Question

I wrote a kernel driver that hooks into a process and hides a folder. This driver works very well, until I connect an external hard disk.

At this point, my OS (either Windows XP or Server 2003) crashes with a blue screen of death (BSOD).

What could be causing this crash, and how can I modify my driver to solve it?


Solution

There would be two ways in general:

  1. Post-mortem debugging. This is usually what you do when you have no local machine available to reproduce the crash. In this case you're inspecting the crash dump file (either full or mini dump).
  2. Live debugging. In this case, if you know the system is going to crash, you prepare one machine to control this machine using WinDbg and connect via serial or FireWire cable. The latter is much faster.

However, I agree that you give way too few details. You "hook"? Well, how? SSDT-hooking? Or do you use the proper way of writing a filter driver? If a filter driver, which model? Mini-filter or legacy filter?

I just noticed your comment that you hook "NtOpenProcess and NtQueryDirectoryFile", so it sounds like SSDT-hooking. What exactly are you doing in your implementation? I know plenty of drivers that do improper SSDT-hooking. It starts with the method used to get the hook in place and usually does not end with a daring implementation.

Please note that for live debugging WinDbg offers some fine features to transfer and load your latest driver version at boot time. So you can debug your latest version without extra preparation. The kernel debugger on the remote end and WinDbg on your machine will take care of it.

Also, you may want to post your question to the lists over at OSR (namely NTDEV).

OTHER TIPS

When developing kernel drivers, typically you want to test them in a virtual machine, with a kernel debugger connection (host is debugger, VM is debuggee). Some of the virtual machine environments provide direct support for debugging.

Afterward, of course, you need to debug on a variety of physical and virtual hardware.

You have posted almost no technical details of the BSOD, or how your code works, so it is impossible to provide a specific answer. As a general starting point, I would suggest you analyze the minidump to get some specifics of what went wrong to trigger the BSOD. Here is a good getting started guide.

http://forums.majorgeeks.com/showthread.php?p=1418737
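The workflow both answers describe (a kernel-debugger connection from a host to an XP/2003 debuggee, loading the latest driver build at boot with WinDbg's `.kdfiles`, and post-mortem triage of the minidump with `!analyze -v`), as an added WinDbg session that is not part of either answer. The driver name `mydriver.sys`, the named pipe `\\.\pipe\kd_xp`, the build directory, the map file and the dump path are all assumed placeholders; only the switches and debugger commands are real.

```windbg
$$ --- Debuggee (XP / Server 2003 guest): enable the kernel debugger in boot.ini ---
$$ Duplicate the existing [operating systems] entry and append the switches, then reboot into it:
$$   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (kd)" /fastdetect /debug /debugport=COM1 /baudrate=115200
$$ In the VM settings, map the guest's COM1 to a host named pipe (assumed name: \\.\pipe\kd_xp).

$$ --- Host: start WinDbg on the pipe before the guest boots (live debugging) ---
$$   windbg -k com:port=\\.\pipe\kd_xp,baud=115200,pipe,reconnect

$$ Once broken in (Ctrl+Break), point symbols at the driver's build output plus the Microsoft symbol server.
$$ Assumed build directory; the checked build carries the private symbols you want here.
.sympath C:\dev\mydriver\objchk_wxp_x86\i386;srv*C:\symbols*https://msdl.microsoft.com/download/symbols
.reload

$$ Serve the freshly built driver over the debugger link instead of the copy installed in the guest.
$$ Assumed map file C:\dev\kdfiles.map, whose contents are:
$$   map
$$   \SystemRoot\system32\drivers\mydriver.sys
$$   C:\dev\mydriver\objchk_wxp_x86\i386\mydriver.sys
.kdfiles C:\dev\kdfiles.map

$$ Break when the driver image loads so the hook installation can be stepped with symbols resolved.
sxe ld:mydriver.sys
g

$$ --- When the bugcheck hits (or when opening the dump afterwards) ---
$$ Post-mortem instead of live: windbg -z C:\dumps\Mini000000-01.dmp  (assumed path; the guest
$$ writes minidumps to %SystemRoot%\Minidump, and the .sympath / .reload lines above apply again)
!analyze -v              $$ bugcheck code, its four arguments, the faulting module and a stack
.bugcheck                $$ raw bugcheck code and parameters, for looking up the code's documented meaning
kv                       $$ the crashing thread's stack with frame pointers and raw args
lm kv m mydriver         $$ confirm which build of the driver was actually loaded (timestamp, path)
!devstack <device-obj>   $$ placeholder address from the arguments or stack: shows which drivers sit on the
                         $$ new disk's device stack, i.e. what your code ran against when the drive arrived
```

Two points worth checking in this session: `lm kv m mydriver` shows whether the guest really ran the build you just linked (a stale copy in `system32\drivers` is a common reason a fix "does not work"), and `!analyze -v` on the minidump names the bugcheck and the module it blames, which is the detail the answers above ask for. A minidump holds only the crashing thread's stack and module list; if that is not enough, switch the guest's Startup and Recovery setting to a kernel memory dump so `!devstack` and other object commands have the data they need.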

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow