Crash Dump Analysis Patterns (Part 213)
Tuesday, October 7th, 2014
Rough Stack Trace is an example of the more general Execution Residue pattern, or of Caller-n-Callee for managed space. It’s just a collection of symbolic references (which may also include Coincidental Symbolic Information) from the thread stack region or a fragment of it. In WinDbg we can get it by using the dpS command over the range from StackLimit to StackBase reported by !teb:
0:003> !teb
TEB at 000007fffffd6000
ExceptionList: 0000000000000000
StackBase: 0000000002450000
StackLimit: 000000000244b000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 000007fffffd6000
EnvironmentPointer: 0000000000000000
ClientId: 00000000000047fc . 0000000000004824
RpcHandle: 0000000000000000
Tls Storage: 000007fffffd6058
PEB Address: 000007fffffda000
LastErrorValue: 0
LastStatusValue: c0000302
Count Owned Locks: 0
HardErrorMode: 0
0:003> dpS 000000000244b000 0000000002450000
000007fe`fd4a8a2e ole32!InternalVerifyStackAvailable+0x44 [d:\winmain\minio\safealloca\alloca.c @ 317]
000007fe`fd4a8a2e ole32!InternalVerifyStackAvailable+0x44 [d:\winmain\minio\safealloca\alloca.c @ 317]
000007fe`fd4a8a2e ole32!InternalVerifyStackAvailable+0x44 [d:\winmain\minio\safealloca\alloca.c @ 317]
00000000`771d5430 ntdll!RtlpInterceptorRoutines
00000000`771134d8 ntdll!RtlAllocateHeap+0x16c
00000000`770ec9c3 ntdll!RtlAppendUnicodeStringToString+0x53
00000000`76eaebe5 kernel32!Wow64RedirectKeyPathInternal+0x2b7
00000000`770ec9c3 ntdll!RtlAppendUnicodeStringToString+0x53
00000000`771140fd ntdll!RtlFreeHeap+0x1a6
00000000`76eaec01 kernel32!ConstructKernelKeyPath+0x15f
00000000`76eaedd3 kernel32!Wow64NtOpenKey+0xee
00000000`771140fd ntdll!RtlFreeHeap+0x1a6
00000000`76ebc8aa kernel32!BaseRegOpenClassKeyFromLocation+0x3ba
00000000`76f3edf0 kernel32!`string'
00000000`771d5430 ntdll!RtlpInterceptorRoutines
00000000`76ebc9b9 kernel32!BaseRegGetUserPrefixLength+0xea
00000000`76f3ee38 kernel32!`string'
00000000`76f3edc8 kernel32!`string'
00000000`76ebc3a8 kernel32!BaseRegGetKeySemantics+0x1b8
00000000`771150d3 ntdll!RtlNtStatusToDosError+0x27
00000000`76eb36b7 kernel32!LocalBaseRegOpenKey+0x276
000007fe`fd4b6c79 ole32!GetUnquotedPath+0x29 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 2256]
000007fe`fd4b7019 ole32!CClassCache::CDllPathEntry::NegotiateDllInstantiationProperties2+0x145 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3092]
00000000`771d5430 ntdll!RtlpInterceptorRoutines
00000000`771134d8 ntdll!RtlAllocateHeap+0x16c
00000000`77115cc4 ntdll!RtlpAllocateHeap+0xc12
000007fe`fdc10359 usp10!CUspShapingClient::AllocMem+0x49
000007fe`fdc48942 usp10!COtlsClient::AllocMem+0x12
000007fe`fdc48942 usp10!COtlsClient::AllocMem+0x12
000007fe`fdc1d4f1 usp10!UspFreeMem+0x61
000007fe`fdc4896e usp10!COtlsClient::FreeMem+0xe
000007fe`fdc6e817 usp10!ApplyFeatures+0xa17
000007fe`fdc6f2f2 usp10!ApplyLookup+0x592
000007fe`fdc48901 usp10!COtlsClient::GetDefaultGlyphs+0x131
000007fe`fdc60100 usp10!HangulEngineGetGlyphs+0x2c0
000007fe`fdc10359 usp10!CUspShapingClient::AllocMem+0x49
000007fe`fdc48942 usp10!COtlsClient::AllocMem+0x12
000007fe`fdc10359 usp10!CUspShapingClient::AllocMem+0x49
000007fe`fdc1d4f1 usp10!UspFreeMem+0x61
000007fe`fdc48942 usp10!COtlsClient::AllocMem+0x12
000007fe`fdc1d4f1 usp10!UspFreeMem+0x61
000007fe`fdc4896e usp10!COtlsClient::FreeMem+0xe
000007fe`fdc6e817 usp10!ApplyFeatures+0xa17
000007fe`fdc6aaa8 usp10!RePositionOtlGlyphs+0x238
000007fe`fdc48901 usp10!COtlsClient::GetDefaultGlyphs+0x131
000007fe`fdc60100 usp10!HangulEngineGetGlyphs+0x2c0
000007fe`fdc48798 usp10!COtlsClient::ReleaseOtlTable+0x78
000007fe`fdc6ae85 usp10!otlResourceMgr::detach+0xc5
00000000`7717c63e ntdll!EtwEventWriteNoRegistration+0xae
000007fe`fdc48a99 usp10!COtlsClient::Release+0x49
00000000`771150d3 ntdll!RtlNtStatusToDosError+0x27
00000000`7716bd85 ntdll!WaitForWerSvc+0x85
00000000`7717b94e ntdll!WerpAllocateAndInitializeSid+0xbe
00000000`7716bd90 ntdll! ?? ::FNODOBFM::`string'
00000000`77175dcf ntdll!WerpFreeSid+0x3f
00000000`7718123d ntdll!SendMessageToWERService+0x22d
00000000`77181260 ntdll! ?? ::FNODOBFM::`string'
00000000`77182308 ntdll!ReportExceptionInternal+0xc8
000007fe`fd061430 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`76ec1723 kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`76f3b5e5 kernel32!WerpReportFaultInternal+0x215
00000000`76f3b767 kernel32!WerpReportFault+0x77
00000000`76f3b7bf kernel32!BasepReportFault+0x1f
00000000`76f3b9dc kernel32!UnhandledExceptionFilter+0x1fc
00000000`77118d7e ntdll!RtlpFindUnicodeStringInSection+0x50e
00000000`771198fc ntdll!LdrpFindLoadedDll+0x10c
00000000`770e9caa ntdll!RtlDecodePointer+0x2a
00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`771e8180 ntdll!`string'+0xc040
00000000`771e818c ntdll!`string'+0xc04c
00000000`77153398 ntdll! ?? ::FNODOBFM::`string'+0x2365
00000000`770d85c8 ntdll!_C_specific_handler+0x8c
00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`770ec541 ntdll!RtlUserThreadStart+0x1d
00000000`770e9d2d ntdll!RtlpExecuteHandlerForException+0xd
00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`770d91cf ntdll!RtlDispatchException+0x45a
00000000`76fadda0 kernel32!__PchSym_ <PERF> (kernel32+0x10dda0)
00000000`7711920a ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3da
00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`771e8180 ntdll!`string'+0xc040
00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`770ec541 ntdll!RtlUserThreadStart+0x1d
00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`771d7718 ntdll!LdrpDefaultExtension
00000000`770d852c ntdll!_C_specific_handler
00000000`771e8180 ntdll!`string'+0xc040
000007fe`ff3625c0 msctf!s_szCompClassName
000007fe`fd602790 ole32!`string'
00000000`770e7a33 ntdll!LdrpFindOrMapDll+0x138
00000000`771192a8 ntdll!LdrpApplyFileNameRedirection+0x2d3
000007fe`fd602848 ole32!`string'
00000000`771d5430 ntdll!RtlpInterceptorRoutines
00000000`77113448 ntdll!RtlAllocateHeap+0xe4
00000000`76fd88b8 user32!GetPropW+0x4d
00000000`76fd88b8 user32!GetPropW+0x4d
00000000`76fd7931 user32!IsWindow+0x9
00000000`76fd7931 user32!IsWindow+0x9
00000000`770f41c8 ntdll!RtlpReAllocateHeap+0x178
000007fe`fb601381 uxtheme!CThemeWnd::_PreDefWindowProc+0x31
00000000`76eb59e0 kernel32!BaseThreadInitThunk
00000000`ffdbdb32 calc!CTimedCalc::Start+0xa9
00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`ffe0ac64 calc!_dyn_tls_init_callback <PERF> (calc+0x7ac64)
00000000`76ea0000 kernel32!TestResourceDataMatchEntry <PERF> (kernel32+0x0)
00000000`76fadda0 kernel32!__PchSym_ <PERF> (kernel32+0x10dda0)
00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0)
00000000`76fd760e user32!RealDefWindowProcW+0x5a
000007fe`fb600037 uxtheme!operator delete <PERF> (uxtheme+0x37)
00000000`77111248 ntdll!KiUserExceptionDispatch+0x2e
000007fe`fb63fb40 uxtheme!$$VProc_ImageExportDirectory
00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`76fe76c2 user32!DefDlgProcW+0x36
00000000`76fd9bef user32!UserCallWinProcCheckWow+0x1cb
00000000`76fd9b43 user32!UserCallWinProcCheckWow+0x99
00000000`76fd9bef user32!UserCallWinProcCheckWow+0x1cb
00000000`76fd72cb user32!DispatchClientMessage+0xc3
00000000`770e46b4 ntdll!NtdllDialogWndProc_W
00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2
00000000`77101530 ntdll!NtdllDispatchMessage_W
00000000`76fe505b user32!DialogBox2+0x2ec
00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`76fe4edd user32!InternalDialogBox+0x135
00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`76fe4f52 user32!DialogBoxIndirectParamAorW+0x58
00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0)
00000000`76fdd476 user32!DialogBoxParamW+0x66
00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc
00000000`ffdbdafa calc!CTimedCalc::WatchDogThread+0x72
00000000`76eb59ed kernel32!BaseThreadInitThunk+0xd
00000000`770ec541 ntdll!RtlUserThreadStart+0x1d
00000000`76f3b7e0 kernel32!UnhandledExceptionFilter
00000000`76f3b7e0 kernel32!UnhandledExceptionFilter
The name for this pattern comes from rough sets in mathematics.
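The !teb and dpS steps above can be post-processed offline when a saved debugger log is all that is available. The following is an added example, not code from the original post: it builds the dpS command from !teb fields and sorts each dpS line into a rough category. The function names, the category labels and the rule that `string' and <PERF> entries are likely Coincidental Symbolic Information are assumptions of this sketch, and the sample input is constructed from a few lines in the shape of the output above.

```python
import re
from collections import Counter

# Constructed sample input in the format of the !teb and dpS output above.
TEB = """StackBase: 0000000002450000
StackLimit: 000000000244b000"""
DPS = r"""000007fe`fd4a8a2e ole32!InternalVerifyStackAvailable+0x44 [d:\winmain\minio\safealloca\alloca.c @ 317]
00000000`771d5430 ntdll!RtlpInterceptorRoutines
00000000`76f3edf0 kernel32!`string'
00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0)
00000000`7716bd90 ntdll! ?? ::FNODOBFM::`string'
00000000`76f3b9dc kernel32!UnhandledExceptionFilter+0x1fc
00000000`ffdbdafa calc!CTimedCalc::WatchDogThread+0x72
00000000`76eb59ed kernel32!BaseThreadInitThunk+0xd
00000000`76eb59ed kernel32!BaseThreadInitThunk+0xd"""

LINE = re.compile(r"^([0-9a-f`]+)\s+(\w+)!(.*)$")

def dps_command(teb_text):
    """Build 'dpS <StackLimit> <StackBase>' from saved !teb output."""
    f = dict(re.findall(r"(StackBase|StackLimit):\s*([0-9a-fA-F]+)", teb_text))
    return f"dpS {f['StackLimit']} {f['StackBase']}"

def parse_dps(text):
    """Return (address, module, symbol, kind) for every dpS line."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        addr, module, rest = m.groups()
        sym = re.sub(r"\s*\[.*\]$", "", rest).strip()  # drop source file/line info
        if "<PERF>" in sym or "`string'" in sym:
            kind = "suspect"       # heuristic: likely coincidental, not a code location
        elif re.search(r"\+0x[0-9a-f]+$", sym):
            kind = "code+offset"   # points inside a function: return-address candidate
        else:
            kind = "symbol-start"  # function or data pointer (callback, table, global)
        entries.append((addr, module, sym, kind))
    return entries

def summarize(entries):
    """Unique code+offset references in stack order, plus per-module counts."""
    seen, unique = set(), []
    for addr, module, sym, kind in entries:
        if kind == "code+offset" and addr not in seen:
            seen.add(addr)
            unique.append(f"{module}!{sym}")
    return unique, Counter(u.split("!")[0] for u in unique)
```

The categories only rank lines for review: a "symbol-start" entry such as a dialog procedure pointer can still be genuine execution residue, and a "code+offset" entry can still be a stale value left by an earlier call.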
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -