Comments for Crash Dump Analysis http://www.dumpanalysis.org/blog Exploring Crash Dumps and Debugging Techniques on Windows Platforms Wed, 14 May 2008 02:24:18 +0000 http://wordpress.org/?v=2.3.3 Comment on Crash Dump Analysis Patterns (Part 16a) by Bill http://www.dumpanalysis.org/blog/index.php/2007/06/21/crash-dump-analysis-patterns-part-16a/#comment-26946 Bill Mon, 12 May 2008 17:56:39 +0000 http://www.dumpanalysis.org/blog/index.php/2007/06/21/crash-dump-analysis-patterns-part-16a/#comment-26946 Dmitry This dump file gives clues as to the trap and .tss selector. What do these clues mean: 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: f7727fe0 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ WARNING: Process directory table base AFFB7740 doesn't match CR3 00545000 Unable to get PEB pointer WARNING: Process directory table base AFFB7740 doesn't match CR3 00545000 Unable to get PEB pointer BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=00000000 ebx=f78dd100 ecx=a53a5b40 edx=007ffff8 esi=80000000 edi=c0603018 eip=8085e1d0 esp=f78dcfb8 ebp=f78dd008 iopl=0 nv up ei ng nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286 nt!MmAccessFault+0x8: 8085e1d0 and dword ptr [ebp-1Ch],0 ss:0010:f78dcfec=00000000 Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: drwtsn32.exe CURRENT_IRQL: 2 TRAP_FRAME: f78dd308 -- (.trap 0xfffffffff78dd308) ErrCode = 00000000 eax=40000000 ebx=c0400000 ecx=c0603018 edx=007ffff8 esi=80000000 edi=00000001 eip=8084d509 esp=f78dd37c ebp=f78dd3e8 iopl=0 nv up ei pl nz na po cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203 nt!MiCheckPdeForPagedPool+0x73: 8084d509 mov eax,dword ptr [ecx] ds:0023:c0603018=00549063 Resetting default scope LAST_CONTROL_TRANSFER: from 8088c798 to 8085e1d0 STACK_TEXT: f78dd008 8088c798 00000000 c0603018 00000000 nt!MmAccessFault+0x8 (the dump file continues) Dmitry

This dump file gives clues as to the trap and .tss selector. What do these clues mean:

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it’s a trap of a kind
that the kernel isn’t allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: f7727fe0
Arg3: 00000000
Arg4: 00000000

Debugging Details:
——————

WARNING: Process directory table base AFFB7740 doesn’t match CR3 00545000
Unable to get PEB pointer

WARNING: Process directory table base AFFB7740 doesn’t match CR3 00545000
Unable to get PEB pointer

BUGCHECK_STR: 0×7f_8

TSS: 00000028 — (.tss 0×28)
eax=00000000 ebx=f78dd100 ecx=a53a5b40 edx=007ffff8 esi=80000000 edi=c0603018
eip=8085e1d0 esp=f78dcfb8 ebp=f78dd008 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!MmAccessFault+0×8:
8085e1d0 and dword ptr [ebp-1Ch],0 ss:0010:f78dcfec=00000000
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: drwtsn32.exe

CURRENT_IRQL: 2

TRAP_FRAME: f78dd308 — (.trap 0xfffffffff78dd308)
ErrCode = 00000000
eax=40000000 ebx=c0400000 ecx=c0603018 edx=007ffff8 esi=80000000 edi=00000001
eip=8084d509 esp=f78dd37c ebp=f78dd3e8 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
nt!MiCheckPdeForPagedPool+0×73:
8084d509 mov eax,dword ptr [ecx] ds:0023:c0603018=00549063
Resetting default scope

LAST_CONTROL_TRANSFER: from 8088c798 to 8085e1d0

STACK_TEXT:
f78dd008 8088c798 00000000 c0603018 00000000 nt!MmAccessFault+0×8

(the dump file continues)

]]> Comment on Memory Dump Analysis using Excel by Dmitry Vostokov http://www.dumpanalysis.org/blog/index.php/2007/11/09/memory-dump-analysis-using-excel/#comment-26932 Dmitry Vostokov Mon, 12 May 2008 16:06:32 +0000 http://www.dumpanalysis.org/blog/index.php/2007/11/09/memory-dump-analysis-using-excel/#comment-26932 Component Age Diagrams (CAD): http://www.dumpanalysis.org/blog/index.php/2008/05/12/how-old-is-your-application-or-system/ Component Age Diagrams (CAD):

http://www.dumpanalysis.org/blog/index.php/2008/05/12/how-old-is-your-application-or-system/

]]> Comment on Crash Dump Analysis Poster v1.1 (HTML version) by Dmitry Vostokov http://www.dumpanalysis.org/blog/index.php/2007/04/22/crash-dump-analysis-poster-v11-html-version/#comment-26492 Dmitry Vostokov Fri, 09 May 2008 10:30:00 +0000 http://www.dumpanalysis.org/blog/index.php/2007/04/22/crash-dump-analysis-poster-v11-html-version/#comment-26492 Now the new version 2.0 is posted that uses online MSDN docs. No need to copy HTML locally :-) Please give it a try Now the new version 2.0 is posted that uses online MSDN docs. No need to copy HTML locally :-) Please give it a try

]]> Comment on ASLR: Address Space Layout Randomization by Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 10a) http://www.dumpanalysis.org/blog/index.php/2007/05/22/aslr-address-space-layout-randomization/#comment-26229 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 10a) Wed, 07 May 2008 13:05:29 +0000 http://www.dumpanalysis.org/blog/index.php/2007/05/22/aslr-address-space-layout-randomization/#comment-26229 [...] similar address space reshuffling happens with ASLR-enabled applications with the difference that system DLLs are never remapped below [...] […] similar address space reshuffling happens with ASLR-enabled applications with the difference that system DLLs are never remapped below […]

]]> Comment on Crash Dump Analysis Patterns (Part 10) by Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 10a) http://www.dumpanalysis.org/blog/index.php/2007/03/19/crash-dump-analysis-patterns-part-10/#comment-26228 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 10a) Wed, 07 May 2008 13:04:24 +0000 http://www.dumpanalysis.org/blog/index.php/2007/03/19/crash-dump-analysis-patterns-part-10/#comment-26228 [...] Layout is a specialization of the general Changed Environment pattern where the whole modules are moved in virtual memory by changing their load order and load [...] […] Layout is a specialization of the general Changed Environment pattern where the whole modules are moved in virtual memory by changing their load order and load […]

]]> Comment on What is KiFastSystemCallRet? by If broken it is, fix it you should : ntdll!kifastSystemcallret, SharedUserData!SystemCallStub and search engines... http://www.dumpanalysis.org/blog/index.php/2008/01/10/what-is-kifastsystemcallret/#comment-26196 If broken it is, fix it you should : ntdll!kifastSystemcallret, SharedUserData!SystemCallStub and search engines... Wed, 07 May 2008 09:31:35 +0000 http://www.dumpanalysis.org/blog/index.php/2008/01/10/what-is-kifastsystemcallret/#comment-26196 [...] paint dry:)  but if you're interested in the details you can read more about it here.  What is interesting though is where you see it, and that is probably what gets people [...] […] paint dry:)  but if you’re interested in the details you can read more about it here.  What is interesting though is where you see it, and that is probably what gets people […]

]]> Comment on Windows® Debugging Notebook by Dmitry Vostokov http://www.dumpanalysis.org/blog/index.php/2008/04/25/windows-debugging-notebook/#comment-25450 Dmitry Vostokov Sat, 03 May 2008 08:51:25 +0000 http://www.dumpanalysis.org/blog/index.php/2008/04/25/windows-debugging-notebook/#comment-25450 Table of Contents: http://www.dumpanalysis.org/blog/index.php/2008/05/01/draft-toc-for-wdn-book/ Table of Contents:

http://www.dumpanalysis.org/blog/index.php/2008/05/01/draft-toc-for-wdn-book/

]]> Comment on Draft TOC for WDN book by Dmitry Vostokov http://www.dumpanalysis.org/blog/index.php/2008/05/01/draft-toc-for-wdn-book/#comment-25332 Dmitry Vostokov Fri, 02 May 2008 11:07:54 +0000 http://www.dumpanalysis.org/blog/index.php/2008/05/01/draft-toc-for-wdn-book/#comment-25332 Thank you all! Also answering the question about the purpose of hexadecimal page numbering. It is for teaching this notation in the most natural way! Still after all these debugging years I cannot remember by heart the decimal value of 0xD :-) Thank you all! Also answering the question about the purpose of hexadecimal page numbering. It is for teaching this notation in the most natural way! Still after all these debugging years I cannot remember by heart the decimal value of 0xD :-)

]]> Comment on Draft TOC for WDN book by Jeff Curless http://www.dumpanalysis.org/blog/index.php/2008/05/01/draft-toc-for-wdn-book/#comment-25311 Jeff Curless Fri, 02 May 2008 07:36:42 +0000 http://www.dumpanalysis.org/blog/index.php/2008/05/01/draft-toc-for-wdn-book/#comment-25311 Speaking of your books, I just got your hardcover Memory Dump Analysis book. You should be having a bunch more people buying it, as I showed it off at the OSR File Systems Internals course I just took. Great book! Speaking of your books, I just got your hardcover Memory Dump Analysis book. You should be having a bunch more people buying it, as I showed it off at the OSR File Systems Internals course I just took. Great book!

]]> Comment on Draft TOC for WDN book by DC http://www.dumpanalysis.org/blog/index.php/2008/05/01/draft-toc-for-wdn-book/#comment-25220 DC Thu, 01 May 2008 15:32:42 +0000 http://www.dumpanalysis.org/blog/index.php/2008/05/01/draft-toc-for-wdn-book/#comment-25220 Hi Dmitry, Thanks a bunch for sharing all these debugging techniques at this web site. I really appreciate it, and can't wait to see this new book. And, what is the hexadecimal and binary page numbering for? Thanks and best wishes, D.C. Hi Dmitry, Thanks a bunch for sharing all these debugging techniques at this web site. I really appreciate it, and can’t wait to see this new book. And, what is the hexadecimal and binary page numbering for? Thanks and best wishes, D.C.

]]>