Comments on: Crash Dump Analysis Patterns (Part 55) https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Tue, 19 May 2026 10:47:01 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-741735 Dmitry Vostokov Sun, 19 Feb 2017 10:23:37 +0000 https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-741735 Another example: <p align="left">0:001> k # Child-SP RetAddr Call Site 00 00000005`8d71deb8 00007ffb`322b918f ntdll!NtWaitForMultipleObjects+0xa 01 00000005`8d71dec0 00007ffb`322b908e KERNELBASE!WaitForMultipleObjectsEx+0xef 02 00000005`8d71e1c0 00007ffb`32c2155c KERNELBASE!WaitForMultipleObjects+0xe 03 00000005`8d71e200 00007ffb`32c21088 kernel32!WerpReportFaultInternal+0x494 04 00000005`8d71e770 00007ffb`322e03cd kernel32!WerpReportFault+0x48 05 00000005`8d71e7a0 00007ffb`34e48cd2 KERNELBASE!UnhandledExceptionFilter+0x1fd 06 00000005`8d71e8a0 00007ffb`34e34296 ntdll!RtlUserThreadStart$filt$0+0x3e 07 00000005`8d71e8e0 00007ffb`34e4666d ntdll!_C_specific_handler+0x96 08 00000005`8d71e950 00007ffb`34dc3c00 ntdll!RtlpExecuteHandlerForException+0xd 09 00000005`8d71e980 00007ffb`34e4577a ntdll!RtlDispatchException+0x370 0a 00000005`8d71f080 00007ffb`2fb57749 ntdll!KiUserExceptionDispatch+0x3a 0b 00000005`8d71f790 00007ffb`2fbafba5 uDWM!CBaseObject::Release+0x15 0c 00000005`8d71f7c0 00007ffb`2fb9f6dc uDWM!CWindowData::SetIconicBitmap+0x21 0d 00000005`8d71f7f0 00007ffb`2fbaddde uDWM!`ScalingCompatLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1497c 0e 00000005`8d71f820 00007ffb`2fbae13b uDWM!CIconicBitmapRegistry::AcceptBitmap+0x56 0f 00000005`8d71f860 00007ffb`2fbb9d09 uDWM!CIconicBitmapRegistry::BitmapReceived+0x267 10 00000005`8d71fa50 00007ffb`2fb9d9b0 uDWM!CWindowList::SetIconicThumbnail+0x105 11 00000005`8d71fac0 00007ffb`2fb12c0f uDWM!`ScalingCompatLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x12c50 12 00000005`8d71fc40 00007ffb`2fb1d171 dwmredir!CSessionPort::ProcessCommand+0x34f 13 00000005`8d71fcf0 00007ffb`2fb1c889 dwmredir!CPortBase::PortThreadInternal+0x241 14 00000005`8d71fda0 00007ffb`32c12d92 dwmredir!CPortBase::PortThread+0x9 15 00000005`8d71fdd0 00007ffb`34db9f64 kernel32!BaseThreadInitThunk+0x22 16 00000005`8d71fe00 00000000`00000000 ntdll!RtlUserThreadStart+0x34 <p align="left">0:001> .cxr 00000005`8d71f080 rax=0000000000000001 rbx=00390035003a0039 rcx=00390035003a0039 rdx=0000000000000000 rsi=00000000ffffffff rdi=00000005919e6f20 rip=00007ffb2fb57749 rsp=000000058d71f790 rbp=000000058d71f960 r8=00000000000002e3 r9=00000000000002e3 r10=000000058bcc7630 r11=000000059400fbd0 r12=000000058bcc7620 r13=00000005920e0000 r14=0000000000000047 r15=000000000000006c iopl=0 nv up ei ng nz na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 uDWM!CBaseObject::Release+0x15: 00007ffb`2fb57749 f00fc17108 lock xadd dword ptr [rcx+8],esi ds:00390035`003a0041=???????? <p align="left">0:001> .formats rcx Evaluate expression: Hex: 00390035`003a0039 Decimal: 16044301309575225 Octal: 0000710003240016400071 Binary: 00000000 00111001 00000000 00110101 00000000 00111010 00000000 00111001 Chars: .9.5.:.9 Time: Sat Nov 4 19:02:10.957 1651 (UTC + 0:00) Float: low 5.32654e-039 high 5.2347e-039 Double: 1.39072e-307 Another example:

