Dump Analysis
http://advdbg.org/forums/934/ShowForum.aspx
Looking for clues in dump files, analyzing the causes of failures, tracing back the stories that once happened...
Language: zh-CN
Generator: CommunityServer 1.1 (Build: 2.0.2.21480)

==========================================================================

Asking for help with an app deadlock. ---- Once we have found the problem and have a way to fix it, can we stop there???
http://advdbg.org/forums/6390/ShowPost.aspx
Tue, 23 Sep 2014 06:31:51 GMT
Author: codingLee | Replies: 4

--------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

...
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(e4.bdc): Wake debugger - code 80000007 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000500 edi=00000000
eip=77baf871 esp=0018f19c ebp=0018f208 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!NtWaitForSingleObject+0x15:
77baf871 83c404          add     esp,4
0:000> !locks

CritSec +d60648 at 00d60648
WaiterWoken        No
LockCount          0
RecursionCount     1
OwningThread       bdc
EntryCount         0
ContentionCount    0
*** Locked

CritSec +2d9e8c at 002d9e8c
WaiterWoken        No
LockCount          0
RecursionCount     1
OwningThread       9b8
EntryCount         0
ContentionCount    0
*** Locked

CritSec +322e62c at 0322e62c
WaiterWoken        No
LockCount          0
RecursionCount     1
OwningThread       bb8
EntryCount         0
ContentionCount    0
*** Locked

CritSec +322e644 at 0322e644
WaiterWoken        No
LockCount          1
RecursionCount     1
OwningThread       9b8
EntryCount         0
ContentionCount    1
*** Locked

Scanned 955 critical sections
0:000> ~*kb

Some information omitted.

  13  Id: e4.9b8 Suspend: 1 Teb: 7ef8b000 Unfrozen
ChildEBP RetAddr  Args to Child
0930fcd4 76e80816 000005cc 00000000 00000000 ntdll!NtWaitForSingleObject+0x15
0930fd40 76cf1184 000005cc ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98
0930fd58 76cf1138 000005cc ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75
0930fd6c 03d02db7 000005cc ffffffff 00dc0300 kernel32!WaitForSingleObject+0x12
0930fd8c 03d0574e ffd4a002 0322e5d0 037e56b4 FileWriterFilter!boost::detail::basic_timed_mutex::lock+0x67 [e:\jenkins\workspace\acq-sdk\3rdparty\boost\include\boost_1_54_0\boost\thread\win32\basic_timed_mutex.hpp @ 88]
0930fdac 03d065d1 037e5670 03d2479f ffd4a05a FileWriterFilter!boost::detail::future_object<void>::get_state+0x2e [e:\jenkins\workspace\acq-sdk\3rdparty\boost\include\boost_1_54_0\boost\thread\future.hpp @ 838]
0930fdb4 03d2479f ffd4a05a 037e58b8 0322e5d0 FileWriterFilter!async_worker::is_thread_running+0x21 [e:\jenkins\workspace\acq-sdk\src\utility\async_worker.cpp @ 121]
0930fe00 03d2bc93 037e58b8 037e5670 02f4fb38 FileWriterFilter!MP4Decoder::Transform+0xbf
0930fe18 03d2b61d 037e5670 ffd4a3b2 00000000 FileWriterFilter!CTransformFilter::Receive+0x53
0930fe40 742937fe 0322e644 037e58b8 0930fe84 FileWriterFilter!CTransformInputPin::Receive+0x5d
0930fe50 742a69ee 037e58b8 037e58b8 002da018 qedit!CBaseOutputPin::Deliver+0x22
0930fe84 742e10e8 08fd0000 00000000 002d9b20 qedit!CSampleGrabber::Receive+0x19e
0930fe98 7503e752 002d9e8c 037e58b8 002d9b20 qedit!CTransformInputPin::Receive+0x33
0930feb4 7503e6cc 037e58b8 0387d988 0387bcd0 ksproxy!CKsOutputPin::Deliver+0x37
0930fecc 75058f54 002d9c30 037e58b8 00000115 ksproxy!CKsOutputPin::KsDeliver+0x42
0930ff4c 7503f2f4 002daf94 0387d978 00000003 ksproxy!CStandardInterfaceHandler::KsCompleteIo+0x3fc
0930ff64 7504aaa7 00000000 002db7c8 00000000 ksproxy!CKsOutputPin::OutputPinBufferHandler+0x19
0930ff88 76cf3677 017e6760 0930ffd4 77bc9d72 ksproxy!CAsyncItemHandler::AsyncItemProc+0x1c2
0930ff94 77bc9d72 037e6760 d2abcf63 00000000 kernel32!BaseThreadInitThunk+0xe
0930ffd4 77bc9d45 7504a8e5 037e6760 00000000 ntdll!__RtlUserThreadStart+0x70
0930ffec 00000000 7504a8e5 037e6760 00000000 ntdll!_RtlUserThreadStart+0x1b

