The Windows antivirus Cortex XDR Agent version 8.1.1 is active on my development machine. While taking snapshots of some specified processes using CreateToolhelp32Snapshot, Cortex suddenly popped up a message saying Malicious tampering threat detected, followed by a BSOD.
After a few hours of debugging, here is the minimal reproduction:
// HeapTest.c - Release x64 build with Visual C++ 2022
// BSOD with Bug Check 0x139 in Cortex XDR
#include <windows.h>
#include <tlhelp32.h>

int main(void)
{
    // Snapshot the heap list of process 8456 (cytray.exe); the crash happens inside this call
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPHEAPLIST, 8456);
    if (hSnapshot != INVALID_HANDLE_VALUE)
        CloseHandle(hSnapshot);
    return 0;
}
where process ID 8456 belongs to cytray.exe.
Windows created a minidump in %SystemRoot%\Minidump, and I opened it with the WinDbg debugger.
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\090223-14718-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 22621 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xfffff807`72600000 PsLoadedModuleList = 0xfffff807`732130e0
Debug session time: Sat Sep 2 19:35:12.743 2023 (UTC - 4:00)
System Uptime: 0 days 5:06:37.745
Loading Kernel Symbols
...............................................................
................................................................
................................................................
....................................................
Loading User Symbols
Loading unloaded module list
...................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {a, 0, 0, fffff80772a2dfc0}
Probably caused by : Unknown_Image ( PAGE_NOT_ZERO )
Followup: MachineOwner
---------
*** Memory manager detected 178688 instance(s) of page corruption, target is likely to have memory corruption.
6: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Unknown bugcheck code (139)
Unknown bugcheck description
Arguments:
Arg1: 000000000000000a
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: fffff80772a2dfc0
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x139
PROCESS_NAME: HeapTest.exe
CURRENT_IRQL: 0
BAD_PAGES_DETECTED: 2ba00
LAST_CONTROL_TRANSFER: from fffff80772a3bf8e to fffff80772a31250
STACK_TEXT:
ffffa20c`050b6988 fffff807`72a3bf8e : 00000000`00000139 00000000`0000000a 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffa20c`050b6990 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!guard_icall_bugcheck+0x1e
STACK_COMMAND: kb
SYMBOL_NAME: PAGE_NOT_ZERO
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: PAGE_NOT_ZERO
Followup: MachineOwner
---------
*** Memory manager detected 178688 instance(s) of page corruption, target is likely to have memory corruption.
Based on the Cortex prevention information
OS version: 10.0.22621
Component: Anti Tampering Protection
Cortex XDR code: C04000AC
Prevention description: Malicious tampering threat detected
Verdict: 0
Quarantined: False
Post-Detected: False
Rule name: anti_tampering.8
it is most likely a bug in one of the following Cortex XDR drivers:
C:\Program Files\Palo Alto Networks\Traps\cyverak.sys
C:\Program Files\Palo Alto Networks\Traps\cyvrmtgn.sys
C:\Program Files\Palo Alto Networks\Traps\cyvrfsfd.sys
C:\Program Files\Palo Alto Networks\Traps\tedrdrv.sys
C:\Program Files\Palo Alto Networks\Traps\tdevflt.sys
C:\Program Files\Palo Alto Networks\Traps\tedrpers-<version>.sys
C:\Windows\System32\drivers\telam.sys
Question
Out of curiosity, is there a way to identify the name of the buggy .sys driver?
There is no reasonable way without the source code of the drivers. The memory corruption is something that happened before the crash. And it is a debugging exercise that would really require the driver developer to figure out.