以
為例:Data Abort: Thread=9352cc9c Proc=90876ea0 'shell32.exe'
AKY=00000005 PC=03f74680(coredll.dll+0x00014680) RA=03257104(aygshell.dll+0x00037104)
BVA=060000e0 FSR=00000007
AKY 是 "Access Key" 這個 value是bitmask,上例 AKY=00000005 ,代表access 這個region 的thread 有 00000001 和 00000004。
配合下面這個table (build map ?)
Name VMBase AccessKey TrustLevel hProcess就是 nk.exe 和 shell32.exe
btstereoappui.exe 0x1A000000 0x00001000 Full 0xB30E2766
connmgr.exe 0x16000000 0x00000400 Full 0x5311091E
cprog.exe 0x1C000000 0x00002000 Full 0xF3030772
device.exe 0x0A000000 0x00000010 Full 0xB3CEC78E
filesys.exe 0x04000000 0x00000002 Full 0x13EEE762
gwes.exe 0x0C000000 0x00000020 Full 0x737A498A
nk.exe 0xC2000000 0x00000001 Full 0x13EFF002
pmsnserver.exe 0x10000000 0x00000080 Full 0x5333CD86
poutlook.exe 0x14000000 0x00000200 Full 0xD308FA02
sddaemon.exe 0x12000000 0x00000100 Full 0x7314C62A
services.exe 0x0E000000 0x00000040 Full 0x7352CFAA
shell.exe 0x08000000 0x00000008 Full 0xD3CD7A82
shell32.exe 0x06000000 0x00000004 Full 0xD352CEDE
srvtrust.exe 0x18000000 0x00000800 Full 0x33105BCA
PC 就是 Program Counter
如果找得報,他會print出該位址的module和 offset coredll.dll+0x00014680
所以去找 coredll的map file,可以找到..
0001:00013638 GetWindowLongW 10014638 f coredll_ALL:twinuser.obj知道是 BeginPaint 這裡有問題。
0001:00013648 BeginPaint 10014648 f coredll_ALL:twinuser.obj
0001:000136cc EndPaint 100146cc f coredll_ALL:twinuser.obj
0001:00013750 GetDC 10014750 f coredll_ALL:twinuser.obj
0001:000137d4 ReleaseDC 100147d4 f coredll_ALL:twinuser.obj
0001:00013858 GetParent 10014858 f coredll_ALL:twinuser.obj
RA 是 Return Address
所以,知道這一篇重要了吧,其他的部份到原文去看看...
沒有留言:
張貼留言