
Crash Dump Analysis Patterns (Part 305)

Friday, January 9th, 2026

In ARM64 Virtualized Process memory dumps, their Stack Trace Collections, and their Execution Residue, we may see pointers that point to ISA-Specific Code. For example, in an x86 process thread stack we may see the following x86 disassembly at code pointer values:

0:001> u 7573e81c
kernel32!BaseThreadInitThunk+0x2c:
7573e81c 2808 sub byte ptr [eax],cl
7573e81e 0090083142b9 add byte ptr [eax-46BDCEF8h],dl
7573e824 e003 loopne kernel32!BaseThreadInitThunk+0x39 (7573e829)
7573e826 002a add byte ptr [edx],ch
7573e828 0001 add byte ptr [ecx],al
7573e82a 3f aas
7573e82b d6 ???
7573e82c 2808 sub byte ptr [eax],cl

0:001> u 76e12640
KERNELBASE!SetEvent:
76e12640 fd std
76e12641 7bbe jnp KERNELBASE!UnmapViewOfFile+0x11 (76e12601)
76e12643 29fd sub ebp,edi
76e12645 0300 add eax,dword ptr [eax]
76e12647 91 xchg eax,ecx
76e12648 6810009008 push 8900010h
76e1264d a5 movs dword ptr es:[edi],dword ptr [esi]
76e1264e 43 inc ebx

0:001> ub 76e0c11c
^ Unable to find valid previous instruction for 'ub 76e0c11c'

0:001> ub 5f82d9c9
ACE!ACEInitializeEx+0x65573:
5f82d9b7 c3 ret
5f82d9b8 56 push esi
5f82d9b9 57 push edi
5f82d9ba 8b3da8b0835f mov edi,dword ptr [ACE!ACEInitializeEx+0x72c64 (5f83b0a8)]
5f82d9c0 8bf1 mov esi,ecx
5f82d9c2 6aff push 0FFFFFFFFh
5f82d9c4 ff7610 push dword ptr [esi+10h]
5f82d9c7 ffd7 call edi

0:001> ub ntdll!NtWaitForSingleObject+0xc
ntdll!NtMapUserPhysicalPagesScatter:
779fd030 b803000a00 mov eax,0A0003h
779fd035 ba70a6a077 mov edx,offset ntdll!Wow64SystemServiceCall (77a0a670)
779fd03a ffd2 call edx
779fd03c c20c00 ret 0Ch
779fd03f 90 nop
ntdll!NtWaitForSingleObject:
779fd040 b804000d00 mov eax,0D0004h
779fd045 ba70a6a077 mov edx,offset ntdll!Wow64SystemServiceCall (77a0a670)
779fd04a ffd2 call edx

The first three look like Wild Code (or Coincidental Symbolic Information if we go by function names alone). But if we switch the effective machine to CHPE, we get the inverse: the first three disassemble correctly and the last two become invalid, because the bytes at those addresses are CHPE (ARM64) code that the default x86 effective machine decodes as garbage. Before classifying a code pointer as Wild Code in such dumps, it is therefore worth checking how the same address disassembles under the other effective machine:

0:001> .effmach CHPE
Effective machine: CHPE on X86 (read only) (CHPE)

0:001:CHPE> u 7573e81c
kernel32!BaseThreadInitThunk+0x2c:
7573e81c 90000828 adrp x8,kernel32!_imp_#LdrQueryImageFileKeyOption (75842000)
7573e820 b9423108 ldr w8,[x8,#0x230]
7573e824 2a0003e0 mov w0,w0
7573e828 d63f0100 blr x8
7573e82c 90000828 adrp x8,kernel32!_imp_#LdrQueryImageFileKeyOption (75842000)
7573e830 b9429d08 ldr w8,[x8,#0x29C]
7573e834 d63f0100 blr x8
7573e838 36225700 tbz w0,#4,kernel32!#IsFusionFullySupported+0x50 (75743318)

0:001:CHPE> u 76e12640
KERNELBASE!SetEvent:
76e12640 29be7bfd stp wfp,wlr,[sp,#-0x10]!
76e12644 910003fd mov fp,sp
76e12648 90001068 adrp x8,KERNELBASE!__hybrid_auxiliary_iat (7701e000)
76e1264c b943a508 ldr w8,[x8,#0x3A4]
76e12650 2a0003e0 mov w0,w0
76e12654 52800001 mov w1,#0
76e12658 d63f0100 blr x8
76e1265c 37f887e0 tbnz w0,#0x1F,KERNELBASE!BasepCheckImageVersion+0xe8 (76e13758)

