Minidump Analysis 61
0: kd> lmv m dxg
start end module name
bf9c3000 bf9d4580 dxg (pdb symbols)
Loaded symbol image file: dxg.sys
Mapped memory image file: c:\websymbols\dxg.sys\41107B9311580\dxg.sys
Image path: dxg.sys
Image name: dxg.sys
Timestamp: Wed Aug 04 07:00:51 2004 (41107B93)
CheckSum: 0001D181
ImageSize: 00011580
File version: 5.1.2600.2180
Product version: 5.1.2600.2180
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: dxg.sys
OriginalFilename: dxg.sys
ProductVersion: 5.1.2600.2180
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
FileDescription: DirectX Graphics Driver
LegalCopyright: © Microsoft Corporation. All rights reserved.
0: kd> lmv m win32k
start end module name
bf800000 bf9c2180 win32k # (pdb symbols)
Loaded symbol image file: win32k.sys
Mapped memory image file:

following stack trace and crash address pointing to driver.sys module:
1: kd> kL
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be
wrong.
ba0fd0e4 bfabd64b driver+0×2df2a
ba0fd1c8 bf8b495d driver+0×1f64b
ba0fd27c bf9166ae win32k!NtGdiBitBlt+0×52d
ba0fd2d8 bf9168d0 win32k!TileWallpaper+0xd4
ba0fd2f8 bf826c83 win32k!xxxDrawWallpaper+0×50
ba0fd324 bf8651df win32k!xxxDesktopPaintCallback+0×48
ba0fd388 bf8280f3 win32k!xxxEnumDisplayMonitors+0×13a
ba0fd3d4 bf8283ab win32k!xxxInternalPaintDesktop+0×66
ba0fd3f8 80833bdf win32k!NtUserPaintDesktop+0×41
ba0fd3f8 7c9485ec nt!KiFastCallEntry+0xfc
1: kd> r
eax=000007d0 ebx=000007d0 ecx=00000086 edx=bfb371a3 esi=bc492000
edi=bfb3775b
eip=bfacbf2a esp=ba0fd0b8 ebp=ba0fd0e4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
driver+0×2df2a:
bfacbf2a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
es:0023:bfb3775b=e4405a64 ds:0023:bc492000=????????
Let’s get the timestamp of this module too:
1: kd> lmv m driver
start end module name
bfa9e000 bfb42a00 driver T (no symbols)
Loaded symbol image file: driver.sys
Image path: driver.sys
Image name: driver.sys

ba0fd324 bf8651df win32k!xxxDesktopPaintCallback+0×48
ba0fd388 bf8280f3 win32k!xxxEnumDisplayMonitors+0×13a
ba0fd3d4 bf8283ab win32k!xxxInternalPaintDesktop+0×66
ba0fd3f8 80833bdf win32k!NtUserPaintDesktop+0×41
ba0fd3f8 7c9485ec nt!KiFastCallEntry+0xfc
1: kd> r
eax=000007d0 ebx=000007d0 ecx=00000086 edx=bfb371a3 esi=bc492000
edi=bfb3775b
eip=bfacbf2a esp=ba0fd0b8 ebp=ba0fd0e4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
driver!ProcessBytes+0×18:
bfacbf2a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
es:0023:bfb3775b=e4405a64 ds:0023:bc492000=????????
Because WinDbg reports that it was unable to verify timestamp for driver.sys we
might want to double check the return address saved when ProcessBytes function was
called. If symbols are correct then disassembling the return address backwards will most
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Minidump Analysis 65
likely show ProcessObject function code and “call” instruction with ProcessBytes
address. Unfortunately minidumps don’t have code except for the currently executing
function:
1: kd> ub bfabc399
^ Unable to find valid previous instruction for 'ub
bfabc399'
1: kd> uf driver!ProcessObject
No code found, aborting
Therefore we need to point WinDbg to our driver.sys which contains executable
code. This can be done by specifying a path in Executable Image Search Path dialog
(File -> Image File Path …) or using .exepath WinDbg command.


bfabc387 57 push edi
bfabc388 40 inc eax
bfabc389 50 push eax
bfabc38a e861fb0000 call driver!convert (bfacbef0)
bfabc38f ff7508 push dword ptr [ebp+8]
bfabc392 57 push edi
bfabc393 50 push eax
bfabc394 e879fb0000 call driver!ProcessBytes (bfacbf12) Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Minidump Analysis 67

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
68 PART 2: Professional Crash Dump Analysis
INTERRUPTS AND EXCEPTIONS EXPLAINED
EXCEPTIONS AB INITIO
Where do native exceptions come from? How do they propagate from hardware
and eventually result in crash dumps? I was asking these questions when I started doing
crash dump analysis more than four years ago and I tried to find answers using IA-32
Intel® Architecture Software Developer’s Manual, WinDbg and complete memory
dumps. Let’s look at some findings.

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Interrupts and Exceptions Explained 69
X86 INTERRUPTS
How do exceptions happen in the first place and how does the execution flow
reach KiDispatchException function? When some abnormal condition happens such as a
breakpoint, division by zero or memory protection violation then the normal CPU execu-
tion flow (code stream) is interrupted (I use the terms “interrupt” and “exception”

808347d6 push edi
808347d7 push fs
808347d9 mov ebx,30h
808347de mov fs,bx
808347e0 mov ebx,dword ptr fs:[0]
808347e7 push ebx
...
...
...
...
Bf972586: idiv eax, ebx ; ebx = 0
...
1. Exception (Vector 0)
3. Transfer execution
2: Interrupt dIspatch
...
...
Vector 52
Vector b2
Vector 72Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
Interrupts and Exceptions Explained 71
When an exception happens, for example, divide by zero, CPU gets the address
of the procedure table from IDTR (Interrupt Descriptor Table Register). This IDT (Inter-
rupt Descriptor Table) is a zero-based array of 8-byte descriptors (x86) or 16-byte
descriptors (x64). CPU calculates the location of the necessary procedure to call and
does some necessary steps like saving appropriate registers before the call.
The same happens when some external I/O device interrupts. For I/O devices the

push EFLAGS
push CS
push EIP
push ErrorCode
EIP :=
IDT[VectorNumber].ExtendedOffset<<16 +
IDT[VectorNumber].Offset

Let’s see all this in some kernel memory dump. The address of IDT can be found
by using !pcr [processor number] command. Every processor on a multiprocessor ma-
chine has its own IDT:
0: kd> !pcr 0
KPCR for Processor 0 at ffdff000:
Major 1 Minor 1
NtTib.ExceptionList: f2178b8c
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80042000
NtTib.Version: 0005c645
NtTib.UserPointer: 00000001
NtTib.SelfTib: 7ffdf000
SelfPcr: ffdff000
Prcb: ffdff120
Irql: 0000001f
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 8003f400
GDT: 8003f000
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.