July 2016

A strange problem with Nvidia's CoProcManager DLL

Recently I noticed that opening Edge, Taskmgr, and even Process Explorer and Process Monitor would crash for no apparent reason, which was really getting in the way; fortunately WinDbg did not crash when opened. So, after a program crashed and while the WerFault dialog was still up, I attached WinDbg to the process, ran ~*k to dump the call stacks of all threads, and found the one thread that had triggered the crash.

(screenshot: crash01.png)

You can see that nvd3d9wrapx.dll inserted itself into the RtlExitUserThread -> LdrShutdownThread -> LdrpCallInitRoutine sequence, and just as this thread was about to exit, its initialise routine stepped in and crashed it outright. (LdrShutdownThread calling LdrpCallInitRoutine is the loader delivering the thread-detach notification to each loaded DLL's entry point, so the fault happens in this DLL's handling of a thread exiting. Note that only export symbols are available for this module, so the names WinDbg shows, initialise and setDeviceHandle, are the nearest exported symbols and not necessarily the real function names.)

0:010> k
Child-SP          RetAddr           Call Site
0000006f`0c3fd568 00007ffe`ea443b4f ntdll!NtWaitForMultipleObjects+0x14
0000006f`0c3fd570 00007ffe`ea443a4e KERNELBASE!WaitForMultipleObjectsEx+0xef
0000006f`0c3fd870 00007ffe`ec43278f KERNELBASE!WaitForMultipleObjects+0xe
0000006f`0c3fd8b0 00007ffe`ec4322a2 KERNEL32!WerpReportFaultInternal+0x4ab
0000006f`0c3fde60 00007ffe`ea4c7ee7 KERNEL32!WerpReportFault+0x52
0000006f`0c3fde90 00007ffe`ed5cd998 KERNELBASE!UnhandledExceptionFilter+0x277
0000006f`0c3fdf90 00007ffe`ed5b5b26 ntdll!RtlUserThreadStart$filt$0+0x3e
0000006f`0c3fdfd0 00007ffe`ed5c9afd ntdll!_C_specific_handler+0x96
0000006f`0c3fe040 00007ffe`ed554fe9 ntdll!RtlpExecuteHandlerForException+0xd
0000006f`0c3fe070 00007ffe`ed5c8c0a ntdll!RtlDispatchException+0x3a9
0000006f`0c3fe780 00007ffe`e7749cde ntdll!KiUserExceptionDispatch+0x3a
0000006f`0c3fee98 00007ffe`e7750ee2 nvd3d9wrapx!initialise+0x3fe
0000006f`0c3ff5a8 00007ffe`ed5352c8 nvd3d9wrapx!setDeviceHandle+0x5832
0000006f`0c3ff618 00007ffe`ed532bf1 ntdll!LdrpCallInitRoutine+0x4c
0000006f`0c3ff678 00007ffe`ed57c62e ntdll!LdrShutdownThread+0x151
0000006f`0c3ff778 0000006f`0c3ff7ef ntdll!RtlExitUserThread+0x3e
0000006f`0c3ff7b8 00000000`00001000 0x0000006f`0c3ff7ef
0000006f`0c3ff7c0 0000019f`00000000 0x1000
0000006f`0c3ff7c8 00007ffe`ec4532a0 0x0000019f`00000000
0000006f`0c3ff7d0 0000019f`1fa100cb KERNEL32!VirtualFreeStub
0000006f`0c3ff7d8 0000019f`1fa10081 0x0000019f`1fa100cb
0000006f`0c3ff7e0 00000000`00001000 0x0000019f`1fa10081
0000006f`0c3ff7e8 00d5ffcf`8b49d3ff 0x1000
0000006f`0c3ff7f0 0000006f`0c3ff7e8 0x00d5ffcf`8b49d3ff
0000006f`0c3ff7f8 0000019f`1fa10000 0x0000006f`0c3ff7e8
0000006f`0c3ff800 00000000`00000000 0x0000019f`1fa10000

Let's look at where it lives:

0:010> lm vm nvd3d9wrapx
start             end                 module name
00007ffe`e7740000 00007ffe`e777a000   nvd3d9wrapx   (export symbols)       F:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
    Loaded symbol image file: F:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
    Image path: F:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
    Image name: nvd3d9wrapx.dll
    Timestamp:        Fri Jun 03 10:51:18 2016 (5750F0A6)
    CheckSum:         00037FD6
    ImageSize:        0003A000
    File version:     10.18.13.6839
    Product version:  10.18.13.6839
    File flags:       8 (Mask 3F) Private
    File OS:          40004 NT Win32
    File type:        3.4 Driver
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      NVIDIA Corporation
    ProductName:      NVIDIA D3D shim drivers
    InternalName:     nvd3d9wrap
    OriginalFilename: nvd3d9wrap.dll
    ProductVersion:   10.18.13.6839
    FileVersion:      10.18.13.6839
    FileDescription:  NVIDIA d3d9wrap dll, Version 368.39 
    LegalCopyright:   (C) 2016 NVIDIA Corporation. All rights reserved.

Looking into it, something even stranger turned up: this file's digital signature is self-signed, while the signatures on the other files were all issued by a normal CA. At first I thought I had been infected, until I saw that the DLL dropped by the package from Nvidia's official website is self-signed as well, at which point I just gave up. You might as well not sign it at all; it made me think it was a virus.

(screenshot: crash02.png)
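To reproduce the signature check described above without clicking through each file's properties dialog, here is an added PowerShell example (not from the original post or from Nvidia) that walks the CoProcManager directory shown in the lm output, and for every DLL reports the Authenticode status, whether the signer certificate is self-signed (subject equals issuer), and whether a chain to a trusted root can be built. The directory path is assumed to be the one on this machine; adjust it for yours.

```powershell
# Added example, not part of the original post. Flags DLLs whose Authenticode
# signer is self-signed or does not chain to a trusted root.
# Assumption: the directory is the one shown in the WinDbg lm output above.
$dir = 'F:\Program Files\NVIDIA Corporation\CoProcManager'

function Test-DllSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $selfSigned = $false
    $chainOk    = $false

    if ($cert) {
        # A self-signed certificate is its own issuer.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        # Try to build a chain to a trusted root in the local store; skip
        # revocation lookups so the check works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
    }

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status        # Valid, NotSigned, UnknownError (untrusted root), ...
        SelfSigned = $selfSigned
        ChainOk    = $chainOk
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
    }
}

Get-ChildItem -Path $dir -Filter *.dll -Recurse |
    ForEach-Object { Test-DllSigner -Path $_.FullName } |
    Sort-Object SelfSigned, ChainOk -Descending |
    Format-Table -AutoSize
```

A DLL from a vendor package should show Status Valid, SelfSigned False and ChainOk True; a row with SelfSigned True is exactly the case the post ran into, and is indistinguishable from an unsigned file as far as trust goes.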