Now I know that this thread never returning is what causes the deadlock.

0930fcd4 76e80816 000005cc 00000000 00000000 ntdll!NtWaitForSingleObject+0x15
0930fd40 76cf1184 000005cc ffffffff 00000000 KERNELBASE!WaitForSingleObjectEx+0x98
0930fd58 76cf1138 000005cc ffffffff 00000000 kernel32!WaitForSingleObjectExImplementation+0x75
0930fd6c 03d02db7 000005cc ffffffff 00dc0300 kernel32!WaitForSingleObject+0x12

But I don't know why it is waiting on a lock again at this point. Could someone advise how the analysis should be continued in this situation?

000005cc ffffffff: this address looks wrong to me. Could it be that the memory was freed, and that is what causes this problem?

==========================================================================

How to get the address of the exception record in WinDbg
http://advdbg.org/forums/6788/ShowPost.aspx
Fri, 25 Dec 2015 09:51:13 GMT
Author: zhou xiang | Replies: 1

In WinDbg, ".exr -1" retrieves the exception record of the last exception that occurred.

Now I want to get the address of the exception record from the last exception so I can analyze it.

Which command or method should be used? Experts who know, please advise.

==========================================================================

[Dump analysis] x265 crashing abnormally on Windows 10 x64
http://advdbg.org/forums/6727/ShowPost.aspx
Fri, 09 Oct 2015 18:28:05 GMT
Author: kice | Replies: 2

x265 is an encoder for HEVC, the next-generation video format; both its speed and quality are better than other encoders.

Currently, this version of x265 has no problems on Windows 8 and Windows 7, but on Windows 10 it occasionally crashes. The dump is about 2 GB, and less than 600 MB after compression. It has been uploaded to Baidu Cloud; anyone interested can debug it.

Link: http://pan.baidu.com/s/1c0jqFuS Password: vg92

==========================================================================

Analyzing an lsass dump file with WinDbg
http://advdbg.org/forums/6538/ShowPost.aspx
Fri, 06 Feb 2015 02:06:09 GMT
Author: 梦在远方 | Replies: 2

After creating a dump file of lsass.exe, mimikatz can read the passwords out of it directly. So is it possible to debug the lsass.dmp file directly with WinDbg and read the passwords from it? I don't know whether this idea is feasible, and how would it be done?? Experts, please share your advice.

==========================================================================

Stack backtrace is confusing when analyzing a dump file
http://advdbg.org/forums/6488/ShowPost.aspx
Wed, 07 Jan 2015 14:58:43 GMT
Author: zhaohui2 | Replies: 2

