Case 1: Analysis of a 0xEF CRITICAL_PROCESS_DIED blue screen

2024-08-19 19:00:08

Standard usage: .process /p /r <EPROCESS address>; !process <EPROCESS address> 7

Following https://cloud.tencent.com/developer/article/1927567, list the processes with !mex.tl:

For analysis of this file, run !analyze -v
34: kd> .load e:Mexmex.dll
Mex External 3.0.0.7172 Loaded!
34: kd> !mex.tl
PID            Address          Name
============== ================ ===========================
0x0    0n0     fffff80081924a00 Idle
0x4    0n4     ffffe58a846b7080 System
0x35c  0n860   ffffe58a847b6040 Registry
0x678  0n1656  ffffe58aa279f280 smss.exe
0x6f0  0n1776  ffffe58aa59c4140 csrss.exe
0x73c  0n1852  ffffe58aa58410c0 wininit.exe
0x744  0n1860  ffffed8bca699140 csrss.exe
0x784  0n1924  ffffed8bca6a6080 winlogon.exe
0x7cc  0n1996  ffffe58accb50200 services.exe
0x7f4  0n2036  ffffe58aa422c0c0 svchost.exe(-p)
0x810  0n2064  ffffed8bca7b02c0 fontdrvhost.exe
0x818  0n2072  ffffe58accb522c0 fontdrvhost.exe
0x870  0n2160  ffffe58accb65240 svchost.exe
0x8a4  0n2212  ffffe58aa42d20c0 svchost.exe
0x918  0n2328  ffffe58aa421f0c0 svchost.exe
0x91c  0n2332  ffffe58aa42630c0 svchost.exe
0x928  0n2344  ffffe58aa2fae0c0 svchost.exe
0x934  0n2356  ffffe58aa42960c0 svchost.exe
0x998  0n2456  ffffe58aa27340c0 svchost.exe
0x9a0  0n2464  ffffe58aa27990c0 svchost.exe
0x9a8  0n2472  ffffe58aa27aa0c0 svchost.exe
0xa04  0n2564  ffffe58aa28460c0 svchost.exe
0xa44  0n2628  ffffed8bca863180 dwm.exe
0xa98  0n2712  ffffe58aa2b570c0 svchost.exe
0xad0  0n2768  ffffe58aa2c020c0 svchost.exe
0xaf4  0n2804  ffffe58aa2c680c0 svchost.exe
0xb70  0n2928  ffffe58aa2fa20c0 svchost.exe
0xb90  0n2960  ffffe58aa428a0c0 svchost.exe
0xbe4  0n3044  ffffe58aa4cc80c0 svchost.exe
0xbec  0n3052  ffffe58aa4d020c0 svchost.exe
0x808  0n2056  ffffe58aa4d230c0 svchost.exe
0xc1c  0n3100  ffffe58aa4dc80c0 svchost.exe
0xc64  0n3172  ffffe58aa51c80c0 svchost.exe
0xc88  0n3208  ffffe58aa52440c0 svchost.exe
0xcb4  0n3252  ffffe58aa53020c0 svchost.exe
0xd64  0n3428  ffffe58aa5b020c0 svchost.exe
0xd6c  0n3436  ffffe58aa5b230c0 svchost.exe
0xd74  0n3444  ffffe58aa5b440c0 svchost.exe
0xdd0  0n3536  ffffe58aa43cc0c0 svchost.exe
0xde8  0n3560  ffffe58accaad0c0 svchost.exe
0xe0c  0n3596  ffffe58accb020c0 svchost.exe
0xe68  0n3688  ffffe58aa438a0c0 svchost.exe
0xf28  0n3880  ffffe58aa2f6d0c0 svchost.exe
0xf44  0n3908  ffffe58aa4266080 svchost.exe
0xf68  0n3944  ffffe58aa3dc30c0 svchost.exe
0x1128 0n4392  ffffe58aa2955080 svchost.exe
0x1130 0n4400  ffffe58aa2966080 svchost.exe
0x113c 0n4412  ffffe58aa29bb080 svchost.exe
0x1144 0n4420  ffffe58aa2a88080 svchost.exe
0x115c 0n4444  ffffe58aa29dd080 svchost.exe
0x1164 0n4452  ffffe58aa2a55080 svchost.exe
0x116c 0n4460  ffffe58aa2f8f080 svchost.exe
0x1174 0n4468  ffffe58a90db1080 svchost.exe
0x1178 0n4472  ffffe58aa2fb1080 svchost.exe
0x1184 0n4484  ffffe58aa2fa0080 svchost.exe
0x11b4 0n4532  ffffe58aa2c33080 winvnc.exe
0x11c4 0n4548  ffffe58aa2d52080 vpnclient_x64.exe
0x11dc 0n4572  ffffe58aa2fc2080 vm3dservice.exe
0x1208 0n4616  ffffe58aa2c44080 svchost.exe
0x1244 0n4676  ffffe58aa5584080 MsMpEng.exe
0x12c8 0n4808  ffffe58aa5684080 svchost.exe
0x1310 0n4880  ffffe58aa5321080 svchost.exe
0x1350 0n4944  ffffe58a846ba080 svchost.exe
0x1370 0n4976  ffffed8bcaba5080 vm3dservice.exe
0x12b4 0n4788  ffffe58aa5421080 svchost.exe
0x1480 0n5248  ffffe58aa40430c0 svchost.exe
0x1a94 0n6804  ffffe58aa4192080 rlm.foundry.exe
0x1bc0 0n7104  ffffe58acccd6200 svchost.exe
0x1cc4 0n7364  ffffe58accebc240 WmiPrvSE.exe
0x1e50 0n7760  ffffe58acd06f080 SearchIndexer.exe
0x1ee4 0n7908  ffffe58acd0c3080 AggregatorHost.exe
0x1f84 0n8068  ffffe58acd11c080 svchost.exe
0x1c38 0n7224  ffffed8bcacaa0c0 winvnc.exe
0x1e7c 0n7804  ffffe58acd26c080 svchost.exe
0x2200 0n8704  ffffe58acd2e3080 NisSrv.exe
0x226c 0n8812  ffffe58acd2e4080 svchost.exe
0x2284 0n8836  ffffed8bcd21b080 sihost.exe
0x22bc 0n8892  ffffe58aa53c6080 svchost.exe
0x22e0 0n8928  ffffe58acd3020c0 MicrosoftEdgeUpdate.exe*32
0x2318 0n8984  ffffe58acd31a080 taskhostw.exe
0x2398 0n9112  ffffe58acd31f080 svchost.exe
0x23b4 0n9140  ffffe58acd320080 svchost.exe
0x23f4 0n9204  ffffe58acd3dc080 ctfmon.exe
0x2458 0n9304  ffffe58acd40f080 svchost.exe
0x24d4 0n9428  ffffed8bcd337080 explorer.exe
0x2558 0n9560  ffffe58acd489080 ChsIME.exe
0x2604 0n9732  ffffe58acd52f080 svchost.exe
0x26c8 0n9928  ffffe58aa29aa080 StartMenuExperienceHost.exe
0x270c 0n9996  ffffe58acd5f3080 svchost.exe
0x2768 0n10088 ffffe58acd6cf080 RuntimeBroker.exe
0x22f8 0n8952  ffffe58acd722080 SearchApp.exe
0x25e8 0n9704  ffffe58acd7560c0 RuntimeBroker.exe
0x2934 0n10548 ffffe58acd7c2080 RuntimeBroker.exe
0x2ad8 0n10968 ffffe58acd27d080 TextInputHost.exe
0x2b50 0n11088 ffffe58acd6de240 svchost.exe
0x2bb4 0n11188 ffffe58acd6e1080 MoUsoCoreWorker.exe
0x24e8 0n9448  ffffe58acd890080 SecurityHealthSystray.exe
0x2c20 0n11296 ffffe58acd7ea080 SecurityHealthService.exe
0x2c98 0n11416 ffffe58acd8710c0 vpnclient_x64.exe
0x2ce0 0n11488 ffffe58acdb7a080 msedge.exe
0x2cf8 0n11512 ffffe58acdb8d080 msedge.exe
0x2f70 0n12144 ffffe58acd9bc080 msedge.exe
0x2f78 0n12152 ffffe58acdd26080 msedge.exe
0x2f8c 0n12172 ffffe58acde350c0 msedge.exe
0x31a4 0n12708 ffffe58acdcf1080 svchost.exe
0x3224 0n12836 ffffe58acdc82080 vpncmgr_x64.exe
0x3298 0n12952 ffffe58acddb2080 cmd.exe
0x32a0 0n12960 ffffed8bcdd62200 conhost.exe
0x32ec 0n13036 ffffed8bcdd670c0 java.exe
0x32f4 0n13044 ffffed8bcdd780c0 jusched.exe*32
0x35d4 0n13780 ffffe58acdd9e080 svchost.exe
0x35b0 0n13744 ffffed8bca605240 rlm.foundry.exe
0xaa4  0n2724  ffffe58acddc4080 conhost.exe
0x3728 0n14120 ffffe58acdc3b080 cmd.exe
0x1b38 0n6968  ffffe58acdc3c080 cmd.exe
0x24dc 0n9436  ffffe58acdd7d080 conhost.exe
0x24c0 0n9408  ffffed8bcdfcb200 conhost.exe
0x2ab0 0n10928 ffffed8bcdd6a200 watcher.exe
0x2ab8 0n10936 ffffe58acdcde340 process-controller.exe*32
0x243c 0n9276  ffffe58acdbfb300 cmd.exe
0x22dc 0n8924  ffffe58acd313080 cmd.exe
0x31f8 0n12792 ffffe58acd9f02c0 conhost.exe
0x31cc 0n12748 ffffed8bcdfee200 conhost.exe
0x34fc 0n13564 ffffe58acdcf6080 vds.exe
0x354c 0n13644 ffffe58acd91a080 WmiPrvSE.exe
0x352c 0n13612 ffffe58acd488080 java.exe
0x1b18 0n6936  ffffe58acd862080 taskhostw.exe
0x32e0 0n13024 ffffed8bce4d1200 get_wmi_exporter.exe
0x3708 0n14088 ffffed8bce652200 get_wmi_exporter.exe
0xcd0  0n3280  ffffe58acdbe6080 svchost.exe
0x3254 0n12884 ffffe58acdc1c340 svchost.exe
0x3ac4 0n15044 ffffe58acd9ea300 SgrmBroker.exe
0x3b1c 0n15132 ffffe58acdc8d340 svchost.exe
0x3b50 0n15184 ffffe58ace0db340 svchost.exe
0x3bdc 0n15324 ffffe58acd982340 svchost.exe
0x3944 0n14660 ffffe58ace5710c0 windows_exporter.exe
0x2268 0n8808  ffffe58acf8ea080 svchost.exe
0x10e8 0n4328  ffffe58aa2bdf0c0 UserOOBEBroker.exe
0x38d0 0n14544 ffffe58acd487080 sesinetd.exe
0x29f8 0n10744 ffffe58acdd212c0 hserver.exe*32
0x35e0 0n13792 ffffe58acf8f3080 rlm.exe
0x1f04 0n7940  ffffed8bd43fc340 conhost.exe
0x30e8 0n12520 ffffed8bd4b53340 rlm.exe
0x3aac 0n15020 ffffed8bd181c200 hython.exe
0x230c 0n8972  ffffe58acceae0c0 svchost.exe
0x3e04 0n15876 ffffe58acdddc080 taskhostw.exe
0x2628 0n9768  ffffed8bcf92d200 ADPClientService.exe
0x3c2c 0n15404 ffffed8bcf930200 conhost.exe
0x13e8 0n5096  ffffed8bd2a9b200 cmd.exe
0x1344 0n4932  ffffed8bd2a9e200 pskill64.exe
============== ================ ===========================
PID            Address          Name

The process listing only tells you so much; if there are really no leads, it does no harm to walk through the suspicious processes one by one with the standard usage from the beginning:

0x1344 0n4932  ffffed8bd2a9e200 pskill64.exe

.process /p /r ffffed8bd2a9e200; !process ffffed8bd2a9e200 7

In this case, the !process output for pskill64.exe shows:

        Owning Process            ffffed8bd2a9e200       Image:         pskill64.exe
        Attached Process          ffffe58aa422c0c0       Image:         svchost.exe

Following the parent process upward step by step, the call path finally turned out to be:

process-controller.exe -> hython.exe -> cmd.exe -> pskill64.exe
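As an added example (not code from the original post), the walk described above automated over captured debugger output: it parses the !mex.tl rows, emits the post's fixed `.process /p /r X; !process X 7` pair for each process, and follows ParentCid links from pskill64.exe back up to the root. The !mex.tl rows are copied from the listing above; the ParentCid values are constructed assumptions, not values from the original dump.

```python
import re

# Constructed sample of `!mex.tl` output: rows copied from the post's listing
# (same PIDs, EPROCESS addresses and image names), header kept as printed.
MEX_TL_SAMPLE = """\
PID            Address          Name
============== ================ ===========================
0x2ab8 0n10936 ffffe58acdcde340 process-controller.exe*32
0x3aac 0n15020 ffffed8bd181c200 hython.exe
0x13e8 0n5096  ffffed8bd2a9b200 cmd.exe
0x1344 0n4932  ffffed8bd2a9e200 pskill64.exe
"""

# Constructed `!process <addr> 7` header lines; the ParentCid values are an
# assumption chosen to reproduce the post's path, not values from the dump.
PROCESS_HEADERS = """\
PROCESS ffffed8bd2a9e200
    SessionId: 1  Cid: 1344    Peb: 00000000  ParentCid: 13e8
PROCESS ffffed8bd2a9b200
    SessionId: 1  Cid: 13e8    Peb: 00000000  ParentCid: 3aac
PROCESS ffffed8bd181c200
    SessionId: 1  Cid: 3aac    Peb: 00000000  ParentCid: 2ab8
PROCESS ffffe58acdcde340
    SessionId: 1  Cid: 2ab8    Peb: 00000000  ParentCid: 0
"""

ROW_RE = re.compile(r"^(0x[0-9a-f]+)\s+0n\d+\s+([0-9a-f]{16})\s+(\S+)", re.M)
CID_RE = re.compile(r"Cid:\s*([0-9a-f]+)\s.*?ParentCid:\s*([0-9a-f]+)")

def parse_mex_tl(text):
    """Map PID -> (EPROCESS address, image name); '*32' marks WOW64 and is dropped."""
    return {int(p, 16): (a, n.removesuffix("*32")) for p, a, n in ROW_RE.findall(text)}

def parse_parent_cids(text):
    """Map PID -> ParentCid from the header lines of !process output."""
    return {int(c, 16): int(p, 16) for c, p in CID_RE.findall(text)}

def triage_commands(procs):
    """The post's fixed pair, '.process /p /r X; !process X 7', for every process."""
    return [f".process /p /r {a}; !process {a} 7" for a, _ in procs.values()]

def ancestry(pid, procs, parents):
    """Walk ParentCid links upward; stops at a parent missing from the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # seen guards against reused PIDs
        seen.add(pid)
        chain.append(procs[pid][1])
        pid = parents.get(pid, 0)
    return chain[::-1]  # root first: process-controller.exe ... pskill64.exe
```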

Actually, in this case TerminateAllThreads / TerminateProcess was visible right from the start:

a single !thread -1 on the current thread is enough.
