Here are some of my own experiences analyzing dumps; personal opinion only.
After the system blue-screens, a hint is shown first:
You can also see it from the dump:
The MSDN bug check code reference for the blue screen: http://msdn.microsoft.com/en-us/library/windows/hardware/hh994433(v=vs.85).aspx
Look up 0x19 there:
0x00000019 BAD_POOL_HEADER
Then find the row where parameter 1 is 0x20:
Parameter 2: the pool entry that should have been found
Parameter 3: the next pool entry
Parameter 4: reserved
Cause: the pool block header size is corrupt.
Meaning the pool block header size is corrupt, so this should be a pool (kernel heap) allocation problem: most often a driver writing past the end of its own allocation and clobbering the header of the block that follows it. So on seeing 0x19 with parameter 1 = 0x20, my first reaction is that it was caused by a memory operation error. One caveat: the bug check fires when the pool manager notices the damage (usually when a block is freed), not in the code that did the overrun, so the module blamed can be the victim rather than the culprit; enabling Driver Verifier special pool on the suspect driver makes the overrun fault at the offending instruction instead.
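To see why a corrupt header size implicates the neighbouring allocation rather than the block named in the bug check, here is an added illustration (my own user-mode model, not kernel code and not part of the original write-up): a toy bump allocator with 8-byte headers laid out like the 32-bit POOL_HEADER, plus the consistency walk the pool manager performs on free. The tag values, the three sample allocations and the one-byte overrun are all constructed.

```c
/*
 * Simplified user-mode model of the 32-bit kernel pool, added to show why
 * BAD_POOL_HEADER (0x19) with parameter 1 = 0x20 usually means the owner of
 * the *previous* block wrote past its end. Not ntoskrnl code: the header
 * layout mirrors the x86 POOL_HEADER (8 bytes, sizes in 8-byte units), but
 * the allocator is a bump allocator and the pool is a 256-byte array.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GRAN            8u      /* pool granularity on x86 */
#define POOL_BYTES      256u    /* constructed tiny pool */
#define BAD_HEADER_SIZE 0x20u   /* BAD_POOL_HEADER parameter 1 for a corrupt header size */

typedef struct {
    uint16_t prev_and_index;    /* bits 0-8: PreviousSize, bits 9-15: PoolIndex */
    uint16_t size_and_type;     /* bits 0-8: BlockSize,    bits 9-15: PoolType  */
    uint32_t pool_tag;          /* four-character tag, e.g. 'Dmo1' */
} pool_header_t;

typedef struct {
    uint8_t  mem[POOL_BYTES];
    size_t   used_units;        /* 8-byte units handed out so far */
    uint16_t prev_units;        /* BlockSize of the most recent header */
} pool_t;

static uint16_t hdr_prev(const pool_header_t *h) { return h->prev_and_index & 0x1ff; }
static uint16_t hdr_size(const pool_header_t *h) { return h->size_and_type & 0x1ff; }
static const pool_header_t *hdr_at(const pool_t *p, size_t unit)
{
    return (const pool_header_t *)(p->mem + unit * GRAN);
}

static void pool_init(pool_t *p) { memset(p, 0, sizeof *p); }

/* Bump-allocate nbytes and write a header in front of the block, as ExAllocatePool does. */
static void *pool_alloc(pool_t *p, size_t nbytes, uint32_t tag)
{
    uint16_t units = (uint16_t)((sizeof(pool_header_t) + nbytes + GRAN - 1) / GRAN);
    if ((p->used_units + units) * GRAN > POOL_BYTES) return NULL;
    pool_header_t *h = (pool_header_t *)(p->mem + p->used_units * GRAN);
    h->prev_and_index = (uint16_t)(p->prev_units & 0x1ff);
    h->size_and_type  = (uint16_t)((units & 0x1ff) | (1u << 9));   /* PoolType 1 = NonPagedPool */
    h->pool_tag       = tag;
    p->prev_units  = units;
    p->used_units += units;
    return (uint8_t *)h + sizeof *h;
}

/*
 * Walk the chain the way the pool manager validates it: every header's BlockSize
 * must equal the PreviousSize recorded in the header that follows it. Returns 0 if
 * consistent, or BAD_HEADER_SIZE with *bad = the entry whose neighbour is wrong
 * ("the pool entry that should have been found") and *next = the damaged
 * neighbour ("the next pool entry"), mirroring the bug check parameters.
 */
static unsigned pool_check(const pool_t *p, const pool_header_t **bad, const pool_header_t **next)
{
    size_t unit = 0;
    *bad = *next = NULL;
    while (unit < p->used_units) {
        const pool_header_t *h = hdr_at(p, unit);
        if (hdr_size(h) == 0) { *bad = h; return BAD_HEADER_SIZE; }
        size_t nxt = unit + hdr_size(h);
        if (nxt >= p->used_units) break;                 /* last block, nothing follows it */
        const pool_header_t *n = hdr_at(p, nxt);
        if (hdr_prev(n) != hdr_size(h)) { *bad = h; *next = n; return BAD_HEADER_SIZE; }
        unit = nxt;
    }
    return 0;
}

/* Three neighbouring allocations, all written within bounds: the chain stays consistent. */
unsigned demo_clean(void)
{
    pool_t p; pool_init(&p);
    uint8_t *a = pool_alloc(&p, 16, 0x316F6D44);         /* 'Dmo1' */
    uint8_t *b = pool_alloc(&p, 24, 0x326F6D44);         /* 'Dmo2' */
    uint8_t *c = pool_alloc(&p, 40, 0x336F6D44);         /* 'Dmo3' */
    if (!a || !b || !c) return 0xffffffffu;
    memset(a, 'A', 16); memset(b, 'B', 24); memset(c, 'C', 40);
    const pool_header_t *bad, *next;
    return pool_check(&p, &bad, &next);
}

/* Same layout, but the owner of `a` writes one byte past its 16 bytes. That byte is the
   low byte of b's PreviousSize, so the walk reports 0x20 at a's header with b's header
   as "next": the victim is b, the culprit is whoever owns a. */
unsigned demo_off_by_one(void)
{
    pool_t p; pool_init(&p);
    uint8_t *a = pool_alloc(&p, 16, 0x316F6D44);
    uint8_t *b = pool_alloc(&p, 24, 0x326F6D44);
    if (!a || !b) return 0xffffffffu;
    a[16] = 0;                                           /* off-by-one overrun into b's header */
    const pool_header_t *bad, *next;
    unsigned code = pool_check(&p, &bad, &next);
    int located = (bad == hdr_at(&p, 0)) && (next == (const pool_header_t *)(b - sizeof(pool_header_t)));
    return (code == BAD_HEADER_SIZE && located) ? code : 0xfffffffeu;
}

int main(void)
{
    printf("clean pool check      -> 0x%x\n", demo_clean());
    printf("one-byte overrun check -> 0x%x (BAD_POOL_HEADER parameter 1)\n", demo_off_by_one());
    return 0;
}
```

The real check runs inside ExFreePool when b is released, long after a's owner did the damage, which is why the blamed module in the dump is so often innocent; special pool places each allocation at the end of its own page so the same off-by-one write faults immediately in the overrunning driver.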
Another common bug check is 0x50, PAGE_FAULT_IN_NONPAGED_AREA, which typically means an invalid address was accessed, for example:
_asm
{
    xor eax, eax
    mov [eax], eax
}
WinDbg analysis (with PDB symbols)
One thing to note: because this is a kernel dump, if you copy it to the host machine (not the virtual machine) you must set the symbol path to point at the kernel symbols matching the guest (if the VM runs XP, use XP symbols) plus the local PDB path of your driver, then .reload. The output below comes from !analyze -v.
Bugcheck 7E, {c0000005, f889b0d3, f8935b88, f8935884}: same as above, showing the bug check code and its four parameters (for 7E they are the exception code, the faulting address, the exception record and the context record).
0xc0000005: STATUS_ACCESS_VIOLATION, a memory access violation occurred (MSDN documents this status code).
Probably caused by: BSODCheck.sys (bsodcheck!ISEXITPROCESS+a3): the driver that caused the blue screen
FAULTING_IP:
bsodcheck!ISEXITPROCESS+a3 [e:\bsodcheck\bsodcheck.c @ +]
f889b0d3 8b08      mov     ecx,dword ptr [eax]: the actual instruction that raised the blue screen
CONTEXT:  f8935884 -- (.cxr 0xfffffffff8935884)
eax=00000014 ebx=00000000 ecx=80008138 edx=00000000 esi=e1b3129c edi=827743b8
eip=f889b0d3 esp=f8935c50 ebp=f8935c6c iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
This is the register context at the moment of the blue screen.
Put the two together: one is the crime scene (the faulting instruction), the other is the environment at the scene (the registers); combined, they make the case.
Analysis process:
1. mov ecx,dword ptr [eax]: the actual instruction that raised the blue screen
2. eax=00000014: from the context at the time of the crash, this is an invalid pointer value (it lies in the never-mapped first 64 KB)
3. Code:
kd> ub f889b0d3 L4
f889b0c8 8b11      mov     edx,dword ptr [ecx]
f889b0ca 8955f8    mov     dword ptr [ebp-8],edx
f889b0cd 8b45f8    mov     eax,dword ptr [ebp-8]
f889b0d0 0345ec    add     eax,dword ptr [ebp-14h]
kd> u f889b0c8 l30
f889b0c8 8b11      mov     edx,dword ptr [ecx]
f889b0ca 8955f8    mov     dword ptr [ebp-8],edx
f889b0cd 8b45f8    mov     eax,dword ptr [ebp-8]
f889b0d0 0345ec    add     eax,dword ptr [ebp-14h]
f889b0d3 8b08      mov     ecx,dword ptr [eax]
f889b0d5 894dfc    mov     dword ptr [ebp-4],ecx
4. dword ptr [ebp-8] is a local variable loaded into eax; the local variable dword ptr [ebp-14h] is then added to eax, and the result is dereferenced.
5. Matching this to the source: Segment = *(PULONG)((ULONG)SectionObject + SegmentOffset); this is the line that blue-screens.
6. Combined with the circumstances of the crime, ebp=f8935c6c:
kd> dd f8935c6c-8 L1
f8935c64  00000000
kd> dd f8935c6c-14 L1
f8935c58  00000014
So SectionObject (at ebp-8) is 0 and SegmentOffset (at ebp-14h) is 0x14; the sum is 0x14, dereferencing 0x14 as a pointer faults, and the system crashes. (WinDbg's default radix is 16, so -14 here means -0x14.)
//-------------------------------------------------------------------------------------------------------------------------
WinDbg analysis (without PDB, combined with IDA)
FOLLOWUP_IP: the crime scene
bsodcheck+10d3
f889b0d3 8b08      mov     ecx,dword ptr [eax]
CONTEXT:  f8935884 -- (.cxr 0xfffffffff8935884): the crime scene environment
eax=00000014 ebx=00000000 ecx=80008138 edx=00000000
esi=e1b3129c edi=827743b8 eip=f889b0d3 esp=f8935c50 ebp=f8935c6c iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
1. From the 7E bug check, the first parameter c0000005 looked up on MSDN is a memory access violation
2. View the assembly:
kd> u f889b0ca L4
bsodcheck+0x10ca:
f889b0ca 8955f8    mov     dword ptr [ebp-8],edx
f889b0cd 8b45f8    mov     eax,dword ptr [ebp-8]
f889b0d0 0345ec    add     eax,dword ptr [ebp-14h]
f889b0d3 8b08      mov     ecx,dword ptr [eax]      // crashes here
3. Take a signature at the crash location:
kd> u f889b0d3
bsodcheck+0x10d3:
f889b0d3 8b08      mov     ecx,dword ptr [eax]
f889b0d5 894dfc    mov     dword ptr [ebp-4],ecx
f889b0d8 8b55fc    mov     edx,dword ptr [ebp-4]
f889b0db 52        push    edx
The machine code is:
kd> db f889b0d3 f889b0db
f889b0d3  8b 08 89 4d fc 8b 55 fc-52                       ...M..U.R
4. Open the .sys in IDA, switch to text view, and search for the byte sequence 8B 08 89 4D FC 8B 55 FC 52
Search -> Sequence of bytes... (shortcut Alt+B)
Double-click the hit to jump to that code location; comparing it with the disassembly makes it clear which source code the crash site belongs to. Note that IDA shows ImageBase + RVA while WinDbg shows bsodcheck+10d3, so compare the offset from the module base, not the raw addresses.
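As an added example for steps 3 and 4 (my own code, not from this write-up): a byte-pattern search that does what IDA's Alt+B does, run over a constructed stand-in for the driver's .text bytes, plus the VA-to-module-offset arithmetic behind `bsodcheck+10d3`. It goes one step beyond the page by allowing wildcard bytes in the signature; the prologue and ret bytes surrounding the page's instructions are assumed filler, and the module base f889a000 is derived from f889b0d3 minus 0x10d3.

```c
/*
 * Locate the crash-site bytes in a raw driver image the way IDA's
 * "Search -> Sequence of bytes" does, and translate a faulting address into
 * the module-relative offset WinDbg prints when no PDB is available.
 * Added example; the image buffer is constructed, not dumped from a real .sys.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Pattern element: 0..255 for a fixed byte, -1 for a wildcard (IDA's "?"). */
long find_pattern(const uint8_t *buf, size_t len, const int *pat, size_t patlen)
{
    if (patlen == 0 || patlen > len) return -1;
    for (size_t i = 0; i + patlen <= len; i++) {
        size_t j = 0;
        while (j < patlen && (pat[j] < 0 || buf[i + j] == (uint8_t)pat[j])) j++;
        if (j == patlen) return (long)i;                /* first hit wins, as in IDA */
    }
    return -1;                                          /* not found */
}

/* FAULTING_IP f889b0d3 in a module loaded at f889a000 is bsodcheck+0x10d3. */
uint32_t module_offset(uint32_t crash_va, uint32_t module_base)
{
    return crash_va - module_base;
}

/* Constructed stand-in for the .text bytes of bsodcheck.sys: an assumed
   prologue, then the instruction bytes shown by `u` and `db` on the page. */
static const uint8_t sample_image[] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x14,   /* push ebp; mov ebp,esp; sub esp,14h (assumed) */
    0x8b, 0x11,                           /* mov edx,[ecx]                      f889b0c8 */
    0x89, 0x55, 0xf8,                     /* mov [ebp-8],edx                    f889b0ca */
    0x8b, 0x45, 0xf8,                     /* mov eax,[ebp-8]                    f889b0cd */
    0x03, 0x45, 0xec,                     /* add eax,[ebp-14h]                  f889b0d0 */
    0x8b, 0x08,                           /* mov ecx,[eax]   <- crash           f889b0d3 */
    0x89, 0x4d, 0xfc,                     /* mov [ebp-4],ecx                    f889b0d5 */
    0x8b, 0x55, 0xfc,                     /* mov edx,[ebp-4]                    f889b0d8 */
    0x52,                                 /* push edx                           f889b0db */
    0xc3,                                 /* ret (assumed)                               */
};

/* Exact bytes from `db f889b0d3 f889b0db`: 8b 08 89 4d fc 8b 55 fc 52 */
static const int exact_sig[] = { 0x8b, 0x08, 0x89, 0x4d, 0xfc, 0x8b, 0x55, 0xfc, 0x52 };

/* Same sequence with the two [ebp-4] displacement bytes wildcarded, so the
   signature survives a rebuild that reorders the local-variable slots. */
static const int loose_sig[]  = { 0x8b, 0x08, 0x89, 0x4d, -1, 0x8b, 0x55, -1, 0x52 };

/* A sequence that is not in the image at all. */
static const int absent_sig[] = { 0x8b, 0x08, 0xcc };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

long demo_find_exact(void)  { return find_pattern(sample_image, COUNT(sample_image), exact_sig,  COUNT(exact_sig));  }
long demo_find_loose(void)  { return find_pattern(sample_image, COUNT(sample_image), loose_sig,  COUNT(loose_sig));  }
long demo_find_absent(void) { return find_pattern(sample_image, COUNT(sample_image), absent_sig, COUNT(absent_sig)); }

int main(void)
{
    printf("exact signature at image offset %ld\n", demo_find_exact());     /* 17 */
    printf("wildcard signature at image offset %ld\n", demo_find_loose());  /* 17 */
    printf("absent signature -> %ld\n", demo_find_absent());                /* -1 */
    printf("f889b0d3 is bsodcheck+0x%x\n", module_offset(0xf889b0d3u, 0xf889a000u));
    return 0;
}
```

The offset 17 in the constructed buffer is 0xb past the `mov edx,[ecx]` at index 6, matching the page's f889b0c8 to f889b0d3 distance. When a signature matches more than once in a real image, take the hit whose RVA equals the WinDbg offset (0x10d3 here); file offsets differ from RVAs by the section's raw-pointer adjustment, which IDA already applies when it shows addresses.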