The availability of direct dump modification raises the possibility of such memory dumps specifically modified to alter structural and behavioral diagnostic patterns. For example, to suppress certain module involvement or introduce fictitious past objects and interaction traces such as Execution Residue (Volume 2, page 239) and Module Hints (Volume 6, page 92). There can be 2 types of such artifacts: strong tampering with new or altered information completely integrated into memory fabric and weak tampering to confuse inexperienced software support engineers and memory forensics analysts.
For example, in one such experimental process memory dump we see Exception Stack Trace (Volume 4. Page 337) pointing to a problem in calc module:
0:003> k Child-SP RetAddr Call Site 00000000`0244e858 000007fe`fd061430 ntdll!NtWaitForMultipleObjects+0xa 00000000`0244e860 00000000`76ec1723 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`0244e960 00000000`76f3b5e5 kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`0244e9f0 00000000`76f3b767 kernel32!WerpReportFaultInternal+0x215 00000000`0244ea90 00000000`76f3b7bf kernel32!WerpReportFault+0x77 00000000`0244eac0 00000000`76f3b9dc kernel32!BasepReportFault+0x1f 00000000`0244eaf0 00000000`77153398 kernel32!UnhandledExceptionFilter+0x1fc 00000000`0244ebd0 00000000`770d85c8 ntdll! ?? ::FNODOBFM::`string'+0x2365 00000000`0244ec00 00000000`770e9d2d ntdll!_C_specific_handler+0x8c 00000000`0244ec70 00000000`770d91cf ntdll!RtlpExecuteHandlerForException+0xd 00000000`0244eca0 00000000`77111248 ntdll!RtlDispatchException+0x45a 00000000`0244f380 00000000`ffdbdb27 ntdll!KiUserExceptionDispatch+0×2e 00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2 00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd 00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0×1d
The default analysis command (!analyse -v) diagnoses “stack corruption”:
FAULTING_IP: kernel32!UnhandledExceptionFilter+1fc 00000000`76f3b9dc 448bf0 mov r14d,eax EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0000000076f3b9dc (kernel32!UnhandledExceptionFilter+0x00000000000001fc) ExceptionCode: 0244e9f0 ExceptionFlags: 00000000 NumberParameters: 0
DEFAULT_BUCKET_ID: STACK_CORRUPTION PRIMARY_PROBLEM_CLASS: STACK_CORRUPTION BUGCHECK_STR: APPLICATION_FAULT_STACK_CORRUPTION IP_ON_HEAP: 8d483674c33bfffa The fault address in not in any loaded module, please check your build's rebase log at <releasedir>inuild_logs imebuild trebase.log for module which may contain the address if it were loaded. UNALIGNED_STACK_POINTER: 0000000076f3b767 STACK_TEXT: 00000000`00000000 00000000`00000000 calc!CTimedCalc::WatchDogThread+0x0 FOLLOWUP_IP: calc!CTimedCalc::WatchDogThread+0 00000000`ffd92254 48895c2408 mov qword ptr [rsp+8],rbx
Stored Exception (Volume 6, page 119) resembles signs of Local Buffer Overflow (Volume 1, page 461): segment register values and CPU flags have suspiciously invalid values, possibly from Lateral Damage (Volume 1, page 264):
0:003> .ecxr rax=0000000000000000 rbx=0000000000000001 rcx=000000000244ec30 rdx=000000000244ec30 rsi=0100000000000080 rdi=0000000000000158 rip=0000000076f3b9dc rsp=0000000076f3b767 rbp=0000000000000000 r8=0000000000000000 r9=ffffffffffffffff r10=0000000076f3b7bf r11=000000000244ec30 r12=0000000000000001 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up di pl nz na pe nc cs=0000 ss=0000 ds=0266 es=0000 fs=0000 gs=0154 efl=00000000 kernel32!UnhandledExceptionFilter+0×1fc: 00000000`76f3b9dc 448bf0 mov r14d,eax 0:003> k *** Stack trace for last set context - .thread/.cxr resets it Child-SP RetAddr Call Site 00000000`76f3b767 8d483674`c33bfffa kernel32!UnhandledExceptionFilter+0x1fc 00000000`76f3b847 5aa3e800`05bfac0d 0x8d483674`c33bfffa 00000000`76f3b84f ebffcf83`48ccfff9 0x5aa3e800`05bfac0d 00000000`76f3b857 8348c000`0409ba27 0xebffcf83`48ccfff9 00000000`76f3b85f 54dfe8cf`8b48ffcf 0x8348c000`0409ba27 00000000`76f3b867 