.ecxr
eax=7ffdd000
...
ntdll!DbgBreakPoint:
7c81a3e1 cc int 3
!analzye -v found the correct exception, but took very long time to run,
here is some kind of shortcut:
By reviewing stacks I've found kernel32!UnhandledExceptionFilter+xxx
00a7d4f4 01001623 00a7d79c 00000000 77ecb7c0 kernel32!UnhandledExceptionFilter+0x7c0 (FPO: [SEH])
00a7d510 7a09c0ff 00a7d79c 00a7d774 77e761b7 w3wp!WpUnhandledExceptionFilter+0x3d (FPO: [1,1,4])
00a7d51c 77e761b7 00a7d79c 00000000 00000000 mscorwks!InternalUnhandledExceptionFilter+0x16 (FPO: [1,0,0])
00a7d774 77e792a3 00a7d79c 77e61ac1 00a7d7a4 kernel32!UnhandledExceptionFilter+0x12a (FPO: [SEH])
00a7d77c 77e61ac1 00a7d7a4 00000000 00a7d7a4 kernel32!BaseThreadStart+0x4a (FPO: [SEH])
00a7d7a4 7c828772 00a7d888 00a7ffdc 00a7d8a4 kernel32!_except_handler3+0x61 (FPO: [Uses EBP] [3,0,7])
00a7d7c8 7c828743 00a7d888 00a7ffdc 00a7d8a4 ntdll!ExecuteHandler2+0x26
00a7d870 7c82857e 00a78000 00a7d8a4 00a7d888 ntdll!ExecuteHandler+0x24
00a7d870 005e7617 00a78000 00a7d8a4 00a7d888 ntdll!KiUserExceptionDispatcher+0xe (FPO: [2,0,0]) (CONTEXT @ 00a7d8a4)
00a7dc64 005e7240 006da4c8 00a7dd48 00a7dd48 my!code+0x117
....
Get exception record:
>.exr poi(00a7d79c)
ExceptionAddress: 005e7617 (my!code+0x00000117)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
Get exception context:
>.cxr poi(00a7d79c+4)
eax=00000000 ebx=00a7fd60 ecx=99fab407 edx=9f7c000d esi=00a7fd6c edi=00a7dc64
eip=005e7617 esp=00a7db70 ebp=00a7dc64 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
my!code+0x117:
005e7617 0fbe08 movsx ecx,byte ptr [eax] ds:0023:00000000=??
If original stack did not show your frames:
>kv = 00a7dc64
ChildEBP RetAddr Args to Child
00a7dc64 005e7240 006da4c8 00a7dd48 00a7dd48 my!code+0x117
00a7fd60 005e7e4a 006da4c8 00a7ff70 00000000 my!code1+0x70
00a7fe90 005e7b3a 00000000 00000000 00746538 my!code2+0x10a
Profit!
No comments:
Post a Comment