Comments on: Crash Dump Analysis Patterns (Part 128) https://www.dumpanalysis.org/blog/index.php/2011/01/29/crash-dump-analysis-patterns-part-128/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Tue, 05 May 2026 17:38:22 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2011/01/29/crash-dump-analysis-patterns-part-128/#comment-764710 Dmitry Vostokov Fri, 29 Jan 2021 21:31:42 +0000 https://www.dumpanalysis.org/blog/index.php/2011/01/29/crash-dump-analysis-patterns-part-128/#comment-764710 x64 Windows dumps are more difficult here, but since the content of some registers used for data flow may be saved on the stack during API calls, sometimes it is possible to reconstruct the passed parameters like in this simple example: <p align="left">0:000> k # Child-SP RetAddr Call Site 00 0000004b`b892efb8 00007ffb`7239d701 win32u!NtUserWaitMessage+0x14 01 0000004b`b892efc0 00007ffb`7239d471 user32!DialogBox2+0x261 02 0000004b`b892f060 00007ffb`7239d322 user32!InternalDialogBox+0x12d 03 0000004b`b892f0c0 00007ffb`7239d28b user32!DialogBoxIndirectParamAorW+0x52 04 0000004b`b892f100 00007ffb`72a6e3a6 user32!DialogBoxParamW+0x7b 05 0000004b`b892f140 00007ffb`72c3722b shell32!SHFusionDialogBoxParam+0x5e 06 0000004b`b892f190 00007ff7`a7af9c90 shell32!ShellAboutW+0x8b 07 0000004b`b892f220 00007ff7`a7afae24 notepad!NPCommand+0xc1c 08 0000004b`b892f800 00007ffb`7237e858 notepad!NPWndProc+0x844 09 0000004b`b892fb30 00007ffb`7237e299 user32!UserCallWinProcCheckWow+0x2f8 0a 0000004b`b892fcc0 00007ff7`a7afb33c user32!DispatchMessageWorker+0x249 0b 0000004b`b892fd40 00007ff7`a7b13d36 notepad!wWinMain+0x29c 0c 0000004b`b892fdf0 00007ffb`725d7034 notepad!__scrt_common_main_seh+0x106 0d 0000004b`b892fe30 00007ffb`73a3d0d1 kernel32!BaseThreadInitThunk+0x14 0e 0000004b`b892fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x21 <p align="left">0:000> ub 00007ffb`72a6e3a6 shell32!SHFusionDialogBoxParam+0x3c: 00007ffb`72a6e384 e81babf8ff call shell32!DelayLoadCC (00007ffb`729f8ea4) 00007ffb`72a6e389 488b442470 mov rax,qword ptr [rsp+70h] 00007ffb`72a6e38e 4c8bcb mov r9,rbx 00007ffb`72a6e391 4c8bc7 mov r8,rdi 00007ffb`72a6e394 4889442420 mov qword ptr [rsp+20h],rax 00007ffb`72a6e399 488bd6 mov rdx,rsi 00007ffb`72a6e39c 488bcd mov rcx,rbp 00007ffb`72a6e39f 48ff1552fe4d00 call qword ptr [shell32!_imp_DialogBoxParamW (00007ffb`72f4e1f8)] <p align="left">0:000> u user32!DialogBoxParamW user32!DialogBoxParamW: 00007ffb`7239d210 48895c2408 mov qword ptr [rsp+8],rbx 00007ffb`7239d215 48896c2410 mov qword ptr [rsp+10h],rbp 00007ffb`7239d21a 4889742418 mov qword ptr [rsp+18h],rsi 00007ffb`7239d21f 57 push rdi 00007ffb`7239d220 4883ec30 sub rsp,30h 00007ffb`7239d224 488b0585600800 mov rax,qword ptr [user32!pfnFindResourceExW (00007ffb`724232b0)] 00007ffb`7239d22b 498be8 mov rbp,r8 00007ffb`7239d22e 498bf1 mov rsi,r9 <p align="left">0:000> dps 0000004b`b892f100 0000004b`b892f100 ffffffff`ffffffff 0000004b`b892f108 00000000`005615dc 0000004b`b892f110 00007ffb`72c2ac20 shell32!AboutDlgProc 0000004b`b892f118 00000000`00003810 0000004b`b892f120 0000004b`b892f1c0 0000004b`b892f128 00000000`00000000 0000004b`b892f130 00000000`005615dc 0000004b`b892f138 00007ffb`72a6e3a6 shell32!SHFusionDialogBoxParam+0x5e 0000004b`b892f140 00007ffb`72c2ac20 shell32!AboutDlgProc 0000004b`b892f148 00007ffb`72970000 <PERF> (shell32+0x0) 0000004b`b892f150 00000000`00003810 0000004b`b892f158 00007ffb`72386cc2 user32!SetThreadDpiAwarenessContext+0x72 0000004b`b892f160 0000004b`b892f1c0 0000004b`b892f168 ffffffff`fffffffc 0000004b`b892f170 1d3841ad`00000006 0000004b`b892f178 0000004b`b892fe60 <p align="left">0:000> lm a 00007ffb`72970000 Browse full module list start end module name 00007ffb`72970000 00007ffb`730b3000 shell32 <p align="left">We see that the dialog template was taken from shell32 module, the dialog function is shell32!AboutDlgProc, and resource identifier is 00000000`00003810. x64 Windows dumps are more difficult here, but since the content of some registers used for data flow may be saved on the stack during API calls, sometimes it is possible to reconstruct the passed parameters like in this simple example:

