A strange problem with an Nvidia CoProcManager DLL
Recently I noticed that opening Edge, Taskmgr, and even Process Explorer and Process Monitor would crash for no apparent reason, which made the machine painful to use. Fortunately WinDbg itself did not crash on startup. So after a program had crashed, while the WerFault dialog was still on screen, I attached WinDbg to the process and ran ~*k to dump the call stacks of all threads, and found the one thread that had triggered the crash.
You can see that nvd3d9wrapx.dll has inserted itself into the RtlExitUserThread -> LdrShutdownThread -> LdrpCallInitRoutine path: just as this thread is about to exit, its initialise routine steps in and the process crashes outright.
0:010> k
Child-SP RetAddr Call Site
0000006f`0c3fd568 00007ffe`ea443b4f ntdll!NtWaitForMultipleObjects+0x14
0000006f`0c3fd570 00007ffe`ea443a4e KERNELBASE!WaitForMultipleObjectsEx+0xef
0000006f`0c3fd870 00007ffe`ec43278f KERNELBASE!WaitForMultipleObjects+0xe
0000006f`0c3fd8b0 00007ffe`ec4322a2 KERNEL32!WerpReportFaultInternal+0x4ab
0000006f`0c3fde60 00007ffe`ea4c7ee7 KERNEL32!WerpReportFault+0x52
0000006f`0c3fde90 00007ffe`ed5cd998 KERNELBASE!UnhandledExceptionFilter+0x277
0000006f`0c3fdf90 00007ffe`ed5b5b26 ntdll!RtlUserThreadStart$filt$0+0x3e
0000006f`0c3fdfd0 00007ffe`ed5c9afd ntdll!_C_specific_handler+0x96
0000006f`0c3fe040 00007ffe`ed554fe9 ntdll!RtlpExecuteHandlerForException+0xd
0000006f`0c3fe070 00007ffe`ed5c8c0a ntdll!RtlDispatchException+0x3a9
0000006f`0c3fe780 00007ffe`e7749cde ntdll!KiUserExceptionDispatch+0x3a
0000006f`0c3fee98 00007ffe`e7750ee2 nvd3d9wrapx!initialise+0x3fe
0000006f`0c3ff5a8 00007ffe`ed5352c8 nvd3d9wrapx!setDeviceHandle+0x5832
0000006f`0c3ff618 00007ffe`ed532bf1 ntdll!LdrpCallInitRoutine+0x4c
0000006f`0c3ff678 00007ffe`ed57c62e ntdll!LdrShutdownThread+0x151
0000006f`0c3ff778 0000006f`0c3ff7ef ntdll!RtlExitUserThread+0x3e
0000006f`0c3ff7b8 00000000`00001000 0x0000006f`0c3ff7ef
0000006f`0c3ff7c0 0000019f`00000000 0x1000
0000006f`0c3ff7c8 00007ffe`ec4532a0 0x0000019f`00000000
0000006f`0c3ff7d0 0000019f`1fa100cb KERNEL32!VirtualFreeStub
0000006f`0c3ff7d8 0000019f`1fa10081 0x0000019f`1fa100cb
0000006f`0c3ff7e0 00000000`00001000 0x0000019f`1fa10081
0000006f`0c3ff7e8 00d5ffcf`8b49d3ff 0x1000
0000006f`0c3ff7f0 0000006f`0c3ff7e8 0x00d5ffcf`8b49d3ff
0000006f`0c3ff7f8 0000019f`1fa10000 0x0000006f`0c3ff7e8
0000006f`0c3ff800 00000000`00000000 0x0000019f`1fa10000
Let's check where the module lives:
0:010> lm vm nvd3d9wrapx
start end module name
00007ffe`e7740000 00007ffe`e777a000 nvd3d9wrapx (export symbols) F:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
Loaded symbol image file: F:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
Image path: F:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
Image name: nvd3d9wrapx.dll
Timestamp: Fri Jun 03 10:51:18 2016 (5750F0A6)
CheckSum: 00037FD6
ImageSize: 0003A000
File version: 10.18.13.6839
Product version: 10.18.13.6839
File flags: 8 (Mask 3F) Private
File OS: 40004 NT Win32
File type: 3.4 Driver
File date: 00000000.00000000
Translations: 0409.04e4
CompanyName: NVIDIA Corporation
ProductName: NVIDIA D3D shim drivers
InternalName: nvd3d9wrap
OriginalFilename: nvd3d9wrap.dll
ProductVersion: 10.18.13.6839
FileVersion: 10.18.13.6839
FileDescription: NVIDIA d3d9wrap dll, Version 368.39
LegalCopyright: (C) 2016 NVIDIA Corporation. All rights reserved.
Looking at the file itself, something even stranger turned up: its digital signature is self-signed, while the signatures on the other files were all issued by a normal CA. At first I thought I had been infected, until I saw that the DLL extracted from the official package on NVIDIA's website is self-signed as well, at which point I gave up. Signing it like this is worse than not signing it at all; it made me think it was a virus.
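The manual check described above, as an added PowerShell example that is not part of the original post: it enumerates the DLLs under the CoProcManager folder shown in the lm vm output (and, optionally, every module mapped into a running process such as Taskmgr), verifies each Authenticode signature, and flags signers whose certificate is self-signed (Subject equals Issuer) or whose chain does not end in a trusted root. The folder path is the one from the post and must be adjusted for your install; Get-ModuleSignatureReport is a name chosen here.

```powershell
# Added example, not from the original post. Report the Authenticode state of a
# set of PE files and flag self-signed signers, which is what the post found by
# hand for nvd3d9wrapx.dll.
function Get-ModuleSignatureReport {
    param(
        [Parameter(Mandatory)] [string[]] $Path
    )
    foreach ($p in ($Path | Sort-Object -Unique)) {
        try {
            $sig = Get-AuthenticodeSignature -FilePath $p -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read signature of $p : $_"
            continue
        }
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Status     = $sig.Status            # Valid, NotSigned, UnknownError (untrusted root), ...
            SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $false }
            Subject    = if ($cert) { $cert.Subject } else { '' }
            Path       = $p
            Message    = $sig.StatusMessage     # explains why a chain failed to validate
        }
    }
}

# 1) Every DLL in the CoProcManager folder named in the post's "lm vm" output
#    (path taken from the post; change it to match your installation).
$coproc = 'F:\Program Files\NVIDIA Corporation\CoProcManager'
Get-ModuleSignatureReport -Path (Get-ChildItem -Path $coproc -Filter *.dll -Recurse).FullName |
    Format-Table Status, SelfSigned, Subject, Path -AutoSize

# 2) Every module currently mapped into a running process (Taskmgr here, as in
#    the post), so a third-party DLL loaded into it shows up together with its
#    signature state. Reading another process's module list needs an elevated
#    shell of the same bitness as the target.
$mods = (Get-Process -Name Taskmgr -ErrorAction Stop).Modules.FileName
Get-ModuleSignatureReport -Path $mods |
    Where-Object { $_.Status -ne 'Valid' -or $_.SelfSigned } |
    Format-Table Status, SelfSigned, Subject, Path -AutoSize
```

A self-signed signer shows up as Status UnknownError with a StatusMessage about a root certificate that is not trusted, which is the state the post describes for nvd3d9wrapx.dll.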