Simple Debugging problem

Hi

I opened notepad with windbg, put a breakpoint on SHELL32!ShellAboutW and clicked the About menu; windbg worked fine.

But when I put a breakpoint on notepad!_imp__ShellAboutW and hit the About menu I get this:

(7e4.53c): Unknown exception - code c0000096 (first chance)
(7e4.53c): Unknown exception - code c0000096 (!!! second chance !!!)
eax=0096029d ebx=00000000 ecx=0000e160 edx=7c90eb94 esi=00000000 edi=00000041
eip=7ca5f8cc esp=0007fb3c ebp=0007fdbc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
SHELL32!`string'+0x1c:
7ca5f8cc 6d ins dword ptr es:[edi],dx es:0023:00000041=???

0:000> kv
ChildEBP RetAddr Args to Child
0007fdbc 01003927 000a01d6 00000041 00000000 SHELL32!`string'+0x1c
0007fde0 77d48709 000a01d6 00000111 00000041 notepad!NPWndProc+0x4fe (FPO: [4,2,0])
0007fe0c 77d487eb 01003429 000a01d6 00000111 USER32!InternalCallWinProc+0x28
0007fe74 77d489a5 00000000 01003429 000a01d6 USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
0007fed4 77d489e8 0007fefc 00000000 0007ff1c USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
0007fee4 01002a12 0007fefc 00000000 7c80b529 USER32!DispatchMessageW+0xf (FPO: [1,0,0])
0007ff1c 01007511 01000000 00000000 000a1ef6 notepad!WinMain+0xdc (FPO: [4,8,0])
0007ffc0 7c816d4f 00d2f6f2 00d2f73a 7ffdf000 notepad!WinMainCRTStartup+0x174 (FPO: [Non-Fpo])
0007fff0 00000000 0100739d 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

I am curious about the reason for this output.

Thanks

Because notepad!_imp__ShellAboutW is not actual code; instead it is a function pointer to the actual shell32!ShellAboutW.

0:000> dps notepad!_imp__ShellAboutW
0048137c 75dea129 SHELL32!ShellAboutW
00481380 00000000


xxxxx@gmail.com wrote:

I opened notepad with windbg, put a breakpoint on SHELL32!ShellAboutW and clicked the About menu; windbg worked fine.

But when I put a breakpoint on notepad!_imp__ShellAboutW and hit the About menu I get this:

(7e4.53c): Unknown exception - code c0000096 (first chance)
(7e4.53c): Unknown exception - code c0000096 (!!! second chance !!!)
eax=0096029d ebx=00000000 ecx=0000e160 edx=7c90eb94 esi=00000000 edi=00000041
eip=7ca5f8cc esp=0007fb3c ebp=0007fdbc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
SHELL32!`string'+0x1c:
7ca5f8cc 6d ins dword ptr es:[edi],dx es:0023:00000041=???

I am curious about the reason for this output.

Very simple. __imp__ShellAboutW is not a function. It is a data item
that contains the ADDRESS of a function. Jumps into a DLL are normally
done with an indirect jump. That way, the addresses that need to be
patched when a DLL loads are all gathered together, so the system
doesn’t have to patch instructions (hence invalidating pages) all over
the place.

Notice the bottom byte of the address in your dump? “cc” is the x86
breakpoint instruction. You replaced the low-order byte of the address
with “cc”, and so Notepad happily jumped into the middle of an instruction.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
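The mechanism Tim describes, as an added simulation that is not part of this thread: a software breakpoint is a one-byte 0xCC write, so applying it to the IAT slot (a pointer, not code) rewrites the low byte of the pointer, while applying it to the pointer's target (what WinDbg's `bp poi(notepad!_imp__ShellAboutW)` does) patches the function's first byte and leaves the pointer intact. The addresses are the ones from the `dps` output above; the flat memory model is constructed for the example.

```python
import struct

INT3 = 0xCC  # x86 software-breakpoint opcode that 'bp' writes into memory

class Memory:
    """Flat little-endian memory model (constructed stand-in for the notepad process)."""
    def __init__(self):
        self.cells = {}
    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b
    def read(self, addr, n):
        return bytes(self.cells.get(addr + i, 0) for i in range(n))
    def read_ptr(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

IAT_ENTRY = 0x0048137c      # notepad!_imp__ShellAboutW, as shown by 'dps' above
SHELL_ABOUT_W = 0x75dea129  # SHELL32!ShellAboutW on that machine

def fresh_process():
    """Process image with the import slot already patched by the loader."""
    mem = Memory()
    mem.write(IAT_ENTRY, struct.pack("<I", SHELL_ABOUT_W))
    return mem

def software_breakpoint(mem, addr):
    """What 'bp <addr>' does: replace the first byte at addr with int3, keep the original."""
    saved = mem.read(addr, 1)
    mem.write(addr, bytes([INT3]))
    return saved

def call_through_import(mem):
    """Emulate 'call dword ptr [__imp__ShellAboutW]': load the slot and return the target."""
    return mem.read_ptr(IAT_ENTRY)

def bp_on_iat_entry():
    """The poster's breakpoint: int3 lands in the pointer's low byte, so the call is misdirected."""
    mem = fresh_process()
    software_breakpoint(mem, IAT_ENTRY)
    return call_through_import(mem)

def bp_on_target():
    """'bp poi(notepad!_imp__ShellAboutW)': int3 lands on the function's first byte instead."""
    mem = fresh_process()
    software_breakpoint(mem, call_through_import(mem))
    return call_through_import(mem), mem.read(SHELL_ABOUT_W, 1)
```

`bp_on_iat_entry()` yields 0x75dea1cc, an address 0xa3 bytes past the real entry point, which is exactly the "jumped into the middle of an instruction" the crash shows; `bp_on_target()` keeps the pointer at 0x75dea129 and puts the int3 where the debugger can actually catch it.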

Thanks.