Crash Dump Analysis Patterns (Part 197)
The Injected Symbols pattern can be used to add missing symbols when we have Reduced Symbol Information, as was done previously in an earlier case study. For example, the TestWER module was compiled with static MFC and CRT libraries, and its private PDB file contains all the necessary symbols, including the MSG structure. We can load that module into the notepad.exe process space (at the address of the WinCRT module, which has no symbols) and apply its symbols:
0:000:x86> lm
start end module name
00fc0000 00ff0000 notepad (pdb symbols) c:\mss\notepad.pdb\E325F5195AE94FAEB58D25C9DF8C0CFD2\notepad.pdb
10000000 10039000 WinCRT (deferred)
727f0000 7298e000 comctl32 (deferred)
72aa0000 72af1000 winspool (deferred)
72b10000 72b19000 version (deferred)
72e40000 72e48000 wow64cpu (deferred)
72e50000 72eac000 wow64win (pdb symbols) c:\mss\wow64win.pdb\B2D08CC152D64E71B79167DC0A0A53E91\wow64win.pdb
72eb0000 72eef000 wow64 (deferred)
733d0000 733e3000 dwmapi (deferred)
735b0000 73606000 uxtheme (deferred)
746f0000 746fc000 CRYPTBASE (deferred)
74700000 74760000 sspicli (deferred)
747c0000 74817000 shlwapi (deferred)
74830000 7547a000 shell32 (deferred)
755d0000 7564b000 comdlg32 (deferred)
75650000 7567e000 imm32 (deferred)
75770000 75810000 advapi32 (deferred)
75810000 75920000 kernel32 (pdb symbols) c:\mss\wkernel32.pdb\1C690A8592304467BB15A09CEA7180FA2\wkernel32.pdb
75920000 759b0000 gdi32 (deferred)
759b0000 759f7000 KERNELBASE (deferred)
75a00000 75b00000 user32 (pdb symbols) c:\mss\wuser32.pdb\0FCE9CC301ED4567A819705B2718E1D62\wuser32.pdb
75b00000 75b8f000 oleaut32 (deferred)
75be0000 75c7d000 usp10 (deferred)
75ff0000 76009000 sechost (deferred)
76010000 76100000 rpcrt4 (deferred)
76230000 762dc000 msvcrt (deferred)
76470000 7647a000 lpk (deferred)
76480000 7654c000 msctf (deferred)
76550000 766ac000 ole32 (deferred)
766d0000 76753000 clbcatq (deferred)
76e40000 76fe9000 ntdll (deferred)
77020000 771a0000 ntdll_77020000 (pdb symbols) c:\mss\wntdll.pdb\D74F79EB1F8D4A45ABCD2F476CCABACC2\wntdll.pdb
0:000:x86> .sympath+ C:\DebuggingTV\TestWER\x86
Symbol search path is: srv*;C:\DebuggingTV\TestWER\x86
Expanded Symbol search path is: SRV*c:\mss*http://msdl.microsoft.com/download/symbols;c:\debuggingtv\testwer\x86
0:000:x86> .reload /f /i C:\DebuggingTV\TestWER\x86\TestWER.exe=10000000
0:000:x86> lm
start end module name
00fc0000 00ff0000 notepad (pdb symbols) c:\mss\notepad.pdb\E325F5195AE94FAEB58D25C9DF8C0CFD2\notepad.pdb
10000000 10039000 TestWER (private pdb symbols) c:\debuggingtv\testwer\x86\TestWER.pdb
727f0000 7298e000 comctl32 (deferred)
72aa0000 72af1000 winspool (deferred)
72b10000 72b19000 version (deferred)
72e40000 72e48000 wow64cpu (deferred)
72e50000 72eac000 wow64win (pdb symbols) c:\mss\wow64win.pdb\B2D08CC152D64E71B79167DC0A0A53E91\wow64win.pdb
72eb0000 72eef000 wow64 (deferred)
733d0000 733e3000 dwmapi (deferred)
735b0000 73606000 uxtheme (deferred)
746f0000 746fc000 CRYPTBASE (deferred)
74700000 74760000 sspicli (deferred)
747c0000 74817000 shlwapi (deferred)
74830000 7547a000 shell32 (deferred)
755d0000 7564b000 comdlg32 (deferred)
75650000 7567e000 imm32 (deferred)
75770000 75810000 advapi32 (deferred)
75810000 75920000 kernel32 (pdb symbols) c:\mss\wkernel32.pdb\1C690A8592304467BB15A09CEA7180FA2\wkernel32.pdb
75920000 759b0000 gdi32 (deferred)
759b0000 759f7000 KERNELBASE (deferred)
75a00000 75b00000 user32 (pdb symbols) c:\mss\wuser32.pdb\0FCE9CC301ED4567A819705B2718E1D62\wuser32.pdb
75b00000 75b8f000 oleaut32 (deferred)
75be0000 75c7d000 usp10 (deferred)
75ff0000 76009000 sechost (deferred)
76010000 76100000 rpcrt4 (deferred)
76230000 762dc000 msvcrt (deferred)
76470000 7647a000 lpk (deferred)
76480000 7654c000 msctf (deferred)
76550000 766ac000 ole32 (deferred)
766d0000 76753000 clbcatq (deferred)
76e40000 76fe9000 ntdll (deferred)
77020000 771a0000 ntdll_77020000 (pdb symbols) c:\mss\wntdll.pdb\D74F79EB1F8D4A45ABCD2F476CCABACC2\wntdll.pdb
0:000:x86> kv
ChildEBP RetAddr Args to Child
0013fe34 75a1790d 0013fe74 00000000 00000000 user32!NtUserGetMessage+0x15
0013fe50 00fc148a 0013fe74 00000000 00000000 user32!GetMessageW+0x33
0013fe90 00fc16ec 00fc0000 00000000 00354082 notepad!WinMain+0xe6
0013ff20 758233aa 7efde000 0013ff6c 77059ef2 notepad!_initterm_e+0x1a1
0013ff2c 77059ef2 7efde000 57785ae5 00000000 kernel32!BaseThreadInitThunk+0xe
0013ff6c 77059ec5 00fc3689 7efde000 00000000 ntdll_77020000!__RtlUserThreadStart+0x70
0013ff84 00000000 00fc3689 7efde000 00000000 ntdll_77020000!_RtlUserThreadStart+0x1b
0:000:x86> dt -r MSG 0013fe74
TestWER!MSG
   +0x000 hwnd    : 0x0007149c HWND__
   +0x000 unused  : ??
   +0x004 message : 0x113
   +0x008 wParam  : 0x38a508
   +0x00c lParam  : 0n1921500630
   +0x010 time    : 0x2079a177
   +0x014 pt      : tagPOINT
      +0x000 x    : 0n1337
      +0x004 y    : 0n448
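As an added illustration (not part of the original post), the script below does by hand what the injected TestWER symbols let dt do above: it lays the 28 raw bytes of the x86 MSG at 0013fe74 out field by field, names the message (0x113 is WM_TIMER in the Windows SDK), and resolves the wParam and lParam values against an lm listing. The raw bytes and the trimmed lm text are constructed from the output shown in the post, which itself does not include a raw memory dump.

```python
import re
import struct

# x86 MSG layout as shown by dt above: seven 4-byte fields, 28 bytes in total.
# hwnd/message/wParam/time are unsigned; lParam and POINT.x/.y are signed LONGs,
# which is why dt prints them in 0n (decimal) form.
MSG_FMT = "<IIIiIii"
MSG_SIZE = struct.calcsize(MSG_FMT)  # 28

WM_NAMES = {0x000F: "WM_PAINT", 0x0012: "WM_QUIT", 0x0113: "WM_TIMER"}

# Constructed input: the bytes at 0013fe74 rebuilt (little-endian) from the dt
# values in the post; the post itself does not show a raw memory dump.
SAMPLE_MSG = bytes.fromhex(
    "9c140700" "13010000" "08a53800" "d6c58772" "77a17920" "39050000" "c0010000"
)

# Constructed input: the lm lines relevant to the addresses decoded below.
SAMPLE_LM = r"""10000000 10039000 TestWER (private pdb symbols) c:\debuggingtv\testwer\x86\TestWER.pdb
727f0000 7298e000 comctl32 (deferred)
75a00000 75b00000 user32 (pdb symbols)
"""

def decode_msg(raw: bytes) -> dict:
    """Lay out an x86 MSG field by field, the job dt does once symbols are available."""
    if len(raw) < MSG_SIZE:
        raise ValueError(f"MSG needs {MSG_SIZE} bytes, got {len(raw)}")
    hwnd, message, wparam, lparam, time, x, y = struct.unpack_from(MSG_FMT, raw)
    return {"hwnd": hwnd, "message": message, "name": WM_NAMES.get(message, f"WM_0x{message:x}"),
            "wParam": wparam, "lParam": lparam, "time": time, "pt": (x, y)}

def parse_lm(text: str) -> list:
    """Turn 'start end module ...' lm lines into (start, end, module) tuples."""
    return [(int(m[1], 16), int(m[2], 16), m[3])
            for m in re.finditer(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)", text, re.M)]

def module_for(addr: int, modules: list):
    """Return 'module+0xoffset' for the range containing addr (taken as unsigned), else None."""
    addr &= 0xFFFFFFFF
    for start, end, name in modules:
        if start <= addr < end:
            return f"{name}+0x{addr - start:x}"
    return None

if __name__ == "__main__":
    msg, mods = decode_msg(SAMPLE_MSG), parse_lm(SAMPLE_LM)
    print(msg)
    # For WM_TIMER, wParam is the timer id and lParam the TIMERPROC callback (or NULL),
    # so only lParam is expected to resolve to a code module.
    print("lParam ->", module_for(msg["lParam"], mods))
    print("wParam ->", module_for(msg["wParam"], mods))
```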
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -