How to use 'kb = baseptr'

I am analyzing a crash dump in which a third party filter driver is layered
above mine. Because I do not have symbols for that driver, Windbg gets
confused when reconstructing the stack. Using ‘dds’ I was able to find a
portion of the stack with identifiable calls into my driver.

I am trying to use ‘kb = baseptr’ to dump from that location, but so far
without success. Here is the stack frame:

bdb470c4 8045bda5 bdb47120 860a4698 00000462 nt!KiTrap08+0x41
bdb46210 8045f8b0 bdb469e4 8045f8b0 00000000 nt!RtlUnwind+0x9
bdb46238 8045fdbf bdb469e4 bdb4625c bdb469ec nt!_global_unwind2+0x18
bdb4625c 8046a96a bdb46318 bdb469e4 bdb46368 nt!_except_handler3+0x5f
bdb46280 8045bcd8 bdb46318 bdb469e4 bdb46368 nt!ExecuteHandler+0x26
bdb46308 8046a919 bdb46318 bdb46368 c00000d8 nt!RtlDispatchException+0x76
bdb4663c bfe888fd c00000d8 86eda168 86f04454 nt!ExRaiseStatus+0xb5
bdb4664c bfed8f9f 86eda168 c00000d8 00000000 Ntfs!NtfsRaiseStatus+0x65
bdb46954 bfea2855 86eda168 86f042e8 bdb469b4 Ntfs!NtfsCommonCreate+0x489
bdb469f4 8041d915 8776e360 86f042e8 86f04470 Ntfs!NtfsFsdCreate+0x157
bdb46a08 f6a98ab1 86f04470 86f04494 86f042e8 nt!IopfCallDriver+0x35
WARNING: Stack unwind information not available. Following frames may be
bdb46a40 f6a98f15 8776af98 86f042e8 00000cab myfilter+0xab1
bdb46ad0 8041d915 8776aee0 86f042e8 be24be5c myfilter+0xf15
bdb46ae4 be24225a 00000000 bdb46b40 00000000 nt!IopfCallDriver+0x35
bdb46b0c be244e6b 8776aee0 87078cc0 bdb46b40 SYMEVENT+0x125a
8707d630 8707a728 07095000 00000000 00000000
8707d630 8707a728 07095000 00000000 00000000 0x8707a728
be241708 be244d94 be244d99 be242bcf be242bcf 0x8707a728
be244c44 000000aa 082444f6 56077401 ffd020e8

Here is a portion of my dds dump, where my filter is calling

bdb470a0 bdb47120
bdb470a4 00000040
bdb470a8 00000000
bdb470ac 00000000
bdb470b0 8046bae7 nt!ExAllocatePoolWithTag+0x5a7
bdb470b4 33334844 // Tag
bdb470b8 00000980 // Size
bdb470bc 00000000 // Pool type
bdb470c0 bdb470f0
bdb470c4 f6835ce1 myfilter+0x5ce1
bdb470c8 bdb470e8
bdb470cc bdb47120
bdb470d0 860a4698
bdb470d4 00000462

However, ‘kb = bdb470ac’ does not seem to help Windbg get re-oriented to
the new stack location. Any suggestions on how to manually get a sensible
stack when you don’t have symbols for all the drivers?
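As an added illustration (this is not code from the original post), here is a small Python helper that parses a `dds` listing in the shape shown above and picks out candidate x86 frames for the `k = BasePtr StackPtr InstructionPtr` form of the stack command. The frame-selection rule is an assumption stated in the code: a slot whose value resolves into the module of interest is treated as a return address, and the DWORD immediately below it is accepted as the saved EBP only if it points a short distance further up the stack, which is what a standard EBP-based frame looks like. The sample listing is constructed from the values in the post, and the function and variable names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `dds` output (address, value, optional
# symbol). Values are taken from the listing in the post; not a live capture.
SAMPLE_DDS = """\
bdb470a0 bdb47120
bdb470a4 00000040
bdb470a8 00000000
bdb470ac 00000000
bdb470b0 8046bae7 nt!ExAllocatePoolWithTag+0x5a7
bdb470b4 33334844
bdb470b8 00000980
bdb470bc 00000000
bdb470c0 bdb470f0
bdb470c4 f6835ce1 myfilter+0x5ce1
bdb470c8 bdb470e8
bdb470cc bdb47120
bdb470d0 860a4698
bdb470d4 00000462
"""

# 32-bit address, 32-bit value, optional symbol text (anything after the value).
DDS_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?")


@dataclass
class Slot:
    address: int
    value: int
    symbol: Optional[str]


@dataclass
class Frame:
    ebp: int      # EBP as it is in the module right after the callee returns
    esp: int      # ESP at that same point (just above the return-address slot)
    eip: int      # the return address into the module
    symbol: str   # the symbol text WinDbg printed for that return address


def parse_dds(text: str) -> List[Slot]:
    """Turn `dds` output into Slot records; lines that do not match are skipped."""
    slots = []
    for line in text.splitlines():
        m = DDS_LINE.match(line)
        if m:
            slots.append(Slot(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return slots


def module_of(symbol: str) -> str:
    """'nt!ExAllocatePoolWithTag+0x5a7' -> 'nt'; 'myfilter+0x5ce1' -> 'myfilter'."""
    return symbol.split("!", 1)[0].split("+", 1)[0]


def find_frames(slots: List[Slot], module: str, max_frame: int = 0x10000) -> List[Frame]:
    """Heuristic (assumption, not a WinDbg rule): a slot resolving into `module`
    is a return address, and the DWORD 4 bytes below it is the saved EBP only if
    it points further up the stack, within `max_frame` bytes. This assumes the
    module uses standard EBP frames (no FPO); frames without them are missed."""
    by_addr = {s.address: s for s in slots}
    frames = []
    for s in slots:
        if not s.symbol or module_of(s.symbol).lower() != module.lower():
            continue
        saved_ebp = by_addr.get(s.address - 4)
        if saved_ebp is None:
            continue
        if not (s.address < saved_ebp.value <= s.address + max_frame):
            continue
        frames.append(Frame(ebp=saved_ebp.value, esp=s.address + 4,
                            eip=s.value, symbol=s.symbol))
    return frames


def k_command(frame: Frame) -> str:
    """Render the WinDbg stack command for this frame state."""
    return f"kb = {frame.ebp:08x} {frame.esp:08x} {frame.eip:08x}"


if __name__ == "__main__":
    for f in find_frames(parse_dds(SAMPLE_DDS), "myfilter"):
        print(f"{f.symbol}: {k_command(f)}")
```

Paste the real `dds` output into a file and feed it to `parse_dds` in place of the constructed sample; each candidate it prints is one `kb =` command to try, and a candidate whose walk produces a sensible chain of `nt!IopfCallDriver` and filter frames is the one to keep. The saved-EBP check is the same thing one does by eye on the listing: the value four bytes below a return address should be a stack address slightly higher than the slot that holds it.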