4c02778d`db33fff9 0x54dfe8cf`8b48ffcf 00000000`76f3b86f 4c000000`e024a48b 0x4c02778d`db33fff9 00000000`76f3b877 ffcf8348`04ebeb8b 0x4c000000`e024a48b 00000000`76f3b87f fffc59e9`e8cc8b49 0xffcf8348`04ebeb8b 00000000`76f3b887 42e9c78b`0775c73b 0xfffc59e9`e8cc8b49 00000000`76f3b88f fffa6fa9`e8000003 0x42e9c78b`0775c73b 00000000`76f3b897 32e9c033`0774c33b 0xfffa6fa9`e8000003 00000000`76f3b89f fa7f3d8d`4c000003 0x32e9c033`0774c33b 00000000`76f3b8a7 de15ffcf`8b490006 0xfa7f3d8d`4c000003 00000000`76f3b8af f9370d8b`4800000e 0xde15ffcf`8b490006 00000000`76f3b8b7 000014a1`15ff0006 0xf9370d8b`4800000e 00000000`76f3b8bf 840fc33b`48f08b4c 0x000014a1`15ff0006 00000000`76f3b8c7 f6158b48`00000099 0x840fc33b`48f08b4c 00000000`76f3b8cf 0238c281`480006f3 0xf6158b48`00000099 00000000`76f3b8d7 48cfe8c8`8b480000 0x0238c281`480006f3 00000000`76f3b8df 8b4c7f74`c33bfff9 0x48cfe8c8`8b480000 00000000`76f3b8e7 888b4900`06f3dc05 0x8b4c7f74`c33bfff9 00000000`76f3b8ef 75083949`00000238 0x888b4900`06f3dc05 00000000`76f3b8f7 00000240`808b496c 0x75083949`00000238 00000000`76f3b8ff 8b415f75`08403949 0x00000240`808b496c 00000000`76f3b907 00024880`3b411040 0x8b415f75`08403949 00000000`76f3b90f 01040000`a9527500 0x00024880`3b411040 00000000`76f3b917 00025090`8d491874 0x01040000`a9527500 00000000`76f3b91f c68a4418`488d4900 0x00025090`8d491874 00000000`76f3b927 c33a0000`117315ff 0xc68a4418`488d4900 00000000`76f3b92f 4e15ffcf`8b493374 0xc33a0000`117315ff 00000000`76f3b937 ff41cc8b`4900000e 0x4e15ffcf`8b493374 00000000`76f3b93f 00028c84`0fc63bd6 0xff41cc8b`4900000e 00000000`76f3b947 00028484`0fc73b00 0x00028c84`0fc63bd6 00000000`76f3b94f 6ee7e819`75c33b00 0x00028484`0fc73b00 00000000`76f3b957 c0331074`c33bfffa 0x6ee7e819`75c33b00 00000000`76f3b95f cf8b4900`000270e9 0xc0331074`c33bfffa 00000000`76f3b967 8b490000`0e1b15ff 0xcf8b4900`000270e9 00000000`76f3b96f 3b000013`e215ffcc 0x8b490000`0e1b15ff 00000000`76f3b977 0253e9c7`8b0775c7 0x3b000013`e215ffcc 00000000`76f3b97f 41fff959`4ae80000 0x0253e9c7`8b0775c7 00000000`76f3b987 c6844100`000002be 0x41fff959`4ae80000 00000000`76f3b98f 15ff0000`023d850f 0xc6844100`000002be 00000000`76f3b997 850f20a8`00000f65 0x15ff0000`023d850f 00000000`76f3b99f 245c8948`0000022f 0x850f20a8`00000f65 00000000`76f3b9a7 448d4c3e`4e8d4520 0x245c8948`0000022f 00000000`76f3b9af ffc933d6`8b416024 0x448d4c3e`4e8d4520 00000000`76f3b9b7 7cc33b00`0009f415 0xffc933d6`8b416024 00000000`76f3b9bf 730a7024`64ba0f0f 0x7cc33b00`0009f415 00000000`76f3b9c7 00000205`e9c68b07 0x730a7024`64ba0f0f 00000000`76f3b9cf cc8b49d6`8bfb8b44 0x00000205`e9c68b07 00000000`76f3b9d7 f08b44ff`fffdc4e8 0xcc8b49d6`8bfb8b44 00000000`76f3b9df e9c03307`7508f883 0xf08b44ff`fffdc4e8 00000000`76f3b9e7 7506f883`000001e9 0xe9c03307`7508f883 00000000`76f3b9ef c33bfffa`6e4be810 0x7506f883`000001e9 00000000`76f3b9f7 0001d4e9`c0330774 0xc33bfffa`6e4be810 00000000`76f3b9ff 86850f04`fe834100 0x0001d4e9`c0330774 00000000`76f3ba07 0000024a`ba000001 0x86850f04`fe834100 00000000`76f3ba0f 00b841ce`8b45c933 0x0000024a`ba000001 00000000`76f3ba17 fff7a249`e8000010 0x00b841ce`8b45c933 00000000`76f3ba1f 0775c33b`48e88b4c 0xfff7a249`e8000010 00000000`76f3ba27 48000001`a6e9c033 0x0775c33b`48e88b4c 00000000`76f3ba2f 24448948`3024448d 0x48000001`a6e9c033 00000000`76f3ba37 0000f024`8c8d4c20 0x24448948`3024448d 00000000`76f3ba3f 49000001`25b84100 0x0000f024`8c8d4c20 00000000`76f3ba47 8a0fe8cf`8b48d58b 0x49000001`25b84100 00000000`76f3ba4f 4166097c`c33bfffe 0x8a0fe8cf`8b48d58b 00000000`76f3ba57 39fe450f`44005d39 0x4166097c`c33bfffe 00000000`76f3ba5f 850f0000`00f0249c 0x39fe450f`44005d39 00000000`76f3ba67 240c8b49`000000bc 0x850f0000`00f0249c 00000000`76f3ba6f 40244489`48016348 0x240c8b49`000000bc 00000000`76f3ba77 24448948`10418b48 0x40244489`48016348 00000000`76f3ba7f 75c00000`06398148 0x24448948`10418b48 00000000`76f3ba87 480b7203`18798318 0x75c00000`06398148 00000000`76f3ba8f 50244489`4830418b 0x480b7203`18798318 00000000`76f3ba97 