Process Reflection Debugging

I have a dump with the following stack:
0:000> k
ChildEBP RetAddr
0cbdf3bc 7700c752 ntdll!NtWaitForMultipleObjects+0xc
0cbdf540 773d56c0 KERNELBASE!WaitForMultipleObjectsEx+0x10b
0cbdf5b4 773d586a kernel32!WerpReportFaultInternal+0x1c4
0cbdf5c8 773a7828 kernel32!WerpReportFault+0x6d
0cbdf5d4 770907c4 kernel32!BasepReportFault+0x19
0cbdf670 77adc11c KERNELBASE!UnhandledExceptionFilter+0x1f1
0cbdf678 77aa3334 ntdll!__RtlUserThreadStart+0x57
0cbdf68c 77b41fd7 ntdll!_EH4_CallFilterFunc+0x12
0cbdf6b4 77b43612 ntdll!_except_handler4_common+0x8e
0cbdf6d4 77aa30f1 ntdll!_except_handler4+0x20
0cbdf6f8 77aa30c3 ntdll!ExecuteHandler2+0x26
0cbdf7c0 77aa2f2b ntdll!ExecuteHandler+0x24
0cbdf7c0 77b0165c ntdll!KiUserExceptionDispatcher+0xf
0cbdfcf8 77398543 ntdll!RtlpProcessReflectionStartup+0x230
0cbdfd04 77abac69 kernel32!BaseThreadInitThunk+0xe
0cbdfd48 77abac3c ntdll!__RtlUserThreadStart+0x72
0cbdfd60 00000000 ntdll!_RtlUserThreadStart+0x1b

Does anyone know how to analyze a process reflection dump?
Thanks in advance.
O.M.

0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

FAULTING_IP:
ntdll!RtlpProcessReflectionStartup+230
77b0165c 897e1c mov dword ptr [esi+1Ch],edi

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77b0165c (ntdll!RtlpProcessReflectionStartup+0x00000230)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0ca9001c
Attempt to write to address 0ca9001c

DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE

PROCESS_NAME: chrome.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 0ca9001c

WRITE_ADDRESS: 0ca9001c

FOLLOWUP_IP:
ntdll!RtlpProcessReflectionStartup+230
77b0165c 897e1c mov dword ptr [esi+1Ch],edi

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

APP: chrome.exe

FAULTING_THREAD: 00000ee8

PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER: from 77398543 to 77b0165c

STACK_TEXT:
0cbdfcf8 77398543 0ca90000 0cbdfd48 77abac69 ntdll!RtlpProcessReflectionStartup+0x230
0cbdfd04 77abac69 0ca90000 2e2dd9be 00000000 kernel32!BaseThreadInitThunk+0xe
0cbdfd48 77abac3c 77b0142c 0ca90000 ffffffff ntdll!__RtlUserThreadStart+0x72
0cbdfd60 00000000 77b0142c 0ca90000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: ntdll!RtlpProcessReflectionStartup+230

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ntdll

IMAGE_NAME: ntdll.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 5010ae7a

FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_ntdll.dll!RtlpProcessReflectionStartup

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ntdll!RtlpProcessReflectionStartup+230

Followup: MachineOwner

0:000> .dumpdebug
----- User Mini Dump Analysis

MINIDUMP_HEADER:
Version A793 (62F0)
NumberOfStreams 14
Flags 51B25
0001 MiniDumpWithDataSegs
0004 MiniDumpWithHandleData
0020 MiniDumpWithUnloadedModules
0100 MiniDumpWithProcessThreadData
0200 MiniDumpWithPrivateReadWriteMemory
0800 MiniDumpWithFullMemoryInfo
1000 MiniDumpWithThreadInfo
10000 MiniDumpWithPrivateWriteCopyMemory
40000 MiniDumpWithTokenInformation

Streams:
Stream 0: type ThreadListStream (3), size 00000034, RVA 000004E8
1 threads
RVA 000004EC, ID EE8, Teb:000000007EB01000
Stream 1: type ThreadInfoListStream (17), size 0000004C, RVA 0000051C
RVA 00000528, ID EE8
Stream 2: type ModuleListStream (4), size 00001D8C, RVA 00000568
70 modules
RVA 0000056C, 00da0000 - 00ed7000: ‘C:\Program Files (x86)\Google\Chrome\Application\chrome.exe’, 8140
RVA 000005D8, 77a60000 - 77bb7000: ‘C:\Windows\System32\ntdll.dll’, 140
RVA 00000644, 77370000 - 774a0000: ‘C:\Windows\System32\kernel32.dll’, 140
RVA 000006B0, 77000000 - 770a6000: ‘C:\Windows\System32\KERNELBASE.dll’, 140
RVA 00000788, 76670000 - 766b0000: ‘C:\Windows\System32\shlwapi.dll’, 140
RVA 000007F4, 766b0000 - 767c6000: ‘C:\Windows\System32\user32.dll’, 140
RVA 00000860, 74fa0000 - 74fbb000: ‘C:\Windows\System32\userenv.dll’, 1c0
RVA 000008CC, 74f90000 - 74f9e000: ‘C:\Windows\System32\wtsapi32.dll’, 140
RVA 00000938, 74e60000 - 74e68000: ‘C:\Windows\System32\version.dll’, 140
RVA 000009A4, 74920000 - 74941000: ‘C:\Windows\System32\winmm.dll’, 140
RVA 00000A10, 75280000 - 7532e000: ‘C:\Windows\System32\advapi32.dll’, 140
RVA 00000A7C, 76ba0000 - 76c51000: ‘C:\Windows\System32\msvcrt.dll’, 140
RVA 00000AE8, 76570000 - 7666d000: ‘C:\Windows\System32\gdi32.dll’, 140
RVA 00000B54, 75330000 - 753dc000: ‘C:\Windows\System32\rpcrt4.dll’, 140
RVA 00000BC0, 74e40000 - 74e51000: ‘C:\Windows\System32\profapi.dll’, 140
RVA 00000C2C, 748f0000 - 7491a000: ‘C:\Windows\System32\WINMMBASE.dll’, 140
RVA 00000C98, 77590000 - 775c4000: ‘C:\Windows\System32\sechost.dll’, 140
RVA 00000D04, 750f0000 - 7510c000: ‘C:\Windows\System32\sspicli.dll’, 140
RVA 00000D70, 750e0000 - 750e9000: ‘C:\Windows\System32\CRYPTBASE.dll’, 140
RVA 00000DDC, 75080000 - 750d1000: ‘C:\Windows\System32\bcryptPrimitives.dll’, 1c0
RVA 00000E48, 76cf0000 - 76d10000: ‘C:\Windows\System32\imm32.dll’, 140
RVA 00000EB4, 774b0000 - 7758c000: ‘C:\Windows\System32\msctf.dll’, 140
RVA 00000F20, 754a0000 - 76566000: ‘C:\Windows\System32\shell32.dll’, 140
RVA 00000F8C, 76ec0000 - 76ff6000: ‘C:\Windows\System32\combase.dll’, 140
RVA 00000FF8, 74dc0000 - 74e35000: ‘C:\Windows\System32\SHCore.dll’, 140
RVA 00001064, 684d0000 - 6acec000: ‘C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.64\chrome.dll’, 140
RVA 000010D0, 776c0000 - 77703000: ‘C:\Windows\System32\wintrust.dll’, 140
RVA 0000113C, 70910000 - 70924000: ‘C:\Windows\System32\usp10.dll’, 540
RVA 000011A8, 776b0000 - 776b6000: ‘C:\Windows\System32\psapi.dll’, 140
RVA 00001214, 74950000 - 749a0000: ‘C:\Windows\System32\oleacc.dll’, 140
RVA 00001280, 713c0000 - 715b7000: ‘C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_893961408605e985\comctl32.dll’, 140
RVA 000012EC, 71790000 - 71799000: ‘C:\Windows\System32\secur32.dll’, 140
RVA 00001358, 770b0000 - 771c9000: ‘C:\Windows\System32\ole32.dll’, 140
RVA 000013C4, 75410000 - 7549b000: ‘C:\Windows\System32\oleaut32.dll’, 140
RVA 00001430, 76850000 - 769d8000: ‘C:\Windows\System32\crypt32.dll’, 140
RVA 0000149C, 77770000 - 77782000: ‘C:\Windows\System32\msasn1.dll’, 140
RVA 00001508, 70bf0000 - 70d19000: ‘C:\Windows\System32\dbghelp.dll’, 140
RVA 00001574, 67b40000 - 684c1000: ‘C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.64\icudt.dll’, 540
RVA 000015E0, 71150000 - 71373000: ‘C:\ProgramData\Browser Manager\2.5.911.18{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\mngr.dll’, 140
RVA 0000164C, 753e0000 - 753f2000: ‘C:\Windows\System32\imagehlp.dll’, 140
RVA 000016B8, 74f00000 - 74f88000: ‘C:\Windows\System32\uxtheme.dll’, 140
RVA 00001724, 10000000 - 10039000: ‘C:\Program Files (x86)\Samsung\Settings\CmdServer\WinCRT.dll’, 0
RVA 00001790, 749d0000 - 74a30000: ‘C:\Windows\System32\winspool.drv’, 140
RVA 000017FC, 748d0000 - 748e9000: ‘C:\Windows\System32\dwmapi.dll’, 140
RVA 00001868, 03ad0000 - 03bbf000: ‘C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2013.2.0.18_0\npcoplgn.dll’, 100
RVA 00001A84, 77790000 - 777e0000: ‘C:\Windows\System32\ws2_32.dll’, 140
RVA 00001AF0, 77680000 - 77688000: ‘C:\Windows\System32\nsi.dll’, 140
RVA 00001CA0, 74e70000 - 74ef3000: ‘C:\Windows\System32\winhttp.dll’, 140
RVA 00001D0C, 75110000 - 75273000: ‘C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9200.16384_none_ba245425e0986353\GdiPlus.dll’, 140
RVA 00001DE4, 777e0000 - 77999000: ‘C:\Windows\System32\wininet.dll’, 140
RVA 00001E50, 771d0000 - 77370000: ‘C:\Windows\System32\iertutil.dll’, 140
RVA 00002288, 769e0000 - 76a69000: ‘C:\Windows\System32\comdlg32.dll’, 140
Stream 3: type UnloadedModuleListStream (14), size 0000003C, RVA 000022F4
2 unloaded modules
RVA 00002300, 74600000 - 74629000: ‘ccIPC.dll’
RVA 00002318, 72fe0000 - 73047000: ‘Srtsp32.dll’
Stream 4: type TokenInformationStream (19), size 00000280, RVA 00002330
1 Tokens
Token 3ec for 860
Stream 5: type MemoryListStream (5), size 00000A74, RVA 00005618
167 memory ranges
Total memory: b523c2
Stream 6: type MemoryInfoListStream (16), size 00008380, RVA 00B58582
Stream 7: type ExceptionStream (6), size 000000A8, RVA 00000440
ThreadID 3816
ExceptionCode C0000005
ExceptionRecord 0
ExceptionAddress 77b0165c
Context record RVA 427e, size 2cc
Stream 8: type SystemInfoStream (7), size 00000038, RVA 000000C8
ProcessorArchitecture 0000 (PROCESSOR_ARCHITECTURE_INTEL)
ProcessorLevel 0015
ProcessorRevision 1001
NumberOfProcessors 02
MajorVersion 00000006
MinorVersion 00000002
BuildNumber 000023F0 (9200)
PlatformId 00000002 (VER_PLATFORM_WIN32_NT)
CSDVersionRva 000025B0
Length: 0
Product: WinNt, suite: SingleUserTS Personal
Stream 9: type MiscInfoStream (15), size 00000340, RVA 00000100
Stream 10: type HandleDataStream (12), size 000000D8, RVA 00B584AA
5 descriptors, header size is 16, descriptor size is 40
Handle(0000000000000004,“Event”,“”)
Handle(0000000000000008,“Process”,“”)
Handle(000000000000000C,“Event”,“”)
Handle(0000000000000010,“Section”,“”)
Handle(0000000000000018,“Process”,“”)
Stream 11: type UnusedStream (0), size 00000000, RVA 00000000
Stream 12: type UnusedStream (0), size 00000000, RVA 00000000
Stream 13: type UnusedStream (0), size 00000000, RVA 00000000
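The .dumpdebug listing above is the debugger's rendering of the MINIDUMP_HEADER, the stream directory and the exception stream. As an added example (not code from the original post or from WinDbg), the following parser walks those same structures and decodes the Flags word and the exception record; the dump bytes it runs on are constructed inline from the values in this thread, so it runs offline.

```python
"""Minimal MINIDUMP header / directory / exception-stream parser.

Added example, not code from the thread or from WinDbg. The struct
layouts are the public ones from minidumpapiset.h; the sample dump bytes
built below are constructed here and populated with the values seen in
the .dumpdebug and !analyze output above.
"""
import struct

# MINIDUMP_TYPE flag bits that .dumpdebug printed for this dump, plus
# MiniDumpWithFullMemory so a full dump is recognised as well.
MINIDUMP_FLAGS = {
    0x00001: "MiniDumpWithDataSegs",
    0x00002: "MiniDumpWithFullMemory",
    0x00004: "MiniDumpWithHandleData",
    0x00020: "MiniDumpWithUnloadedModules",
    0x00100: "MiniDumpWithProcessThreadData",
    0x00200: "MiniDumpWithPrivateReadWriteMemory",
    0x00800: "MiniDumpWithFullMemoryInfo",
    0x01000: "MiniDumpWithThreadInfo",
    0x10000: "MiniDumpWithPrivateWriteCopyMemory",
    0x40000: "MiniDumpWithTokenInformation",
}

# MINIDUMP_STREAM_TYPE values that appear in the .dumpdebug listing.
STREAM_TYPES = {
    0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
    5: "MemoryListStream", 6: "ExceptionStream", 7: "SystemInfoStream",
    12: "HandleDataStream", 14: "UnloadedModuleListStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream",
    17: "ThreadInfoListStream", 19: "TokenStream",
}

HEADER = struct.Struct("<4sIIIIIQ")   # MINIDUMP_HEADER, 32 bytes
DIRECTORY = struct.Struct("<III")     # MINIDUMP_DIRECTORY, 12 bytes
# MINIDUMP_EXCEPTION_STREAM: ThreadId, pad, MINIDUMP_EXCEPTION (code, flags,
# record, address, nparams, pad, 15 x info), then the context descriptor.
EXCEPTION = struct.Struct("<IIIIQQII15QII")   # 168 bytes == size 0xA8 above


def decode_flags(flags):
    """Return the names of the set MINIDUMP_TYPE bits, lowest bit first."""
    names, bit = [], 1
    while bit <= flags:
        if flags & bit:
            names.append(MINIDUMP_FLAGS.get(bit, "0x%X" % bit))  # unknown bits stay visible
        bit <<= 1
    return names


def describe_access(exc):
    """!analyze-style one-liner: ExceptionInformation[0] is 0=read, 1=write."""
    kind = {0: "read from", 1: "write to"}.get(exc["params"][0], "access")
    return "Attempt to %s address %08x" % (kind, exc["params"][1])


def parse_minidump(data):
    """Parse header, stream directory and (if present) the exception stream."""
    sig, version, nstreams, dir_rva, _csum, _ts, flags = HEADER.unpack_from(data, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump (bad signature)")
    info = {
        "version": version & 0xFFFF,        # .dumpdebug prints the low word
        "impl_version": version >> 16,       # and the high word in parentheses
        "flag_names": decode_flags(flags),
        "streams": [],
        "exception": None,
    }
    for i in range(nstreams):
        stype, size, rva = DIRECTORY.unpack_from(data, dir_rva + i * DIRECTORY.size)
        info["streams"].append((STREAM_TYPES.get(stype, "Unknown(%d)" % stype), size, rva))
        if stype == 6:
            # Dumps are untrusted input: bounds-check before unpacking.
            if size < EXCEPTION.size or rva + size > len(data):
                raise ValueError("truncated exception stream")
            f = EXCEPTION.unpack_from(data, rva)
            info["exception"] = {
                "thread_id": f[0], "code": f[2], "address": f[5],
                "params": list(f[8:8 + f[6]]), "context_rva": f[24],
            }
    return info


def build_sample_dump():
    """Constructed two-stream minidump carrying the values from this thread."""
    exc = EXCEPTION.pack(
        0xEE8, 0,                       # FAULTING_THREAD 00000ee8 (3816)
        0xC0000005, 0, 0, 0x77B0165C,   # access violation at RtlpProcessReflectionStartup+0x230
        2, 0,                           # two parameters: write (1) to 0ca9001c
        *([1, 0x0CA9001C] + [0] * 13),
        0x2CC, 0x427E,                  # context record size / RVA as .dumpdebug printed
    )
    dir_rva = HEADER.size
    exc_rva = dir_rva + 2 * DIRECTORY.size
    directory = DIRECTORY.pack(6, len(exc), exc_rva) + DIRECTORY.pack(0, 0, 0)
    header = HEADER.pack(b"MDMP", (0x62F0 << 16) | 0xA793, 2, dir_rva, 0, 0, 0x51B25)
    return header + directory + exc


if __name__ == "__main__":
    result = parse_minidump(build_sample_dump())
    print("Version %04X (%04X)" % (result["version"], result["impl_version"]))
    print("\n".join(result["flag_names"]))
    for name, size, rva in result["streams"]:
        print("type %s, size %08X, RVA %08X" % (name, size, rva))
    print(describe_access(result["exception"]))
```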

Putting process reflection into Google

/search?xxxxxx&q=ntdll!Rtl+Process+Reflection+Startup&

Google returns this as its first hit

Process Reflection

At its core, Process Reflection is used to make a clone of an existing
process. This clone, also referred to as the reflected process,
contains a single thread and a copy of the original process' address
space. Mark Russinovich talks more about it here (31:00)

http://blogs.msdn.com/b/wer/archive/2010/08/16/xproc-application-hang-cabs-in-windows-7.aspx
http://channel9.msdn.com/shows/Going+Deep/Mark-Russinovich-Inside-Windows-7-Redux/

Have you been there?

On 12/15/12, xxxxx@gmail.com wrote:
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Hi Raj;
I did the same Google search and listened to Mark’s interview. While it gives great insight into this technique of producing a “reflection”, it does nothing more than state that “you can get valuable information” from these dumps. Well, if this is true it looks like this is so valuable that MSFT wants to keep it a secret, since it is not mentioned anywhere else.
What I’m looking for is some guideline about how to take this large BLOB of memory with no apparent state information (no threads, locks or handles) and figure out what the problem with the actual process was and why Windows decided to reflect it. Some KB article which tells you what to do when you find one of these beasts in the wild. I’d like to hear suggestions from anyone who has an idea.

Thanks,
O.M.

I think the article mentioned at the top of the link is what you might
want to look at for the why(s).

If one or more of the components are default system-provided services
(in one form or another), then it makes sense to have such reflection
(shadowing etc.).

If both of them are designed by developers (and only minimally use
the APIs provided by the libraries for IPC), then there are debugging
techniques available: basically, add information and infrastructure
within the program to nail down the region of code execution where
something possibly went wrong to make the hang occur in the first
place. I’ve done this to nail down a hang when I was using named-pipe
based IPC between 10 to 20 processes…

-pro

On Sat, Dec 15, 2012 at 5:35 PM, wrote: