Crash Dump Analysis Patterns (Part 16b)

I’ve just found that, although I covered Stack Overflow in kernel mode, I didn’t do this for user mode. In fact, this is one of the simplest patterns to see in crash dumps. It has its own characteristic exception code and stack trace:

FAULTING_IP:
StackOverflow!SoFunction+27
00401317 6a00            push    0

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00401300 (StackOverflow!SoFunction+0x00000010)
   ExceptionCode: c00000fd (Stack overflow)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00082ffc

0:000> kL
ChildEBP RetAddr 
00083000 00401317 StackOverflow!SoFunction+0x10
00083010 00401317 StackOverflow!SoFunction+0x27
00083020 00401317 StackOverflow!SoFunction+0x27
00083030 00401317 StackOverflow!SoFunction+0x27
00083040 00401317 StackOverflow!SoFunction+0x27
00083050 00401317 StackOverflow!SoFunction+0x27
00083060 00401317 StackOverflow!SoFunction+0x27
00083070 00401317 StackOverflow!SoFunction+0x27
00083080 00401317 StackOverflow!SoFunction+0x27
00083090 00401317 StackOverflow!SoFunction+0x27
000830a0 00401317 StackOverflow!SoFunction+0x27
000830b0 00401317 StackOverflow!SoFunction+0x27
000830c0 00401317 StackOverflow!SoFunction+0x27
000830d0 00401317 StackOverflow!SoFunction+0x27
000830e0 00401317 StackOverflow!SoFunction+0x27
000830f0 00401317 StackOverflow!SoFunction+0x27
00083100 00401317 StackOverflow!SoFunction+0x27
00083110 00401317 StackOverflow!SoFunction+0x27
00083120 00401317 StackOverflow!SoFunction+0x27
00083130 00401317 StackOverflow!SoFunction+0x27

There could be thousands of stack frames:

0:000> kL 2000
[...]
000a2fa0 00401317 StackOverflow!SoFunction+0x27
000a2fb0 00401317 StackOverflow!SoFunction+0x27
000a2fc0 00401317 StackOverflow!SoFunction+0x27
000a2fd0 00401317 StackOverflow!SoFunction+0x27
000a2fe0 00401317 StackOverflow!SoFunction+0x27
000a2ff0 00401317 StackOverflow!SoFunction+0x27

To reach the bottom without scrolling through all of them, we can dump the raw stack data, search for the end of the repeating pattern of StackOverflow!SoFunction+0x27 and manually reconstruct the bottom of the stack trace:

0:000> !teb
TEB at 7efdd000
    ExceptionList:        0017fdf0
    StackBase:            00180000
    StackLimit:           00081000

    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7efdd000
    EnvironmentPointer:   00000000
    ClientId:             00001dc4 . 00001b74
    RpcHandle:            00000000
    Tls Storage:          7efdd02c
    PEB Address:          7efde000
    LastErrorValue:       0
    LastStatusValue:      c0000034
    Count Owned Locks:    0
    HardErrorMode:        0

0:000> dds 00081000 00180000
[...]
0017fc74  00401317 StackOverflow!SoFunction+0x27
0017fc78  00000000
0017fc7c  a3a8ea65
0017fc80  0017fc90
0017fc84  00401317 StackOverflow!SoFunction+0x27
0017fc88  10001843
0017fc8c  a3a8ea95
0017fc90  0017fca0
0017fc94  00401317 StackOverflow!SoFunction+0x27
0017fc98  0017fcb8
0017fc9c  a3a8ea85
0017fca0  0017fcb0
0017fca4  00401317 StackOverflow!SoFunction+0x27
0017fca8  00000003
0017fcac  a3a8eab5
0017fcb0  0017fcc0
0017fcb4  00401317 StackOverflow!SoFunction+0x27
0017fcb8  76c68738 user32!_EndUserApiHook+0x11
0017fcbc  a3a8eaa5
0017fcc0  0017fcd0
0017fcc4  00401317 StackOverflow!SoFunction+0x27
0017fcc8  76c6a6cc user32!DefWindowProcW+0x94
0017fccc  a3a8ead5
0017fcd0  0017fce0
0017fcd4  00401317 StackOverflow!SoFunction+0x27
0017fcd8  0037311e
0017fcdc  a3a8eac5
0017fce0  0017fcf0
0017fce4  00401317 StackOverflow!SoFunction+0x27
0017fce8  0017fcd0
0017fcec  a3a8eaf5
0017fcf0  0017fd00
0017fcf4  00401317 StackOverflow!SoFunction+0x27
0017fcf8  76c6ad0f user32!NtUserBeginPaint+0x15
0017fcfc  a3a8eae5
0017fd00  0017fd5c
0017fd04  00401272 StackOverflow!WndProc+0xe2
0017fd08  00401190 StackOverflow!WndProc
0017fd0c  00000003
0017fd10  cf017ada
[…]

We use the extended version of the WinDbg k command and supply EBP, ESP and EIP to see in which function the recursion started:

0:000> r
eax=a3b739e5 ebx=00000000 ecx=ac430000 edx=ffefd944 esi=0037311e edi=00000000
eip=00401300 esp=00082ff8 ebp=00083000 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
StackOverflow!SoFunction+0x10:
00401300 89442404        mov     dword ptr [esp+4],eax ss:002b:00082ffc=00000000

0:000> k L=0017fcf0 00082ff8 00401300
ChildEBP RetAddr 
0017fcb0 00401317 StackOverflow!SoFunction+0x10
0017fd00 00401272 StackOverflow!SoFunction+0x27
0017fd5c 76c687af StackOverflow!WndProc+0xe2
0017fd88 76c68936 user32!InternalCallWinProc+0x23
0017fe00 76c6a571 user32!UserCallWinProcCheckWow+0x109
0017fe5c 76c6a5dd user32!DispatchClientMessage+0xe0
0017fe98 77ccee2e user32!__fnDWORD+0x2b
0017fedc 0040107d ntdll!KiUserCallbackDispatcher+0x2e
0017ff08 0040151e StackOverflow!wWinMain+0x7d
00402ba0 20245c8b StackOverflow!__tmainCRTStartup+0x176
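
The manual search through the raw stack described above can be scripted over a saved dds listing. This is an added example, not code from the original post: it assumes 32-bit x86 frames with the saved EBP stored directly below the return address, and the names parse_dds, recursion_bottom and k_command, as well as the constructed sample, are illustrative.

```python
import re
from collections import Counter

# Constructed sample: tail of a `dds <StackLimit> <StackBase>` listing,
# modelled on the output shown in this post.
SAMPLE_DDS = """\
0017fce0  0017fcf0
0017fce4  00401317 StackOverflow!SoFunction+0x27
0017fce8  0017fcd0
0017fcec  a3a8eaf5
0017fcf0  0017fd00
0017fcf4  00401317 StackOverflow!SoFunction+0x27
0017fcf8  76c6ad0f user32!NtUserBeginPaint+0x15
0017fcfc  a3a8eae5
0017fd00  0017fd5c
0017fd04  00401272 StackOverflow!WndProc+0xe2
0017fd08  00401190 StackOverflow!WndProc
"""

LINE = re.compile(r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S.*))?$", re.I)

def parse_dds(text):
    """Return {slot_address: (value, symbol_or_None)} for 32-bit dds lines."""
    slots = {}
    for line in text.splitlines():
        # Pasted logs sometimes carry a typographic multiplication sign in "0x".
        m = LINE.match(line.replace("\u00d7", "x"))
        if m:
            slots[int(m.group(1), 16)] = (int(m.group(2), 16), m.group(3))
    return slots

def recursion_bottom(slots):
    """Locate the oldest frame of the repeating function and its real caller."""
    counts = Counter(sym for _, sym in slots.values() if sym)
    repeated, _ = counts.most_common(1)[0]
    # Highest slot holding the repeated return address = oldest recursive call.
    ret_slot = max(a for a, (_, s) in slots.items() if s == repeated)
    frame_ebp = ret_slot - 4                      # saved-EBP slot just below it
    parent_ebp = slots.get(frame_ebp, (None, None))[0]
    caller = None
    if parent_ebp is not None:
        # Follow the EBP chain one step; stale symbols in between are skipped.
        caller = slots.get(parent_ebp + 4, (None, None))[1]
    return repeated, frame_ebp, caller

def k_command(frame_ebp, esp, eip):
    """Build the extended `k L=` command with ESP and EIP from `r`."""
    return f"k L={frame_ebp:08x} {esp:08x} {eip:08x}"
```

Following the saved EBP rather than taking the next symbol in the listing matters here: the slot right after the last repeated return address holds a leftover user32!NtUserBeginPaint value, not the caller.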

- Dmitry Vostokov @ DumpAnalysis.org -

4 Responses to “Crash Dump Analysis Patterns (Part 16b)”

  1. Crash Dump Analysis » Blog Archive » WOW64 process, NULL data pointer, stack overflow, main thread, incorrect stack trace, nested exceptions, hidden exception, manual dump, multiple exceptions and virtualized system: pattern cooperation Says:

    […] looks like a stack overflow. Usually it manifests via a PUSH instruction or a data access violation when ESP/RSP < […]

  2. Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 32) Says:

    […] we introduce an icon for Stack Overflow (user mode) […]

  3. Crash Dump Analysis » Blog Archive » Incorrect stack trace, stack overflow, early crash dump, nested exception, problem exception handler and same vendor: pattern cooperation Says:

    […] The default analysis command detected stack overflow pattern:  […]

  4. sergmat Says:

    void func1(void);
    void __cdecl main(void)
    {
    func1();
    }
    void func1(void)
    {
    func1();
    }

    0:000> .lastevent
    Last event: d0c.e94: Stack overflow - code c00000fd (first chance)

    0:000> k L50
    ChildEBP RetAddr
    00103000 002a18e8 test!func1+0x3
    00103008 002a18e8 test!func1+0x8
    00103010 002a18e8 test!func1+0x8
    00103018 002a18e8 test!func1+0x8

    0:000> !teb
    TEB at 7ffdf000
    ExceptionList: 001ffa1c
    StackBase: 00200000
    StackLimit: 00101000

    0:000> dds 101000 200000
    …[ebp][ret addr].. minframe…
    001ff9d4 002a18e8 test!func1+0x8
    001ff9d8 001ff9e0
    001ff9dc 002a18e8 test!func1+0x8
    001ff9e0 001ff9e8
    001ff9e4 002a18f8 test!main+0x8
    001ff9e8 001ffa2c
    001ff9ec 002a1174 test!__tmainCRTStartup+0x122
    001ff9f0 00000001
    001ff9f4 00651388
    001ff9f8 00651928
    001ff9fc bc2792b1
    001ffa00 00000000
    001ffa04 00000000
    001ffa08 7ffdc000
    001ffa0c 00000000
    001ffa10 00000000
    001ffa14 001ff9fc
    001ffa18 b33a09b6
    001ffa1c 001ffa68
    001ffa20 002a1619 test!_except_handler4
    001ffa24 bc124925
    001ffa28 00000000
    001ffa2c 001ffa38
    001ffa30 75911194 kernel32!BaseThreadInitThunk+0xe
    001ffa34 7ffdc000
    001ffa38 001ffa78
    001ffa3c 7747b495 ntdll!__RtlUserThreadStart+0x70
    001ffa40 7ffdc000
    001ffa44 774f7154 ntdll!RtlpSecMemListHead
    001ffa48 00000000
    001ffa4c 00000000
    001ffa50 7ffdc000
    001ffa54 00000000
    001ffa58 00000000
    001ffa5c 00000000
    001ffa60 001ffa44
    001ffa64 00000000
    001ffa68 ffffffff
    001ffa6c 7743d75d ntdll!_except_handler4
    001ffa70 00178d24
    001ffa74 00000000
    001ffa78 001ffa90
    001ffa7c 7747b468 ntdll!_RtlUserThreadStart+0x1b
    001ffa80 002a12dc test!mainCRTStartup
    001ffa84 7ffdc000
    001ffa88 00000000
    001ffa8c 00000000
    001ffa90 00000000
    001ffa94 00000000
    001ffa98 002a12dc test!mainCRTStartup

    0:000> r
    eax=00651928 ebx=00000000 ecx=6ca33714 edx=00000000 esi=00000001 edi=002a3378
    eip=002a18e3 esp=00103000 ebp=00103000 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
    test!func1+0x3:
    002a18e3 e8f8ffffff call test!func1 (002a18e0)

    0:000> k 1ff9d8 103000 2a18e3
    Requested number of stack frames (0x1ff9d8) is too large! The maximum number is 0xffff.
    ^ Range error in 'k 1ff9d8 103000 2a18e3'

    0:000> :)

    0:000> k L=1ff9d8 103000 2a18e3
    ChildEBP RetAddr
    001ff9d8 002a18e8 test!func1+0x3
    001ff9e0 002a18f8 test!func1+0x8
    001ff9e8 002a1174 test!main+0x8
    001ffa2c 75911194 test!__tmainCRTStartup+0x122
    001ffa38 7747b495 kernel32!BaseThreadInitThunk+0xe
    001ffa78 7747b468 ntdll!__RtlUserThreadStart+0x70
    001ffa90 00000000 ntdll!_RtlUserThreadStart+0x1b
    ….
