One reason why opening a network folder hangs

 

Why does opening a network folder hang?  2010-08-23

These days I have been using an old XP SP3 machine (one I had not touched for a long time) to test an issue.

Whenever I opened a certain network folder, Explorer made me wait for a long time. That seemed strange, so once my real work was done I debugged it. Below are my analysis and the root cause.

 

While the folder was hanging, I attached WinDbg to Explorer.exe to debug it.

0:014> !analyze -hang

Probably caused by : SHLWAPI.dll ( SHLWAPI!GetFileAttributesWrapW+51 )

0:014>~*kb

0:014> ~5 s

eax=00000000 ebx=000a6ae0 ecx=00e8dbd8 edx=7c92e514 esi=00000000 edi=00000000

eip=7c92e514 esp=00e8d9b8 ebp=00e8da28 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

ntdll!KiFastSystemCallRet:

7c92e514 c3              ret

0:005> kbn100

 # ChildEBP RetAddr  Args to Child             

00 00e8d974 7c92d71a 7c80b853 00e8d9bc 00e8d994 ntdll!KiFastSystemCallRet

01 00e8d978 7c80b853 00e8d9bc 00e8d994 00000000 ntdll!NtQueryAttributesFile+0xc

02 00e8d9e8 77f47d88 00e8deb0 000eb220 000eb220 kernel32!GetFileAttributesW+0x79

03 00e8dc0c 77f47f24 00e8deb0 00e8de88 00e8deb0 SHLWAPI!GetFileAttributesWrapW+0x51

04 00e8de54 77f52db4 00e8deb0 00e8de88 00000104 SHLWAPI!PathFileExistsAndAttributesW+0x41

05 00e8de6c 77f531e4 00e8deb0 0000006f 00e8de88 SHLWAPI!PathFileExistsDefExtAndAttributesW+0x48

06 00e8de80 77f53131 ffffffff 00000000 02298868 SHLWAPI!_PathExeExists+0x13

07 00e8e0bc 77f5301b 02298868 00e8e3a4 00000000 SHLWAPI!SHEvaluateSystemCommandTemplate+0xcd

08 00e8e2f0 77f52fc3 02298868 00e8e3a4 00000000 SHLWAPI!_ExeFromCmd+0x46

09 00e8e30c 7d5c527b 000e6d64 02298868 00000000 SHLWAPI!CAssocShellVerbElement::QueryString+0xdc

0a 00e8e324 7d5c6c07 000e6d64 02010007 00000000 SHELL32!_QueryString+0x17

0b 00e8e350 7d5c525b 7d5c5264 0011bb4c 02010007 SHELL32!CAssocArray::_QueryElementAny<unsigned long *>+0x79

0c 00e8e370 7d601754 000eca20 0000ffff 02010007 SHELL32!CAssocArray::QueryString+0x20

0d 00e8e39c 7d5d5975 00000000 00000104 00e8ec2c SHELL32!CFileSysItemString::_QueryIconIndex+0xa4

0e 00e8e3b8 7d5d2b5a 00000000 00000001 022914e8 SHELL32!CFileSysItemString::_ClassFlags+0x89

0f 00e8ea28 7d5d2d60 022914ec 022926c0 00000020 SHELL32!CFSFolder::GetIconOf+0x10c

10 00e8ea48 7d5d2db7 022914e8 022914ec 022926c0 SHELL32!SHGetIconFromPIDL+0x20

11 00e8ea74 7d5d2e79 02292be8 022914e8 022926c0 SHELL32!SHMapIDListToImageListIndexAsync+0x43

12 00e8eaa0 7d5d27e0 022926c0 00e8ec2c 00000001 SHELL32!CDefView::_GetIconAsync+0x39

13 00e8ec50 7d5c3323 022926c0 00e8f2a4 000f7218 SHELL32!CDefView::_GetDisplayInfo+0x221

14 00e8eec8 7d5c3053 00e8f2a4 000f7218 000f7218 SHELL32!CDefView::_OnLVNotify+0x260

15 00e8eee0 7d5c2ec4 00e8f2a4 00000000 000f7218 SHELL32!CDefView::_OnNotify+0x7c

16 00e8f054 7d5c2f38 000701ca 0000004e 00000001 SHELL32!CDefView::WndProc+0x860

17 00e8f098 77d18734 000701ca 0000004e 00000001 SHELL32!CDefView::s_WndProc+0x72

18 00e8f0c4 77d18816 7d5c2ee2 000701ca 0000004e USER32!InternalCallWinProc+0x28

19 00e8f12c 77d2927b 0009cef0 7d5c2ee2 000701ca USER32!UserCallWinProcCheckWow+0x150

1a 00e8f168 77d292e3 0061ef98 0063b770 00000001 USER32!SendMessageWorker+0x4a5

1b 00e8f188 7719b001 000701ca 0000004e 00000001 USER32!SendMessageW+0x7f

1c 00e8f220 771c6eb5 00120868 ffffff4f 00e8f2a4 comctl32!CCSendNotify+0xc20

1d 00e8f2e4 771ecad8 00120868 0000001b 00e8f6e4 comctl32!ListView_OnGetItem+0x364

1e 00e8f644 771c7f14 00e8f6cc 00000000 00e8f868 comctl32!ListView_RDrawItem+0x196

1f 00e8f664 771cdd14 00e8f6cc 00010000 00120868 comctl32!ListView_DrawItem+0x225

20 00e8f7ec 771cecba 00000019 5f010d6a 00e8f868 comctl32!ListView_Redraw+0x51e

21 00e8f8a4 771d15ce 00120868 00000000 00e8fa70 comctl32!ListView_OnPaint+0x1cb

22 00e8fa08 77d18734 00080220 0000000f 00000000 comctl32!ListView_WndProc+0x93c

23 00e8fa34 77d18816 771d0c92 00080220 0000000f USER32!InternalCallWinProc+0x28

24 00e8fa9c 77d2a013 0009cef0 771d0c92 00080220 USER32!UserCallWinProcCheckWow+0x150

25 00e8facc 77d2a039 771d0c92 00080220 0000000f USER32!CallWindowProcAorW+0x98

26 00e8faec 6c556093 771d0c92 00080220 0000000f USER32!CallWindowProcW+0x1b

27 00e8fb1c 77d18734 00000000 0000000f 00000000 DUSER!WndBridge::RawWndProc+0xa2

28 00e8fb48 77d18816 02090fc0 00080220 0000000f USER32!InternalCallWinProc+0x28

29 00e8fbb0 77d28ea0 0009cef0 02090fc0 00080220 USER32!UserCallWinProcCheckWow+0x150

2a 00e8fc04 77d28eec 00624b88 0000000f 00000000 USER32!DispatchClientMessage+0xa3

2b 00e8fc2c 7c92e473 00e8fc3c 00000018 00624b88 USER32!__fnDWORD+0x24

2c 00e8fc50 77d194d2 77d28f10 00e8fcd8 00000000 ntdll!KiUserCallbackDispatcher+0x13

2d 00e8fc98 77d18a10 00e8fcd8 00000000 00e8fcc0 USER32!NtUserDispatchMessage+0xc

2e 00e8fca8 75f0d875 00e8fcd8 00000000 000bd220 USER32!DispatchMessageW+0xf

2f 00e8fcc0 75f15218 00e8fcd8 00000000 00000000 BROWSEUI!TimedDispatchMessage+0x33

30 00e8ff20 75f15389 000a0530 00000000 00000000 BROWSEUI!BrowserThreadProc+0x336

31 00e8ffb4 7c80b729 000a0530 00000000 00000000 BROWSEUI!BrowserProtectedThreadProc+0x50

32 00e8ffec 00000000 75f15339 000a0530 00000000 kernel32!BaseThreadStart+0x37

0:005> du 02298868

02298868  ""\\NetComputerName\Share\Temp\UserName\AppExe.exe" "%1""

0:005> du 00e8deb0

00e8deb0  "\\NetComputerName\Share\Temp\UserName\ AppExe.exe"

Here NetComputerName is a machine name the company used a long time ago; it no longer exists on the current network. Explorer therefore hangs inside kernel32!GetFileAttributesW while the redirector tries to resolve and connect to that host to read this file's attributes, and the call only returns once the name-resolution and connection attempts have timed out.

 

But why did Explorer need AppExe.exe's attributes at all when I opened this particular folder? From the string ""\\NetComputerName\Share\Temp\UserName\AppExe.exe" "%1"", I guessed that this exe was registered in the registry as the open handler for some file-name extension.

I searched the registry and found the following entries.

 

[HKEY_CLASSES_ROOT\.log]

@="AppExeView"

 

[HKEY_CLASSES_ROOT\AppExeView\Shell\Open\Command]

@="\"\\\\NetComputerName\\Share\\Temp\\UserName\\AppExe.exe\" \"%1\""

 

So the .log extension is registered to the AppExeView ProgID, whose open command is \\NetComputerName\Share\Temp\UserName\AppExe.exe, but the \\NetComputerName computer no longer exists.

 

Notes:

  1. Opening a local folder that contains a .log file does not trigger the hang.
  2. Setting a DefaultIcon for the .log extension in the registry also avoids the hang: Explorer then no longer has to locate the handler executable to extract its icon.
  3. Which file triggers the lookup can be read from the thread stack: CFSFolder::GetIconOf -> _QueryIconIndex -> _ExeFromCmd, ending in GetFileAttributesW on the path taken from shell\open\command.
  4. A stale handler that points at a UNC path is worth removing for a security reason as well: whoever can register that host name on the network supplies the executable Explorer will run when a .log file is opened.
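The fix is to correct or delete the stale handler, but finding every such entry by hand is tedious. Here is an added example (not code from the original post) that audits the registry for the pattern found above: every extension whose ProgID has a shell\open\command or DefaultIcon pointing at a UNC path, optionally checking whether the host still resolves. The function names are mine; the script assumes Windows PowerShell and reads the merged HKCR view.

```powershell
# Added example, not from the original post. Walks the merged HKCR view and reports every
# file-extension ProgID whose shell\open\command or DefaultIcon points at a UNC path, because
# Explorer has to call GetFileAttributesW on that path just to draw the file's icon.
# Assumptions: Windows PowerShell; the -ResolveHosts check uses DNS only, not NetBIOS/WINS.
function Get-CommandExecutable {
    param([Parameter(Mandatory)][string]$Command)
    # "\"\\host\share\AppExe.exe\" \"%1\"" -> first quoted token; otherwise first whitespace-delimited token
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Find-UncShellHandlers {
    param([switch]$ResolveHosts)
    $root = 'Registry::HKEY_CLASSES_ROOT'
    $extensions = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSChildName.StartsWith('.') }
    foreach ($ext in $extensions) {
        $progId = (Get-ItemProperty -LiteralPath $ext.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $checks = [ordered]@{
            'shell\open\command' = "$root\$progId\shell\open\command"
            'DefaultIcon'        = "$root\$progId\DefaultIcon"
        }
        foreach ($kind in $checks.Keys) {
            $keyPath = $checks[$kind]
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $value = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).'(default)'
            if (-not $value) { continue }
            # DefaultIcon values look like "path,index"; strip the icon index before parsing
            $exe = Get-CommandExecutable ($value -replace ',-?\d+\s*$', '')
            if (-not $exe -or -not $exe.StartsWith('\\')) { continue }
            $server   = ($exe -split '\\')[2]          # \\server\share\... -> server
            $resolves = $null
            if ($ResolveHosts) {
                try { [void][System.Net.Dns]::GetHostEntry($server); $resolves = $true }
                catch { $resolves = $false }
            }
            [pscustomobject]@{
                Extension      = $ext.PSChildName
                ProgId         = $progId
                Source         = $kind
                Executable     = $exe
                Server         = $server
                ServerResolves = $resolves
            }
        }
    }
}

Find-UncShellHandlers -ResolveHosts | Format-Table -AutoSize
```

Two caveats: the script looks only at the ProgID's open verb and DefaultIcon, so per-user overrides (HKCU ...\Explorer\FileExts\<ext>\UserChoice and OpenWithProgids) and other verbs are not covered; and a DNS lookup is not the same path the redirector takes, so a name that fails here can still be reachable through NetBIOS, and vice versa.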

 

                                                    Written By opqit(opqit@hotmail.com) 08/23/2010

Posted in Computers and Internet

Application crashes in DisconnectSrvIPIDs when it calls CoUninitialize

Recently I got a crash that happened when the application called CoUninitialize at exit. I eventually found the root cause; the key steps of the debugging and analysis are below.

 

First run

 

0:000> kb

ChildEBP RetAddr  Args to Child             

0031eec8 77174070 76fae2c9 0031ef80 00000000 ntdll!DbgBreakPoint

0031eef8 76ad01e5 0031f0a4 0031f0c0 00000000 ntdll!RtlReportException+0x51

0031ef18 76ad0261 0031ef80 0031ef3c 76ad06fd ole32!SilentlyReportExceptions+0x79

0031ef24 76ad06fd 0031ef80 00000000 00000000 ole32!ServerExceptionFilter+0x24

0031ef3c 76a9c82f 0031ef80 043a23a0 76a71514 ole32!AppInvokeExceptionFilterWithMethodAddress+0x11

0031ef58 76e4513f 00000000 0031f410 76a57328 ole32!CStdMarshal::DisconnectSrvIPIDs+0xf0

0031ef6c 76e450cf 00000000 00000000 00000000 msvcrt!_EH4_CallFilterFunc+0x12

0031ef98 76a8be49 76b3f420 76a69411 0031f0a4 msvcrt!_except_handler4_common+0x8e

0031efb8 77145fb9 0031f0a4 0031f400 0031f0c0 ole32!_except_handler4+0x20

0031efdc 77145f8b 0031f0a4 0031f400 0031f0c0 ntdll!ExecuteHandler2+0x26

0031f08c 77145e17 0031f0a4 0031f0c0 0031f0a4 ntdll!ExecuteHandler+0x24

0031f08c 76a572da 0031f0a4 0031f0c0 0031f0a4 ntdll!KiUserExceptionDispatcher+0xf

0031f410 76a57216 00000008 0020547c 0031f464 ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf

0031f444 76a4156d 00000008 00000000 76b41898 ole32!CStdMarshal::Disconnect+0x1b2

0031f458 76a4154e 0031f464 0020547c 00000008 ole32!DisconnectSwitch+0x16

0031f470 76a415db 00000008 00131030 fffffffe ole32!CStdMarshal::DisconnectAndRelease+0x44

0031f620 76a68d27 b3fd0faa 00131030 00000080 ole32!COIDTable::ThreadCleanup+0xcb

0031f664 76a68c68 00000000 0031f6b4 76b4164c ole32!FinishShutdown+0x9d

0031f684 76a68255 00000000 00000000 00131030 ole32!ApartmentUninitialize+0x96

0031f69c 76a6832b 0031f6b4 00000000 00136a40 ole32!wCoUninitialize+0x88

0031f6b8 76b63644 0013bb58 00131030 76b63a3a ole32!CoUninitialize+0x72

0031f6c4 76b63a3a 0031f6e8 76a6e737 0013bb58 IMM32!CtfImmCoUninitialize+0x34

0031f6cc 76a6e737 0013bb58 00000001 00131030 IMM32!ISPY_PostUninitialize+0x51

0031f6e8 76a6d2d4 00000000 00000000 00000000 ole32!NotifyInitializeSpies+0x6a

0031f70c 00b4dae3 00b67080 00000001 0031fcf0 ole32!CoUninitialize+0x99

WARNING: Stack unwind information not available. Following frames may be wrong.

00000000 00000000 00000000 00000000 00000000 APPEXE+0xdae3

0:000> .exr 0031f0a4

ExceptionAddress: 76a572da (ole32!CStdMarshal::DisconnectSrvIPIDs+0x000000bf)

   ExceptionCode: c0000005 (Access violation)

  ExceptionFlags: 00000000

NumberParameters: 2

   Parameter[0]: 00000000

   Parameter[1]: 6eb67b2c

Attempt to read from address 6eb67b2c

0:000> ln 6eb67b2c 

(6eb67b2c)   <Unloaded_AppDllA.dll>+0x7f00

 

0:000> uf ole32!CStdMarshal::DisconnectSrvIPIDs

……………

ole32!CStdMarshal::DisconnectSrvIPIDs+0xb6:

76fb72d1 895dfc          mov     dword ptr [ebp-4],ebx

76fb72d4 8b4610          mov     eax,dword ptr [esi+10h]

76fb72d7 8b08            mov     ecx,dword ptr [eax]

76fb72d9 50              push    eax

76fb72da ff5108          call    dword ptr [ecx+8]

76fb72dd c745fcfeffffff  mov     dword ptr [ebp-4],0FFFFFFFEh

76fb72e4 8b4614          mov     eax,dword ptr [esi+14h]

76fb72e7 8b08            mov     ecx,dword ptr [eax]

76fb72e9 50              push    eax

76fb72ea ff5110          call    dword ptr [ecx+10h]

………………..

  1. The access violation happened while reading address 6eb67b2c, which lies inside an unloaded module (AppDllA.dll), so ole32 is touching memory that belonged to a DLL that has already been freed.
  2. The instruction at 76fb72da (call dword ptr [ecx+8]) is a call through a vtable, so ole32 is invoking a virtual function of an object whose vtable lived in the unloaded module.

 

Second run

  1. Check what code lies at AppDllA+0x7f00.
  2. Set a breakpoint on ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf and see which function is called at that point.

 

I attached WinDbg to the running application and set a breakpoint on ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf:

 

0:011> lmm ole32

start    end        module name

76f70000 770b5000   ole32      (deferred)

0:011> bp 76fb72da "kbL; ln poi(ecx+8);r;g"

0:011> bl

 0 e 76fb72da     0001 (0001)  0:**** ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf "kbL; ln poi(ecx+8);r;g"

 

I also set a breakpoint to catch the moment the application loads the AppDllA module, and looked up what AppDllA+0x7f00 is.

0:000> lmm AppDllA

start    end        module name

6cbe0000 6cbef000   AppDllA    (deferred)            

0:000> ln 6cbe0000 +7ef8

(6cbe7ef8)   AppDllA!ATL::CComObject<ComInterfaceA>::`vftable'   |  (6cbe7f14)   AppDllA!_entries

Exact matches:

0:000> dds 6cbe7ef8 La

6cbe7ef8  6cbe5175 AppDllA!ATL::CComObject<ComInterfaceA>::QueryInterface

6cbe7efc  6cbe511c AppDllA!ATL::CComObject<ComInterfaceA>::AddRef

6cbe7f00  6cbe5129 AppDllA!ATL::CComObject<ComInterfaceA>::Release

6cbe7f04  6cbe3fc5 AppDllA!ComInterfaceA::StartDocument

6cbe7f08  6cbe3fe0 AppDllA!ComInterfaceA::AddPage

6cbe7f0c  6cbe3ffb AppDllA!ComInterfaceA::EndDocument

6cbe7f10  6cbe518e AppDllA!ATL::CComObject<ComInterfaceA>::`scalar deleting destructor'

6cbe7f14  6cbe7f2c AppDllA!_GUID_8095ddce_ca6e_43f2_ae62_16f32c88fac9

6cbe7f18  00000000

6cbe7f1c  00000001

 

From this, ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf is calling the COM object's Release method (vtable slot 2, at offset +8) to drop one reference.

In the first run's crash log this call still reached AppDllA's COM object after AppDllA had been unloaded from memory. That means the object's reference count was wrong: it never dropped to 0, so the stub inside ole32 still held the object when the application unloaded the module. So let's see which code called the object's AddRef and Release.

 

0:000> bp 6cbe511c   "kbL;r;g"; bp 6cbe5129   "kbL;r;g";

0:000> bl

 0 e 76fb72da     0001 (0001)  0:**** ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf "kbL; ln poi(ecx+8);r;g"

 1 e 6cbe511c     0001 (0001)  0:**** AppDllA!ATL::CComObject<ComInterfaceA>::AddRef "kbL;r;g"

 2 e 6cbe5129     0001 (0001)  0:**** AppDllA!ATL::CComObject<ComInterfaceA>::Release "kbL;r;g"

0:000> g

ChildEBP RetAddr  Args to Child             

0024e5c8 6cbe4f9e 01c4f7d8 00000000 01c4f7d8 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef

0024e5e0 6cbe518b 01c4f7d8 00000000 6cbe722c AppDllA!ATL::AtlInternalQueryInterface+0x40

0024e5f4 6cbe541c 01c4f7d8 6cbe722c 0024e684 AppDllA!ATL::CComObject<ComInterfaceA>::QueryInterface+0x16

0024e630 6cbe555f 00000000 6cbe722c 0024e684 AppDllA!ATL::CComCreator<ATL::CComObject<ComInterfaceA> >::CreateInstance+0x72

……………………..

0024e820 6cbe1725 6cbe728c 00000000 00000001 ole32!CoCreateInstance+0x37

0024e84c 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xba

…………………………

eax=6cbe7ef8 ebx=0024e684 ecx=6cbe722c edx=f31662ae esi=01c4f7d8 edi=00000001

eip=6cbe511c esp=0024e5cc ebp=0024e5e0 iopl=0         nv up ei pl nz na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206

AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:

6cbe511c 8b442404        mov     eax,dword ptr [esp+4] ss:0023:0024e5d0=01c4f7d8

ChildEBP RetAddr  Args to Child             

0024e1f0 6cbe4f9e 01c4f7d8 00000000 01c4f7d8 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef

0024e208 6cbe518b 01c4f7d8 6cbe7f14 76fd1514 AppDllA!ATL::AtlInternalQueryInterface+0x40

…………..

0024e84c 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4

…………………

eax=6cbe7ef8 ebx=0024e234 ecx=0024e234 edx=8095ddce esi=01c4f7d8 edi=00000000

eip=6cbe511c esp=0024e1f4 ebp=0024e208 iopl=0         nv up ei pl nz na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206

AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:

6cbe511c 8b442404        mov     eax,dword ptr [esp+4] ss:0023:0024e1f8=01c4f7d8

ChildEBP RetAddr  Args to Child             

0024e170 76faa8a5 01c4f7d8 00000000 004b0fd8 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef

0024e1b8 76f9ab2e 00000000 000014b4 00000000 ole32!CStdIdentity::CStdIdentity+0x172

………………….

0024e828 6cbe173f 03aee6dc 01c4f7d8 6cbec4a0 RPCRT4!ObjectStubless+0xf

0024e84c 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4

WARNING: Stack unwind information not available. Following frames may be wrong.

0024ec9c 6c431313 00000001 a6c8d6a3 04188df0 AppDllC+0xf10d

0024eed0 6c43143d 04188ed0 04188ed0 00500052 AppDllB!CXXXRPContainer::InitRPComponent+0x88

0024f0ec 5ad92c04 04188df0 00000008 000000ac AppDllB!RPCallBack+0xb9

…………………………..

eax=01c4f7d8 ebx=03ac5d40 ecx=6cbe7ef8 edx=00000000 esi=76fc96b0 edi=00000000

eip=6cbe511c esp=0024e174 ebp=0024e1b8 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:

6cbe511c 8b442404        mov     eax,dword ptr [esp+4] ss:0023:0024e178=01c4f7d8

ChildEBP RetAddr  Args to Child             

0024e21c 76f9aa55 01c4f7d8 00000000 00000000 AppDllA!ATL::CComObject<ComInterfaceA>::Release

0024e238 76f9aef9 004b0fd8 000014b4 00421938 ole32!ObtainStdIDFromUnk+0xc2

………………..

0024e84c 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4

………………

eax=01c4f7d8 ebx=00000000 ecx=6cbe7ef8 edx=00000001 esi=00000001 edi=770a1898

eip=6cbe5129 esp=0024e220 ebp=0024e238 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

AppDllA!ATL::CComObject<ComInterfaceA>::Release:

6cbe5129 8b4c2404        mov     ecx,dword ptr [esp+4] ss:0023:0024e224=01c4f7d8

ChildEBP RetAddr  Args to Child             

00234a80 6cbe4f9e 04181138 00000000 04181138 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef

00234a98 6cbe518b 04181138 6cbe7f14 76fd1514 AppDllA!ATL::AtlInternalQueryInterface+0x40

00234aac 76f9a9cf 04181138 76fd1514 00234ac4 AppDllA!ATL::CComObject<ComInterfaceA>::QueryInterface+0x16

00234ac8 76f9aef9 04181138 000014b4 00421938 ole32!ObtainStdIDFromUnk+0x30

………..

002350e0 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4

WARNING: Stack unwind information not available. Following frames may be wrong.

00235530 6c424937 00000001 a6cf630b 6c870f28 AppDllC+0xf10d

00235960 6c42bf88 6c870f28 00000001 01c4a2a8 AppDllB!DllBClassA::SetXXXValue+0x161

00235970 6c85a706 6c870f28 00000001 a6c617ac AppDllB!DllBGFuncA+0x62

00235ba4 6c84e226 6c870f28 00000001 01c4a21c AppDllD!DllDClassA::SetXXXValue+0xc6

00235bb4 00ab3676 00000008 00000001 aa79a53f AppDllD!DllDClassB::DllDClassBFuncA+0x26

…………………..

eax=6cbe7ef8 ebx=00234ac4 ecx=00234ac4 edx=8095ddce esi=04181138 edi=00000000

eip=6cbe511c esp=00234a84 ebp=00234a98 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:

6cbe511c 8b442404        mov     eax,dword ptr [esp+4] ss:0023:00234a88=04181138

ChildEBP RetAddr  Args to Child             

00234a00 76faa8a5 04181138 00000000 004b1298 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef

00234a48 76f9ab2e 00000000 000014b4 00000000 ole32!CStdIdentity::CStdIdentity+0x172

…………….

002350e0 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4

WARNING: Stack unwind information not available. Following frames may be wrong.

00235530 6c424937 00000001 a6cf630b 6c870f28 AppDllC+0xf10d

00235960 6c42bf88 6c870f28 00000001 01c4a2a8 AppDllB!DllBClassA::SetXXXValue+0x161

00235970 6c85a706 6c870f28 00000001 a6c617ac AppDllB!DllBGFuncA+0x62

00235ba4 6c84e226 6c870f28 00000001 01c4a21c AppDllD!DllDClassA::SetXXXValue+0xc6

00235bb4 00ab3676 00000008 00000001 aa79a53f AppDllD!DllDClassB::DllDClassBFuncA+0x26

0024f000 00ab69f5 00000008 00000001 00000001 APPEXE!CAppDllDMgr::AppExeClassAFuncA+0x186

0024f21c 00ab6c6e 00000008 00000001 0024f2b0 APPEXE!AppExeClassA::AppExeClassAFuncA+0xd5

0024f234 77dafd72 00270134 000002b1 00000008 APPEXE!AppExeClassA:: AppExeClassAFuncAB+0x2e

……………….

eax=04181138 ebx=03ac55c0 ecx=6cbe7ef8 edx=00000000 esi=76fc96b0 edi=00000000

eip=6cbe511c esp=00234a04 ebp=00234a48 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:

6cbe511c 8b442404        mov     eax,dword ptr [esp+4] ss:0023:00234a08=04181138

ChildEBP RetAddr  Args to Child             

00234aac 76f9aa55 04181168 00000000 00000000 AppDllA!ATL::CComObject<ComInterfaceA>::Release

00234ac8 76f9aef9 004b1138 000014b4 00421938 ole32!ObtainStdIDFromUnk+0xc2

……………

002350bc 6cbe173f 03ad2204 04181168 6cbec4a0 RPCRT4!ObjectStubless+0xf

002350e0 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4

WARNING: Stack unwind information not available. Following frames may be wrong.

00235530 6c424937 00000001 a6cf630b 6c870f28 AppDllC+0xf10d

00235960 6c42bf88 6c870f28 00000001 01c4a2a8 AppDllB!DllBClassA::SetXXXValue+0x161

00235970 6c85a706 6c870f28 00000001 a6c617ac AppDllB!DllBGFuncA+0x62

00235ba4 6c84e226 6c870f28 00000001 01c4a21c AppDllD!DllDClassA::SetXXXValue+0xc6

00235bb4 00ab3676 00000007 00000001 aa79a53f AppDllD!DllDClassB::DllDClassBFuncA+0x26

0024f000 00ab69f5 00000007 00000001 00000001 APPEXE!CAppDllDMgr::AppExeClassAFuncA+0x186

0024f21c 00ab6c6e 00000007 00000001 0024f2b0 APPEXE!AppExeClassA::AppExeClassAFuncA+0xd5

0024f234 77dafd72 00270134 000002b1 00000007 APPEXE!AppExeClassA::WtsWndProc+0x2e

0024f260 77dafe4a 00ab6c40 00270134 000002b1 USER32!InternalCallWinProc+0x23

……………………

eax=04181168 ebx=00000000 ecx=6cbe7ef8 edx=00000001 esi=00000001 edi=770a1898

eip=6cbe5129 esp=00234ab0 ebp=00234ac8 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

AppDllA!ATL::CComObject<ComInterfaceA>::Release:

6cbe5129 8b4c2404        mov     ecx,dword ptr [esp+4] ss:0023:00234ab4=04181168

ChildEBP RetAddr  Args to Child             

0024d8c0 76fb7216 00000001 00000000 03ac55c4 ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf

0024d8f4 76f9dae4 00000001 00000000 0024d954 ole32!CStdMarshal::Disconnect+0x1b2

…………………..

0024ea3c 6cbe1646 03ad248c 003b68d4 009b6a78 RPCRT4!ObjectStubless+0xf

0024ea50 6cbe2ca8 19c5a7a2 009b6a78 744c3607 AppDllA!XXXCapture::DllAFuncA+0x3e

0024ea78 6cbe5cee 6cbe6f0f 00000000 00000000 AppDllA!XXXCapture::~XXXCapture+0x20

…………..

0024ec0c 5ad8f5dd 6cbe0000 04188e80 5adaaad8 kernel32!FreeLibrary+0x76

…………..

(6cbe5129)   AppDllA!ATL::CComObject<ComInterfaceA>::Release   |  (6cbe5147)   AppDllA!ComInterfaceA::_InternalQueryInterface

Exact matches:

    AppDllA!ATL::CComObject<ComInterfaceA>::Release (void)

eax=04181138 ebx=00000000 ecx=6cbe7ef8 edx=f31662ae esi=0024d85c edi=03ac55c4

eip=76fb72da esp=0024d83c ebp=0024d8c0 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf:

76fb72da ff5108          call    dword ptr [ecx+8]    ds:0023:6cbe7f00={AppDllA!ATL::CComObject<ComInterfaceA>::Release (6cbe5129)}

ChildEBP RetAddr  Args to Child             

0024d834 76fb72dd 04181138 00000004 00000000 AppDllA!ATL::CComObject<ComInterfaceA>::Release

0024d8c0 76fb7216 00000001 00000000 03ac55c4 ole32!CStdMarshal::DisconnectSrvIPIDs+0xc2

………………….

0024ea50 6cbe2ca8 19c5a7a2 009b6a78 744c3607 AppDllA!XXXCapture::DllAFuncA+0x3e

0024ea78 6cbe5cee 6cbe6f0f 00000000 00000000 AppDllA!XXXCapture::~XXXCapture+0x20

……………

0024ec0c 5ad8f5dd 6cbe0000 04188e80 5adaaad8 kernel32!FreeLibrary+0x76

……………..

eax=04181138 ebx=00000000 ecx=6cbe7ef8 edx=f31662ae esi=0024d85c edi=03ac55c4

eip=6cbe5129 esp=0024d838 ebp=0024d8c0 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

AppDllA!ATL::CComObject<ComInterfaceA>::Release:

6cbe5129 8b4c2404        mov     ecx,dword ptr [esp+4] ss:0023:0024d83c=04181138

 

Unable to remove breakpoint 3 at 6cbe5129, Win32 error 0n487

    "Attempt to access invalid address."

The breakpoint was set with BP.  If you want breakpoints

to track module load/unload state you must use BU.

Unable to remove breakpoint 2 at 6cbe511c, Win32 error 0n487

    "Attempt to access invalid address."

The breakpoint was set with BP.  If you want breakpoints

to track module load/unload state you must use BU.

 

eax=7ffd4000 ebx=00000000 ecx=00000000 edx=77c5cacc esi=00000000 edi=00000000

eip=77c18aee esp=044efaf8 ebp=044efb24 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

ntdll!DbgBreakPoint:

77c18aee cc              int     3

0:012> bl

 0 e 76fb72da     0001 (0001)  0:**** ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf "kbL; ln poi(ecx+8);r;g"

 1 d 6cbe511c     0001 (0001)  0:**** <Unloaded_atgpcdec.dll>+0x1511c "kbL;r;g"

 2 d 6cbe5129     0001 (0001)  0:**** <Unloaded_atgpcdec.dll>+0x15129 "kbL;r;g"

 

0:012> g

ChildEBP RetAddr  Args to Child              

0024f2a4 76fb7216 00000008 03ac5d44 0024f2f8 ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf

0024f2d8 76fa156d 00000008 00000000 770a1898 ole32!CStdMarshal::Disconnect+0x1b2

0024f2ec 76fa154e 0024f2f8 03ac5d44 00000008 ole32!DisconnectSwitch+0x16

0024f304 76fa15db 00000008 00421030 fffffffe ole32!CStdMarshal::DisconnectAndRelease+0x44

0024f4b4 76fc8d27 aa79052e 00421030 00000080 ole32!COIDTable::ThreadCleanup+0xcb

0024f4f8 76fc8c68 00000000 0024f548 770a164c ole32!FinishShutdown+0x9d

0024f518 76fc8255 00000000 00000000 00421030 ole32!ApartmentUninitialize+0x96

0024f530 76fc832b 0024f548 00000000 00491610 ole32!wCoUninitialize+0x88

0024f54c 77d73644 0042bcc8 00421030 77d73a3a ole32!CoUninitialize+0x72

0024f558 77d73a3a 0024f57c 76fce737 0042bcc8 IMM32!CtfImmCoUninitialize+0x34

0024f560 76fce737 0042bcc8 00000001 00421030 IMM32!ISPY_PostUninitialize+0x51

0024f57c 76fcd2d4 00000000 00000000 00000000 ole32!NotifyInitializeSpies+0x6a

0024f5a0 00aadae3 00ac7080 00000001 0024fb84 ole32!CoUninitialize+0x99

0024faf0 00ab8ddc 00aa0000 00000000 004022ac APPEXE!wWinMain+0x343

0024fb84 76aad0e9 7ffd5000 0024fbd0 77c11963 APPEXE!__tmainCRTStartup+0x150

0024fb90 77c11963 7ffd5000 76ff38b3 00000000 kernel32!BaseThreadInitThunk+0xe

0024fbd0 77c11936 00ab8faa 7ffd5000 00000000 ntdll!__RtlUserThreadStart+0x23

0024fbe8 00000000 00ab8faa 7ffd5000 00000000 ntdll!_RtlUserThreadStart+0x1b

Memory access error at ');r;g'

eax=01c4f7d8 ebx=00000000 ecx=6cbe7ef8 edx=00000002 esi=0024f23c edi=03ac5d44

eip=76fb72da esp=0024f21c ebp=0024f2a4 iopl=0         nv up ei pl nz na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206

ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf:

76fb72da ff5108          call    dword ptr [ecx+8]    ds:0023:6cbe7f00=????????

 

From the log above, AppDllA!ATL::CComObject<ComInterfaceA>::AddRef was called 5 times but AppDllA!ATL::CComObject<ComInterfaceA>::Release only 3 times between AppExe loading AppDllA and unloading it. After checking every AddRef call stack against the code, I found that 2 of the AddRef calls were not needed (they were never balanced by a Release), so I reported it to the owning team to fix.
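Counting hits by reading each breakpoint dump by hand does not scale. As an added example (not the post's own tooling), here is a PowerShell wrapper that drives cdb.exe, the console WinDbg, with the same AddRef/Release breakpoints, using bu so that they survive the FreeLibrary that turned the post's bp breakpoints into <Unloaded_...> entries, and then tallies hits per direct caller from the log. The cdb location, the symbol names and the 32-bit kbn frame format are assumptions.

```powershell
# Added example, not from the original post: automate the AddRef/Release count with cdb.exe.
# Assumptions (not from the post): cdb.exe (Debugging Tools for Windows) is on PATH, symbols for
# the target resolve, the target is 32-bit (kbn prints 8-digit addresses), and the symbol names
# passed in follow the post's naming.
function Invoke-RefCountAudit {
    param(
        [Parameter(Mandatory)][string]$Target,          # e.g. C:\app\AppExe.exe
        [Parameter(Mandatory)][string]$AddRefSymbol,    # e.g. 'AppDllA!ATL::CComObject<ComInterfaceA>::AddRef'
        [Parameter(Mandatory)][string]$ReleaseSymbol,   # e.g. 'AppDllA!ATL::CComObject<ComInterfaceA>::Release'
        [string]$Cdb = 'cdb.exe',
        [string]$LogPath = (Join-Path $env:TEMP 'refaudit.log')
    )
    # bu = unresolved breakpoint: it is re-armed whenever the module loads and is not dropped on
    # unload, which is exactly what the "use BU" message in the post was asking for.
    $script = @(
        ".logopen `"$LogPath`"",
        "bu $AddRefSymbol `".echo REFAUDIT AddRef; kbn 6; g`"",
        "bu $ReleaseSymbol `".echo REFAUDIT Release; kbn 6; g`"",
        "g",
        ".logclose",
        "q"
    )
    $scriptPath = Join-Path $env:TEMP 'refaudit.wds'
    Set-Content -LiteralPath $scriptPath -Value $script -Encoding ASCII
    if (Test-Path -LiteralPath $LogPath) { Remove-Item -LiteralPath $LogPath }
    # -cf runs the command file at the initial break; the outer "g" returns at process exit,
    # after which .logclose and q run.
    & $Cdb -cf $scriptPath $Target | Out-Null
    Get-RefCountSummary -Log (Get-Content -LiteralPath $LogPath)
}

function Get-RefCountSummary {
    param([Parameter(Mandatory)][string[]]$Log)
    $events  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Log) {
        if ($line -match '^REFAUDIT (AddRef|Release)$') {
            $current = [pscustomobject]@{ Kind = $Matches[1]; Caller = '<unknown>' }
            $events.Add($current)
        } elseif ($current -and $line -match '^01 (?:[0-9a-fA-F]{8} ){5}(.+)$') {
            # frame 01 of "kbn" output is the direct caller of AddRef/Release
            $current.Caller = $Matches[1]
        }
    }
    $addRef  = @($events | Where-Object Kind -eq 'AddRef').Count
    $release = @($events | Where-Object Kind -eq 'Release').Count
    [pscustomobject]@{
        AddRef   = $addRef
        Release  = $release
        Leaked   = $addRef - $release
        ByCaller = $events | Group-Object Kind, Caller |
                   ForEach-Object { [pscustomobject]@{ Event = $_.Name; Count = $_.Count } }
    }
}

# Constructed sample of what the log looks like, modelled on the post's kbn output, for a dry run
$sample = @(
    'REFAUDIT AddRef',
    ' # ChildEBP RetAddr  Args to Child',
    '00 0024e5c8 6cbe4f9e 01c4f7d8 00000000 01c4f7d8 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef',
    '01 0024e5e0 6cbe518b 01c4f7d8 00000000 6cbe722c AppDllA!ATL::AtlInternalQueryInterface+0x40',
    'REFAUDIT AddRef',
    '00 0024e170 76faa8a5 01c4f7d8 00000000 004b0fd8 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef',
    '01 0024e1b8 76f9ab2e 00000000 000014b4 00000000 ole32!CStdIdentity::CStdIdentity+0x172',
    'REFAUDIT Release',
    '00 0024e21c 76f9aa55 01c4f7d8 00000000 00000000 AppDllA!ATL::CComObject<ComInterfaceA>::Release',
    '01 0024e238 76f9aef9 004b0fd8 000014b4 00421938 ole32!ObtainStdIDFromUnk+0xc2'
)
Get-RefCountSummary -Log $sample   # AddRef = 2, Release = 1, Leaked = 1, ByCaller lists each caller
```

The per-caller table is the useful part: a leak shows up as an AddRef caller (here a QueryInterface or CoCreateInstance path) with no matching Release caller, which is what the post established by hand. Run the real audit with Invoke-RefCountAudit and the target's own symbol names.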

 

                                      Written By opqit(opqit@hotmail.com) 08/12/2010

Posted in Computers and Internet

A method for troubleshooting a service running in svchost

I have recently read some articles about troubleshooting SVCHOST.EXE. The key method is below.

1.       Isolate the service from the shared svchost.exe before troubleshooting.

1.1    Use the tasklist /SVC /FI "IMAGENAME eq svchost.exe" command to list which services belong to which instance.

1.2   Isolate your service from svchost.exe.

Method 1: Creating an Isolated Process

What this method really does is modify one of the registry parameters for the service in question from a shared process to an isolated process.  The command syntax is straightforward and uses the sc config command set: sc config <service name> type= own.  So for Windows Update (wuauserv), the command would be: sc config wuauserv type= own.  Note that there is a space between the '=' and 'own'; you must insert that space.  Behind the scenes, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Type registry value is changed from 0x20 (SERVICE_WIN32_SHARE_PROCESS, a shared process) to 0x10 (SERVICE_WIN32_OWN_PROCESS, its own process).  You can read more about these values in the MSDN article on the SERVICE_STATUS_PROCESS structure.  To complete the change, you need to stop and restart the service.  To change the service back to a shared service, run: sc config wuauserv type= share; for that change to complete, the machine itself needs to be rebooted.  No other parameters of the service are modified; once you change the type to isolated, restart the service and run the tasklist command again, you will see an SVCHOST.EXE process that contains only the Windows Update service.

Method 2: Creating an isolated Service Group

This method is a bit more involved, and involves directly editing the registry.  Please remember to back up the registry before making any changes!  The process is below:

·         Create a new REG_MULTI_SZ value named WindowsUpdates in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key.

·         Add the name of the service (in this case wuauserv) to the value.  You also need to remove wuauserv from the list in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs value to prevent conflicts.

·         Now navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv key and change the ImagePath value from %systemroot%\system32\svchost.exe -k netsvcs to: %systemroot%\system32\svchost.exe -k WindowsUpdates

·         Restart the Automatic Updates service and you should now see a new instance of SVCHOST.EXE that contains only the Automatic Updates service.

·         This method can be repeated to isolate multiple services into their own groups.

·         To revert to the original configuration, reverse the steps above and restart the machine.  Use the backup of the registry to make sure you get the right services back into the proper groups.
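Here, as an added example (not from the post or the article it summarises), is the procedure in section 1 scripted in PowerShell: an object version of the tasklist check, Method 1 through sc.exe, and Method 2 with the registry backup taken first. Function names and the backup location are mine, and the script assumes an elevated prompt and a service whose ImagePath is of the form svchost.exe -k <group>; the service and group names are parameters, with the post's wuauserv/WindowsUpdates appearing only in the usage comment.

```powershell
# Added example, not from the original post: the three steps above as PowerShell functions.
# Assumptions not taken from the post: an elevated prompt, a service whose ImagePath contains
# "svchost.exe -k <group>", and a Svchost key laid out as the post describes.
#Requires -RunAsAdministrator
$SvchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

function Get-SvchostMap {
    # Object form of: tasklist /SVC /FI "IMAGENAME eq svchost.exe"
    Get-CimInstance Win32_Service -Filter "PathName LIKE '%svchost.exe%' AND ProcessId <> 0" |
        Group-Object ProcessId |
        ForEach-Object { [pscustomobject]@{ Pid = [int]$_.Name; Services = ($_.Group.Name -join ', ') } }
}

function Set-ServiceOwnProcess {
    # Method 1. Note: in PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
    param([Parameter(Mandatory)][string]$Name)
    & sc.exe config $Name type= own | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config $Name failed: exit code $LASTEXITCODE" }
    Restart-Service -Name $Name -Force
    Get-SvchostMap | Where-Object { ($_.Services -split ', ') -contains $Name }
}

function Move-ServiceToSvchostGroup {
    # Method 2, with the registry backup the post asks for taken first.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Group,
        [string]$BackupDir = $env:TEMP
    )
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $image  = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
    if ($image -notmatch '(?i)svchost\.exe.*\s-k\s+(\S+)') { throw "$Name is not hosted by svchost.exe: $image" }
    $oldGroup = $Matches[1]

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' (Join-Path $BackupDir "svchost-$stamp.reg") /y | Out-Null
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$Name" (Join-Path $BackupDir "$Name-$stamp.reg") /y | Out-Null

    # 1. new REG_MULTI_SZ group holding only this service
    New-ItemProperty -LiteralPath $SvchostKey -Name $Group -PropertyType MultiString -Value ([string[]]@($Name)) -Force | Out-Null
    # 2. drop the service from its old group so the two groups do not conflict
    $members = @((Get-ItemProperty -LiteralPath $SvchostKey).$oldGroup) | Where-Object { $_ -ne $Name }
    Set-ItemProperty -LiteralPath $SvchostKey -Name $oldGroup -Value ([string[]]$members) -Type MultiString
    # 3. repoint ImagePath at the new group, keeping any other switches and the REG_EXPAND_SZ type
    $newImage = $image -replace '(\s-k\s+)\S+', ('${1}' + $Group)
    Set-ItemProperty -LiteralPath $svcKey -Name ImagePath -Value $newImage -Type ExpandString
    # 4. restart and confirm the service now sits in its own svchost.exe instance
    Restart-Service -Name $Name -Force
    Get-SvchostMap | Where-Object { ($_.Services -split ', ') -contains $Name }
}

# Usage, with the post's example names:
#   Get-SvchostMap | Format-Table -AutoSize
#   Set-ServiceOwnProcess -Name wuauserv
#   Move-ServiceToSvchostGroup -Name wuauserv -Group WindowsUpdates
```

Two things to check before relying on this on a newer Windows: a group may also have a subkey of the same name under the Svchost key (COM security and authentication parameters) that the new group will lack, so copy it if the service fails to start after the move; and on Windows 10 builds with enough memory, services are already split into separate svchost.exe instances by the SvcHostSplitThresholdInKB setting, which makes the isolation step unnecessary.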

 

2.       Debug svchost.exe in the kernel debugger

      If we debug the service in the kernel debugger, we do not need to isolate it, because svchost.exe won't load the service DLL until it is time to start the service, so we can set a breakpoint that catches the service starting up.

2.1   kd> !process 0 0 svchost.exe

Lists all svchost.exe processes in the OS.

2.2   kd> .process -i PROCESS_ADDRESS

       .process -i sets an invasive breakpoint so that we get into the active context of the process.

      When the debugger breaks in again, you will be in the new process context.

2.3   kd> .reload /user and kd> bp svchost!GetServiceMainFunctions

After the breakpoint is set, start the service with the "net start Service_Name" command. When the process breaks in, run gu and let it break again; at that point the service DLL has been loaded. (This breakpoint is on a function shared by every process in the OS; any process that calls it will hit the breakpoint.)

2.4   .reload /user and bp service_dll!ServiceMain

Now we can set a breakpoint on the service's entry point and start debugging the service code (here too, any process that calls service_dll's ServiceMain will hit the breakpoint).

 

3.     I think it is easier to use a user-mode debugger for this kind of issue.

  

For details, see the original article.

                                                                     

                                                                                                Written By opqit(opqit@hotmail.com) 07/23/2010

 

 

Posted in Computers and Internet

hh.exe does not use Unicode on Vista when it opens a file

Today I got an error dialog when I opened a .chm file on Vista.

 

At first I thought the local file was corrupted, so I downloaded a new copy from the Internet. The new file opened successfully.

Then I noticed that the old and new files had the same size, which suggested the old file was not corrupted after all. Why, then?

I ran WinDbg and attached it to hh.exe.

Stack:

000ef438 7656073f 76573c9f 00000000 00000000 ntdll!KiFastSystemCallRet

000ef43c 76573c9f 00000000 00000000 00000000 USER32!NtUserWaitMessage+0xc

000ef470 76572dc0 00120a7c 00000000 00000001 USER32!DialogBox2+0x202

000ef498 7659cd48 76540000 002f7108 00000000 USER32!InternalDialogBox+0xd0

000ef538 7659d2ca 00000000 00000000 ffffffff USER32!SoftModalMessageBox+0x69f

000ef688 7659d3fc 000ef694 00000028 00000000 USER32!MessageBoxWorker+0x2c7

000ef6e0 7659d4a6 00000000 002f6fb8 002f79b8 USER32!MessageBoxTimeoutW+0x7f

000ef714 7659d654 00000000 000a7000 000a70b0 USER32!MessageBoxTimeoutA+0xa1

000ef734 7659d6c6 00000000 000a7000 000a70b0 USER32!MessageBoxExA+0x1b

000ef750 61ad6b2f 00000000 000a7000 000a70b0 USER32!MessageBoxA+0x45

000ef784 61aa4ba5 0000101b 000a7000 00000000 hhctrl!MsgBox+0x4a

000ef9b8 61aa4ed9 001d0000 002d2bc4 764894dc hhctrl!doInternalWinMain+0x587

000ef9d0 001d17f2 001d0000 002d2bc4 001d3378 hhctrl!doWinMain+0x39

000efafc 001d19b9 001d0000 00000000 002d2bc4 hh!WinMain+0xb3

000efb8c 764ad0e9 7ffdb000 000efbd8 777f19bb hh!_initterm_e+0x1a1

000efb98 777f19bb 7ffdb000 76ef126d 00000000 kernel32!BaseThreadInitThunk+0xe

000efbd8 777f198e 001d1b2f 7ffdb000 00000000 ntdll!__RtlUserThreadStart+0x23

000efbf0 00000000 001d1b2f 7ffdb000 00000000 ntdll!_RtlUserThreadStart+0x1b

0:000> da 002d2bc4

002d2bc4  "D:\document\Core\Microsoft? Wind"

002d2be4  "ows? Internals, Fourth Edition M"

002d2c04  "icrosoft Windows Server? 2003, W"

002d2c24  "indows XP, and Windows 2000-Mark"

002d2c44  "-2004.chm"

 

But the old local file name in the directory is Microsoft® Windows® Internals, Fourth Edition Microsoft Windows Server™ 2003, Windows XP, and Windows 2000-Mark-2004.chm. From this we know that MS failed to convert ® and ™ to the native (ANSI) code page and replaced them with ?. As a result, the OS fails to find the file Microsoft? Windows? Internals, Fourth Edition Microsoft Windows Server? 2003, Windows XP, and Windows 2000-Mark-2004.chm and pops up the dialog above. The new file I downloaded is named Microsoft – Microsoft Windows Internals Fourth Edition(2004).chm, so it does not have the character-set conversion issue.
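The failure above is a lossy wide-to-narrow conversion: characters that the ANSI code page cannot represent become the default character “?”, and the narrowed name no longer matches anything on disk. The following is an added example, not code from the post or from hh.exe. It uses a portable 7-bit stand-in for the conversion (the function names narrow_lossy, path_narrows_losslessly and narrow_path_checked are this example’s own) and shows the check a caller should make before handing a narrowed path to an “A” API; on Windows the equivalent signal is the lpUsedDefaultChar output of WideCharToMultiByte, and the real fix is to keep the wide string and call the “W” API.

```c
/* Added example (not from the original post): simulate the lossy
 * wide-to-narrow conversion that turned "(R)" and "(TM)" into "?" in the
 * hh.exe path, and show how to detect that information was lost before
 * using the narrowed name with an ANSI ("A") file API. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Narrow a wide string into a 7-bit target "code page" (stand-in for
 * WideCharToMultiByte with its default character). Any code point the
 * target cannot represent becomes '?' and *used_default is set. */
static size_t narrow_lossy(const wchar_t *src, char *dst, size_t dst_len,
                           int *used_default)
{
    size_t n = 0;
    *used_default = 0;
    if (dst_len == 0) return 0;
    for (; src[n] != L'\0' && n + 1 < dst_len; n++) {
        if ((unsigned)src[n] < 0x80) {
            dst[n] = (char)src[n];
        } else {
            dst[n] = '?';          /* unrepresentable: default char substituted */
            *used_default = 1;
        }
    }
    dst[n] = '\0';
    return n;
}

/* 1 if the wide path survives narrowing unchanged, 0 if a character was
 * replaced (an A-API lookup with the narrowed name would then fail). */
int path_narrows_losslessly(const wchar_t *wide_path)
{
    char buf[260];
    int used_default;
    narrow_lossy(wide_path, buf, sizeof buf, &used_default);
    return used_default == 0;
}

/* Narrow into a caller buffer and report whether the result is safe to use.
 * Returns the narrowed length, or -1 when information was lost. */
int narrow_path_checked(const wchar_t *wide_path, char *out, size_t out_len)
{
    int used_default;
    size_t n = narrow_lossy(wide_path, out, out_len, &used_default);
    return used_default ? -1 : (int)n;
}

/* Helper: does narrowing wide_path produce exactly expected? */
int narrowed_equals(const wchar_t *wide_path, const char *expected)
{
    char buf[260];
    int used_default;
    narrow_lossy(wide_path, buf, sizeof buf, &used_default);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample names modelled on the post, not the real files. */
    const wchar_t *old_name = L"Microsoft\u00AE Windows\u00AE Internals.chm";
    const wchar_t *new_name = L"Microsoft Windows Internals (2004).chm";
    char buf[260];

    printf("old name lossless: %d\n", path_narrows_losslessly(old_name)); /* 0 */
    printf("new name lossless: %d\n", path_narrows_losslessly(new_name)); /* 1 */
    if (narrow_path_checked(old_name, buf, sizeof buf) < 0)
        printf("refusing to open narrowed name \"%s\"; use the W API instead\n", buf);
    return 0;
}
```

The point of the check is that the substitution is silent: narrow_lossy still returns a plausible-looking string, so the only reliable signal is the used-default flag (or comparing the round-trip), not the output itself.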

 

0:000> lmvm hh

start    end        module name

001d0000 001d7000   hh         (pdb symbols)          e:\symsvr\hh.pdb\2A0A84E460CA47D7B78C14B65EDBD2F31\hh.pdb

    Loaded symbol image file: C:\Windows\hh.exe

    Image path: C:\Windows\hh.exe

    Image name: hh.exe

    Timestamp:        Thu Nov 02 17:11:18 2006 (4549B636)

    CheckSum:         0001019E

    ImageSize:        00007000

    File version:     6.0.6000.16386

    Product version:  6.0.6000.16386

    File flags:       0 (Mask 3F)

    File OS:          40004 NT Win32

    File type:        1.0 App

    File date:        00000000.00000000

    Translations:     0409.04b0

    CompanyName:      Microsoft Corporation

    ProductName:      HTML Help

    InternalName:     HH 1.41

    OriginalFilename: HH.exe

    ProductVersion:   6.0.6000.16386

    FileVersion:      6.0.6000.16386 (vista_rtm.061101-2205)

    FileDescription:  Microsoft® HTML Help Executable

    LegalCopyright:   © Microsoft Corporation. All rights reserved.

 

People have asked about this issue on the MS social MSDN site too.

I checked the other common modules shipped by default in Vista. None of them were developed in Unicode mode.

Compared with developing a new OS, this is easy. But MS hasn’t done it.

What is UE? I think this is UE.

                                                                       Written By opqit(opqit@hotmail.com) 06/29/2010


MS Banned APIs and Extending in Visual Studio 2010 Editor


The code for the SDL Banned API IDE Visual Studio extension is available in SDLBanned.zip.

There are two folders in the ZIP file: src and bin. The source code folder includes the necessary C# code and VS2010 project to tweak the code. The binary code folder includes a single file: BannedAPIextension.vsix.

Double-clicking this file will install it into Visual Studio 2010. You can enable, disable and uninstall extensions from the Visual Studio Tools | Extension Manager menu.

For more detailed information, click here.


Crash caused by MS variable argument function

Several months ago, we got a crash issue.
In the end we found that MS does not check whether a variable-argument function’s arguments are valid.
Here is the debug information from VS2008 and VC6.

Below is the detailed analysis of this issue in VC6.
 

Source Code:

// Headers and a forward declaration are added so the demo compiles as shown;
// the format/argument mismatch in WinMain is the defect the post analyses
// and is kept deliberately.
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <stdarg.h>

void VADemo(LPCTSTR lpszFormat, ...);

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
       // More conversion specifiers in the format than arguments supplied:
       // the missing ones are read from whatever follows on the stack.
       VADemo(_T("|%s|%x|%s|%x|%s|%x|"), _T("aaaa"),0x1234,_T("bbbb"));
       return 0;
}

void VADemo(LPCTSTR lpszFormat, ...)
{
       const UINT iSize=1024;
       TCHAR lpszData[iSize]={0};

       va_list argptr;
       va_start(argptr,lpszFormat);
       // _vsntprintf walks argptr once per specifier; it cannot know how
       // many arguments the caller actually passed.
       _vsntprintf(lpszData,iSize-1,lpszFormat,argptr);
       va_end(argptr);
}

 

 

Debug and Analysis for VC6 build:

0:000> uf VADemo! VADemo

VADemo!VADemo [..VADemo\VADemo.cpp @ 27]:

   27 00401030 81ec00080000    sub     esp,800h

   27 00401036 57              push    edi

   29 00401037 b9ff010000      mov     ecx,1FFh

   29 0040103c 33c0            xor     eax,eax

   29 0040103e 8d7c2406        lea     edi,[esp+6]

   29 00401042 66c74424040000  mov     word ptr [esp+4],0

   33 00401049 8d542404        lea     edx,[esp+4]

   33 0040104d f3ab            rep stos dword ptr es:[edi]

   33 0040104f 8b8c2408080000  mov     ecx,dword ptr [esp+808h]

   33 00401056 66ab            stos    word ptr es:[edi]

 

   //The va_list start address, controlled by the va_start(argptr,lpszFormat) code;

 

   33 00401058 8d84240c080000  lea     eax,[esp+80Ch]

   33 0040105f 50              push    eax

   33 00401060 51              push    ecx

   33 00401061 68ff030000      push    3FFh

   33 00401066 52              push    edx

   33 00401067 e814000000      call    VADemo!_vsnwprintf (00401080)

   33 0040106c 83c410          add     esp,10h

   33 0040106f 5f              pop     edi

   35 00401070 81c400080000    add     esp,800h

   35 00401076 c3              ret

0:000> uf VADemo!WinMain

VADemo!WinMain [..\VADemo\VADemo.cpp @ 16]:

   16 00401000 6864904000      push    offset VADemo!`string’ (00409064)

   16 00401005 6834120000      push    1234h

   16 0040100a 6858904000      push    offset VADemo!`string’ (00409058)

   16 0040100f 6830904000      push    offset VADemo!`string’ (00409030)

   16 00401014 e817000000      call    VADemo!VADemo (00401030)

   16 00401019 83c410          add     esp,10h

   23 0040101c 33c0            xor     eax,eax

   24 0040101e c21000          ret     10h

 

0:000> g

Breakpoint 0 hit

eax=00400000 ebx=7ffdf000 ecx=00000000 edx=00000003 esi=00000000 edi=00000000

eip=00401030 esp=0012feec ebp=0012ff88 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

VADemo!VADemo:

00401030 81ec00080000    sub     esp,800h

0:000> ddu esp L9

0012feec  00401019 "..邐邐邐邐邐邐邐膐ì....昆䓇Ф"

0012fef0  00409030 "|%s|%x|%s|%x|%s|%x|"

 

//The va_list start address, controlled by the va_start(argptr,lpszFormat) code;

 

0012fef4  00409058 "aaaa"

0012fef8  00001234

0012fefc  00409064 "bbbb"

 

//How many stack slots are read, and how each is interpreted, are controlled by the number of ‘%’ in lpszFormat. Here it includes 5 ‘%’, so the two memory addresses below were also read and interpreted as the typed values, even though we only provided 3 parameters.

From the end of this topic, we know that if one of the addresses below points to invalid memory and its type in lpszFormat is a string, an access violation is raised when the function tries to read that invalid address. The result is a crash.

 

0012ff00  004011bd "䖉傠.      ..䶉傘.."

0012ff04  00400000 ".."

0012ff08  00000000

0012ff0c  002d2a96 "…."

0:000> bp 0040105f

0:000> g

Breakpoint 1 hit

eax=0012fef4 ebx=7ffdf000 ecx=00409030 edx=0012f6ec esi=00000000 edi=0012feec

eip=0040105f esp=0012f6e8 ebp=0012ff88 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

VADemo!VADemo+0x2f:

0040105f 50              push    eax

0:000> dd eax L4

0012fef4  00409058 00001234 00409064 004011bd

0:000> bp 00401067

0:000> g

Breakpoint 2 hit

eax=0012fef4 ebx=7ffdf000 ecx=00409030 edx=0012f6ec esi=00000000 edi=0012feec

eip=00401067 esp=0012f6d8 ebp=0012ff88 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

VADemo!VADemo+0x37:

00401067 e814000000      call    VADemo!_vsnwprintf (00401080)

 

//The memory address that receives the formatted result. Here it is initialized to zero first.

 

0:000> du edx

0012f6ec  ""

 

0:000> bp 0040106c

0:000> g

Breakpoint 3 hit

eax=0000001d ebx=7ffdf000 ecx=0012f6b0 edx=00000020 esi=00000000 edi=0012feec

eip=0040106c esp=0012f6d8 ebp=0012ff88 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

VADemo!VADemo+0x3c:

0040106c 83c410          add     esp,10h

 

//The memory address that holds the formatted result. Here all of the memory read is accessible, so it does not crash in this demo.

 

0:000> du 0012f6ec   L100

0012f6ec  "|aaaa|1234|bbbb|4011bd|..|0|" //Do you see them above?

Written By opqit(opqit@hotmail.com) 01/05/2010
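The root cause in this post is that vsnprintf (and _vsntprintf) has no way to know how many arguments the caller pushed; it simply advances the va_list once per conversion specifier. A caller-side guard that counts the specifiers and compares them with the argument count the caller claims is one way to turn the silent over-read into a refused call. This is an added example and not the post’s code; the wrapper and helper names (count_conversions, va_format_checked, demo_mismatched_call, demo_matched_call) are this example’s own, and it uses narrow char and the standard vsnprintf so it runs outside Windows. The count also handles “%%” and the extra argument consumed by a “*” width or precision, which goes beyond the single format in the post.

```c
/* Added example (not the post's code): refuse to format when the number of
 * conversion specifiers does not match the number of arguments the caller
 * says it passed, instead of letting vsnprintf read past the real arguments. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the arguments a printf-style format will consume. "%%" is a literal
 * and consumes nothing; a '*' width or precision consumes an extra argument.
 * Returns -1 for a dangling '%' or a conversion with no conversion letter. */
int count_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '\0') return -1;
        if (*p == '%') continue;                     /* "%%" literal */
        /* skip flags, width, precision, length modifiers */
        while (*p && !strchr("diouxXeEfFgGaAcspn", *p)) {
            if (*p == '*') count++;                  /* '*' pulls an argument */
            p++;
        }
        if (*p == '\0') return -1;
        count++;                                     /* the conversion itself */
    }
    return count;
}

/* Format into buf only when nargs matches the format. Returns what vsnprintf
 * returns on success, or -1 on a mismatch (buf is then the empty string and
 * the va_list is never walked). */
int va_format_checked(char *buf, size_t size, int nargs, const char *fmt, ...)
{
    int needed = count_conversions(fmt);
    if (size == 0) return -1;
    if (needed < 0 || needed != nargs) {
        buf[0] = '\0';
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Same shape as the post's call: six conversions, three arguments.
 * Returns -1 because the guard rejects it before anything is read. */
int demo_mismatched_call(void)
{
    char out[128];
    return va_format_checked(out, sizeof out, 3,
                             "|%s|%x|%s|%x|%s|%x|", "aaaa", 0x1234, "bbbb");
}

/* Correct call: three conversions, three arguments. Returns the formatted
 * length (16) when the output is "|aaaa|1234|bbbb|", else -2. */
int demo_matched_call(void)
{
    char out[128];
    int n = va_format_checked(out, sizeof out, 3,
                              "|%s|%x|%s|", "aaaa", 0x1234, "bbbb");
    return strcmp(out, "|aaaa|1234|bbbb|") == 0 ? n : -2;
}

int main(void)
{
    printf("mismatched call returns %d\n", demo_mismatched_call());
    printf("matched call returns %d\n", demo_matched_call());
    return 0;
}
```

The nargs parameter is still supplied by the caller, so the guard catches a format string that drifted away from its call site (the situation in the post) rather than a caller that lies about its own argument count; compiler-side checking such as SAL’s _Printf_format_string_ annotation or GCC’s format attribute covers that half at build time.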

Ben Fathi

Today I saw in the company Snapshot mail that Ben Fathi, who wrote the foreword for Windows® Internals, Fifth Edition, has joined Cisco.
It seems Security really is everywhere now.

Functions by Release for MS Windows OS

Here is a list of additions to the Windows application programming interface (API), grouped by operating system release.

FAQ about HeapSetInformation in Windows Vista and Heap Based Buffer Overruns

The content below is copied from Michael Howard’s blog; for details, please click here.

Q: What does the HeapSetInformation function do?
A: It lets your application configure the Windows heap manager with a small number of options. The only security-related setting kills your application in case of heap corruption.

Q: What do you mean by "heap corruption"?
A: Anything that messes with data in the Windows heap; for example, damage caused by a buffer overrun, writing to a stray pointer, or a double-free.

Q: How do I use the function?
A: Like this:

BOOL f=HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);


nt!NtShutdownSystem

The Windows OS calls the nt!NtShutdownSystem() interface last when it shuts down the system.
We can set a breakpoint on nt!NtShutdownSystem() to debug the system shutdown process.
It is useful when we want to know which application sent the shutdown command.
“Who is restarting my server” is a better sample of how to use nt!NtShutdownSystem() to debug strange system reboot issues.