54亿美金蒸发,83岁老人失踪!蓝屏元凶30天崩一个系统,微软急发事故报告
新智元报道
新智元报道
【新智元导读】史上最大规模TI故障,已经为财富500强带来了54亿美元损失,甚至导致一位83岁老人失踪至今未归。如今,微软终于给出了一份详尽的分析报告。
CrowdStrike不知道如何展开工作,并且需要基本的质量保证(QA)实践指导,我们很乐意教他们……
CrowdStrike事件分析
FAULTING_THREAD: ffffe402fe868040
READ_ADDRESS: ffff840500000074 Paged pool
MM_INTERNAL_CODE: 2
IMAGE_NAME: csagent.sys
MODULE_NAME: csagent
FAULTING_MODULE: fffff80671430000 csagent
PROCESS_NAME: System
TRAP_FRAME: ffff94058305ec20 -- (.trap 0xffff94058305ec20)
.trap 0xffff94058305ec20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff94058305f200 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff94058305f1d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806715114ed rsp=ffff94058305edb0 rbp=ffff94058305eeb0
r8=ffff840500000074 r9=0000000000000000 r10=0000000000000000
r11=0000000000000014 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
csagent+0xe14ed:
fffff806`715114ed 458b08 mov r9d,dword ptr [r8] ds:ffff8405`00000074=????????
.trap
Resetting default scope
STACK_TEXT:
ffff9405`8305e9f8 fffff806`5388c1e4 : 00000000`00000050 ffff8405`00000074 00000000`00000000 ffff9405`8305ec20 : nt!KeBugCheckEx
ffff9405`8305ea00 fffff806`53662d8c : 00000000`00000000 00000000`00000000 00000000`00000000 ffff8405`00000074 : nt!MiSystemFault+0x1fcf94
ffff9405`8305eb00 fffff806`53827529 : ffffffff`00000030 ffff8405`af8351a2 ffff9405`8305f020 ffff9405`8305f020 : nt!MmAccessFault+0x29c
ffff9405`8305ec20 fffff806`715114ed : 00000000`00000000 ffff9405`8305eeb0 ffff8405`b0bcd00c ffff8405`b0bc505c : nt!KiPageFault+0x369
ffff9405`8305edb0 fffff806`714e709e : 00000000`00000000 00000000`e01f008d ffff9405`8305f102 fffff806`716baaf8 : csagent+0xe14ed
ffff9405`8305ef50 fffff806`714e8335 : 00000000`00000000 00000000`00000010 00000000`00000002 ffff8405`b0bc501c : csagent+0xb709e
ffff9405`8305f080 fffff806`717220c7 : 00000000`00000000 00000000`00000000 ffff9405`8305f382 00000000`00000000 : csagent+0xb8335
ffff9405`8305f1b0 fffff806`7171ec44 : ffff9405`8305f668 fffff806`53eac2b0 ffff8405`afad4ac0 00000000`00000003 : csagent+0x2f20c7
ffff9405`8305f430 fffff806`71497a31 : 00000000`0000303b ffff9405`8305f6f0 ffff8405`afb1d140 ffffe402`ff251098 : csagent+0x2eec44
ffff9405`8305f5f0 fffff806`71496aee : ffff8405`afb1d140 fffff806`71541e7e 00000000`000067a0 fffff806`7168f8f0 : csagent+0x67a31
ffff9405`8305f760 fffff806`7149685b : ffff9405`8305f9d8 ffff8405`afb1d230 ffff8405`afb1d140 ffffe402`fe8644f8 : csagent+0x66aee
ffff9405`8305f7d0 fffff806`715399ea : 00000000`4a8415aa ffff8eee`1c68ca4f 00000000`00000000 ffff8405`9e95fc30 : csagent+0x6685b
ffff9405`8305f850 fffff806`7148efbb : 00000000`00000000 ffff9405`8305fa59 ffffe402`fe864050 ffffe402`fede62c0 : csagent+0x1099ea
ffff9405`8305f980 fffff806`7148edd7 : ffffffff`ffffffa1 fffff806`7152e5c1 ffffe402`fe864050 00000000`00000001 : csagent+0x5efbb
ffff9405`8305fac0 fffff806`7152e681 : 00000000`00000000 fffff806`53789272 00000000`00000002 ffffe402`fede62c0 : csagent+0x5edd7
ffff9405`8305faf0 fffff806`53707287 : ffffe402`fe868040 00000000`00000080 fffff806`7152e510 006fe47f`b19bbdff : csagent+0xfe681
ffff9405`8305fb30 fffff806`5381b8e4 : ffff9680`37651180 ffffe402`fe868040 fffff806`53707230 00000000`00000000 : nt!PspSystemThreadStartup+0x57
ffff9405`8305fb80 00000000`00000000 : ffff9405`83060000 ffff9405`83059000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34
6: kd> .trap 0xffff94058305ec20
.trap 0xffff94058305ec20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff94058305f200 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff94058305f1d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806715114ed rsp=ffff94058305edb0 rbp=ffff94058305eeb0
r8=ffff840500000074 r9=0000000000000000 r10=0000000000000000
r11=0000000000000014 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=000000000000
000
iopl=0 nv up ei ng nz na po nc
csagent+0xe14ed:
fffff806`715114ed 458b08 mov r9d,dword ptr [r8] ds:ffff8405`00000074=????????
