Reading Notebook: 11-August-09

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SEH for 64-bit (p. 116) - here is an example from x64 W2K8

0:000> kn
 # Child-SP          RetAddr           Call Site
00 00000000`0016f358 00000000`76d8679a ntdll!ZwReadFile+0xa
01 00000000`0016f360 000007fe`fdedfc9a kernel32!ReadFile+0x8a
02 00000000`0016f3f0 000007fe`fdedfa3b advapi32!ScGetPipeInput+0x3a
03 00000000`0016f440 000007fe`fdede00d advapi32!ScDispatcherLoop+0x9a
04 00000000`0016f540 00000000`ffa11dca advapi32!StartServiceCtrlDispatcherW+0x176
05 00000000`0016f7e0 00000000`ffa124b2 svchost!wmain+0x110
06 00000000`0016f810 00000000`76d8be3d svchost!ScCreateWellKnownSids+0x301
07 00000000`0016f850 00000000`76ec6a51 kernel32!BaseThreadInitThunk+0xd
08 00000000`0016f880 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:000> !exchain
9 stack frames, scanning for handlers...
Frame 0x01: kernel32!ReadFile+0x8a (00000000`76d8679a)
  ehandler kernel32!_C_specific_handler (00000000`76d7dcbc)

Frame 0x04: advapi32!StartServiceCtrlDispatcherW+0x176 (000007fe`fdede00d)
  ehandler advapi32!_GSHandlerCheck_SEH (000007fe`fdf6ab88)

Frame 0x06: svchost!ScCreateWellKnownSids+0x301 (00000000`ffa124b2)
  ehandler svchost!_C_specific_handler (00000000`ffa13ea4)

Frame 0x08: ntdll!RtlUserThreadStart+0x1d (00000000`76ec6a51)
  ehandler ntdll!_C_specific_handler (00000000`76ed9518)

VEH is user-mode only (p. 116) - here is an article by Matt Pietrek about vectored exception handling: http://msdn.microsoft.com/en-us/magazine/cc301714.aspx

Debug object (p. 116) - coincidentally, today I wrote a case study where we can see how an exception dispatcher sends a message: http://www.dumpanalysis.org/blog/index.php/2009/08/11/stack-trace-collection-suspended-threads-not-my-version-special-process-main-thread-and-blocked-lpc-chain-threads-pattern-cooperation/. Also, here is another case study showing the flow of exception processing that originated in user mode and user space: http://www.dumpanalysis.org/blog/index.php/2007/12/07/interrupts-and-exceptions-explained-part-6/

First and second chance exception handling (p. 117) - some time ago I was interested in this mystery and wrote this post: http://www.dumpanalysis.org/blog/index.php/2008/05/22/demystifying-first-chance-exceptions-part-1/

Wercon.exe (p. 120)

WER processing overview (pp. 120 - 125) - some time ago when Vista appeared I did experiments with TestDefaultDebugger.exe (similar to Accvio.exe): http://www.dumpanalysis.org/blog/index.php/2007/05/19/inside-vista-error-reporting-part-1/ 

LocalDumps registry key values (p. 123)
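As an added illustration of the LocalDumps values the book lists (this script is mine, not from the book or the post above), here is how a per-application LocalDumps subkey is configured from an elevated PowerShell session so that crashes of one process leave full user-mode dumps for later WinDbg analysis. The image name and dump folder are placeholders; DumpFolder, DumpCount and DumpType are the documented value names.

```powershell
# Added example: configure WER LocalDumps for a single application.
# DumpFolder (REG_EXPAND_SZ), DumpCount (REG_DWORD) and DumpType (REG_DWORD)
# are the documented LocalDumps values; the image name and folder are placeholders.

$AppName    = 'MyService.exe'     # placeholder: image name of the crashing process
$DumpFolder = 'C:\CrashDumps'     # placeholder: where WER writes the dumps
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Enable-LocalDumps {
    param([string]$Image, [string]$Folder, [int]$Count = 10, [int]$Type = 2)
    # A per-application subkey overrides the global LocalDumps defaults
    $appKey = Join-Path $Key $Image
    if (-not (Test-Path $appKey)) { New-Item -Path $appKey -Force | Out-Null }
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # ExpandString so that environment variables such as %LOCALAPPDATA% are allowed
    Set-ItemProperty -Path $appKey -Name DumpFolder -Value $Folder -Type ExpandString
    # Oldest dumps are discarded once this many exist in the folder
    Set-ItemProperty -Path $appKey -Name DumpCount  -Value $Count  -Type DWord
    # DumpType: 0 = custom (uses CustomDumpFlags), 1 = minidump, 2 = full dump
    Set-ItemProperty -Path $appKey -Name DumpType   -Value $Type   -Type DWord
}

function Get-LocalDumpsConfig {
    param([string]$Image)
    $appKey = Join-Path $Key $Image
    if (-not (Test-Path $appKey)) { return $null }
    Get-ItemProperty -Path $appKey | Select-Object DumpFolder, DumpCount, DumpType
}

Enable-LocalDumps -Image $AppName -Folder $DumpFolder
Get-LocalDumpsConfig -Image $AppName
```

A full dump (DumpType 2) captures the whole process memory, including any credentials or keys the process held, so restrict the ACL on the dump folder to the people who will analyze the dumps.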

- Dmitry Vostokov @ SoftwareGeneralist.com -
