Sporadic access violation in driver

to find something out of the blue you would need a bit of patience to
decipher what appears to be gibberish :)

anyway, i don't know if what i post makes any sense,

but tracing back edi in a known function isn't all that difficult

so it crashes here

ndis!NdisAllocateCloneNetBufferList+0x000000da

let's try disassembling the whole function

(win7 ent eval output)

you can use this one-liner to get a file that can always be opened
independently of windbg

it's a bit of cryptic old DOS usage; it simply calls a copy-file utility
to grab a locked file from the temp folder. don't ask me why i don't use the -o
outfile param, it didn't give me a date-linked folder name when i played
with it. maybe someone could simplify it and cut out all this dooz

aS resfol ".\scripts\hobocopy %tmp% .\scriptresults\%DATE:~6,4%%date:~3,2%%date:~0,2%_%TIME:~1,1%Hr%TIME:~3,2%Min%TIME:~6,2%Sec shl*.tmp"
.block
{
.shell -ci "uf /D ${$arg1}" ${resfol}
}
ad /q resfol

you get a file with control flow disassembly

F:\WINDBG\612WINDBG\SCRIPTRESULTS\2011_08_11_8HR51MIN11SEC
shl1.tmp

F:\windbg\612windbg\scriptresults\2011_08_11_8Hr51Min11Sec>grep -i "edx.*14" shl1.tmp
861eb948 8b5514 mov edx,dword ptr [ebp+14h]
861eba10 8b5714 mov edx,dword ptr [edi+14h]

F:\windbg\612windbg\scriptresults\2011_08_11_8Hr51Min11Sec>

so the line seems to be there

it takes a bit of time to look for patterns

if you backtrack the function,

looking for edi a bit above

ndis!NdisAllocateCloneNetBufferList+0xda:
861eba10 8b5714 mov edx,dword ptr [edi+14h]

you can see edi is set up by ebx

861eb9e3 8b7b10 mov edi,dword ptr [ebx+10h]

since it is ebx + 10 we can try assuming ebx is a pointer to a
structure ??? but which structure ??

so if you go back a bit you can see ebx is initialized here

861eb952 8b5d08 mov ebx,dword ptr [ebp+8]

so it is taking something from the stack that was passed in by the
earlier call's arguments

so this function takes 4 params

ndis!NdisAllocateCloneNetBufferList =

OffStart: 00004936
ProcSize: 0x28e
Prologue: 0x2b
Params: 0n4 (0x10 bytes)
Locals: 0n26 (0x68 bytes)
Non-FPO

let's google and see if we have a prototype

msdn has it

PNET_BUFFER_LIST NdisAllocateCloneNetBufferList(
    __in     PNET_BUFFER_LIST OriginalNetBufferList,
    __in_opt NDIS_HANDLE      NetBufferListPoolHandle,
    __in_opt NDIS_HANDLE      NetBufferPoolHandle,
    __in     ULONG            AllocateCloneFlags
);

so ebp+8 is PNET_BUFFER_LIST OriginalNetBufferList,

kd> dt ndis!_NET_BUFFER_LIST
+0x000 Next : Ptr32 _NET_BUFFER_LIST
+0x004 FirstNetBuffer : Ptr32 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x008 Context : Ptr32 _NET_BUFFER_LIST_CONTEXT
+0x00c ParentNetBufferList : Ptr32 _NET_BUFFER_LIST
+0x010 NdisPoolHandle : Ptr32 Void
+0x018 NdisReserved : [2] Ptr32 Void
+0x020 ProtocolReserved : [4] Ptr32 Void
+0x030 MiniportReserved : [2] Ptr32 Void
+0x038 Scratch : Ptr32 Void
+0x03c SourceHandle : Ptr32 Void
+0x040 NblFlags : Uint4B
+0x044 ChildRefCount : Int4B
+0x048 Flags : Uint4B
+0x04c Status : Int4B
+0x050 NetBufferListInfo : [19] Ptr32 Void

ndis!NdisAllocateCloneNetBufferList+0x98:
861eb9ce 8b5b04 mov ebx,dword ptr [ebx+4]

ebx+4 should be

kd> dt ndis!_NET_BUFFER_LIST FirstNetBuffer->*
+0x004 FirstNetBuffer :
+0x000 Next : Ptr32 _NET_BUFFER
+0x004 CurrentMdl : Ptr32 _MDL
+0x008 CurrentMdlOffset : Uint4B
+0x00c DataLength : Uint4B
+0x00c stDataLength : Uint4B
+0x010 MdlChain : Ptr32 _MDL
+0x014 DataOffset : Uint4B
+0x000 Link : _SLIST_HEADER
+0x018 ChecksumBias : Uint2B
+0x01a Reserved : Uint2B
+0x01c NdisPoolHandle : Ptr32 Void
+0x020 NdisReserved : [2] Ptr32 Void
+0x028 ProtocolReserved : [6] Ptr32 Void
+0x040 MiniportReserved : [4] Ptr32 Void
+0x050 DataPhysicalAddress : _LARGE_INTEGER
+0x058 SharedMemoryInfo : Ptr32 _NET_BUFFER_SHARED_MEMORY
+0x058 ScatterGatherList : Ptr32 _SCATTER_GATHER_LIST

861eb9e3 8b7b10 mov edi,dword ptr [ebx+10h]

so edi should probably hold a pointer to

+0x010 MdlChain : Ptr32 _MDL

the mdl pointer is corrupt in this crash

btw, if you can't find patterns in the txt file you can use IdaFree 5.0 to
generate a graph. you would need to dump the bytes of this function,
load the raw bytes as a bin file in metapc, disassemble as 32 bit, set up the
entry point and then create a function

you can use this script to dump the bytes
(dumping like this should normally be safe if uf worked;

if uf borked earlier then the function isn't contiguous, so dumping and ida
may not give correct results)

here is the one-liner to dump the function bytes

.foreach /pS 7 /ps 100 (place {.shell -ci ".fnent ${$arg1} " grep -i offstart} ) { r $t0 = ${$arg2} + place };
.foreach /pS 7 /ps 100 (place {.shell -ci ".fnent ${$arg1} " grep -i procsize} ) { r $t1 = $t0 + place }
.writemem scriptresults\${$arg1}dump.bin $t0 $t1

usage: $$>a< scripts\callgraph.txt ndis!NdisAllocateCloneNetBufferList ndis

hope you can follow the methodology. i hope my analysis is correct

if someone finds something wrong please correct it so that this
thread doesn't contain wrong info

On 8/11/11, xxxxx@osr.com wrote:
> Scott teaches seminars on debugging and crash dump analysis…
>
> Just sayin’
>
> Peter
> OSR
>


thanks and regards

raj_r
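The register back-tracking done by hand above (crash reads [edi+14h], edi came from [ebx+10h], ebx from [ebx+4], ebx from [ebp+8] = OriginalNetBufferList) can be mechanised over a `uf` listing. The script below is an added example and is not the poster's script or anything from the NDIS sources: it parses `uf`-style lines, walks backwards from the faulting instruction to each definition of the register being dereferenced until it reaches a frame-pointer slot, then names every load using the field offsets from the `dt` output and the MSDN prototype quoted in the thread. The listing is constructed from the five `mov` lines quoted in the thread plus made-up filler instructions; the layout tables hold only the fields the `dt` output shows, and `_MDL` is deliberately left out so the final dereference is reported as an unresolved offset rather than guessed.

```python
"""Walk a WinDbg `uf` listing backwards from a faulting instruction to the
register it dereferences, then map the chain of loads onto structure fields
taken from `dt` output.  Added example, not the poster's script; the listing
and the layouts are constructed from the fragments quoted in the thread."""
import re

# Constructed `uf`-style listing.  The five `mov` lines are the ones quoted in
# the thread; the others are made-up filler so the walk has to skip past
# instructions that do not define the register it is looking for.
LISTING = """\
861eb948 8b5514          mov     edx,dword ptr [ebp+14h]
861eb94b 8bf2            mov     esi,edx
861eb952 8b5d08          mov     ebx,dword ptr [ebp+8]
861eb955 85db            test    ebx,ebx
861eb9ce 8b5b04          mov     ebx,dword ptr [ebx+4]
861eb9d1 33c0            xor     eax,eax
861eb9e3 8b7b10          mov     edi,dword ptr [ebx+10h]
861eb9e6 8d45fc          lea     eax,[ebp-4]
861eba10 8b5714          mov     edx,dword ptr [edi+14h]
"""

# Layouts reduced to fields the `dt` output in the thread shows:
# offset -> (field name, pointed-to type or None).  _MDL is deliberately
# absent, so the final dereference is reported as an unresolved offset.
LAYOUTS = {
    "_NET_BUFFER_LIST": {0x00: ("Next", "_NET_BUFFER_LIST"),
                         0x04: ("FirstNetBuffer", "_NET_BUFFER"),
                         0x10: ("NdisPoolHandle", None)},
    "_NET_BUFFER": {0x04: ("CurrentMdl", "_MDL"),
                    0x10: ("MdlChain", "_MDL"),
                    0x14: ("DataOffset", None)},
}

# The four stack parameters from the prototype, assumed to sit at
# [ebp+8], [ebp+0Ch], [ebp+10h], [ebp+14h] (frame-pointer based, non-FPO).
PARAMS = [("OriginalNetBufferList", "_NET_BUFFER_LIST"),
          ("NetBufferListPoolHandle", None),
          ("NetBufferPoolHandle", None),
          ("AllocateCloneFlags", None)]

LINE_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\S+)\s*(.*)$")
MEM_RE = re.compile(r"\[(e[a-z]{2})([+-][0-9a-f]+h?)?\]", re.I)
# mnemonics whose first operand is (re)defined; anything else is skipped
WRITERS = {"mov", "lea", "pop", "xor", "movzx", "movsx", "add", "sub"}


def parse_listing(text):
    """Return [(address, mnemonic, operand string)] for every instruction line."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return insns


def parse_disp(s):
    """'+14h' -> 20, '-4' -> -4, None -> 0 (MASM hex suffix is optional)."""
    if not s:
        return 0
    sign = -1 if s[0] == "-" else 1
    return sign * int(s[1:].rstrip("hH"), 16)


def trace_register(insns, crash_addr):
    """Walk back from the instruction at crash_addr.  Each chain element is
    (addr, register written, base register read, displacement); the walk
    stops once the base register is ebp, i.e. a stack slot."""
    idx = next(i for i, (a, _, _) in enumerate(insns) if a == crash_addr)
    mem = MEM_RE.search(insns[idx][2])
    reg, disp = mem.group(1).lower(), parse_disp(mem.group(2))
    chain = [(crash_addr, None, reg, disp)]
    while reg != "ebp":
        for i in range(idx - 1, -1, -1):
            addr, mnem, ops = insns[i]
            dst = ops.split(",")[0].strip().lower()
            if mnem in WRITERS and dst == reg:
                src = MEM_RE.search(ops)
                if mnem != "mov" or src is None:
                    raise ValueError(f"{reg} is not a plain memory load at {addr:08x}")
                reg, disp = src.group(1).lower(), parse_disp(src.group(2))
                chain.append((addr, dst, reg, disp))
                idx = i
                break
        else:
            raise ValueError(f"no definition of {reg} above {insns[idx][0]:08x}")
    return chain


def resolve_chain(chain):
    """Name each load: the [ebp+N] load is a parameter, and every later
    [reg+off] load is a field of the type the previous load produced."""
    addr, dst, _, disp = chain[-1]
    index = (disp - 8) // 4
    if disp < 8 or index >= len(PARAMS):
        raise ValueError(f"[ebp+{disp:#x}] is not a parameter slot")
    name, typ = PARAMS[index]
    steps = [f"{addr:08x}: {dst} = {name} ({typ}*)"]
    for addr, dst, _, disp in reversed(chain[:-1]):
        entry = LAYOUTS.get(typ, {}).get(disp)
        if entry:
            field, next_typ = entry
            desc = f"{typ}->{field}" + (f" ({next_typ}*)" if next_typ else "")
        else:
            desc, next_typ = f"{typ}+0x{disp:x} (no layout on hand)", None
        steps.append(f"{addr:08x}: {dst or 'faulting read'} = {desc}")
        typ = next_typ
    return steps


if __name__ == "__main__":
    for step in resolve_chain(trace_register(parse_listing(LISTING), 0x861eba10)):
        print(step)
```

Run stand-alone it prints the four-step chain ending in `faulting read = _MDL+0x14`, which is exactly the conclusion reached by hand in the post. The walk only follows plain `mov reg,[base+disp]` loads and stops at the first write of any other kind, so a register rebuilt through arithmetic or a call result shows up as an error rather than a wrong answer; extending `LAYOUTS` with further `dt` output lets it name deeper dereferences.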