Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Will a Manifest solve this?

5 views
Skip to first unread message

Hector Santos

unread,
Dec 31, 2009, 2:00:45 AM12/31/09
to
I have an old BC45 GUI utility which we just found out GPFs on OSes
other than 2000, NT. I just verified it on my 2003 machine.

Until we can update/port this utility to VS C/C++, I am wondering if I
can provide a temporary solution using a MANIFEST which some articles
seem to suggest?

It appears it is related to COMCTL32.DLL, COMDLG32.DLL or some
UXTHEME.DLL.

There is a snippet of DR.WATSON. I am just wondering if a manifest
can be created for this.

Application exception occurred:
App: L:\wc5\WCEVENT.EXE (pid=1032)
When: 11/18/2006 @ 05:33:33.093
Exception number: c0000005 (access violation)

*----> System Information <----*
Terminal Session Id: 0
Number of Processors: 2
Processor Type: x86 Family 15 Model 6 Stepping 2
Windows Version: 5.2
Current Build: 3790
Service Pack: 1
Current Type: Multiprocessor Free

*----> Task List <----*
032 WCEVENT.EXE

*----> Module List <----*
0000000000400000 - 00000000004d0000: L:\wc5\WCEVENT.EXE
0000000010000000 - 0000000010018000: D:\Program
Files\UltraVNC\vnchooks.dll
00000000762b0000 - 00000000762fa000: D:\WINDOWS\system32\COMDLG32.dll
0000000077380000 - 0000000077412000: D:\WINDOWS\system32\USER32.dll
0000000077420000 - 0000000077523000:
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.1830_x-ww_7AE38CCF\comctl32.dll
0000000077530000 - 00000000775c7000:
D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_5.82.3790.1830_x-ww_1B6F474A\COMCTL32.dll
0000000077b90000 - 0000000077b98000: D:\WINDOWS\system32\VERSION.dll
0000000077ba0000 - 0000000077bfa000: D:\WINDOWS\system32\msvcrt.dll
0000000077c00000 - 0000000077c48000: D:\WINDOWS\system32\GDI32.dll
0000000077c50000 - 0000000077cef000: D:\WINDOWS\system32\RPCRT4.dll
0000000077da0000 - 0000000077df2000: D:\WINDOWS\system32\SHLWAPI.dll
0000000077e40000 - 0000000077f42000: D:\WINDOWS\system32\kernel32.dll
0000000077f50000 - 0000000077fec000: D:\WINDOWS\system32\ADVAPI32.dll
000000007c800000 - 000000007c8c0000: D:\WINDOWS\system32\ntdll.dll
000000007c8d0000 - 000000007d0d4000: D:\WINDOWS\system32\SHELL32.DLL

*----> State Dump for Thread Id 0x13c <----*

eax=00446ce6 ebx=001201bc ecx=0012f50c edx=7c82ed54 esi=009215cc
edi=00000081
eip=009215cc esp=0012f548 ebp=0012f568 iopl=0 nv up ei pl nz
na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206

function: <nosymbols>
No prior disassembly possible
009215cc e808000000 call 009215d9
009215d1 3e9f lahf
009215d3 44 inc esp
009215d4 0054fc12 add [esp+edi*8+0x12],dl
009215d8 00598b add [ecx-0x75],bl
009215db 41 inc ecx
009215dc 04ff add al,0xff
009215de 2100 and [eax],eax
009215e0 1d00000011 sbb eax,0x11000000
FAULT ->009215cc e808000000 call 009215d9
009215d1 3e9f lahf
009215d3 44 inc esp
009215d4 0054fc12 add [esp+edi*8+0x12],dl
009215d8 00598b add [ecx-0x75],bl
009215db 41 inc ecx
009215dc 04ff add al,0xff
009215de 2100 and [eax],eax
009215e0 1d00000011 sbb eax,0x11000000
009215e5 0000 add [eax],al
009215e7 0000 add [eax],al

