Comments on: Crash Dump Analysis Patterns (Part 8)

By: Dmitry Vostokov

Dmitry Vostokov — Sat, 07 May 2016 15:10:52 +0000

On Windows 10 RSP below KiUserExceptionDispatch can be used as an address for .cxr command:

[…]
00000023`d432f4e8 00000023`d3e3c190
00000023`d432f4f0 00000000`00000000
00000023`d432f4f8 00007ffa`e5c5577a ntdll!KiUserExceptionDispatch+0×3a
00000023`d432f500 00000000`00000000
00000023`d432f508 00000000`00000810
[…]

0:001> .cxr 00000023`d432f500
rax=0000000000000000 rbx=0000000000000000 rcx=00007ff676f399b0
rdx=0000000000000000 rsi=00000023d3e3c190 rdi=00007ff676f211e0
rip=00007ff676f2120d rsp=00000023d432fc30 rbp=0000000000000000
r8=00006f6d5c4f5ead r9=0000000000000032 r10=0000000000000032
r11=00000023d432f960 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Application+0×120d:
00007ff6`76f2120d c70000000000 mov dword ptr [rax],0 ds:00000000`00000000=????????

By: Dmitry Vostokov

Dmitry Vostokov — Fri, 15 May 2015 15:16:24 +0000

Sometimes we can spot 0001003f and its address can be the beginning of a context record:

[…]
0070f668 00000000
0070f66c 00000000
0070f670 00000000
0070f674 00000000
0070f678 00000000
0070f67c 0001003f
[…]

By: Crash Dump Analysis » Blog Archive » Coupled processes, wait chains, message box, waiting thread time, paged out data, incorrect stack trace, hidden exception, unknown component and execution residue: pattern cooperation

Fri, 13 Aug 2010 19:09:24 +0000

[…] We also see that stack trace is incorrect and we try to reconstruct the point of exception by looking at thread raw stack and searching for any hidden exception: […]

By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 105)

Thu, 05 Aug 2010 20:07:43 +0000

[…] see any exception thread it doesn’t mean that no exception had occurred. There could be hidden exceptions on raw stack […]

By: Crash Dump Analysis » Blog Archive » Strong process coupling, stack trace collection, critical section coruption and wait chains, message box, self-diagnosis and hidden exception and dynamic memory corruption: pattern cooperation

Mon, 26 Apr 2010 20:00:29 +0000

[…] was an exception indeed diagnosed by FilterException call. The exception is probably hidden somewhere on the raw […]

By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 12)

Thu, 25 Mar 2010 15:55:17 +0000

[…] we introduce an icon for Hidden Exception […]

By: Crash Dump Analysis » Blog Archive » Statement current, coupled processes, wait chain, spiking thread, hidden exception, and not my version: memory dump and trace analysis pattern cooperation

Mon, 12 Oct 2009 19:11:37 +0000

[…] Looking at the raw stack data (using !teb and dds WinDbg commands) we see a hidden processed exception: […]

By: Crash Dump Analysis » Blog Archive » WOW64 process, NULL data pointer, stack overflow, main thread, incorrect stack trace, nested exceptions, hidden exception, manual dump, multiple exceptions and virtualized system: pattern cooperation

Sun, 12 Jul 2009 16:59:16 +0000

[…] addresses we used to try for .exr and .cxr commands in hidden exception pattern are beyond user space and we therefore conclude that somehow such structures or pointers […]

By: Crash Dump Analysis » Blog Archive » Manual dump, virtualized process, stack trace collection, multiple exceptions, optimized code, wild code pointer, incorrect stack trace and hidden exception: pattern cooperation

Thu, 04 Jun 2009 09:34:51 +0000

[…] or the case of incorrect stack trace. However using techniques to get exception context from hidden exceptions we get the following stack […]

By: !analyze -v : Crash Dump Analysis Patterns (Part 8)

!analyze -v : Crash Dump Analysis Patterns (Part 8) — Thu, 18 Sep 2008 05:24:41 +0000

[…] 원문 http://www.dumpanalysis.org/blog/index.php/2007/02/02/crash-dump-analysis-patterns-part-8/ […]