Crash Dump Analysis Patterns (Part 128)

Similar to the Message Box and String Parameter patterns, we also have the Dialog Box pattern (I’m grateful to Etienne Jeanneau for this suggestion), where we can see the dialog window caption and contents when we examine function parameters (I guess this information comes from the dialog box template). In the examples below we know the dialog purpose from the friendly function names on the call stack. For many 3rd-party applications, however, we either don’t have symbols or there are no such helper functions, yet we still want to know what was on the screen when screenshots were not collected.

The first 2 examples are from notepad and the 3rd is from IE:

0:000> kv
ChildEBP RetAddr  Args to Child             
0017f5c4 777b073f 777c3c9f 000d023c 00000001 ntdll!KiFastSystemCallRet
0017f5c8 777c3c9f 000d023c 00000001 00000000 user32!NtUserWaitMessage+0xc
0017f5fc 777c2dc0 00310778 000d023c 00000001 user32!DialogBox2+0x202
0017f624 777c2eec 76460000 02a6bc60 000d023c user32!InternalDialogBox+0xd0
0017f644 76489a65 76460000 02a6bc60 000d023c user32!DialogBoxIndirectParamAorW+0x37
0017f680 76489ccf 0017f68c 00000001 0017f6d4 comdlg32!ChooseFontX+0x1ba
0017f6bc 006741c7 0017f6d4 00000111 00000000 comdlg32!ChooseFontW+0x2e
0017f734 0067164a 000d023c 00000021 00000000 notepad!NPCommand+0x4c7
0017f758 777afd72 000d023c 00000111 00000021 notepad!NPWndProc+0x4cf
0017f784 777afe4a 0067146c 000d023c 00000111 user32!InternalCallWinProc+0x23
0017f7fc 777b018d 00000000 0067146c 000d023c user32!UserCallWinProcCheckWow+0x14b
0017f860 777b022b 0067146c 00000000 0017f8a4 user32!DispatchMessageWorker+0x322
0017f870 00671465 0017f888 00000000 0067a21c user32!DispatchMessageW+0xf
0017f8a4 0067195d 00670000 00000000 00231cfa notepad!WinMain+0xe3
0017f934 7652d0e9 7ffd9000 0017f980 77b019bb notepad!_initterm_e+0x1a1
0017f940 77b019bb 7ffd9000 78f7b908 00000000 kernel32!BaseThreadInitThunk+0xe
0017f980 77b0198e 006731ed 7ffd9000 00000000 ntdll!__RtlUserThreadStart+0x23
0017f998 00000000 006731ed 7ffd9000 00000000 ntdll!_RtlUserThreadStart+0x1b

0:000> dc 02a6bc60 l50
02a6bc60  80c800c4 00000000 000d0014 011f0036  ............6...
02a6bc70  000000c4 00460000 006e006f 00000074  ......F.o.n.t...
02a6bc80  004d0008 00200053 00680053 006c0065  ..M.S. .S.h.e.l.
02a6bc90  0020006c 006c0044 00000067 50020000  l. .D.l.g......P
02a6bca0  00000000 00070007 00090028 ffff0440  ........(...@...
02a6bcb0  00260082 006f0046 0074006e 0000003a  ..&.F.o.n.t.:...
02a6bcc0  00000000 50210b51 00000000 00100007  ....Q.!P........
02a6bcd0  004c0062 ffff0470 00000085 00000000  b.L.p...........
02a6bce0  50020000 00000000 0007006e 0009002c  ...P....n...,...
02a6bcf0  ffff0441 00460082 006e006f 00200074  A.....F.o.n.t. .
02a6bd00  00740073 00790026 0065006c 0000003a  s.t.&.y.l.e.:...
02a6bd10  00000000 50210041 00000000 0010006e  ....A.!P....n...
02a6bd20  004c004a ffff0471 00000085 00000000  J.L.q...........
02a6bd30  50020000 00000000 000700bd 0009001e  ...P............
02a6bd40  ffff0442 00260082 00690053 0065007a  B.....&.S.i.z.e.
02a6bd50  0000003a 00000000 50210b51 00000000  :.......Q.!P....
02a6bd60  001000be 004c0024 ffff0472 00000085  ....$.L.r.......
02a6bd70  00000000 50020007 00000000 00610007  .......P......a.
02a6bd80  00480062 ffff0430 00450080 00660066  b.H.0.....E.f.f.
02a6bd90  00630065 00730074 00000000 50010003  e.c.t.s........P

0:000> kv
ChildEBP RetAddr  Args to Child             
0017f5a8 777b073f 777c3c9f 000d023c 00000001 ntdll!KiFastSystemCallRet
0017f5ac 777c3c9f 000d023c 00000001 00000000 user32!NtUserWaitMessage+0xc
0017f5e0 777c2dc0 0044034a 000d023c 00000001 user32!DialogBox2+0x202
0017f608 777c2eec 768a0000 029030bc000d023c user32!InternalDialogBox+0xd0
0017f628 777c10ef 768a0000 029030bc 000d023c user32!DialogBoxIndirectParamAorW+0×37
0017f64c 7695d877 768a0000 00003810 000d023c user32!DialogBoxParamW+0×3f
0017f670 76a744dc 768a0000 00003810 000d023c shell32!SHFusionDialogBoxParam+0×32
0017f6b0 00674416 000d023c 002530dc 00672fc4 shell32!ShellAboutW+0×4d
0017f734 0067164a 000d023c 00000041 00000000 notepad!NPCommand+0×718
0017f758 777afd72 000d023c 00000111 00000041 notepad!NPWndProc+0×4cf
0017f784 777afe4a 0067146c 000d023c 00000111 user32!InternalCallWinProc+0×23
0017f7fc 777b018d 00000000 0067146c 000d023c user32!UserCallWinProcCheckWow+0×14b
0017f860 777b022b 0067146c 00000000 0017f8a4 user32!DispatchMessageWorker+0×322
0017f870 00671465 0017f888 00000000 0067a21c user32!DispatchMessageW+0xf
0017f8a4 0067195d 00670000 00000000 00231cfa notepad!WinMain+0xe3
0017f934 7652d0e9 7ffd9000 0017f980 77b019bb notepad!_initterm_e+0×1a1
0017f940 77b019bb 7ffd9000 78f7b908 00000000 kernel32!BaseThreadInitThunk+0xe
0017f980 77b0198e 006731ed 7ffd9000 00000000 ntdll!__RtlUserThreadStart+0×23
0017f998 00000000 006731ed 7ffd9000 00000000 ntdll!_RtlUserThreadStart+0×1b

0:000> dc 029030bc l50
029030bc  ffff0001 00000000 00000000 80c800cc  ................
029030cc  0014000c 01130014 000000ee 00410000  ..............A.
029030dc  006f0062 00740075 00250020 00000073  b.o.u.t. .%.s...
029030ec  00000008 004d0000 00200053 00680053  ......M.S. .S.h.
029030fc  006c0065 0020006c 006c0044 00000067  e.l.l. .D.l.g...
0290310c  00000000 00000000 50000043 00370007  ........C..P..7.
0290311c  00140015 00003009 0082ffff 0000ffff  .....0..........
0290312c  00000000 00000000 00000000 5000008c  ...............P
0290313c  00370023 000a00c8 00003500 0082ffff  #.7......5......
0290314c  00000000 00000000 00000000 5000008c  ...............P
0290315c  00410023 000a00eb 0000350b 0082ffff  #.A......5......
0290316c  00000000 00000000 00000000 50000080  ...............P
0290317c  004b0023 000a00d2 0000350a 0082ffff  #.K......5......
0290318c  00000000 00000000 00000000 50000080  ...............P
0290319c  00550023 002800d2 00003513 0082ffff  #.U...(..5......
029031ac  00680054 00200065 00570025 004e0049  T.h.e. .%.W.I.N.
029031bc  004f0044 00530057 004c005f 004e004f  D.O.W.S._.L.O.N.
029031cc  00250047 006f0020 00650070 00610072  G.%. .o.p.e.r.a.
029031dc  00690074 0067006e 00730020 00730079  t.i.n.g. .s.y.s.
029031ec  00650074 0020006d 006e0061 00200064  t.e.m. .a.n.d. .

  16  Id: 10fc.124c Suspend: 0 Teb: 7ffd7000 Unfrozen
ChildEBP RetAddr  Args to Child             
053f8098 777b073f 777c3c9f 003d0650 00000001 ntdll!KiFastSystemCallRet
053f809c 777c3c9f 003d0650 00000001 00000000 user32!NtUserWaitMessage+0xc
053f80d0 777c2dc0 002e0378 003d0650 00000001 user32!DialogBox2+0x202
053f80f8 777c2eec 6f270000 03387bd4 003d0650 user32!InternalDialogBox+0xd0
053f8118 777c10ef 6f270000 03387bd4 003d0650 user32!DialogBoxIndirectParamAorW+0x37
053f813c 6f2c5548 6f270000 00005398 003d0650 user32!DialogBoxParamW+0x3f
053f8164 6f2c5743 6f270000 00005398 003d0650 ieframe!Detour_DialogBoxParamW+0x47
053f8188 6f2c56f5 6f270000 00005398 001905ea ieframe!SHFusionDialogBoxParam+0x32
053f9228 6f2c5378 001905ea 053fb540 00000104 ieframe!DoAddToFavDlgEx+0xcf
053fbb5c 6f2c58f9 001905ea 0e69a0c0 053fbff0 ieframe!AddToFavoritesEx+0x349
053fbdb8 6f2c57ee 00000000 053fbff0 00000000 ieframe!CBaseBrowser2::_AddToFavorites+0xe9
053fc0f4 6f2c3e5e 00000000 00000000 00000001 ieframe!CBaseBrowser2::_ExecAddToFavorites+0x123
053fc124 6f39ca4e 6f39c524 00000008 00000001 ieframe!CBaseBrowser2::_ExecExplorer+0xbe
053fc14c 6f39cee8 114ea39c 6f39c524 00000008 ieframe!CBaseBrowser2::Exec+0x12d
053fc17c 6f39cf17 6f39c524 00000008 00000001 ieframe!CShellBrowser2::_Exec_CCommonBrowser+0x80
053fc414 6f498284 114ea39c 6f39c524 00000008 ieframe!CShellBrowser2::Exec+0x626
053fc43c 6f49e5cd 0000a173 00000000 ffffff71 ieframe!CShellBrowser2::_FavoriteOnCommand+0x75
053fc458 6f3c5ea8 0000a173 00000000 00000111 ieframe!CShellBrowser2::_OnDefault+0x3e
053fd6f0 6f394194 0000a173 00000000 0000031a ieframe!CShellBrowser2::v_OnCommand+0xa7b
053fd70c 6f39898d 001905ea 00000111 0000a173 ieframe!CBaseBrowser2::v_WndProc+0x247
053fd770 6f3988db 001905ea 00000111 0000a173 ieframe!CShellBrowser2::v_WndProc+0x3fe
053fd794 777afd72 001905ea 00000111 0000a173 ieframe!CShellBrowser2::s_WndProc+0xfb
053fd7c0 777afe4a 6f39887a 001905ea 00000111 user32!InternalCallWinProc+0x23
053fd838 777b0943 00000000 6f39887a 001905ea user32!UserCallWinProcCheckWow+0x14b
053fd878 777b0b36 00252838 01223dc0 0000a173 user32!SendMessageWorker+0x4b7
053fd898 6f3cf032 001905ea 00000111 0000a173 user32!SendMessageW+0x7c
053fd8d0 6f396ead 0056049c 00000111 0000a173 ieframe!CInternetToolbarHost::v_WndProc+0xf8
053fd8f4 777afd72 0056049c 00000111 0000a173 ieframe!CImpWndProc::s_WndProc+0x65
053fd920 777afe4a 6f396e6e 0056049c 00000111 user32!InternalCallWinProc+0x23
053fd998 777b018d 00000000 6f396e6e 0056049c user32!UserCallWinProcCheckWow+0x14b
053fd9fc 777b022b 6f396e6e 00000000 053ffb14 user32!DispatchMessageWorker+0x322
053fda0c 6f39c1f5 053fda30 00000000 10eec4c0 user32!DispatchMessageW+0xf
053ffb14 6f34337f 0e7c3708 00000000 11bd8dc8 ieframe!CTabWindow::_TabWindowThreadProc+0x54c
053ffbcc 77525179 10eec4c0 00000000 053ffbe8 ieframe!LCIETab_ThreadProc+0x2c1
053ffbdc 7652d0e9 11bd8dc8 053ffc28 77b019bb iertutil!CIsoScope::RegisterThread+0xab
053ffbe8 77b019bb 11bd8dc8 7dd62326 00000000 kernel32!BaseThreadInitThunk+0xe
053ffc28 77b0198e 7752516b 11bd8dc8 00000000 ntdll!__RtlUserThreadStart+0x23
053ffc40 00000000 7752516b 11bd8dc8 00000000 ntdll!_RtlUserThreadStart+0x1b

0:000> dc 03387bd4 l50
03387bd4  ffff0001 00000000 00000000 80c808c0  ................
03387be4  0000000a 011f0000 00000064 00410000  ........d.....A.
03387bf4  00640064 00610020 00460020 00760061  d.d. .a. .F.a.v.
03387c04  0072006f 00740069 00000065 00000008  o.r.i.t.e.......
03387c14  004d0000 00200053 00680053 006c0065  ..M.S. .S.h.e.l.
03387c24  0020006c 006c0044 00000067 00000000  l. .D.l.g.......
03387c34  00000000 50000003 0007000f 00140015  .......P........
03387c44  00009760 0082ffff 00bfffff 00000000  `...............
03387c54  00000000 00000000 50020000 00070035  ...........P5...
03387c64  000800db 000003f4 0082ffff 00640041  ............A.d.
03387c74  00200064 00200061 00610046 006f0076  d. .a. .F.a.v.o.
03387c84  00690072 00650074 00000000 00000000  r.i.t.e.........
03387c94  00000000 50020000 00110035 001000db  .......P5.......
03387ca4  000003f5 0082ffff 00640041 00200064  ........A.d.d. .
03387cb4  00680074 00730069 00770020 00620065  t.h.i.s. .w.e.b.
03387cc4  00610070 00650067 00610020 00200073  p.a.g.e. .a.s. .
03387cd4  00200061 00610066 006f0076 00690072  a. .f.a.v.o.r.i.
03387ce4  00650074 0020002e 006f0054 00610020  t.e... .T.o. .a.
03387cf4  00630063 00730065 00200073 006f0079  c.c.e.s.s. .y.o.
03387d04  00720075 00660020 00760061 0072006f  u.r. .f.a.v.o.r.

Stack traces with a DialogBoxIndirectParam call and x64 complicate the picture a bit and are the subject of another post. Please also note that a user might not see the dialog box you see on a stack trace for many reasons, such as terminal session problems or a process running in a non-interactive session.
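The template bytes in the dumps above can also be decoded mechanically. The following Python code is an added example, not part of the original post: it rebuilds memory from pasted `dc` rows and walks the documented Win32 DLGTEMPLATE / DLGTEMPLATEEX layouts to return the caption, typeface and control texts. The names `dc_to_bytes`, `read_field` and `parse_dialog_template` are made up here, and item creation data is assumed absent (parsing stops if it is present).

```python
import contextlib
import re
import struct

DS_SETFONT = 0x40  # style bit: point size and typeface follow the caption
# First rows of the page's first `dc` dump; only the hex DWORD columns are parsed.
SAMPLE_DC = """
02a6bc60  80c800c4 00000000 000d0014 011f0036
02a6bc70  000000c4 00460000 006e006f 00000074
02a6bc80  004d0008 00200053 00680053 006c0065
02a6bc90  0020006c 006c0044 00000067 50020000
02a6bca0  00000000 00070007 00090028 ffff0440
02a6bcb0  00260082 006f0046 0074006e 0000003a
"""

def dc_to_bytes(dc_text):
    """Rebuild raw memory from WinDbg `dc` rows (address, then up to four DWORDs)."""
    rows = re.findall(r"^ *[0-9a-f`]+ +((?:[0-9a-f]{8}(?: +|$)){1,4})", dc_text, re.I | re.M)
    return b"".join(struct.pack("<I", int(d, 16)) for row in rows for d in row.split())

def read_field(buf, off):
    """Read a menu/class/text field: 0xFFFF + ordinal, or a NUL-terminated UTF-16 string."""
    if struct.unpack_from("<H", buf, off)[0] == 0xFFFF:
        return "#%d" % struct.unpack_from("<H", buf, off + 2)[0], off + 4
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace"), end + 2

def parse_dialog_template(buf):
    """Return (caption, typeface, control texts) from DLGTEMPLATE or DLGTEMPLATEEX bytes."""
    ex = struct.unpack_from("<HH", buf, 0) == (1, 0xFFFF)  # dlgVer, signature
    style, count = struct.unpack_from("<IH" if ex else "<I4xH", buf, 12 if ex else 0)
    off = read_field(buf, 26 if ex else 18)[1]           # skip the menu field
    off = read_field(buf, off)[1]                        # skip the window class field
    caption, off = read_field(buf, off)
    font, texts = None, []
    if style & DS_SETFONT:                               # skip point size (EX: +weight, italic, charset)
        font, off = read_field(buf, off + (6 if ex else 2))
    with contextlib.suppress(struct.error):              # a short dump ends mid-template
        for _ in range(count):
            off = (off + 3) & ~3                         # items start on DWORD boundaries
            _cls, off = read_field(buf, off + (24 if ex else 18))  # skip fixed item header
            text, off = read_field(buf, off)
            texts.append(text)
            if struct.unpack_from("<H", buf, off)[0]:
                break                                    # creation data present: not decoded here
            off += 2
    return caption, font, texts
```

Control texts returned as `#N` are resource ordinals (for example an icon id) rather than strings, and a text cut off by the end of the dump is returned as far as it was captured.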

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

One Response to “Crash Dump Analysis Patterns (Part 128)”

  1. SK Says:

    Would this be the same with x64 dump?