*----> Stack Back Trace <----*
*** WARNING: Unable to verify checksum for L:\wc5\WCEVENT.EXE
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for L:\wc5\WCEVENT.EXE -
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for D:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for D:\WINDOWS\system32\ntdll.dll -
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f544 00446d4d 001201bc 00000081 00000000 0x9215cc
0012f568 7739c3b7 001201bc 00000081 00000000
WCEVENT!InitWndProc$qp6HWND__uiuil+0x67
0012f594 7739c484 00446ce6 001201bc 00000081 USER32!EnableMenuItem+0x4cd4
0012f60c 7739ca68 00000000 00446ce6 001201bc USER32!EnableMenuItem+0x4da1
0012f668 773948bf 005f2e00 00000081 00000000
USER32!TranslateMessageEx+0xd5
0012f698 7c82ec9e 0012f6b0 00000070 0012fb00
USER32!EnumDisplayMonitors+0xc5
0012f9bc 77394a07 80000008 0012fa40 0012fa54
ntdll!KiUserCallbackDispatcher+0x2e
0012fa68 7738e988 80000008 00474337 0012fa54 USER32!SetWindowLongW+0xd3
0012faa4 0044a829 00000008 00474337 009215e8 USER32!CreateWindowExA+0x33
0012fae0 0044a8d6 0012fc54 00000000 00000000
WCEVENT!InitWndProc$qp6HWND__uiuil+0x3b43
0012fb40 0041ea68 0012fc54 0012fbd8 0012fb9c
WCEVENT!InitWndProc$qp6HWND__uiuil+0x3bf0
0012fb50 004319c7 0012fc54 00000000 00000002
WCEVENT!_GetExceptDLLinfo+0xe9fa
0012fb9c 00431eaa 0012fbd8 00000000 00400000
WCEVENT!PropdlgKbdProc$qiuil+0x293b
0012ff44 0045dd92 00000001 00920008 00000000
WCEVENT!PropdlgKbdProc$qiuil+0x2e1e
0012ff88 0046c5f1 00400000 00000000 0014205f
WCEVENT!StdDlgProc$qp6HWND__uiuil+0xd5e3
0012ffb8 00000000 0047002c 77e523e5 00000000
WCEVENT!StdDlgProc$qp6HWND__uiuil+0x1be42

TIA


--
HLS

Tim Roberts

unread,
Jan 3, 2010, 7:53:46 PM1/3/10
to
Hector Santos <sant...@nospam.gmail.com> wrote:
>
>I have an old BC45 GUI utility which we just found out GPFs on OSes
>other than 2000, NT. I just verified it on my 2003 machine.
>
>Until we can update/port this utility to VS C/C++, I am wondering if I
>can provide a temporary solution using a MANIFEST which some articles
>seem to suggest?
>...

>There is a snippet of DR.WATSON. I am just wondering if a manifest
>can be created for this.
>
>function: <nosymbols>
>No prior disassembly possible
> 009215cc e808000000 call 009215d9
> 009215d1 3e9f lahf
> 009215d3 44 inc esp
> 009215d4 0054fc12 add [esp+edi*8+0x12],dl
> 009215d8 00598b add [ecx-0x75],bl
> 009215db 41 inc ecx
> 009215dc 04ff add al,0xff
> 009215de 2100 and [eax],eax
> 009215e0 1d00000011 sbb eax,0x11000000
>FAULT ->009215cc e808000000 call 009215d9
> 009215d1 3e9f lahf
> 009215d3 44 inc esp
> 009215d4 0054fc12 add [esp+edi*8+0x12],dl
> 009215d8 00598b add [ecx-0x75],bl
> 009215db 41 inc ecx
> 009215dc 04ff add al,0xff
> 009215de 2100 and [eax],eax
> 009215e0 1d00000011 sbb eax,0x11000000
> 009215e5 0000 add [eax],al
> 009215e7 0000 add [eax],al

This code is garbage. You are executing data. There's no way for us to
offer advice on this.
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.

Ivan Brugiolo [MSFT]

unread,
Jan 3, 2010, 9:35:52 PM1/3/10
to
I think Hector later on explained that the code below might be
a JIT-ed piece of code, a-la `ATL-WndProc-Thunk`s, but created by the OWL
framework.

I think he might want to loon into SetProcessDEPPolicy.

--

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Tim Roberts" <ti...@probo.com> wrote in message
news:pue2k5512l7s279lv...@4ax.com...

Tim Roberts

unread,
Jan 6, 2010, 1:14:17 AM1/6/10
to
"Ivan Brugiolo [MSFT]" <ivan...@online.microsoft.com> wrote:
>
>I think Hector later on explained that the code below might be
>a JIT-ed piece of code, a-la `ATL-WndProc-Thunk`s, but created by the OWL
>framework.

The instructions include "lahf" and "inc esp". No compiler of any kind
will every generate those instructions.

Now, it's POSSIBLE that this is some kind of threaded interpreter, where
the "call" instruction expects to find a bunch of data immediately after it
and adjusts the return address to skip over it, but that part is certainly
not executable code.

0 new messages