the block being freed is already marked Free
0: kd> !pool e78bd548
e78bd000 size: 420 previous size: 0 (Allocated) MmSt
e78bd420 size: 40 previous size: 420 (Free) ....
e78bd460 size: c0 previous size: 40 (Allocated) NtFs
*e78bd520 size: 60 previous size: c0 (Free) *BcMc
e78bd580 size: c0 previous size: 60 (Allocated) NtFs
e78bd640 size: 20 previous size: c0 (Free) RxFc
e78bd660 size: a0 previous size: 20 (Allocated) NtFs
e78bd700 size: c0 previous size: a0 (Allocated) NtFs
e78bd7c0 size: 360 previous size: c0 (Allocated) Ntff
e78bdb20 size: 20 previous size: 360 (Free) RxFc
e78bdb40 size: a0 previous size: 20 (Allocated) NtFs
e78bdbe0 size: 20 previous size: a0 (Free) BcMc
e78bdc00 size: a0 previous size: 20 (Allocated) NtFs
e78bdca0 size: 360 previous size: a0 (Allocated) Ntff
0: kd> kvL
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
b599f464 8046e20d e78bd548 00000000 b70fa70d nt!ExFreePoolWithTag+0x19b
b599f47c b70e428e e78bd548 22100003 e78bd548 nt!ExFreePool+0xb
b599f490 b7077e10 e78bd548 00000000 00000000 laigodrv+0x13f28e
b599f4c4 b7077035 e8ce4008 00000009 00000008 laigodrv+0xd2e10
b599f50c b7076def e8ce4008 e8051748 00000000 laigodrv+0xd2035
b599f524 b7073c14 e8ce4008 e8051748 22100005 laigodrv+0xd1def
b599f55c b70fb124 e8ce4008 e8051748 00000000 laigodrv+0xcec14
b599f58c b70fb03a e8ce4008 e8051748 00000001 laigodrv+0x156124
b599f5a8 b7122942 e8ce4008 00ffffff e8051748 laigodrv+0x15603a
b599f5dc b70f6793 e7338408 e756af48 e5b74a68 laigodrv+0x17d942
b599f638 b70f6002 e76fe668 8630e5e8 b599f660 laigodrv+0x151793
b599f668 b70f8571 e74b3a08 868fa6c8 b599f690 laigodrv+0x151002
b599f69c b70f5c2b e74a65a8 b599f6dc b70f569b laigodrv+0x153571
b599f6bc b70f56a1 e8296ba8 b599f6f8 00000003 laigodrv+0x150c2b
b599f6dc b70f943b e8c43668 85f0c008 b599f748 laigodrv+0x1506a1
b599f6f0 b6fafcd4 e8c43668 85f0c008 b599f748 laigodrv+0x15443b
b599f704 b6fc0a94 e8c43668 85f0c008 b599f748 laigodrv+0xacd4
b599f728 b6fc0964 e8461a08 00000000 85f0c008 laigodrv+0x1ba94
b599f754 b6fab176 e8461a08 85f0c008 00000000 laigodrv+0x1b964
b599f76c b7164187 e8461a08 85f0c008 00000000 laigodrv+0x6176
-- Identify the driver that called ExFreePool.
0: kd> ub b70e428e
laigodrv+0x13f278:
b70e4278 fc cld
b70e4279 8b4208 mov eax,dword ptr [edx+8]
b70e427c 50 push eax
b70e427d e80efcffff call laigodrv+0x13ee90 (b70e3e90)
b70e4282 8945f8 mov dword ptr [ebp-8],eax
b70e4285 8b4dfc mov ecx,dword ptr [ebp-4]
b70e4288 51 push ecx
b70e4289 e872640100 call laigodrv+0x155700 (b70fa700)
0: kd> dps ebp
b599f464 b599f47c
b599f468 8046e20d nt!ExFreePool+0xb
b599f46c e78bd548
b599f470 00000000
b599f474 b70fa70d laigodrv+0x15570d
b599f478 e78bd548
b599f47c b599f490
b599f480 b70e428e laigodrv+0x13f28e
b599f484 e78bd548
b599f488 22100003
b599f48c e78bd548
b599f490 b599f4c4
b599f494 b7077e10 laigodrv+0xd2e10
b599f498 e78bd548
b599f49c 00000000
b599f4a0 00000000
b599f4a4 e78bd548
b599f4a8 00000000
b599f4ac e3dcfce8
b599f4b0 e8ce4008
b599f4b4 00000014
b599f4b8 00000000
b599f4bc 00000000
b599f4c0 e74c2cd4
b599f4c4 b599f50c
b599f4c8 b7077035 laigodrv+0xd2035
b599f4cc e8ce4008
b599f4d0 00000009
b599f4d4 00000008
b599f4d8 e8051748
b599f4dc 00000400
b599f4e0 e69ea388
0: kd> !for_each_module s -a @#Base @#End "BcMc"
b6e44624 42 63 4d 63 8b 45 08 50-6a 01 ff 15 30 c3 f5 b6 BcMc.E.Pj...0...
b6f04057 42 63 4d 63 6a 38 6a 00-ff 15 30 c3 f5 b6 89 45 BcMcj8j...0....E
b70ccce4 42 63 4d 63 8b 45 08 50-6a 01 ff 15 3c 66 12 b7 BcMc.E.Pj...<f..
b70d1f87 42 63 4d 63 6a 38 6a 00-ff 15 3c 66 12 b7 89 45 BcMcj8j...<f...E
0: kd> lmvm laigodrv
start end module name
b6fa5000 b7155980 laigodrv (no symbols)
Loaded symbol image file: laigodrv.sys
Image path: \??\C:\WINNT\system32\drivers\laigodrv.sys
Image name: laigodrv.sys
Timestamp: Wed May 5 11:30:20 2010 (4BFCDC1C)
CheckSum: 001B62D4
ImageSize: 001B0980
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
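The same check the !pool walk above performs by eye, as an added example that is not part of the original post: parse the !pool listing, verify that each header's "previous size" and start address agree with its neighbour (a mismatch would point at pool header corruption rather than a plain double free), and report whether the block covering the address passed to ExFreePool is already Free. The sample input is constructed from the first lines of the listing quoted above; the parser and field names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first lines of the "!pool e78bd548" output shown above.
POOL_OUTPUT = """\
e78bd000 size: 420 previous size: 0 (Allocated) MmSt
e78bd420 size: 40 previous size: 420 (Free) ....
e78bd460 size: c0 previous size: 40 (Allocated) NtFs
*e78bd520 size: 60 previous size: c0 (Free) *BcMc
e78bd580 size: c0 previous size: 60 (Allocated) NtFs
e78bd640 size: 20 previous size: c0 (Free) RxFc
"""
# One !pool line: optional '*' marker, address, hex sizes, state, optional '*', 4-char tag.
LINE_RE = re.compile(
    r"^\*?(?P<addr>[0-9a-f]{8})\s+size:\s+(?P<size>[0-9a-f]+)\s+"
    r"previous size:\s+(?P<prev>[0-9a-f]+)\s+\((?P<state>\w+)\)\s+\*?(?P<tag>.{4})"
)

@dataclass
class PoolBlock:
    addr: int
    size: int
    prev_size: int
    state: str
    tag: str

def parse_pool(text):
    """Parse WinDbg !pool lines (all numeric fields are hex) into PoolBlock records."""
    blocks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            blocks.append(PoolBlock(int(m["addr"], 16), int(m["size"], 16),
                                    int(m["prev"], 16), m["state"], m["tag"]))
    return blocks

def broken_links(blocks):
    """Addresses whose header disagrees with its neighbour: each block must start
    where the previous one ends and carry that block's size as 'previous size'."""
    return [cur.addr for prev, cur in zip(blocks, blocks[1:])
            if cur.addr != prev.addr + prev.size or cur.prev_size != prev.size]

def classify_free(blocks, freed_addr):
    """Find the block covering the freed address; state == Free is the Arg1 == 7 case."""
    for b in blocks:
        if b.addr <= freed_addr < b.addr + b.size:
            return {"block": b.addr, "size": b.size, "state": b.state, "tag": b.tag,
                    "offset": freed_addr - b.addr, "double_free": b.state == "Free"}
    return None
```

For the dump above, classify_free(parse_pool(POOL_OUTPUT), 0xE78BD548) reports the Free BcMc block at e78bd520 with the freed address 0x28 bytes into it, which is consistent with the earlier free having been coalesced into a neighbouring free block.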
[References]
Bug Check 0xC2: BAD_POOL_CALLER
http://msdn.microsoft.com/en-us/library/ff560185(VS.85).aspx
Author: Lai Go / Date: 2010.05.31