How can I find out a user mode process call stack when analyzing a kernel crash dump?

  • Question

  • I'm analyzing a BSOD on a kernel crash dump. By using !analyze -v, I'm able to confirm it's my test tool which triggered the crash (seen in PROCESS_NAME). But in the kernel call stack, I cannot find anything about the test tool (a user mode application).

    I want to find out what the test tool was doing when the crash happened, so that I might be able to find a clue.

    But how can I find the call stack (or something else) of the test tool?

    =========================================================

    PROCESS_NAME:  WriteImageE.ex

    =========================================================

    STACK_TEXT:  

    fffff880`09aa7410 fffff800`032b50fe : 00000000`0000016c fffff880`09aa74f0 fffff880`00000000 00000000`0000016c : nt!CcSetDirtyInMask+0x10e
    fffff880`09aa74b0 fffff800`032b5644 : fffffa80`0c092e00 00000000`02aefb58 fffff880`09aa75f0 fffff880`00000000 : nt!CcMapAndCopyInToCache+0x27e
    fffff880`09aa75a0 fffff880`016a3d99 : 00000000`1945b16c fffffa80`06fdfa00 fffff880`09aa7690 fffffa80`06fdfa90 : nt!CcCopyWrite+0x194
    fffff880`09aa7630 fffff880`01201102 : fffffa80`06fdfa90 fffff880`012044f2 00000000`00001004 00000000`00001001 : Ntfs!NtfsCopyWriteA+0x1e9
    fffff880`09aa7830 fffff880`012048ba : fffff880`09aa7900 fffffa80`070e5e78 00000000`02aedc00 00000000`00001000 : fltmgr!FltpPerformFastIoCall+0xf2
    fffff880`09aa7890 fffff880`0122283e : 00000000`00001004 00000000`00000000 fffffa80`06fdfa90 fffff880`09aa7a00 : fltmgr!FltpPassThroughFastIo+0xda
    fffff880`09aa78d0 fffff800`035a140e : fffffa80`06fdfb04 fffffa80`06fdfa90 00000000`00000000 fffffa80`06fdfb04 : fltmgr!FltpFastIoWrite+0x1ce
    fffff880`09aa7970 fffff800`0328be53 : 00000000`74152401 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtWriteFile+0x5ad
    fffff880`09aa7a70 00000000`74152e09 : 00000000`741529f5 00000000`753760e2 00000000`00000023 00000000`00000246 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0275efe8 00000000`741529f5 : 00000000`753760e2 00000000`00000023 00000000`00000246 00000000`02aefc04 : wow64cpu!CpupSyscallStub+0x9
    00000000`0275eff0 00000000`741cd286 : 00000000`00000000 00000000`74151920 00000000`00000000 00000000`00000000 : wow64cpu!ReadWriteFileFault+0x31
    00000000`0275f0b0 00000000`741cc69e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wow64!RunCpuSimulation+0xa
    00000000`0275f100 00000000`76e7d447 : 00000000`00000000 00000000`7efdf000 00000000`7efad000 00000000`00000000 : wow64!Wow64LdrpInitialize+0x42a
    00000000`0275f650 00000000`76e2c34e : 00000000`0275f710 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x29134
    00000000`0275f6c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

    =========================================================

    • Edited by Alex Gui, Friday, October 31, 2014 05:27
    Friday, October 31, 2014 05:25
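An added WinDbg walk-through of how the user-mode part of the crashing thread's stack can be reached from the context shown in the post; it is not part of the original question or of any reply. It assumes the crashing thread is still the current context after opening the dump (the `@$proc` pseudo-register refers to the current process) and that the process is a 32-bit WOW64 process, which the wow64cpu!/wow64! frames in the posted STACK_TEXT suggest.

```windbg
kd> !analyze -v
    ; Bugcheck analysis as in the post: PROCESS_NAME shows the (15-character, truncated)
    ; EPROCESS ImageFileName of the process that was running when the crash occurred.

kd> .process /r /p @$proc
    ; Switch to the address space of the current process.
    ; /p uses the process page tables so user-mode memory can be read,
    ; /r reloads user-mode symbols for the modules mapped in that process.

kd> .reload /user
    ; Explicitly reload symbols for the user-mode modules (ntdll, wow64*, the test tool).

kd> kv
    ; 64-bit view of the stack: kernel frames, KiSystemServiceCopyEnd, then the
    ; wow64cpu!/wow64! thunks, exactly as in the posted STACK_TEXT. The 32-bit
    ; application frames are not visible from the native (x64) view.

kd> !wow64exts.sw
    ; Switch the debugger to the 32-bit (x86) context of this WOW64 thread.

kd> kv
    ; Now the stack shows the x86 user-mode frames: the 32-bit ntdll and kernel32
    ; wrappers around WriteFile, then the test tool's own functions (requires the
    ; tool's PDB on the symbol path to resolve names).

kd> !wow64exts.sw
    ; Switch back to the native 64-bit context before continuing kernel analysis.
```

If the dump is a minidump (small memory dump), the user-mode pages of the process are usually not included, so the 32-bit frames will not resolve; a kernel or complete memory dump is needed for this to work.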

Answers