6: kd> !pte ffff840500000074
!pte ffff840500000074
VA ffff840500000074
PXE at FFFFABD5EAF57840 PPE at FFFFABD5EAF080A0 PDE at FFFFABD5E1014000 PTE at FFFFABC202800000
contains 0A00000277200863 contains 0000000000000000
pfn 277200 ---DA--KWEV contains 0000000000000000
not valid
6: kd> ub fffff806`715114ed
ub fffff806`715114ed
csagent+0xe14d9:
fffff806`715114d9 04d8 add al,0D8h
fffff806`715114db 750b jne csagent+0xe14e8 (fffff806`715114e8)
fffff806`715114dd 4d85c0 test r8,r8
fffff806`715114e0 7412 je csagent+0xe14f4 (fffff806`715114f4)
fffff806`715114e2 450fb708 movzx r9d,word ptr [r8]
fffff806`715114e6 eb08 jmp csagent+0xe14f0 (fffff806`715114f0)
fffff806`715114e8 4d85c0 test r8,r8
fffff806`715114eb 7407 je csagent+0xe14f4 (fffff806`715114f4)
6: kd> ub fffff806`715114d9
ub fffff806`715114d9
^ Unable to find valid previous instruction for 'ub fffff806`715114d9'
6: kd> u fffff806`715114eb
u fffff806`715114eb
csagent+0xe14eb:
fffff806`715114eb 7407 je csagent+0xe14f4 (fffff806`715114f4)
fffff806`715114ed 458b08 mov r9d,dword ptr [r8]
fffff806`715114f0 4d8b5008 mov r10,qword ptr [r8+8]
fffff806`715114f4 4d8bc2 mov r8,r10
fffff806`715114f7 488d4d90 lea rcx,[rbp-70h]
fffff806`715114fb 488bd6 mov rdx,rsi
fffff806`715114fe e8212c0000 call csagent+0xe4124 (fffff806`71514124)
fffff806`71511503 4533d2 xor r10d,r10d
6: kd> db ffff840500000074
db ffff840500000074
ffff8405`00000074 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ffff8405`00000084 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ffff8405`00000094 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ffff8405`000000a4 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ffff8405`000000b4 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ffff8405`000000c4 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ffff8405`000000d4 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
ffff8405`000000e4 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
typedef union _FLT_PARAMETERS {
... ;
struct {
PIO_SECURITY_CONTEXT SecurityContext;
ULONG Options;
USHORT POINTER_ALIGNMENT Reserved;
USHORT ShareAccess;
PVOID Parameters;
} CreatePipe;
... ;
} FLT_PARAMETERS, *PFLT_PARAMETERS;
6: kd>!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csagent
Hive ffff84059ca7b000
KeyNode ffff8405a6f67f9c
[SubKeyAddr] [SubKeyName]
ffff8405a6f683ac Instances
ffff8405a6f6854c Sim
Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details
[ValueType] [ValueName] [ValueData]
REG_DWORD Type 2
REG_DWORD Start 1
REG_DWORD ErrorControl 1
REG_EXPAND_SZ ImagePath \??\C:\Windows\system32\drivers\CrowdStrike\csagent.sys
REG_SZ DisplayName CrowdStrike Falcon
REG_SZ Group FSFilter Activity Monitor
REG_MULTI_SZ DependOnService FltMgr\0
REG_SZ CNFG Config.sys
REG_DWORD SupportedFeatures f
!ca ffffde8a870a8290
ControlArea @ ffffde8a870a8290
Segment ffff880ce0689c10 Flink ffffde8a87267718 Blink ffffde8a870a7d98