eb50245c`89481ceb 0x50244489`4830418b 00000000`76f3ba9f 8b480b72`18713915 0xeb50245c`89481ceb 00000000`76f3baa7 eb502444`89482041 0x8b480b72`18713915 00000000`76f3baaf 02ba5024`5c894805 0xeb502444`89482041 00000000`76f3bab7 0b721851`39000000 0x02ba5024`5c894805 00000000`76f3babf 24448948`28418b48 0x0b721851`39000000 00000000`76f3bac7 58245c89`4805eb58 0x24448948`28418b48 00000000`76f3bacf ba1d3808`74fb3b44 0x58245c89`4805eb58 00000000`76f3bad7 48d68b02`740006fd 0xba1d3808`74fb3b44 00000000`76f3badf 48000000`e824848d 0x48d68b02`740006fd 00000000`76f3bae7 20245489`28244489 0x48000000`e824848d 00000000`76f3baef c0334540`244c8d4c 0x20245489`28244489 00000000`76f3baf7 000144b9`04508d41 0xc0334540`244c8d4c 00000000`76f3baff ba00000d`7215ffd0 0x000144b9`04508d41 00000000`76f3bb07 8c8bc223`c0000000 0xba00000d`7215ffd0 00000000`76f3bb0f b8c23b00`0000e824 0x8c8bc223`c0000000 00000000`76f3bb17 89c8440f`00000006 0xb8c23b00`0000e824 00000000`76f3bb1f 07eb0000`00e8248c 0x89c8440f`00000006 00000000`76f3bb27 44000000`e8248c8b 0x07eb0000`00e8248c 00000000`76f3bb2f 7403f983`5d74fb3b 0x44000000`e8248c8b 00000000`76f3bb37 000000f0`249c3909 0x7403f983`5d74fb3b 00000000`76f3bb3f 0006fd4d`058a4f74 0x000000f0`249c3909 00000000`76f3bb47 f85f5ce8`4b75c33a 0x0006fd4d`058a4f74 00000000`76f3bb4f 448b3b75`5c5838ff 0xf85f5ce8`4b75c33a 00000000`76f3bb57 894c2824`44893024 0x448b3b75`5c5838ff 00000000`76f3bb5f 08244c8b`4d20246c 0x894c2824`44893024 00000000`76f3bb67 fec2c748`24048b4d 0x08244c8b`4d20246c 00000000`76f3bb6f b6e8cf8b`48ffffff 0xfec2c748`24048b4d 00000000`76f3bb77 fd130db6`0fffffea 0xb6e8cf8b`48ffffff 00000000`76f3bb7f 88ce4c0f`c33b0006 0xfd130db6`0fffffea 00000000`76f3bb87 ebfb8b00`06fd080d 0x88ce4c0f`c33b0006 00000000`76f3bb8f 3a0006fc`fe058a29 0xebfb8b00`06fd080d 00000000`76f3bb97 8b240c8b`491874c3 0x3a0006fc`fe058a29 00000000`76f3bb9f 060f15ff`cf8b4811 0x8b240c8b`491874c3 00000000`76f3bba7 0000f824`bc8b0000 0x060f15ff`cf8b4811 00000000`76f3bbaf 00f824bc`8b07eb00 0x0000f824`bc8b0000 00000000`76f3bbb7 331074eb`3b4c0000 0x00f824bc`8b07eb00 00000000`76f3bbbf 49000080`00b841d2 0x331074eb`3b4c0000 00000000`76f3bbc7 8bfff74b`5ae8cd8b 0x49000080`00b841d2 00000000`76f3bbcf c48148c6`8b02ebc7 0x8bfff74b`5ae8cd8b 00000000`76f3bbd7 5e415f41`000000a0 0xc48148c6`8b02ebc7 00000000`76f3bbdf c35b5e5f`5c415d41 0x5e415f41`000000a0 00000000`76f3bbe7 158ead00`00000090 0xc35b5e5f`5c415d41 00000000`76f3bbef 00000200`00000053 0x158ead00`00000090 00000000`76f3bbf7 09bc2400`00002500 0x00000200`00000053 00000000`76f3bbff 00000000`09b42400 0x09bc2400`00002500 00000000`76f3bc07 7e023553`158ead00 0x9b42400 00000000`76f3bc0f 00000400`00000a19 0x7e023553`158ead00 00000000`76f3bc17 09b42000`09bc2000 0x00000400`00000a19 00000000`76f3bc1f 445352bb`03197e00 0x09b42000`09bc2000 00000000`76f3bc27 4c886225`48e28953 0x445352bb`03197e00 00000000`76f3bc2f 4fb29af4`dfbb8344 0x4c886225`48e28953 00000000`76f3bc37 72656b00`0000020e 0x4fb29af4`dfbb8344 00000000`76f3bc3f 64702e32`336c656e 0x72656b00`0000020e 00000000`76f3bc47 00000000`00000062 0x64702e32`336c656e
We check for any Hidden Exceptions (Volume 1, page 271) and find it was NULL Data Pointer (Volume 3, page 131):
0:003> .cxr Resetting default scope 0:003> k Child-SP RetAddr Call Site 00000000`0244e858 000007fe`fd061430 ntdll!NtWaitForMultipleObjects+0xa 00000000`0244e860 00000000`76ec1723 KERNELBASE!WaitForMultipleObjectsEx+0xe8 00000000`0244e960 00000000`76f3b5e5 kernel32!WaitForMultipleObjectsExImplementation+0xb3 00000000`0244e9f0 00000000`76f3b767 kernel32!WerpReportFaultInternal+0x215 00000000`0244ea90 00000000`76f3b7bf kernel32!WerpReportFault+0x77 00000000`0244eac0 00000000`76f3b9dc kernel32!BasepReportFault+0x1f 00000000`0244eaf0 00000000`77153398 kernel32!UnhandledExceptionFilter+0x1fc 00000000`0244ebd0 00000000`770d85c8 ntdll! ?? ::FNODOBFM::`string'+0x2365 00000000`0244ec00 00000000`770e9d2d ntdll!