Today, while analyzing a blue-screen dump file, I could not understand the stack backtrace.
The backtrace is as follows:
0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`219207f8 fffff802`05a05f65 : 00000000`0000004c 00000000`c000021a ffffd000`633dd538 ffffe000`15621ed0 : nt!KeBugCheckEx
ffffd000`21920800 fffff802`05a0003a : ffffe000`13c59900 ffffd000`21920919 00000000`00000000 00000000`00000002 : nt!PopGracefulShutdown+0x2c9
ffffd000`21920840 fffff802`057d69b3 : ffffe000`13c59600 fffff802`057b3800 00000000`c0000004 fffff802`056f0200 : nt! ?? ::OKHAJAOM::`string'+0x207a
ffffd000`21920980 fffff802`057cee00 : fffff802`05c1f8e9 00000000`00000001 ffffd000`21920b98 00000000`c0000004 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`21920980)
ffffd000`21920b18 fffff802`05c1f8e9 : 00000000`00000001 ffffd000`21920b98 00000000`c0000004 ffffd000`66eca180 : nt!KiServiceLinkage
ffffd000`21920b20 fffff802`05b52727 : 00000000`00000000 00000000`00000000 ffffd000`66eca180 ffffe000`13c59740 : nt! ?? ::NNGAKEGL::`string'+0x74b99
ffffd000`21920be0 fffff802`0575004a : fffff802`0574ff90 00000000`00000000 00000000`00000002 ffffe000`13c59600 : nt!PopPolicyWorkerAction+0x63
ffffd000`21920c50 fffff802`056eb5e3 : fffff802`00000002 ffffd000`21920d10 00000000`80000000 00000000`00000000 : nt!PopPolicyWorkerThread+0xba
ffffd000`21920c90 fffff802`0577ae70 : ffffe000`10938320 ffffe000`13c59600 ffffe000`13c59600 ffffe000`0ff2d640 : nt!ExpWorkerThread+0x293
ffffd000`21920d40 fffff802`057d17c6 : ffffd000`66eca180 ffffe000`13c59600 ffffe000`1b651040 00000000`00000000 : nt!PspSystemThreadStartup+0x58
ffffd000`21920da0 00000000`00000000 : ffffd000`21921000 ffffd000`2191b000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

Teacher Zhang, I would like to ask:
what are nt! ?? ::NNGAKEGL::`string'+0x74b99 and nt! ?? ::OKHAJAOM::`string'+0x207a?

==========================================================================

Can the global variable area be overwritten?
http://advdbg.org/forums/6354/ShowPost.aspx
Wed, 13 Aug 2014 05:49:55 GMT
Author: qiliu3 | Replies: 1

If it can be overwritten, can AppVerifier catch who wrote out of bounds, or who wrote to it through a wild pointer?

Thanks!

==========================================================================

Calling CPubINetworkListManager::GetNetworks from wininet causes the program to crash
http://advdbg.org/forums/6169/ShowPost.aspx
Tue, 07 Jan 2014 07:07:24 GMT
Author: troygou | Replies: 5

Calling CPubINetworkListManager::GetNetworks from wininet causes a system crash. Teacher Zhang, what is the cause of this?
Below is the stack information from the exception context.
There are far too many program crashes caused by this; I don't know the reason, and I searched online without finding one. I ask Teacher Zhang for guidance.

0:066> r
Last set context:
eax=0035ebb0 ebx=0854f2d0 ecx=0035ef48 edx=0854f2a0 esi=75879af4 edi=0854f2c0
eip=00000000 esp=0854f284 ebp=0854f2c4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00000000 ??              ???

0:066> k
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0854f280 7587477d 0x0
0854f2c4 75872f59 ole32!AddPartitionID+0x71 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 198]
0854fa90 75879e25 ole32!ICoCreateInstanceEx+0x243 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1218]
0854faf0 75879d86 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343]
0854fb14 75879d3f ole32!CoCreateInstanceEx+0x38 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157]
0854fb44 6ec72505 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110]
0854fb70 6ec733fd netprofm!CPubINetworkListManager::EnsureNLPConnected+0x58
0854fb84 75c215ea netprofm!CPubINetworkListManager::GetNetworks+0x39
0854fc08 75bfafeb wininet+0x1315ea
0854fc2c 75c219e6 wininet+0x10afeb
0854fc4c 75c21c24 wininet+0x1319e6
0854fcb4 75c2a2a0 wininet+0x131c24
0854fd50 75c2e25d wininet+0x13a2a0
0854fda4 75b2dbae wininet+0x13e25d
0854fdb4 76f2d897 wininet+0x3dbae
0854fe28 76f30846 ntdll!RtlpTpWorkCallback+0x11d
0854ff88 769eed5c ntdll!TppWorkerThread+0x572
0854ff94 76f637eb kernel32!BaseThreadInitThunk+0xe
0854ffd4 76f637be ntdll!__RtlUserThreadStart+0x70
0854ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

==========================================================================

Cannot force a blue screen after Windows 8.1 hangs
http://advdbg.org/forums/6337/ShowPost.aspx
Sun, 06 Jul 2014 15:28:07 GMT
Author: 西海拾贝 | Replies: 0

Following what the book 《软件调试》 describes, I set the hotkey for triggering a blue screen in the registry. When the system is running normally, pressing Ctrl plus Scroll Lock twice does force a blue screen...

