[CaseStudy][WinDbg] Crash - Break instruction exception ~ 賈格的神秘古堡

2014-03-22

[CaseStudy][WinDbg] Crash - Break instruction exception

[Scenario]
User 從Agent打開log 立即發生了Crash

[開始查案]
根據收到的Dump

0:000> !analyze -v

FAULTING_IP: 

+ff79600

00000000`00000000 ??              ???

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)

ExceptionAddress: 0000000000000000

   ExceptionCode: 80000003 (Break instruction exception)

  ExceptionFlags: 00000000

NumberParameters: 0

STACK_TEXT:  

00000000`0011f9f8 000007fe`fd8b1430 : 00000000`01e975d0 00000000`7752300a 00000000`01e975d0 00000000`01e9d868 : ntdll!NtWaitForMultipleObjects+0xa

00000000`0011fa00 00000000`77511220 : 00000000`0011fb40 00000000`0011fb30 00000000`00000000 00000000`00000000 : KERNELBASE!WaitForMultipleObjectsEx+0xe8

00000000`0011fb00 00000001`40034e09 : 00000000`00000000 7fffffff`fffffffe 00000001`4012d390 00000000`00000000 : kernel32!WaitForMultipleObjects+0xb0

00000000`0011fb90 00000001`4002afc7 : 00000001`40137fc0 00000000`00000000 00000000`00000000 00000000`001c3a00 : XXX!CWindowManagerClient::Run+0xe9

...(Ignore)

只知道原因是Break instruction exception 但是從這個Stack看起來卻沒有幫助因為這條Stack就是顯示主程式起來之後在等結束

正常我們會從FOLLOWUP_IP來看預計下一步會執行的點

FOLLOWUP_IP: 

XXX!CWindowManagerClient::Run+e9 
00000001`40034e09 3d81000000      cmp     eax,81h

0:000> uf 00000001`40034e09
XXX!CWindowManagerClient::Run+0xd1 [XXX\windowmanagerclient.cpp @ 168]:
  168 00000001`40034df1 41b901000000    mov     r9d,1
  168 00000001`40034df7 4533c0          xor     r8d,r8d
  168 00000001`40034dfa 488d542468      lea     rdx,[rsp+68h]
  168 00000001`40034dff 418d4901        lea     ecx,[r9+1]
  168 00000001`40034e03 ff1537080a00    call    qword ptr [XXX!_imp_WaitForMultipleObjects (00000001`400d5640)]
  169 00000001`40034e09 3d81000000      cmp     eax,81h
  169 00000001`40034e0e 7775            ja      XXX!CWindowManagerClient::Run+0x165 (00000001`40034e85)

可以看出就是在00000001`40034e03 Call _imp_WaitForMultipleObjects時出了問題

但是這樣還是看不出什麼端倪

所以先列出所有的thread 看是否有異狀

0:000> ~*knb
...(Ignore)
...
22  Id: 6b98.1eb0 Suspend: 0 Teb: 000007ff`fff7c000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 00000000`09cb89c8 000007fe`fd8b1430 ntdll!NtWaitForMultipleObjects+0xa
01 00000000`09cb89d0 00000000`77522ce3 KERNELBASE!WaitForMultipleObjectsEx+0xe8
02 00000000`09cb8ad0 00000000`77599105 kernel32!WaitForMultipleObjectsExImplementation+0xb3
03 00000000`09cb8b60 00000000`77599287 kernel32!WerpReportFaultInternal+0x215
04 00000000`09cb8c00 00000000`775992df kernel32!WerpReportFault+0x77
05 00000000`09cb8c30 00000000`775994fc kernel32!BasepReportFault+0x1f
06 00000000`09cb8c60 00000000`60201ad5 kernel32!UnhandledExceptionFilter+0x1fc
07 00000000`09cb8d40 00000000`60203547 XXX!_invalid_parameter+0xc5 [f:\sp\vctools\crt_bld\self_64_amd64\crt\src\invarg.c @ 88]
08 00000000`09cb9300 00000000`6006758b XXX!wcscpy_s+0x97 [f:\sp\vctools\crt_bld\self_64_amd64\crt\src\tcscpy_s.inl @ 30]
09 00000000`09cb9340 00000000`600502d7 XXX!CLogQueryEntry::FillDlpData+0x11bb [XXX\logcl_logquery.cpp @ 3211]
0a 00000000`09cb9510 00000000`60049349 XXX!CLogQueryEntry::OnLogviewVirus+0x17f7 [XXX\logcl_logquery.cpp @ 900]

結果在第22條thread 發現了UnhandledException
很明顯
在做wcscpy_s 時參數錯誤
來看看定義

errno_t wcscpy_s(
   wchar_t *strDestination,
   size_t numberOfElements,
   const wchar_t *strSource 
);

這題的答案是
wcscpy_s 時的Src size 比Des大所以造成Crash

0 意見:

張貼留言

賈格的神秘古堡

[公告] 網誌搬家囉搬到 Medium 囉 : https://medium.com/juggernauts-agile-stories

Settings

Tags

About Juggernaut

2014-03-22

[CaseStudy][WinDbg] Crash - Break instruction exception

0 意見:

搜尋此網誌

Total Pageviews

Popular Posts

Categories

標籤

Blog Archive