Last month, one of my colleagues found his program stuck in an out-of-process COM call without knowing which process and thread it was waiting on. After taking a dump and trying sieextpub!comcalls, the output was:
0:000> !comcalls
Thread 0 - STA
Target Process ID: 24b83444 = 616051780
Target Thread ID: 1591da22 (STA - Possible junk values)
Obviously unreasonable output (0x24b83444 is the two 16-bit values 0x24b8 and 0x3444 read as a single dword, which suggests the extension is reading the structure at the wrong offset or width). Since the extension is too old to trust against this version of ole32, we need another way.
The original call stack is:
ChildEBP RetAddr Args to Child
0084f054 758e0bdd 00000002 0084f0a4 00000001 ntdll!NtWaitForMultipleObjects+0x15
0084f0f0 76c21a2c 0084f0a4 0084f118 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100
0084f138 76b3086a 00000002 fffde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0
0084f18c 755d2bf1 00000048 0084f1d8 000003e8 user32!RealMsgWaitForMultipleObjectsEx+0x14d
0084f1b8 755d2d31 0084f1d8 000003e8 0084f1e8 ole32!CCliModalLoop::BlockFn+0xa1
0084f1e0 756ed2f6 ffffffff 19eab9d0 0ec2c48c ole32!ModalLoop+0x5b
0084f1fc 756ed098 00000000 0084f304 00000000 ole32!ThreadSendReceive+0x12d
0084f228 756ecef0 0084f2f0 0eca2670 0084f34c ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x1a7
0084f308 755d2cba 0eca2670 0084f434 0084f41c ole32!CRpcChannelBuffer::SendReceive2+0xef
0084f324 755e9aa1 0084f434 0084f41c 0eca2670 ole32!CCliModalLoop::SendReceive+0x1e
0084f3a0 755e9b24 0eca2670 0084f434 0084f41c ole32!CAptRpcChnl::SendReceive+0x73
The first argument of CRpcChannelBuffer::SendReceive2 (0eca2670, the CRpcChannelBuffer object itself; its first dword, 75607c08, is a vtable inside ole32) leads to the target process/thread info:
0:000> dd 0eca2670
0eca2670 75607c08 755e92c0 00000003 0000000a
0eca2680 00000000 00000000 0027a960 0027c340
0eca2690 0ec2c488 0b4ede60 75606e70 00070005
0eca26a0 00000000 000024b8 00002c28 00000000
0eca26b0 75607c08 755e92c0 00000001 00000001
0eca26c0 00000000 00000000 0027a960 00000000
0eca26d0 00000000 0b4edf50 75606e70 00070005
0eca26e0 00000000 000024b8 00002c28 00000000
0:000> dd 0027a960
0027a960 0ef674f0 0027a8e0 00003444 000024b8
0027a970 744021e9 eb1dc45b e6e85a30 79543058
The dword at offset 0x18 of the channel object (0027a960) points to the OXID entry for the server apartment, and at offsets 0x8 and 0xC of that entry the values "00003444 000024b8" are the target process ID (0x3444 = 13380) and thread ID (0x24b8 = 9400). These offsets are what this dump shows for this build of ole32; they are not documented, so check that the vtable pointer and the OXID entry look sane before trusting them. With the PID and TID known, a dump of the server process can be taken and thread 0x24b8 inspected to see why the call never returns.
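The same pointer walk, written out as a small script so the structure relationship is explicit and can be re-run against a saved debugger log. This is an added example, not code from the original post: it parses the two dd listings above (copied verbatim as the only memory it knows about), follows the channel object to the OXID entry with the 0x18/0x8/0xC offsets observed in this dump (assumed, not documented), and also shows that the dword the stale !comcalls printed is the TID and PID packed into one 32-bit value.

```python
import re

# The two `dd` listings from the debugger session above, copied from the post.
# They are the only memory the script can read; any other address is an error.
DD_OUTPUT = """
0eca2670 75607c08 755e92c0 00000003 0000000a
0eca2680 00000000 00000000 0027a960 0027c340
0eca2690 0ec2c488 0b4ede60 75606e70 00070005
0eca26a0 00000000 000024b8 00002c28 00000000
0027a960 0ef674f0 0027a8e0 00003444 000024b8
0027a970 744021e9 eb1dc45b e6e85a30 79543058
"""

# Offsets as observed in this 32-bit ole32 dump (assumption: they are not
# documented and may differ between Windows builds).
CHANNEL_OXID_ENTRY_OFFSET = 0x18   # CRpcChannelBuffer -> pointer to OXID entry
OXID_ENTRY_PID_OFFSET = 0x8        # server process id inside the OXID entry
OXID_ENTRY_TID_OFFSET = 0xC        # server thread id inside the OXID entry

# One `dd` line: 8-hex-digit address followed by one to four dwords.
DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})((?:\s+[0-9a-fA-F]{8}){1,4})\s*$")


def parse_dd(text):
    """Turn `dd` output into an {address: dword} map (4 dwords per line)."""
    memory = {}
    for line in text.splitlines():
        m = DD_LINE.match(line)
        if not m:
            continue  # prompt lines, blanks, anything that is not a dd row
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            memory[base + 4 * i] = int(word, 16)
    return memory


def read_dword(memory, addr):
    """Read one aligned dword; fail loudly instead of guessing when the dump is too short."""
    if addr & 3:
        raise ValueError("unaligned dword read at %08x" % addr)
    if addr not in memory:
        raise KeyError("address %08x is not in the captured output; dd more memory" % addr)
    return memory[addr]


def com_call_target(memory, channel_this):
    """Follow CRpcChannelBuffer -> OXID entry -> (pid, tid) for a pending call.

    Returns (oxid_entry_address, pid, tid)."""
    oxid_entry = read_dword(memory, channel_this + CHANNEL_OXID_ENTRY_OFFSET)
    pid = read_dword(memory, oxid_entry + OXID_ENTRY_PID_OFFSET)
    tid = read_dword(memory, oxid_entry + OXID_ENTRY_TID_OFFSET)
    return oxid_entry, pid, tid


def pack_pid_tid(pid, tid):
    """The dword the stale extension printed equals (tid << 16) | pid for this dump."""
    return ((tid & 0xFFFF) << 16) | (pid & 0xFFFF)


def describe_target(memory, channel_this):
    """Human-readable summary in both hex and decimal, as the debugger would show them."""
    entry, pid, tid = com_call_target(memory, channel_this)
    return "OXID entry %08x: target process 0x%x (%d), thread 0x%x (%d)" % (
        entry, pid, pid, tid, tid)


if __name__ == "__main__":
    mem = parse_dd(DD_OUTPUT)
    print(describe_target(mem, 0x0ECA2670))
```

In the debugger itself the same walk is the MASM expression dwo(poi(0eca2670+0x18)+0x8) for the PID and dwo(poi(0eca2670+0x18)+0xc) for the TID, which is quicker than dumping by hand once you know the offsets for the ole32 build in front of you.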