_C_specific_handler+0x8c 00000000`0244ec70 00000000`770d91cf ntdll!RtlpExecuteHandlerForException+0xd 00000000`0244eca0 00000000`77111248 ntdll!RtlDispatchException+0×45a 00000000`0244f380 00000000`ffdbdb27 ntdll!KiUserExceptionDispatch+0×2e 00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2 00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd 00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0×1d 0:003> dps 00000000`0244eca0 00000000`0244fab0 00000000`0244eca0 00000000`02450000 00000000`0244eca8 00000000`76fadda0 kernel32!__PchSym_ <PERF> (kernel32+0x10dda0) 00000000`0244ecb0 00000000`00012f00 00000000`0244ecb8 00000000`7711920a ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3da 00000000`0244ecc0 00000000`00000005 00000000`0244ecc8 00000000`00000000 00000000`0244ecd0 00000000`00000000 00000000`0244ecd8 00000000`00000000 00000000`0244ece0 00000000`0244fb20 00000000`0244ece8 00000000`00000000 00000000`0244ecf0 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0) 00000000`0244ecf8 00000000`00000000 00000000`0244ed00 00000000`00000000 00000000`0244ed08 00000000`02450000 00000000`0244ed10 00000000`771e8180 ntdll!`string'+0xc040 00000000`0244ed18 00000000`0244b000 00000000`0244ed20 00000000`0244f250 00000000`0244ed28 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0) 00000000`0244ed30 00000000`770ec541 ntdll!RtlUserThreadStart+0x1d 00000000`0244ed38 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0) 00000000`0244ed40 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0) 00000000`0244ed48 00000000`0244fb20 00000000`0244ed50 00000000`771d7718 ntdll!LdrpDefaultExtension 00000000`0244ed58 00000000`0244ed80 00000000`0244ed60 00000000`770d852c ntdll!_C_specific_handler 00000000`0244ed68 00000000`771e8180 ntdll!`string'+0xc040 00000000`0244ed70 00000000`0244f250 00000000`0244ed78 00000000`00000000 00000000`0244ed80 00000000`00000000 00000000`0244ed88 00000000`00000000 00000000`0244ed90 00000000`00000000 00000000`0244ed98 00000000`00000000 00000000`0244eda0 00000000`00000000 00000000`0244eda8 00000000`00000000 00000000`0244edb0 00001f80`00000000 00000000`0244edb8 00000000`00000033 00000000`0244edc0 00010246`002b0000 00000000`0244edc8 00000000`00000000 00000000`0244edd0 00000000`00000000 00000000`0244edd8 00000000`00000000 00000000`0244ede0 00000000`00000000 00000000`0244ede8 000007fe`ff3625c0 msctf!s_szCompClassName 00000000`0244edf0 00000000`00200000 00000000`0244edf8 00000000`0244ee40 00000000`0244ee00 00000000`0244ee40 00000000`0244ee08 00000000`0244ee40 00000000`0244ee10 00000000`00000000 00000000`0244ee18 00000000`0244fb70 00000000`0244ee20 00000000`00000000 00000000`0244ee28 00000000`00000000 00000000`0244ee30 00000000`00000000 00000000`0244ee38 000007fe`fd602790 ole32!`string' 00000000`0244ee40 00000000`00292170 00000000`0244ee48 00000000`770e7a33 ntdll!LdrpFindOrMapDll+0x138 00000000`0244ee50 00000000`0244ef68 00000000`0244ee58 00000000`00000000 00000000`0244ee60 00000000`00000000 00000000`0244ee68 00000000`00000000 00000000`0244ee70 00000000`00000000 00000000`0244ee78 00000000`00000000 00000000`0244ee80 00000000`0000027f 00000000`0244ee88 00000000`00000000 00000000`0244ee90 00000000`00000000 00000000`0244ee98 0000ffff`00001f80 00000000`0244eea0 00000000`00000000 00000000`0244eea8 00000000`00000000 00000000`0244eeb0 00000000`00000000 00000000`0244eeb8 00000000`00000000 00000000`0244eec0 00000000`00000000 00000000`0244eec8 00000000`00000000 00000000`0244eed0 00000000`00000000 00000000`0244eed8 00000000`00000000 00000000`0244eee0 00000000`00000000 00000000`0244eee8 00000000`00000000 00000000`0244eef0 00000000`00000000 00000000`0244eef8 00000000`00000000 00000000`0244ef00 00000000`00000000 00000000`0244ef08 00000000`00000000 00000000`0244ef10 00000000`00000000 00000000`0244ef18 00000000`00000000 00000000`0244ef20 00000000`00000000 00000000`0244ef28 00000000`771192a8 ntdll!LdrpApplyFileNameRedirection+0x2d3 00000000`0244ef30 00000000`00000000 00000000`0244ef38 00000000`00000000 00000000`0244ef40 00000000`00000000 00000000`0244ef48 00000000`02080000 00000000`0244ef50 00000000`0244f028 00000000`0244ef58 00000000`0244f020 00000000`0244ef60 00000000`00000000 00000000`0244ef68 00000000`00000000 00000000`0244ef70 00000000`00000000 00000000`0244ef78 000007fe`fd602848 ole32!