But when the system has frozen and I want to trigger a blue screen, pressing those two keys does nothing... I can only press the power button to restart. Laptop, Windows 8.1 x64.

==========================================================================

What is ** Pseudo Context ** about?
http://advdbg.org/forums/6318/ShowPost.aspx
Tue, 17 Jun 2014 02:14:55 GMT
Author: qiliu3 | Replies: 0

Using the !analyze -v command, you can see that WinDbg's analysis result is based on:
STACK_COMMAND:  .ecxr ; kb ; .ecxr ; ~~[1f4c] ; .frame 6 ; ** Pseudo Context ** ; kb

We want to step through and look at the result of each command, but when we reach ** Pseudo Context ** we don't know what to do.

How can this command be reproduced?

Thanks!

==========================================================================

A question about forcing a blue screen
http://advdbg.org/forums/6303/ShowPost.aspx
Sun, 01 Jun 2014 13:52:46 GMT
Author: 零一 | Replies: 1

Hello, Teacher Zhang! I would like to ask you: when a laptop has no Scroll Lock key, how can a system crash be forced?
I wanted to use Ctrl+Space to force a blue screen, but after rebooting it still does not work, and I don't know why. Thanks!

The settings are as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\crashdump
Dump1Keys=0x22 (Rightmost CTRL key + Leftmost CTRL key)
Dump2Key=0x3d (use space key)

==========================================================================

Clicking "Computer" Properties, "Resolution", "Control Panel" and similar operations all crash...
http://advdbg.org/forums/6295/ShowPost.aspx
Tue, 27 May 2014 02:13:13 GMT
Author: Memory_code | Replies: 3

Recently a friend's computer developed a problem: as the title says, those clicks all cause explorer to crash~

