All of these bugs were found between 20.03 and 31.03.2017.
To reproduce the crash you will need:
- Windows XP SP3 (I have it on VirtualBox)
- IrfanView 4.44
- WinDbg to check what's going on...
- gflags /p /enable i_view32.exe /full (full page heap for IrfanView's process)
If you need any help... try F1.
Sample #01 - Crash when reading MP4 file
----------------------------------------------------
We will start here:
---<cut>---
(2e4.7c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02ab4041 ebx=02ab2230 ecx=02ab0000 edx=01862498 esi=02ab3339 edi=02ab32ed
eip=748ac310 esp=0012ac74 ebp=0012ad14 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\quartz.dll -
quartz!AMGetErrorTextA+0x90989:
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
748ac310 81780465647473 cmp dword ptr [eax+4],73746465h ds:0023:02ab4045=????????
0:000> g
(2e4.7c): Access violation - code c0000005 (!!! second chance !!!)
eax=02ab4041 ebx=02ab2230 ecx=02ab0000 edx=01862498 esi=02ab3339 edi=02ab32ed
eip=748ac310 esp=0012ac74 ebp=0012ad14 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
quartz!AMGetErrorTextA+0x90989:
748ac310 81780465647473 cmp dword ptr [eax+4],73746465h ds:0023:02ab4045=????????
---<cut>---
Then:
---<cut>---
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ad14 747e87e0 0186254c 0186254c 02ab2340 quartz!AMGetErrorTextA+0x90989
0012b330 747e76b8 01862538 02ab234c 02ab2340 quartz!DllGetClassObject+0x5174
0012b344 747e40a2 01862538 02ab234c 01862540 quartz!DllGetClassObject+0x404c
0012b35c 747edf85 02ab2280 00000000 02ef20a8 quartz!DllGetClassObject+0xa36
0012b37c 747ee7cf 02ab234c 02ef20a8 01862540 quartz!DllGetClassObject+0xa919
0012b3a0 747ee367 02ab234c 00000000 02ef20a8 quartz!DllGetClassObject+0xb163
0012b3cc 747ee2f1 02ab234c 00000000 02a94aa0 quartz!DllGetClassObject+0xacfb
0012b3e4 747ee040 0186247c 02ab234c 00000000 quartz!DllGetClassObject+0xac85
0012b410 747ee563 0186254c 02ab234c 00000000 quartz!DllGetClassObject+0xa9d4
0012b470 747eea6e 0186254c 02ab223c 00000001 quartz!DllGetClassObject+0xaef7
0012b6dc 747e4cb0 0186254c 0012b708 00000001 quartz!DllGetClassObject+0xb402
0012b754 747e4fd9 0186254c 00000001 0012b7a8 quartz!DllGetClassObject+0x1644
0012b770 747e4f38 0186254c 00000000 0012b7a8 quartz!DllGetClassObject+0x196d
*** WARNING: Unable to verify checksum for C:\Program Files\IrfanView\Plugins\VIDEO.DLL
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\IrfanView\Plugins\VIDEO.DLL -
0012b840 02541095 02a94aa0 0012b94c 00000000 quartz!DllGetClassObject+0x18cc
0012bb54 02542934 0012bd4c 7c83644c 00578420 VIDEO+0x1095
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\IrfanView\i_view32.exe
0012bbb0 0043f562 0006014e 00400000 0000d570 VIDEO!PlayVideoShow+0x1c4
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0012bbe8 7c8364a0 00000000 0012bc00 7e36885a i_view32+0x3f562
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
0012bbf4 7e36885a 0012bc10 7e36882a 00000000 kernel32!GetPrivateProfileIntA+0x54
0012bc4c 7e36882a 7e378ea0 00000000 004bbae0 USER32!GetDC+0x193
0012bc50 7e378ea0 00000000 004bbae0 0006014e USER32!GetDC+0x163
---<cut>---
...and...
---<cut>---
0:000> u eip-10 L15
quartz!AMGetErrorTextA+0x90979:
748ac300 04ff add al,0FFh
748ac302 4d dec ebp
748ac303 b075 mov al,75h
748ac305 ef out dx,eax
748ac306 ff4db4 dec dword ptr [ebp-4Ch]
748ac309 8bc6 mov eax,esi
748ac30b 75df jne quartz!AMGetErrorTextA+0x90965 (748ac2ec)
748ac30d 8b45c8 mov eax,dword ptr [ebp-38h]
748ac310 81780465647473 cmp dword ptr [eax+4],73746465h
748ac317 7573 jne quartz!AMGetErrorTextA+0x90a05 (748ac38c)
748ac319 6865647473 push 73746465h
748ac31e ff75c0 push dword ptr [ebp-40h]
748ac321 8d45b8 lea eax,[ebp-48h]
748ac324 50 push eax
748ac325 8d45cc lea eax,[ebp-34h]
748ac328 50 push eax
748ac329 8d45d0 lea eax,[ebp-30h]
748ac32c 50 push eax
748ac32d e83be7ffff call quartz!AMGetErrorTextA+0x8f0e6 (748aaa6d)
748ac332 85c0 test eax,eax
748ac334 0f848d050000 je quartz!AMGetErrorTextA+0x90f40 (748ac8c7)
---<cut>---
So finally we're here:
---<cut>---
0:000> dd ebp
0012ad14 0012b330 747e87e0 0186254c 0186254c
0012ad24 02ab2340 747e43aa 747ee811 747ee367
0012ad34 747ee2f1 00000050 00605a84 0060d950
0012ad44 6bb92cd2 0012ac9c 747e4f38 0012ade8
0012ad54 7c90e900 7c9115e0 ffffffff 7c9115d9
0012ad64 7c969976 00000070 02ef20a8 00000048
0012ad74 0012ad98 7c9699f2 00151000 02ef20a8
0012ad84 00000048 00000070 00000000 00000048
0:000> dd ebp-38
0012acdc 02ab4041 00000d54 02ab4041 02ab2230
0012acec 0012acf8 747d72a6 01862428 0012ad04
0012acfc 747d70d1 01862434 0012ad10 747d9e3c
0012ad0c 01862540 00006b50 0012b330 747e87e0
0012ad1c 0186254c 0186254c 02ab2340 747e43aa
0012ad2c 747ee811 747ee367 747ee2f1 00000050
0012ad3c 00605a84 0060d950 6bb92cd2 0012ac9c
0012ad4c 747e4f38 0012ade8 7c90e900 7c9115e0
0:000> u ebp-38
<Unloaded_dll.dll>+0x12acdb:
0012acdc 41 inc ecx
0012acdd 40 inc eax
0012acde ab stos dword ptr es:[edi]
0012acdf 02540d00 add dl,byte ptr [ebp+ecx]
0012ace3 004140 add byte ptr [ecx+40h],al
0012ace6 ab stos dword ptr es:[edi]
0012ace7 0230 add dh,byte ptr [eax]
0012ace9 22ab02f8ac12 and ch,byte ptr <Unloaded_dll.dll>+0x12acf801 (12acf802)[ebx]
0:000> dd ecx
02ab0000 00000000 00000002 00000000 e0e0e0e0
02ab0010 e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
02ab0020 e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
02ab0030 e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
02ab0040 e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
02ab0050 e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
02ab0060 e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
02ab0070 e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
0:000> dd eax
02ab4041 ???????? ???????? ???????? ????????
02ab4051 ???????? ???????? ???????? ????????
02ab4061 ???????? ???????? ???????? ????????
02ab4071 ???????? ???????? ???????? ????????
02ab4081 ???????? ???????? ???????? ????????
02ab4091 ???????? ???????? ???????? ????????
02ab40a1 ???????? ???????? ???????? ????????
02ab40b1 ???????? ???????? ???????? ????????
---<cut>---
Now our "quick summary" from !analyze -v looks a bit different than before:
---<cut>---
FAULTING_IP:
quartz!AMGetErrorTextA+90989
748ac310 81780465647473 cmp dword ptr [eax+4],73746465h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 748ac310 (quartz!AMGetErrorTextA+0x00090989)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 02ab4045
Attempt to read from address 02ab4045
FAULTING_THREAD: 0000007c
PROCESS_NAME: i_view32.exe
MODULE_NAME: quartz
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 480391a8
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 02ab4045
READ_ADDRESS: 02ab4045
FOLLOWUP_IP:
quartz!AMGetErrorTextA+90989
748ac310 81780465647473 cmp dword ptr [eax+4],73746465h
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 747e87e0 to 748ac310
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ad14 747e87e0 0186254c 0186254c 02ab2340 quartz!AMGetErrorTextA+0x90989
0012b330 747e76b8 01862538 02ab234c 02ab2340 quartz!DllGetClassObject+0x5174
0012b344 747e40a2 01862538 02ab234c 01862540 quartz!DllGetClassObject+0x404c
0012b35c 747edf85 02ab2280 00000000 02ef20a8 quartz!DllGetClassObject+0xa36
0012b37c 747ee7cf 02ab234c 02ef20a8 01862540 quartz!DllGetClassObject+0xa919
0012b3a0 747ee367 02ab234c 00000000 02ef20a8 quartz!DllGetClassObject+0xb163
0012b3cc 747ee2f1 02ab234c 00000000 02a94aa0 quartz!DllGetClassObject+0xacfb
0012b3e4 747ee040 0186247c 02ab234c 00000000 quartz!DllGetClassObject+0xac85
0012b410 747ee563 0186254c 02ab234c 00000000 quartz!DllGetClassObject+0xa9d4
0012b470 747eea6e 0186254c 02ab223c 00000001 quartz!DllGetClassObject+0xaef7
0012b6dc 747e4cb0 0186254c 0012b708 00000001 quartz!DllGetClassObject+0xb402
0012b754 747e4fd9 0186254c 00000001 0012b7a8 quartz!DllGetClassObject+0x1644
0012b770 747e4f38 0186254c 00000000 0012b7a8 quartz!DllGetClassObject+0x196d
0012b840 02541095 02a94aa0 0012b94c 00000000 quartz!DllGetClassObject+0x18cc
0012bb54 02542934 0012bd4c 7c83644c 00578420 VIDEO+0x1095
0012bbb0 0043f562 0006014e 00400000 0000d570 VIDEO!PlayVideoShow+0x1c4
0012bbe8 7c8364a0 00000000 0012bc00 7e36885a i_view32+0x3f562
0012bbf4 7e36885a 0012bc10 7e36882a 00000000 kernel32!GetPrivateProfileIntA+0x54
0012bc4c 7e36882a 7e378ea0 00000000 004bbae0 USER32!GetDC+0x193
0012bc50 7e378ea0 00000000 004bbae0 0006014e USER32!GetDC+0x163
0012bc70 7e378eab 7c83644c 0006014e 00000002 USER32!DefWindowProcW+0x180
0012bca0 7e378eab 7e378eec 01a9e150 0000000f USER32!DefWindowProcW+0x18b
0012bca4 7e378eec 01a9e150 0000000f 00000000 USER32!DefWindowProcW+0x18b
0012bcb4 7e378efc 00000000 00000000 00000000 USER32!DefWindowProcW+0x1cc
00000000 00000000 00000000 00000000 00000000 USER32!DefWindowProcW+0x1dc
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: quartz!AMGetErrorTextA+90989
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: quartz.dll
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_quartz.dll!AMGetErrorTextA
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/i_view32_exe/4_4_4_0/5857b80a/quartz_dll/6_5_2600_5512/480391a8/c0000005/000ec310.htm?Retriage=1
---<cut>---
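In Sample #01 the faulting instruction compares the dword at [eax+4] with 73746465h, which read as little-endian bytes is the FourCC "edts" (the MP4 edit-list container), while the read at 02ab4045 lands in unmapped memory: a box walker is testing the type field of a header it never confirmed lies inside the buffer. The Python below is an added example, not IrfanView's or quartz.dll's code; it decodes that immediate and shows the bounds-checked walk that rejects a constructed file whose 'moov' box claims more bytes than remain (box layout per ISO BMFF; both sample files are constructed here).

```python
import struct

# Boxes whose payload is itself a list of boxes (ISO BMFF container types).
CONTAINER_BOXES = {b"moov", b"trak", b"edts", b"mdia", b"minf", b"stbl"}


def fourcc_from_imm32(imm):
    """Decode the 32-bit immediate of a 'cmp dword ptr [..], imm32' back into
    the FourCC it tests for: the dword is little-endian in memory, so the low
    byte is the first character of the box type."""
    return imm.to_bytes(4, "little").decode("ascii")


def walk_boxes(buf, offset=0, end=None):
    """Yield (offset, type, size) for each box in buf[offset:end], recursing
    into containers. Every header and every declared size is checked against
    the bytes that actually remain before it is used."""
    if end is None:
        end = len(buf)
    while offset < end:
        if end - offset < 8:
            raise ValueError("truncated box header at offset %#x" % offset)
        size, = struct.unpack_from(">I", buf, offset)
        btype = buf[offset + 4:offset + 8]
        header_len = 8
        if size == 1:  # 64-bit 'largesize' follows the type field
            if end - offset < 16:
                raise ValueError("truncated largesize header at %#x" % offset)
            size, = struct.unpack_from(">Q", buf, offset + 8)
            header_len = 16
        elif size == 0:  # box runs to the end of the enclosing range
            size = end - offset
        if size < header_len or size > end - offset:
            raise ValueError("box %r at %#x claims %d bytes, only %d remain"
                             % (btype, offset, size, end - offset))
        yield offset, btype, size
        if btype in CONTAINER_BOXES:
            yield from walk_boxes(buf, offset + header_len, offset + size)
        offset += size


def validate_mp4(buf):
    """Return (True, box path) for a well-formed box tree, (False, reason) otherwise."""
    try:
        types = [t.decode("ascii", "replace") for _, t, _ in walk_boxes(buf)]
    except ValueError as exc:
        return False, str(exc)
    return True, "/".join(types)


def _box(fourcc, payload=b""):
    """Build one box: 4-byte big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + fourcc + payload


# Constructed sample 1: ftyp, then moov > trak > edts > elst, all sizes consistent.
GOOD_SAMPLE = _box(b"ftyp", b"isom") + _box(
    b"moov", _box(b"trak", _box(b"edts", _box(b"elst", b"\x00" * 12))))

# Constructed sample 2: a 'moov' header that claims 0x1000 bytes when only 16
# remain. An unchecked walker would fetch the next header from offset 0x100c,
# far outside the buffer, which is the shape of the read fault in Sample #01.
BAD_SAMPLE = _box(b"ftyp", b"isom") + struct.pack(">I", 0x1000) + b"moov" + b"\x00" * 8

if __name__ == "__main__":
    print("immediate 0x73746465 ->", fourcc_from_imm32(0x73746465))
    print("good:", validate_mp4(GOOD_SAMPLE))
    print("bad: ", validate_mp4(BAD_SAMPLE))
```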
Sample #02 - Crash when reading TIF/TIFF
-------------------------------------------------------------
We will start here:
---<cut>---
FAULTING_IP:
ntdll!RtlAllocateHeap+24a
7c9102ee 813850450000 cmp dword ptr [eax],4550h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c9102ee (ntdll!RtlAllocateHeap+0x0000024a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 02b5a001
Attempt to read from address 02b5a001
FAULTING_THREAD: 000003f8
PROCESS_NAME: i_view32.exe
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 02b5a001
READ_ADDRESS: 02b5a001
FOLLOWUP_IP:
ntdll!RtlAllocateHeap+24a
7c9102ee 813850450000 cmp dword ptr [eax],4550h
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. ; Enable Pageheap/AutoVerifer
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 7c91726f to 7c9102ee
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012b6ec 7c91726f 02780000 7c97bfda 7ffdfd12 ntdll!RtlAllocateHeap+0x24a
0012b9a0 7c916866 002de6c8 0012b9c8 0012b900 ntdll!RtlDosSearchPath_U+0x296
0012ba1c 7c916698 00000001 002de6c8 00000000 ntdll!LdrGetDllHandleEx+0x1c5
0012ba38 7c801d23 002de6c8 00000000 0012ba64 ntdll!LdrGetDllHandle+0x18
0012baa0 7c801d72 7ffdfc00 00000000 00000002 kernel32!LoadLibraryExW+0x22e
0012bab4 02541c45 00578200 00000000 00000002 kernel32!LoadLibraryExA+0x1f
0012bc04 0254223b 00578200 0012bc1c ffffffff TOOLS!CreateTextEffect+0x515
0012bc20 0049592c 00578200 0056602c 00578200 TOOLS!ScanResourceImages+0x1b
0012bc24 00578200 0056602c 00578200 00000019 i_view32+0x9592c
0012bc28 0056602c 00578200 00000019 4c4f4f54 i_view32+0x178200
0012bc2c 00578200 00000019 4c4f4f54 4c442e53 i_view32+0x16602c
0012bc30 00000000 4c4f4f54 4c442e53 0000004c i_view32+0x178200
SYMBOL_NAME: heap_corruption!heap_corruption
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_heap_corruption!heap_corruption
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/i_view32_exe/4_4_4_0/5857b80a/ntdll_dll/5_1_2600_5512/48039211/c0000005/000102ee.htm?Retriage=1
---<cut>---
...and...
---<cut>---
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012b6ec 7c91726f 02780000 7c97bfda 7ffdfd12 ntdll!RtlAllocateHeap+0x24a
0012b9a0 7c916866 002de6c8 0012b9c8 0012b900 ntdll!RtlDosSearchPath_U+0x296
0012ba1c 7c916698 00000001 002de6c8 00000000 ntdll!LdrGetDllHandleEx+0x1c5
0012ba38 7c801d23 002de6c8 00000000 0012ba64 ntdll!LdrGetDllHandle+0x18
0012baa0 7c801d72 7ffdfc00 00000000 00000002 kernel32!LoadLibraryExW+0x22e
0012bab4 02541c45 00578200 00000000 00000002 kernel32!LoadLibraryExA+0x1f
0012bc04 0254223b 00578200 0012bc1c ffffffff TOOLS!CreateTextEffect+0x515
0012bc20 0049592c 00578200 0056602c 00578200 TOOLS!ScanResourceImages+0x1b
0012bc24 00578200 0056602c 00578200 00000019 i_view32+0x9592c
0012bc28 0056602c 00578200 00000019 4c4f4f54 i_view32+0x178200
0012bc2c 00578200 00000019 4c4f4f54 4c442e53 i_view32+0x16602c
0012bc30 00000000 4c4f4f54 4c442e53 0000004c i_view32+0x178200
0:000> u TOOLS!CreateTextEffect+0x515
TOOLS!CreateTextEffect+0x515:
02541c45 8bf8 mov edi,eax
02541c47 85ff test edi,edi
02541c49 0f8406010000 je TOOLS!CreateTextEffect+0x625 (02541d55)
02541c4f 391d086b5602 cmp dword ptr [TOOLS!IVLoadImage+0x1b268 (02566b08)],ebx
02541c55 752e jne TOOLS!CreateTextEffect+0x555 (02541c85)
02541c57 53 push ebx
02541c58 ff35f0785602 push dword ptr [TOOLS!IVLoadImage+0x1c050 (025678f0)]
02541c5e 53 push ebx
0:000> dd edi
00361ebc 00361f10 00363680 00361f18 00363688
00361ecc 00361fa8 00363360 00000000 a0a0a0a0
00361edc a0a0a0a0 00000000 00000000 000c0011
00361eec 00100329 abcdaaaa 815c1000 00000050
00361efc 00000078 00000000 00000000 00000000
00361f0c dcbaaaaa 00361f98 00361ebc 00361fa0
00361f1c 00361ec4 00000000 00000000 00400000
00361f2c 005ae870 001bc000 0050004e 0002060c
---<cut>---
Sample #03 - (another) TIF/TIFF crash
------------------------------------------------------------
We will start here:
---<cut>---
FAULTING_IP:
ntdll!RtlpImageNtHeader+35
7c9102ee 813850450000 cmp dword ptr [eax],4550h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c9102ee (ntdll!RtlpImageNtHeader+0x00000035)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 029da001
Attempt to read from address 029da001
FAULTING_THREAD: 000000fc
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: image00400000
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 029da001
READ_ADDRESS: 029da001
FOLLOWUP_IP:
TOOLS!CreateTextEffect+515
024b1c45 8bf8 mov edi,eax
NTGLOBALFLAG: 2000000
APPLICATION_VERIFIER_FLAGS: 0
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 7c91726f to 7c9102ee
STACK_TEXT:
0012b6ec 7c91726f 02600000 7c97bfda 7ffdfd12 ntdll!RtlpImageNtHeader+0x35
0012b9a0 7c916866 002b7d40 0012b9c8 0012b900 ntdll!LdrpCheckForLoadedDll+0x4cd
0012ba1c 7c916698 00000001 002b7d40 00000000 ntdll!LdrGetDllHandleEx+0x258
0012ba38 7c801d23 002b7d40 00000000 0012ba64 ntdll!LdrGetDllHandle+0x18
0012baa0 7c801d72 7ffdfc00 00000000 00000002 kernel32!LoadLibraryExW+0x161
0012bab4 024b1c45 00578200 00000000 00000002 kernel32!LoadLibraryExA+0x1f
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bc04 024b223b 00578200 0012bc1c ffffffff TOOLS!CreateTextEffect+0x515
0012bc20 0049592c 00578200 0056602c 00578200 TOOLS!ScanResourceImages+0x1b
0012bc24 00578200 0056602c 00578200 00000019 image00400000+0x9592c
0012bc28 0056602c 00578200 00000019 4c4f4f54 image00400000+0x178200
0012bc2c 00578200 00000019 4c4f4f54 4c442e53 image00400000+0x16602c
0012bc30 00000000 4c4f4f54 4c442e53 0000004c image00400000+0x178200
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: TOOLS!CreateTextEffect+515
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: TOOLS
IMAGE_NAME: TOOLS.DLL
DEBUG_FLR_IMAGE_TIMESTAMP: 56a6297a
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_TOOLS.DLL!CreateTextEffect
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_TOOLS!CreateTextEffect+515
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/image00400000/4_4_4_0/5857b80a/ntdll_dll/5_1_2600_5512/48039211/c0000005/000102ee.htm?Retriage=1
---<cut>---
Sample #04 - Parsing EXE file
-------------------------------------------------
We will start here:
---<cut>---
eip=7c85ffd0 esp=0012ba58 ebp=0012bab4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
kernel32!EnumResourceTypesA+0x8c:
7c85ffd0 0fb706 movzx eax,word ptr [esi] ds:0023:117be1f0=????
0:000> kb
*** WARNING: Unable to verify checksum for C:\Program Files\IrfanView\Plugins\TOOLS.DLL
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\IrfanView\Plugins\TOOLS.DLL -
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bab4 02541d19 02780001 02541bd0 0012baec kernel32!EnumResourceTypesA+0x8c
0012bc04 0254223b 00578200 0012bc1c ffffffff TOOLS!CreateTextEffect+0x5e9
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\IrfanView\i_view32.exe
0012bc20 0049592c 00578200 0056602c 00578200 TOOLS!ScanResourceImages+0x1b
0012bc24 00578200 0056602c 00578200 00000019 i_view32+0x9592c
0012bc28 0056602c 00578200 00000019 4c4f4f54 i_view32+0x178200
0012bc2c 00578200 00000019 4c4f4f54 4c442e53 i_view32+0x16602c
0012bc30 00000000 4c4f4f54 4c442e53 0000004c i_view32+0x178200
FAULTING_IP:
kernel32!EnumResourceTypesA+8c
7c85ffd0 0fb706 movzx eax,word ptr [esi]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c85ffd0 (kernel32!EnumResourceTypesA+0x0000008c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 117be1f0
Attempt to read from address 117be1f0
FAULTING_THREAD: 00000730
PROCESS_NAME: i_view32.exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: TOOLS
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 56a6297a
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 117be1f0
READ_ADDRESS: 117be1f0
FOLLOWUP_IP:
TOOLS!CreateTextEffect+5e9
02541d19 8b85e8feffff mov eax,dword ptr [ebp-118h]
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 02541d19 to 7c85ffd0
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bab4 02541d19 02780001 02541bd0 0012baec kernel32!EnumResourceTypesA+0x8c
0012bc04 0254223b 00578200 0012bc1c ffffffff TOOLS!CreateTextEffect+0x5e9
0012bc20 0049592c 00578200 0056602c 00578200 TOOLS!ScanResourceImages+0x1b
0012bc24 00578200 0056602c 00578200 00000019 i_view32+0x9592c
0012bc28 0056602c 00578200 00000019 4c4f4f54 i_view32+0x178200
0012bc2c 00578200 00000019 4c4f4f54 4c442e53 i_view32+0x16602c
0012bc30 00000000 4c4f4f54 4c442e53 0000004c i_view32+0x178200
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: TOOLS!CreateTextEffect+5e9
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: TOOLS.DLL
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_TOOLS.DLL!CreateTextEffect
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/i_view32_exe/4_4_4_0/5857b80a/kernel32_dll/5_1_2600_5512/48039212/c0000005/0005ffd0.htm?Retriage=1
---<cut>---
Sample #05 - Parsing WMV file
--------------------------------------------------
Just checking...
---<cut>---
FAULTING_IP:
VIDEO!GetFirstVideoFrame+22d
024b349d 8b03 mov eax,dword ptr [ebx]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 024b349d (VIDEO!GetFirstVideoFrame+0x0000022d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
FAULTING_THREAD: 0000076c
PROCESS_NAME: image00400000
MODULE_NAME: VIDEO
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 577cf836
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod "0x%08lx" odwo
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
VIDEO!GetFirstVideoFrame+22d
024b349d 8b03 mov eax,dword ptr [ebx]
BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: NULL_POINTER_READ
DEFAULT_BUCKET_ID: NULL_POINTER_READ
LAST_CONTROL_TRANSFER: from 00000000 to 024b349d
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 VIDEO!GetFirstVideoFrame+0x22d
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: VIDEO!GetFirstVideoFrame+22d
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: VIDEO.DLL
STACK_COMMAND: ~4s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_VIDEO.DLL!GetFirstVideoFrame
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/image00400000/4_4_4_0/5857b80a/VIDEO_DLL/4_4_0_0/577cf836/c0000005/0000349d.htm?Retriage=1
---<cut>---
* - samples available on request.
Remember to use it only for legal purposes.
Cheers.