`string' 00000000`0244ef80 00000000`00000000 00000000`0244ef88 00000000`00000000 00000000`0244ef90 00000000`00000000 00000000`0244ef98 00000000`00000000 00000000`0244efa0 00000000`00000000 00000000`0244efa8 00000000`00000000 00000000`0244efb0 00000000`00000000 00000000`0244efb8 00000000`00000000 00000000`0244efc0 00000000`00000000 00000000`0244efc8 00000000`00000000 00000000`0244efd0 00000000`00000000 00000000`0244efd8 00000000`00000000 00000000`0244efe0 00000000`00000000 00000000`0244efe8 00000000`00000000 00000000`0244eff0 00000000`00000000 00000000`0244eff8 00000000`00000000 00000000`0244f000 00000000`00000000 00000000`0244f008 00000000`00000000 00000000`0244f010 00000000`00000000 00000000`0244f018 00000000`00000000 00000000`0244f020 00000000`0244f038 00000000`0244f028 00000000`0000011b 00000000`0244f030 00000000`024d0000 00000000`0244f038 00000080`001a024d 00000000`0244f040 00000000`01c0c8a0 00000000`0244f048 00000000`002f0101 00000000`0244f050 00000000`00000000 00000000`0244f058 00000000`00000022 00000000`0244f060 00000000`002f9b00 00000000`0244f068 00000000`01bd5390 00000000`0244f070 00000000`002f7c00 00000000`0244f078 00000000`01bd5580 00000000`0244f080 00000000`01bd57b0 00000000`0244f088 00000000`002f9b00 00000000`0244f090 00000000`00000000 00000000`0244f098 00000024`00000003 00000000`0244f0a0 00000000`002e91b0 00000000`0244f0a8 00000000`00000022 00000000`0244f0b0 00000000`771d5430 ntdll!RtlpInterceptorRoutines 00000000`0244f0b8 00000000`00000000 00000000`0244f0c0 00000000`00000010 00000000`0244f0c8 00000000`01bd0000 00000000`0244f0d0 00000000`00000008 00000000`0244f0d8 00000000`00000001 00000000`0244f0e0 00000000`01bd0288 00000000`0244f0e8 00000000`77113448 ntdll!RtlAllocateHeap+0xe4 00000000`0244f0f0 00000000`00000000 00000000`0244f0f8 00000000`00000001 00000000`0244f100 000002b2`000f002f 00000000`0244f108 00000000`01bd5780 00000000`0244f110 00000000`00250230 00000000`0244f118 00000000`000000df 00000000`0244f120 00000000`002551a0 00000000`0244f128 00000000`00255210 00000000`0244f130 00000000`002f9b00 00000000`0244f138 00000000`002551a0 00000000`0244f140 00000000`000000df 00000000`0244f148 00000000`10000010 00000000`0244f150 00000000`00250230 00000000`0244f158 00000000`00000000 00000000`0244f160 00000000`00250498 00000000`0244f168 00000000`0025026c 00000000`0244f170 00000000`002f9b00 00000000`0244f178 00000000`002551a0 00000000`0244f180 00000000`00000022 00000000`0244f188 00000000`76fd88b8 user32!GetPropW+0x4d 00000000`0244f190 00000000`00002974 00000000`0244f198 00000000`76fd88b8 user32!GetPropW+0x4d 00000000`0244f1a0 00000000`00250230 00000000`0244f1a8 00000000`76fd7931 user32!IsWindow+0x9 00000000`0244f1b0 00000000`002ed6d0 00000000`0244f1b8 00000000`76fd7931 user32!IsWindow+0x9 00000000`0244f1c0 00000000`00000000 00000000`0244f1c8 00000000`01c0c8d0 00000000`0244f1d0 00000000`01c0c8a0 00000000`0244f1d8 00000000`00000000 00000000`0244f1e0 00000000`00000008 00000000`0244f1e8 00000000`01bd0000 00000000`0244f1f0 00000000`00000000 00000000`0244f1f8 00000000`770f41c8 ntdll!RtlpReAllocateHeap+0x178 00000000`0244f200 00000000`00000002 00000000`0244f208 00000000`00000002 00000000`0244f210 00000000`00000000 00000000`0244f218 000007fe`4f00024d 00000000`0244f220 00000000`00000000 00000000`0244f228 000007fe`fb601381 uxtheme!CThemeWnd::_PreDefWindowProc+0x31 00000000`0244f230 00000000`00000082 00000000`0244f238 00000000`00000000 00000000`0244f240 00000000`7a337100 00000000`0244f248 00000000`01c0c8c0 00000000`0244f250 00000000`00000003 00000000`0244f258 00000000`76eb59e0 kernel32!BaseThreadInitThunk 00000000`0244f260 00000000`ffdbdb32 calc!CTimedCalc::Start+0xa9 00000000`0244f268 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0x0) 00000000`0244f270 00000000`ffe0ac64 calc!