0xC2 BAD POOL CALLER Crash 와 관련하여 덤프 분석 과정에 대해서 아래와 같이 정리하였습니다. 보안 소프트웨어에 의해 발생하는 사례가 있긴 했습니다. 잘못 이해하고 있는 부분이 있다면 조언을 부탁드립니다. 


[환경]
Windows 2000 Server SP4


[현상]
0xC2 Crash 발생 및 memory dump 생성


[원인]
laigodrv.sys 드라이버에 의해 이미 메모리에서 해제된(free) 커널 메모리 풀을 해제하려는 이중 해제를 시도하여 Bug Check 가 발생하였습니다.


[Action Plan]
laigodrv.sys 드라이버를 사용하지 않도록 하거나 해당 모듈에 버그가 있지 않은지 드라이버 공급자에게 문의하여 확인할 필요가 있습니다.


[분석결과]
커널 메모리 덤프 분석

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000b8a, (reserved)
Arg3: e78bd540, Memory contents of the pool block
Arg4: e78bd548, Address of the block of pool being deallocated


-- 해제하려는 블록이 이미 Free 되어 있음을 확인
0: kd> !pool e78bd548
 e78bd000 size:  420 previous size:    0  (Allocated)  MmSt
 e78bd420 size:   40 previous size:  420  (Free)       ....
 e78bd460 size:   c0 previous size:   40  (Allocated)  NtFs
*e78bd520 size:   60 previous size:   c0  (Free)      *BcMc
 e78bd580 size:   c0 previous size:   60  (Allocated)  NtFs
 e78bd640 size:   20 previous size:   c0  (Free)       RxFc
 e78bd660 size:   a0 previous size:   20  (Allocated)  NtFs
 e78bd700 size:   c0 previous size:   a0  (Allocated)  NtFs
 e78bd7c0 size:  360 previous size:   c0  (Allocated)  Ntff
 e78bdb20 size:   20 previous size:  360  (Free)       RxFc
 e78bdb40 size:   a0 previous size:   20  (Allocated)  NtFs
 e78bdbe0 size:   20 previous size:   a0  (Free)       BcMc
 e78bdc00 size:   a0 previous size:   20  (Allocated)  NtFs
 e78bdca0 size:  360 previous size:   a0  (Allocated)  Ntff


0: kd> kvL
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
b599f464 8046e20d e78bd548 00000000 b70fa70d nt!ExFreePoolWithTag+0x19b
b599f47c b70e428e e78bd548 22100003 e78bd548 nt!ExFreePool+0xb
b599f490 b7077e10 e78bd548 00000000 00000000 laigodrv+0x13f28e
b599f4c4 b7077035 e8ce4008 00000009 00000008 laigodrv+0xd2e10
b599f50c b7076def e8ce4008 e8051748 00000000 laigodrv+0xd2035
b599f524 b7073c14 e8ce4008 e8051748 22100005 laigodrv+0xd1def
b599f55c b70fb124 e8ce4008 e8051748 00000000 laigodrv+0xcec14
b599f58c b70fb03a e8ce4008 e8051748 00000001 laigodrv+0x156124
b599f5a8 b7122942 e8ce4008 00ffffff e8051748 laigodrv+0x15603a
b599f5dc b70f6793 e7338408 e756af48 e5b74a68 laigodrv+0x17d942
b599f638 b70f6002 e76fe668 8630e5e8 b599f660 laigodrv+0x151793
b599f668 b70f8571 e74b3a08 868fa6c8 b599f690 laigodrv+0x151002
b599f69c b70f5c2b e74a65a8 b599f6dc b70f569b laigodrv+0x153571
b599f6bc b70f56a1 e8296ba8 b599f6f8 00000003 laigodrv+0x150c2b
b599f6dc b70f943b e8c43668 85f0c008 b599f748 laigodrv+0x1506a1
b599f6f0 b6fafcd4 e8c43668 85f0c008 b599f748 laigodrv+0x15443b
b599f704 b6fc0a94 e8c43668 85f0c008 b599f748 laigodrv+0xacd4
b599f728 b6fc0964 e8461a08 00000000 85f0c008 laigodrv+0x1ba94
b599f754 b6fab176 e8461a08 85f0c008 00000000 laigodrv+0x1b964
b599f76c b7164187 e8461a08 85f0c008 00000000 laigodrv+0x6176


-- ExFreePool 함수를 호출한 드라이버를 확인합니다.
0: kd> ub b70e428e
laigodrv+0x13f278:
b70e4278 fc              cld
b70e4279 8b4208          mov     eax,dword ptr [edx+8]
b70e427c 50              push    eax
b70e427d e80efcffff      call    laigodrv+0x13ee90 (b70e3e90)
b70e4282 8945f8          mov     dword ptr [ebp-8],eax
b70e4285 8b4dfc          mov     ecx,dword ptr [ebp-4]
b70e4288 51              push    ecx
b70e4289 e872640100      call    laigodrv+0x155700 (b70fa700)


0: kd> dps ebp
b599f464  b599f47c
b599f468  8046e20d nt!ExFreePool+0xb
b599f46c  e78bd548
b599f470  00000000
b599f474  b70fa70d laigodrv+0x15570d
b599f478  e78bd548
b599f47c  b599f490
b599f480  b70e428e laigodrv+0x13f28e
b599f484  e78bd548
b599f488  22100003
b599f48c  e78bd548
b599f490  b599f4c4
b599f494  b7077e10 laigodrv+0xd2e10
b599f498  e78bd548
b599f49c  00000000
b599f4a0  00000000
b599f4a4  e78bd548
b599f4a8  00000000
b599f4ac  e3dcfce8
b599f4b0  e8ce4008
b599f4b4  00000014
b599f4b8  00000000
b599f4bc  00000000
b599f4c0  e74c2cd4
b599f4c4  b599f50c
b599f4c8  b7077035 laigodrv+0xd2035
b599f4cc  e8ce4008
b599f4d0  00000009
b599f4d4  00000008
b599f4d8  e8051748
b599f4dc  00000400
b599f4e0  e69ea388


0: kd> !for_each_module s -a @#Base @#End "BcMc"
b6e44624  42 63 4d 63 8b 45 08 50-6a 01 ff 15 30 c3 f5 b6  BcMc.E.Pj...0...
b6f04057  42 63 4d 63 6a 38 6a 00-ff 15 30 c3 f5 b6 89 45  BcMcj8j...0....E
b70ccce4  42 63 4d 63 8b 45 08 50-6a 01 ff 15 3c 66 12 b7  BcMc.E.Pj...<f..
b70d1f87  42 63 4d 63 6a 38 6a 00-ff 15 3c 66 12 b7 89 45  BcMcj8j...<f...E


0: kd> lmvm laigodrv
start    end        module name
b6fa5000 b7155980   laigodrv   (no symbols)          
    Loaded symbol image file: laigodrv.sys
    Image path: \??\C:\WINNT\system32\drivers\laigodrv.sys
    Image name: laigodrv.sys
    Timestamp:        Wed May 5 11:30:20 2010 (4BFCDC1C)
    CheckSum:         001B62D4
    ImageSize:        001B0980
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4



[참고자료]
Bug Check 0xC2: BAD_POOL_CALLER
http://msdn.microsoft.com/en-us/library/ff560185(VS.85).aspx


작성자 : Lai Go / 작성일자 : 2010.05.31

Posted by Lai Go