0:001> k
# Child-SP RetAddr Call Site
00 00000005`8d71deb8 00007ffb`322b918f ntdll!NtWaitForMultipleObjects+0xa
01 00000005`8d71dec0 00007ffb`322b908e KERNELBASE!WaitForMultipleObjectsEx+0xef
02 00000005`8d71e1c0 00007ffb`32c2155c KERNELBASE!WaitForMultipleObjects+0xe
03 00000005`8d71e200 00007ffb`32c21088 kernel32!WerpReportFaultInternal+0×494
04 00000005`8d71e770 00007ffb`322e03cd kernel32!WerpReportFault+0×48
05 00000005`8d71e7a0 00007ffb`34e48cd2 KERNELBASE!UnhandledExceptionFilter+0×1fd
06 00000005`8d71e8a0 00007ffb`34e34296 ntdll!RtlUserThreadStart$filt$0+0×3e
07 00000005`8d71e8e0 00007ffb`34e4666d ntdll!_C_specific_handler+0×96
08 00000005`8d71e950 00007ffb`34dc3c00 ntdll!RtlpExecuteHandlerForException+0xd
09 00000005`8d71e980 00007ffb`34e4577a ntdll!RtlDispatchException+0×370
0a 00000005`8d71f080 00007ffb`2fb57749 ntdll!KiUserExceptionDispatch+0×3a
0b 00000005`8d71f790 00007ffb`2fbafba5 uDWM!CBaseObject::Release+0×15
0c 00000005`8d71f7c0 00007ffb`2fb9f6dc uDWM!CWindowData::SetIconicBitmap+0×21
0d 00000005`8d71f7f0 00007ffb`2fbaddde uDWM!`ScalingCompatLogging::Instance’::`2′::`dynamic atexit destructor for ‘wrapper”+0×1497c
0e 00000005`8d71f820 00007ffb`2fbae13b uDWM!CIconicBitmapRegistry::AcceptBitmap+0×56
0f 00000005`8d71f860 00007ffb`2fbb9d09 uDWM!CIconicBitmapRegistry::BitmapReceived+0×267
10 00000005`8d71fa50 00007ffb`2fb9d9b0 uDWM!CWindowList::SetIconicThumbnail+0×105
11 00000005`8d71fac0 00007ffb`2fb12c0f uDWM!`ScalingCompatLogging::Instance’::`2′::`dynamic atexit destructor for ‘wrapper”+0×12c50
12 00000005`8d71fc40 00007ffb`2fb1d171 dwmredir!CSessionPort::ProcessCommand+0×34f
13 00000005`8d71fcf0 00007ffb`2fb1c889 dwmredir!CPortBase::PortThreadInternal+0×241
14 00000005`8d71fda0 00007ffb`32c12d92 dwmredir!CPortBase::PortThread+0×9
15 00000005`8d71fdd0 00007ffb`34db9f64 kernel32!BaseThreadInitThunk+0×22
16 00000005`8d71fe00 00000000`00000000 ntdll!RtlUserThreadStart+0×34

0:001> .cxr 00000005`8d71f080
rax=0000000000000001 rbx=00390035003a0039 rcx=00390035003a0039
rdx=0000000000000000 rsi=00000000ffffffff rdi=00000005919e6f20
rip=00007ffb2fb57749 rsp=000000058d71f790 rbp=000000058d71f960
r8=00000000000002e3 r9=00000000000002e3 r10=000000058bcc7630
r11=000000059400fbd0 r12=000000058bcc7620 r13=00000005920e0000
r14=0000000000000047 r15=000000000000006c
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
uDWM!CBaseObject::Release+0×15:
00007ffb`2fb57749 f00fc17108 lock xadd dword ptr [rcx+8],esi ds:00390035`003a0041=????????

0:001> .formats rcx
Evaluate expression:
Hex: 00390035`003a0039
Decimal: 16044301309575225
Octal: 0000710003240016400071
Binary: 00000000 00111001 00000000 00110101 00000000 00111010 00000000 00111001
Chars: .9.5.:.9
Time: Sat Nov 4 19:02:10.957 1651 (UTC + 0:00)
Float: low 5.32654e-039 high 5.2347e-039
Double: 1.39072e-307

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 110) https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-194237 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 110) Mon, 18 Oct 2010 14:09:18 +0000 https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-194237 [...] call stack) boundaries. Its effect is visible when the buffer data contains pointers that become wild after the overwrite and are later dereferenced resulting in a crash. For example, when the [...] […] call stack) boundaries. Its effect is visible when the buffer data contains pointers that become wild after the overwrite and are later dereferenced resulting in a crash. For example, when the […]

]]> By: Software Generalist » Blog Archive » Reading Notebook: 09-April-10 https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-142586 Software Generalist » Blog Archive » Reading Notebook: 09-April-10 Sat, 10 Apr 2010 00:25:18 +0000 https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-142586 [...] m_CodeOrIL: 00920070 (p. 61) - the address looks like as UNICODE string but I belive this is just a coincidence, the false positive of Wild Pointer pattern: http://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/ [...] […] m_CodeOrIL: 00920070 (p. 61) - the address looks like as UNICODE string but I belive this is just a coincidence, the false positive of Wild Pointer pattern: http://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/ […]

]]> By: Crash Dump Analysis » Blog Archive » Manual dump, virtualized process, stack trace collection, multiple exceptions, optimized code, wild code pointer, incorrect stack trace and hidden exception: pattern cooperation https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-77719 Crash Dump Analysis » Blog Archive » Manual dump, virtualized process, stack trace collection, multiple exceptions, optimized code, wild code pointer, incorrect stack trace and hidden exception: pattern cooperation Thu, 04 Jun 2009 09:34:07 +0000 https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-77719 [...] code is through an invalid address 0×161dc2c so we might guess that this was an instance of wild code pointer or the case of incorrect stack trace. However using techniques to get exception context from hidden [...] […] code is through an invalid address 0×161dc2c so we might guess that this was an instance of wild code pointer or the case of incorrect stack trace. However using techniques to get exception context from hidden […]

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 6a) https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-24890 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 6a) Mon, 28 Apr 2008 18:23:25 +0000 https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-24890 [...] the pointer value to be non-NULL might not work if the pointer value is random (Wild Pointer pattern) but at least it eliminates this class of problems. NULL pointers can be NULL data [...] […] the pointer value to be non-NULL might not work if the pointer value is random (Wild Pointer pattern) but at least it eliminates this class of problems. NULL pointers can be NULL data […]

]]> By: newsoft https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-20993 newsoft Tue, 18 Mar 2008 11:45:48 +0000 https://www.dumpanalysis.org/blog/index.php/2008/03/11/crash-dump-analysis-patterns-part-55/#comment-20993 BTW, if EIP/RIP has been subverted to this point, you have a clear security issue in your code :) BTW, if EIP/RIP has been subverted to this point, you have a clear security issue in your code :)

]]>