I have some crash dumps caused by stack overruns. The driver is compiled with /GS, so when the security cookie is corrupted it triggers a bugcheck. That is not surprising. However, the arguments are:
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: ffffd000a91557dd, Actual security check cookie from the stack
Arg2: 00008505f890dcd0, Expected security check cookie
Arg3: ffffd466d2205dcd, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Note that Arg2 != ~Arg3. In all similar crash dumps I have seen, they have always matched.
The security check cookie is computed by XORing ___security_cookie with the return address. Then, at check time, it computes the same thing. I always assumed the complement was there for redundancy, since they always return 4 arguments.
What does it mean when the expected cookie and its complement do not match?
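As an added illustration (not code from the post or from Microsoft's CRT), a small C model of the /GS cookie pair and the failure report: the cookie and its complement live as two separate globals, so the relation Arg3 == ~Arg2 is an invariant of that pair rather than of the per-frame canary, and a dump can be triaged against it. The g_ names, the seed, the frame address, and the choice of the frame address as the mixing value are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the two /GS runtime globals. Real MSVC names are __security_cookie and
 * __security_cookie_complement; the g_ names below are this example's own. */
static uint64_t g_security_cookie;
static uint64_t g_security_cookie_complement;

/* A correctly initialised pair always satisfies complement == ~cookie. */
void gs_init_cookie(uint64_t seed) {
    g_security_cookie = seed;
    g_security_cookie_complement = ~seed;
}

/* Per-frame canary: the global cookie mixed with a frame-specific value
 * (this model uses the frame address as that value; an assumption). */
uint64_t gs_frame_cookie(uint64_t frame_value) { return g_security_cookie ^ frame_value; }

/* The four DRIVER_OVERRAN_STACK_BUFFER arguments, in the order the post shows. */
typedef struct { uint64_t arg1, arg2, arg3, arg4; } gs_report_t;
/* Epilogue check: un-mix the slot and compare with the global. Returns true when the
 * frame is intact; otherwise fills in the report the bugcheck would carry. */
bool gs_check_cookie(uint64_t slot_value, uint64_t frame_value, gs_report_t *out) {
    uint64_t actual = slot_value ^ frame_value;
    if (actual == g_security_cookie) return true;
    out->arg1 = actual;                        /* cookie found on the stack */
    out->arg2 = g_security_cookie;             /* expected cookie */
    out->arg3 = g_security_cookie_complement;  /* complement as currently stored */
    out->arg4 = 0;
    return false;
}

/* Dump triage: the invariant the post relies on, Arg3 == ~Arg2. */
bool gs_report_consistent(const gs_report_t *r) { return r->arg3 == ~r->arg2; }

/* The values quoted in the post, for comparison with a healthy report. */
static const gs_report_t post_report = {
    0xffffd000a91557ddULL, 0x00008505f890dcd0ULL, 0xffffd466d2205dcdULL, 0 };

int main(void) {
    gs_report_t r;
    gs_init_cookie(0x00002b992ddfa232ULL);          /* constructed seed value */
    uint64_t frame = 0xfffff80012345000ULL;         /* constructed frame address */
    uint64_t slot = gs_frame_cookie(frame) ^ 0x41;  /* simulate a one-byte overrun */
    bool overrun = !gs_check_cookie(slot, frame, &r);
    printf("simulated overrun=%d consistent=%d\n", overrun, gs_report_consistent(&r));
    printf("post's report consistent=%d\n", gs_report_consistent(&post_report));
    return 0;
}
```

In the simulated overrun the pair still passes the check, because only the frame's slot was damaged; the post's values fail it, which points at the stored pair rather than at the frame.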