_dyn_tls_init_callback <PERF> (calc+0x7ac64) 00000000`0244f278 00000000`76ea0000 kernel32!TestResourceDataMatchEntry <PERF> (kernel32+0x0) 00000000`0244f280 00000000`76fadda0 kernel32!__PchSym_ <PERF> (kernel32+0x10dda0) 00000000`0244f288 00000000`770c0000 ntdll!RtlDeactivateActivationContext <PERF> (ntdll+0x0) 00000000`0244f290 00000000`77202dd0 ntdll!CsrPortMemoryRemoteDelta <PERF> (ntdll+0x142dd0) 00000000`0244f298 00000000`76fd760e user32!RealDefWindowProcW+0x5a 00000000`0244f2a0 00000000`00000001 00000000`0244f2a8 000007fe`fb600037 uxtheme!operator delete <PERF> (uxtheme+0x37) 00000000`0244f2b0 00000000`01bd0158 00000000`0244f2b8 00000000`00000082 00000000`0244f2c0 00000000`00000000 00000000`0244f2c8 00000000`00000003 00000000`0244f2d0 00000000`000111f2 00000000`0244f2d8 00000000`00000054 00000000`0244f2e0 00000000`00000000 00000000`0244f2e8 00000000`00000000 00000000`0244f2f0 00000000`00000001 00000000`0244f2f8 00000000`01c11c60 00000000`0244f300 00000000`0244f462 00000000`0244f308 00000000`01bd0230 00000000`0244f310 00000000`00000000 00000000`0244f318 00000000`00000000 00000000`0244f320 00000000`00000000 00000000`0244f328 00000000`14010015 00000000`0244f330 00000000`01c11570 00000000`0244f338 00000000`00000000 00000000`0244f340 00000000`00000000 00000000`0244f348 00000000`00000000 00000000`0244f350 00000000`00009c40 00000000`0244f358 00000000`00000000 00000000`0244f360 00000000`00000000 00000000`0244f368 00000000`00000000 00000000`0244f370 00000000`00002710 00000000`0244f378 00000000`77111248 ntdll!KiUserExceptionDispatch+0×2e 00000000`0244f380 00000000`0244f870 00000000`0244f388 00000000`0244f380 00000000`0244f390 00000000`00000000 00000000`0244f398 00000000`00000000 00000000`0244f3a0 000007fe`fb63fb40 uxtheme!$$VProc_ImageExportDirectory 00000000`0244f3a8 00000000`00000ad5 00000000`0244f3b0 00001f80`0010005f 00000000`0244f3b8 0053002b`002b0033 00000000`0244f3c0 00010246`002b002b 00000000`0244f3c8 00000000`00000000 00000000`0244f3d0 00000000`00000000 00000000`0244f3d8 00000000`00000000 00000000`0244f3e0 00000000`00000000 00000000`0244f3e8 00000000`00000000 00000000`0244f3f0 00000000`00000000 00000000`0244f3f8 00000000`0012c770 00000000`0244f400 00000000`00000000 00000000`0244f408 00000000`00000000 00000000`0244f410 00000000`00002710 00000000`0244f418 00000000`0244fab0 00000000`0244f420 00000000`00000000 00000000`0244f428 00000000`00000000 00000000`0244f430 00000000`00000000 00000000`0244f438 00000000`0244f938 00000000`0244f440 00000000`00962210 00000000`0244f448 00000000`00000000 00000000`0244f450 00000000`0244f9a0 00000000`0244f458 00000000`00009c40 00000000`0244f460 00000000`00000000 00000000`0244f468 00000000`00000000 00000000`0244f470 00000000`00000000 00000000`0244f478 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2 00000000`0244f480 00000000`0000027f 00000000`0244f488 00000000`00000000 00000000`0244f490 00000000`00000000 00000000`0244f498 0000ffff`00001f80 00000000`0244f4a0 00000000`00000000 00000000`0244f4a8 00000000`00000000 00000000`0244f4b0 00000000`00000000 00000000`0244f4b8 00000000`00000000 00000000`0244f4c0 00000000`00000000 00000000`0244f4c8 00000000`00000000 00000000`0244f4d0 00000000`00000000 00000000`0244f4d8 00000000`00000000 00000000`0244f4e0 00000000`00000000 00000000`0244f4e8 00000000`00000000 00000000`0244f4f0 00000000`00000000 00000000`0244f4f8 00000000`00000000 00000000`0244f500 00000000`00000000 00000000`0244f508 00000000`00000000 00000000`0244f510 00000000`00000000 00000000`0244f518 00000000`00000000 00000000`0244f520 00000000`00000000 00000000`0244f528 00000000`00000000 00000000`0244f530 00000000`00000000 00000000`0244f538 00000000`00000000 00000000`0244f540 00000000`00000000 00000000`0244f548 00000000`00000000 00000000`0244f550 00000000`00000000 00000000`0244f558 00000000`00000000 00000000`0244f560 