System: Windows XP SP3
Crashing exe: insight3_en.exe
Version: 3.50.0064
Information at the time of the crash:
The stored exception information can be accessed via .ecxr.
(5404.5050): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=7c930323 edx=00000100 esi=00440b6b edi=0006f324
eip=004eb2a8 esp=0006f0f4 ebp=0006f0f4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Module load completed but symbols could not be loaded for Insight3_en.exe
Insight3_en+0xeb2a8:
004eb2a8 8b00 mov eax,dword ptr [eax] ds:0023:00000000=????????
Stack:
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0006f0f4 0044497a 00000000 0000000c 0006f17c Insight3_en+0xeb2a8
0006f104 004438c0 77d4f980 000f084a 000a0acc Insight3_en+0x4497a
0006f17c 00441160 000f084a 00000116 772011ff Insight3_en+0x438c0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for user32.dll -
0006f2bc 77d18734 000f084a 00000116 00010bcd Insight3_en+0x41160
0006f2e8 77d18816 00440b6b 000f084a 00000116 user32!GetDC+0x6d
0006f350 77d28ea0 00000000 00440b6b 000f084a user32!GetDC+0x14f
0006f3a4 77d28eec 0185a660 00000116 00010bcd user32!DefWindowProcW+0x180
0006f3cc 7c92e473 0006f3dc 00000018 0185a660 user32!DefWindowProcW+0x1cc
0006f444 77d2c228 000f084a 00000313 00000000 ntdll!KiUserCallbackDispatcher+0x13
0006f460 77d2c1d5 000f084a 00000313 00000000 user32!DefWindowProcA+0xaa
0006f4a8 77d3e56d 000f084a 00000313 00000000 user32!DefWindowProcA+0x57
0006f4c0 77d308e6 0185a660 00000313 00000000 user32!EnumClipboardFormats+0x30
0006f528 77d4f980 000f084a 000a0acc 00000313 user32!DefFrameProcW+0xb3
0006f548 0042e3dc 000f084a 000a0acc 00000313 user32!DefFrameProcA+0x1b
0006f574 0044135d 000f084a 000a0acc 00000313 Insight3_en+0x2e3dc
0006f6c4 77d18734 000f084a 00000313 00000000 Insight3_en+0x4135d
0006f6f0 77d18816 00440b6b 000f084a 00000313 user32!GetDC+0x6d
0006f758 77d28ea0 00000000 00440b6b 000f084a user32!GetDC+0x14f
0006f7ac 77d28eec 0185a660 00000313 00000000 user32!DefWindowProcW+0x180
0006f7d4 7c92e473 0006f7e4 00000018 0185a660 user32!DefWindowProcW+0x1cc
Look at the disassembly at 004eb2a8:
.text:004EB29B sub_4EB29B proc near ; CODE XREF: sub_44485A+11Bp
.text:004EB29B ; sub_4E7724+1Dp ...
.text:004EB29B
.text:004EB29B arg_0 = dword ptr 8
.text:004EB29B
.text:004EB29B push ebp
.text:004EB29C mov ebp, esp
.text:004EB29E mov eax, [ebp+arg_0]
.text:004EB2A1 mov eax, dword_5C6B80[eax*4]
.text:004EB2A8 mov eax, [eax]
.text:004EB2AA mov eax, [eax+1Ch]
.text:004EB2AD shr eax, 1
.text:004EB2AF and eax, 1
.text:004EB2B2 neg eax
.text:004EB2B4 sbb eax, eax
.text:004EB2B6 inc eax
.text:004EB2B7 pop ebp
.text:004EB2B8 retn 4
.text:004EB2B8 sub_4EB29B endp
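The global variable dword_5C6B80 looks very familiar; it is the same as the one in …
The contents of this global variable and of the index (i.e. arg_0) are as follows: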
0:000> dd 5C6B80 L 1
005c6b80 00000000
0:000> dd ebp+8 L 1
0006f0fc 00000000
With that, locating the fault proceeds exactly as in "Source Insight coredump analysis".
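The faulting routine reconstructed in C, as an added example (not code from the original post or from Source Insight): it puts the unchecked read from the disassembly beside a variant that rejects an empty slot. The type layout, all names and the table size are assumptions; only the offsets and the instruction sequence come from the listing above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout: only the offset used by sub_4EB29B is modelled. */
typedef struct {
    uint8_t  pad[0x1C];   /* unknown fields at +0x00..+0x1B */
    uint32_t flags;       /* read by: mov eax, [eax+1Ch] */
} object_t;

#define SLOT_COUNT 4      /* assumed; the real table size is not on the page */
static object_t **g_slots[SLOT_COUNT];    /* stands in for dword_5C6B80 */

/* Direct transcription of sub_4EB29B: the slot is never checked. */
int flag_clear_unchecked(uint32_t index)
{
    object_t **handle = g_slots[index];   /* mov eax, dword_5C6B80[eax*4] */
    object_t *obj = *handle;              /* mov eax, [eax]  faults if handle is NULL */
    uint32_t bit = (obj->flags >> 1) & 1; /* shr eax, 1 / and eax, 1 */
    return bit ? 0 : 1;                   /* neg / sbb / inc yields 1 - bit */
}

/* Guarded variant: returns -1 instead of dereferencing an empty slot. */
int flag_clear_checked(uint32_t index)
{
    if (index >= SLOT_COUNT)
        return -1;
    object_t **handle = g_slots[index];
    if (handle == NULL || *handle == NULL)
        return -1;
    return (((*handle)->flags >> 1) & 1) ? 0 : 1;
}

int main(void)
{
    static object_t obj;                  /* constructed sample object */
    static object_t *handle = &obj;
    obj.flags = 0x2;                      /* bit 1 set */
    g_slots[1] = &handle;
    printf("slot 1: %d\n", flag_clear_checked(1));
    /* Slot 0 is empty, matching dd 5C6B80 with index 0 in the dump. */
    printf("slot 0: %d\n", flag_clear_checked(0));
    return 0;
}
```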
Time: 2024-10-30 05:25:07