Section Ref 0 Pfn Ref b Mapped Views 0
User Ref 0 WaitForDel 0 Flush Count 0
File Object ffffde8a879b29a0 ModWriteCount 0 System Views 0
WritableRefs 0 PartitionId 0
Flags (8008080) File WasPurged OnUnusedList
\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000032.sys
1: kd> !ntfskd.ccb ffff880ce06f6970
!ntfskd.ccb ffff880ce06f6970
Ccb: ffff880c`e06f6970
Flags: 00008003 Cleanup OpenAsFile IgnoreCase
Flags2: 00000841 OpenComplete AccessAffectsOplocks SegmentObjectReferenced
Type: UserFileOpen
FileObj: ffffde8a879b29a0
ffff880c`db937370 FullFileName [\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000032.sys]
000000000000004C LastFileNameOffset
0000000000000000 EaModificationCount
0000000000000000 NextEaOffset
FFFF880CE06F69F8 Lcb
(058) 0000000000000002 TypeOfOpen
6: kd> lmDvmCSFirmwareAnalysis
lmDvmCSFirmwareAnalysis
Browse full module list
start end module name
fffff806`58920000 fffff806`5893c000 CSFirmwareAnalysis (deferred)
Image path: \SystemRoot\system32\DRIVERS\CSFirmwareAnalysis.sys
Image name: CSFirmwareAnalysis.sys
Browse all global symbols functions data Symbol Reload
Timestamp: Mon Mar 18 11:32:14 2024 (65F888AE)
CheckSum: 0002020E
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
6: kd> lmDvmcspcm4
lmDvmcspcm4
Browse full module list
start end module name
fffff806`71870000 fffff806`7187d000 cspcm4 (deferred)
Image path: \??\C:\Windows\system32\drivers\CrowdStrike\cspcm4.sys
Image name: cspcm4.sys
Browse all global symbols functions data Symbol Reload
Timestamp: Mon Jul 8 18:33:22 2024 (668C9362)
CheckSum: 00012F69
ImageSize: 0000D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
6: kd> lmDvmcsboot.sys
lmDvmcsboot.sys
Browse full module list
start end module name
Unloaded modules:
fffff806`587d0000 fffff806`587dc000 CSBoot.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 0000C000
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csboot
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csboot
Hive ffff84059ca7b000
KeyNode ffff8405a6f68924
[ValueType] [ValueName] [ValueData]
REG_DWORD Type 1
REG_DWORD Start 0
REG_DWORD ErrorControl 1
REG_EXPAND_SZ ImagePath system32\drivers\CrowdStrike\CSBoot.sys
REG_SZ DisplayName CrowdStrike Falcon Sensor Boot Driver
REG_SZ Group Early-Launch
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csdevicecontrol
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csdevicecontrol
Hive ffff84059ca7b000
KeyNode ffff8405a6f694ac
[SubKeyAddr] [VolatileSubKeyName]
ffff84059ce196c4 Enum
Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details
[ValueType] [ValueName] [ValueData]
REG_DWORD Type 1
REG_DWORD Start 3
REG_DWORD ErrorControl 1
REG_DWORD Tag 1f
REG_EXPAND_SZ ImagePath \SystemRoot\System32\drivers\CSDeviceControl.sys
REG_SZ DisplayName @oem40.inf,%DeviceControl.SVCDESC%;CrowdStrike Device Control Service