0:000> k
# Child-SP RetAddr Call Site
00 0000004b`b892efb8 00007ffb`7239d701 win32u!NtUserWaitMessage+0×14
01 0000004b`b892efc0 00007ffb`7239d471 user32!DialogBox2+0×261
02 0000004b`b892f060 00007ffb`7239d322 user32!InternalDialogBox+0×12d
03 0000004b`b892f0c0 00007ffb`7239d28b user32!DialogBoxIndirectParamAorW+0×52
04 0000004b`b892f100 00007ffb`72a6e3a6 user32!DialogBoxParamW+0×7b
05 0000004b`b892f140 00007ffb`72c3722b shell32!SHFusionDialogBoxParam+0×5e
06 0000004b`b892f190 00007ff7`a7af9c90 shell32!ShellAboutW+0×8b
07 0000004b`b892f220 00007ff7`a7afae24 notepad!NPCommand+0xc1c
08 0000004b`b892f800 00007ffb`7237e858 notepad!NPWndProc+0×844
09 0000004b`b892fb30 00007ffb`7237e299 user32!UserCallWinProcCheckWow+0×2f8
0a 0000004b`b892fcc0 00007ff7`a7afb33c user32!DispatchMessageWorker+0×249
0b 0000004b`b892fd40 00007ff7`a7b13d36 notepad!wWinMain+0×29c
0c 0000004b`b892fdf0 00007ffb`725d7034 notepad!__scrt_common_main_seh+0×106
0d 0000004b`b892fe30 00007ffb`73a3d0d1 kernel32!BaseThreadInitThunk+0×14
0e 0000004b`b892fe60 00000000`00000000 ntdll!RtlUserThreadStart+0×21

0:000> ub 00007ffb`72a6e3a6
shell32!SHFusionDialogBoxParam+0×3c:
00007ffb`72a6e384 e81babf8ff call shell32!DelayLoadCC (00007ffb`729f8ea4)
00007ffb`72a6e389 488b442470 mov rax,qword ptr [rsp+70h]
00007ffb`72a6e38e 4c8bcb mov r9,rbx
00007ffb`72a6e391 4c8bc7 mov r8,rdi
00007ffb`72a6e394 4889442420 mov qword ptr [rsp+20h],rax
00007ffb`72a6e399 488bd6 mov rdx,rsi
00007ffb`72a6e39c 488bcd mov rcx,rbp
00007ffb`72a6e39f 48ff1552fe4d00 call qword ptr [shell32!_imp_DialogBoxParamW (00007ffb`72f4e1f8)]

0:000> u user32!DialogBoxParamW
user32!DialogBoxParamW:
00007ffb`7239d210 48895c2408 mov qword ptr [rsp+8],rbx
00007ffb`7239d215 48896c2410 mov qword ptr [rsp+10h],rbp
00007ffb`7239d21a 4889742418 mov qword ptr [rsp+18h],rsi
00007ffb`7239d21f 57 push rdi
00007ffb`7239d220 4883ec30 sub rsp,30h
00007ffb`7239d224 488b0585600800 mov rax,qword ptr [user32!pfnFindResourceExW (00007ffb`724232b0)]
00007ffb`7239d22b 498be8 mov rbp,r8
00007ffb`7239d22e 498bf1 mov rsi,r9

0:000> dps 0000004b`b892f100
0000004b`b892f100 ffffffff`ffffffff
0000004b`b892f108 00000000`005615dc
0000004b`b892f110 00007ffb`72c2ac20 shell32!AboutDlgProc
0000004b`b892f118 00000000`00003810
0000004b`b892f120 0000004b`b892f1c0
0000004b`b892f128 00000000`00000000
0000004b`b892f130 00000000`005615dc
0000004b`b892f138 00007ffb`72a6e3a6 shell32!SHFusionDialogBoxParam+0×5e
0000004b`b892f140 00007ffb`72c2ac20 shell32!AboutDlgProc
0000004b`b892f148 00007ffb`72970000 (shell32+0×0)
0000004b`b892f150 00000000`00003810
0000004b`b892f158 00007ffb`72386cc2 user32!SetThreadDpiAwarenessContext+0×72
0000004b`b892f160 0000004b`b892f1c0
0000004b`b892f168 ffffffff`fffffffc
0000004b`b892f170 1d3841ad`00000006
0000004b`b892f178 0000004b`b892fe60

0:000> lm a 00007ffb`72970000
Browse full module list
start end module name
00007ffb`72970000 00007ffb`730b3000 shell32

We see that the dialog template was taken from shell32 module, the dialog function is shell32!AboutDlgProc, and resource identifier is 00000000`00003810.

]]> By: SK https://www.dumpanalysis.org/blog/index.php/2011/01/29/crash-dump-analysis-patterns-part-128/#comment-256542 SK Fri, 25 Mar 2011 05:43:50 +0000 https://www.dumpanalysis.org/blog/index.php/2011/01/29/crash-dump-analysis-patterns-part-128/#comment-256542 Would this be the same with x64 dump? Would this be the same with x64 dump?

]]>