{"id":138,"date":"2009-08-26T03:46:31","date_gmt":"2009-08-26T07:46:31","guid":{"rendered":"http:\/\/www.cchsu.com\/art-en\/?p=138"},"modified":"2009-08-26T04:24:52","modified_gmt":"2009-08-26T08:24:52","slug":"the-first-step-of-windows-post-mortem-debugging","status":"publish","type":"post","link":"http:\/\/www.cchsu.com\/art-en\/2009\/08\/26\/138\/","title":{"rendered":"The First Step of Windows Post-Mortem Debugging"},"content":{"rendered":"<p>I&#8217;m starting a new series of posts talking about something I&#8217;ve learned in the past few years with respect to debugging.  You can find the sample code used in these articles on <a href=\"http:\/\/peonsamples.codeplex.com\" target=\"_blank\">Codeplex<\/a>.  (I use Codeplex instead of SourceForge simply because it is much faster for my network.  There is no endorsement by or affiliation with Microsoft.)<\/p>\n<p>Let&#8217;s start with the simplest program, HelloCrash.  Compiling and running this program produces a crash.<\/p>\n<p><a href=\"http:\/\/www.flickr.com\/photos\/24238190@N00\/3858664820\/\" class=\"tt-flickr tt-flickr-Small\" title=\"hellocrash1\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/farm4.static.flickr.com\/3548\/3858664820_8481b0ded8_m.jpg\" alt=\"hellocrash1\" width=\"240\" height=\"120\" \/><\/a><\/p>\n<p>Most users will click Close here, but that&#8217;s ok.  We can still find some traces in the Windows Logs under Application:<\/p>\n<p><a href=\"http:\/\/www.flickr.com\/photos\/24238190@N00\/3857876093\/\" class=\"tt-flickr tt-flickr-Medium\" title=\"hellocrash2\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/farm3.static.flickr.com\/2588\/3857876093_f915cb07d5.jpg\" alt=\"hellocrash2\" width=\"500\" height=\"349\" \/><\/a> <\/p>\n<p>This actually gives quite a bit of important information, as highlighted.  We can do some work here before jumping into dump collection and analysis.  
Interestingly, I&#8217;ve seen so many people put blind faith in memory dump analysis that they forget there are still <em>easy<\/em> ways of doing things \ud83d\ude42<\/p>\n<p>In this case, we have the module name and offset, which means we can find the crashing line directly from the map file and assembly output.  Although this information can be misleading, it&#8217;s worth a try.  We know the faulting module is HelloCrash.exe and the offset is 0x1002.  The map file says<\/p>\n<blockquote><p>\nPreferred load address is <b><font color=\"blue\">00400000<\/font><\/b><br \/>\n&#8230;<\/p>\n<p>Address         Publics by Value              Rva+Base       Lib:Object<\/p>\n<p>0000:00000001       ___safe_se_handler_count   00000001     &lt;absolute&gt;<br \/>\n0000:00000000       ___ImageBase               00400000     &lt;linker-defined&gt;<br \/>\n0001:00000000       _wmain                     <b><font color=\"blue\">00401000<\/font><\/b> f   HelloCrash.obj<br \/>\n0001:00000017       @__security_check_cookie@4 <b><font color=\"blue\">00401017<\/font><\/b> f   MSVCRT:secchk.obj<br \/>\n&#8230;\n<\/p><\/blockquote>\n<p>So it seems that the crash is in the _wmain function (offsets 0x1000 to 0x1016), and the offset within the function is 0x2.  If your project generates an assembly listing, you can find the line almost immediately<\/p>\n<blockquote><p>\n; 9    :     TCHAR* p = NULL;<\/p>\n<p>  00000\t33 c0\t\t xor\t eax, eax<\/p>\n<p>; 10   :     _tprintf(_T(&#8220;Hello, crash: %s\\n&#8221;), *p); \/\/ deref NULL pointer<\/p>\n<p>  <b><font color=\"blue\">00002<\/font><\/b>\t0f b7 00\t movzx\t eax, WORD PTR [eax]\n<\/p><\/blockquote>\n<p>This example is so simple that we can see the NULL pointer dereference directly in the assembly output, and then we can correct the error.<\/p>\n<p>I&#8217;ll discuss some more ways of getting to the crashing point in the coming articles.  
Stay tuned \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to use map file and assembly listing to find the crash point.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,13,2,6],"tags":[],"_links":{"self":[{"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/posts\/138"}],"collection":[{"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/comments?post=138"}],"version-history":[{"count":12,"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/posts\/138\/revisions"}],"predecessor-version":[{"id":150,"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/posts\/138\/revisions\/150"}],"wp:attachment":[{"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/media?parent=138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/categories?post=138"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.cchsu.com\/art-en\/wp-json\/wp\/v2\/tags?post=138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}