The stored exception information can be accessed via .ecxr.
(a10.1a00): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=09c0d478 edx=00000000 esi=09b958e8 edi=00000000
eip=75de8436 esp=09eff074 ebp=09eff088 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
shell32!CControlPanelCategoryModuleInner::OnItemsLoaded+0xa8:
75de8436 8b07            mov     eax,dword ptr [edi]  ds:0023:00000000=????????
0:067> kvn
 # ChildEBP RetAddr  Args to Child
00 09eff088 75de83a2 00000000 00000000 00000000 shell32!CControlPanelCategoryModuleInner::OnItemsLoaded+0xa8 (FPO: [Non-Fpo])
01 09eff09c 75e50c46 099ab908 09eff0c0 7408e53a shell32!CControlPanelDataWorkItem::Dispatch+0x21 (FPO: [Non-Fpo])
02 09eff0a8 7408e53a 099ab908 09c0f1d8 09c0f1d8 shell32!CFrameTaskManager::s_DispatchWorkItem+0xe (FPO: [Non-Fpo])
03 09eff0c0 75e50c13 0431a908 75e50c38 09c0f1d8 comctl32!DPA_EnumCallback+0x25 (FPO: [Non-Fpo])
04 09eff0e8 75680450 ffffffff 00000202 00000001 shell32!CFrameTaskManager::DispatchCompletedWorkItems+0xd8 (FPO: [Non-Fpo])
05 09eff100 756e6311 75e50b85 09eff2f0 00000001 rpcrt4!Invoke+0x2a
06 09eff508 7598d7e6 09c1d9d0 0977dfc0 09765e18 rpcrt4!NdrStubCall2+0x2d6
07 09eff550 7598d876 09c1d9d0 09765e18 0977dfc0 ole32!CStdStubBuffer_Invoke+0xb6 (CONV: stdcall) [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1590]
08 09eff598 7598ddd0 09765e18 096a95fc 0964b108 ole32!SyncStubInvoke+0x3c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187]
09 09eff5e4 758a8a43 09765e18 09a57598 09c1d9d0 ole32!StubInvoke+0xb9 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396]
0a 09eff6c0 758a8938 0977dfc0 00000000 09c1d9d0 ole32!CCtxComChnl::ContextInvoke+0xfa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262]
0b 09eff6dc 758a950a 09765e18 00000001 09c1d9d0 ole32!MTAInvoke+0x1a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 2105]
0c 09eff708 7598dccd 09765e18 00000001 09c1d9d0 ole32!STAInvoke+0x46 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 1924]
0d 09eff73c 7598db41 d0908070 0977dfc0 09c1d9d0 ole32!AppInvoke+0xab (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086]
0e 09eff81c 7598e1fd 09765dc0 09653f28 00000000 ole32!ComInvokeWithLockAndIPID+0x372 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1724]
0f 09eff844 758a9367 09765dc0 00000400 096d62f0 ole32!ComInvoke+0xc5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1469]
10 09eff858 758a9326 09765dc0 09eff918 00000400 ole32!ThreadDispatch+0x23 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\chancont.cxx @ 298]
11 09eff89c 7547c4e7 00060174 00000400 0000babe ole32!ThreadWndProc+0x161 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\w7rtm\com\ole32\com\dcomrem\chancont.cxx @ 654]
12 09eff8c8 7547c5e7 758a9286 00060174 00000400 user32!InternalCallWinProc+0x23
13 09eff940 7547cc19 00000000 758a9286 00060174 user32!UserCallWinProcCheckWow+0x14b (FPO: [Non-Fpo])
14 09eff9a0 7547cc70 758a9286 00000000 09eff9f4 user32!DispatchMessageWorker+0x35e (FPO: [Non-Fpo])
15 09eff9b0 6f82c76b 09eff9c8 00000004 00000000 user32!DispatchMessageW+0xf (FPO: [Non-Fpo])
16 09eff9f4 6f830cb3 00000000 00000000 09effa1c EXPLORERFRAME!CExplorerFrame::FrameMessagePump+0x4c3 (FPO: [Non-Fpo])
17 09effa04 6f830f5d 02babe88 75468203 0971d260 EXPLORERFRAME!BrowserThreadProc+0x49 (FPO: [Non-Fpo])
18 09effa1c 6f830f0a 09a30548 0971d260 09effa4c EXPLORERFRAME!BrowserNewThreadProc+0x43 (FPO: [Non-Fpo])
19 09effa2c 6f8008f6 0971d260 01000000 80000000 EXPLORERFRAME!CExplorerTask::InternalResumeRT+0x11 (FPO: [Non-Fpo])
1a 09effa4c 75d862fb 0971d274 7fffffff 09bd3db8 EXPLORERFRAME!CRunnableTask::Run+0xce (FPO: [Non-Fpo])
1b 09effa68 75d88b77 09effaa4 00000000 00000000 shell32!CShellTask::TT_Run+0x167 (FPO: [Non-Fpo])
1c 09effab0 75d88cab 09effb40 771543c0 09bd3db8 shell32!CShellTaskThread::ThreadProc+0xa3 (FPO: [Non-Fpo])
1d 09effab8 771543c0 09bd3db8 00000000 00000000 shell32!CShellTaskThread::s_ThreadProc+0x1b (FPO: [Non-Fpo])
1e 09effb40 75c4ee1c 001ff0d0 09effb8c 770437eb shlwapi!WrapperThreadProc+0x1b5 (FPO: [Non-Fpo])
1f 09effb4c 770437eb 001ff0d0 7ee409ba 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
20 09effb8c 770437be 771542ed 001ff0d0 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
21 09effba4 00000000 771542ed 001ff0d0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

I tried to trace it myself and got lost before long... I found a few GUIDs and looked through the registry for them, but found nothing~

The dump has been uploaded; if Teacher Zhang has some spare time, I hope he can help~

http://pan.baidu.com/s/1jGqm3jg

==========================================================================

The program crashed, but the stack is entirely the system modules mshtml and ole32
http://advdbg.org/forums/6211/ShowPost.aspx
Wed, 05 Mar 2014 02:06:46 GMT
Author: qiliu3 | Replies: 1

Teacher Zhang, the program crashed, but the stack consists entirely of the system files mshtml and ole32. In a case like this, how should I continue looking for clues? Thanks!

