Manual Reconstruction of Call Stack from Memory Dump File

  • Have WinDbg warning: “Following frames may be wrong”
  • Don’t have the correct bottom frame like kernel32!BaseThreadStart (in usermode)
  • Have function calls that don’t make any sense
  • Have strange looking disassembled function code or code that doesn’t make any sense from compiler perspective
  • Have ChildEBP and RetAddr addresses that don’t make any sense
0:011> kChildEBP RetAddrWARNING: Frame IP not in any known module. Following frames may be wrong.0184e434 7c830b10 0×184e5bf0184e51c 7c81f832 ntdll!RtlGetFullPathName_Ustr+0×15b0184e5f8 7c83b1dd ntdll!RtlpLowFragHeapAlloc+0xc6a00099d30 00000000 ntdll!RtlpLowFragHeapFree+0xa70184e51c 7c81f832 ntdll!RtlGetFullPathName_Ustr+0×15b0184e5f8 7c83b1dd ntdll!RtlpLowFragHeapAlloc+0xc6a00099d30 00000000 ntdll!RtlpLowFragHeapFree+0xa7
0:011> !tebTEB at 7ffd8000ExceptionList:             0184ebdcStackBase:                 01850000StackLimit:                01841000SubSystemTib:              00000000FiberData:                 00001e00ArbitraryUserPointer:      00000000Self:                      7ffd8000EnvironmentPointer:        00000000ClientId:                  0000061c . 00001b60RpcHandle:                 00000000Tls Storage:               00000000PEB Address:               7ffdf000LastErrorValue:            0LastStatusValue:           c0000034Count Owned Locks:         0HardErrorMode:             0
0:011> dds 01841000 0185000001841000 000000000184eef0 0184ef0c0184eef4 7615dff2 localspl!SplDriverEvent+0×210184eef8 00bc3e080184eefc 000000030184ef00 000000010184ef04 000000000184ef08 0184efb00184ef0c 0184ef300184ef10 7615f9d0 localspl!PrinterDriverEvent+0×460184ef14 00bc3e080184ef18 000000030184ef1c 000000000184ef20 0184efb00184ef24 00b852a80184ef28 00c3ec580184ef2c 00bafcc00184ef30 0184f3f80184ef34 7614a9b4 localspl!SplAddPrinter+0×5f30184ef38 00c3ec580184ef3c 000000030184ef40 000000000184ef44 0184efb00184ef48 00c117f80184ff28 000000000184ff2c 000000000184ff30 0184ff840184ff34 77c75286 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×3a0184ff38 0184ff4c0184ff3c 77c75296 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×4a0184ff40 7c82f2fc ntdll!RtlLeaveCriticalSection0184ff44 000de3780184ff48 00097df00184ff4c 4d2fa2000184ff50 ffffffff0184ff54 ca5b17000184ff58 ffffffff0184ff5c 8082d8210184ff60 0184fe380184ff64 00097df00184ff68 000000aa0184ff6c 800200000184ff70 0184ff540184ff74 800200000184ff78 000b0c780184ff7c 00a501800184ff80 0184fe380184ff84 0184ff8c0184ff88 77c5778f RPCRT4!RecvLotsaCallsWrapper+0xd0184ff8c 0184ffac0184ff90 77c5f7dd RPCRT4!BaseCachedThreadRoutine+0×9d0184ff94 0009c4100184ff98 000000000184ff9c 000000000184ffa0 00097df00184ffa4 00097df00184ffa8 00015f900184ffac 0184ffb80184ffb0 77c5de88 RPCRT4!ThreadStartRoutine+0×1b0184ffb4 000882580184ffb8 0184ffec0184ffbc 77e6608b kernel32!BaseThreadStart+0×340184ffc0 00097df00184ffc4 000000000184ffc8 000000000184ffcc 00097df00184ffd0 8ad848180184ffd4 0184ffc40184ffd8 8980a7000184ffdc ffffffff0184ffe0 77e6b7d0 kernel32!_except_handler30184ffe4 77e66098 kernel32!`string‘+0×980184ffe8 000000000184ffec 000000000184fff0 0000000077c5de6d RPCRT4!ThreadStartRoutine0184fff8 00097df00184fffc 0000000001850000 00000008
