By: Dmitry Vostokov

Dmitry Vostokov — Wed, 05 Oct 2016 15:28:49 +0000

By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 20)

Thu, 08 Apr 2010 16:26:42 +0000

[…] Today we introduce an icon for OMAP Code Optimization pattern: […]

By: !analyze -v : Crash Dump Analysis Patterns (Part 5b)

!analyze -v : Crash Dump Analysis Patterns (Part 5b) — Thu, 18 Sep 2008 08:20:48 +0000

[…] Crash Dump Analysis Patterns (Part 5b) […]

By: Dmitry Vostokov

Dmitry Vostokov — Tue, 22 May 2007 12:07:39 +0000

Another example of OMAP when we try to disassemble backwards:

ChildEBP RetAddr Args to Child 0006f87c 01034efb application!MultiUserLogonAttempt+0x5ba 0006fee4 01037120 application!LogonAttempt+0x406

1: kd> ub application!LogonAttempt+0x406 ^ Unable to find valid previous instruction for 'ub application!LogonAttempt+0x406' 1: kd> u application!LogonAttempt+0x406 application!LogonAttempt+0x20b: 010348d5 add dword ptr [edx+10h],ebp

We have to specify the return address for MultiUserLogonAttempt:

1: kd> ub 01034efb application!LogonAttempt+0x3e4: 01034ed9 mov dword ptr [ebp-628h],ecx 01034edf mov ecx,dword ptr [ebp-61Ch] 01034ee5 mov dword ptr [eax+24h],ecx 01034ee8 push dword ptr [ebp-61Ch] 01034eee lea eax,[ebp-638h] 01034ef4 push eax 01034ef5 push ebx 01034ef6 call application!MultiUserLogonAttempt (0102c822)

1: kd> u 01034efb application!LogonAttempt+0x406: 01034efb mov ecx,dword ptr [ebp-628h] 01034f01 mov dword ptr [ebp-608h],eax 01034f07 mov eax,dword ptr [ebx+8] 01034f0a mov dword ptr [eax+24h],ecx 01034f0d cmp dword ptr [application!g_SessionId (010742dc)],0 01034f14 je application!LogonAttempt+0x47e (01034f73) 01034f16 lea eax,[ebx+1078h] 01034f1c push eax

Comments on: Crash Dump Analysis Patterns (Part 5b)

By: Dmitry Vostokov

By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 20)

By: !analyze -v : Crash Dump Analysis Patterns (Part 5b)

By: Dmitry Vostokov