Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Usermode and possible paged-out or corrupt data.

37 views
Skip to first unread message

Kjell Gunnar

unread,
Oct 20, 2009, 4:18:02 PM10/20/09
to
Environment: usermode dumps, very big MFC 70 app , XP SP2, Windbg
6.11.1.404.

Yes, I have read the previous thread, and understood from Ivan
Brugiolo that memory corruption is likely cause.

I have also a number of dumps where windbg shows this output.

Here is a sample of output at the end of lm:

Unloaded modules:
00720000 00e1002e Unknown_Module_00720000
00530073 00bc00db ocx
00062e05 006a2e69 x
00000fe1 4266610d _han.ocx
132c0000 132e7000 draft.ocx
Missing image name, possible paged-out or corrupt data.

But where in the dump or memory does windbg read when listing unloaded
modules ?
I want to try to set some traps to catch eventually wild writing
pointers

After little googleing I found RtlGetUnloadEventTrace:
http://msdn.microsoft.com/en-us/library/bb432428%28VS.85%29.aspx

ntdll!RtlGetUnloadEventTrace:
7c950e33 b8c0d8977c mov eax,offset ntdll!RtlpUnloadEventTrace

And examin the data from the array RtlpUnloadEventTrace shows sensible
Names and data:

Also is there chances to figure out what windbg think is corrupt ?

Thank you
Kjell Gunnar
========== See output here : ===========
My output from RtlpUnloadEventTrace is not that garbage as lm shows :

r? $t0 = @@masm(ntdll!RtlpUnloadEventTrace)
.echo Addr Base Size Time Module
.for(r $t2=0; @$t2 < 0n16; r $t2 = @$t2 + 1)
{
as /x $Addr @$t0
as /x $Base poi(@$t0)
as /x $Size poi(@$t0 + 4)
as /x $time poi( @$t0 + 4 * 3 )
as /mu ${/v:$Mod} @$t0 + (5*4)
.block
{
.echo ${$Addr}: ${$Base} ${$Size} ${$time} ${$Mod}

}
ad ${/v:$Addr}
ad ${/v:$Base}
ad ${/v:$Size}
ad ${/v:$time}
ad ${/v:$Mod}

r? $t0 = @$t0+ 0x0054

}

Addr Base Size Time Module
0x7c97d8c0: 0x132c0000 0x27000 0x4331500f draft.ocx
0x7c97d914: 0x13290000 0x1b000 0x4266512c disp_han.ocx
0x7c97d968: 0x13220000 0x63000 0x4a1837b2 ddg_a.ocx
0x7c97d9bc: 0x130c0000 0x36000 0x46666ab3 ctsShipWide.ocx
0x7c97da10: 0x13080000 0x2a000 0x48526a3c cb.ocx
0x7c97da64: 0x13050000 0x1f000 0x436b4e94 cargo_temp.ocx
0x7c97dab8: 0x13010000 0x29000 0x45dd5354 azimctr.ocx
0x7c97db0c: 0x12fd0000 0x22000 0x4845566a autro_pt.ocx
0x7c97db60: 0x12fa0000 0x1c000 0x483ff911 autro_oz.ocx
0x7c97dbb4: 0x12f60000 0x22000 0x48c51c67 autro_lp.ocx
0x7c97dc08: 0x12f20000 0x25000 0x41e27400 asc_upca.ocx
0x7c97dc5c: 0x12a10000 0x1a000 0x3d80544f anadata.ocx
0x7c97dcb0: 0x12420000 0x34000 0x46f29331 meas_dh.ocx
0x7c97dd04: 0x145d0000 0x5c000 0x4a8e9bc5 MMMCON~1.OCX
0x7c97dd58: 0x12a40000 0x38000 0x483e9793 sbmotor1.ocx
0x7c97ddac: 0x73420000 0x154000 0x41109750 MSVBVM60.DLL

kim.k...@googlemail.com

unread,
Oct 22, 2009, 9:15:37 AM10/22/09
to
On Oct 20, 10:18 pm, Kjell Gunnar <ktens...@hotmail.com> wrote:
>
> Also is there chances to figure out what windbg think is corrupt ?
>

Have you tried the !analyze -v command? Take a look at
http://www.dumpanalysis.org/blog/index.php/category/windbg-tips-and-tricks/
.

With best regards,
Kim Kulling

Kjell Gunnar

unread,
Oct 23, 2009, 5:42:03 AM10/23/09
to
Hi,
Yes the !analyze prints out :
OVERLAPPED_MODULE: Address regions for '<One of my dll>' and
'Unknown_Module_00720000' overlap

Yes I regulary reads on www.dumpanalysis.org

Regards
Kjell Gunnar
On Oct 22, 3:15 pm, "kim.kull...@googlemail.com"


<kim.kull...@googlemail.com> wrote:
> On Oct 20, 10:18 pm, Kjell Gunnar <ktens...@hotmail.com> wrote:
>
>
>
> > Also is there chances to figure out what windbg think is corrupt ?
>

> Have you tried the !analyze -v command? Take a look athttp://www.dumpanalysis.org/blog/index.php/category/windbg-tips-and-t...

0 new messages