Interrupts and Exceptions Explained 91
So finally we get our stack trace:
0: kd> k L=0012f968 0012f934 00469583 100
ChildEBP RetAddr
0012f930 00469a16 processA!LPtoDP+0x19
0012f968 0046915d processA!GetColumnWidth+0x45
0012f998 0047cb72 processA!CalculateClientSizeFromPoint+0x5f
0012f9bc 0047cc1d processA!CalculateFromPoint+0x30
0012fa64 0047de83 processA!DrawUsingMemDC+0x1b9
0012fac0 0099fb43 processA!OnDraw+0x13
0012fb5c 7c17332d processA!OnPaint+0x56
0012fbe8 7c16e0b0 MFC71!CWnd::OnWndMsg+0x340
0012fc08 00c6253a MFC71!CWnd::WindowProc+0x22
0012fc24 0096cf9d processA!WindowProc+0x38
0012fcb8 7c16e1b8 MFC71!AfxCallWndProc+0x91
0012fcd8 7c16e1f6 MFC71!AfxWndProc+0x46
0012fd04 7739b6e3 MFC71!AfxWndProcBase+0x39
0012fd30 7739b874 USER32!InternalCallWinProc+0x28
0012fda8 7739c8b8 USER32!UserCallWinProcCheckWow+0x151
0012fe04 7739c9c6 USER32!DispatchClientMessage+0xd9
0012fe2c 7c828536 USER32!__fnDWORD+0x24
0012fe2c 80832dee ntdll!KiUserCallbackDispatcher+0x2e
f44dcbf0 8092d605 nt!KiCallUserMode+0x4
f44dcc48 bf8a26d3 nt!KeUserModeCallback+0x8f
f44dcccc bf89e985 win32k!SfnDWORD+0xb4
f44dcd0c bf89eb27 win32k!xxxDispatchMessage+0x223
f44dcd58 80833bdf win32k!NtUserDispatchMessage+0x4c
f44dcd58 7c8285ec nt!KiFastCallEntry+0xfc
0012fe2c 7c828536 ntdll!KiFastSystemCallRet
0012fe58 7739c57b ntdll!KiUserCallbackDispatcher+0x2e
0012fea8 773a16e5 USER32!NtUserDispatchMessage+0xc
e088bb3e mov fs,bx
e088bb41 mov ebx,dword ptr fs:[0]
e088bb48 push ebx
e088bb49 sub esp,4
e088bb4c push eax
e088bb4d push ecx
e088bb4e push edx
e088bb4f push ds
e088bb50 push es
e088bb51 push gs
e088bb53 mov ax,23h
e088bb57 sub esp,30h
e088bb5a mov ds,ax
e088bb5d mov es,ax
e088bb60 mov ebp,esp
e088bb62 test dword ptr [esp+70h],20000h
e088bb6a jne nt!V86_kite_a (e088bb04)
...
...
...
The saved processor state (the register context) forms the so-called Windows
kernel trap frame:
3: kd> dt _KTRAP_FRAME
+0x000 DbgEbp : Uint4B
+0x004 DbgEip : Uint4B
+0x008 DbgArgMark : Uint4B
+0x00c DbgArgPointer : Uint4B
+0x088 V86Gs : Uint4B
This Windows trap frame is not the same as the interrupt frame the processor itself pushes
on the current thread stack when an interrupt or exception occurs in kernel mode. That hardware
frame is very small: EIP, CS and EFLAGS, plus an error code for the exceptions that supply one
(a page fault or general protection fault does, a divide error does not). When the interrupt
occurs in user mode the x86 processor switches to the kernel stack and therefore additionally
saves the user stack pointer SS:ESP.
The .trap command takes the address of a trap frame on the current thread stack and sets the
current thread register context from the values saved in that structure. We can see the command
in action for certain bugchecks when we use the !analyze -v command, which locates the trap
frame and prints the .trap invocation to use:
94 PART 2: Professional Crash Dump Analysis
3: kd> !analyze -v
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
...
...
...
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: de65190c, The address that the exception occurred at
Arg3: f24f8a74, Trap Frame
Arg4: 00000000
…
…
…
TRAP_FRAME: f24f8a74 -- (.trap fffffffff24f8a74)
.trap fffffffff24f8a74
ErrCode = 00000000
eax=dbc128c0 ebx=dbe4a010 ecx=f24f8ac4 edx=00000001 esi=46525356
edi=00000000
eip=de65190c esp=f24f8ae8 ebp=f24f8b18 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
+0x054 Edi : 0
+0x058 Esi : 0x46525356
+0x05c Ebx : 0xdbe4a010
+0x060 Ebp : 0xf24f8b18
+0x064 ErrCode : 0
+0x068 Eip : 0xde65190c ; driver!foo+0x16
+0x06c SegCs : 8
+0x070 EFlags : 0x10206
+0x074 HardwareEsp : 0xdbc171b0
+0x078 HardwareSegSs : 0xde667677
+0x07c V86Es : 0xdbc128c0
+0x080 V86Ds : 0xdbc171c4
+0x084 V86Fs : 0xf24f8bc4
+0x088 V86Gs : 0
It is good to know how to find a trap frame manually when the stack is corrupt or
WinDbg cannot find a trap frame automatically. In this case we can take advantage
of the fact that the DS and ES segment registers hold the same selector value in the
Windows flat memory model, and that they are stored next to each other in the frame:
+0x034 SegEs : 0x23
+0x038 SegDs : 0x23
We need to find two consecutive 0x23 values on the stack. There may be several
such places, but usually the correct one lies between a KiTrapXX return address on the stack
and the initial processor trap frame shown below. This is because KiTrapXX calls other
functions to process the interrupt further, so its return address is saved on the stack.
Since SegDs sits at offset 0x38, the address of the second 0x23 minus 0x38 is the frame base.
3: kd> r
eax=f535713c ebx=de65190c ecx=00000000 edx=e088e1d2 esi=f5357120
edi=00000000
f24f8a64 00000000
f24f8a68 46525372
f24f8a6c 00000000
f24f8a70 e0889686 nt!Kei386EoiHelper+0x186
f24f8a74 f24f8b18
f24f8a78 de65190c driver!foo+0x16
f24f8a7c badb0d00
f24f8a80 00000001
f24f8a84 0b0501cd
f24f8a88 dcc01cd0
f24f8a8c f24f8aa8
f24f8a90 de46c90a win32k!HANDLELOCK::vLockHandle+0x80
f24f8a94 00000000
f24f8a98 00000000
f24f8a9c dbe4a000
f24f8aa0 00000000
f24f8aa4 00000000
f24f8aa8 00000023
f24f8aac 00000023
f24f8ab0 00000001
f24f8ab4 f24f8ac4
f24f8ab8 dbc128c0
f24f8abc dbe4a010
f24f8ac0 ffffffff
f24f8ac4 00000030
f24f8ac8 00000000
f24f8acc 46525356
f24f8ad0 dbe4a010
f24f8ad4 f24f8b18
f24f8ad8 00000000
+0x030 SegGs : 0
+0x034 SegEs : 0x23
+0x038 SegDs : 0x23
+0x03c Edx : 1
+0x040 Ecx : 0xf24f8ac4
+0x044 Eax : 0xdbc128c0
+0x048 PreviousPreviousMode : 0xdbe4a010
+0x04c ExceptionList : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
+0x050 SegFs : 0x30
+0x054 Edi : 0
+0x058 Esi : 0x46525356
+0x05c Ebx : 0xdbe4a010
+0x060 Ebp : 0xf24f8b18
+0x064 ErrCode : 0
+0x068 Eip : 0xde65190c
+0x06c SegCs : 8
+0x070 EFlags : 0x10206
+0x074 HardwareEsp : 0xdbc171b0
+0x078 HardwareSegSs : 0xde667677
+0x07c V86Es : 0xdbc128c0
+0x080 V86Ds : 0xdbc171c4
+0x084 V86Fs : 0xf24f8bc4
+0x088 V86Gs : 0
3: kd> ? f24f8aac-38
Evaluate expression: -229668236 = f24f8a74
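The same search done programmatically, as an added example that is not part of the original page: a Python script parses dds-style output, finds every 0x23/0x23 pair, subtracts 0x38 exactly as the ? f24f8aac-38 step does, and then checks the candidate against the DbgArgMark signature (the badb0d00 at base+8 in the dump above) and the CS and FS selector values seen in the r output, checks the text does not make. The sample dump is constructed: the page's own stack lines, the remaining frame dwords filled in from the dt output above so the whole 0x8c-byte frame is readable, and a decoy 0x23 pair just above the frame that the checks must reject. Treat the DbgArgMark test as a plausibility check, not a guarantee.

```python
"""Locate an x86 _KTRAP_FRAME in dds output by the 0x23/0x23 (SegEs/SegDs) pattern."""
import re

# Offsets as printed by "dt _KTRAP_FRAME" on x86 (only the fields shown on the page).
X86_KTRAP_FRAME = {
    0x000: "DbgEbp", 0x004: "DbgEip", 0x008: "DbgArgMark", 0x00c: "DbgArgPointer",
    0x030: "SegGs", 0x034: "SegEs", 0x038: "SegDs", 0x03c: "Edx", 0x040: "Ecx",
    0x044: "Eax", 0x048: "PreviousPreviousMode", 0x04c: "ExceptionList",
    0x050: "SegFs", 0x054: "Edi", 0x058: "Esi", 0x05c: "Ebx", 0x060: "Ebp",
    0x064: "ErrCode", 0x068: "Eip", 0x06c: "SegCs", 0x070: "EFlags",
    0x074: "HardwareEsp", 0x078: "HardwareSegSs", 0x07c: "V86Es", 0x080: "V86Ds",
    0x084: "V86Fs", 0x088: "V86Gs",
}
DBG_ARG_MARK = 0xBADB0D00   # the badb0d00 at base+8 in the page's dump
FLAT_DATA_SEL = 0x23        # ds/es in the flat model (SegEs at +0x34, SegDs at +0x38)
CODE_SELS = {0x08, 0x1b}    # kernel / user CS values from the page's r output
FS_SELS = {0x30, 0x3b}      # kernel / user FS values from the page's r output

DDS_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})")

def parse_dds(text):
    """'address value [symbol]' lines -> {address: dword}; other lines are skipped."""
    mem = {}
    for line in text.splitlines():
        m = DDS_LINE.match(line)
        if m:
            mem[int(m.group(1), 16)] = int(m.group(2), 16)
    return mem

def looks_like_trap_frame(mem, base):
    """Checks beyond the selector pair; an unreadable dword (None) fails the check."""
    return (mem.get(base + 0x008) == DBG_ARG_MARK
            and mem.get(base + 0x06c) in CODE_SELS
            and mem.get(base + 0x050) in FS_SELS)

def find_trap_frames(mem):
    """All validated frame bases, lowest address first."""
    bases = []
    for addr in sorted(mem):
        if mem[addr] == FLAT_DATA_SEL and mem.get(addr + 4) == FLAT_DATA_SEL:
            base = (addr + 4) - 0x038      # addr+4 is SegDs: the '? addr-38' step
            if looks_like_trap_frame(mem, base):
                bases.append(base)
    return bases

def decode_trap_frame(mem, base):
    """Field name -> value, the view 'dt _KTRAP_FRAME base' would print."""
    return {name: mem.get(base + off) for off, name in X86_KTRAP_FRAME.items()}

# Constructed sample: the page's dds lines, then the rest of the frame filled in
# from the page's dt output so the whole frame is readable, then a decoy
# 0x23/0x23 pair at f24f8b00/f24f8b04 that the checks must reject.
SAMPLE_DDS = """
f24f8a64 00000000
f24f8a68 46525372
f24f8a6c 00000000
f24f8a70 e0889686 nt!Kei386EoiHelper+0x186
f24f8a74 f24f8b18
f24f8a78 de65190c driver!foo+0x16
f24f8a7c badb0d00
f24f8a80 00000001
f24f8a84 0b0501cd
f24f8a88 dcc01cd0
f24f8a8c f24f8aa8
f24f8a90 de46c90a win32k!HANDLELOCK::vLockHandle+0x80
f24f8a94 00000000
f24f8a98 00000000
f24f8a9c dbe4a000
f24f8aa0 00000000
f24f8aa4 00000000
f24f8aa8 00000023
f24f8aac 00000023
f24f8ab0 00000001
f24f8ab4 f24f8ac4
f24f8ab8 dbc128c0
f24f8abc dbe4a010
f24f8ac0 ffffffff
f24f8ac4 00000030
f24f8ac8 00000000
f24f8acc 46525356
f24f8ad0 dbe4a010
f24f8ad4 f24f8b18
f24f8ad8 00000000
f24f8adc de65190c
f24f8ae0 00000008
f24f8ae4 00010206
f24f8ae8 dbc171b0
f24f8aec de667677
f24f8af0 dbc128c0
f24f8af4 dbc171c4
f24f8af8 f24f8bc4
f24f8afc 00000000
f24f8b00 00000023
f24f8b04 00000023
"""

if __name__ == "__main__":
    mem = parse_dds(SAMPLE_DDS)
    for base in find_trap_frames(mem):
        print(f"{base:08x}", decode_trap_frame(mem, base))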
3: kd> .trap f24f8a74
ErrCode = 00000000
ErrCode = 00000000
eax=7ffff000 ebx=00000000 ecx=00000000 edx=7c94ed54 esi=00532e68
edi=0002002c
eip=7c94ed54 esp=0006e490 ebp=0006e53c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
001b:7c94ed54 c3 ret
3: kd> kL
ChildEBP RetAddr
0006e48c 77e34f1d ntdll!KiFastSystemCallRet
0006e53c 77e2f12f USER32!NtUserShowWindow+0xc
0006e570 77e2b0fe USER32!InternalDialogBox+0xa9
0006e590 77e29005 USER32!DialogBoxIndirectParamAorW+0x37
0006e5b4 0103d569 USER32!DialogBoxParamW+0x3f
0006e5d8 0102d2f5 winlogon!Fusion_DialogBoxParam+0x24
TRAP COMMAND ON X64
Now I show how to simulate the .trap WinDbg command when we have an x64 Windows
kernel or complete memory dump.
When a fault occurs, an x64 processor saves some registers on the current thread
stack, as explained in the x64 Interrupts article (page 76): SS, RSP, RFLAGS, CS and RIP,
followed by an error code for the exceptions that supply one (a page fault does). Then the
interrupt handler saves a _KTRAP_FRAME on the stack:
6: kd> uf nt!KiPageFault
nt!KiPageFault:
fffff800`0102d400 push rbp
+0x060 R11 : Uint8B
+0x068 GsBase : Uint8B
+0x068 GsSwap : Uint8B
+0x070 Xmm0 : _M128A
+0x080 Xmm1 : _M128A
+0x090 Xmm2 : _M128A
+0x0a0 Xmm3 : _M128A
+0x0b0 Xmm4 : _M128A
+0x0c0 Xmm5 : _M128A
+0x0d0 FaultAddress : Uint8B
+0x0d0 ContextRecord : Uint8B
+0x0d0 TimeStamp : Uint8B
+0x0d8 Dr0 : Uint8B
+0x0e0 Dr1 : Uint8B
+0x0e8 Dr2 : Uint8B
+0x0f0 Dr3 : Uint8B
+0x0f8 Dr6 : Uint8B
+0x100 Dr7 : Uint8B
+0x108 DebugControl : Uint8B
+0x110 LastBranchToRip : Uint8B
+0x118 LastBranchFromRip : Uint8B
+0x120 LastExceptionToRip : Uint8B
+0x128 LastExceptionFromRip : Uint8B
+0x108 LastBranchControl : Uint8B
+0x110 LastBranchMSR : Uint4B
+0x130 SegDs : Uint2B
+0x132 SegEs : Uint2B
+0x134 SegFs : Uint2B
6: kd> r ss
ss=0018
6: kd> k
Child-SP RetAddr Call Site
fffffadc`6e02b9e8 fffff800`013731b1 nt!KeBugCheckEx
…
…
…
fffffadc`6e02cd70 fffff800`010202d6 nt!PspSystemThreadStartup+0x3e
fffffadc`6e02cdd0 00000000`00000000 nt!KxStartSystemThread+0x16
6: kd> dqs fffffadc`6e02b9e8 fffffadc`6e02cd70
...
...
...
fffffadc`6e02c938 fffff800`0102d5e1 nt!KiPageFault+0x1e1
...
...
...
fffffadc`6e02ca70 fffff97f`f3937a8c
fffffadc`6e02ca78 fffff97f`ff57d28b driver+0x3028b
fffffadc`6e02ca80 00000000`00000000
fffffadc`6e02ca88 fffff97f`f3937030
fffffadc`6e02ca90 fffff97f`ff5c2990 driver+0x75990
fffffadc`6e02ca98 00000000`00000000
fffffadc`6e02caa0 00000000`00000000 ; ErrorCode
fffffadc`6e02caa8 fffff97f`ff591ed3 driver+0x44ed3 ; RIP
fffffadc`6e02cab0 00000000`00000010 ; CS
fffffadc`6e02cab8 00000000`00010282 ; RFLAGS
fffffadc`6e02cac0 fffffadc`6e02cad0 ; RSP
fffffadc`6e02cac8 00000000`00000018 ; SS
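Simulating .trap on x64 in code, as an added example that is not part of the original page: the script scans a dqs dump for the frame the processor pushed, using the CS=0x10 and SS=0x18 values from the dump and the r ss output above. The two selectors must lie 0x18 bytes apart, with a canonical kernel RIP, a canonical RSP above the frame and an RFLAGS value with the always-set reserved bit 1 (0x10282 has it) between them. The +0x160 offset of ErrorCode inside the x64 _KTRAP_FRAME is an assumption taken from the public structure layout, since the page's dt listing stops at +0x134. The sample is the annotated tail of the page's dqs output entered as (address, value) pairs.

```python
"""Simulate .trap on x64 from a dqs stack dump: find the frame the processor
pushed on a fault (ErrorCode, RIP, CS, RFLAGS, RSP, SS) and recover the
_KTRAP_FRAME base from it."""

HW_FRAME = ("ErrorCode", "Rip", "SegCs", "EFlags", "Rsp", "SegSs")  # low -> high address
KERNEL_CS, KERNEL_SS = 0x10, 0x18   # values in the page's dqs output and 'r ss'
RFLAGS_RESERVED1 = 1 << 1           # always set in RFLAGS; 0x10282 has it
# ASSUMPTION (the page's dt listing stops at +0x134): in the public x64 _KTRAP_FRAME
# layout the hardware-pushed ErrorCode is at +0x160, so base = ErrorCode - 0x160.
ERRORCODE_OFFSET = 0x160

def is_kernel_canonical(addr):
    """Upper-half canonical address: the top 17 bits are all set."""
    return addr >> 47 == 0x1FFFF

def find_hw_frames(mem):
    """Addresses of ErrorCode slots that start a plausible kernel-mode hardware frame."""
    found = []
    for addr in sorted(mem):
        if mem[addr] != KERNEL_CS or mem.get(addr + 0x18) != KERNEL_SS:
            continue                          # CS and SS are 0x18 bytes apart
        ec = addr - 0x10                      # ErrorCode, RIP, then CS
        rip, rflags, rsp = mem.get(ec + 8), mem.get(addr + 8), mem.get(addr + 0x10)
        if None in (rip, rflags, rsp):
            continue
        if (rflags & RFLAGS_RESERVED1 and is_kernel_canonical(rip)
                and is_kernel_canonical(rsp) and rsp > ec):   # pre-fault RSP is above the frame
            found.append(ec)
    return found

def simulate_trap(mem, ec):
    """What '.trap' would show for this frame, plus the derived _KTRAP_FRAME base."""
    regs = {name: mem[ec + 8 * i] for i, name in enumerate(HW_FRAME)}
    regs["TrapFrame"] = ec - ERRORCODE_OFFSET
    return regs

# Constructed sample: the annotated tail of the page's dqs output as (address, qword) pairs.
SAMPLE_DQS = [
    (0xfffffadc6e02ca70, 0xfffff97ff3937a8c),
    (0xfffffadc6e02ca78, 0xfffff97fff57d28b),   # driver+0x3028b
    (0xfffffadc6e02ca80, 0x0000000000000000),
    (0xfffffadc6e02ca88, 0xfffff97ff3937030),
    (0xfffffadc6e02ca90, 0xfffff97fff5c2990),   # driver+0x75990
    (0xfffffadc6e02ca98, 0x0000000000000000),
    (0xfffffadc6e02caa0, 0x0000000000000000),   # ErrorCode
    (0xfffffadc6e02caa8, 0xfffff97fff591ed3),   # RIP  driver+0x44ed3
    (0xfffffadc6e02cab0, 0x0000000000000010),   # CS
    (0xfffffadc6e02cab8, 0x0000000000010282),   # RFLAGS
    (0xfffffadc6e02cac0, 0xfffffadc6e02cad0),   # RSP
    (0xfffffadc6e02cac8, 0x0000000000000018),   # SS
]

if __name__ == "__main__":
    mem = dict(SAMPLE_DQS)
    for ec in find_hw_frames(mem):
        for name, value in simulate_trap(mem, ec).items():
            print(f"{name:<10} {value:016x}")
```

With that assumption the derived base is fffffadc`6e02c940, eight bytes above the nt!KiPageFault+0x1e1 return address at fffffadc`6e02c938 in the dump above, which is where a trap frame built by KiPageFault before it calls further into the kernel is expected to start.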