00000000`00000000 00000000`0244f568 00000000`00000000 00000000`0244f570 00000000`00000000 00000000`0244f578 00000000`00000000 00000000`0244f580 00000000`00000000 00000000`0244f588 00000000`00000000 00000000`0244f590 00000000`00000000 00000000`0244f598 00000000`00000000 00000000`0244f5a0 00000000`00000000 00000000`0244f5a8 00000000`00000000 00000000`0244f5b0 00000000`00000000 00000000`0244f5b8 00000000`00000000 00000000`0244f5c0 00000000`00000000 00000000`0244f5c8 00000000`00000000 00000000`0244f5d0 00000000`00000000 00000000`0244f5d8 00000000`00000000 00000000`0244f5e0 00000000`00000000 00000000`0244f5e8 00000000`00000000 00000000`0244f5f0 00000000`00000000 00000000`0244f5f8 00000000`00000000 00000000`0244f600 00000000`00000000 00000000`0244f608 00000000`00000000 00000000`0244f610 00000000`00000000 00000000`0244f618 00000000`00000000 00000000`0244f620 00000000`00000000 00000000`0244f628 00000000`00000000 00000000`0244f630 00000000`00000000 00000000`0244f638 00000000`00000000 00000000`0244f640 00000000`00000000 00000000`0244f648 00000000`00000000 00000000`0244f650 00000000`00000000 00000000`0244f658 00000000`00000000 00000000`0244f660 00000000`00000000 00000000`0244f668 fffff800`032d5e53 00000000`0244f670 00000000`00000002 00000000`0244f678 00000000`00000000 00000000`0244f680 00000000`01c11580 00000000`0244f688 00000000`00000082 00000000`0244f690 00000000`00000082 00000000`0244f698 00000000`000111e4 00000000`0244f6a0 00000000`00000002 00000000`0244f6a8 00000000`0244f6f0 00000000`0244f6b0 00000000`00000002 00000000`0244f6b8 00000000`00000000 00000000`0244f6c0 00000000`000111e4 00000000`0244f6c8 00000000`00000000 00000000`0244f6d0 00000000`00000082 00000000`0244f6d8 00000000`00000000 00000000`0244f6e0 00000000`00000000 00000000`0244f6e8 00000000`76fe76c2 user32!DefDlgProcW+0×36 00000000`0244f6f0 00000000`00000000 00000000`0244f6f8 00000000`00000000 00000000`0244f700 00000000`000111e4 00000000`0244f708 00000000`00000000 00000000`0244f710 00000000`00000082 00000000`0244f718 00000000`00000000 00000000`0244f720 00000000`0244f908 00000000`0244f728 00000000`76fd9bef user32!UserCallWinProcCheckWow+0×1cb 00000000`0244f730 00000000`00962210 00000000`0244f738 00000000`00000001 00000000`0244f740 00000000`00000000 00000000`0244f748 00000000`00000000 00000000`0244f750 00000000`0244f768 00000000`0244f758 00000000`0244f778 00000000`0244f760 00000000`00000001 00000000`0244f768 00000000`00000000 00000000`0244f770 00000000`00000000 00000000`0244f778 00000000`00000000 00000000`0244f780 00000000`00000048 00000000`0244f788 00000000`00000001 00000000`0244f790 00000000`00000000 00000000`0244f798 00000000`00000000 00000000`0244f7a0 00000000`00000070 00000000`0244f7a8 ffffffff`ffffffff 00000000`0244f7b0 ffffffff`ffffffff 00000000`0244f7b8 00000000`76fd9b43 user32!UserCallWinProcCheckWow+0×99 00000000`0244f7c0 00000000`76fd9bef user32!UserCallWinProcCheckWow+0×1cb 00000000`0244f7c8 00000000`00000000 00000000`0244f7d0 00000000`00000000 00000000`0244f7d8 00000000`00000000 00000000`0244f7e0 00000000`00000000 00000000`0244f7e8 00000000`76fd72cb user32!DispatchClientMessage+0xc3 00000000`0244f7f0 00000000`00000000 00000000`0244f7f8 00000000`770e46b4 ntdll!NtdllDialogWndProc_W 00000000`0244f800 00000000`00000000 00000000`0244f808 00000000`00000000 00000000`0244f810 00000000`00000000 00000000`0244f818 00000000`00000000 00000000`0244f820 00000000`00962238 00000000`0244f828 00000000`00000001 00000000`0244f830 00000000`00000000 00000000`0244f838 00000000`00000000 00000000`0244f840 00000000`00000000 00000000`0244f848 00000000`00000000 00000000`0244f850 00000730`fffffb30 00000000`0244f858 000004d0`fffffb30 00000000`0244f860 00000170`000000f0 00000000`0244f868 0000002c`00000001 00000000`0244f870 00000000`c0000005 00000000`0244f878 00000000`00000000 00000000`0244f880 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2 00000000`0244f888 00000000`00000002 00000000`0244f890 00000000`00000000 