XP running on a 486 CPU


Dietmar


It seems as if crazy XP reads

00 00 as the hexadecimal representation of the opcode for the instruction add byte ptr [eax], al

in the .DATA section.

Dietmar



Take a look at 7A3B8. I think there should be enough space to test one relocated function. Try an unmodified relocate and see if BSOD. If good, then try the modified one and check.


Posted (edited)

@pappyN4

I succeeded in relocating this crazy function!!!

First, I relocate the RtlInterlockedFlushSList function to the .DATA section.

This works.

Then I zero out the whole place where it was before.

Then I delete the whole crazy function RtlInterlockedPopEntrySList at its original place.

After this, I relocate the function RtlInterlockedPopEntrySList to the place where the Flush function was before.

There I copy and paste this crazy function with WinHex, and set all calls by hand to this place.

And voila, with this small setting (relocation) in front of the old crazy function,

now I have after it in the .TEXT section enough place for the mod :)

Dietmar

Edited by Dietmar

4 minutes ago, Dietmar said:

Can this be used to put 32 bytes of free space directly after EACH function of NTDLL.DLL with cmpxchg8b in it?

@Dietmar I do not know. I think it would change the position of all code below, and maybe make things messy if the file expects things to be in a specific location.

I think the simplest would be to replace cmpxchg8b with a jump to a new code cave, then jump back.

https://ufile.io/hubab5t2



@pappyN4

I don't know how to do this, because for example when I add "Cli" most of the function is "new".

Dietmar

For the pop function:

53 55 8B E9 8B 55 04 8B 45 00 0B C0 74 0C 8D 4A FF 8B 18 F0 0F C7 4D 00 75 F0 5D 5B C3   ==>

53 55 FA 8B E9 8B 55 04 8B 45 00 0B C0 74 18 8D 4A FF 8B 18 F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 FB 5D 5B C3


Posted (edited)

I found out that this emulation fails for the crazy function. When I add Cli and Sti, winlogon fails on Cli.

Everything with relocation works now for me.

Emulation of RtlInterlockedPopEntrySList crashes winlogon.exe; I can see the mouse pointer.

Dietmar

EDIT: With ntdll!RtlpInterlockedFlushSList all is correct; it is shown here because I changed places with ntdll!RtlInterlockedPopEntrySList, so WinDbg shows the wrong message.

*** An Access Violation occurred in winlogon.exe:

The instruction at 00000000 tried to read from a NULL pointer

 *** enter .exr 0006F964 for the exception record
 ***  enter .cxr 0006F980 for the context
 *** then kb to get the faulting stack

Break instruction exception - code 80000003 (first chance)
NTDLL!DbgBreakPoint:
001b:7c91120e cc              int     3
kd> .exr 0006F964
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
kd> cxr 0006F980
Couldn't resolve error at 'xr 0006F980'
kd> kb
ChildEBP RetAddr  Args to Child              
0006f568 7c9752ae 00000000 7c885780 010304fd NTDLL!DbgBreakPoint
0006f5a8 7c9759c1 0006f870 7c9759c6 0006f828 NTDLL!RtlUnhandledExceptionFilter2+0x27b
0006f5b8 7c864031 0006f870 c0000005 00261e90 NTDLL!RtlUnhandledExceptionFilter+0x12
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006f878 7c9132a8 0006f964 0006ffe4 0006f980 0x7c864031
0006f89c 7c91327a 0006f964 0006ffe4 0006f980 NTDLL!ExecuteHandler2+0x26
0006f94c 7c91e46a 00000000 0006f980 0006f964 NTDLL!ExecuteHandler+0x24
0006f94c 00000000 00000000 0006f980 0006f964 NTDLL!KiUserExceptionDispatcher+0xe
0006fc48 7c943c9f 7c98b4a0 00000000 00000000 0x0
7c98c950 00000000 00000000 00000000 00000000 NTDLL!RtlInterlockedPopEntrySList+0x1c
kd> !analyze -v
Connected to Windows XP 2600 x86 compatible target at (Sat Apr  6 17:06:47.531 2024 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
.................
Loading User Symbols
.........................
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Module load completed but symbols could not be loaded for winlogon.exe
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ULONG64                                       ***
***                                                                   ***
*************************************************************************

FAULTING_IP: 
+368b8e80368b908
001b:00000000 ??              ???

EXCEPTION_RECORD:  0006f964 -- (.exr 0x6f964)
.exr 0x6f964
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT:  0006f980 -- (.cxr 0x6f980;r)
.cxr 0x6f980;r
eax=00000000 ebx=0006fc78 ecx=7c98c950 edx=00000000 esi=00000000 edi=00000000
eip=00000000 esp=0006fc4c ebp=7c98c950 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
001b:00000000 ??              ???
Last set context:
eax=00000000 ebx=0006fc78 ecx=7c98c950 edx=00000000 esi=00000000 edi=00000000
eip=00000000 esp=0006fc4c ebp=7c98c950 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
001b:00000000 ??              ???
.cxr
Resetting default scope

ERROR_CODE: (NTSTATUS) 0x80000003 - {AUSNAHME}  Haltepunkt  Im Quellprogramm wurde ein Haltepunkt erreicht.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Mindestens ein Argument ist ungültig.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  7c975938

EXCEPTION_PARAMETER3:  00000028

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CHKIMG_EXTENSION: !chkimg -lo 50 -d !ntdll
!chkimg -lo 50 -d !ntdll
    7c912a6e-7c912a6f  2 bytes - ntdll!RtlpInterlockedFlushSList+2

	[ 33 db:8b e9 ]
    7c912a71-7c912a9e  46 bytes - ntdll!RtlpInterlockedFlushSList+5 (+0x03)

	[ e9 8b 55 04 8b 45 00 0b:55 04 8b 45 00 0b c0 74 ]
    7c912aa0-7c912aa4  5 bytes - ntdll!ExpInterlockedPopEntrySListEnd+1 (+0x2f)

	[ 0f c7 4d 00 75:90 90 90 90 90 ]
    7c912aa6-7c912aaf  10 bytes - ntdll!ExpInterlockedPopEntrySListEnd+7 (+0x06)

	[ 5d 5b c3 8d 49 00 8f 04:90 90 90 90 90 90 90 90 ]
    7c913420-7c913421  2 bytes - ntdll!$$VProc_ImageExportDirectory+20 (+0x97a)

	[ b4 48:fa 52 ]
    7c913424-7c913425  2 bytes - ntdll!$$VProc_ImageExportDirectory+24 (+0x04)

	[ 40 5d:b4 48 ]
    7c913e64-7c913e66  3 bytes - ntdll!$$VProc_ImageExportDirectory+a64 (+0xa40)

	[ b5 2e 06:6c ba 07 ]
    7c916000-7c916011  18 bytes - ntdll!$$VProc_ImageExportDirectory+2c00 (+0x219c)

	[ 67 01 68 01 69 01 6a 01:00 00 ff ae 00 00 1b af ]
    7c916013-7c9160a9  151 bytes - ntdll!$$VProc_ImageExportDirectory+2c13 (+0x13)

	[ 01 71 01 72 01 73 01 74:af 00 00 93 af 00 00 ad ]
    7c9160ab-7c9160b0  6 bytes - ntdll!$$VProc_ImageExportDirectory+2cab (+0x98)

	[ 01 bc 01 bd 01 01:b2 00 00 c7 b2 00 ]
    7c9160b2-7c9160bc  11 bytes - ntdll!$$VProc_ImageExportDirectory+2cb2 (+0x07)

	[ be 01 bf 01 c0 01 c1 01:d5 b2 00 00 f1 b2 00 00 ]
    7c9160be-7c916137  122 bytes - ntdll!$$VProc_ImageExportDirectory+2cbe (+0x0c)

	[ c3 01 c4 01 c5 01 c6 01:1e b3 00 00 3a b3 00 00 ]
    7c916139-7c91625c  292 bytes - ntdll!$$VProc_ImageExportDirectory+2d39 (+0x7b)

	[ 02 01 02 02 02 03 02 04:00 fd b5 00 00 15 b6 00 ]
    7c91625e-7c9163c0  355 bytes - ntdll!$$VProc_ImageExportDirectory+2e5e (+0x125)

	[ 92 02 93 02 94 02 95 02:20 bb 00 00 3c bb 00 00 ]
    7c9163c2-7c9163c5  4 bytes - ntdll!$$VProc_ImageExportDirectory+2fc2 (+0x164)

	[ 05 00 44 03:2c c2 00 00 ]
    7c9163c7-7c916441  123 bytes - ntdll!$$VProc_ImageExportDirectory+2fc7 (+0x05)

	[ 03 45 03 46 03 47 03 48:c2 00 00 53 c2 00 00 68 ]
    7c916443-7c91653f  253 bytes - ntdll!$$VProc_ImageExportDirectory+3043 (+0x7c)

	[ 03 82 03 83 03 84 03 85:c4 00 00 8b c4 00 00 97 ]
    7c916541-7c91673f  511 bytes - ntdll!$$VProc_ImageExportDirectory+3141 (+0xfe)

	[ 04 01 04 02 04 03 04 04:00 5e c9 00 00 77 c9 00 ]
    7c916741-7c916785  69 bytes - ntdll!$$VProc_ImageExportDirectory+3341 (+0x200)

	[ 05 01 05 02 05 03 05 04:00 be cd 00 00 c7 cd 00 ]
    7c9201ea - ntdll!RtlpAllocateFromHeapLookaside+19 (+0x9aa9)

	[ 9e:7e ]
    7c943c9b - ntdll!RtlInterlockedPopEntrySList+18 (+0x23ab1)

	[ ed:cd ]
    7c95e8e2 - ntdll!RtlpLowFragHeapAlloc+436 (+0x1ac47)

	[ a6:86 ]
1988 errors : !ntdll (7c912a6e-7c95e8e2)

APP:  winlogon.exe

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

READ_ADDRESS:  00000000 

FOLLOWUP_IP: 
+368b8e80368b908
001b:00000000 ??              ???

FAILED_INSTRUCTION_ADDRESS: 
+368b8e80368b908
001b:00000000 ??              ???

FAULTING_THREAD:  00000001

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 7c943c9f to 00000000

BUGCHECK_STR:  APPLICATION_FAULT_MEMORY_CORRUPTION_LARGE

PRIMARY_PROBLEM_CLASS:  MEMORY_CORRUPTION_LARGE

DEFAULT_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

STACK_TEXT:  
00000000 00000000 memory_corruption!ntdll+0x0


POSSIBLE_INVALID_CONTROL_TRANSFER:  from 7c943c9a to 7c912a6c

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  memory_corruption!ntdll

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  ** Pseudo Context ** ; kb

BUCKET_ID:  CPU_CALL_ERROR

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE_80000003_memory_corruption!ntdll

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:memory_corruption_large_80000003_memory_corruption!ntdll

FAILURE_ID_HASH:  {2c85946d-85e8-c8a7-3c74-93e684cc96ed}

Followup: MachineOwner
---------
 *** Possible invalid call from 7c943c9a ( ntdll!RtlInterlockedPopEntrySList+0x17 )
 *** Expected target 7c912a6c ( ntdll!RtlpInterlockedFlushSList+0x0 )


Edited by Dietmar

ExInterlockedPopEntrySList does not load properly for me in IDA, I can't see the graph view, so this comment is using your ExInterlockedFlushSList as an example:

The goal is to replace 0F C7 4D 00 "cmpxchg8b qword ptr [ebp+0]" with your "cmpxchg_486 ptr [ebp+0]".

Assuming that 4 bytes is not enough space for a jump, it needs to steal space from the previous code "mov cx,bx" 66 8B CB.

So the existing code is replaced with a jump to the new location, and NOPs for the rest.   66 8B CB   0F C7 4D 00 ->  E8 xx xx xx xx 90 90

Then in the new location add the stolen code, then whatever your code is for cmpxchg_486, then return.  66 8B CB xx xx xx xx xx xx xx xx C3

[attachment: Ex-Interlocked-Flush-SList-nottested.png]

Or a working example for a different DLL, if it makes it more clear: https://postlmg.cc/Lq8XdxSf

Edited by pappyN4

3 hours ago, Dietmar said:

@pappyN4

I don't know how to do this, because for example when I add "Cli" most of the function is "new".

53 55 8B E9 8B 55 04 8B 45 00 0B C0 74 0C 8D 4A FF 8B 18 F0 0F C7 4D 00 75 F0 5D 5B C3   ==>

E8 xx xx xx xx 90 90 ........ 90 90 C3 at original location

CodeCave   53 55 FA 8B E9 8B 55 04 8B 45 00 0B C0 74 18 8D 4A FF 8B 18 F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 FB 5D 5B C3

If more change is needed for the original function to work properly and a simple replacement of cmpxchg8b with cmpxchg_486 is not enough, then I guess you are stuck moving the entire function and NOPing the old location. That is a lot more bytes changed compared to a simple replacement.

I do not follow the assembly code logic for cmpxchg_486, so I trust it is up to you whether the simple change is good, or if more needs to change and a total replacement is needed to work properly.

I do not trust any code in .DATA. From quick research, executable code is supposed to be in .TEXT.

Edited by pappyN4

@pappyN4

I make a new try with your idea. Because cmpxchg8b appears 5 times in NTDLL.DLL,

I reserve 64 bytes for each of their mods. So the 512 bytes are enough.

To understand everything, I use at the beginning the original ntoskrnl.exe.

And I try first to emulate only one function in NTDLL.DLL, only the part of RtlInterlockedPopEntrySList with cmpxchg8b,

.text:7C912A8C sub_7C912A8C    proc near.

This is the craziest function; when this is done, the rest is easy.

Dietmar


Posted (edited)

@pappyN4

First I put the whole crazy function at this place and 90 90.. out its old place.

And voila, this relocation works, just until now only with the original function :),

Dietmar

.text:7C9C6000
.text:7C9C6000 ; =============== S U B R O U T I N E =======================================
.text:7C9C6000
.text:7C9C6000
.text:7C9C6000 sub_7C9C6000    proc near               ; CODE XREF: sub_7C9201D1+18p
.text:7C9C6000                                         ; RtlInterlockedPopEntrySList+17p ...
.text:7C9C6000                 push    ebx
.text:7C9C6001                 push    ebp
.text:7C9C6002                 mov     ebp, ecx
.text:7C9C6004                 mov     edx, [ebp+4]
.text:7C9C6007                 mov     eax, [ebp+0]
.text:7C9C600A
.text:7C9C600A loc_7C9C600A:                           ; CODE XREF: sub_7C9C6000+18j
.text:7C9C600A                 or      eax, eax
.text:7C9C600C                 jz      short loc_7C9C601A
.text:7C9C600E                 lea     ecx, [edx-1]
.text:7C9C6011                 mov     ebx, [eax]
.text:7C9C6013                 lock cmpxchg8b qword ptr [ebp+0]
.text:7C9C6018                 jnz     short loc_7C9C600A
.text:7C9C601A
.text:7C9C601A loc_7C9C601A:                           ; CODE XREF: sub_7C9C6000+Cj
.text:7C9C601A                 pop     ebp
.text:7C9C601B                 pop     ebx
.text:7C9C601C                 nop
.text:7C9C601D                 nop
.text:7C9C601E                 nop
.text:7C9C601F                 retn
.text:7C9C601F sub_7C9C6000    endp
.text:7C9C601F
.text:7C9C601F ; ---------------------------------------------------------------------------


Edited by Dietmar

But the emulator for this crazy function, just now also with Cli, Sti, is not good enough until now.

Here we have the log of WinDbg:

Dietmar

Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPoint:
804e3586 cc              int     3
kd> g


 *** Unhandled exception 0xc0000096, hit in winlogon.exe:

 *** enter .exr 0006F964 for the exception record
 ***  enter .cxr 0006F978 for the context
 *** then kb to get the faulting stack

Break instruction exception - code 80000003 (first chance)
NTDLL!`string'+0x12:
001b:7c91120e cc              int     3
kd> .exr 0006F964
ExceptionAddress: 7c9c6002 (NTDLL!BaseStaticServerData <PERF> (NTDLL+0xb6002))
   ExceptionCode: c0000096
  ExceptionFlags: 00000000
NumberParameters: 0
kd> .cxr 0006F978
eax=7c95d8ec ebx=00000000 ecx=7c98c950 edx=00000000 esi=00000000 edi=00000000
eip=7c9c6002 esp=0006fc44 ebp=0006fc78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
NTDLL!BaseStaticServerData <PERF> (NTDLL+0xb6002):
001b:7c9c6002 fa              cli
kd> kb
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child              
0006fc78 7c943c6c 7c98c950 7c98b4a0 00000000 NTDLL!BaseStaticServerData <PERF> (NTDLL+0xb6002)
0006fc90 7c944676 7c885858 7c885854 00000000 NTDLL!_ValidateEH3RN+0x11e
0006fcb0 7c93dbde 7c885854 00000000 0006fce0 NTDLL!LdrpAccessResourceData+0x58
0006fcc0 7c82cbd2 7c885770 7c80b731 000725a4 NTDLL!RtlpGetAssemblyStorageMapRootLocation+0x1c8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006fd14 7c92b00a 7c91d04c 7c91e43f 00000000 0x7c82cbd2
0006fd18 7c91d04c 7c91e43f 00000000 00000001 NTDLL!LdrpInitializeProcess+0x136e
7c92b00a ffff9090 0000ffff f1580000 00007c94 NTDLL!RtlpCheckRelativeDrive+0x10a
7c92b012 f1580000 00007c94 f0f60000 f10c7c94 0xffff9090
7c92b016 00000000 f0f60000 f10c7c94 90907c94 0xf1580000
kd> !analyze -v
Connected to Windows XP 2600 x86 compatible target at (Sat Apr  6 21:16:27.406 2024 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
.................
Loading User Symbols
.........................
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Module load completed but symbols could not be loaded for winlogon.exe
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ULONG64                                       ***
***                                                                   ***
*************************************************************************

FAULTING_IP: 
ntdll!`string'+12
001b:7c91120e cc              int     3

EXCEPTION_RECORD:  0006f964 -- (.exr 0x6f964)
ExceptionAddress: 7c9c6002 (ntdll!BaseStaticServerData <PERF> (ntdll+0xb6002))
   ExceptionCode: c0000096
  ExceptionFlags: 00000000
NumberParameters: 0

CONTEXT:  0006f978 -- (.cxr 0x6f978;r)
eax=7c95d8ec ebx=00000000 ecx=7c98c950 edx=00000000 esi=00000000 edi=00000000
eip=7c9c6002 esp=0006fc44 ebp=0006fc78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!BaseStaticServerData <PERF> (ntdll+0xb6002):
001b:7c9c6002 fa              cli
Last set context:
eax=7c95d8ec ebx=00000000 ecx=7c98c950 edx=00000000 esi=00000000 edi=00000000
eip=7c9c6002 esp=0006fc44 ebp=0006fc78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!BaseStaticServerData <PERF> (ntdll+0xb6002):
001b:7c9c6002 fa              cli
Resetting default scope

ERROR_CODE: (NTSTATUS) 0x80000003 - {AUSNAHME}  Haltepunkt  Im Quellprogramm wurde ein Haltepunkt erreicht.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Mindestens ein Argument ist ungültig.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  7c975938

EXCEPTION_PARAMETER3:  00000028

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  winlogon.exe

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

FAULTING_THREAD:  00000001

PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT

BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT

LAST_CONTROL_TRANSFER:  from 7c943c6c to 7c9c6002

STACK_TEXT:  
0006fc78 7c943c6c 7c98c950 7c98b4a0 00000000 ntdll!BaseStaticServerData <PERF> (ntdll+0xb6002)
0006fc90 7c944676 7c885858 7c885854 00000000 ntdll!_ValidateEH3RN+0x11e
0006fcb0 7c93dbde 7c885854 00000000 0006fce0 ntdll!LdrpAccessResourceData+0x58
0006fcc0 7c82cbd2 7c885770 7c80b731 000725a4 ntdll!RtlpGetAssemblyStorageMapRootLocation+0x1c8
0006fce0 7c82b26f 0006ff50 01031700 00000000 kernel32!BasepCreateDefaultTimerQueue+0x66
0006fce8 01031700 00000000 01030ed0 00000000 kernel32!SetTimerQueueTimer+0x19
WARNING: Stack unwind information not available. Following frames may be wrong.
0006ff50 0103e75e 01000000 00000000 000725a4 winlogon+0x31700
0006fff4 00000000 7ffdd000 000000c8 00000129 winlogon+0x3e75e


FOLLOWUP_IP: 
winlogon+31700
001b:01031700 56              push    esi

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  winlogon+31700

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: winlogon

IMAGE_NAME:  winlogon.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  48027549

STACK_COMMAND:  .cxr 0x6f978 ; kb

FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_winlogon.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STATUS_BREAKPOINT_winlogon+31700

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:status_breakpoint_80000003_winlogon.exe!unknown

FAILURE_ID_HASH:  {f71cf305-2a12-4f5c-c480-6ae6676460a2}

Followup: MachineOwner
---------


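Added example, not code from the thread: a small Python decoder for just the opcodes that appear in the two byte strings Dietmar posted (the original RtlInterlockedPopEntrySList body and the 486 version that replaces cmpxchg8b with two cmpxchg under cli/sti) and in pappyN4's code-cave note. It resolves the rel8 branch targets so the patched control flow can be checked by eye or by test, and flags any exit path that jumps past the sti; cli and sti are privileged below IOPL 3, which is why ring-3 winlogon.exe faults with 0xC0000096 at the cli in the log above.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SIMPLE = {0x50: "push eax", 0x53: "push ebx", 0x55: "push ebp",
          0x58: "pop eax", 0x5B: "pop ebx", 0x5D: "pop ebp",
          0x90: "nop", 0xC3: "ret", 0xFA: "cli", 0xFB: "sti"}

# Byte strings copied from the thread: the original RtlInterlockedPopEntrySList
# body and the 486 variant with cmpxchg8b replaced by two cmpxchg under cli/sti.
# cli/sti need IOPL 3; in a ring-3 process they raise #GP (STATUS 0xC0000096).
ORIGINAL = ("53 55 8B E9 8B 55 04 8B 45 00 0B C0 74 0C 8D 4A FF 8B 18 "
            "F0 0F C7 4D 00 75 F0 5D 5B C3")
PATCHED = ("53 55 FA 8B E9 8B 55 04 8B 45 00 0B C0 74 18 8D 4A FF 8B 18 "
           "F0 0F B1 5D 00 75 F0 50 8B C2 F0 0F B1 4D 04 58 75 F5 FB 5D 5B C3")


def modrm(code, i):
    """Decode the ModRM byte at code[i] -> (reg, operand_text, next_index).
    Register-direct and [base+disp] forms only (no SIB), which is all the
    SList routine uses; anything else raises so nothing is guessed."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:
        return reg, REG32[rm], i + 1
    if rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("SIB / absolute forms not supported at offset %d" % i)
    if mod == 0:
        return reg, "[%s]" % REG32[rm], i + 1
    if mod == 1:
        disp = struct.unpack_from("<b", code, i + 1)[0]
        return reg, "[%s%+d]" % (REG32[rm], disp), i + 2
    disp = struct.unpack_from("<i", code, i + 1)[0]
    return reg, "[%s%+d]" % (REG32[rm], disp), i + 5


def decode(hexstr):
    """Return [(offset, text), ...] for a hex byte string. Branch text carries
    the resolved byte offset of its target within the block."""
    code = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(code):
        start, prefix, op = i, "", code[i]
        if op == 0xF0:                       # lock prefix
            prefix, i = "lock ", i + 1
            op = code[i]
        if op in SIMPLE:
            text, i = SIMPLE[op], i + 1
        elif op in (0x74, 0x75):             # jz / jnz rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            text, i = "%s %d" % ("jz" if op == 0x74 else "jnz", i + 2 + rel), i + 2
        elif op in (0x0B, 0x8B, 0x8D):       # or / mov / lea r32, r/m32
            reg, rm, i = modrm(code, i + 1)
            text = "%s %s, %s" % ({0x0B: "or", 0x8B: "mov", 0x8D: "lea"}[op], REG32[reg], rm)
        elif op == 0x0F:                     # two-byte opcodes used here
            op2 = code[i + 1]
            reg, rm, i = modrm(code, i + 2)
            if op2 == 0xB1:
                text = "cmpxchg %s, %s" % (rm, REG32[reg])
            elif op2 == 0xC7 and reg == 1:
                text = "cmpxchg8b qword ptr %s" % rm
            else:
                raise ValueError("unsupported 0F %02X at offset %d" % (op2, start))
        else:
            raise ValueError("unsupported opcode %02X at offset %d" % (op, start))
        out.append((start, prefix + text))
    return out


def jumps_past_sti(listing):
    """Offsets of branches that land beyond the sti: exit paths that would
    leave interrupts disabled if the cli had succeeded. [] if there is no cli."""
    if "cli" not in dict(listing).values():
        return []
    sti = [o for o, t in listing if t == "sti"]
    if not sti:
        return [o for o, t in listing if t.startswith("j")]
    return [o for o, t in listing if t.startswith("j") and int(t.split()[1]) > sti[0]]


if __name__ == "__main__":
    for name, hexstr in (("original", ORIGINAL), ("486 patch", PATCHED)):
        listing = decode(hexstr)
        print("--", name)
        for off, text in listing:
            print("%3d  %s" % (off, text))
        print("branches skipping sti:", jumps_past_sti(listing))
```

In the patched bytes the jz at offset 13 was retargeted to the pop ebp at 39, one byte past the sti at 38, so the empty-list path would never re-enable interrupts even on a CPU where the cli were allowed.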
