12/08/2008

Dumping NT_TIB

When a thread crashes without any clue at all (e.g. all registers hold invalid values), you can still try to get a stack trace by manually pointing esp/ebp at a probable value inside the stack. For that you need to know the valid stack range. It can be obtained with the following windbg command: dump the NT_TIB structure of the thread (fs:[18h] holds the pointer to the TIB) and check the StackBase and StackLimit fields. Since the x86 stack grows downward, valid stack addresses lie between StackLimit (lowest committed address) and StackBase (one past the top).

0:005> dt -r ntdll!_NT_TIB poi(fs:18h)
   +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
      +0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD
         +0x000 Next : 0x01c3ff2c _EXCEPTION_REGISTRATION_RECORD
         +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
      +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
   +0x004 StackBase : 0x01c40000
   +0x008 StackLimit : 0x01c2c000
   +0x00c SubSystemTib : (null)
   +0x010 FiberData : 0x00001e00
   +0x010 Version : 0x1e00
   +0x014 ArbitraryUserPointer : (null)
   +0x018 Self : 0x7ffd9000 _NT_TIB
      +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
         +0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD
         +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
      +0x004 StackBase : 0x01c40000
      +0x008 StackLimit : 0x01c2c000
      +0x00c SubSystemTib : (null)
      +0x010 FiberData : 0x00001e00
      +0x010 Version : 0x1e00
      +0x014 ArbitraryUserPointer : (null)
      +0x018 Self : 0x7ffd9000 _NT_TIB
         +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
         +0x004 StackBase : 0x01c40000
         +0x008 StackLimit : 0x01c2c000
         +0x00c SubSystemTib : (null)
         +0x010 FiberData : 0x00001e00
         +0x010 Version : 0x1e00
         +0x014 ArbitraryUserPointer : (null)
         +0x018 Self : 0x7ffd9000 _NT_TIB
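As an added example (not part of the original post), a small Python helper that parses the top-level fields of a `dt -r ntdll!_NT_TIB` dump like the one above, derives the committed stack range from StackLimit/StackBase, and checks whether a guessed esp/ebp value is plausible before you feed it to the debugger. The sample text is a constructed excerpt of the dump above.

```python
import re

# Constructed excerpt of the dump above (top-level fields plus a few of
# the nested lines that `dt -r` prints under ExceptionList and Self).
SAMPLE_DT_OUTPUT = """\
   +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
      +0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD
      +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
   +0x004 StackBase : 0x01c40000
   +0x008 StackLimit : 0x01c2c000
   +0x00c SubSystemTib : (null)
   +0x018 Self : 0x7ffd9000 _NT_TIB
      +0x004 StackBase : 0x01c40000
"""

# One `dt` field line: offset, field name, then a hex value or (null).
FIELD_RE = re.compile(r"^\s*\+0x[0-9a-fA-F]+\s+(\w+)\s*:\s*(0x[0-9a-fA-F]+|\(null\))")

def parse_tib(text):
    """Return {field: int or None} for the least-indented lines only, so the
    structures that -r expands underneath are not mistaken for TIB fields."""
    lines = [l for l in text.splitlines() if l.strip()]
    top = min(len(l) - len(l.lstrip()) for l in lines)
    fields = {}
    for line in lines:
        if len(line) - len(line.lstrip()) != top:
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = None if m.group(2) == "(null)" else int(m.group(2), 16)
    return fields

def stack_range(fields):
    """Valid stack addresses are [StackLimit, StackBase): the x86 stack grows down,
    so StackLimit is the lowest committed byte and StackBase is one past the top."""
    limit, base = fields["StackLimit"], fields["StackBase"]
    if not (limit < base and limit % 0x1000 == 0 and base % 0x1000 == 0):
        raise ValueError("StackLimit/StackBase do not describe a page-aligned range")
    return limit, base

def is_plausible_esp(fields, addr):
    """A guessed esp/ebp must lie inside the range and be 4-byte aligned (x86)."""
    limit, base = stack_range(fields)
    return limit <= addr < base and addr % 4 == 0

if __name__ == "__main__":
    lo, hi = stack_range(parse_tib(SAMPLE_DT_OUTPUT))
    print(f"stack: 0x{lo:08x}-0x{hi:08x}, {(hi - lo) // 1024} KB committed")
```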