
So, I see this line in one of the call stacks of a dump (x86/Windows 7) I am looking at. I have heavily snipped it, as my question pertains only to this call.

Args to Child
01111111 04444444 05555555 ntdll!KiUserExceptionDispatcher+0xf

and going by: http://www.nynaeve.net/Code/KiUserExceptionDispatcher.c

It looks like the first two arguments on the stack must be the context record and the exception record. However, with some experimentation I noted that 01111111 is not the first argument. It actually starts from 04444444. So, in this case .cxr 04444444 and .exr 05555555 display sane output.

Now, I understand the debugger might just show whatever is on the stack at that point, and I probably shouldn't rely on that alone, but if everything below that line is marked with "stack unwind information not available. Following frames may be wrong", how am I to know that I should ignore 01111111?

UPDATE

Let's try a different approach. Here are 2 relevant pieces of information:

Args to Child
0ccccccc 77895ac4 00000000 kernel32!UnhandledExceptionFilter+0x9e
[... various other calls here, leading up to ...]
0eeeeeee 0aaaaaaa 0bbbbbbb ntdll!KiUserExceptionDispatcher+0xf

So, check this out. The lone parameter to UnhandledExceptionFilter is an EXCEPTION_POINTERS* structure, right?

0:010> dd 0ccccccc l2
0ddddddd  0bbbbbbb 0aaaaaaa

In the EXCEPTION_POINTERS struct, the first field is the EXCEPTION_RECORD (0bbbbbbb) while the second is the CONTEXT_RECORD (0aaaaaaa). However, in the call to KiUserExceptionDispatcher, these arguments appear the opposite way. Not to mention the fact that 0eeeeeee is NOT the first parameter to KiUserExceptionDispatcher, but 0ccccccc IS the first parameter to UnhandledExceptionFilter.

I am SO confused!

  • I'm not sure the prototype for KiUserExceptionDispatcher that you linked is correct. I believe it is actually VOID KiUserExceptionDispatcher(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT Context). In that case 01111111 is the exception record and 04444444 is the context record. Commented May 19, 2017 at 17:50
  • This source and this source seem to back that up. Commented May 19, 2017 at 17:51
  • @SeanCline Well, the pseudo-code I linked to is from Ken Johnson, who is not only a Microsoftie but someone very well known in the Windows internals world. Anyway, even if you swap these arguments, the issue here is that 01111111 is not the first. The first argument starts from 04444444. That is the part I am trying to understand. Commented May 19, 2017 at 18:13
  • From when is that pseudo code? It doesn't have a date. Commented May 19, 2017 at 19:55
  • Would you mind posting a real WinDbg output? The kb command shows much more. Are you sure it's not a copy/paste issue? I also wonder about the +0xf offset. Ain't that too near the beginning of the method? Commented May 19, 2017 at 20:00

1 Answer


Windows 7 x86 32-bit machine
winkey + r -> windbg calc
bp ntdll!KiUserExceptionDispatcher
F5, then divide 0/0 in Calculator to raise an exception

(ac8.c8c): C++ EH exception - code e06d7363 (first chance)
Breakpoint 0 hit
eax=0023e1ec ebx=02b12fd0 ecx=00000003 edx=00000000 esi=02b13178 edi=00000001
eip=76e77048 esp=0023dee0 ebp=0023e23c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiUserExceptionDispatcher:
76e77048 fc              cld

Your post shows the return address to be +0xf, so let's see what's up to that point:

0:000> u . .+f
ntdll!KiUserExceptionDispatcher:
76e77048 fc              cld
76e77049 8b4c2404        mov     ecx,dword ptr [esp+4]
76e7704d 8b1c24          mov     ebx,dword ptr [esp]
76e77050 51              push    ecx
76e77051 53              push    ebx
76e77052 e85d88fdff      call    ntdll!RtlDispatchException (76e4f8b4)
76e77057 0ac0            or      al,al

So, from your call stack, it appears you have broken after entering RtlDispatchException.

Breaking to enter the call:

0:000> tc
eax=0023e1ec ebx=0023dee8 ecx=0023df08 edx=00000000 esi=02b13178 edi=00000001
eip=76e77052 esp=0023ded8 ebp=0023e23c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiUserExceptionDispatcher+0xa:
76e77052 e85d88fdff      call    ntdll!RtlDispatchException (76e4f8b4)


0:000> t
eax=0023e1ec ebx=0023dee8 ecx=0023df08 edx=00000000 esi=02b13178 edi=00000001
eip=76e4f8b4 esp=0023ded4 ebp=0023e23c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!RtlDispatchException:
76e4f8b4 8bff            mov     edi,edi

Looking at the stack: if you ask WinDbg to be verbose, it will even decipher the context for you.

0:000> kb 3
 # ChildEBP RetAddr  Args to Child              
00 0023ded0 76e77057 0023dee8 0023df08 0023dee8 ntdll!RtlDispatchException
01 0023ded0 7521b760 0023dee8 0023df08 0023dee8 ntdll!KiUserExceptionDispatcher+0xf
02 0023e23c 7579359c e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
0:000> kv 3
 # ChildEBP RetAddr  Args to Child              
00 0023ded0 76e77057 0023dee8 0023df08 0023dee8 ntdll!RtlDispatchException (FPO: [Non-Fpo])
01 0023ded0 7521b760 0023dee8 0023df08 0023dee8 ntdll!KiUserExceptionDispatcher+0xf (FPO: [2,0,0]) (CONTEXT @ 0023df08)
02 0023e23c 7579359c e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58 (FPO: [Non-Fpo])

.exr output

0:000> .exr poi(@esp+4)
ExceptionAddress: 7521b760 (KERNELBASE!RaiseException+0x00000058)
   ExceptionCode: e06d7363 (C++ EH exception)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 19930520
   Parameter[1]: 0023e294
   Parameter[2]: 007c15b4
unable to find C-Runtime symbols, even with unqualified search

Context record output

0:000> dt ntdll!_CONTEXT poi(@esp+8)
   +0x000 ContextFlags     : 0x1003f
   +0x004 Dr0              : 0
   +0x008 Dr1              : 0
   +0x00c Dr2              : 0
   +0x010 Dr3              : 0
   +0x014 Dr6              : 0
   +0x018 Dr7              : 0
   +0x01c FloatSave        : _FLOATING_SAVE_AREA
   +0x08c SegGs            : 0
   +0x090 SegFs            : 0x3b
   +0x094 SegEs            : 0x23
   +0x098 SegDs            : 0x23
   +0x09c Edi              : 1
   +0x0a0 Esi              : 0x2b13178
   +0x0a4 Ebx              : 0x2b12fd0
   +0x0a8 Edx              : 0
   +0x0ac Ecx              : 3
   +0x0b0 Eax              : 0x23e1ec
   +0x0b4 Ebp              : 0x23e23c
   +0x0b8 Eip              : 0x7521b760
   +0x0bc SegCs            : 0x1b
   +0x0c0 EFlags           : 0x202
   +0x0c4 Esp              : 0x23e1ec
   +0x0c8 SegSs            : 0x23
   +0x0cc ExtendedRegisters : [512]  "???"

You can even get both by using .exptr (note you may need to reset the context to the default scope using .cxr after using this command):

0:000> .exptr (@esp+4)

----- Exception record at 0023dee8:
ExceptionAddress: 7521b760 (KERNELBASE!RaiseException+0x00000058)
   ExceptionCode: e06d7363 (C++ EH exception)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 19930520
   Parameter[1]: 0023e294
   Parameter[2]: 007c15b4
unable to find C-Runtime symbols, even with unqualified search

----- Context record at 0023df08:
eax=0023e1ec ebx=02b12fd0 ecx=00000003 edx=00000000 esi=02b13178 edi=00000001
eip=7521b760 esp=0023e1ec ebp=0023e23c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
KERNELBASE!RaiseException+0x58:
7521b760 c9              leave


0:000> kb 3
 # ChildEBP RetAddr  Args to Child              
00 0023e23c 7579359c e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
01 0023e274 0079eee0 0023e294 007c15b4 02b13178 msvcrt!_CxxThrowException+0x48
02 0023e288 0079146e 02b13178 80000002 c87a3f02 calc!divrat+0x69

0:000> .cxr
Resetting default scope

0:000> kb 3
 # ChildEBP RetAddr  Args to Child              
00 0023ded0 76e77057 0023dee8 0023df08 0023dee8 ntdll!RtlDispatchException
01 0023ded0 7521b760 0023dee8 0023df08 0023dee8 ntdll!KiUserExceptionDispatcher+0xf
02 0023e23c 7579359c e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58

Hope this suffices for you to research your specific situation on your own, since you can't divulge the actual WinDbg stack trace.
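As an added worked example (not code from the question, the answer, or Microsoft): the C program below models the 32-bit EXCEPTION_RECORD, CONTEXT and EXCEPTION_POINTERS layouts this thread relies on, with the CONTEXT offsets taken from the answer's dt ntdll!_CONTEXT output, and pulls the two pointers out of a raw memory image the way the answer does with poi(@esp+4) / poi(@esp+8) and the way the question's UPDATE does from UnhandledExceptionFilter's EXCEPTION_POINTERS* argument. The memory image is constructed from the addresses and values in the answer's session (esp 0023ded4 on entry to RtlDispatchException, record at 0023dee8, context at 0023df08); the EXCEPTION_POINTERS placed at 0023dec8 is a hypothetical addition, since the answer's session never reaches UnhandledExceptionFilter. The records_consistent check is what "displays sane output" amounts to in code: the context's Eip must equal the record's ExceptionAddress, which holds for the right pair and fails for the swapped pair or for pointers read one dword too early, the situation the question describes.

```c
/* Added example, not code from the question or the answer: a model of the 32-bit
 * structures in the WinDbg output above and a "manual .exr/.cxr" over a raw memory image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                       /* 32-bit EXCEPTION_RECORD, 0x50 bytes */
    uint32_t ExceptionCode, ExceptionFlags, ExceptionRecord, ExceptionAddress;
    uint32_t NumberParameters, ExceptionInformation[15];
} EXCEPTION_RECORD32;
typedef struct {                       /* 32-bit CONTEXT, as dt ntdll!_CONTEXT lists it */
    uint32_t ContextFlags, Dr[6];      /* Dr0-Dr3, Dr6, Dr7 */
    uint8_t  FloatSave[0x70];          /* _FLOATING_SAVE_AREA, so SegGs lands at 0x8c */
    uint32_t SegGs, SegFs, SegEs, SegDs, Edi, Esi, Ebx, Edx, Ecx, Eax;
    uint32_t Ebp, Eip, SegCs, EFlags, Esp, SegSs;   /* Eip at 0xb8, Esp at 0xc4 */
    uint8_t  ExtendedRegisters[512];
} CONTEXT32;
typedef struct { uint32_t ExceptionRecord, ContextRecord; } EXCEPTION_POINTERS32;

/* Flat memory image covering [base, base + len); little-endian host assumed. */
typedef struct { uint32_t base; size_t len; uint8_t *bytes; } Image;
static int read32(const Image *img, uint32_t addr, uint32_t *out) {
    if (addr < img->base || (uint64_t)addr - img->base + 4 > img->len) return 0;
    memcpy(out, img->bytes + (addr - img->base), 4);
    return 1;
}
static int write32(const Image *img, uint32_t addr, uint32_t v) {
    if (addr < img->base || (uint64_t)addr - img->base + 4 > img->len) return 0;
    memcpy(img->bytes + (addr - img->base), &v, 4);
    return 1;
}

/* At the KiUserExceptionDispatcher breakpoint [esp] = record and [esp+4] = context. On
 * entry to RtlDispatchException the return address KiUserExceptionDispatcher+0xf sits at
 * [esp] and the same two pointers, pushed again by the prologue shown above, follow it. */
int records_at_dispatch_entry(const Image *img, uint32_t esp, uint32_t *exr, uint32_t *ctx) {
    return read32(img, esp + 4, exr) && read32(img, esp + 8, ctx);
}
/* From the EXCEPTION_POINTERS* handed to UnhandledExceptionFilter: record first. */
int records_from_exception_pointers(const Image *img, uint32_t p, uint32_t *exr, uint32_t *ctx) {
    return read32(img, p + offsetof(EXCEPTION_POINTERS32, ExceptionRecord), exr) &&
           read32(img, p + offsetof(EXCEPTION_POINTERS32, ContextRecord), ctx);
}
/* Manual .exr: the 5-dword header plus only NumberParameters entries. In the answer's dump
 * the CONTEXT begins 0x20 bytes after the record, right after its three parameters. */
int decode_exception_record(const Image *img, uint32_t addr, EXCEPTION_RECORD32 *r) {
    uint32_t *w = (uint32_t *)r;
    memset(r, 0, sizeof *r);
    for (uint32_t i = 0; i < 5; i++) if (!read32(img, addr + 4 * i, &w[i])) return 0;
    if (r->NumberParameters > 15) return 0;                 /* not a plausible record */
    for (uint32_t i = 0; i < r->NumberParameters; i++)
        if (!read32(img, addr + 0x14 + 4 * i, &r->ExceptionInformation[i])) return 0;
    return 1;
}
/* "Displays sane output" as a check: ContextFlags carry CONTEXT_i386 (0x10000) and the
 * context's Eip equals the record's ExceptionAddress. Swapped pointers fail this. */
int records_consistent(const Image *img, uint32_t exr, uint32_t ctx) {
    EXCEPTION_RECORD32 r; uint32_t flags, eip;
    return decode_exception_record(img, exr, &r) &&
           read32(img, ctx + offsetof(CONTEXT32, ContextFlags), &flags) &&
           read32(img, ctx + offsetof(CONTEXT32, Eip), &eip) &&
           (flags & 0xffff0000u) == 0x00010000u && eip == r.ExceptionAddress;
}

/* Constructed sample using the answer's addresses and values. The EXCEPTION_POINTERS at
 * 0023dec8 is a hypothetical addition for the UnhandledExceptionFilter path. */
#define IMG_BASE 0x0023dec8u
#define IMG_LEN  (0x0023df08u + sizeof(CONTEXT32) - IMG_BASE)
static uint8_t sample_bytes[IMG_LEN];
Image build_sample(void) {
    Image img = { IMG_BASE, IMG_LEN, sample_bytes };
    static const uint32_t words[] = {
        0x0023dee8, 0x0023df08,            /* 0023dec8: EXCEPTION_POINTERS {record, context} */
        0x00000000, 0x76e77057,            /* 0023ded0: unused; 0023ded4: return address */
        0x0023dee8, 0x0023df08,            /* 0023ded8: args pushed for RtlDispatchException */
        0x0023dee8, 0x0023df08,            /* 0023dee0: [esp], [esp+4] at the KiUser breakpoint */
        0xe06d7363, 1, 0, 0x7521b760, 3,   /* 0023dee8: EXCEPTION_RECORD header, per .exr */
        0x19930520, 0x0023e294, 0x007c15b4 /* 0023defc: its three parameters */
    };
    memset(sample_bytes, 0, sizeof sample_bytes);
    for (uint32_t i = 0; i < sizeof words / sizeof words[0]; i++)
        write32(&img, IMG_BASE + 4 * i, words[i]);
    write32(&img, 0x0023df08u + offsetof(CONTEXT32, ContextFlags), 0x0001003fu); /* CONTEXT_ALL */
    write32(&img, 0x0023df08u + offsetof(CONTEXT32, Eax), 0x0023e1ecu);          /* per dt above */
    write32(&img, 0x0023df08u + offsetof(CONTEXT32, Ebp), 0x0023e23cu);
    write32(&img, 0x0023df08u + offsetof(CONTEXT32, Eip), 0x7521b760u);          /* RaiseException+0x58 */
    write32(&img, 0x0023df08u + offsetof(CONTEXT32, Esp), 0x0023e1ecu);
    return img;
}

int main(void) {
    Image img = build_sample();
    uint32_t exr, ctx, eip; EXCEPTION_RECORD32 r;
    if (!records_at_dispatch_entry(&img, 0x0023ded4, &exr, &ctx) || !decode_exception_record(&img, exr, &r) ||
        !read32(&img, ctx + offsetof(CONTEXT32, Eip), &eip)) return 1;
    printf("record %08x: code %08x at %08x; context %08x: eip %08x; consistent=%d\n",
           exr, r.ExceptionCode, r.ExceptionAddress, ctx, eip, records_consistent(&img, exr, ctx));
    return 0;
}
```

It builds with any C99 compiler and needs no Windows headers; the only host assumption is little-endian byte order for the image. Against a real dump you would fill the Image from a memory read around the esp that kb reports for the RtlDispatchException frame instead of calling build_sample, and the same records_consistent check tells you whether the first displayed "Args to Child" value is a real argument or the stray dword the question ran into.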


1 Comment

blabb (you should really change your name :-)): thanks a ton for this! I was doing similar experimentation to understand this better but I like your short cuts (poi(@esp+4)). Thanks once again!
