6 posts in 'Programing/Kernel'
- 2011.07.06 Things to watch out for when inline hooking
- 2011.07.04 How to force a system memory dump
- 2011.06.29 NTSTATUS Error Table
- 2011.06.29 Attaching Windbg to a Virtual PC guest OS (Windows Vista or later)
- 2011.06.29 DriverEntry - debugging from the driver entry point
- 2011.06.24 Things to watch out for when reading or writing win32k.sys memory
Programing/Kernel 2011. 7. 6. 14:06
Programing/Kernel 2011. 7. 4. 13:29
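1. Open Start - Run and launch regedit.
2. Go to HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/i8042prt/Parameters and create a new DWORD value named CrashOnCtrlScroll. Set its value to 1.
3. Go to HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/kbdhid/Parameters and, as in step 2, create a new DWORD value named CrashOnCtrlScroll. Set its value to 1.
4. Configure the kernel memory dump setting in the system settings (based on XP).
4-1. Right-click My Computer -> Properties to open System Properties.
4-2. On the Advanced tab, click Settings in the Startup and Recovery section.
4-3. Under System failure, change Write debugging information to 'Complete memory dump'.
5. Reboot the system.
With this configuration, holding down the right Ctrl key and pressing Scroll Lock twice forces a BSOD, and a full dump is written.
The dump is written to the file C:\Windows\MEMORY.dmp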
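The registry side of steps 2 to 4 can also be applied and checked from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes that the 'Complete memory dump' choice in step 4-3 is stored as CrashDumpEnabled = 1 under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Run elevated.
# Assumption: 'Complete memory dump' (step 4-3) is CrashDumpEnabled = 1
# under Control\CrashControl. Function names below are hypothetical.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$Settings = @(
    # Step 2: PS/2 keyboard port driver
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'; Name = 'CrashOnCtrlScroll'; Value = 1 },
    # Step 3: USB (HID) keyboard driver
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'; Name = 'CrashOnCtrlScroll'; Value = 1 },
    # Step 4: dump type (assumed mapping, see above)
    @{ Path = $CrashControl; Name = 'CrashDumpEnabled'; Value = 1 }
)

# Read one registry value; returns $null when the key or value is missing.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Report the current state of every setting next to the expected value.
function Get-ForcedDumpState {
    foreach ($s in $Settings) {
        $current = Get-RegValueOrNull -Path $s.Path -Name $s.Name
        [pscustomobject]@{
            Name     = $s.Name
            Current  = $current
            Expected = $s.Value
            Ok       = ($current -eq $s.Value)
            Path     = $s.Path
        }
    }
}

# Write only the values that differ; returns $true when anything changed,
# which means the reboot from step 5 is still required.
function Enable-ForcedDump {
    $changed = $false
    foreach ($s in $Settings) {
        if ((Get-RegValueOrNull -Path $s.Path -Name $s.Name) -eq $s.Value) { continue }
        if (-not (Test-Path -Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
            -Value $s.Value -Force | Out-Null
        $changed = $true
    }
    return $changed
}

# Turn the keyboard trigger back off once the dump has been collected.
# A complete dump holds all of physical memory, so the trigger and the
# resulting file should not be left around on a machine others can reach.
function Disable-KeyboardCrash {
    foreach ($s in $Settings | Where-Object { $_.Name -eq 'CrashOnCtrlScroll' }) {
        if (Test-Path -Path $s.Path) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value 0
        }
    }
}

if (Enable-ForcedDump) {
    Write-Host 'Settings changed. Reboot (step 5) before using right Ctrl + Scroll Lock x2.'
}
Get-ForcedDumpState | Format-Table Name, Current, Expected, Ok, Path -AutoSize

# Where the dump will be written (the post gives C:\Windows\MEMORY.dmp).
$dumpFile = Get-RegValueOrNull -Path $CrashControl -Name 'DumpFile'
if ($null -ne $dumpFile) { Write-Host "Dump file: $dumpFile" }
```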
Programing/Kernel 2011. 6. 29. 20:00
0x00000000: return "STATUS_SUCCESS";
0x00000001: return "STATUS_WAIT_1";
0x00000002: return "STATUS_WAIT_2";
0x00000003: return "STATUS_WAIT_3";
0x0000003F: return "STATUS_WAIT_63";
0x00000080: return "STATUS_ABANDONED_WAIT_0";
0x000000BF: return "STATUS_ABANDONED_WAIT_63";
0x000000C0: return "STATUS_USER_APC";
0x00000100: return "STATUS_KERNEL_APC";
0x00000101: return "STATUS_ALERTED";
0x00000102: return "STATUS_TIMEOUT";
0x00000103: return "STATUS_PENDING";
0x00000104: return "STATUS_REPARSE";
0x00000105: return "STATUS_MORE_ENTRIES";
0x00000106: return "STATUS_NOT_ALL_ASSIGNED";
0x00000107: return "STATUS_SOME_NOT_MAPPED";
0x00000108: return "STATUS_OPLOCK_BREAK_IN_PROGRESS";
0x00000109: return "STATUS_VOLUME_MOUNTED";
0x0000010A: return "STATUS_RXACT_COMMITTED";
0x0000010B: return "STATUS_NOTIFY_CLEANUP";
0x0000010C: return "STATUS_NOTIFY_ENUM_DIR";
0x0000010D: return "STATUS_NO_QUOTAS_FOR_ACCOUNT";
0x0000010E: return "STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED";
0x00000110: return "STATUS_PAGE_FAULT_TRANSITION";
0x00000111: return "STATUS_PAGE_FAULT_DEMAND_ZERO";
0x00000112: return "STATUS_PAGE_FAULT_COPY_ON_WRITE";
0x00000113: return "STATUS_PAGE_FAULT_GUARD_PAGE";
0x00000114: return "STATUS_PAGE_FAULT_PAGING_FILE";
0x00000115: return "STATUS_CACHE_PAGE_LOCKED";
0x00000116: return "STATUS_CRASH_DUMP";
0x00000117: return "STATUS_BUFFER_ALL_ZEROS";
0x00000118: return "STATUS_REPARSE_OBJECT";
0x00000119: return "STATUS_RESOURCE_REQUIREMENTS_CHANGED";
0x00000120: return "STATUS_TRANSLATION_COMPLETE";
0x00000121: return "STATUS_DS_MEMBERSHIP_EVALUATED_LOCALLY";
0x00010001: return "DBG_EXCEPTION_HANDLED";
0x00010002: return "DBG_CONTINUE";
0x40000000: return "STATUS_OBJECT_NAME_EXISTS";
0x40000001: return "STATUS_THREAD_WAS_SUSPENDED";
0x40000002: return "STATUS_WORKING_SET_LIMIT_RANGE";
0x40000003: return "STATUS_IMAGE_NOT_AT_BASE";
0x40000004: return "STATUS_RXACT_STATE_CREATED";
0x40000005: return "STATUS_SEGMENT_NOTIFICATION";
0x40000006: return "STATUS_LOCAL_USER_SESSION_KEY";
0x40000007: return "STATUS_BAD_CURRENT_DIRECTORY";
0x40000008: return "STATUS_SERIAL_MORE_WRITES";
0x40000009: return "STATUS_REGISTRY_RECOVERED";
0x4000000A: return "STATUS_FT_READ_RECOVERY_FROM_BACKUP";
0x4000000B: return "STATUS_FT_WRITE_RECOVERY";
0x4000000C: return "STATUS_SERIAL_COUNTER_TIMEOUT";
0x4000000D: return "STATUS_NULL_LM_PASSWORD";
0x4000000E: return "STATUS_IMAGE_MACHINE_TYPE_MISMATCH";
0x4000000F: return "STATUS_RECEIVE_PARTIAL";
0x40000010: return "STATUS_RECEIVE_EXPEDITED";
0x40000011: return "STATUS_RECEIVE_PARTIAL_EXPEDITED";
0x40000012: return "STATUS_EVENT_DONE";
0x40000013: return "STATUS_EVENT_PENDING";
0x40000014: return "STATUS_CHECKING_FILE_SYSTEM";
0x40000015: return "STATUS_FATAL_APP_EXIT";
0x40000016: return "STATUS_PREDEFINED_HANDLE";
0x40000017: return "STATUS_WAS_UNLOCKED";
0x40000018: return "STATUS_SERVICE_NOTIFICATION";
0x40000019: return "STATUS_WAS_LOCKED";
0x4000001A: return "STATUS_LOG_HARD_ERROR";
0x4000001B: return "STATUS_ALREADY_WIN32";
0x4000001C: return "STATUS_WX86_UNSIMULATE";
0x4000001D: return "STATUS_WX86_CONTINUE";
0x4000001E: return "STATUS_WX86_SINGLE_STEP";
0x4000001F: return "STATUS_WX86_BREAKPOINT";
0x40000020: return "STATUS_WX86_EXCEPTION_CONTINUE";
0x40000021: return "STATUS_WX86_EXCEPTION_LASTCHANCE";
0x40000022: return "STATUS_WX86_EXCEPTION_CHAIN";
0x40000023: return "STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE";
0x40000024: return "STATUS_NO_YIELD_PERFORMED";
0x40000025: return "STATUS_TIMER_RESUME_IGNORED";
0x40000026: return "STATUS_ARBITRATION_UNHANDLED";
0x40000027: return "STATUS_CARDBUS_NOT_SUPPORTED";
0x40000028: return "STATUS_WX86_CREATEWX86TIB";
0x40000029: return "STATUS_MP_PROCESSOR_MISMATCH";
0x40010001: return "DBG_REPLY_LATER";
0x40010002: return "DBG_UNABLE_TO_PROVIDE_HANDLE";
0x40010003: return "DBG_TERMINATE_THREAD";
0x40010004: return "DBG_TERMINATE_PROCESS";
0x40010005: return "DBG_CONTROL_C";
0x40010006: return "DBG_PRINTEXCEPTION_C";
0x40010007: return "DBG_RIPEXCEPTION";
0x40010008: return "DBG_CONTROL_BREAK";
0x80000001: return "STATUS_GUARD_PAGE_VIOLATION";
0x80000002: return "STATUS_DATATYPE_MISALIGNMENT";
0x80000003: return "STATUS_BREAKPOINT";
0x80000004: return "STATUS_SINGLE_STEP";
0x80000005: return "STATUS_BUFFER_OVERFLOW";
0x80000006: return "STATUS_NO_MORE_FILES";
0x80000007: return "STATUS_WAKE_SYSTEM_DEBUGGER";
0x8000000A: return "STATUS_HANDLES_CLOSED";
0x8000000B: return "STATUS_NO_INHERITANCE";
0x8000000C: return "STATUS_GUID_SUBSTITUTION_MADE";
0x8000000D: return "STATUS_PARTIAL_COPY";
0x8000000E: return "STATUS_DEVICE_PAPER_EMPTY";
0x8000000F: return "STATUS_DEVICE_POWERED_OFF";
0x80000010: return "STATUS_DEVICE_OFF_LINE";
0x80000011: return "STATUS_DEVICE_BUSY";
0x80000012: return "STATUS_NO_MORE_EAS";
0x80000013: return "STATUS_INVALID_EA_NAME";
0x80000014: return "STATUS_EA_LIST_INCONSISTENT";
0x80000015: return "STATUS_INVALID_EA_FLAG";
0x80000016: return "STATUS_VERIFY_REQUIRED";
0x80000017: return "STATUS_EXTRANEOUS_INFORMATION";
0x80000018: return "STATUS_RXACT_COMMIT_NECESSARY";
0x8000001A: return "STATUS_NO_MORE_ENTRIES";
0x8000001B: return "STATUS_FILEMARK_DETECTED";
0x8000001C: return "STATUS_MEDIA_CHANGED";
0x8000001D: return "STATUS_BUS_RESET";
0x8000001E: return "STATUS_END_OF_MEDIA";
0x8000001F: return "STATUS_BEGINNING_OF_MEDIA";
0x80000020: return "STATUS_MEDIA_CHECK";
0x80000021: return "STATUS_SETMARK_DETECTED";
0x80000022: return "STATUS_NO_DATA_DETECTED";
0x80000023: return "STATUS_REDIRECTOR_HAS_OPEN_HANDLES";
0x80000024: return "STATUS_SERVER_HAS_OPEN_HANDLES";
0x80000025: return "STATUS_ALREADY_DISCONNECTED";
0x80000026: return "STATUS_LONGJUMP";
0x80010001: return "DBG_EXCEPTION_NOT_HANDLED";
0xC0000001: return "STATUS_UNSUCCESSFUL";
0xC0000002: return "STATUS_NOT_IMPLEMENTED";
0xC0000003: return "STATUS_INVALID_INFO_CLASS";
0xC0000004: return "STATUS_INFO_LENGTH_MISMATCH";
0xC0000005: return "STATUS_ACCESS_VIOLATION";
0xC0000006: return "STATUS_IN_PAGE_ERROR";
0xC0000007: return "STATUS_PAGEFILE_QUOTA";
0xC0000008: return "STATUS_INVALID_HANDLE";
0xC0000009: return "STATUS_BAD_INITIAL_STACK";
0xC000000A: return "STATUS_BAD_INITIAL_PC";
0xC000000B: return "STATUS_INVALID_CID";
0xC000000C: return "STATUS_TIMER_NOT_CANCELED";
0xC000000D: return "STATUS_INVALID_PARAMETER";
0xC000000E: return "STATUS_NO_SUCH_DEVICE";
0xC000000F: return "STATUS_NO_SUCH_FILE";
0xC0000010: return "STATUS_INVALID_DEVICE_REQUEST";
0xC0000011: return "STATUS_END_OF_FILE";
0xC0000012: return "STATUS_WRONG_VOLUME";
0xC0000013: return "STATUS_NO_MEDIA_IN_DEVICE";
0xC0000014: return "STATUS_UNRECOGNIZED_MEDIA";
0xC0000015: return "STATUS_NONEXISTENT_SECTOR";
0xC0000016: return "STATUS_MORE_PROCESSING_REQUIRED";
0xC0000017: return "STATUS_NO_MEMORY";
0xC0000018: return "STATUS_CONFLICTING_ADDRESSES";
0xC0000019: return "STATUS_NOT_MAPPED_VIEW";
0xC000001A: return "STATUS_UNABLE_TO_FREE_VM";
0xC000001B: return "STATUS_UNABLE_TO_DELETE_SECTION";
0xC000001C: return "STATUS_INVALID_SYSTEM_SERVICE";
0xC000001D: return "STATUS_ILLEGAL_INSTRUCTION";
0xC000001E: return "STATUS_INVALID_LOCK_SEQUENCE";
0xC000001F: return "STATUS_INVALID_VIEW_SIZE";
0xC0000020: return "STATUS_INVALID_FILE_FOR_SECTION";
0xC0000021: return "STATUS_ALREADY_COMMITTED";
0xC0000022: return "STATUS_ACCESS_DENIED";
0xC0000023: return "STATUS_BUFFER_TOO_SMALL";
0xC0000024: return "STATUS_OBJECT_TYPE_MISMATCH";
0xC0000025: return "STATUS_NONCONTINUABLE_EXCEPTION";
0xC0000026: return "STATUS_INVALID_DISPOSITION";
0xC0000027: return "STATUS_UNWIND";
0xC0000028: return "STATUS_BAD_STACK";
0xC0000029: return "STATUS_INVALID_UNWIND_TARGET";
0xC000002A: return "STATUS_NOT_LOCKED";
0xC000002B: return "STATUS_PARITY_ERROR";
0xC000002C: return "STATUS_UNABLE_TO_DECOMMIT_VM";
0xC000002D: return "STATUS_NOT_COMMITTED";
0xC000002E: return "STATUS_INVALID_PORT_ATTRIBUTES";
0xC000002F: return "STATUS_PORT_MESSAGE_TOO_LONG";
0xC0000030: return "STATUS_INVALID_PARAMETER_MIX";
0xC0000031: return "STATUS_INVALID_QUOTA_LOWER";
0xC0000032: return "STATUS_DISK_CORRUPT_ERROR";
0xC0000033: return "STATUS_OBJECT_NAME_INVALID";
0xC0000034: return "STATUS_OBJECT_NAME_NOT_FOUND";
0xC0000035: return "STATUS_OBJECT_NAME_COLLISION";
0xC0000037: return "STATUS_PORT_DISCONNECTED";
0xC0000038: return "STATUS_DEVICE_ALREADY_ATTACHED";
0xC0000039: return "STATUS_OBJECT_PATH_INVALID";
0xC000003A: return "STATUS_OBJECT_PATH_NOT_FOUND";
0xC000003B: return "STATUS_OBJECT_PATH_SYNTAX_BAD";
0xC000003C: return "STATUS_DATA_OVERRUN";
0xC000003D: return "STATUS_DATA_LATE_ERROR";
0xC000003E: return "STATUS_DATA_ERROR";
0xC000003F: return "STATUS_CRC_ERROR";
0xC0000040: return "STATUS_SECTION_TOO_BIG";
0xC0000041: return "STATUS_PORT_CONNECTION_REFUSED";
0xC0000042: return "STATUS_INVALID_PORT_HANDLE";
0xC0000043: return "STATUS_SHARING_VIOLATION";
0xC0000044: return "STATUS_QUOTA_EXCEEDED";
0xC0000045: return "STATUS_INVALID_PAGE_PROTECTION";
0xC0000046: return "STATUS_MUTANT_NOT_OWNED";
0xC0000047: return "STATUS_SEMAPHORE_LIMIT_EXCEEDED";
0xC0000048: return "STATUS_PORT_ALREADY_SET";
0xC0000049: return "STATUS_SECTION_NOT_IMAGE";
0xC000004A: return "STATUS_SUSPEND_COUNT_EXCEEDED";
0xC000004B: return "STATUS_THREAD_IS_TERMINATING";
0xC000004C: return "STATUS_BAD_WORKING_SET_LIMIT";
0xC000004D: return "STATUS_INCOMPATIBLE_FILE_MAP";
0xC000004E: return "STATUS_SECTION_PROTECTION";
0xC000004F: return "STATUS_EAS_NOT_SUPPORTED";
0xC0000050: return "STATUS_EA_TOO_LARGE";
0xC0000051: return "STATUS_NONEXISTENT_EA_ENTRY";
0xC0000052: return "STATUS_NO_EAS_ON_FILE";
0xC0000053: return "STATUS_EA_CORRUPT_ERROR";
0xC0000054: return "STATUS_FILE_LOCK_CONFLICT";
0xC0000055: return "STATUS_LOCK_NOT_GRANTED";
0xC0000056: return "STATUS_DELETE_PENDING";
0xC0000057: return "STATUS_CTL_FILE_NOT_SUPPORTED";
0xC0000058: return "STATUS_UNKNOWN_REVISION";
0xC0000059: return "STATUS_REVISION_MISMATCH";
0xC000005A: return "STATUS_INVALID_OWNER";
0xC000005B: return "STATUS_INVALID_PRIMARY_GROUP";
0xC000005C: return "STATUS_NO_IMPERSONATION_TOKEN";
0xC000005D: return "STATUS_CANT_DISABLE_MANDATORY";
0xC000005E: return "STATUS_NO_LOGON_SERVERS";
0xC000005F: return "STATUS_NO_SUCH_LOGON_SESSION";
0xC0000060: return "STATUS_NO_SUCH_PRIVILEGE";
0xC0000061: return "STATUS_PRIVILEGE_NOT_HELD";
0xC0000062: return "STATUS_INVALID_ACCOUNT_NAME";
0xC0000063: return "STATUS_USER_EXISTS";
0xC0000064: return "STATUS_NO_SUCH_USER";
0xC0000065: return "STATUS_GROUP_EXISTS";
0xC0000066: return "STATUS_NO_SUCH_GROUP";
0xC0000067: return "STATUS_MEMBER_IN_GROUP";
0xC0000068: return "STATUS_MEMBER_NOT_IN_GROUP";
0xC0000069: return "STATUS_LAST_ADMIN";
0xC000006A: return "STATUS_WRONG_PASSWORD";
0xC000006B: return "STATUS_ILL_FORMED_PASSWORD";
0xC000006C: return "STATUS_PASSWORD_RESTRICTION";
0xC000006D: return "STATUS_LOGON_FAILURE";
0xC000006E: return "STATUS_ACCOUNT_RESTRICTION";
0xC000006F: return "STATUS_INVALID_LOGON_HOURS";
0xC0000070: return "STATUS_INVALID_WORKSTATION";
0xC0000071: return "STATUS_PASSWORD_EXPIRED";
0xC0000072: return "STATUS_ACCOUNT_DISABLED";
0xC0000073: return "STATUS_NONE_MAPPED";
0xC0000074: return "STATUS_TOO_MANY_LUIDS_REQUESTED";
0xC0000075: return "STATUS_LUIDS_EXHAUSTED";
0xC0000076: return "STATUS_INVALID_SUB_AUTHORITY";
0xC0000077: return "STATUS_INVALID_ACL";
0xC0000078: return "STATUS_INVALID_SID";
0xC0000079: return "STATUS_INVALID_SECURITY_DESCR";
0xC000007A: return "STATUS_PROCEDURE_NOT_FOUND";
0xC000007B: return "STATUS_INVALID_IMAGE_FORMAT";
0xC000007C: return "STATUS_NO_TOKEN";
0xC000007D: return "STATUS_BAD_INHERITANCE_ACL";
0xC000007E: return "STATUS_RANGE_NOT_LOCKED";
0xC000007F: return "STATUS_DISK_FULL";
0xC0000080: return "STATUS_SERVER_DISABLED";
0xC0000081: return "STATUS_SERVER_NOT_DISABLED";
0xC0000082: return "STATUS_TOO_MANY_GUIDS_REQUESTED";
0xC0000083: return "STATUS_GUIDS_EXHAUSTED";
0xC0000084: return "STATUS_INVALID_ID_AUTHORITY";
0xC0000085: return "STATUS_AGENTS_EXHAUSTED";
0xC0000086: return "STATUS_INVALID_VOLUME_LABEL";
0xC0000087: return "STATUS_SECTION_NOT_EXTENDED";
0xC0000088: return "STATUS_NOT_MAPPED_DATA";
0xC0000089: return "STATUS_RESOURCE_DATA_NOT_FOUND";
0xC000008A: return "STATUS_RESOURCE_TYPE_NOT_FOUND";
0xC000008B: return "STATUS_RESOURCE_NAME_NOT_FOUND";
0xC000008C: return "STATUS_ARRAY_BOUNDS_EXCEEDED";
0xC000008D: return "STATUS_FLOAT_DENORMAL_OPERAND";
0xC000008E: return "STATUS_FLOAT_DIVIDE_BY_ZERO";
0xC000008F: return "STATUS_FLOAT_INEXACT_RESULT";
0xC0000090: return "STATUS_FLOAT_INVALID_OPERATION";
0xC0000091: return "STATUS_FLOAT_OVERFLOW";
0xC0000092: return "STATUS_FLOAT_STACK_CHECK";
0xC0000093: return "STATUS_FLOAT_UNDERFLOW";
0xC0000094: return "STATUS_INTEGER_DIVIDE_BY_ZERO";
0xC0000095: return "STATUS_INTEGER_OVERFLOW";
0xC0000096: return "STATUS_PRIVILEGED_INSTRUCTION";
0xC0000097: return "STATUS_TOO_MANY_PAGING_FILES";
0xC0000098: return "STATUS_FILE_INVALID";
0xC0000099: return "STATUS_ALLOTTED_SPACE_EXCEEDED";
0xC000009A: return "STATUS_INSUFFICIENT_RESOURCES";
0xC000009B: return "STATUS_DFS_EXIT_PATH_FOUND";
0xC000009C: return "STATUS_DEVICE_DATA_ERROR";
0xC000009D: return "STATUS_DEVICE_NOT_CONNECTED";
0xC000009E: return "STATUS_DEVICE_POWER_FAILURE";
0xC000009F: return "STATUS_FREE_VM_NOT_AT_BASE";
0xC00000A0: return "STATUS_MEMORY_NOT_ALLOCATED";
0xC00000A1: return "STATUS_WORKING_SET_QUOTA";
0xC00000A2: return "STATUS_MEDIA_WRITE_PROTECTED";
0xC00000A3: return "STATUS_DEVICE_NOT_READY";
0xC00000A4: return "STATUS_INVALID_GROUP_ATTRIBUTES";
0xC00000A5: return "STATUS_BAD_IMPERSONATION_LEVEL";
0xC00000A6: return "STATUS_CANT_OPEN_ANONYMOUS";
0xC00000A7: return "STATUS_BAD_VALIDATION_CLASS";
0xC00000A8: return "STATUS_BAD_TOKEN_TYPE";
0xC00000A9: return "STATUS_BAD_MASTER_BOOT_RECORD";
0xC00000AA: return "STATUS_INSTRUCTION_MISALIGNMENT";
0xC00000AB: return "STATUS_INSTANCE_NOT_AVAILABLE";
0xC00000AC: return "STATUS_PIPE_NOT_AVAILABLE";
0xC00000AD: return "STATUS_INVALID_PIPE_STATE";
0xC00000AE: return "STATUS_PIPE_BUSY";
0xC00000AF: return "STATUS_ILLEGAL_FUNCTION";
0xC00000B0: return "STATUS_PIPE_DISCONNECTED";
0xC00000B1: return "STATUS_PIPE_CLOSING";
0xC00000B2: return "STATUS_PIPE_CONNECTED";
0xC00000B3: return "STATUS_PIPE_LISTENING";
0xC00000B4: return "STATUS_INVALID_READ_MODE";
0xC00000B5: return "STATUS_IO_TIMEOUT";
0xC00000B6: return "STATUS_FILE_FORCED_CLOSED";
0xC00000B7: return "STATUS_PROFILING_NOT_STARTED";
0xC00000B8: return "STATUS_PROFILING_NOT_STOPPED";
0xC00000B9: return "STATUS_COULD_NOT_INTERPRET";
0xC00000BA: return "STATUS_FILE_IS_A_DIRECTORY";
0xC00000BB: return "STATUS_NOT_SUPPORTED";
0xC00000BC: return "STATUS_REMOTE_NOT_LISTENING";
0xC00000BD: return "STATUS_DUPLICATE_NAME";
0xC00000BE: return "STATUS_BAD_NETWORK_PATH";
0xC00000BF: return "STATUS_NETWORK_BUSY";
0xC00000C0: return "STATUS_DEVICE_DOES_NOT_EXIST";
0xC00000C1: return "STATUS_TOO_MANY_COMMANDS";
0xC00000C2: return "STATUS_ADAPTER_HARDWARE_ERROR";
0xC00000C3: return "STATUS_INVALID_NETWORK_RESPONSE";
0xC00000C4: return "STATUS_UNEXPECTED_NETWORK_ERROR";
0xC00000C5: return "STATUS_BAD_REMOTE_ADAPTER";
0xC00000C6: return "STATUS_PRINT_QUEUE_FULL";
0xC00000C7: return "STATUS_NO_SPOOL_SPACE";
0xC00000C8: return "STATUS_PRINT_CANCELLED";
0xC00000C9: return "STATUS_NETWORK_NAME_DELETED";
0xC00000CA: return "STATUS_NETWORK_ACCESS_DENIED";
0xC00000CB: return "STATUS_BAD_DEVICE_TYPE";
0xC00000CC: return "STATUS_BAD_NETWORK_NAME";
0xC00000CD: return "STATUS_TOO_MANY_NAMES";
0xC00000CE: return "STATUS_TOO_MANY_SESSIONS";
0xC00000CF: return "STATUS_SHARING_PAUSED";
0xC00000D0: return "STATUS_REQUEST_NOT_ACCEPTED";
0xC00000D1: return "STATUS_REDIRECTOR_PAUSED";
0xC00000D2: return "STATUS_NET_WRITE_FAULT";
0xC00000D3: return "STATUS_PROFILING_AT_LIMIT";
0xC00000D4: return "STATUS_NOT_SAME_DEVICE";
0xC00000D5: return "STATUS_FILE_RENAMED";
0xC00000D6: return "STATUS_VIRTUAL_CIRCUIT_CLOSED";
0xC00000D7: return "STATUS_NO_SECURITY_ON_OBJECT";
0xC00000D8: return "STATUS_CANT_WAIT";
0xC00000D9: return "STATUS_PIPE_EMPTY";
0xC00000DA: return "STATUS_CANT_ACCESS_DOMAIN_INFO";
0xC00000DB: return "STATUS_CANT_TERMINATE_SELF";
0xC00000DC: return "STATUS_INVALID_SERVER_STATE";
0xC00000DD: return "STATUS_INVALID_DOMAIN_STATE";
0xC00000DE: return "STATUS_INVALID_DOMAIN_ROLE";
0xC00000DF: return "STATUS_NO_SUCH_DOMAIN";
0xC00000E0: return "STATUS_DOMAIN_EXISTS";
0xC00000E1: return "STATUS_DOMAIN_LIMIT_EXCEEDED";
0xC00000E2: return "STATUS_OPLOCK_NOT_GRANTED";
0xC00000E3: return "STATUS_INVALID_OPLOCK_PROTOCOL";
0xC00000E4: return "STATUS_INTERNAL_DB_CORRUPTION";
0xC00000E5: return "STATUS_INTERNAL_ERROR";
0xC00000E6: return "STATUS_GENERIC_NOT_MAPPED";
0xC00000E7: return "STATUS_BAD_DESCRIPTOR_FORMAT";
0xC00000E8: return "STATUS_INVALID_USER_BUFFER";
0xC00000E9: return "STATUS_UNEXPECTED_IO_ERROR";
0xC00000EA: return "STATUS_UNEXPECTED_MM_CREATE_ERR";
0xC00000EB: return "STATUS_UNEXPECTED_MM_MAP_ERROR";
0xC00000EC: return "STATUS_UNEXPECTED_MM_EXTEND_ERR";
0xC00000ED: return "STATUS_NOT_LOGON_PROCESS";
0xC00000EE: return "STATUS_LOGON_SESSION_EXISTS";
0xC00000EF: return "STATUS_INVALID_PARAMETER_1";
0xC00000F0: return "STATUS_INVALID_PARAMETER_2";
0xC00000F1: return "STATUS_INVALID_PARAMETER_3";
0xC00000F2: return "STATUS_INVALID_PARAMETER_4";
0xC00000F3: return "STATUS_INVALID_PARAMETER_5";
0xC00000F4: return "STATUS_INVALID_PARAMETER_6";
0xC00000F5: return "STATUS_INVALID_PARAMETER_7";
0xC00000F6: return "STATUS_INVALID_PARAMETER_8";
0xC00000F7: return "STATUS_INVALID_PARAMETER_9";
0xC00000F8: return "STATUS_INVALID_PARAMETER_10";
0xC00000F9: return "STATUS_INVALID_PARAMETER_11";
0xC00000FA: return "STATUS_INVALID_PARAMETER_12";
0xC00000FB: return "STATUS_REDIRECTOR_NOT_STARTED";
0xC00000FC: return "STATUS_REDIRECTOR_STARTED";
0xC00000FD: return "STATUS_STACK_OVERFLOW";
0xC00000FE: return "STATUS_NO_SUCH_PACKAGE";
0xC00000FF: return "STATUS_BAD_FUNCTION_TABLE";
0xC0000100: return "STATUS_VARIABLE_NOT_FOUND";
0xC0000101: return "STATUS_DIRECTORY_NOT_EMPTY";
0xC0000102: return "STATUS_FILE_CORRUPT_ERROR";
0xC0000103: return "STATUS_NOT_A_DIRECTORY";
0xC0000104: return "STATUS_BAD_LOGON_SESSION_STATE";
0xC0000105: return "STATUS_LOGON_SESSION_COLLISION";
0xC0000106: return "STATUS_NAME_TOO_LONG";
0xC0000107: return "STATUS_FILES_OPEN";
0xC0000108: return "STATUS_CONNECTION_IN_USE";
0xC0000109: return "STATUS_MESSAGE_NOT_FOUND";
0xC000010A: return "STATUS_PROCESS_IS_TERMINATING";
0xC000010B: return "STATUS_INVALID_LOGON_TYPE";
0xC000010C: return "STATUS_NO_GUID_TRANSLATION";
0xC000010D: return "STATUS_CANNOT_IMPERSONATE";
0xC000010E: return "STATUS_IMAGE_ALREADY_LOADED";
0xC000010F: return "STATUS_ABIOS_NOT_PRESENT";
0xC0000110: return "STATUS_ABIOS_LID_NOT_EXIST";
0xC0000111: return "STATUS_ABIOS_LID_ALREADY_OWNED";
0xC0000112: return "STATUS_ABIOS_NOT_LID_OWNER";
0xC0000113: return "STATUS_ABIOS_INVALID_COMMAND";
0xC0000114: return "STATUS_ABIOS_INVALID_LID";
0xC0000115: return "STATUS_ABIOS_SELECTOR_NOT_AVAILABLE";
0xC0000116: return "STATUS_ABIOS_INVALID_SELECTOR";
0xC0000117: return "STATUS_NO_LDT";
0xC0000118: return "STATUS_INVALID_LDT_SIZE";
0xC0000119: return "STATUS_INVALID_LDT_OFFSET";
0xC000011A: return "STATUS_INVALID_LDT_DESCRIPTOR";
0xC000011B: return "STATUS_INVALID_IMAGE_NE_FORMAT";
0xC000011C: return "STATUS_RXACT_INVALID_STATE";
0xC000011D: return "STATUS_RXACT_COMMIT_FAILURE";
0xC000011E: return "STATUS_MAPPED_FILE_SIZE_ZERO";
0xC000011F: return "STATUS_TOO_MANY_OPENED_FILES";
0xC0000120: return "STATUS_CANCELLED";
0xC0000121: return "STATUS_CANNOT_DELETE";
0xC0000122: return "STATUS_INVALID_COMPUTER_NAME";
0xC0000123: return "STATUS_FILE_DELETED";
0xC0000124: return "STATUS_SPECIAL_ACCOUNT";
0xC0000125: return "STATUS_SPECIAL_GROUP";
0xC0000126: return "STATUS_SPECIAL_USER";
0xC0000127: return "STATUS_MEMBERS_PRIMARY_GROUP";
0xC0000128: return "STATUS_FILE_CLOSED";
0xC0000129: return "STATUS_TOO_MANY_THREADS";
0xC000012A: return "STATUS_THREAD_NOT_IN_PROCESS";
0xC000012B: return "STATUS_TOKEN_ALREADY_IN_USE";
0xC000012C: return "STATUS_PAGEFILE_QUOTA_EXCEEDED";
0xC000012D: return "STATUS_COMMITMENT_LIMIT";
0xC000012E: return "STATUS_INVALID_IMAGE_LE_FORMAT";
0xC000012F: return "STATUS_INVALID_IMAGE_NOT_MZ";
0xC0000130: return "STATUS_INVALID_IMAGE_PROTECT";
0xC0000131: return "STATUS_INVALID_IMAGE_WIN_16";
0xC0000132: return "STATUS_LOGON_SERVER_CONFLICT";
0xC0000133: return "STATUS_TIME_DIFFERENCE_AT_DC";
0xC0000134: return "STATUS_SYNCHRONIZATION_REQUIRED";
0xC0000135: return "STATUS_DLL_NOT_FOUND";
0xC0000136: return "STATUS_OPEN_FAILED";
0xC0000137: return "STATUS_IO_PRIVILEGE_FAILED";
0xC0000138: return "STATUS_ORDINAL_NOT_FOUND";
0xC0000139: return "STATUS_ENTRYPOINT_NOT_FOUND";
0xC000013A: return "STATUS_CONTROL_C_EXIT";
0xC000013B: return "STATUS_LOCAL_DISCONNECT";
0xC000013C: return "STATUS_REMOTE_DISCONNECT";
0xC000013D: return "STATUS_REMOTE_RESOURCES";
0xC000013E: return "STATUS_LINK_FAILED";
0xC000013F: return "STATUS_LINK_TIMEOUT";
0xC0000140: return "STATUS_INVALID_CONNECTION";
0xC0000141: return "STATUS_INVALID_ADDRESS";
0xC0000142: return "STATUS_DLL_INIT_FAILED";
0xC0000143: return "STATUS_MISSING_SYSTEMFILE";
0xC0000144: return "STATUS_UNHANDLED_EXCEPTION";
0xC0000145: return "STATUS_APP_INIT_FAILURE";
0xC0000146: return "STATUS_PAGEFILE_CREATE_FAILED";
0xC0000147: return "STATUS_NO_PAGEFILE";
0xC0000148: return "STATUS_INVALID_LEVEL";
0xC0000149: return "STATUS_WRONG_PASSWORD_CORE";
0xC000014A: return "STATUS_ILLEGAL_FLOAT_CONTEXT";
0xC000014B: return "STATUS_PIPE_BROKEN";
0xC000014C: return "STATUS_REGISTRY_CORRUPT";
0xC000014D: return "STATUS_REGISTRY_IO_FAILED";
0xC000014E: return "STATUS_NO_EVENT_PAIR";
0xC000014F: return "STATUS_UNRECOGNIZED_VOLUME";
0xC0000150: return "STATUS_SERIAL_NO_DEVICE_INITED";
0xC0000151: return "STATUS_NO_SUCH_ALIAS";
0xC0000152: return "STATUS_MEMBER_NOT_IN_ALIAS";
0xC0000153: return "STATUS_MEMBER_IN_ALIAS";
0xC0000154: return "STATUS_ALIAS_EXISTS";
0xC0000155: return "STATUS_LOGON_NOT_GRANTED";
0xC0000156: return "STATUS_TOO_MANY_SECRETS";
0xC0000157: return "STATUS_SECRET_TOO_LONG";
0xC0000158: return "STATUS_INTERNAL_DB_ERROR";
0xC0000159: return "STATUS_FULLSCREEN_MODE";
0xC000015A: return "STATUS_TOO_MANY_CONTEXT_IDS";
0xC000015B: return "STATUS_LOGON_TYPE_NOT_GRANTED";
0xC000015C: return "STATUS_NOT_REGISTRY_FILE";
0xC000015D: return "STATUS_NT_CROSS_ENCRYPTION_REQUIRED";
0xC000015E: return "STATUS_DOMAIN_CTRLR_CONFIG_ERROR";
0xC000015F: return "STATUS_FT_MISSING_MEMBER";
0xC0000160: return "STATUS_ILL_FORMED_SERVICE_ENTRY";
0xC0000161: return "STATUS_ILLEGAL_CHARACTER";
0xC0000162: return "STATUS_UNMAPPABLE_CHARACTER";
0xC0000163: return "STATUS_UNDEFINED_CHARACTER";
0xC0000164: return "STATUS_FLOPPY_VOLUME";
0xC0000165: return "STATUS_FLOPPY_ID_MARK_NOT_FOUND";
0xC0000166: return "STATUS_FLOPPY_WRONG_CYLINDER";
0xC0000167: return "STATUS_FLOPPY_UNKNOWN_ERROR";
0xC0000168: return "STATUS_FLOPPY_BAD_REGISTERS";
0xC0000169: return "STATUS_DISK_RECALIBRATE_FAILED";
0xC000016A: return "STATUS_DISK_OPERATION_FAILED";
0xC000016B: return "STATUS_DISK_RESET_FAILED";
0xC000016C: return "STATUS_SHARED_IRQ_BUSY";
0xC000016D: return "STATUS_FT_ORPHANING";
0xC000016E: return "STATUS_BIOS_FAILED_TO_CONNECT_INTERRUPT";
0xC0000172: return "STATUS_PARTITION_FAILURE";
0xC0000173: return "STATUS_INVALID_BLOCK_LENGTH";
0xC0000174: return "STATUS_DEVICE_NOT_PARTITIONED";
0xC0000175: return "STATUS_UNABLE_TO_LOCK_MEDIA";
0xC0000176: return "STATUS_UNABLE_TO_UNLOAD_MEDIA";
0xC0000177: return "STATUS_EOM_OVERFLOW";
0xC0000178: return "STATUS_NO_MEDIA";
0xC000017A: return "STATUS_NO_SUCH_MEMBER";
0xC000017B: return "STATUS_INVALID_MEMBER";
0xC000017C: return "STATUS_KEY_DELETED";
0xC000017D: return "STATUS_NO_LOG_SPACE";
0xC000017E: return "STATUS_TOO_MANY_SIDS";
0xC000017F: return "STATUS_LM_CROSS_ENCRYPTION_REQUIRED";
0xC0000180: return "STATUS_KEY_HAS_CHILDREN";
0xC0000181: return "STATUS_CHILD_MUST_BE_VOLATILE";
0xC0000182: return "STATUS_DEVICE_CONFIGURATION_ERROR";
0xC0000183: return "STATUS_DRIVER_INTERNAL_ERROR";
0xC0000184: return "STATUS_INVALID_DEVICE_STATE";
0xC0000185: return "STATUS_IO_DEVICE_ERROR";
0xC0000186: return "STATUS_DEVICE_PROTOCOL_ERROR";
0xC0000187: return "STATUS_BACKUP_CONTROLLER";
0xC0000188: return "STATUS_LOG_FILE_FULL";
0xC0000189: return "STATUS_TOO_LATE";
0xC000018A: return "STATUS_NO_TRUST_LSA_SECRET";
0xC000018B: return "STATUS_NO_TRUST_SAM_ACCOUNT";
0xC000018C: return "STATUS_TRUSTED_DOMAIN_FAILURE";
0xC000018D: return "STATUS_TRUSTED_RELATIONSHIP_FAILURE";
0xC000018E: return "STATUS_EVENTLOG_FILE_CORRUPT";
0xC000018F: return "STATUS_EVENTLOG_CANT_START";
0xC0000190: return "STATUS_TRUST_FAILURE";
0xC0000191: return "STATUS_MUTANT_LIMIT_EXCEEDED";
0xC0000192: return "STATUS_NETLOGON_NOT_STARTED";
0xC0000193: return "STATUS_ACCOUNT_EXPIRED";
0xC0000194: return "STATUS_POSSIBLE_DEADLOCK";
0xC0000195: return "STATUS_NETWORK_CREDENTIAL_CONFLICT";
0xC0000196: return "STATUS_REMOTE_SESSION_LIMIT";
0xC0000197: return "STATUS_EVENTLOG_FILE_CHANGED";
0xC0000198: return "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT";
0xC0000199: return "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT";
0xC000019A: return "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT";
0xC000019B: return "STATUS_DOMAIN_TRUST_INCONSISTENT";
0xC000019C: return "STATUS_FS_DRIVER_REQUIRED";
0xC0000202: return "STATUS_NO_USER_SESSION_KEY";
0xC0000203: return "STATUS_USER_SESSION_DELETED";
0xC0000204: return "STATUS_RESOURCE_LANG_NOT_FOUND";
0xC0000205: return "STATUS_INSUFF_SERVER_RESOURCES";
0xC0000206: return "STATUS_INVALID_BUFFER_SIZE";
0xC0000207: return "STATUS_INVALID_ADDRESS_COMPONENT";
0xC0000208: return "STATUS_INVALID_ADDRESS_WILDCARD";
0xC0000209: return "STATUS_TOO_MANY_ADDRESSES";
0xC000020A: return "STATUS_ADDRESS_ALREADY_EXISTS";
0xC000020B: return "STATUS_ADDRESS_CLOSED";
0xC000020C: return "STATUS_CONNECTION_DISCONNECTED";
0xC000020D: return "STATUS_CONNECTION_RESET";
0xC000020E: return "STATUS_TOO_MANY_NODES";
0xC000020F: return "STATUS_TRANSACTION_ABORTED";
0xC0000210: return "STATUS_TRANSACTION_TIMED_OUT";
0xC0000211: return "STATUS_TRANSACTION_NO_RELEASE";
0xC0000212: return "STATUS_TRANSACTION_NO_MATCH";
0xC0000213: return "STATUS_TRANSACTION_RESPONDED";
0xC0000214: return "STATUS_TRANSACTION_INVALID_ID";
0xC0000215: return "STATUS_TRANSACTION_INVALID_TYPE";
0xC0000216: return "STATUS_NOT_SERVER_SESSION";
0xC0000217: return "STATUS_NOT_CLIENT_SESSION";
0xC0000218: return "STATUS_CANNOT_LOAD_REGISTRY_FILE";
0xC0000219: return "STATUS_DEBUG_ATTACH_FAILED";
0xC000021A: return "STATUS_SYSTEM_PROCESS_TERMINATED";
0xC000021B: return "STATUS_DATA_NOT_ACCEPTED";
0xC000021C: return "STATUS_NO_BROWSER_SERVERS_FOUND";
0xC000021D: return "STATUS_VDM_HARD_ERROR";
0xC000021E: return "STATUS_DRIVER_CANCEL_TIMEOUT";
0xC000021F: return "STATUS_REPLY_MESSAGE_MISMATCH";
0xC0000220: return "STATUS_MAPPED_ALIGNMENT";
0xC0000221: return "STATUS_IMAGE_CHECKSUM_MISMATCH";
0xC0000222: return "STATUS_LOST_WRITEBEHIND_DATA";
0xC0000223: return "STATUS_CLIENT_SERVER_PARAMETERS_INVALID";
0xC0000224: return "STATUS_PASSWORD_MUST_CHANGE";
0xC0000225: return "STATUS_NOT_FOUND";
0xC0000226: return "STATUS_NOT_TINY_STREAM";
0xC0000227: return "STATUS_RECOVERY_FAILURE";
0xC0000228: return "STATUS_STACK_OVERFLOW_READ";
0xC0000229: return "STATUS_FAIL_CHECK";
0xC000022A: return "STATUS_DUPLICATE_OBJECTID";
0xC000022B: return "STATUS_OBJECTID_EXISTS";
0xC000022C: return "STATUS_CONVERT_TO_LARGE";
0xC000022D: return "STATUS_RETRY";
0xC000022E: return "STATUS_FOUND_OUT_OF_SCOPE";
0xC000022F: return "STATUS_ALLOCATE_BUCKET";
0xC0000230: return "STATUS_PROPSET_NOT_FOUND";
0xC0000231: return "STATUS_MARSHALL_OVERFLOW";
0xC0000232: return "STATUS_INVALID_VARIANT";
0xC0000233: return "STATUS_DOMAIN_CONTROLLER_NOT_FOUND";
0xC0000234: return "STATUS_ACCOUNT_LOCKED_OUT";
0xC0000235: return "STATUS_HANDLE_NOT_CLOSABLE";
0xC0000236: return "STATUS_CONNECTION_REFUSED";
0xC0000237: return "STATUS_GRACEFUL_DISCONNECT";
0xC0000238: return "STATUS_ADDRESS_ALREADY_ASSOCIATED";
0xC0000239: return "STATUS_ADDRESS_NOT_ASSOCIATED";
0xC000023A: return "STATUS_CONNECTION_INVALID";
0xC000023B: return "STATUS_CONNECTION_ACTIVE";
0xC000023C: return "STATUS_NETWORK_UNREACHABLE";
0xC000023D: return "STATUS_HOST_UNREACHABLE";
0xC000023E: return "STATUS_PROTOCOL_UNREACHABLE";
0xC000023F: return "STATUS_PORT_UNREACHABLE";
0xC0000240: return "STATUS_REQUEST_ABORTED";
0xC0000241: return "STATUS_CONNECTION_ABORTED";
0xC0000242: return "STATUS_BAD_COMPRESSION_BUFFER";
0xC0000243: return "STATUS_USER_MAPPED_FILE";
0xC0000244: return "STATUS_AUDIT_FAILED";
0xC0000245: return "STATUS_TIMER_RESOLUTION_NOT_SET";
0xC0000246: return "STATUS_CONNECTION_COUNT_LIMIT";
0xC0000247: return "STATUS_LOGIN_TIME_RESTRICTION";
0xC0000248: return "STATUS_LOGIN_WKSTA_RESTRICTION";
0xC0000249: return "STATUS_IMAGE_MP_UP_MISMATCH";
0xC0000250: return "STATUS_INSUFFICIENT_LOGON_INFO";
0xC0000251: return "STATUS_BAD_DLL_ENTRYPOINT";
0xC0000252: return "STATUS_BAD_SERVICE_ENTRYPOINT";
0xC0000253: return "STATUS_LPC_REPLY_LOST";
0xC0000254: return "STATUS_IP_ADDRESS_CONFLICT1";
0xC0000255: return "STATUS_IP_ADDRESS_CONFLICT2";
0xC0000256: return "STATUS_REGISTRY_QUOTA_LIMIT";
0xC0000257: return "STATUS_PATH_NOT_COVERED";
0xC0000258: return "STATUS_NO_CALLBACK_ACTIVE";
0xC0000259: return "STATUS_LICENSE_QUOTA_EXCEEDED";
0xC000025A: return "STATUS_PWD_TOO_SHORT";
0xC000025B: return "STATUS_PWD_TOO_RECENT";
0xC000025C: return "STATUS_PWD_HISTORY_CONFLICT";
0xC000025E: return "STATUS_PLUGPLAY_NO_DEVICE";
0xC000025F: return "STATUS_UNSUPPORTED_COMPRESSION";
0xC0000260: return "STATUS_INVALID_HW_PROFILE";
0xC0000261: return "STATUS_INVALID_PLUGPLAY_DEVICE_PATH";
0xC0000262: return "STATUS_DRIVER_ORDINAL_NOT_FOUND";
0xC0000263: return "STATUS_DRIVER_ENTRYPOINT_NOT_FOUND";
0xC0000264: return "STATUS_RESOURCE_NOT_OWNED";
0xC0000265: return "STATUS_TOO_MANY_LINKS";
0xC0000266: return "STATUS_QUOTA_LIST_INCONSISTENT";
0xC0000267: return "STATUS_FILE_IS_OFFLINE";
0xC0000268: return "STATUS_EVALUATION_EXPIRATION";
0xC0000269: return "STATUS_ILLEGAL_DLL_RELOCATION";
0xC000026A: return "STATUS_LICENSE_VIOLATION";
0xC000026B: return "STATUS_DLL_INIT_FAILED_LOGOFF";
0xC000026C: return "STATUS_DRIVER_UNABLE_TO_LOAD";
0xC000026D: return "STATUS_DFS_UNAVAILABLE";
0xC000026E: return "STATUS_VOLUME_DISMOUNTED";
0xC000026F: return "STATUS_WX86_INTERNAL_ERROR";
0xC0000270: return "STATUS_WX86_FLOAT_STACK_CHECK";
0xC0000271: return "STATUS_VALIDATE_CONTINUE";
0xC0000272: return "STATUS_NO_MATCH";
0xC0000273: return "STATUS_NO_MORE_MATCHES";
0xC0000275: return "STATUS_NOT_A_REPARSE_POINT";
0xC0000276: return "STATUS_IO_REPARSE_TAG_INVALID";
0xC0000277: return "STATUS_IO_REPARSE_TAG_MISMATCH";
0xC0000278: return "STATUS_IO_REPARSE_DATA_INVALID";
0xC0000279: return "STATUS_IO_REPARSE_TAG_NOT_HANDLED";
0xC0000280: return "STATUS_REPARSE_POINT_NOT_RESOLVED";
0xC0000281: return "STATUS_DIRECTORY_IS_A_REPARSE_POINT";
0xC0000282: return "STATUS_RANGE_LIST_CONFLICT";
0xC0000283: return "STATUS_SOURCE_ELEMENT_EMPTY";
0xC0000284: return "STATUS_DESTINATION_ELEMENT_FULL";
0xC0000285: return "STATUS_ILLEGAL_ELEMENT_ADDRESS";
0xC0000286: return "STATUS_MAGAZINE_NOT_PRESENT";
0xC0000287: return "STATUS_REINITIALIZATION_NEEDED";
0x80000288: return "STATUS_DEVICE_REQUIRES_CLEANING";
0x80000289: return "STATUS_DEVICE_DOOR_OPEN";
0xC000028A: return "STATUS_ENCRYPTION_FAILED";
0xC000028B: return \"STATUS_DECRYPTION_FAILED\";
0xC000028C: return \"STATUS_RANGE_NOT_FOUND\";
0xC000028D: return \"STATUS_NO_RECOVERY_POLICY\";
0xC000028E: return \"STATUS_NO_EFS\";
0xC000028F: return \"STATUS_WRONG_EFS\";
0xC0000290: return \"STATUS_NO_USER_KEYS\";
0xC0000291: return \"STATUS_FILE_NOT_ENCRYPTED\";
0xC0000292: return \"STATUS_NOT_EXPORT_FORMAT\";
0xC0000293: return \"STATUS_FILE_ENCRYPTED\";
0x40000294: return \"STATUS_WAKE_SYSTEM\";
0xC0000295: return \"STATUS_WMI_GUID_NOT_FOUND\";
0xC0000296: return \"STATUS_WMI_INSTANCE_NOT_FOUND\";
0xC0000297: return \"STATUS_WMI_ITEMID_NOT_FOUND\";
0xC0000298: return \"STATUS_WMI_TRY_AGAIN\";
0xC0000299: return \"STATUS_SHARED_POLICY\";
0xC000029A: return \"STATUS_POLICY_OBJECT_NOT_FOUND\";
0xC000029B: return \"STATUS_POLICY_ONLY_IN_DS\";
0xC000029C: return \"STATUS_VOLUME_NOT_UPGRADED\";
0xC000029D: return \"STATUS_REMOTE_STORAGE_NOT_ACTIVE\";
0xC000029E: return \"STATUS_REMOTE_STORAGE_MEDIA_ERROR\";
0xC000029F: return \"STATUS_NO_TRACKING_SERVICE\";
0xC00002A0: return \"STATUS_SERVER_SID_MISMATCH\";
0xC00002A1: return \"STATUS_DS_NO_ATTRIBUTE_OR_VALUE\";
0xC00002A2: return \"STATUS_DS_INVALID_ATTRIBUTE_SYNTAX\";
0xC00002A3: return \"STATUS_DS_ATTRIBUTE_TYPE_UNDEFINED\";
0xC00002A4: return \"STATUS_DS_ATTRIBUTE_OR_VALUE_EXISTS\";
0xC00002A5: return \"STATUS_DS_BUSY\";
0xC00002A6: return \"STATUS_DS_UNAVAILABLE\";
0xC00002A7: return \"STATUS_DS_NO_RIDS_ALLOCATED\";
0xC00002A8: return \"STATUS_DS_NO_MORE_RIDS\";
0xC00002A9: return \"STATUS_DS_INCORRECT_ROLE_OWNER\";
0xC00002AA: return \"STATUS_DS_RIDMGR_INIT_ERROR\";
0xC00002AB: return \"STATUS_DS_OBJ_CLASS_VIOLATION\";
0xC00002AC: return \"STATUS_DS_CANT_ON_NON_LEAF\";
0xC00002AD: return \"STATUS_DS_CANT_ON_RDN\";
0xC00002AE: return \"STATUS_DS_CANT_MOD_OBJ_CLASS\";
0xC00002AF: return \"STATUS_DS_CROSS_DOM_MOVE_FAILED\";
0xC00002B0: return \"STATUS_DS_GC_NOT_AVAILABLE\";
0xC00002B1: return \"STATUS_DIRECTORY_SERVICE_REQUIRED\";
0xC00002B2: return \"STATUS_REPARSE_ATTRIBUTE_CONFLICT\";
0xC00002B3: return \"STATUS_CANT_ENABLE_DENY_ONLY\";
0xC00002B4: return \"STATUS_FLOAT_MULTIPLE_FAULTS\";
0xC00002B5: return \"STATUS_FLOAT_MULTIPLE_TRAPS\";
0xC00002B6: return \"STATUS_DEVICE_REMOVED\";
0xC00002B7: return \"STATUS_JOURNAL_DELETE_IN_PROGRESS\";
0xC00002B8: return \"STATUS_JOURNAL_NOT_ACTIVE\";
0xC00002B9: return \"STATUS_NOINTERFACE\";
0xC00002C1: return \"STATUS_DS_ADMIN_LIMIT_EXCEEDED\";
0xC00002C2: return \"STATUS_DRIVER_FAILED_SLEEP\";
0xC00002C3: return \"STATUS_MUTUAL_AUTHENTICATION_FAILED\";
0xC00002C4: return \"STATUS_CORRUPT_SYSTEM_FILE\";
0xC00002C5: return \"STATUS_DATATYPE_MISALIGNMENT_ERROR\";
0xC00002C6: return \"STATUS_WMI_READ_ONLY\";
0xC00002C7: return \"STATUS_WMI_SET_FAILURE\";
0xC00002C8: return \"STATUS_COMMITMENT_MINIMUM\";
0xC00002C9: return \"STATUS_REG_NAT_CONSUMPTION\";
0xC00002CA: return \"STATUS_TRANSPORT_FULL\";
0xC00002CB: return \"STATUS_DS_SAM_INIT_FAILURE\";
0xC00002CC: return \"STATUS_ONLY_IF_CONNECTED\";
0xC00002CD: return \"STATUS_DS_SENSITIVE_GROUP_VIOLATION\";
0xC00002CE: return \"STATUS_PNP_RESTART_ENUMERATION\";
0xC00002CF: return \"STATUS_JOURNAL_ENTRY_DELETED\";
0xC00002D0: return \"STATUS_DS_CANT_MOD_PRIMARYGROUPID\";
0xC00002D1: return \"STATUS_SYSTEM_IMAGE_BAD_SIGNATURE\";
0xC00002D2: return \"STATUS_PNP_REBOOT_REQUIRED\";
0xC00002D3: return \"STATUS_POWER_STATE_INVALID\";
0xC00002D4: return \"STATUS_DS_INVALID_GROUP_TYPE\";
0xC00002D5: return \"STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN\";
0xC00002D6: return \"STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN\";
0xC00002D7: return \"STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER\";
0xC00002D8: return \"STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER\";
0xC00002D9: return \"STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER\";
0xC00002DA: return \"STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER\";
0xC00002DB: return \"STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER\";
0xC00002DC: return \"STATUS_DS_HAVE_PRIMARY_MEMBERS\";
0xC00002DD: return \"STATUS_WMI_NOT_SUPPORTED\";
0xC00002DE: return \"STATUS_INSUFFICIENT_POWER\";
0xC00002DF: return \"STATUS_SAM_NEED_BOOTKEY_PASSWORD\";
0xC00002E0: return \"STATUS_SAM_NEED_BOOTKEY_FLOPPY\";
0xC00002E1: return \"STATUS_DS_CANT_START\";
0xC00002E2: return \"STATUS_DS_INIT_FAILURE\";
0xC00002E3: return \"STATUS_SAM_INIT_FAILURE\";
0xC00002E4: return \"STATUS_DS_GC_REQUIRED\";
0xC00002E5: return \"STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY\";
0xC00002E6: return \"STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS\";
0xC00002E7: return \"STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED\";
0xC00002E8: return \"STATUS_MULTIPLE_FAULT_VIOLATION\";
0xC0000300: return \"STATUS_NOT_SUPPORTED_ON_SBS\";
0xC0009898: return \"STATUS_WOW_ASSERTION\";
0xC0010001: return \"DBG_NO_STATE_CHANGE\";
0xC0010002: return \"DBG_APP_NOT_IDLE\";
0xC0020001: return \"RPC_NT_INVALID_STRING_BINDING\";
0xC0020002: return \"RPC_NT_WRONG_KIND_OF_BINDING\";
0xC0020003: return \"RPC_NT_INVALID_BINDING\";
0xC0020004: return \"RPC_NT_PROTSEQ_NOT_SUPPORTED\";
0xC0020005: return \"RPC_NT_INVALID_RPC_PROTSEQ\";
0xC0020006: return \"RPC_NT_INVALID_STRING_UUID\";
0xC0020007: return \"RPC_NT_INVALID_ENDPOINT_FORMAT\";
0xC0020008: return \"RPC_NT_INVALID_NET_ADDR\";
0xC0020009: return \"RPC_NT_NO_ENDPOINT_FOUND\";
0xC002000A: return \"RPC_NT_INVALID_TIMEOUT\";
0xC002000B: return \"RPC_NT_OBJECT_NOT_FOUND\";
0xC002000C: return \"RPC_NT_ALREADY_REGISTERED\";
0xC002000D: return \"RPC_NT_TYPE_ALREADY_REGISTERED\";
0xC002000E: return \"RPC_NT_ALREADY_LISTENING\";
0xC002000F: return \"RPC_NT_NO_PROTSEQS_REGISTERED\";
0xC0020010: return \"RPC_NT_NOT_LISTENING\";
0xC0020011: return \"RPC_NT_UNKNOWN_MGR_TYPE\";
0xC0020012: return \"RPC_NT_UNKNOWN_IF\";
0xC0020013: return \"RPC_NT_NO_BINDINGS\";
0xC0020014: return \"RPC_NT_NO_PROTSEQS\";
0xC0020015: return \"RPC_NT_CANT_CREATE_ENDPOINT\";
0xC0020016: return \"RPC_NT_OUT_OF_RESOURCES\";
0xC0020017: return \"RPC_NT_SERVER_UNAVAILABLE\";
0xC0020018: return \"RPC_NT_SERVER_TOO_BUSY\";
0xC0020019: return \"RPC_NT_INVALID_NETWORK_OPTIONS\";
0xC002001A: return \"RPC_NT_NO_CALL_ACTIVE\";
0xC002001B: return \"RPC_NT_CALL_FAILED\";
0xC002001C: return \"RPC_NT_CALL_FAILED_DNE\";
0xC002001D: return \"RPC_NT_PROTOCOL_ERROR\";
0xC002001F: return \"RPC_NT_UNSUPPORTED_TRANS_SYN\";
0xC0020021: return \"RPC_NT_UNSUPPORTED_TYPE\";
0xC0020022: return \"RPC_NT_INVALID_TAG\";
0xC0020023: return \"RPC_NT_INVALID_BOUND\";
0xC0020024: return \"RPC_NT_NO_ENTRY_NAME\";
0xC0020025: return \"RPC_NT_INVALID_NAME_SYNTAX\";
0xC0020026: return \"RPC_NT_UNSUPPORTED_NAME_SYNTAX\";
0xC0020028: return \"RPC_NT_UUID_NO_ADDRESS\";
0xC0020029: return \"RPC_NT_DUPLICATE_ENDPOINT\";
0xC002002A: return \"RPC_NT_UNKNOWN_AUTHN_TYPE\";
0xC002002B: return \"RPC_NT_MAX_CALLS_TOO_SMALL\";
0xC002002C: return \"RPC_NT_STRING_TOO_LONG\";
0xC002002D: return \"RPC_NT_PROTSEQ_NOT_FOUND\";
0xC002002E: return \"RPC_NT_PROCNUM_OUT_OF_RANGE\";
0xC002002F: return \"RPC_NT_BINDING_HAS_NO_AUTH\";
0xC0020030: return \"RPC_NT_UNKNOWN_AUTHN_SERVICE\";
0xC0020031: return \"RPC_NT_UNKNOWN_AUTHN_LEVEL\";
0xC0020032: return \"RPC_NT_INVALID_AUTH_IDENTITY\";
0xC0020033: return \"RPC_NT_UNKNOWN_AUTHZ_SERVICE\";
0xC0020034: return \"EPT_NT_INVALID_ENTRY\";
0xC0020035: return \"EPT_NT_CANT_PERFORM_OP\";
0xC0020036: return \"EPT_NT_NOT_REGISTERED\";
0xC0020037: return \"RPC_NT_NOTHING_TO_EXPORT\";
0xC0020038: return \"RPC_NT_INCOMPLETE_NAME\";
0xC0020039: return \"RPC_NT_INVALID_VERS_OPTION\";
0xC002003A: return \"RPC_NT_NO_MORE_MEMBERS\";
0xC002003B: return \"RPC_NT_NOT_ALL_OBJS_UNEXPORTED\";
0xC002003C: return \"RPC_NT_INTERFACE_NOT_FOUND\";
0xC002003D: return \"RPC_NT_ENTRY_ALREADY_EXISTS\";
0xC002003E: return \"RPC_NT_ENTRY_NOT_FOUND\";
0xC002003F: return \"RPC_NT_NAME_SERVICE_UNAVAILABLE\";
0xC0020040: return \"RPC_NT_INVALID_NAF_ID\";
0xC0020041: return \"RPC_NT_CANNOT_SUPPORT\";
0xC0020042: return \"RPC_NT_NO_CONTEXT_AVAILABLE\";
0xC0020043: return \"RPC_NT_INTERNAL_ERROR\";
0xC0020044: return \"RPC_NT_ZERO_DIVIDE\";
0xC0020045: return \"RPC_NT_ADDRESS_ERROR\";
0xC0020046: return \"RPC_NT_FP_DIV_ZERO\";
0xC0020047: return \"RPC_NT_FP_UNDERFLOW\";
0xC0020048: return \"RPC_NT_FP_OVERFLOW\";
0xC0030001: return \"RPC_NT_NO_MORE_ENTRIES\";
0xC0030002: return \"RPC_NT_SS_CHAR_TRANS_OPEN_FAIL\";
0xC0030003: return \"RPC_NT_SS_CHAR_TRANS_SHORT_FILE\";
0xC0030004: return \"RPC_NT_SS_IN_NULL_CONTEXT\";
0xC0030005: return \"RPC_NT_SS_CONTEXT_MISMATCH\";
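Programing/Kernel 2011. 6. 29. 17:44
I was trying to kernel-debug Windows 7 under Virtual PC, forgot how to turn on debug mode, and wrote this up after searching..
Not going to forget it again -_-
Settings in Virtual PC
Run Windbg and configure File - Kernel Debugging
(The Port part got cut off; enter the same value as the Named pipe in the Virtual PC settings above)
Click OK and it waits as shown below
Then start the guest OS with Virtual PC. Debug mode is not on yet at this point, so it simply boots normally. Once Windows is running, configure it as follows.
1. Run a cmd window as administrator
2. bcdedit /debug on (to turn debug mode off: bcdedit /debug off)
3. Reboot
Then wait; if the Command window shows this, it worked
Once Windows has finished booting, press Ctrl + Break and check that the break takes effect
If it breaks, that's it. Debug away-
Once debug mode is turned on, it stays on until it is turned off manually, so from then on
just start kernel debugging in Windbg, leave it waiting, and boot the Virtual PC OS; it attaches right away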
Programing/Kernel 2011. 6. 29. 13:25
Source: http://bananamilk-textcube.blogspot.com/2010/03/driverentry-%EB%93%9C%EB%9D%BC%EC%9D%B4%EB%B2%84-%EC%8B%9C%EC%9E%91%EC%A0%90-%EB%B6%80%ED%84%B0-%EB%94%94%EB%B2%84%EA%B9%85-%ED%95%98%EA%B8%B0.html
This is how to debug a driver (.sys) file from its entry point. A kernel debugging environment must already be set up, and the procedure differs slightly depending on whether a PDB file is available for the driver under analysis. First register the driver (Register Service) on the debuggee system (Virtual PC 2007); the commands then entered in the debugger (WinDBG) are shown below. [Example driver source code path]
1. When a PDB is available for the driver being debugged
nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> sxe ld cr0.sys // set a BP at the point cr0.sys is loaded
kd> g
nt!DebugService2+0x10:
80506d3e cc int 3 // BP hit (cr0.sys driver loading)
kd> lm
start end module name
7c900000 7c9b2000 ntdll (pdb symbols)
...
f8c8a000 f8c8a800 cr0 (private pdb symbols) // confirm the cr0.sys pdb
kd> bp cr0!DriverEntry // set a BP at the start of cr0.sys code (DriverEntry)
kd> bl
0 e f8c8a4c0 0001 (0001) cr0!DriverEntry
kd> g
Breakpoint 0 hit
cr0!DriverEntry: // BP hit (DriverEntry)
f8c8a4c0 8bff mov edi,edi
kd> u
cr0!DriverEntry [c:\sdt_cr0\set_cr0.cpp @ 22]:
f8c8a4c0 8bff mov edi,edi
f8c8a4c2 55 push ebp
f8c8a4c3 8bec mov ebp,esp
f8c8a4c5 6810a5c8f8 push offset cr0! ?? ::FNODOBFM::`string' (f8c8a510)
f8c8a4ca e825000000 call cr0!DbgPrint (f8c8a4f4)
f8c8a4cf 83c404 add esp,4
f8c8a4d2 8b4508 mov eax,dword ptr [ebp+8]
f8c8a4d5 c7403490a4c8f8 mov dword ptr [eax+34h],offset cr0!OnUnload (f8c8a490)
kd> db f8c8a510 // check the DbgPrint argument
f8c8a510 44 72 69 76 65 72 45 6e-74 72 79 28 29 20 53 74 DriverEntry() St
f8c8a520 61 72 74 0a 00 00 00 00-00 00 00 00 00 00 00 00 art.............
f8c8a530 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8c8a540 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8c8a550 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8c8a560 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8c8a570 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8c8a580 00 20 55 80 79 f0 4f 80-00 00 00 00 00 00 00 00 . U.y.O.........
2. When no PDB is available for the driver being debugged
nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> sxe ld cr0.sys // set a BP at the point cr0.sys is loaded
kd> g
nt!DebugService2+0x10:
80506d3e cc int 3 // BP hit (cr0.sys driver loading)
kd> lm
start end module name
7c900000 7c9b2000 ntdll (pdb symbols)
...
f8b84000 f8b84800 cr0 (deferred) // no pdb for cr0.sys
kd> bp cr0!DriverEntry
*** ERROR: Module load completed but symbols could not be loaded for cr0.sys
Couldn't resolve error at 'cr0!DriverEntry' // a BP cannot be set at DriverEntry
kd> u f8b846be // cr0 start address(f8b84000) + cr0 Address Entry Point(6be)
cr0+0x6be:
f8b846be 8bff mov edi,edi
f8b846c0 55 push ebp
f8b846c1 8bec mov ebp,esp
f8b846c3 e8bdffffff call cr0+0x685 (f8b84685)
f8b846c8 5d pop ebp
f8b846c9 e9f2fdffff jmp cr0+0x4c0 (f8b844c0)
f8b846ce cc int 3
f8b846cf cc int 3
kd> bp f8b844c0 // set a BP at the start of cr0.sys code (DriverEntry)
kd> bl
0 e f8b844c0 0001 (0001) cr0+0x4c0
kd> g
Breakpoint 0 hit
cr0+0x4c0: // BP hit (DriverEntry)
f8b844c0 8bff mov edi,edi
kd> u
cr0+0x4c0:
f8b844c0 8bff mov edi,edi
f8b844c2 55 push ebp
f8b844c3 8bec mov ebp,esp
f8b844c5 681045b8f8 push offset cr0+0x510 (f8b84510)
f8b844ca e825000000 call cr0+0x4f4 (f8b844f4)
f8b844cf 83c404 add esp,4
f8b844d2 8b4508 mov eax,dword ptr [ebp+8]
f8b844d5 c740349044b8f8 mov dword ptr [eax+34h],offset cr0+0x490 (f8b84490)
kd> db f8b84510 // check the DbgPrint argument
f8b84510 44 72 69 76 65 72 45 6e-74 72 79 28 29 20 53 74 DriverEntry() St
f8b84520 61 72 74 0a 00 00 00 00-00 00 00 00 00 00 00 00 art.............
f8b84530 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8b84540 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8b84550 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8b84560 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8b84570 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
f8b84580 00 20 55 80 79 f0 4f 80-00 00 00 00 00 00 00 00 . U.y.O.........
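The no-PDB case above rests on two calculations: module base plus the PE header's AddressOfEntryPoint, then following the entry stub's jmp to the address the post breaks on as DriverEntry. As an added example (not from the original post), the Python code below reads AddressOfEntryPoint from a PE header and decodes the jmp rel32; the header bytes are constructed for illustration using the post's 0x6be value, and the function names are hypothetical.

```python
import struct

def build_sample_pe(entry_rva):
    """Constructed minimal PE32 header (not a real driver), enough to be parsed."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # IMAGE_FILE_HEADER: i386, 0 sections, SizeOfOptionalHeader = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)
    # IMAGE_OPTIONAL_HEADER32 up to AddressOfEntryPoint (offset 16), zero padded
    opt = struct.pack("<HBBIIII", 0x010B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\x00")
    return dos + b"PE\x00\x00" + file_hdr + opt

def entry_point_rva(image):
    """Return AddressOfEntryPoint (an RVA) from the PE headers in `image`."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20            # skip signature and IMAGE_FILE_HEADER
    if len(image) < opt_off + 20:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):        # PE32 or PE32+
        raise ValueError("unexpected optional header magic")
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+
    (rva,) = struct.unpack_from("<I", image, opt_off + 16)
    return rva

def jmp_rel32_target(insn_addr, insn_bytes, ptr_bits=32):
    """Target of a 5-byte `e9 rel32` jmp located at insn_addr."""
    if len(insn_bytes) != 5 or insn_bytes[0] != 0xE9:
        raise ValueError("not an e9 rel32 jmp")
    (disp,) = struct.unpack_from("<i", insn_bytes, 1)   # signed displacement
    # rel32 is relative to the address of the next instruction
    return (insn_addr + 5 + disp) & ((1 << ptr_bits) - 1)

if __name__ == "__main__":
    base = 0xF8B84000                       # cr0 start address from `lm` in the post
    image = build_sample_pe(0x6BE)          # constructed header, entry RVA from the post
    stub = base + entry_point_rva(image)
    print("kd> u %08x" % stub)              # address of the entry stub to disassemble
    # jmp bytes and address as shown in the post's disassembly of the stub
    target = jmp_rel32_target(0xF8B846C9, bytes.fromhex("e9f2fdffff"))
    print("kd> bp %08x" % target)           # address the post sets its breakpoint on
```

For a real driver, pass the leading bytes of the .sys file on disk (for example `open(path, "rb").read(0x400)`) to `entry_point_rva` instead of the constructed header.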
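Programing/Kernel 2011. 6. 24. 09:34
The DriverEntry and Unload functions run in the SYSTEM process, but
win32k.sys is not present in the SYSTEM process, so reading or writing it from DriverEntry or Unload can cause an error. It did not always happen, only in certain situations, and I don't remember the exact circumstances..
The error reason is DRIVER_IRQL_NOT_LESS_OR_EQUAL
When the memory read or write is performed through IOCTL communication between user mode and the driver, the error does not occur
Source: http://driveronline.org/bbs/view.asp?tb=drivetc&no=961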