0:011> k L=0184eef0ChildEBP RetAddrWARNING: Frame IP not in any known module. Following frames may be wrong.0184eef0 7615dff2 0×184e5bf0184ef0c 7615f9d0 localspl!SplDriverEvent+0×210184ef30 7614a9b4 localspl!PrinterDriverEvent+0×460184f3f8 761482de localspl!SplAddPrinter+0×5f30184f424 74067c8f localspl!LocalAddPrinterEx+0×2e0184f874 74067b76 SPOOLSS!AddPrinterExW+0×1510184f890 01007e29 SPOOLSS!AddPrinterW+0×170184f8ac 01006ec3 spoolsv!YAddPrinter+0×750184f8d0 77c70f3b spoolsv!RpcAddPrinter+0×370184f8f8 77ce23f7 RPCRT4!Invoke+0×300184fcf8 77ce26ed RPCRT4!NdrStubCall2+0×2990184fd14 77c709be RPCRT4!NdrServerCall2+0×190184fd48 77c7093f RPCRT4!DispatchToStubInCNoAvrf+0×380184fd9c 77c70865 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×1170184fdc0 77c734b1 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa30184fdfc 77c71bb3 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×42c0184fe20 77c75458 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×1270184ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×4300184ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd
0:011> k L=0184eef0 100ChildEBP RetAddrWARNING: Frame IP not in any known module. Following frames may be wrong.0184eef0 7615dff2 0×184e5bf0184ef0c 7615f9d0 localspl!SplDriverEvent+0×210184ef30 7614a9b4 localspl!PrinterDriverEvent+0×460184f3f8 761482de localspl!SplAddPrinter+0×5f30184f424 74067c8f localspl!LocalAddPrinterEx+0×2e0184f874 74067b76 SPOOLSS!AddPrinterExW+0×1510184f890 01007e29 SPOOLSS!AddPrinterW+0×170184f8ac 01006ec3 spoolsv!YAddPrinter+0×750184f8d0 77c70f3b spoolsv!RpcAddPrinter+0×370184f8f8 77ce23f7 RPCRT4!Invoke+0×300184fcf8 77ce26ed RPCRT4!NdrStubCall2+0×2990184fd14 77c709be RPCRT4!NdrServerCall2+0×190184fd48 77c7093f RPCRT4!DispatchToStubInCNoAvrf+0×380184fd9c 77c70865 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0×1170184fdc0 77c734b1 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa30184fdfc 77c71bb3 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0×42c0184fe20 77c75458 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0×1270184ff84 77c5778f RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0×4300184ff8c 77c5f7dd RPCRT4!RecvLotsaCallsWrapper+0xd0184ffac 77c5de88 RPCRT4!BaseCachedThreadRoutine+0×9d0184ffb8 77e6608b RPCRT4!ThreadStartRoutine+0×1b0184ffec 00000000 kernel32!BaseThreadStart+0×34
STACK_TEXT:WARNING: Stack unwind information not available. Following frames may bewrong.00b2f42c 091607aa mydll!foo+0×833800b2f4cc 7c83ab9e mydll!foo+0×8fe300b2f4ec 7c832d06 ntdll!RtlFindNextActivationContextSection+0×4600b2f538 001a5574 ntdll!RtlFindActivationContextSectionString+0xe100b2f554 7c8302b3 0×1a557400b2f560 7c82f9c1 ntdll!RtlpFreeToHeapLookaside+0×2200b2f640 7c832b7f ntdll!RtlFreeHeap+0×20e001dd000 00080040 ntdll!LdrUnlockLoaderLock+0xad001dd00c 0052005c 0×80040001dd010 00470045 0×52005c0052005c 00000000 0×470045

--

--

--

C++ Programmer at Microsoft

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What is the Composite Design Pattern?

Two Sum | Rust

My experience at eCG Tech Hack 2020!

The 15 Best Video Conferencing Apps for 2021: A Breakdown

VPN with Overlapping Networks on GCP using Aviatrix

MQTT for real-time apps

Chat application

Collect Electronic Signatures with Adobe Acrobat Sign and mobile phone delivery.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Amit Kumar Parida

Amit Kumar Parida

C++ Programmer at Microsoft

More from Medium

A simple design calculator on linux command line

Setup SSH and 2SV for Bitbucket in eclipse

Vulnerability Scanning in Microsoft Defender For Server

Setting up haproxy logging with rsyslog