Reputation: 6911
WinDbg: Colon in address, what does it mean?
I have a crash dump which shows the following exception info:
0:000> .ecxr
eax=00000000 ebx=00000001 ecx=000000dc edx=000032f0 esi=00000020 edi=78746341
eip=00000000 esp=00000007 ebp=00000020 iopl=0 nv up di pl nz na po cy
cs=0014 ss=0034 ds=0000 es=1000 fs=df5c gs=0000 efl=00000001
0014:00000000 ?? ???
Why is the exeption address displayed as 0014:00000000, and not just 00000000? As far as I understand, 0014 is the code segment, but I didn't find any documentation about the syntax.
Also, is there a way to translate this syntax to a plain, absolute address?
Upvotes: 0
Views: 322
Answers (1)
Reputation: 365247
Yes, seg:off is 100% standard notation. It's just showing you the full CS:EIP value.
CS base is 0 unless you did something really weird (e.g. retf popping something into CS that happened to index a GDT entry with a non-zero base, if there even is one).
So the linear address is just 00000000. e.g. you tried to jump to a NULL function-pointer or something, or tried to ret when ESP was pointing at a 0 instead of your return address.
Upvotes: 2
Related Questions
- WinDbg Address Summary
- GDB 'Addresses'. What are they?
- what does <unclassified> mean in windbg !address output
- what this value mean in address with ' symbol
- What's the Allocation Base shown in the "address" command of windbg?
- Address and Address Range Syntax search memory when using windbg to do debug
- anything specific about the addresses (0x40000000, 0x80000000 and 0xBF000000)
- Windbg !address command result
- Is this a memory address?
- What does the memory address mean?