The Windows antivirus Cortex XDR Agent version 8.1.1 is active on my development machine. While taking a few snapshots of a specified process with CreateToolhelp32Snapshot, Cortex suddenly popped up the message Malicious tampering threat detected and the machine showed a BSOD.

After several hours of debugging, this is the minimal reproduction:
```c
// HeapTest.c - Release x64 build with Visual C++ 2022
// BSOD with Bug Check 0x139 in Cortex XDR
#include <windows.h>
#include <tlhelp32.h>

int main(void)
{
    // Snapshot the heap list of process ID 8456 (cytray.exe); this single
    // call is enough to trigger the bug check while Cortex XDR is active.
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPHEAPLIST, 8456);
    if (snap != INVALID_HANDLE_VALUE)
        CloseHandle(snap);
    return 0;
}
```
where process ID 8456 belongs to cytray.exe.

Windows created a minidump in %SystemRoot%\Minidump; opening it with the WinDbg debugger shows:
```text
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\090223-14718-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 22621 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xfffff807`72600000 PsLoadedModuleList = 0xfffff807`732130e0
Debug session time: Sat Sep 2 19:35:12.743 2023 (UTC - 4:00)
System Uptime: 0 days 5:06:37.745
Loading Kernel Symbols
...............................................................
................................................................
................................................................
....................................................
Loading User Symbols
Loading unloaded module list
...................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {a, 0, 0, fffff80772a2dfc0}
Probably caused by : Unknown_Image ( PAGE_NOT_ZERO )
Followup: MachineOwner
---------
*** Memory manager detected 178688 instance(s) of page corruption, target is likely to have memory corruption.
6: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Unknown bugcheck code (139)
Unknown bugcheck description
Arguments:
Arg1: 000000000000000a
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: fffff80772a2dfc0
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x139
PROCESS_NAME: HeapTest.exe
CURRENT_IRQL: 0
BAD_PAGES_DETECTED: 2ba00
LAST_CONTROL_TRANSFER: from fffff80772a3bf8e to fffff80772a31250
STACK_TEXT:
ffffa20c`050b6988 fffff807`72a3bf8e : 00000000`00000139 00000000`0000000a 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffa20c`050b6990 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!guard_icall_bugcheck+0x1e
STACK_COMMAND: kb
SYMBOL_NAME: PAGE_NOT_ZERO
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: PAGE_NOT_ZERO
Followup: MachineOwner
---------
*** Memory manager detected 178688 instance(s) of page corruption, target is likely to have memory corruption.
```
The prevention information reported by Cortex:

```text
OS version: 10.0.22621
Component: Anti Tampering Protection
Cortex XDR code: C04000AC
Prevention description: Malicious tampering threat detected
Verdict: 0
Quarantined: False
Post-Detected: False
Rule name: anti_tampering.8
```
This is most likely a bug in one of the following Cortex XDR drivers:

```text
C:\Program Files\Palo Alto Networks\Traps\cyverak.sys
C:\Program Files\Palo Alto Networks\Traps\cyvrmtgn.sys
C:\Program Files\Palo Alto Networks\Traps\cyvrfsfd.sys
C:\Program Files\Palo Alto Networks\Traps\tedrdrv.sys
C:\Program Files\Palo Alto Networks\Traps\tdevflt.sys
C:\Program Files\Palo Alto Networks\Traps\tedrpers-<version>.sys
C:\Windows\System32\drivers\telam.sys
```
Question

Out of curiosity, is there any way to identify the name of the faulty system driver?
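To show what the quoted `!analyze -v` block does and does not tell you, here is a small triage parser. It is an added example, not code from the question or from Palo Alto Networks; the sample text is an excerpt copied from the output above, the subcode table reproduces a handful of the FAST_FAIL_* values from winnt.h that the kernel passes as Arg1 of bug check 0x139, and the last check flags the thing `!analyze` also stumbled on: every frame on the stack is inside `nt`, so the mini dump itself names no third-party image.

```python
import re

# Excerpt of the !analyze -v output quoted in the question (copied, not invented).
SAMPLE = """\
BugCheck 139, {a, 0, 0, fffff80772a2dfc0}
BUGCHECK_STR: 0x139
PROCESS_NAME: HeapTest.exe
STACK_TEXT:
ffffa20c`050b6988 fffff807`72a3bf8e : 00000000`00000139 00000000`0000000a 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffa20c`050b6990 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!guard_icall_bugcheck+0x1e
STACK_COMMAND: kb
"""

# Arg1 subcodes of bug check 0x139 (KERNEL_SECURITY_CHECK_FAILURE); a subset
# of the FAST_FAIL_* constants from winnt.h, assumed to be reproduced correctly here.
FAST_FAIL = {
    0x0: "legacy /GS stack buffer overrun",
    0x1: "VTGuard: illegal virtual function table",
    0x2: "stack cookie check failure",
    0x3: "corrupt LIST_ENTRY",
    0x5: "invalid argument to a fatal-on-error function",
    0xA: "guard ICALL check failure (Control Flow Guard indirect call)",
}

def parse_bugcheck(text):
    """Pull the bug check code, its four arguments, the process and the stack frames."""
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if not m:
        raise ValueError("no BugCheck line in dump text")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    proc = re.search(r"^PROCESS_NAME:\s*(\S+)", text, re.M)
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            if line.startswith("STACK_COMMAND") or " : " not in line:
                break
            frames.append(line.rsplit(" : ", 1)[1].strip())  # symbol is the last column
    return {"code": code, "args": args, "process": proc.group(1) if proc else None, "frames": frames}

def frames_outside_nt(frames):
    """Frames whose module is not the kernel itself; empty means nothing to blame a driver on."""
    return [f for f in frames if not f.startswith("nt!")]

def describe(parsed):
    """One-line triage verdict for a 0x139 dump."""
    if parsed["code"] != 0x139:
        return "bug check 0x%X is not KERNEL_SECURITY_CHECK_FAILURE" % parsed["code"]
    sub = parsed["args"][0]
    reason = FAST_FAIL.get(sub, "unknown subcode 0x%X" % sub)
    culprit = frames_outside_nt(parsed["frames"])
    blame = culprit[0] if culprit else "no frame outside nt (mini dump cannot name the driver)"
    return "0x139/%#x: %s; process %s; %s" % (sub, reason, parsed["process"], blame)
```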
Without the driver's source code there is no reasonable way. The memory corruption is something that happened before the crash. This is really a debugging exercise that the driver developers have to work out.