For hardware-generated exceptions (such as access violations), look for ntdll!KiUserExceptionDispatcher on the stack: it takes a PEXCEPTION_RECORD and a PCONTEXT as arguments, so both the exception record and the register context at the time of the fault can be recovered from its frame.
Stack Trace:
0021e9fc 77db5f79 fffffffe 0021f878 0021eb04 ntdll!_except_handler4+0x8e
0021ea20 77db5f4b 0021eae8 0021f878 0021eb04 ntdll!ExecuteHandler2+0x26
0021ead0 77db5dd7 0121eae8 0021eb04 0021eae8 ntdll!ExecuteHandler+0x24
0021ead0 77d8e13d 0121eae8 0021eb04 0021eae8 ntdll!KiUserExceptionDispatcher+0xf
0021ee20 77d8e04d 00000000 00000000 00000001 ntdll!RtlpWaitOnCriticalSection+0xc5
0:000> .exr 0x21eae8
ExceptionAddress: 77d8e13d (ntdll!RtlpWaitOnCriticalSection+0x000000c5)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000014
Attempt to write to address 00000014
0:000> .cxr 0x21eb04
eax=00000000 ebx=fffffffc ecx=00000000 edx=00000004 esi=737b19a0 edi=737b19a4
eip=77d8e13d esp=0021edd0 ebp=0021ee20 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
ntdll!RtlpWaitOnCriticalSection+0xc5:
77d8e13d 83401401 add dword ptr [eax+14h],1 ds:0023:00000014=????????
0:000> dt -r1 0x21eb04 CONTEXT
ntdll!CONTEXT
+0x000 ContextFlags : 0x1003f
+0x004 Dr0 : 0
+0x008 Dr1 : 0
+0x00c Dr2 : 0
+0x010 Dr3 : 0
+0x014 Dr6 : 0
+0x018 Dr7 : 0
+0x01c FloatSave : _FLOATING_SAVE_AREA
+0x000 ControlWord : 0xffff027f
+0x004 StatusWord : 0xffff0000
+0x008 TagWord : 0xffffffff
+0x00c ErrorOffset : 0
+0x010 ErrorSelector : 0
+0x014 DataOffset : 0
+0x018 DataSelector : 0xffff0000
+0x01c RegisterArea : [80] ""
+0x06c Cr0NpxState : 0
+0x08c SegGs : 0
+0x090 SegFs : 0x3b
+0x094 SegEs : 0x23
+0x098 SegDs : 0x23
+0x09c Edi : 0x737b19a4
+0x0a0 Esi : 0x737b19a0
+0x0a4 Ebx : 0xfffffffc
+0x0a8 Edx : 4
+0x0ac Ecx : 0
+0x0b0 Eax : 0
+0x0b4 Ebp : 0x21ee20
+0x0b8 Eip : 0x77d8e13d
+0x0bc SegCs : 0x1b
+0x0c0 EFlags : 0x10213
+0x0c4 Esp : 0x21edd0
+0x0c8 SegSs : 0x23
+0x0cc ExtendedRegisters : [512] "???"
0:000> dt -r1 0x21eae8 EXCEPTION_RECORD
ntdll!EXCEPTION_RECORD
+0x000 ExceptionCode : 0xc0000005
+0x004 ExceptionFlags : 0
+0x008 ExceptionRecord : (null)
+0x00c ExceptionAddress : 0x77d8e13d
+0x010 NumberParameters : 2
+0x014 ExceptionInformation : [15] 1
0:000> !error 0xc0000005
Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
You can see that the exception code is 0xc0000005, which is an access violation.
So whenever you find KiUserExceptionDispatcher() in the call stack, you can locate the EXCEPTION_RECORD and CONTEXT structures it was given (here at 0x21eae8 and 0x21eb04, the addresses visible among the frame arguments in the stack trace and passed to .exr and .cxr above) and read the exception code, the faulting address and the register state from them.
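As an added example (not part of the original post): a small Python triage helper that parses the .exr and .cxr output shown above (the sample text is copied from that transcript), names the NTSTATUS code, decodes the access-violation parameters (ExceptionInformation[0] is 0 for read, 1 for write, 8 for a DEP execute fault) and checks that the CONTEXT's Eip equals the record's ExceptionAddress, which is how you confirm you picked the matching pair of structures rather than a stale one.

```python
import re
# Constructed sample input: the .exr and .cxr output from the WinDbg session above.
EXR_OUTPUT = """\
ExceptionAddress: 77d8e13d (ntdll!RtlpWaitOnCriticalSection+0x000000c5)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000014
"""
CXR_OUTPUT = """\
eax=00000000 ebx=fffffffc ecx=00000000 edx=00000004 esi=737b19a0 edi=737b19a4
eip=77d8e13d esp=0021edd0 ebp=0021ee20 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
"""
# NTSTATUS exception codes commonly seen in crash dumps.
STATUS_NAMES = {0x80000003: "STATUS_BREAKPOINT", 0xC0000005: "STATUS_ACCESS_VIOLATION",
                0xC000001D: "STATUS_ILLEGAL_INSTRUCTION", 0xC00000FD: "STATUS_STACK_OVERFLOW"}
# ExceptionInformation[0] of an access violation: 0 = read, 1 = write, 8 = execute (DEP).
AV_KIND = {0: "read from", 1: "write to", 8: "execute"}

def parse_exr(text):
    """Turn '.exr' output into a dict of int fields plus the parameter list."""
    rec = {"params": []}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)(\[\d+\])?:\s*([0-9a-fA-F]+)", line)
        if m and m.group(1) == "Parameter":
            rec["params"].append(int(m.group(3), 16))
        elif m:
            rec[m.group(1)] = int(m.group(3), 16)
    return rec

def parse_cxr(text):
    """Pull the 32-bit general registers out of '.cxr' output (also works for 'r')."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b([a-z]{3})=([0-9a-fA-F]{8})\b", text)}

def describe(rec, ctx):
    """Return a one-line triage summary and whether the CONTEXT matches the record."""
    code = rec["ExceptionCode"]
    text = f"{STATUS_NAMES.get(code, 'unknown NTSTATUS')} (0x{code:08x}) at 0x{rec['ExceptionAddress']:08x}"
    if code == 0xC0000005 and len(rec["params"]) >= 2:
        kind = AV_KIND.get(rec["params"][0], f"access kind {rec['params'][0]} on")
        text += f": attempt to {kind} address 0x{rec['params'][1]:08x}"
    # The CONTEXT next to the record must describe the faulting instruction: Eip == ExceptionAddress.
    return text, ctx.get("eip") == rec["ExceptionAddress"]

if __name__ == "__main__":
    summary, consistent = describe(parse_exr(EXR_OUTPUT), parse_cxr(CXR_OUTPUT))
    print(summary, "| CONTEXT.Eip matches ExceptionAddress:", consistent)
```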
References: Debugger tricks: Find all probable CONTEXT records in a crash dump