0961f618 77d474ff 0961f648 77d473dc 00000000 kernel32!UnhandledExceptionFilter+0x127
0961f620 77d473dc 00000000 0961fba0 77cfc550 ntdll!__RtlUserThreadStart+0x62
0961f634 77d47281 00000000 00000000 00000000 ntdll!_EH4_CallFilterFunc+0x12
0961f65c 77d2b499 fffffffe 0961fb90 0961f798 ntdll!_except_handler4+0x8e
0961f680 77d2b46b 0961f748 0961fb90 0961f798 ntdll!ExecuteHandler2+0x26
0961f6a4 77d2b40e 0961f748 0961fb90 0961f798 ntdll!ExecuteHandler+0x24
0961f730 77ce0133 0061f748 0961f798 0961f748 ntdll!RtlDispatchException+0x127
0961f730 76e4f02d 0061f748 0961f798 0961f748 ntdll!KiUserExceptionDispatcher+0xf
0961fa8c 76f3d6e0 006b7ec8 0961fb38 06cacb00 ole32!GetCurrentComApartment+0x5e [d:\w7rtm\com\ole32\com\dcomrem\aprtmnt.cxx @ 74]
0961faa0 76e161e5 00000000 006949e8 006949e8 ole32!InitChannelIfNecessary+0x10 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1018]
0961fb14 69aa98c6 00000000 000927c0 00000001 ole32!CoWaitForMultipleHandles+0x81 [d:\w7rtm\com\ole32\com\dcomrem\sync.cxx @ 98]
0961fb3c 69b14988 00000000 69920000 0961fb54 mshtml!CDwnTaskExec::ThreadExec+0x11e
0961fb4c 69d6a6f3 0961fb60 76cc336a 006949e8 mshtml!CExecFT::ThreadProc+0x3f
0961fb54 76cc336a 006949e8 0961fba0 77d09f72 mshtml!CExecFT::StaticThreadProc+0xd
0961fb60 77d09f72 006949e8 6581e7f7 00000000 kernel32!BaseThreadInitThunk+0xe
0961fba0 77d09f45 69d6a6e6 006949e8 00000000 ntdll!__RtlUserThreadStart+0x70
0961fbb8 00000000 69d6a6e6 006949e8 00000000 ntdll!_RtlUserThreadStart+0x1b

After switching the context to 0961f798, the stack is the segment below; the !analyze -v result and the stack both match, and it is just this segment:
0961fa8c 76f3d6e0 006b7ec8 0961fb38 06cacb00 ole32!GetCurrentComApartment+0x5e [d:\w7rtm\com\ole32\com\dcomrem\aprtmnt.cxx @ 74]
0961faa0 76e161e5 00000000 006949e8 006949e8 ole32!InitChannelIfNecessary+0x10 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1018]
0961fb14 69aa98c6 00000000 000927c0 00000001 ole32!CoWaitForMultipleHandles+0x81 [d:\w7rtm\com\ole32\com\dcomrem\sync.cxx @ 98]
0961fb3c 69b14988 00000000 69920000 0961fb54 mshtml!CDwnTaskExec::ThreadExec+0x11e
0961fb4c 69d6a6f3 0961fb60 76cc336a 006949e8 mshtml!CExecFT::ThreadProc+0x3f
0961fb54 76cc336a 006949e8 0961fba0 77d09f72 mshtml!CExecFT::StaticThreadProc+0xd
0961fb60 77d09f72 006949e8 6581e7f7 00000000 kernel32!BaseThreadInitThunk+0xe
0961fba0 77d09f45 69d6a6e6 006949e8 00000000 ntdll!__RtlUserThreadStart+0x70
0961fbb8 00000000 69d6a6e6 006949e8 00000000 ntdll!_RtlUserThreadStart+0x1b

==========================================================================

Found a !gle -all command
http://advdbg.org/forums/6209/ShowPost.aspx
Tue, 04 Mar 2014 08:46:41 GMT
Author: qiliu3 | Replies: 1

Today, while reading the e-book Memory_Dump_Analysis_Anthology_Volume_2.pdf, I found that it describes a !gle -all command. I tested it and found that its effect is similar to a complex command I had seen before in Teacher Zhang's 《格蠹汇编》:

~*e ? @$tid;!gle   Here ~* means "for each thread", and e means "execute a series of commands" (without e, only the last command would be executed); taken together, it displays the thread ID and Last Error value for every thread (equivalent to calling the GetLastError() API).

But !gle -all is much more convenient to use than that expression, so I came here specifically to share this small tip.

==========================================================================

Asking Teacher Zhang about something I find curious: GetUrlPageData2 (WinHttp) failed: 12029.
http://advdbg.org/forums/6204/ShowPost.aspx
Thu, 20 Feb 2014 06:21:30 GMT
Author: qiliu3 | Replies: 0

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Unable to load image C:\WINDOWS\system32\ieframe.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ieframe.dll
GetUrlPageData2 (WinHttp) failed: 12029.

FAULTING_IP:
kernel32!UnicodeToUTF8+43
7c821559 668b1f          mov     bx,word ptr [edi]

-----------------------------------------------------------------------------------
GetUrlPageData2 (WinHttp) failed: 12029.
What does this line mean? The program crash has nothing to do with ieframe.

==========================================================================

It clearly isn't our function being called, so how did execution end up inside our module?
http://advdbg.org/forums/6198/ShowPost.aspx
Fri, 14 Feb 2014 07:39:55 GMT
Author: qiliu3 | Replies: 5

WinDbg's analysis result is SOFTWARE_NX_FAULT; I know this is caused by a stack overrun that leads to executing code in a data area.

The stack is as follows:
15b2f03c 559a568f 2ea4344c 2ebb1e80 00000000 0x33c9256c
15b2f078 76b5b57d 2ebb1eb0 15b2f0b0 15b2f0ac XXXXXXXXXX!std::_Tree<std::_Tmap_traits<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,_LoadwayInfo,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > const ,_LoadwayInfo> >,0> >::erase+0x20
// XXXXXXXXXXXX is our own module, and it is also the only entry in this stack that is related to us
15b2f0a4 76b5b4a9 2ebb1e80 2e9c7248 76c77430 ole32!CStdMarshal::ConnectSrvIPIDEntry+0x26 [d:\w7rtm\com\ole32\com\dcomrem\marshal.cxx @ 1989]
15b2f0e4 76b52a18 17f24a5c 00000005 00000000 ole32!CStdMarshal::MarshalServerIPID+0x78 [d:\w7rtm\com\ole32\com\dcomrem\marshal.cxx @ 1146]
15b2f154 753c592c 08e610b0 17f24a40 00000005 ole32!CRemoteUnknown::RemQueryInterface+0x17c [d:\w7rtm\com\ole32\com\dcomrem\remoteu.cxx @ 421]
15b2f180 754405f1 76b528f0 15b2f368 00000006 rpcrt4!Invoke+0x2a
15b2f584 76c6d7e6 08eec8f0 08eee810 17ee6158 rpcrt4!NdrStubCall2+0x2ea
15b2f5cc 76c6d876 08eec8f0 17ee6158 08eee810 ole32!CStdStubBuffer_Invoke+0xb6 [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1590]
15b2f614 76c6ddd0 17ee6158 08e40390 00000000 ole32!SyncStubInvoke+0x3c [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187]
15b2f660 76b88a43 17ee6158 08e94d88 08eec8f0 ole32!StubInvoke+0xb9 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396]
15b2f73c 76b88938 08eee810 00000000 08eec8f0 ole32!CCtxComChnl::ContextInvoke+0xfa [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262]
15b2f758 76c6a44c 17ee6158 00000001 08eec8f0 ole32!MTAInvoke+0x1a [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 2105]
15b2f788 76c6db41 d0908070 08eee810 08eec8f0 ole32!AppInvoke+0xab [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086]
15b2f868 76c6a45c 17ee6100 08eeec20 08e40378 ole32!ComInvokeWithLockAndIPID+0x372 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1724]
15b2f8b4 753c5eba 25b14120 559afb5c 08e40378 ole32!ThreadInvoke+0x302 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4751]
15b2f8ec 753c624c 76c6df76 25b14120 15b2f9d0 rpcrt4!DispatchToStubInCNoAvrf+0x46
15b2f944 753c67f5 00000000 00000000 00000000 rpcrt4!RPC_INTERFACE::DispatchToStubWorker+0x141
15b2f968 753c6796 25b14120 00000000 00000000 rpcrt4!RPC_INTERFACE::DispatchToStub+0x90
15b2f9a4 753c66b1 25b14120 25b14184 00000000 rpcrt4!RPC_INTERFACE::DispatchToStubWithObject+0xbc
15b2f9f0 753c65c3 15b2fa08 00000000 17f249b0 rpcrt4!LRPC_SCALL::DispatchRequest+0x214
15b2fa10 753c6581 25b14068 17f249d8 1800d538 rpcrt4!LRPC_SCALL::QueueOrDispatchCall+0xc7
15b2fa2c 753c6425 17f249b0 08e40378 00000000 rpcrt4!LRPC_SCALL::HandleRequest+0x305
15b2fa5c 753c6398 17f249b0 08626d18 00000000 rpcrt4!LRPC_SASSOCIATION::HandleRequest+0x153
15b2fa90 753c4abf 17f249b0 15b2fad0 08626d18 rpcrt4!LRPC_ADDRESS::HandleRequest+0xc4
15b2fb18 753c49ac 00000000 15b2fb34 753c480f rpcrt4!LRPC_ADDRESS::ProcessIO+0x44c
15b2fb24 753c480f 006cd49c 00000000 15b2fb5c rpcrt4!LrpcServerIoHandler+0x16
15b2fb34 77cb47a6 15b2fba0 006cd49c 085744c0 rpcrt4!LrpcIoComplete+0x16
15b2fb5c 77ca345f 15b2fba0 00000000 00000000 ntdll!TppAlpcpExecuteCallback+0x1c5
15b2fcc4 76d4336a 0069d0b0 15b2fd10 77c89f72 ntdll!TppWorkerThread+0x5a4
15b2fcd0 77c89f72 0069d0b0 5c1fa653 00000000 kernel32!BaseThreadInitThunk+0xe
15b2fd10 77c89f45 77ca3e85 0069d0b0 00000000 ntdll!__RtlUserThreadStart+0x70
15b2fd28 00000000 77ca3e85 0069d0b0 00000000 ntdll!_RtlUserThreadStart+0x1b