0:001:CHPE> ub 76e0c11c
KERNELBASE!#WaitForSingleObjectEx+0xdc:
76e0c0fc 110083a2 add w2,wfp,#0x20
76e0c100 b90017a2 str w2,[fp,#0x14]
76e0c104 53001e61 uxtb w1,w19
76e0c108 2a0203e2 mov w2,w2
76e0c10c 2a0003e0 mov w0,w0
76e0c110 d0001088 adrp x8,KERNELBASE!__hybrid_auxiliary_iat (7701e000)
76e0c114 b9440d08 ldr w8,[x8,#0x40C]
76e0c118 d63f0100 blr x8

0:001:CHPE> ub 5f82d9c9
ACE!ACEInitializeEx+0x65565:
5f82d9a9 000003e8 ???
^ Memory access error in 'ub 5f82d9c9'

0:001:CHPE> ub ntdll!NtWaitForSingleObject+0xc
ntdll!NtAcceptConnectPort+0xc:
779fd02c 900018c2 adrp x2,77d15000
ntdll!NtMapUserPhysicalPagesScatter:
779fd030 0a0003b8 and w24,wfp,w0
779fd034 a670ba00 ???
779fd038 d2ff77a0 mov x0,#-0x443000000000000
779fd03c 90000cc2 adrp x2,77b95000
ntdll!NtWaitForSingleObject:
779fd040 0d0004b8 st1 {v24.b}[1],[x5]
779fd044 a670ba00 ???
779fd048 d2ff77a0 mov x0,#-0x443000000000000

0:001:CHPE> .effmach x86
Effective machine: x86 compatible (x86)

The same is observable for pointers in the raw stack region of an x64 process thread:

0:000> ub 00007ff7`83432ac9
pointers_c!invoke_main+0x16:
00007ff7`83432aa6 4889442430 mov qword ptr [rsp+30h],rax
00007ff7`83432aab e82ae8ffff call pointers_c!ILT+725(__p___argc) (00007ff7`834312da)
00007ff7`83432ab0 8b00 mov eax,dword ptr [rax]
00007ff7`83432ab2 89442420 mov dword ptr [rsp+20h],eax
00007ff7`83432ab6 4c8b442428 mov r8,qword ptr [rsp+28h]
00007ff7`83432abb 488b542430 mov rdx,qword ptr [rsp+30h]
00007ff7`83432ac0 8b4c2420 mov ecx,dword ptr [rsp+20h]
00007ff7`83432ac4 e8b7e7ffff call pointers_c!ILT+635(main) (00007ff7`83431280)

0:000> ub 00007ff8`046917ac
^ Unable to find valid previous instruction for 'ub 00007ff8`046917ac'

0:000> .effmach ARM64EC
Effective machine: ARM64EC (CHPEv2 on X64) (ARM64EC)

0:000:ARM64EC> ub 00007ff7`83432ac9
pointers_c!invoke_main+0x19:
00007ff7`83432aa9 2ae83024 ???
^ Memory access error in 'ub 00007ff7`83432ac9'

0:000:ARM64EC> ub 00007ff8`046917ac
kernel32!$iexit_thunk$cdecl$d$d+0x2c:
00007ff8`0469178c 00000000 ???
kernel32!$iexit_thunk$cdecl$i8$i8:
00007ff8`04691790 d503237f pacibsp
00007ff8`04691794 a9bf7bfd stp fp,lr,[sp,#-0x10]!
00007ff8`04691798 910003fd mov fp,sp
00007ff8`0469179c d10083ff sub sp,sp,#0x20
00007ff8`046917a0 b0000048 adrp x8,kernel32!_os_arm64x_dispatch_call_no_redirect (00007ff8`0469a000)
00007ff8`046917a4 f9400110 ldr xip0,[x8]
00007ff8`046917a8 d63f0200 blr xip0

0:000:ARM64EC> .effmach AMD64
Effective machine: x64 (AMD64)

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -