Hi All,
I am doing dump analysis, and I am not able to get the assembly code of a frame in the call stack (jccatch+0x53f3). But the lml command shows that the particular module (jccatch.dll) has been loaded into memory.
Call stack:
0:029> k20
ChildEBP RetAddr
1028d468 76500962 ntdll!NtWaitForMultipleObjects+0x15
1028d504 7631162d KERNELBASE!WaitForMultipleObjectsEx+0x100
1028d54c 76311921 kernel32!WaitForMultipleObjectsExImplementation+0xe0
1028d568 76339b0d kernel32!WaitForMultipleObjects+0x18
1028d5d4 76339baa kernel32!WerpReportFaultInternal+0x186
1028d5e8 763398d8 kernel32!WerpReportFault+0x70
1028d5f8 76339855 kernel32!BasepReportFault+0x20
1028d684 77ef0727 kernel32!UnhandledExceptionFilter+0x1af
1028d68c 77ef0604 ntdll!__RtlUserThreadStart+0x62
1028d6a0 77ef04a9 ntdll!_EH4_CallFilterFunc+0x12
1028d6c8 77ed87b9 ntdll!_except_handler4+0x8e
1028d6ec 77ed878b ntdll!ExecuteHandler2+0x26
1028d79c 77e9010f ntdll!ExecuteHandler+0x24
1028d79c 77eae23e ntdll!KiUserExceptionDispatcher+0xf
1028db20 77eadea3 ntdll!RtlpLowFragHeapFree+0x31
1028db38 760c98cd ntdll!RtlFreeHeap+0x105
1028db84 02a61e70 msvcrt!free+0xcd
WARNING: Stack unwind information not available. Following frames may be wrong.
1028dde4 77a03ec3 jccatch+0x1e70
1028de00 77a03d3d oleaut32!DispCallFunc+0x165
1028de90 02a653f3 oleaut32!CTypeInfo2::Invoke+0x23f
1028deb8 684d371b jccatch+0x53f3
1028def4 6bec04a2 vbscript!IDispatchInvoke2+0xb2
0:029> u jccatch+0x53f3
jccatch+0x53f3:
02a653f3 ?? ???
^ Memory access error in ‘u jccatch+0x53f3’
0:029> lml
start end module name
02a60000 02a77000 jccatch T (no symbols)
684d0000 6853b000 vbscript (pdb symbols) d:\symbols\mssymbols\vbscript.pdb\570BDFC793084685825B86E2ED6B01492\vbscript.pdb
6bea0000 6bf5a000 Scxpx86 (private pdb symbols) d:\symbols\symsymbols\Scxpx86.pdb\1A12E262435D4F49A91C1C1F25482C6A1\Scxpx86.pdb
760c0000 7616c000 msvcrt (pdb symbols) d:\symbols\mssymbols\msvcrt.pdb\6EC79267530C45188F2A816AD59DBBF92\msvcrt.pdb
76300000 76400000 kernel32 (pdb symbols) d:\symbols\mssymbols\wkernel32.pdb\247C9009E69B43AB95E8DDA34622320A2\wkernel32.pdb
764f0000 76536000 KERNELBASE (pdb symbols) d:\symbols\mssymbols\wkernelbase.pdb\74D5C6E200BD410780AD91A62D03C8CA1\wkernelbase.pdb
779f0000 77a7f000 oleaut32 (pdb symbols) d:\symbols\mssymbols\oleaut32.pdb\204621952AB4418390863F295E593B882\oleaut32.pdb
77e80000 78000000 ntdll (pdb symbols) d:\symbols\mssymbols\wntdll.pdb\E9D10FA3EB884A23A5854E04FB7E2F0C2\wntdll.pdb
My question is: why am I able to get the assembly code even though the jccatch module is loaded?
My guess is that the dump you are analyzing doesn’t actually
contain the pages from jccatch.dll. Depending on how the dump
was taken, you may not have much of the non-stack memory in the
dump.
You’ll probably need a full-memory dump or a copy of the jccatch.dll
to get what you’re looking for.
Thanks,
Joseph
WINDBG is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Thanks Joseph.
We are taking dumps using the .dump /mf command, which would create a dump with all committed pages in the process.
Is there any way to find out whether the dump contains the pages of a particular module?
Can you unassemble the other modules on the stack or is it just this one?
The /ma option of .dump is better than /mf.
From the stack trace my first instinct is heap corruption so you’ll probably
need to enable page heap
http://technet.microsoft.com/en-us/library/cc738435(WS.10).aspx with gflags
and wait for another dump in any case.
Thomas
On Wed, Dec 16, 2009 at 7:40 AM, wrote:
> is there any way to find whether dump contains the page of a particular
> module?
xxxxx@gmail.com wrote:
is there any way to find whether dump contains the page of a particular module?
Are you able to dump any of the user-mode routines in the stack? It’s
possible that jccatch has been unloaded.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
>> Can you unassemble the other modules on the stack or is it just this one?
I am able to unassemble other modules in this stack.
>> Are you able to dump any of the user-mode routines in the stack? It’s
>> possible that jccatch has been unloaded.
I am able to dump other modules in the stack.
>> It’s possible that jccatch has been unloaded.
The lml command shows the jccatch module in the loaded module list.
0:029> lml
start end module name
02a60000 02a77000 jccatch T (no symbols)
684d0000 6853b000 vbscript (pdb symbols) d:\symbols\mssymbols\vbscript.pdb\570BDFC793084685825B86E2ED6B01492\vbscript.pdb
6bea0000 6bf5a000 Scxpx86 (private pdb symbols) d:\symbols\symsymbols\Scxpx86.pdb\1A12E262435D4F49A91C1C1F25482C6A1\Scxpx86.pdb
760c0000 7616c000 msvcrt (pdb symbols) d:\symbols\mssymbols\msvcrt.pdb\6EC79267530C45188F2A816AD59DBBF92\msvcrt.pdb
76300000 76400000 kernel32 (pdb symbols) d:\symbols\mssymbols\wkernel32.pdb\247C9009E69B43AB95E8DDA34622320A2\wkernel32.pdb
764f0000 76536000 KERNELBASE (pdb symbols) d:\symbols\mssymbols\wkernelbase.pdb\74D5C6E200BD410780AD91A62D03C8CA1\wkernelbase.pdb
779f0000 77a7f000 oleaut32 (pdb symbols) d:\symbols\mssymbols\oleaut32.pdb\204621952AB4418390863F295E593B882\oleaut32.pdb
77e80000 78000000 ntdll (pdb symbols) d:\symbols\mssymbols\wntdll.pdb\E9D10FA3EB884A23A5854E04FB7E2F0C2\wntdll.pdb
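
The question raised in this thread, whether a dump contains the pages of a particular module, can also be checked outside the debugger by reading the memory-range streams of the minidump file. The Python below is an added example and not part of any post in the thread; the function names and the sample dump are constructed for illustration, and the jccatch range is the one shown in the lml output.

```python
import struct

MEMORY_LIST, MEMORY64_LIST = 5, 9   # MINIDUMP_STREAM_TYPE values

def captured_ranges(dump: bytes):
    """Return sorted (start, size) pairs for every memory range stored in a minidump."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", dump, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    ranges = []
    for i in range(nstreams):
        # MINIDUMP_DIRECTORY entry: StreamType, DataSize, Rva (12 bytes)
        stype, _size, rva = struct.unpack_from("<III", dump, dir_rva + 12 * i)
        if stype == MEMORY64_LIST:      # used by full-memory dumps
            count, _base = struct.unpack_from("<QQ", dump, rva)
            for j in range(count):      # descriptor: StartOfMemoryRange, DataSize
                ranges.append(struct.unpack_from("<QQ", dump, rva + 16 + 16 * j))
        elif stype == MEMORY_LIST:      # used by small dumps
            (count,) = struct.unpack_from("<I", dump, rva)
            for j in range(count):      # descriptor: start, DataSize, Rva
                start, size, _rva = struct.unpack_from("<QII", dump, rva + 4 + 16 * j)
                ranges.append((start, size))
    return sorted(ranges)

def missing_pages(dump: bytes, start: int, end: int, page=0x1000):
    """Page addresses in [start, end) that no stored memory range covers."""
    ranges = captured_ranges(dump)
    return [p for p in range(start, end, page)
            if not any(s <= p < s + n for s, n in ranges)]

def build_sample_dump(ranges):
    """Constructed input: header, one directory entry and a Memory64List (no page data)."""
    body = struct.pack("<QQ", len(ranges), 0)
    for s, n in ranges:
        body += struct.pack("<QQ", s, n)
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 1, 32, 0, 0, 0)
    directory = struct.pack("<III", MEMORY64_LIST, len(body), 44)
    return header + directory + body

if __name__ == "__main__":
    # Constructed dump: holds a stack region and msvcrt, nothing in jccatch's range
    sample = build_sample_dump([(0x1028d000, 0x3000), (0x760c0000, 0xac000)])
    gaps = missing_pages(sample, 0x02a60000, 0x02a77000)
    print(f"jccatch: {len(gaps)} of {0x17000 // 0x1000} pages absent from the dump")
```

For a real dump, pass the file's bytes and the start and end addresses that lml reports for the module.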