How to use !analyse in WinDbg?

    Question

  • I am experimenting with Windows 10 (32-bit) notepad (32-bit). The experimentation subject is chosen arbitrarily. The subject is sent a kernel APC that instigates a call to LdrLoadDll. It fails with the following WinDbg messages. For some reason I am unable to use !analyse. Does anyone know why !analyse isn't working, or why notepad is running into access denied? Notepad is started by a standalone WinDbg x86 via File->Open Executable. Thanks.

    (444.17f8): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=06800000 ebx=001b0000 ecx=77259a60 edx=06800000 esi=02a5f6b4 edi=02a5f35c
    eip=06800841 esp=02a5f330 ebp=02a5f348 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
    06800841 9a609a25770000  call    0000:77259A60
    0:000> !analyse
    No export analyse found
    0:000> !analyse -v
    No export analyse found

    Disassembly of the called address:

    ntdll!LdrLoadDll:
    77259a60 8bff            mov     edi,edi
    77259a62 55              push    ebp
    77259a63 8bec            mov     ebp,esp
    77259a65 83e4f8          and     esp,0FFFFFFF8h
    77259a68 83ec64          sub     esp,64h
    77259a6b a160c23477      mov     eax,dword ptr [ntdll!LdrSystemDllInitBlock+0x2108 (7734c260)]
    77259a70 33c4            xor     eax,esp
    77259a72 89442460        mov     dword ptr [esp+60h],eax
    77259a76 f6058047347709  test    byte ptr [ntdll!RtlFreeMemoryBlockLookaside+0x1650 (77344780)],9
    77259a7d 8b4514          mov     eax,dword ptr [ebp+14h]
    77259a80 53              push    ebx
    77259a81 8b5d0c          mov     ebx,dword ptr [ebp+0Ch]
    77259a84 56              push    esi
    ...


    Sunday, August 5, 2018 5:04 PM

Answers

  • Why unable to use !analyse? Because its name is !analyze. Yep, it's made to confuze.

    -- pa

    • Marked as answer by Dev10110110 Sunday, August 5, 2018 7:06 PM
    Sunday, August 5, 2018 6:22 PM

All replies

  • Many thanks. Top notch spotting right there ;)
    Sunday, August 5, 2018 7:05 PM
  • Where did you get your far call with code segment 0 from?

    06800841 9a609a25770000  call    0000:77259A60

    I do not think this is allowed. For details you may probably want to consult the Intel manuals.

    Even in case you reach your destination with something like

        call    001b:77259A60 -> opcode 9a609a25771b00

    you then have the segment (1b) pushed on the stack, which may come as a surprise for ntdll!LdrLoadDll.

    With kind regards


    Monday, August 6, 2018 8:25 AM
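    To make the two points in that reply concrete, here is an added example (not code from the thread): it decodes the `9a` far-call immediate from the WinDbg output into its selector and offset, and models how the extra CS push shifts every argument that ntdll!LdrLoadDll reads from its frame. The parameter names are the documented LdrLoadDll order; the argument values are constructed placeholders.

    ```python
    import struct

    # Opcode 0x9A = CALL ptr16:32: an absolute far call whose immediate is a
    # 4-byte little-endian offset followed by a 2-byte selector (7 bytes total).
    FAR_CALL_OPCODE = 0x9A

    # Documented parameter order of ntdll!LdrLoadDll (4 stack arguments, stdcall).
    LDR_LOAD_DLL_PARAMS = ("PathToFile", "Flags", "ModuleFileName", "ModuleHandle")


    def decode_far_call(code: bytes) -> dict:
        """Split a 'call ptr16:32' encoding into selector and offset.

        A selector of 0 is the null selector; the CPU refuses to load it into CS,
        which is why the instruction never reaches its destination.
        """
        if len(code) != 7 or code[0] != FAR_CALL_OPCODE:
            raise ValueError("not a 7-byte CALL ptr16:32 encoding")
        offset, selector = struct.unpack("<IH", code[1:])
        return {"selector": selector, "offset": offset, "null_selector": selector == 0}


    def callee_argument_view(args, far_call: bool) -> dict:
        """Return what the callee reads as each parameter at [ebp+8+4*i].

        `args` are the values the caller pushed, args[0] being the first argument
        (lowest address). A near call pushes only the return EIP; a far call pushes
        CS as an extra 4-byte slot before EIP, so after the usual 'push ebp; mov
        ebp,esp' prologue [ebp+8] holds CS and every real argument sits 4 bytes
        higher than the callee expects. Assumes a 32-bit stack and operand size.
        """
        stack = list(args)
        if far_call:
            stack.insert(0, "CS")  # constructed marker for the pushed code segment
        return {name: (stack[i] if i < len(stack) else None)
                for i, name in enumerate(LDR_LOAD_DLL_PARAMS)}


    if __name__ == "__main__":
        # Bytes exactly as shown in the WinDbg disassembly in the question.
        print(decode_far_call(bytes.fromhex("9a609a25770000")))
        print(decode_far_call(bytes.fromhex("9a609a25771b00")))
        args = ("path_ptr", 0, "name_ptr", "handle_ptr")  # constructed placeholders
        print(callee_argument_view(args, far_call=False))
        print(callee_argument_view(args, far_call=True))
    ```

    With the far call, the callee's `ModuleHandle` out-parameter ends up pointing at the caller's `ModuleFileName` string, so even a selector that loads successfully corrupts the call.
    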
  • Thank you for your comment MaybeCompletelyW.

    At a gut level I thought code segment zero was problematic too. I got that from a bit of random programming. It was a first stab and needn't be correct. I just needed to get something out of WinDbg/testing.

    Please disregard the code presented because I no longer use it. The improved code is found here: https://social.msdn.microsoft.com/Forums/en-US/e9569092-8291-458d-b859-e22365ac4eb5/interpretation-of-odd-compiled-code?forum=windowsgeneraldevelopmentissues. Along with that is a simple question (in my view) for the experts.


    Monday, August 6, 2018 9:36 AM