Dev.K.

Reputation: 2488

Crash Debugging Win32 Application

I'm spending a lot of time doing crash debugging of Win32 apps. One thing I'm very curious to know about is how to find whether any address belongs to the stack / heap or program code section. Is there any WinDbg/OllyDbg plugin available for this purpose? Or do I have to do it manually from the memory map? Ex:

0:000> r
eax=00930264 ebx=008e0000 ecx=41414592 edx=00930000 esi=41414141 edi=008e0441
eip=00407289 esp=0012fae0 ebp=0012faf4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
MyApp+0x7289:
00407289 8b1437          mov     edx,dword ptr [edi+esi] ds:0023:41cf4582=????????
0:000> u eip
MyApp+0x7289:
00407289 8b1437          mov     edx,dword ptr [edi+esi]
0040728c 8b4c3704        mov     ecx,dword ptr [edi+esi+4]
00407290 57              push    edi
00407291 e89ae8ffff      call    MyApp+0x5b30 (00405b30)
00407296 897d14          mov     dword ptr [ebp+14h],edi
00407299 5f              pop     edi
0040729a 85c0            test    eax,eax
0040729c 741e            je      MyApp+0x72bc (004072bc)

In this case I wanna know which register is pointing to which section (code/stack/heap) so that I can proceed further to the root cause.

Thanks in advance.

Upvotes: 1

Views: 246

Answers (1)

xwlan

Reputation: 564

0:000> ?@esi+@edi
Evaluate expression: 36278408 = 02299088
0:000> !address 02299088
 ProcessParametrs 00311020 in range 00310000 00410000
 Environment 02294848 in range 02290000 02390000
    02290000 : 02290000 - 00100000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   00310000

Upvotes: 2
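
The lookup the answer does by hand with `!address`, applied to every register in the question's `r` output; this is an added example, not part of the original post. The region list is a constructed sample whose ranges are assumptions; in practice it would be pasted from `!address` output for the crashed process.

```python
import re

# Register lines copied from the question's `r` output.
REGS = """eax=00930264 ebx=008e0000 ecx=41414592 edx=00930000 esi=41414141 edi=008e0441
eip=00407289 esp=0012fae0 ebp=0012faf4 iopl=0         nv up ei pl nz na pe nc"""

# CONSTRUCTED sample in the layout of the answer's `!address` output
# ("alloc base : region base - size", then attribute lines); the Type and
# State lines are left out and the ranges are assumptions, not real data.
REGIONS = """
    00030000 : 0012d000 - 00003000
                    Protect  00000004 PAGE_READWRITE
                    Usage    RegionUsageStack
    00400000 : 00401000 - 0000a000
                    Protect  00000020 PAGE_EXECUTE_READ
                    Usage    RegionUsageImage
    008e0000 : 008e0000 - 00060000
                    Protect  00000004 PAGE_READWRITE
                    Usage    RegionUsageHeap
"""

HEADER = re.compile(r"^\s*[0-9a-f]{8} : ([0-9a-f]{8}) - ([0-9a-f]{8})\s*$")
ATTR = re.compile(r"^\s*(Protect|Usage)\s+(?:[0-9a-f]{8}\s+)?(\S+)\s*$")

def parse_regions(text):
    """Return dicts with start, end (exclusive) and any Protect/Usage seen."""
    regions = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            base, size = int(m[1], 16), int(m[2], 16)
            regions.append({"start": base, "end": base + size})
        elif (m := ATTR.match(line)) and regions:
            regions[-1][m[1]] = m[2]  # attach attribute to the current region
    return regions

def usage_of(addr, regions):
    """Usage string of the region holding addr, or 'unmapped' if none does."""
    hit = next((r for r in regions if r["start"] <= addr < r["end"]), None)
    return hit.get("Usage", "unknown") if hit else "unmapped"

def classify(regs_text=REGS, regions_text=REGIONS):
    """Map each 32-bit register in `r` output to the usage of its target."""
    regions = parse_regions(regions_text)
    found = re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", regs_text)
    return {name: usage_of(int(val, 16), regions) for name, val in found}

if __name__ == "__main__":
    for reg, usage in classify().items():
        print(f"{reg:4} {usage}")
```

With this sample map, `esi` and the faulting address `edi+esi` (41cf4582 in the question's dump) fall in no region, which is why the `mov` at `eip` faults.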