Here, XXXXXXXXXX!std::_Tree<std::_Tmap_traits<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,_LoadwayInfo,std::less<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > >,std::allocator<std::pair<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > const ,_LoadwayInfo> >,0> >::erase+0x20 is our own module, but the method that follows, the erase method of some map, is never called anywhere at all.

I disassembled the function containing 76b5b57d, the return address on the XXXXXXX::erase line, as follows:

0:082> u 76b5b57d-0x26 L30
ole32!CStdMarshal::ConnectSrvIPIDEntry [d:\w7rtm\com\ole32\com\dcomrem\marshal.cxx @ 1978]:
76b5b557 8bff            mov     edi,edi
76b5b559 55              push    ebp
76b5b55a 8bec            mov     ebp,esp
76b5b55c 51              push    ecx
76b5b55d 53              push    ebx
76b5b55e 56              push    esi
76b5b55f 8b7508          mov     esi,dword ptr [ebp+8]
76b5b562 57              push    edi
76b5b563 ff750c          push    dword ptr [ebp+0Ch]
76b5b566 8d45fc          lea     eax,[ebp-4]
76b5b569 50              push    eax
76b5b56a 8d4508          lea     eax,[ebp+8]
76b5b56d 50              push    eax
76b5b56e 8d450c          lea     eax,[ebp+0Ch]
76b5b571 50              push    eax
76b5b572 8d4630          lea     eax,[esi+30h]
76b5b575 50              push    eax
76b5b576 8bf9            mov     edi,ecx
76b5b578 e818000000      call    ole32!CStdMarshal::CreateStub (76b5b595)
// From the disassembly, what is clearly being called is this; how could execution have run into the erase of some map in our XXXXXXXX module?
76b5b57d 8bd8            mov     ebx,eax
76b5b57f 85db            test    ebx,ebx
76b5b581 0f8d6e020000    jge     ole32!CStdMarshal::ConnectSrvIPIDEntry+0x2c (76b5b7f5)
76b5b587 5f              pop     edi
76b5b588 5e              pop     esi
76b5b589 8bc3            mov     eax,ebx
76b5b58b 5b              pop     ebx
76b5b58c c9              leave
76b5b58d c20800          ret     8