00000000`0244f898 00000000`00000000 00000000`0244f8a0 00000000`00000000 00000000`0244f8a8 00000000`00000000 00000000`0244f8b0 00000000`00000000 00000000`0244f8b8 00000000`00000000 00000000`0244f8c0 00000000`00000000 00000000`0244f8c8 00000000`00000000 00000000`0244f8d0 00000000`00000000 00000000`0244f8d8 00000000`00000000 00000000`0244f8e0 00000000`00000000 00000000`0244f8e8 00000000`00000000 00000000`0244f8f0 00000000`00000000 00000000`0244f8f8 00000000`00000000 00000000`0244f900 00000000`00000000 00000000`0244f908 00000000`00962210 00000000`0244f910 00000000`ffdbdb27 calc!CTimedCalc::WatchDogThread+0xb2 00000000`0244f918 00000000`00000000 00000000`0244f920 00000000`00000000 00000000`0244f928 00000000`0244fab0 00000000`0244f930 00000000`77101530 ntdll!NtdllDispatchMessage_W 00000000`0244f938 00000000`76fe505b user32!DialogBox2+0×2ec 00000000`0244f940 00000000`00000000 00000000`0244f948 00000000`00000000 00000000`0244f950 00000000`00000000 00000000`0244f958 00000000`00000000 00000000`0244f960 00000000`00000000 00000000`0244f968 00000000`00000000 00000000`0244f970 00000000`00000000 00000000`0244f978 00000000`00000000 00000000`0244f980 00000000`00000002 00000000`0244f988 00000000`000111f0 00000000`0244f990 00000271`0f689359 00000000`0244f998 00000000`00000030 00000000`0244f9a0 00000000`00000000 00000000`0244f9a8 00000000`00000000 00000000`0244f9b0 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0×0) 00000000`0244f9b8 00000000`001a17e0 00000000`0244f9c0 00000000`00000000 00000000`0244f9c8 00000000`76fe4edd user32!InternalDialogBox+0×135 00000000`0244f9d0 00000000`00000000 00000000`0244f9d8 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc 00000000`0244f9e0 00000000`00000000 00000000`0244f9e8 00000000`00000000 00000000`0244f9f0 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc 00000000`0244f9f8 00000000`00000000 00000000`0244fa00 00000000`00000001 00000000`0244fa08 00000000`00000000 00000000`0244fa10 00000000`00000000 00000000`0244fa18 00000000`00009c40 00000000`0244fa20 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0×0) 00000000`0244fa28 00000000`76fe4f52 user32!DialogBoxIndirectParamAorW+0×58 00000000`0244fa30 00000000`001a17e0 00000000`0244fa38 00000000`00000000 00000000`0244fa40 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc 00000000`0244fa48 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc 00000000`0244fa50 00000000`00000000 00000000`0244fa58 00000000`00000001 00000000`0244fa60 00000000`ffd90000 calc!CCalculatorController::CCalculatorController <PERF> (calc+0×0) 00000000`0244fa68 00000000`76fdd476 user32!DialogBoxParamW+0×66 00000000`0244fa70 ffffffff`ffffffff 00000000`0244fa78 00000000`00000000 00000000`0244fa80 00000000`ffdcedb0 calc!CTimedCalc::TimeOutDlgProc 00000000`0244fa88 00000000`00000000 00000000`0244fa90 00000000`00000000 00000000`0244fa98 00000000`00000000 00000000`0244faa0 00000000`00000000 00000000`0244faa8 00000000`ffdbdafa calc!CTimedCalc::WatchDogThread+0×72 00000000`0244fab0 00000000`00002710
Segment registers and flags look normal now:
0:003> .cxr 00000000`0244f380 rax=000000000012c770 rbx=0000000000002710 rcx=0000000000000000 rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000 rip=00000000ffdbdb27 rsp=000000000244fab0 rbp=0000000000000000 r8=000000000244f938 r9=0000000000962210 r10=0000000000000000 r11=000000000244f9a0 r12=0000000000009c40 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl zr na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 calc!CTimedCalc::WatchDogThread+0xb2: 00000000`ffdbdb27 488b01 mov rax,qword ptr [rcx] ds:00000000`00000000=???????????????? 0:003> k *** Stack trace for last set context - .thread/.cxr resets it Child-SP RetAddr Call Site 00000000`0244fab0 00000000`76eb59ed calc!CTimedCalc::WatchDogThread+0xb2 00000000`0244faf0 00000000`770ec541 kernel32!BaseThreadInitThunk+0xd 00000000`0244fb20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
3.128.171.243