Friday, February 17, 2012

Find COM call’s target process/thread info


Last month, one of my colleagues found his program stuck in an out-of-proc COM call, with no way to tell which process and thread were the target. After taking a dump and trying the siepubext!comcalls extension, the output was:


   0:000> !comcalls
       Thread 0 - STA
   Target Process ID: 24b83444 = 616051780
   Target Thread  ID: 1591da22  (STA - Possible junk values)

Obviously unreasonable output: the extension is old and apparently no longer matches the current ole32 structure layout, so we need another way.


The original call stack is:

   ChildEBP RetAddr  Args to Child              
   0084f054 758e0bdd 00000002 0084f0a4 00000001 ntdll!NtWaitForMultipleObjects+0x15
   0084f0f0 76c21a2c 0084f0a4 0084f118 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100
   0084f138 76b3086a 00000002 fffde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0
   0084f18c 755d2bf1 00000048 0084f1d8 000003e8 user32!RealMsgWaitForMultipleObjectsEx+0x14d
   0084f1b8 755d2d31 0084f1d8 000003e8 0084f1e8 ole32!CCliModalLoop::BlockFn+0xa1
   0084f1e0 756ed2f6 ffffffff 19eab9d0 0ec2c48c ole32!ModalLoop+0x5b
   0084f1fc 756ed098 00000000 0084f304 00000000 ole32!ThreadSendReceive+0x12d
   0084f228 756ecef0 0084f2f0 0eca2670 0084f34c ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x1a7
   0084f308 755d2cba 0eca2670 0084f434 0084f41c ole32!CRpcChannelBuffer::SendReceive2+0xef
   0084f324 755e9aa1 0084f434 0084f41c 0eca2670 ole32!CCliModalLoop::SendReceive+0x1e
   0084f3a0 755e9b24 0eca2670 0084f434 0084f41c ole32!CAptRpcChnl::SendReceive+0x73

The first argument shown for CRpcChannelBuffer::SendReceive2 (0eca2670, the channel buffer object) can be used to find the target process/thread info: dump the object, then follow the pointer stored at offset 0x18.



   0:000> dd 0eca2670
   0eca2670  75607c08 755e92c0 00000003 0000000a
   0eca2680  00000000 00000000 0027a960 0027c340
   0eca2690  0ec2c488 0b4ede60 75606e70 00070005
   0eca26a0  00000000 000024b8 00002c28 00000000
   0eca26b0  75607c08 755e92c0 00000001 00000001
   0eca26c0  00000000 00000000 0027a960 00000000
   0eca26d0  00000000 0b4edf50 75606e70 00070005
   0eca26e0  00000000 000024b8 00002c28 00000000
   0:000> dd 0027a960
   0027a960  0ef674f0 0027a8e0 00003444 000024b8
   0027a970  744021e9 eb1dc45b e6e85a30 79543058

In the second dump, “00003444 000024b8” (at offsets 0x8 and 0xC of the record pointed to by 0eca2670+0x18) are the target process ID (0x3444 = 13380) and thread ID (0x24b8 = 9400). Note that the junk value 24b83444 printed by !comcalls is just these two values read as one dword at the wrong size, which confirms the extension's structure offsets are stale rather than the dump being corrupt.
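The same pointer walk can be done offline on pasted `dd` output, which is handy when you only have the text of a debugging session rather than the dump itself. The following is an added example and not part of the original post: it parses WinDbg `dd` lines into an address-to-dword map, follows the channel buffer object to the target record, and applies a basic plausibility check (Windows process and thread IDs are non-zero multiples of 4). The offsets 0x18, 0x8 and 0xC are the ones observed in this particular 32-bit dump; they are assumptions about this ole32 build, not a documented layout, and may differ on other versions.

```python
import re

# Sample input: constructed from the two dd listings quoted in the post (32-bit dump).
DD_OUTPUT = """\
0:000> dd 0eca2670
0eca2670  75607c08 755e92c0 00000003 0000000a
0eca2680  00000000 00000000 0027a960 0027c340
0eca2690  0ec2c488 0b4ede60 75606e70 00070005
0eca26a0  00000000 000024b8 00002c28 00000000
0:000> dd 0027a960
0027a960  0ef674f0 0027a8e0 00003444 000024b8
0027a970  744021e9 eb1dc45b e6e85a30 79543058
"""

# Offsets observed in this dump (assumptions for this ole32 build, not a documented layout).
CHANNEL_TO_TARGET_PTR = 0x18   # CRpcChannelBuffer object -> pointer to target record
TARGET_PID_OFFSET = 0x8        # target record -> process ID
TARGET_TID_OFFSET = 0xC        # target record -> thread ID

# One dd line: 8-hex-digit address, then one or more 8-hex-digit dwords.
_DD_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")


def parse_dd(text):
    """Convert WinDbg `dd` output into a {address: dword} map (4-byte granularity).

    Prompt/command lines and anything that does not look like a dd row are skipped.
    """
    mem = {}
    for line in text.splitlines():
        m = _DD_LINE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem


def dwo(mem, addr):
    """Read a dword at addr, like WinDbg's dwo(); fail loudly if it was not captured."""
    if addr not in mem:
        raise KeyError(f"address {addr:#010x} is not present in the dd output")
    return mem[addr]


def plausible_id(value):
    """Windows PIDs/TIDs are non-zero multiples of 4; use as a sanity check on what we read."""
    return value != 0 and value % 4 == 0


def find_com_target(mem, channel_buffer):
    """Walk channel buffer -> target record and return (pid, tid) as integers."""
    target = dwo(mem, channel_buffer + CHANNEL_TO_TARGET_PTR)
    pid = dwo(mem, target + TARGET_PID_OFFSET)
    tid = dwo(mem, target + TARGET_TID_OFFSET)
    return pid, tid


if __name__ == "__main__":
    memory = parse_dd(DD_OUTPUT)
    pid, tid = find_com_target(memory, 0x0ECA2670)
    flag = "" if plausible_id(pid) and plausible_id(tid) else "  (suspicious: not multiples of 4)"
    print(f"Target Process ID: {pid:#x} = {pid}{flag}")
    print(f"Target Thread  ID: {tid:#x} = {tid}")
```

Inside the live debugger the same walk is a single command, `dd poi(0eca2670+0x18)+8 L2`, which prints the two dwords directly; the script above is only for when the session text is all you have. The plausibility check would have flagged the 1591da22 thread ID printed by the old extension, since it is not a multiple of 4.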