REG_SZ Group Base
REG_MULTI_SZ Owners oem40.inf\0!csdevicecontrol.inf_amd64_b6725a84d4688d5a\0!csdevicecontrol.inf_amd64_016e965488e83578\0
REG_DWORD BootFlags 14
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csagent
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csagent
Hive ffff84059ca7b000
KeyNode ffff8405a6f67f9c
[SubKeyAddr] [SubKeyName]
ffff8405a6f683ac Instances
ffff8405a6f6854c Sim
Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details
[ValueType] [ValueName] [ValueData]
REG_DWORD Type 2
REG_DWORD Start 1
REG_DWORD ErrorControl 1
REG_EXPAND_SZ ImagePath \??\C:\Windows\system32\drivers\CrowdStrike\csagent.sys
REG_SZ DisplayName CrowdStrike Falcon
REG_SZ Group FSFilter Activity Monitor
REG_MULTI_SZ DependOnService FltMgr\0
REG_SZ CNFG Config.sys
REG_DWORD SupportedFeatures f
6: kd> lmDvmCSFirmwareAnalysis
lmDvmCSFirmwareAnalysis
Browse full module list
start end module name
fffff806`58920000 fffff806`5893c000 CSFirmwareAnalysis (deferred)
Image path: \SystemRoot\system32\DRIVERS\CSFirmwareAnalysis.sys
Image name: CSFirmwareAnalysis.sys
Browse all global symbols functions data Symbol Reload
Timestamp: Mon Mar 18 11:32:14 2024 (65F888AE)
CheckSum: 0002020E
ImageSize: 0001C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csfirmwareanalysis
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csfirmwareanalysis
Hive ffff84059ca7b000
KeyNode ffff8405a6f69d9c
[SubKeyAddr] [VolatileSubKeyName]
ffff84059ce197cc Enum
Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details
[ValueType] [ValueName] [ValueData]
REG_DWORD Type 1
REG_DWORD Start 0
REG_DWORD ErrorControl 1
REG_DWORD Tag 6
REG_EXPAND_SZ ImagePath system32\DRIVERS\CSFirmwareAnalysis.sys
REG_SZ DisplayName @oem43.inf,%FirmwareAnalysis.SVCDESC%;CrowdStrike Firmware Analysis Service
REG_SZ Group Boot Bus Extender
REG_MULTI_SZ Owners oem43.inf\0!csfirmwareanalysis.inf_amd64_12861fc608fb1440\0
6: kd> !reg querykey \REGISTRY\MACHINE\system\Controlset001\control\earlylaunch
!reg querykey \REGISTRY\MACHINE\system\Controlset001\control\earlylaunch
为什么安全解决方案,必须依赖内核驱动程序
性能
防篡改能力
如何在更高安全模式下进行部署
安全启动(Secure Boot):通过在系统启动过程中强制执行签名一致性,防止早期启动恶意软件和rootkit
测量启动(Measured Boot):通过集成的证明服务(如设备健康证明)提供基于TPM的硬件加密测量,以检测启动时的属性。
内存完整性(Memory integrity,也称HVCI):防止在内核中运行时生成动态代码,确保控制流完整性
易受攻击驱动程序阻止列表:集成在操作系统中并由微软管理,与恶意驱动程序黑名单相辅相成
受保护的本地安全机构(Protected Local Security Authority):负责保护一系列凭据,企业版默认开启基于硬件的凭据保护
Microsoft Defender Antivirus:在整个操作系统中提供反恶意软件保护
通过App Control for Business来编写一个安全策略,只允许受信任和/或业务关键的应用程序 结合内存完整性(Memory integrity)与特定的允许列表策略,利用基于虚拟化的安全性(VBS)进一步保护Windows内核 以标准用户身份运行,并仅在必要时提升权限 使用设备健康证明(Device Health Attestation, DHA)监控设备的正确安全策略,包括硬件基础的机器安全姿态测量
为反恶意软件生态提供最佳实践
最后,微软计划利用新推出的数十种安全功能和架构改进,来帮助反恶意软件完成方法的现代化,从而提升安全性和可靠性:
提供安全部署指南、最佳实践和技术,使执行安全产品更新更安全
减少内核驱动程序访问重要安全数据的需求
提供增强的隔离和防篡改能力,如VBS enclaves技术
启用零信任方法,如高完整性证明
微信扫码关注该文公众号作者
戳这里提交新闻线索和高质量文章给我们。
来源: qq
点击查看作者最近其他文章