Crash Dump Analysis Patterns (Part 60)
Tuesday, April 29th, 2008
In the pattern about NULL code pointer I created a simple program that crashes when we pass a NULL thread procedure pointer to the CreateThread function. We might expect to see little in the raw stack data because there was no user-supplied thread code. In reality, if we dump it we see lots of symbolic information for code and data, including ASCII and UNICODE fragments. I call these Execution Residue patterns; one of them is Exception Handling Residue, which we can use to check for hidden exceptions and to differentiate between 1st and 2nd chance exceptions. Code residues are very powerful for reconstructing stack traces manually or for looking for partial stack traces and historical information.
To show typical execution residues I created a small program, based on a Visual Studio Win32 project, that creates two additional threads. After we dismiss the About box, we create the first thread and then crash the process when creating the second thread because of the NULL thread procedure:
// Pointer type for a thread start routine: WINAPI calling convention,
// one PVOID argument, DWORD result (the same shape as ThreadProc below).
typedef DWORD (WINAPI *THREADPROC)(PVOID);
// Start routine of the first (valid) thread.
// It counts an unsigned 32-bit value down from 0xFFFFFFFF to zero with an
// empty loop body and then returns 0; pvParam is never read.
// The long busy loop is what leaves this thread inside ThreadProc at the
// moment the process crashes (see the ThreadProc+0x34 frame in the dump).
DWORD WINAPI ThreadProc(PVOID pvParam)
{
    unsigned int remaining = 0xFFFFFFFF;

    while (remaining)
    {
        --remaining;
    }

    return 0;
}
// Dialog procedure for the About box, extended to drive the demonstration.
//
// Returns TRUE for WM_INITDIALOG and for a WM_COMMAND carrying IDOK or
// IDCANCEL; returns FALSE for every other message or command id.
//
// When the dialog is dismissed it starts two threads in sequence:
//   1. a thread running ThreadProc (a long busy loop), and
//   2. a thread whose start address is deliberately NULL.
// The second call is the intentional defect this sample exists to show: in the
// dump that follows, the new thread's frame under kernel32!BaseThreadStart has
// instruction pointer 0x0. Keep it out of real code.
INT_PTR CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
    UNREFERENCED_PARAMETER(lParam);

    if (message == WM_INITDIALOG)
    {
        return (INT_PTR)TRUE;
    }

    // Anything other than OK/Cancel on WM_COMMAND is reported as unhandled.
    if (message != WM_COMMAND ||
        (LOWORD(wParam) != IDOK && LOWORD(wParam) != IDCANCEL))
    {
        return (INT_PTR)FALSE;
    }

    EndDialog(hDlg, LOWORD(wParam));

    // First thread: valid start routine. The CreateThread result is not
    // checked here; closing the handle only drops our reference, and the
    // thread itself keeps running (it is still looping in the dump).
    THREADPROC startRoutine = ThreadProc;
    HANDLE worker = CreateThread(NULL, 0, startRoutine, 0, 0, NULL);
    CloseHandle(worker);

    // Presumably gives the first thread time to start before the crash.
    Sleep(1000);

    // Second thread: NULL start address on purpose, which crashes the process.
    worker = CreateThread(NULL, 0, NULL, 0, 0, NULL);
    CloseHandle(worker);

    return (INT_PTR)TRUE;
}
When we open the crash dump we see these threads:
0:002> ~*kL
0 Id: cb0.9ac Suspend: 1 Teb: 7efdd000 Unfrozen
ChildEBP RetAddr
0012fdf4 00411554 user32!NtUserGetMessage+0x15
0012ff08 00412329 NullThread!wWinMain+0xa4
0012ffb8 0041208d NullThread!__tmainCRTStartup+0x289
0012ffc0 7d4e7d2a NullThread!wWinMainCRTStartup+0xd
0012fff0 00000000 kernel32!BaseProcessStart+0x28
1 Id: cb0.8b4 Suspend: 1 Teb: 7efda000 Unfrozen
ChildEBP RetAddr
01eafea4 7d63f501 ntdll!NtWaitForMultipleObjects+0x15
01eaff48 7d63f988 ntdll!EtwpWaitForMultipleObjectsEx+0xf7
01eaffb8 7d4dfe21 ntdll!EtwpEventPump+0x27f
01eaffec 00000000 kernel32!BaseThreadStart+0x34
2 Id: cb0.ca8 Suspend: 1 Teb: 7efd7000 Unfrozen
ChildEBP RetAddr
0222ffb8 7d4dfe21 NullThread!ThreadProc+0x34
0222ffec 00000000 kernel32!BaseThreadStart+0x34
# 3 Id: cb0.5bc Suspend: 1 Teb: 7efaf000 Unfrozen
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0236ffb8 7d4dfe21 0x0
0236ffec 00000000 kernel32!BaseThreadStart+0x34
4 Id: cb0.468 Suspend: -1 Teb: 7efac000 Unfrozen
ChildEBP RetAddr
01f7ffb4 7d674807 ntdll!NtTerminateThread+0x12
01f7ffc4 7d66509f ntdll!RtlExitUserThread+0x26
01f7fff4 00000000 ntdll!DbgUiRemoteBreakin+0x41
We see our first created thread looping:
0:003> ~2s
eax=cbcf04b5 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=0222ffb8
eip=00411aa4 esp=0222fee0 ebp=0222ffb8 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000282
NullThread!ThreadProc+0x34:
00411aa4 7402 je NullThread!ThreadProc+0x38 (00411aa8) [br=0]
0:002> u
NullThread!ThreadProc+0x34:
00411aa4 je NullThread!ThreadProc+0x38 (00411aa8)
00411aa6 jmp NullThread!ThreadProc+0x27 (00411a97)
00411aa8 xor eax,eax
00411aaa pop edi
00411aab pop esi
00411aac pop ebx
00411aad mov esp,ebp
00411aaf pop ebp
We might expect it to have very little in its raw stack data, but what we see when we dump the stack range reported by the !teb command is Thread Startup Residue, where some symbolic information might be coincidental:
0:002> dds 0222f000 02230000
0222f000 00000000
0222f004 00000000
0222f008 00000000
[...]
0222f104 00000000
0222f108 00000000
0222f10c 00000000
0222f110 7d621954 ntdll!RtlImageNtHeaderEx+0xee
0222f114 7efde000
0222f118 00000000
0222f11c 00000001
0222f120 000000e8
0222f124 004000e8 NullThread!_enc$textbss$begin <PERF> (NullThread+0xe8)
0222f128 00000000
0222f12c 0222f114
0222f130 00000000
0222f134 0222fca0
0222f138 7d61f1f8 ntdll!_except_handler3
0222f13c 7d621958 ntdll!RtlpRunTable+0x4a0
0222f140 ffffffff
0222f144 7d621954 ntdll!RtlImageNtHeaderEx+0xee
0222f148 7d6218ab ntdll!RtlImageNtHeader+0x1b
0222f14c 00000001
0222f150 00400000 NullThread!_enc$textbss$begin <PERF> (NullThread+0x0)
0222f154 00000000
0222f158 00000000
0222f15c 0222f160
0222f160 004000e8 NullThread!_enc$textbss$begin <PERF> (NullThread+0xe8)
0222f164 0222f7bc
0222f168 7d4dfea3 kernel32!ConsoleApp+0xe
0222f16c 00400000 NullThread!_enc$textbss$begin <PERF> (NullThread+0x0)
0222f170 7d4dfe77 kernel32!ConDllInitialize+0x1f5
0222f174 00000000
0222f178 7d4dfe8c kernel32!ConDllInitialize+0x20a
0222f17c 00000000
0222f180 00000000
[...]
0222f290 00000000
0222f294 0222f2b0
0222f298 7d6256e8 ntdll!bsearch+0x42
0222f29c 00180144
0222f2a0 0222f2b4
0222f2a4 7d625992 ntdll!ARRAY_FITS+0x29
0222f2a8 00000a8c
0222f2ac 00001f1c
0222f2b0 0222f2c0
0222f2b4 0222f2f4
0222f2b8 7d625944 ntdll!RtlpLocateActivationContextSection+0x1da
0222f2bc 00001f1c
0222f2c0 000029a8
[...]
0222f2e0 536cd652
0222f2e4 0222f334
0222f2e8 7d625b62 ntdll!RtlpFindUnicodeStringInSection+0x7b
0222f2ec 0222f418
0222f2f0 00000000
0222f2f4 0222f324
0222f2f8 7d6257f1 ntdll!RtlpFindNextActivationContextSection+0x64
0222f2fc 00181f1c
0222f300 c0150008
[...]
0222f320 7efd7000
0222f324 0222f344
0222f328 7d625cd2 ntdll!RtlFindNextActivationContextSection+0x46
0222f32c 0222f368
0222f330 0222f3a0
0222f334 0222f38c
0222f338 0222f340
0222f33c 00181f1c
0222f340 00000000
0222f344 0222f390
0222f348 7d625ad8 ntdll!RtlFindActivationContextSectionString+0xe1
0222f34c 0222f368
0222f350 0222f3a0
[...]
0222f38c 00000a8c
0222f390 0222f454
0222f394 7d626381 ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace+0xa57
0222f398 00000003
0222f39c 00000000
0222f3a0 00181f1c
0222f3a4 0222f418
0222f3a8 0222f3b4
0222f3ac 7d6a0340 ntdll!LdrApiDefaultExtension
0222f3b0 7d6263df ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace+0xb73
0222f3b4 00000040
0222f3b8 00000000
[...]
0222f420 00000000
0222f424 0222f458
0222f428 7d625f9a ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace+0x4c1
0222f42c 00020000
0222f430 0222f44c
0222f434 0222f44c
0222f438 0222f44c
0222f43c 00000002
0222f440 00000002
0222f444 7d625f9a ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace+0x4c1
0222f448 00020000
0222f44c 00000000
0222f450 00003cfb
0222f454 0222f5bc
0222f458 0222f4f4
0222f45c 0222f5bc
0222f460 7d626290 ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x346
0222f464 0222f490
0222f468 00000000
0222f46c 0222f69c
0222f470 7d6262f5 ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3de
0222f474 0222f510
0222f478 7d6a0340 ntdll!LdrApiDefaultExtension
0222f47c 7d626290 ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x346
0222f480 00000000
0222f484 00800000
[...]
0222f544 00000000
0222f548 00000001
0222f54c 7d6a0290 ntdll!LdrpHashTable+0x50
0222f550 00000000
0222f554 00500000
[...]
0222f59c 00000000
0222f5a0 0222f5d4
0222f5a4 7d6251d0 ntdll!LdrUnlockLoaderLock+0x84
0222f5a8 7d6251d7 ntdll!LdrUnlockLoaderLock+0xad
0222f5ac 00000000
0222f5b0 0222f69c
0222f5b4 00000000
0222f5b8 00003cfb
0222f5bc 0222f5ac
0222f5c0 7d626de0 ntdll!LdrGetDllHandleEx+0xbe
0222f5c4 0222f640
0222f5c8 7d61f1f8 ntdll!_except_handler3
0222f5cc 7d6251e0 ntdll!`string'+0x74
0222f5d0 ffffffff
0222f5d4 7d6251d7 ntdll!LdrUnlockLoaderLock+0xad
0222f5d8 7d626fb3 ntdll!LdrGetDllHandleEx+0x368
0222f5dc 00000001
0222f5e0 0ca80042
0222f5e4 7d626f76 ntdll!LdrGetDllHandleEx+0x329
0222f5e8 00000000
0222f5ec 7d626d0b ntdll!LdrGetDllHandle
0222f5f0 00000002
0222f5f4 001a0018
[...]
0222f640 0222f6a8
0222f644 7d61f1f8 ntdll!_except_handler3
0222f648 7d626e60 ntdll!`string'+0xb4
0222f64c ffffffff
0222f650 7d626f76 ntdll!LdrGetDllHandleEx+0x329
0222f654 7d626d23 ntdll!LdrGetDllHandle+0x18
0222f658 00000001
[...]
0222f66c 0222f6b8
0222f670 7d4dff0e kernel32!GetModuleHandleForUnicodeString+0x20
0222f674 00000001
0222f678 00000000
0222f67c 0222f6d4
0222f680 7d4dff1e kernel32!GetModuleHandleForUnicodeString+0x97
0222f684 00000000
0222f688 7efd7c00
0222f68c 00000002
0222f690 00000001
0222f694 00000000
0222f698 0222f6f0
0222f69c 7d4c0000 kernel32!_imp__NtFsControlFile <PERF> (kernel32+0x0)
0222f6a0 0222f684
0222f6a4 7efd7c00
0222f6a8 0222fb20
0222f6ac 7d4d89c4 kernel32!_except_handler3
0222f6b0 7d4dff28 kernel32!`string'+0x18
0222f6b4 ffffffff
0222f6b8 7d4dff1e kernel32!GetModuleHandleForUnicodeString+0x97
0222f6bc 7d4e001f kernel32!BasepGetModuleHandleExW+0x17f
0222f6c0 7d4e009f kernel32!BasepGetModuleHandleExW+0x23c
0222f6c4 00000000
0222f6c8 0222fc08
0222f6cc 00000001
0222f6d0 ffffffff
0222f6d4 001a0018
0222f6d8 7efd7c00
0222f6dc 0222fb50
0222f6e0 00000000
0222f6e4 00000000
0222f6e8 00000000
0222f6ec 02080000 oleaut32!_PictSaveEnhMetaFile+0x76
0222f6f0 0222f90c
0222f6f4 02080000 oleaut32!_PictSaveEnhMetaFile+0x76
0222f6f8 0222f704
0222f6fc 00000000
0222f700 7d4c0000 kernel32!_imp__NtFsControlFile <PERF> (kernel32+0x0)
0222f704 00000000
0222f708 02080000 oleaut32!_PictSaveEnhMetaFile+0x76
0222f70c 0222f928
0222f710 02080000 oleaut32!_PictSaveEnhMetaFile+0x76
0222f714 0222f720
0222f718 00000000
0222f71c 7d4c0000 kernel32!_imp__NtFsControlFile <PERF> (kernel32+0x0)
0222f720 00000000
0222f724 00000000
[...]
0222f7b8 0000f949
0222f7bc 0222fbf4
0222f7c0 7d4dfdd0 kernel32!_BaseDllInitialize+0x6b
0222f7c4 00000002
0222f7c8 00000000
0222f7cc 00000000
0222f7d0 7d4dfde4 kernel32!_BaseDllInitialize+0x495
0222f7d4 00000000
0222f7d8 7efde000
0222f7dc 7d4c0000 kernel32!_imp__NtFsControlFile <PERF> (kernel32+0x0)
0222f7e0 00000000
0222f7e4 00000000
[...]
0222f894 01c58ae0
0222f898 0222fac0
0222f89c 7d62155b ntdll!RtlAllocateHeap+0x460
0222f8a0 7d61f78c ntdll!RtlAllocateHeap+0xee7
0222f8a4 00000000
0222f8a8 0222fc08
[...]
0222f8d8 00000000
0222f8dc 7d621954 ntdll!RtlImageNtHeaderEx+0xee
0222f8e0 0222f9a4
0222f8e4 7d614c88 ntdll!$$VProc_ImageExportDirectory+0x2c48
0222f8e8 0222f9a6
0222f8ec 7d612040 ntdll!$$VProc_ImageExportDirectory
0222f8f0 00000221
0222f8f4 0222f944
0222f8f8 7d627405 ntdll!LdrpSnapThunk+0xc0
0222f8fc 0222f9a6
0222f900 00000584
0222f904 7d600000 ntdll!RtlDosPathSeperatorsString <PERF> (ntdll+0x0)
0222f908 7d613678 ntdll!$$VProc_ImageExportDirectory+0x1638
0222f90c 7d614c88 ntdll!$$VProc_ImageExportDirectory+0x2c48
0222f910 0222f9a4
0222f914 00000001
0222f918 0222f9a4
0222f91c 00000000
0222f920 0222f990
0222f924 7d6000f0 ntdll!RtlDosPathSeperatorsString <PERF> (ntdll+0xf0)
0222f928 0222f968
0222f92c 00000001
0222f930 0222f9a4
0222f934 7d6000f0 ntdll!RtlDosPathSeperatorsString <PERF> (ntdll+0xf0)
0222f938 0222f954
0222f93c 00000000
0222f940 00000000
0222f944 0222fa00
0222f948 7d62757a ntdll!LdrpGetProcedureAddress+0x189
0222f94c 0222f95c
0222f950 00000098
0222f954 00000005
0222f958 01c44f48
0222f95c 0222fb84
0222f960 7d62155b ntdll!RtlAllocateHeap+0x460
0222f964 7d61f78c ntdll!RtlAllocateHeap+0xee7
0222f968 00000000
0222f96c 0000008c
0222f970 00000000
0222f974 7d4d8472 kernel32!$$VProc_ImageExportDirectory+0x6d4e
0222f978 0222fa1c
0222f97c 7d627607 ntdll!LdrpGetProcedureAddress+0x274
0222f980 7d612040 ntdll!$$VProc_ImageExportDirectory
0222f984 002324f8
0222f988 7d600000 ntdll!RtlDosPathSeperatorsString <PERF> (ntdll+0x0)
0222f98c 0222faa8
0222f990 0000a7bb
0222f994 00221f08
0222f998 0222f9a4
0222f99c 7d627c2e ntdll!RtlDecodePointer
0222f9a0 00000000
0222f9a4 74520000
0222f9a8 6365446c
0222f9ac 5065646f
0222f9b0 746e696f
0222f9b4 00007265
0222f9b8 7d627c2e ntdll!RtlDecodePointer
0222f9bc 00000000
[...]
0222f9f8 01c40640
0222f9fc 00000000
0222fa00 7d6275b2 ntdll!LdrpGetProcedureAddress+0xb3
0222fa04 7d627772 ntdll!LdrpSnapThunk+0x31c
0222fa08 7d600000 ntdll!RtlDosPathSeperatorsString <PERF> (ntdll+0x0)
0222fa0c 0222fa44
0222fa10 00000000
0222fa14 0222faa8
0222fa18 00000000
0222fa1c 0222fab0
0222fa20 00000001
0222fa24 00000001
0222fa28 00000000
0222fa2c 0222fa9c
0222fa30 7d4c00e8 kernel32!_imp__NtFsControlFile <PERF> (kernel32+0xe8)
0222fa34 01c44fe0
0222fa38 00000001
0222fa3c 01c401a0
0222fa40 7d4c00e8 kernel32!_imp__NtFsControlFile <PERF> (kernel32+0xe8)
0222fa44 00110010
0222fa48 7d4d8478 kernel32!$$VProc_ImageExportDirectory+0x6d54
0222fa4c 00000000
0222fa50 0222fb0c
0222fa54 7d62757a ntdll!LdrpGetProcedureAddress+0x189
0222fa58 7d600000 ntdll!RtlDosPathSeperatorsString <PERF> (ntdll+0x0)
0222fa5c 00000000
0222fa60 0022faa8
0222fa64 0222fab0
0222fa68 0222fb0c
0222fa6c 7d627607 ntdll!LdrpGetProcedureAddress+0x274
0222fa70 7d6a0180 ntdll!LdrpLoaderLock
0222fa74 7d6275b2 ntdll!LdrpGetProcedureAddress+0xb3
0222fa78 102ce1ac msvcr80d!`string'
0222fa7c 0222fc08
0222fa80 0000ffff
0222fa84 0022f8b0
0222fa88 0022f8a0
0222fa8c 00000003
0222fa90 0222fbd4
0222fa94 020215fc oleaut32!DllMain+0x2c
0222fa98 02020000 oleaut32!_imp__RegFlushKey <PERF> (oleaut32+0x0)
0222fa9c 00000002
0222faa0 00000000
0222faa4 00000000
0222faa8 00000002
0222faac 0202162d oleaut32!DllMain+0x203
0222fab0 65440000
0222fab4 02020000 oleaut32!_imp__RegFlushKey <PERF> (oleaut32+0x0)
0222fab8 00000001
0222fabc 00726574
0222fac0 0222facc
0222fac4 7d627c2e ntdll!RtlDecodePointer
0222fac8 00000000
0222facc 65440000
0222fad0 00000000
0222fad4 00000000
0222fad8 00726574
0222fadc 00000005
0222fae0 00000000
0222fae4 1021af95 msvcr80d!_heap_alloc_dbg+0x375
0222fae8 002322f0
0222faec 00000000
0222faf0 01c40238
0222faf4 0222fa78
0222faf8 7efd7bf8
0222fafc 00000020
0222fb00 7d61f1f8 ntdll!_except_handler3
0222fb04 7d6275b8 ntdll!`string'+0xc
0222fb08 ffffffff
0222fb0c 7d6275b2 ntdll!LdrpGetProcedureAddress+0xb3
0222fb10 00000000
0222fb14 00000000
0222fb18 0222fb48
0222fb1c 00000000
0222fb20 01000000
0222fb24 00000001
0222fb28 0222fb50
0222fb2c 7d4dac3a kernel32!GetProcAddress+0x44
0222fb30 0222fb50
0222fb34 7d4dac4c kernel32!GetProcAddress+0x5c
0222fb38 0222fc08
0222fb3c 00000013
0222fb40 00000000
0222fb44 01c44f40
0222fb48 01c4015c
0222fb4c 00000098
0222fb50 01c44f40
0222fb54 01c44f48
0222fb58 01c40238
0222fb5c 10204f9f msvcr80d!_initptd+0x10f
0222fb60 00000098
0222fb64 00000000
0222fb68 01c40000
0222fb6c 0222f968
0222fb70 7d4c0000 kernel32!_imp__NtFsControlFile <PERF> (kernel32+0x0)
0222fb74 00000ca8
0222fb78 4b405064 msctf!g_timlist
0222fb7c 0222fbb8
0222fb80 4b3c384f msctf!CTimList::Leave+0x6
0222fb84 4b3c14d7 msctf!CTimList::IsThreadId+0x5a
0222fb88 00000ca8
0222fb8c 4b405064 msctf!g_timlist
0222fb90 4b3c0000 msctf!_imp__CheckTokenMembership <PERF> (msctf+0x0)
0222fb94 01c70000
0222fb98 00000000
0222fb9c 4b405064 msctf!g_timlist
0222fba0 0222fb88
0222fba4 7d4dfd40 kernel32!FlsSetValue+0xc7
0222fba8 0222fca0
0222fbac 4b401dbd msctf!_except_handler3
0222fbb0 4b3c14e0 msctf!`string'+0x78
0222fbb4 0222fbd4
0222fbb8 0022f8a0
0222fbbc 00000001
0222fbc0 00000000
0222fbc4 00000000
0222fbc8 0222fc80
0222fbcc 0022f8a0
0222fbd0 0000156f
0222fbd4 0222fbf4
0222fbd8 020215a4 oleaut32!_DllMainCRTStartup+0x52
0222fbdc 02020000 oleaut32!_imp__RegFlushKey <PERF> (oleaut32+0x0)
0222fbe0 00000002
0222fbe4 00000000
0222fbe8 00000000
0222fbec 0222fc08
0222fbf0 00000001
0222fbf4 0222fc14
0222fbf8 7d610024 ntdll!LdrpCallInitRoutine+0x14
0222fbfc 02020000 oleaut32!_imp__RegFlushKey <PERF> (oleaut32+0x0)
0222fc00 00000001
0222fc04 00000000
0222fc08 00000001
0222fc0c 00000000
0222fc10 0022f8a0
0222fc14 00000001
0222fc18 00000000
0222fc1c 0222fcb0
0222fc20 7d62822e ntdll!LdrpInitializeThread+0x1a5
0222fc24 7d6a0180 ntdll!LdrpLoaderLock
0222fc28 7d62821c ntdll!LdrpInitializeThread+0x18f
0222fc2c 00000000
0222fc30 7efde000
0222fc34 00000000
[...]
0222fc6c 00000070
0222fc70 ffffffff
0222fc74 ffffffff
0222fc78 7d6281c7 ntdll!LdrpInitializeThread+0xd8
0222fc7c 7d6280d6 ntdll!LdrpInitializeThread+0x12c
0222fc80 00000000
0222fc84 00000000
0222fc88 0022f8a0
0222fc8c 0202155c oleaut32!_DllMainCRTStartup
0222fc90 7efde000
0222fc94 7d6a01f4 ntdll!PebLdr+0x14
0222fc98 0222fc2c
0222fc9c 00000000
0222fca0 0222fcfc
0222fca4 7d61f1f8 ntdll!_except_handler3
0222fca8 7d628148 ntdll!`string'+0xac
0222fcac ffffffff
0222fcb0 7d62821c ntdll!LdrpInitializeThread+0x18f
0222fcb4 7d61e299 ntdll!ZwTestAlert+0x15
0222fcb8 7d628088 ntdll!_LdrpInitialize+0x1de
0222fcbc 0222fd20
0222fcc0 00000000
[...]
0222fcfc 0222ffec
0222fd00 7d61f1f8 ntdll!_except_handler3
0222fd04 7d628090 ntdll!`string'+0xfc
0222fd08 ffffffff
0222fd0c 7d628088 ntdll!_LdrpInitialize+0x1de
0222fd10 7d61ce0d ntdll!NtContinue+0x12
0222fd14 7d61e9b2 ntdll!KiUserApcDispatcher+0x3a
0222fd18 0222fd20
0222fd1c 00000001
0222fd20 0001002f
[...]
0222fdc8 00000000
0222fdcc 00000000
0222fdd0 00411032 NullThread!ILT+45(?ThreadProcYGKPAXZ)
0222fdd4 00000000
0222fdd8 7d4d1504 kernel32!BaseThreadStartThunk
0222fddc 00000023
0222fde0 00000202
[...]
0222ffb4 cccccccc
0222ffb8 0222ffec
0222ffbc 7d4dfe21 kernel32!BaseThreadStart+0x34
0222ffc0 00000000
0222ffc4 00000000
0222ffc8 00000000
0222ffcc 00000000
0222ffd0 00000000
0222ffd4 0222ffc4
0222ffd8 00000000
0222ffdc ffffffff
0222ffe0 7d4d89c4 kernel32!_except_handler3
0222ffe4 7d4dfe28 kernel32!`string'+0x18
0222ffe8 00000000
0222ffec 00000000
0222fff0 00000000
0222fff4 00411032 NullThread!ILT+45(?ThreadProcYGKPAXZ)
0222fff8 00000000
0222fffc 00000000
02230000 ????????
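The second, crashed thread has much more symbolic information in it, overwriting the previous thread startup residue. It is mostly exception handling residue, because exception handling consumes stack space, as explained in the post Who calls the postmortem debugger?. A symbol printed next to a value only means that the value falls inside a module's address range: for example, 00480043 at 0236a338 below is shown as advapi32!LsaGetQuotasForAccount+0x25 but sits in a run of UNICODE character values, so it is string data rather than a return address: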
0:003> dds 0236a000 02370000
0236a000 00000000
[...]
0236a060 00000000
0236a064 0236a074
0236a068 00220000
0236a06c 7d61f7b4 ntdll!RtlpAllocateFromHeapLookaside+0x13
0236a070 00221378
0236a074 0236a29c
0236a078 7d61f748 ntdll!RtlAllocateHeap+0x1dd
0236a07c 7d61f78c ntdll!RtlAllocateHeap+0xee7
0236a080 0236a5f4
0236a084 00000000
[...]
0236a1b4 0236a300
0236a1b8 0236a1dc
0236a1bc 7d624267 ntdll!RtlIsDosDeviceName_Ustr+0x2f
0236a1c0 0236a21c
0236a1c4 7d624274 ntdll!RtlpDosSlashCONDevice
0236a1c8 00000001
0236a1cc 0236a317
0236a1d0 00000000
0236a1d4 0236a324
0236a1d8 0236a290
0236a1dc 7d6248af ntdll!RtlGetFullPathName_Ustr+0x80b
0236a1e0 7d6a00e0 ntdll!FastPebLock
0236a1e4 7d62489d ntdll!RtlGetFullPathName_Ustr+0x15b
0236a1e8 0236a5f4
0236a1ec 00000208
[...]
0236a224 00000000
0236a228 00000038
0236a22c 02080038 oleaut32!_PictSaveMetaFile+0x33
0236a230 00000000
[...]
0236a27c 00000000
0236a280 0236a53c
0236a284 7d61f1f8 ntdll!_except_handler3
0236a288 7d6245f0 ntdll!`string'+0x5c
0236a28c ffffffff
0236a290 7d62489d ntdll!RtlGetFullPathName_Ustr+0x15b
0236a294 0236a5c8
0236a298 00000008
0236a29c 00000000
0236a2a0 0236a54c
0236a2a4 7d624bcf ntdll!RtlpDosPathNameToRelativeNtPathName_Ustr+0x3d8
0236a2a8 7d6a00e0 ntdll!FastPebLock
0236a2ac 7d624ba1 ntdll!RtlpDosPathNameToRelativeNtPathName_Ustr+0x3cb
0236a2b0 00000000
0236a2b4 0236e6d0
[...]
0236a2e0 000a0008
0236a2e4 7d624be8 ntdll!`string'
0236a2e8 00000000
0236a2ec 003a0038
[...]
0236a330 00650070
0236a334 0050005c
0236a338 00480043 advapi32!LsaGetQuotasForAccount+0x25
0236a33c 00610046
0236a340 006c0075
0236a344 00520074
0236a348 00700065
0236a34c 00780045
0236a350 00630065
0236a354 00690050
0236a358 00650070
0236a35c 00000000
0236a360 00000000
[..]
0236a4a0 0236a4b0
0236a4a4 00000001
0236a4a8 7d61f645 ntdll!RtlpFreeToHeapLookaside+0x22
0236a4ac 00230b98
0236a4b0 0236a590
0236a4b4 7d61f5d1 ntdll!RtlFreeHeap+0x20e
0236a4b8 00221378
0236a4bc 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236a4c0 00000000
0236a4c4 7d61f4ab ntdll!RtlFreeHeap
0236a4c8 00000000
0236a4cc 00000000
[...]
0236a538 00000000
0236a53c 0236a678
0236a540 7d61f1f8 ntdll!_except_handler3
0236a544 7d624ba8 ntdll!`string'+0x1c
0236a548 ffffffff
0236a54c 7d624ba1 ntdll!RtlpDosPathNameToRelativeNtPathName_Ustr+0x3cb
0236a550 7d624c43 ntdll!RtlpDosPathNameToRelativeNtPathName_U+0x55
0236a554 00000001
0236a558 0236a56c
[...]
0236a590 0236a5c0
0236a594 7d620304 ntdll!RtlNtStatusToDosError+0x38
0236a598 7d620309 ntdll!RtlNtStatusToDosError+0x3d
0236a59c 7d61c828 ntdll!ZwWaitForSingleObject+0x15
0236a5a0 7d4d8c82 kernel32!WaitForSingleObjectEx+0xac
0236a5a4 00000124
0236a5a8 00000000
0236a5ac 7d4d8ca7 kernel32!WaitForSingleObjectEx+0xdc
0236a5b0 00000124
0236a5b4 7d61f49c ntdll!RtlGetLastWin32Error
0236a5b8 80070000
0236a5bc 00000024
[...]
0236a5f8 00000000
0236a5fc 0236a678
0236a600 7d4d89c4 kernel32!_except_handler3
0236a604 7d4d8cb0 kernel32!`string'+0x68
0236a608 ffffffff
0236a60c 7d4d8ca7 kernel32!WaitForSingleObjectEx+0xdc
0236a610 7d4d8bf1 kernel32!WaitForSingleObject+0x12
0236a614 7d61f49c ntdll!RtlGetLastWin32Error
0236a618 7d61c92d ntdll!NtClose+0x12
0236a61c 7d4d8e4f kernel32!CloseHandle+0x59
0236a620 00000124
0236a624 0236a688
0236a628 69511753 <Unloaded_faultrep.dll>+0x11753
0236a62c 6951175b <Unloaded_faultrep.dll>+0x1175b
0236a630 0236c6d0
[...]
0236a668 00000120
0236a66c 00000000
0236a670 0236a630
0236a674 7d94a2e9 user32!GetSystemMetrics+0x62
0236a678 0236f920
0236a67c 69510078 <Unloaded_faultrep.dll>+0x10078
0236a680 69503d10 <Unloaded_faultrep.dll>+0x3d10
0236a684 ffffffff
0236a688 6951175b <Unloaded_faultrep.dll>+0x1175b
0236a68c 69506136 <Unloaded_faultrep.dll>+0x6136
0236a690 0236e6d0
0236a694 0236c6d0
0236a698 0000009c
0236a69c 0236a6d0
0236a6a0 00002000
0236a6a4 0236eae4
0236a6a8 695061ff <Unloaded_faultrep.dll>+0x61ff
0236a6ac 00000000
0236a6b0 00000001
0236a6b4 0236f742
0236a6b8 69506210 <Unloaded_faultrep.dll>+0x6210
0236a6bc 00000028
0236a6c0 0236c76c
[...]
0236e6e0 0050005c
0236e6e4 00480043 advapi32!LsaGetQuotasForAccount+0x25
0236e6e8 00610046
[...]
0236e718 002204d8
0236e71c 0236e890
0236e720 77b940bb <Unloaded_VERSION.dll>+0x40bb
0236e724 77b91798 <Unloaded_VERSION.dll>+0x1798
0236e728 ffffffff
0236e72c 77b9178e <Unloaded_VERSION.dll>+0x178e
0236e730 69512587 <Unloaded_faultrep.dll>+0x12587
0236e734 0236e744
0236e738 00220000
0236e73c 7d61f7b4 ntdll!RtlpAllocateFromHeapLookaside+0x13
0236e740 00221378
0236e744 0236e96c
0236e748 7d61f748 ntdll!RtlAllocateHeap+0x1dd
0236e74c 7d61f78c ntdll!RtlAllocateHeap+0xee7
0236e750 0236eca4
0236e754 00000000
0236e758 0236ec94
0236e75c 7d620309 ntdll!RtlNtStatusToDosError+0x3d
0236e760 0236e7c8
0236e764 7d61c9db ntdll!NtQueryValueKey
0236e768 0236e888
0236e76c 0236e760
0236e770 7d61c9ed ntdll!NtQueryValueKey+0x12
0236e774 0236f920
0236e778 7d61f1f8 ntdll!_except_handler3
0236e77c 7d620310 ntdll!RtlpRunTable+0x490
0236e780 0236e790
0236e784 00220000
0236e788 7d61f7b4 ntdll!RtlpAllocateFromHeapLookaside+0x13
0236e78c 00221378
0236e790 0236e9b8
0236e794 7d61f748 ntdll!RtlAllocateHeap+0x1dd
0236e798 7d61f78c ntdll!RtlAllocateHeap+0xee7
0236e79c 0236ef18
0236e7a0 00000000
0236e7a4 00000000
0236e7a8 00220000
0236e7ac 0236e89c
0236e7b0 00000000
0236e7b4 00000128
0236e7b8 00000000
0236e7bc 0236e8c8
0236e7c0 0236e7c8
0236e7c4 c0000034
0236e7c8 0236e814
0236e7cc 7d61f1f8 ntdll!_except_handler3
0236e7d0 7d61f5f0 ntdll!CheckHeapFillPattern+0x64
0236e7d4 ffffffff
0236e7d8 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236e7dc 7d4ded95 kernel32!FindClose+0x9b
0236e7e0 00220000
0236e7e4 00000000
0236e7e8 00220000
0236e7ec 00000000
0236e7f0 002314b4
0236e7f4 7d61ca1d ntdll!NtQueryInformationProcess+0x12
0236e7f8 7d4da465 kernel32!GetErrorMode+0x18
0236e7fc ffffffff
0236e800 0000000c
0236e804 7d61ca65 ntdll!ZwSetInformationProcess+0x12
0236e808 7d4da441 kernel32!SetErrorMode+0x37
0236e80c ffffffff
0236e810 0000000c
0236e814 0236e820
0236e818 00000004
0236e81c 00000000
0236e820 00000005
0236e824 0236eae8
0236e828 7d4e445f kernel32!GetLongPathNameW+0x38f
0236e82c 7d4e4472 kernel32!GetLongPathNameW+0x3a2
0236e830 00000001
0236e834 00000103
0236e838 00000000
0236e83c 0236f712
0236e840 7efaf000
0236e844 002316f0
0236e848 0000005c
0236e84c 7efaf000
0236e850 00000004
0236e854 002314b4
0236e858 0000ea13
0236e85c 0236e894
0236e860 00456b0d advapi32!RegQueryValueExW+0x96
0236e864 00000128
0236e868 0236e888
0236e86c 0236e8ac
0236e870 0236e8c8
0236e874 0236e8a4
0236e878 0236e89c
0236e87c 0236e88c
0236e880 7d635dc4 ntdll!iswdigit+0xf
0236e884 00000064
0236e888 00000004
0236e88c 7d624d81 ntdll!RtlpValidateCurrentDirectory+0xf6
0236e890 7d635d4e ntdll!RtlIsDosDeviceName_Ustr+0x1c0
0236e894 00000064
0236e898 0236e9d0
0236e89c 0236e9e7
0236e8a0 00000000
0236e8a4 0236e9f4
0236e8a8 0236e960
0236e8ac 7d6248af ntdll!RtlGetFullPathName_Ustr+0x80b
0236e8b0 7d6a00e0 ntdll!FastPebLock
0236e8b4 7d62489d ntdll!RtlGetFullPathName_Ustr+0x15b
0236e8b8 0236eca4
0236e8bc 00000208
0236e8c0 0236ec94
0236e8c4 00000000
0236e8c8 00220178
0236e8cc 00000004
0236e8d0 0236eb3c
0236e8d4 0236e8c8
0236e8d8 7d624d81 ntdll!RtlpValidateCurrentDirectory+0xf6
0236e8dc 0236e8f8
0236e8e0 7d6246c1 ntdll!RtlIsDosDeviceName_Ustr+0x14
0236e8e4 0236ea1c
0236e8e8 0236ea33
0236e8ec 00000000
0236e8f0 0236ea40
0236e8f4 0236e9ac
0236e8f8 7d6248af ntdll!RtlGetFullPathName_Ustr+0x80b
0236e8fc 7d6a00e0 ntdll!FastPebLock
0236e900 7d62489d ntdll!RtlGetFullPathName_Ustr+0x15b
0236e904 0236ef18
0236e908 00000208
[...]
0236e934 00000022
0236e938 00460044 advapi32!GetPerflibKeyValue+0x19e
0236e93c 0236ecd0
0236e940 00000000
0236e944 00000044
0236e948 02080044 oleaut32!_PictSaveMetaFile+0x3f
0236e94c 00000000
0236e950 4336ec0c
[...]
0236e9a8 0236ebd0
0236e9ac 7d62155b ntdll!RtlAllocateHeap+0x460
0236e9b0 7d61f78c ntdll!RtlAllocateHeap+0xee7
0236e9b4 00000000
0236e9b8 000003ee
0236e9bc 0236ed2c
0236e9c0 7d624bcf ntdll!RtlpDosPathNameToRelativeNtPathName_Ustr+0x3d8
0236e9c4 7d6a00e0 ntdll!FastPebLock
0236e9c8 00000ab0
0236e9cc 00000381
0236e9d0 00233950
0236e9d4 0236ebfc
0236e9d8 7d62155b ntdll!RtlAllocateHeap+0x460
0236e9dc 7d61f78c ntdll!RtlAllocateHeap+0xee7
0236e9e0 00000003
0236e9e4 fffffffc
0236e9e8 00000aa4
0236e9ec 00230ba0
0236e9f0 00000004
0236e9f4 003a0043
0236e9f8 00000000
0236e9fc 000a0008
0236ea00 7d624be8 ntdll!`string'
0236ea04 00000000
0236ea08 00460044 advapi32!GetPerflibKeyValue+0x19e
0236ea0c 0236ecd0
0236ea10 00233948
[...]
0236ea44 00220640
0236ea48 7d62273d ntdll!RtlIntegerToUnicode+0x126
0236ea4c 0000000c
[...]
0236eab4 0236f79c
0236eab8 7d61f1f8 ntdll!_except_handler3
0236eabc 7d622758 ntdll!RtlpIntegerWChars+0x54
0236eac0 00220178
0236eac4 0236ed3c
0236eac8 00000005
0236eacc 0236ed00
0236ead0 7d622660 ntdll!RtlConvertSidToUnicodeString+0x1cb
0236ead4 00220178
0236ead8 0236eaf0
0236eadc 0236eaec
0236eae0 00000001
0236eae4 7d61f645 ntdll!RtlpFreeToHeapLookaside+0x22
0236eae8 00223620
0236eaec 00220178
0236eaf0 7d61f5d1 ntdll!RtlFreeHeap+0x20e
0236eaf4 002217f8
0236eaf8 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236eafc 00000000
0236eb00 00220178
[...]
0236eb48 0236eb58
0236eb4c 7d635dc4 ntdll!iswdigit+0xf
0236eb50 00220178
0236eb54 00000381
0236eb58 002343f8
0236eb5c 0236eb78
0236eb60 7d620deb ntdll!RtlpCoalesceFreeBlocks+0x383
0236eb64 00000381
0236eb68 002343f8
0236eb6c 00220000
0236eb70 00233948
0236eb74 00220000
0236eb78 00000000
0236eb7c 00220000
0236eb80 0236ec60
0236eb84 7d620fbe ntdll!RtlFreeHeap+0x6b0
0236eb88 00220608
0236eb8c 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236eb90 000000e8
0236eb94 7d61cd23 ntdll!ZwWriteVirtualMemory
0236eb98 7efde000
0236eb9c 000000e8
0236eba0 00233948
0236eba4 7efde000
0236eba8 000002e8
0236ebac 0000005d
0236ebb0 00220178
0236ebb4 00000156
0236ebb8 0236e9b4
0236ebbc 00233948
0236ebc0 7d61f1f8 ntdll!_except_handler3
0236ebc4 00000ab0
0236ebc8 00233948
0236ebcc 00233950
0236ebd0 00220178
0236ebd4 00220000
0236ebd8 00000ab0
0236ebdc 00220178
0236ebe0 00000000
0236ebe4 00233950
0236ebe8 7d4ddea8 kernel32!`string'+0x50
0236ebec 00000000
0236ebf0 00233950
0236ebf4 00220178
0236ebf8 00000aa4
0236ebfc 00000000
0236ec00 0236ec54
0236ec04 7d63668a ntdll!RtlCreateProcessParameters+0x375
0236ec08 7d63668f ntdll!RtlCreateProcessParameters+0x37a
0236ec0c 7d6369e9 ntdll!RtlCreateProcessParameters+0x35f
0236ec10 00000000
[...]
0236ec4c 0000007f
0236ec50 0236ef4c
0236ec54 7d61f1f8 ntdll!_except_handler3
0236ec58 7d61f5f0 ntdll!CheckHeapFillPattern+0x64
0236ec5c ffffffff
0236ec60 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236ec64 7d6365e2 ntdll!RtlDestroyProcessParameters+0x1b
0236ec68 00220000
0236ec6c 00000000
0236ec70 00233950
0236ec74 0236ef5c
0236ec78 7d4ec4bc kernel32!BasePushProcessParameters+0x806
0236ec7c 00233950
0236ec80 7d4ec478 kernel32!BasePushProcessParameters+0x7c5
0236ec84 7efde000
0236ec88 0236f748
0236ec8c 00000000
0236ec90 0236ed92
0236ec94 00000000
0236ec98 00000000
0236ec9c 01060104
0236eca0 0236f814
0236eca4 0020001e
0236eca8 7d535b50 kernel32!`string'
0236ecac 00780076
0236ecb0 002314e0
0236ecb4 00780076
0236ecb8 0236ed2c
0236ecbc 00020000
0236ecc0 7d4ddee4 kernel32!`string'
0236ecc4 0236efec
[...]
0236ed3c 006d0061
0236ed40 00460020 advapi32!GetPerflibKeyValue+0x17a
0236ed44 006c0069
0236ed48 00730065
0236ed4c 00280020
0236ed50 00380078
0236ed54 00290036
0236ed58 0044005c advapi32!CryptDuplicateHash+0x3
0236ed5c 00620065
0236ed60 00670075
[...]
0236ee7c 0236ee8c
0236ee80 00000001
0236ee84 7d61f645 ntdll!RtlpFreeToHeapLookaside+0x22
0236ee88 00230dc0
0236ee8c 0236ef6c
0236ee90 0236eea0
0236ee94 00000001
0236ee98 7d61f645 ntdll!RtlpFreeToHeapLookaside+0x22
0236ee9c 00223908
0236eea0 0236ef80
0236eea4 7d61f5d1 ntdll!RtlFreeHeap+0x20e
0236eea8 00221d38
0236eeac 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236eeb0 7d61f4ab ntdll!RtlFreeHeap
0236eeb4 7d61c91b ntdll!NtClose
0236eeb8 00000000
[...]
0236ef08 00000000
0236ef0c 7d621954 ntdll!RtlImageNtHeaderEx+0xee
0236ef10 7efde000
0236ef14 00001000
0236ef18 00000000
0236ef1c 000000e8
0236ef20 004000e8 NullThread!_enc$textbss$begin <PERF> (NullThread+0xe8)
0236ef24 00000000
0236ef28 0236ef10
0236ef2c 00000000
0236ef30 0236f79c
0236ef34 7d61f1f8 ntdll!_except_handler3
0236ef38 7d621954 ntdll!RtlImageNtHeaderEx+0xee
0236ef3c 00220000
[...]
0236ef68 0236eeb0
0236ef6c 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236ef70 0236f79c
0236ef74 7d61f1f8 ntdll!_except_handler3
0236ef78 7d61f5f0 ntdll!CheckHeapFillPattern+0x64
0236ef7c ffffffff
0236ef80 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236ef84 7d4ea183 kernel32!CreateProcessInternalW+0x21f5
0236ef88 00220000
0236ef8c 00000000
0236ef90 00223910
0236ef94 7d4ebc0b kernel32!CreateProcessInternalW+0x1f26
0236ef98 00000000
0236ef9c 00000096
0236efa0 0236f814
0236efa4 00000103
0236efa8 7efde000
0236efac 00000001
0236efb0 0236effc
0236efb4 00000200
0236efb8 00000cb0
0236efbc 0236f00c
0236efc0 0236efdc
0236efc4 7d6256e8 ntdll!bsearch+0x42
0236efc8 00180144
0236efcc 0236efe0
0236efd0 7d625992 ntdll!ARRAY_FITS+0x29
0236efd4 00000a8c
0236efd8 00000000
0236efdc 00000000
0236efe0 00080000
0236efe4 00070000
0236efe8 00040000
0236efec 00000044
0236eff0 00000000
0236eff4 7d535b50 kernel32!`string'
0236eff8 00000000
0236effc 00000000
[...]
0236f070 00000001
0236f074 7d625ad8 ntdll!RtlFindActivationContextSectionString+0xe1
0236f078 004000e8 NullThread!_enc$textbss$begin <PERF> (NullThread+0xe8)
0236f07c 0236f0cc
0236f080 00000000
0236f084 7d6256e8 ntdll!bsearch+0x42
0236f088 00180144
0236f08c 0236f0a0
0236f090 7d625992 ntdll!ARRAY_FITS+0x29
0236f094 00000a8c
[...]
0236f0d0 0236f120
0236f0d4 7d625b62 ntdll!RtlpFindUnicodeStringInSection+0x7b
0236f0d8 0236f204
0236f0dc 00000020
[...]
0236f190 000002a8
0236f194 7d625b62 ntdll!RtlpFindUnicodeStringInSection+0x7b
0236f198 00000001
0236f19c 00000000
0236f1a0 0236f1d0
0236f1a4 7d6257f1 ntdll!RtlpFindNextActivationContextSection+0x64
0236f1a8 00181f1c
[...]
0236f1f0 7efaf000
0236f1f4 7d625ad8 ntdll!RtlFindActivationContextSectionString+0xe1
0236f1f8 0236f214
0236f1fc 0236f24c
0236f200 00000000
0236f204 7d6256e8 ntdll!bsearch+0x42
0236f208 00180144
[...]
0236f24c 00000200
0236f250 00000734
0236f254 7d625b62 ntdll!RtlpFindUnicodeStringInSection+0x7b
0236f258 0236f384
[...]
0236f3f0 00000000
0236f3f4 00000000
0236f3f8 01034236
0236f3fc 00000000
0236f400 7d4d1510 kernel32!BaseProcessStartThunk
0236f404 00000018
0236f408 00003000
[...]
0236f62c 0236f63c
0236f630 00000001
0236f634 7d61f645 ntdll!RtlpFreeToHeapLookaside+0x22
0236f638 00231088
0236f63c 0236f71c
[...]
0236f70c 002333b8
0236f710 0236f720
0236f714 00000001
0236f718 7d61f645 ntdll!RtlpFreeToHeapLookaside+0x22
0236f71c 00228fb0
0236f720 0236f800
0236f724 7d61f5d1 ntdll!RtlFreeHeap+0x20e
0236f728 00221318
0236f72c 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236f730 00000000
0236f734 00000096
0236f738 0236f814
0236f73c 00220608
0236f740 7d61f5ed ntdll!RtlFreeHeap+0x70f
0236f744 0236f904
0236f748 008e0000
0236f74c 002334c2
[...]
0236f784 0236f7bc
0236f788 7d63d275 ntdll!_vsnwprintf+0x30
0236f78c 0236f79c
0236f790 0000f949
0236f794 0236ef98
0236f798 00000095
0236f79c 0236fb7c
0236f7a0 7d4d89c4 kernel32!_except_handler3
0236f7a4 7d4ed1d0 kernel32!`string'+0xc
0236f7a8 ffffffff
0236f7ac 7d4ebc0b kernel32!CreateProcessInternalW+0x1f26
0236f7b0 7d4d14a2 kernel32!CreateProcessW+0x2c
0236f7b4 00000000
[...]
0236f7f0 0236fb7c
0236f7f4 7d61f1f8 ntdll!_except_handler3
0236f7f8 7d61d051 ntdll!NtWaitForMultipleObjects+0x15
0236f7fc 7d61c92d ntdll!NtClose+0x12
0236f800 7d4d8e4f kernel32!CloseHandle+0x59
0236f804 00000108
0236f808 0236fb8c
0236f80c 7d535b07 kernel32!UnhandledExceptionFilter+0x815
0236f810 00000108
0236f814 00430022 advapi32!_imp__OutputDebugStringW <PERF> (advapi32+0x22)
0236f818 005c003a
0236f81c 00720050
[...]
0236f8ec 0055005c
0236f8f0 00650073
0236f8f4 00440072 advapi32!CryptDuplicateHash+0x19
0236f8f8 006d0075
0236f8fc 00730070
0236f900 006e005c
0236f904 00770065
0236f908 0064002e
0236f90c 0070006d
0236f910 0020003b
0236f914 00220071
0236f918 00000000
0236f91c 00000096
0236f920 7d4dda47 kernel32!DuplicateHandle+0xd0
0236f924 7d4dda47 kernel32!DuplicateHandle+0xd0
0236f928 0236fb8c
0236f92c 7d5358cb kernel32!UnhandledExceptionFilter+0x5f1
0236f930 0236f9f0
0236f934 00000001
0236f938 00000000
0236f93c 7d535b43 kernel32!UnhandledExceptionFilter+0x851
0236f940 00000000
0236f944 00000000
0236f948 00000000
0236f94c 0236f95c
0236f950 00000098
0236f954 000001a2
0236f958 01c423b0
0236f95c 0236fb84
0236f960 7d62155b ntdll!RtlAllocateHeap+0x460
0236f964 7d61f78c ntdll!RtlAllocateHeap+0xee7
0236f968 00000000
0236f96c 0000008c
0236f970 00000000
0236f974 7d4d8472 kernel32!$$VProc_ImageExportDirectory+0x6d4e
0236f978 0236fa1c
0236f97c 00000044
0236f980 00000000
0236f984 7d535b50 kernel32!`string'
0236f988 00000000
0236f98c 00000000
0236f990 00000000
0236f994 00000000
0236f998 00000000
0236f99c 00000000
0236f9a0 00000000
0236f9a4 00000000
0236f9a8 00000000
0236f9ac 00000000
0236f9b0 00000000
0236f9b4 00000000
0236f9b8 00000000
0236f9bc 00000000
0236f9c0 0010000e
0236f9c4 7ffe0030 SharedUserData+0x30
0236f9c8 000000e8
0236f9cc 00000108
0236f9d0 00000200
0236f9d4 00000734
0236f9d8 00000018
0236f9dc 00000000
0236f9e0 7d5621d0 kernel32!ProgramFilesEnvironment+0x74
0236f9e4 00000040
0236f9e8 00000000
0236f9ec 00000000
0236f9f0 0000000c
0236f9f4 00000000
0236f9f8 00000001
0236f9fc 00000118
0236fa00 000000e8
0236fa04 c0000005
0236fa08 00000000
0236fa0c 00000008
0236fa10 00000000
0236fa14 00000110
0236fa18 0236f814
0236fa1c 6950878a <Unloaded_faultrep.dll>+0x878a
0236fa20 00120010
0236fa24 7d51c5e4 kernel32!`string'
0236fa28 00000003
0236fa2c 05bc0047
[...]
0236fa74 0057005c
0236fa78 004b0032 advapi32!szPerflibSectionName <PERF> (advapi32+0x80032)
0236fa7c 005c0033
0236fa80 00790073
[...]
0236fac8 0000002b
0236facc 00000000
0236fad0 7d61e3e6 ntdll!ZwWow64CsrNewThread+0x12
0236fad4 00000000
[...]
0236fb44 00000000
0236fb48 00000000
0236fb4c 7d61cb0d ntdll!ZwQueryVirtualMemory+0x12
0236fb50 7d54eeb8 kernel32!_ValidateEH3RN+0xb6
0236fb54 ffffffff
0236fb58 7d4dfe28 kernel32!`string'+0x18
0236fb5c 00000000
0236fb60 0236fb78
0236fb64 0000001c
0236fb68 0000000f
0236fb6c 7d4dfe28 kernel32!`string'+0x18
0236fb70 0000f949
0236fb74 0236f814
0236fb78 7d4df000 kernel32!CheckForSameCurdir+0x39
0236fb7c 0236fbd4
0236fb80 7d4d89c4 kernel32!_except_handler3
0236fb84 7d535be0 kernel32!`string'+0xc
0236fb88 ffffffff
0236fb8c 7d535b43 kernel32!UnhandledExceptionFilter+0x851
0236fb90 7d508f4e kernel32!BaseThreadStart+0x4a
0236fb94 0236fbb4
0236fb98 7d4d8a25 kernel32!_except_handler3+0x61
0236fb9c 0236fbbc
0236fba0 00000000
0236fba4 0236fbbc
0236fba8 00000000
0236fbac 00000000
0236fbb0 00000000
0236fbb4 0236fca0
0236fbb8 0236fcf0
0236fbbc 0236fbe0
0236fbc0 7d61ec2a ntdll!ExecuteHandler2+0x26
0236fbc4 0236fca0
0236fbc8 0236ffdc
0236fbcc 0236fcf0
0236fbd0 0236fc7c
0236fbd4 0236ffdc
0236fbd8 7d61ec3e ntdll!ExecuteHandler2+0x3a
0236fbdc 0236ffdc
0236fbe0 0236fc88
0236fbe4 7d61ebfb ntdll!ExecuteHandler+0x24
0236fbe8 0236fca0
0236fbec 0236ffdc
0236fbf0 00000000
0236fbf4 0236fc7c
0236fbf8 7d4d89c4 kernel32!_except_handler3
0236fbfc 00000000
0236fc00 0036fca0
0236fc04 0236fc18
0236fc08 7d640ca6 ntdll!RtlCallVectoredContinueHandlers+0x15
0236fc0c 0236fca0
0236fc10 0236fcf0
0236fc14 7d6a0608 ntdll!RtlpCallbackEntryList
0236fc18 0236fc88
0236fc1c 7d6354c9 ntdll!RtlDispatchException+0x11f
0236fc20 0236fca0
0236fc24 0236fcf0
0236fc28 00000000
0236fc2c 00000000
[...]
0236fc88 0236ffec
0236fc8c 7d61dd26 ntdll!NtRaiseException+0x12
0236fc90 7d61ea51 ntdll!KiUserExceptionDispatcher+0x29
0236fc94 0236fca0
0236fc98 0236fcf0
0236fc9c 00000000
0236fca0 c0000005
0236fca4 00000000
0236fca8 00000000
0236fcac 00000000
0236fcb0 00000002
0236fcb4 00000008
0236fcb8 00000000
0236fcbc 00000000
0236fcc0 00000000
0236fcc4 6b021fa0
0236fcc8 78b83980
0236fccc 00000000
0236fcd0 00000000
0236fcd4 00000000
0236fcd8 7efad000
0236fcdc 023afd00
0236fce0 023af110
0236fce4 78b83980
0236fce8 010402e1
0236fcec 00000000
0236fcf0 0001003f
0236fcf4 00000000
0236fcf8 00000000
0236fcfc 00000000
0236fd00 00000000
0236fd04 00000000
0236fd08 00000000
0236fd0c 0000027f
0236fd10 00000000
0236fd14 0000ffff
0236fd18 00000000
0236fd1c 00000000
0236fd20 00000000
0236fd24 00000000
0236fd28 00000000
0236fd2c 00000000
0236fd30 00000000
0236fd34 00000000
0236fd38 00000000
0236fd3c 00000000
0236fd40 00000000
0236fd44 00000000
0236fd48 00000000
0236fd4c 00000000
0236fd50 00000000
0236fd54 00000000
0236fd58 00000000
0236fd5c 00000000
0236fd60 00000000
0236fd64 00000000
0236fd68 00000000
0236fd6c 00000000
0236fd70 00000000
0236fd74 00000000
0236fd78 00000000
0236fd7c 0000002b
0236fd80 00000053
0236fd84 0000002b
0236fd88 0000002b
0236fd8c 00000000
0236fd90 00000000
0236fd94 00000000
0236fd98 00000000
0236fd9c 47f30000
0236fda0 00000000
0236fda4 0236ffec
0236fda8 00000000
0236fdac 00000023
0236fdb0 00010246
0236fdb4 0236ffbc
0236fdb8 0000002b
0236fdbc 0000027f
0236fdc0 00000000
0236fdc4 00000000
0236fdc8 00000000
0236fdcc 00000000
0236fdd0 00000000
0236fdd4 00001f80
0236fdd8 00000000
0236fddc 00000000
[...]
0236ffb4 00000000
0236ffb8 00000000
0236ffbc 7d4dfe21 kernel32!BaseThreadStart+0x34
0236ffc0 00000000
0236ffc4 00000000
0236ffc8 00000000
0236ffcc 00000000
0236ffd0 c0000005
0236ffd4 0236ffc4
0236ffd8 0236fbb4
0236ffdc ffffffff
0236ffe0 7d4d89c4 kernel32!_except_handler3
0236ffe4 7d4dfe28 kernel32!`string'+0x18
0236ffe8 00000000
0236ffec 00000000
0236fff0 00000000
0236fff4 00000000
0236fff8 00000000
0236fffc 00000000
02370000 ????????
- Dmitry Vostokov @ DumpAnalysis.org -