How to resolve code line from Mbed crash dump on Windows 10? - windows

Some Mbed code is throwing the crash dump below, and I wish to find the source line corresponding to the given PC. I'm on Windows, though, so the simple "addr2line" is not available. I tried addr2line in the Ubuntu shell on Windows, but it gives ??:?
What is the best tool on Windows 10 to perform address-to-line resolution from an ARM ELF?
++ MbedOS Fault Handler ++
FaultType: HardFault
Context:
R0: 0
R1: 2000A0C8
R2: 1
R3: 14
R4: 20007854
R5: 2000A0
R6: 68
R7: 0
R8: 0
R9: 0
R10: 0
R11: 0
R12: 29FC1
SP : 2000A8B8
LR : 2C007
PC : 2000A0C8
xPSR : 0
PSP : 2000A898
MSP : 2003FFC0
CPUID: 410FC241
HFSR : 40000000
MMFSR: 0
BFSR : 0
UFSR : 2
DFSR : 0
AFSR : 0
Mode : Thread
Priv : Privileged
Stack: PSP
-- MbedOS Fault Handler --
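
Read against the ARMv7-M fault status registers, the dump above already explains the ??:?. HFSR = 40000000 sets only FORCED, meaning a configurable fault was escalated to HardFault, and UFSR = 2 sets only INVSTATE, the usage fault raised when the core tries to execute at an address whose Thumb bit is clear (the stacked xPSR of 0 has the T bit, bit 24, clear as well). The stacked PC, 2000A0C8, is even, equals R1, and lies in the SRAM region (20000000 to 3FFFFFFF), which no code section of the ELF covers unless code was deliberately linked into RAM, so addr2line has no line-table entry for it on any platform, not only on Windows. The address that does resolve is LR = 2C007: Thumb bit set, return address 2C006 in the Code region, and 2C005, one byte below the return address, falls inside the calling instruction whatever its width, which is what you want addr2line to map to the call site. A PC in RAM reached through a register is typically the result of a corrupted function pointer or return address rather than a bug on the line the call site points at, so that line is where the investigation starts, not where it ends; what wrote 2000A0C8 into R1 cannot be told from the dump alone.

The script below is an added example, not code from the question or from any answer on this page. It parses the dump, decodes the fault bits, classifies each address by memory region and prints the addr2line invocations to run. It assumes the GNU Arm Embedded Toolchain for Windows, whose arm-none-eabi-addr2line.exe does the job natively, and uses app.elf as a placeholder for the firmware's ELF built with debug info:

```python
# Added example, not from the question or from any answer on this page: decode
# the Mbed OS fault dump above and work out which addresses addr2line can
# actually resolve. Register bit names follow the ARMv7-M Architecture
# Reference Manual; the toolchain name and app.elf are assumptions.
import re

# ARMv7-M system address map: the same for every Cortex-M part.
REGIONS = [
    (0x00000000, 0x1FFFFFFF, "Code"),        # flash/ROM, where the ELF's .text is linked
    (0x20000000, 0x3FFFFFFF, "SRAM"),
    (0x40000000, 0x5FFFFFFF, "Peripheral"),
    (0x60000000, 0x9FFFFFFF, "External RAM"),
    (0xA0000000, 0xDFFFFFFF, "External device"),
    (0xE0000000, 0xE00FFFFF, "Private peripheral bus"),
    (0xE0100000, 0xFFFFFFFF, "Vendor-specific"),
]

HFSR_BITS = {31: "DEBUGEVT", 30: "FORCED", 1: "VECTTBL"}
UFSR_BITS = {9: "DIVBYZERO", 8: "UNALIGNED", 3: "NOCP", 2: "INVPC", 1: "INVSTATE", 0: "UNDEFINSTR"}
BFSR_BITS = {7: "BFARVALID", 5: "LSPERR", 4: "STKERR", 3: "UNSTKERR", 2: "IMPRECISERR", 1: "PRECISERR", 0: "IBUSERR"}
MMFSR_BITS = {7: "MMARVALID", 5: "MLSPERR", 4: "MSTKERR", 3: "MUNSTKERR", 1: "DACCVIOL", 0: "IACCVIOL"}

# The dump from the question, abridged to the registers used below.
DUMP = """\
++ MbedOS Fault Handler ++
FaultType: HardFault
Context:
R1: 2000A0C8
SP : 2000A8B8
LR : 2C007
PC : 2000A0C8
xPSR : 0
CPUID: 410FC241
HFSR : 40000000
MMFSR: 0
BFSR : 0
UFSR : 2
Mode : Thread
Stack: PSP
-- MbedOS Fault Handler --
"""

def parse_dump(text):
    """Map register names to integers; fields whose value is not hex (FaultType, Mode, Stack) are skipped."""
    regs = {}
    for m in re.finditer(r"^\s*([A-Za-z0-9]+)\s*:\s*([0-9A-Fa-f]+)\s*$", text, re.M):
        regs[m.group(1).upper()] = int(m.group(2), 16)
    return regs

def decode_bits(value, table):
    return [name for bit, name in table.items() if (value >> bit) & 1]

def region_of(addr):
    for lo, hi, name in REGIONS:
        if lo <= addr <= hi:
            return name
    return "unknown"

def addr2line_targets(regs):
    """(label, address, region) triples with the Thumb bit cleared.

    addr2line only answers for addresses inside the ELF's loaded sections, so a
    PC in SRAM (unless code was deliberately linked there) is the "??:?" case.
    """
    pc = regs["PC"] & ~1
    ret = regs["LR"] & ~1   # after BL/BLX, LR = return address | 1 (Thumb bit)
    call = ret - 1          # lands inside the calling instruction whatever its width
    return [
        ("PC", pc, region_of(pc)),
        ("LR return address", ret, region_of(ret)),
        ("LR call site", call, region_of(call)),
    ]

def analyse(text):
    regs = parse_dump(text)
    return {
        "hfsr": decode_bits(regs.get("HFSR", 0), HFSR_BITS),
        "ufsr": decode_bits(regs.get("UFSR", 0), UFSR_BITS),
        "bfsr": decode_bits(regs.get("BFSR", 0), BFSR_BITS),
        "mmfsr": decode_bits(regs.get("MMFSR", 0), MMFSR_BITS),
        "thumb_bit_in_xpsr": bool((regs.get("XPSR", 0) >> 24) & 1),
        "pc_in_code_region": region_of(regs["PC"]) == "Code",
        "targets": addr2line_targets(regs),
    }

if __name__ == "__main__":
    report = analyse(DUMP)
    for key in ("hfsr", "ufsr", "bfsr", "mmfsr", "thumb_bit_in_xpsr", "pc_in_code_region"):
        print(f"{key:18s} {report[key]}")
    for label, addr, region in report["targets"]:
        # arm-none-eabi-addr2line.exe is part of the GNU Arm Embedded Toolchain for
        # Windows; app.elf stands for the firmware's ELF, built with debug info (-g).
        print(f"{label:18s} [{region}] arm-none-eabi-addr2line -e app.elf -f -C -i 0x{addr:08X}")
```

If the call-site lookup also comes back as ??:?, the usual causes are an ELF built without -g, a stripped ELF, or an ELF from a different build than the one that crashed; arm-none-eabi-readelf -S app.elf shows whether the address falls inside a loaded section, and arm-none-eabi-gdb app.elf with info line *0x2C005 gives the same answer as addr2line if you prefer the debugger.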

Related

Library not loaded: @rpath/Toast.framework/Toast when debugging flutter app

Today when I started debugging the Flutter (v2.10.3) app with Android Studio on macOS 12.5 with an M1 chip, it showed an error like this:
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Incident Identifier: 6F929B73-3F57-461A-BC03-F534D610C50E
CrashReporter Key: 4B9AAD75-30E1-0E03-1197-562F10CD6CAA
Hardware Model: MacBookPro18,1
Process: Runner [20899]
Path: /Users/USER/Library/Developer/CoreSimulator/Devices/911ED020-A317-4E0E-AA48-A2369DD9EED8/data/Containers/Bundle/Application/CA725FC8-C3B4-4FC1-91DD-77DE7A74CC3F/Runner.app/Runner
Identifier: com.earth.dolphin
Version: 1.0.0 (1.0.0)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd_sim [17981]
Coalition: com.apple.CoreSimulator.SimDevice.911ED020-A317-4E0E-AA48-A2369DD9EED8 [4058]
Responsible Process: SimulatorTrampoline [17866]
Date/Time: 2022-07-30 12:28:46.6656 +0800
Launch Time: 2022-07-30 12:28:46.6099 +0800
OS Version: macOS 12.5 (21G72)
Release Type: User
Report Version: 104
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: DYLD 1 Library missing
Library not loaded: @rpath/Toast.framework/Toast
Referenced from: /Users/USER/Library/Developer/CoreSimulator/Devices/911ED020-A317-4E0E-AA48-A2369DD9EED8/data/Containers/Bundle/Application/CA725FC8-C3B4-4FC1-91DD-77DE7A74CC3F/Runner.app/Runner
Reason: tried: '/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/swift/Toast.framework/Toast' (no such file), '/usr/lib/swift/Toast.framework/Toast' (no such file), '/Users/xiaoqiangjiang/Library/Developer/CoreSimulator/Devices/911ED020-A317-4E0E-AA48-A2369DD9EED8/data/Containers/Bundle/Application/CA725FC8-C3B4-4FC1-91DD-77DE7A74CC3F/Runner.app/Frameworks/Toast.framework/Toast' (no such file), '/Users/xiaoqiangjiang/Library/Developer/CoreSimulator/Devices/911ED020-A317-4E0E-AA48-A2369DD9EED8/data/Containers/Bundle/Application/CA725FC8-C3B4-4FC1-91DD-77DE7A74CC3F/Runner.app/Frameworks/Toast.framework/Toast' (no such file), '/Users
(terminated at launch; ignore backtrace)
Triggered by Thread: 0
Thread 0 Crashed:
0 dyld 0x1046efe98 __abort_with_payload + 8
1 dyld 0x1046f7024 abort_with_payload_wrapper_internal + 104
2 dyld 0x1046f7058 abort_with_payload + 16
3 dyld_sim 0x1045d411c abort_with_payload + 40
4 dyld_sim 0x1045a54f4 dyld4::halt(char const*) + 324
5 dyld_sim 0x1045a19d4 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2468
6 dyld_sim 0x1045a1bf4 _dyld_sim_prepare + 376
7 dyld 0x1046aa4c4 dyld4::prepareSim(dyld4::RuntimeState&, char const*) + 1052
8 dyld 0x1046a9274 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 248
9 dyld 0x1046a906c start + 488
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000006 x1: 0x0000000000000001 x2: 0x000000016b9747a0 x3: 0x00000000000000ee
x4: 0x000000016b9743a0 x5: 0x0000000000000000 x6: 0x0000000000000000 x7: 0x0000000000000000
x8: 0x0000000000000020 x9: 0x0000000000000010 x10: 0x0000000000000000 x11: 0x207972617262694c
x12: 0x0000000000000027 x13: 0x0000000000000032 x14: 0x000000000013bc60 x15: 0x0000000000000000
x16: 0x0000000000000209 x17: 0x00000000000fde70 x18: 0x0000000000000000 x19: 0x0000000000000000
x20: 0x000000016b9743a0 x21: 0x00000000000000ee x22: 0x000000016b9747a0 x23: 0x0000000000000001
x24: 0x0000000000000006 x25: 0x000000016b975108 x26: 0x00000001045f00c8 x27: 0x0000000000000000
x28: 0x000000016b975038 fp: 0x000000016b974360 lr: 0x00000001046f7024
sp: 0x000000016b974320 pc: 0x00000001046efe98 cpsr: 0x00001000
far: 0x0000000104624000 esr: 0x56000080 Address size fault
Binary Images:
0x1046a4000 - 0x104703fff dyld (*) <75627683-a780-32ad-ae34-cf86dd23a26b> /usr/lib/dyld
0x1045a0000 - 0x1045dbfff dyld_sim (*) <67298116-bb18-3438-b22e-8d2b9d4618e9> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/dyld_sim
Error Formulating Crash Report:
dyld_process_snapshot_get_shared_cache failed
EOF
-----------
Full Report
-----------
{"app_name":"Runner","timestamp":"2022-07-30 12:28:46.00 +0800","app_version":"1.0.0","slice_uuid":"791b909c-b70e-34e2-9813-fc2da9cfbed7","build_version":"1.0.0","platform":7,"bundleID":"com.earth.dolphin","share_with_app_devs":0,"is_first_party":0,"bug_type":"309","os_version":"macOS 12.5 (21G72)","incident_id":"6F929B73-3F57-461A-BC03-F534D610C50E","name":"Runner"}
{
"uptime" : 6400,
"procLaunch" : "2022-07-30 12:28:46.6099 +0800",
"procRole" : "Foreground",
"version" : 2,
"userID" : 501,
"deployVersion" : 210,
"modelCode" : "MacBookPro18,1",
"procStartAbsTime" : 155477543631,
"coalitionID" : 4058,
"osVersion" : {
"train" : "macOS 12.5",
"build" : "21G72",
"releaseType" : "User"
},
"captureTime" : "2022-07-30 12:28:46.6656 +0800",
"incident" : "6F929B73-3F57-461A-BC03-F534D610C50E",
"bug_type" : "309",
"pid" : 20899,
"procExitAbsTime" : 155477977313,
"translated" : false,
"cpuType" : "ARM-64",
"procName" : "Runner",
"procPath" : "\/Users\/USER\/Library\/Developer\/CoreSimulator\/Devices\/911ED020-A317-4E0E-AA48-A2369DD9EED8\/data\/Containers\/Bundle\/Application\/CA725FC8-C3B4-4FC1-91DD-77DE7A74CC3F\/Runner.app\/Runner",
"bundleInfo" : {"CFBundleShortVersionString":"1.0.0","CFBundleVersion":"1.0.0","CFBundleIdentifier":"com.earth.dolphin"},
"storeInfo" : {"deviceIdentifierForVendor":"240CB839-BD26-57B4-8B0B-8DD4C99F160A","thirdParty":true},
"parentProc" : "launchd_sim",
"parentPid" : 17981,
"coalitionName" : "com.apple.CoreSimulator.SimDevice.911ED020-A317-4E0E-AA48-A2369DD9EED8",
"crashReporterKey" : "4B9AAD75-30E1-0E03-1197-562F10CD6CAA",
"responsiblePid" : 17866,
"responsibleProc" : "SimulatorTrampoline",
"sleepWakeUUID" : "FEBE014E-816D-4438-913C-962DA1859BCB",
"sip" : "enabled",
"isCorpse" : 1,
"exception" : {"codes":"0x0000000000000000, 0x0000000000000000","rawCodes":[0,0],"type":"EXC_CRASH","signal":"SIGABRT"},
"termination" : {"code":1,"flags":518,"namespace":"DYLD","indicator":"Library missing","details":["(terminated at launch; ignore backtrace)"],"reasons":["Library not loaded: #rpath\/Toast.framework\/Toast","Referenced from: \/Users\/USER\/Library\/Developer\/CoreSimulator\/Devices\/911ED020-A317-4E0E-AA48-A2369DD9EED8\/data\/Containers\/Bundle\/Application\/CA725FC8-C3B4-4FC1-91DD-77DE7A74CC3F\/Runner.app\/Runner","Reason: tried: '\/Applications\/Xcode.app\/Contents\/Developer\/Platforms\/iPhoneOS.platform\/Library\/Developer\/CoreSimulator\/Profiles\/Runtimes\/iOS.simruntime\/Contents\/Resources\/RuntimeRoot\/usr\/lib\/swift\/Toast.framework\/Toast' (no such file), '\/usr\/lib\/swift\/Toast.framework\/Toast' (no such file), '\/Users\/xiaoqiangjiang\/Library\/Developer\/CoreSimulator\/Devices\/911ED020-A317-4E0E-AA48-A2369DD9EED8\/data\/Containers\/Bundle\/Application\/CA725FC8-C3B4-4FC1-91DD-77DE7A74CC3F\/Runner.app\/Frameworks\/Toast.framework\/Toast' (no such file), '\/Users\/xiaoqiangjiang\/Library\/Developer\/CoreSimulator\/Devices\/911ED020-A317-4E0E-AA48-A2369DD9EED8\/data\/Containers\/Bundle\/Application\/CA725FC8-C3B4-4FC1-91DD-77DE7A74CC3F\/Runner.app\/Frameworks\/Toast.framework\/Toast' (no such file), '\/Users"]},
"extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
"faultingThread" : 0,
"threads" : [{"triggered":true,"id":134213,"threadState":{"x":[{"value":6},{"value":1},{"value":6100043680},{"value":238},{"value":6100042656},{"value":0},{"value":0},{"value":0},{"value":32},{"value":16},{"value":0},{"value":2340027244252129612},{"value":39},{"value":50},{"value":1293408},{"value":0},{"value":521},{"value":1039984},{"value":0},{"value":0},{"value":6100042656},{"value":238},{"value":6100043680},{"value":1},{"value":6},{"value":6100046088},{"value":4368302280,"symbolLocation":0,"symbol":"gProcessInfo"},{"value":0},{"value":6100045880}],"flavor":"ARM_THREAD_STATE64","lr":{"value":4369379364},"cpsr":{"value":4096},"fp":{"value":6100042592},"sp":{"value":6100042528},"esr":{"value":1442840704,"description":" Address size fault"},"pc":{"value":4369350296,"matchesCrashFrame":1},"far":{"value":4368515072}},"frames":[{"imageOffset":310936,"symbol":"__abort_with_payload","symbolLocation":8,"imageIndex":0},{"imageOffset":340004,"symbol":"abort_with_payload_wrapper_internal","symbolLocation":104,"imageIndex":0},{"imageOffset":340056,"symbol":"abort_with_payload","symbolLocation":16,"imageIndex":0},{"imageOffset":213276,"symbol":"abort_with_payload","symbolLocation":40,"imageIndex":1},{"imageOffset":21748,"symbol":"dyld4::halt(char const*)","symbolLocation":324,"imageIndex":1},{"imageOffset":6612,"symbol":"dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*)","symbolLocation":2468,"imageIndex":1},{"imageOffset":7156,"symbol":"_dyld_sim_prepare","symbolLocation":376,"imageIndex":1},{"imageOffset":25796,"symbol":"dyld4::prepareSim(dyld4::RuntimeState&, char const*)","symbolLocation":1052,"imageIndex":0},{"imageOffset":21108,"symbol":"dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*)","symbolLocation":248,"imageIndex":0},{"imageOffset":20588,"symbol":"start","symbolLocation":488,"imageIndex":0}]}],
"usedImages" : [
{
"source" : "P",
"arch" : "arm64e",
"base" : 4369039360,
"size" : 393216,
"uuid" : "75627683-a780-32ad-ae34-cf86dd23a26b",
"path" : "\/usr\/lib\/dyld",
"name" : "dyld"
},
{
"source" : "P",
"arch" : "arm64",
"base" : 4367974400,
"size" : 245760,
"uuid" : "67298116-bb18-3438-b22e-8d2b9d4618e9",
"path" : "\/Applications\/Xcode.app\/Contents\/Developer\/Platforms\/iPhoneOS.platform\/Library\/Developer\/CoreSimulator\/Profiles\/Runtimes\/iOS.simruntime\/Contents\/Resources\/RuntimeRoot\/usr\/lib\/dyld_sim",
"name" : "dyld_sim"
}
],
"vmSummary" : "ReadOnly portion of Libraries: Total=4912K resident=0K(0%) swapped_out_or_unallocated=4912K(100%)\nWritable regions: Total=10.0M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=10.0M(100%)\n\n VIRTUAL REGION \nREGION TYPE SIZE COUNT (non-coalesced) \n=========== ======= ======= \nSTACK GUARD 56.0M 1 \nStack 8176K 1 \nVM_ALLOCATE 16K 1 \n__DATA 112K 5 \n__DATA_CONST 384K 4 \n__LINKEDIT 1728K 5 \n__TEXT 3200K 4 \ndyld private memory 2048K 2 \n=========== ======= ======= \nTOTAL 71.3M 23 \n",
"legacyInfo" : {
"threadTriggered" : {
}
},
"trialInfo" : {
"rollouts" : [
{
"rolloutId" : "5fb4245a1bbfe8005e33a1e1",
"factorPackIds" : {
},
"deploymentId" : 240000015
},
{
"rolloutId" : "61af99aeda72d16a4beb7756",
"factorPackIds" : {
"SIRI_DIALOG_ASSETS" : "62b9afba7e9ada388efffaa0"
},
"deploymentId" : 240000271
}
],
"experiments" : [
]
},
"reportNotes" : [
"dyld_process_snapshot_get_shared_cache failed"
]
}
Model: MacBookPro18,1, BootROM 7459.141.1, proc 10:8:2 processors, 32 GB, SMC
Graphics: Apple M1 Pro, Apple M1 Pro, Built-In
Display: Color LCD, 3456 x 2234 Retina, Main, MirrorOff, Online
Display: dolphin’s MacBook Pro, 3840 x 2160 (2160p/4K UHD 1 - Ultra High Definition), MirrorOff
Memory Module: LPDDR5
AirPort: Wi-Fi, wl0: Apr 6 2022 05:55:54 version 20.90.45.0.8.7.118 FWID 01-e7138ff2
Bluetooth: Version (null), 0 services, 0 devices, 0 incoming serial ports
Network Service: Wi-Fi, AirPort, en0
USB Device: USB31Bus
USB Device: USB31Bus
USB Device: USB31Bus
Thunderbolt Bus: MacBook Pro, Apple Inc.
Thunderbolt Bus: MacBook Pro, Apple Inc.
Thunderbolt Bus: MacBook Pro, Apple Inc.
The Flutter app starts on the iPhone XR emulator and suddenly exits. I did not change the project code recently, so why did this happen? What should I do to fix this problem? The Android Studio version is:
Android Studio Chipmunk | 2021.2.1 Patch 1
Build #AI-212.5712.43.2112.8609683, built on May 19, 2022
Runtime version: 11.0.12+0-b1504.28-7817840 aarch64
VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o.
macOS 12.5
GC: G1 Young Generation, G1 Old Generation
Memory: 2280M
Cores: 10
Registry: external.system.auto.import.disabled=true
Non-Bundled Plugins: Dart (212.5744), org.moe.community (1.4.10), com.thoughtworks.gauge (212.4746.52), org.jetbrains.kotlin (212-1.7.10-release-333-AS5457.46), io.flutter (69.0.2)
Finally I found that upgrading the ruby-macho version to greater than 2.5.1 could fix this problem:
➜ ios git:(main) ✗ sudo gem install ruby-macho
Password:
Fetching ruby-macho-3.0.0.gem
Successfully installed ruby-macho-3.0.0
Parsing documentation for ruby-macho-3.0.0
Installing ri documentation for ruby-macho-3.0.0
Done installing documentation for ruby-macho after 0 seconds
1 gem installed
More information can be found here: https://github.com/flutter/flutter/issues/92896

Xcode 13.2.1 Crashes on launch on Monterey

I just did a clean install on my Mac with the latest macOS Monterey; since then I have had problems launching Xcode. I tried to downgrade to Xcode 12, but it also can't launch, with a different set of errors. I have removed Xcode and reinstalled it as well, but I keep getting the following errors.
When I launch Xcode I see an error stating that:
"Xcode quit unexpectedly. Click Reopen to open the application again. Click Report to see more detailed information and send a report to Apple."
The following is the information in the bug report:
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------
Process: Xcode [13028]
Path: /Applications/Xcode.app/Contents/MacOS/Xcode
Identifier: com.apple.dt.Xcode
Version: 13.2.1 (19586)
Build Info: IDEFrameworks-19586000000000000~2 (13C100)
App Item ID: 497799835
App External ID: 845961054
Code Type: X86-64 (Native)
Parent Process: launchd [1]
User ID: 501
Date/Time: 2021-12-29 21:05:14.8494 +0800
OS Version: macOS 12.1 (21C52)
Report Version: 12
Anonymous UUID: 761BB2D2-9587-496F-A99B-28153F166DE4
Sleep/Wake UUID: EFC592FD-C240-4939-B494-F1EDB25D5747
Time Awake Since Boot: 29000 seconds
Time Since Wake: 3461 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Application Specific Information:
dlopen(@rpath/libIDEApplicationLoader.dylib, 0x0001): tried:(security policy does not allow @ path expansion)
abort() called
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x7ff81d9e5112 __pthread_kill + 10
1 libsystem_pthread.dylib 0x7ff81da1b214 pthread_kill + 263
2 libsystem_c.dylib 0x7ff81d967d10 abort + 123
3 Xcode 0x1019c3537 main.cold.1 + 38
4 Xcode 0x1019c2d42 main + 336
5 dyld 0x1102154fe start + 462
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000110290600 rcx: 0x00007ff7be53f978 rdx: 0x0000000000000000
rdi: 0x0000000000000103 rsi: 0x0000000000000006 rbp: 0x00007ff7be53f9a0 rsp: 0x00007ff7be53f978
r8: 0x00007fe49080a038 r9: 0xfffeffffffffffff r10: 0x0000000000000000 r11: 0x0000000000000246
r12: 0x0000000000000103 r13: 0x00007fe49011f760 r14: 0x0000000000000006 r15: 0x0000000000000016
rip: 0x00007ff81d9e5112 rfl: 0x0000000000000246 cr2: 0x00007ff860821e00
Logical CPU: 0
Error Code: 0x02000148
Trap Number: 133
Binary Images:
0x7ff81d9de000 - 0x7ff81da14fff libsystem_kernel.dylib (*) <5aa1e5be-b5b8-3a02-9885-a8c99e0ca378> /usr/lib/system/libsystem_kernel.dylib
0x7ff81da15000 - 0x7ff81da20fff libsystem_pthread.dylib (*) <6c7561b4-4b92-3f45-921e-abe669299844> /usr/lib/system/libsystem_pthread.dylib
0x7ff81d8e6000 - 0x7ff81d96efff libsystem_c.dylib (*) <e58814cc-dcb7-35a5-badc-e367ed3ac207> /usr/lib/system/libsystem_c.dylib
0x1019c0000 - 0x1019c3fff com.apple.dt.Xcode (13.2.1) <c1d00c9f-cea5-312a-b16d-c9bb36eebb41> /Applications/Xcode.app/Contents/MacOS/Xcode
0x110210000 - 0x11027bfff dyld (*) <cef5a27a-d50b-3020-af03-1734b19bc8c5> /usr/lib/dyld
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
VM Region Summary:
ReadOnly portion of Libraries: Total=885.5M resident=0K(0%) swapped_out_or_unallocated=885.5M(100%)
Writable regions: Total=155.1M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=155.1M(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
Kernel Alloc Once 8K 1
MALLOC 27.1M 14
MALLOC guard page 24K 5
MALLOC_MEDIUM (reserved) 120.0M 1 reserved VM address space (unallocated)
STACK GUARD 56.0M 1
Stack 8192K 1
VM_ALLOCATE 8K 2
__DATA 18.1M 287
__DATA_CONST 13.8M 191
__DATA_DIRTY 736K 109
__FONT_DATA 4K 1
__LINKEDIT 641.0M 7
__OBJC_RO 81.8M 1
__OBJC_RW 3136K 2
__TEXT 244.5M 309
__UNICODE 588K 1
dyld private memory 1024K 1
shared memory 8K 1
=========== ======= =======
TOTAL 1.2G 935
TOTAL, minus reserved VM space 1.1G 935
-----------
Full Report
-----------
{"app_name":"Xcode","timestamp":"2021-12-29 21:05:14.00 +0800","app_version":"13.2.1","slice_uuid":"c1d00c9f-cea5-312a-b16d-c9bb36eebb41","adam_id":"497799835","build_version":"19586","platform":1,"bundleID":"com.apple.dt.Xcode","share_with_app_devs":0,"is_first_party":0,"bug_type":"309","os_version":"macOS 12.1 (21C52)","incident_id":"2E4381E6-5319-48ED-95E1-7B6DE4E39E11","name":"Xcode"}
{
"uptime" : 29000,
"procLaunch" : "2021-12-29 21:05:14.8301 +0800",
"procRole" : "Default",
"version" : 2,
"userID" : 501,
"deployVersion" : 210,
"modelCode" : "iMac15,1",
"procStartAbsTime" : 29888813166473,
"coalitionID" : 4955,
"osVersion" : {
"train" : "macOS 12.1",
"build" : "21C52",
"releaseType" : "User"
},
"captureTime" : "2021-12-29 21:05:14.8494 +0800",
"incident" : "2E4381E6-5319-48ED-95E1-7B6DE4E39E11",
"bug_type" : "309",
"pid" : 13028,
"procExitAbsTime" : 29888831985917,
"cpuType" : "X86-64",
"procName" : "Xcode",
"procPath" : "\/Applications\/Xcode.app\/Contents\/MacOS\/Xcode",
"bundleInfo" : {"CFBundleShortVersionString":"13.2.1","CFBundleVersion":"19586","CFBundleIdentifier":"com.apple.dt.Xcode"},
"buildInfo" : {"ProjectName":"IDEFrameworks","SourceVersion":"19586000000000000","ProductBuildVersion":"13C100","BuildVersion":"2"},
"storeInfo" : {"storeCohortMetadata":"10|date=1640779200000&sf=143473&pgtp=Search&pgid=osx&prpg=Genre_133005&ctxt=Search&issrch=1&imptyp=lockup&kind=macSoftware&lngid=2","itemID":"497799835","deviceIdentifierForVendor":"3397027C-A430-5AB7-960B-AD9958C5155F","thirdParty":true,"softwareVersionExternalIdentifier":"845961054"},
"parentProc" : "launchd",
"parentPid" : 1,
"coalitionName" : "com.apple.dt.Xcode",
"crashReporterKey" : "761BB2D2-9587-496F-A99B-28153F166DE4",
"wakeTime" : 3461,
"sleepWakeUUID" : "EFC592FD-C240-4939-B494-F1EDB25D5747",
"sip" : "enabled",
"isCorpse" : 1,
"exception" : {"codes":"0x0000000000000000, 0x0000000000000000","rawCodes":[0,0],"type":"EXC_CRASH","signal":"SIGABRT"},
"asi" : {"Xcode":["dlopen(#rpath\/libIDEApplicationLoader.dylib, 0x0001): tried:(security policy does not allow # path expansion)"],"libsystem_c.dylib":["abort() called"]},
"extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
"faultingThread" : 0,
"threads" : [{"triggered":true,"id":294397,"threadState":{"r13":{"value":140619646367584},"rax":{"value":0},"rflags":{"value":582},"cpu":{"value":0},"r14":{"value":6},"rsi":{"value":6},"r8":{"value":140619653619768},"cr2":{"value":140704747757056},"rdx":{"value":0},"r10":{"value":0},"r9":{"value":18446462598732840959},"r15":{"value":22},"rbx":{"value":4566091264,"symbolLocation":0,"symbol":"_main_thread"},"trap":{"value":133},"err":{"value":33554760},"r11":{"value":582},"rip":{"value":140703625531666,"matchesCrashFrame":1},"rbp":{"value":140702026824096},"rsp":{"value":140702026824056},"r12":{"value":259},"rcx":{"value":140702026824056},"flavor":"x86_THREAD_STATE","rdi":{"value":259}},"queue":"com.apple.main-thread","frames":[{"imageOffset":28946,"symbol":"__pthread_kill","symbolLocation":10,"imageIndex":0},{"imageOffset":25108,"symbol":"pthread_kill","symbolLocation":263,"imageIndex":1},{"imageOffset":531728,"symbol":"abort","symbolLocation":123,"imageIndex":2},{"imageOffset":13623,"symbol":"main.cold.1","symbolLocation":38,"imageIndex":3},{"imageOffset":11586,"symbol":"main","symbolLocation":336,"imageIndex":3},{"imageOffset":21758,"symbol":"start","symbolLocation":462,"imageIndex":4}]}],
"usedImages" : [
{
"source" : "P",
"arch" : "x86_64",
"base" : 140703625502720,
"size" : 225280,
"uuid" : "5aa1e5be-b5b8-3a02-9885-a8c99e0ca378",
"path" : "\/usr\/lib\/system\/libsystem_kernel.dylib",
"name" : "libsystem_kernel.dylib"
},
{
"source" : "P",
"arch" : "x86_64",
"base" : 140703625728000,
"size" : 49152,
"uuid" : "6c7561b4-4b92-3f45-921e-abe669299844",
"path" : "\/usr\/lib\/system\/libsystem_pthread.dylib",
"name" : "libsystem_pthread.dylib"
},
{
"source" : "P",
"arch" : "x86_64",
"base" : 140703624486912,
"size" : 561152,
"uuid" : "e58814cc-dcb7-35a5-badc-e367ed3ac207",
"path" : "\/usr\/lib\/system\/libsystem_c.dylib",
"name" : "libsystem_c.dylib"
},
{
"source" : "P",
"arch" : "x86_64",
"base" : 4321968128,
"CFBundleShortVersionString" : "13.2.1",
"CFBundleIdentifier" : "com.apple.dt.Xcode",
"size" : 16384,
"uuid" : "c1d00c9f-cea5-312a-b16d-c9bb36eebb41",
"path" : "\/Applications\/Xcode.app\/Contents\/MacOS\/Xcode",
"name" : "Xcode",
"CFBundleVersion" : "19586"
},
{
"source" : "P",
"arch" : "x86_64",
"base" : 4565565440,
"size" : 442368,
"uuid" : "cef5a27a-d50b-3020-af03-1734b19bc8c5",
"path" : "\/usr\/lib\/dyld",
"name" : "dyld"
}
],
"sharedCache" : {
"base" : 140703622500352,
"size" : 15216738304,
"uuid" : "40432a03-88d3-305f-9c0c-e7549e71d927"
},
"vmSummary" : "ReadOnly portion of Libraries: Total=885.5M resident=0K(0%) swapped_out_or_unallocated=885.5M(100%)\nWritable regions: Total=155.1M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=155.1M(100%)\n\n VIRTUAL REGION \nREGION TYPE SIZE COUNT (non-coalesced) \n=========== ======= ======= \nKernel Alloc Once 8K 1 \nMALLOC 27.1M 14 \nMALLOC guard page 24K 5 \nMALLOC_MEDIUM (reserved) 120.0M 1 reserved VM address space (unallocated)\nSTACK GUARD 56.0M 1 \nStack 8192K 1 \nVM_ALLOCATE 8K 2 \n__DATA 18.1M 287 \n__DATA_CONST 13.8M 191 \n__DATA_DIRTY 736K 109 \n__FONT_DATA 4K 1 \n__LINKEDIT 641.0M 7 \n__OBJC_RO 81.8M 1 \n__OBJC_RW 3136K 2 \n__TEXT 244.5M 309 \n__UNICODE 588K 1 \ndyld private memory 1024K 1 \nshared memory 8K 1 \n=========== ======= ======= \nTOTAL 1.2G 935 \nTOTAL, minus reserved VM space 1.1G 935 \n",
"legacyInfo" : {
"threadTriggered" : {
"queue" : "com.apple.main-thread"
}
},
"trialInfo" : {
"rollouts" : [
{
"rolloutId" : "5fc94383418129005b4e9ae0",
"factorPackIds" : {
},
"deploymentId" : 240000196
},
{
"rolloutId" : "601d9415f79519000ccd4b69",
"factorPackIds" : {
"SIRI_TEXT_TO_SPEECH" : "61c11dcd2cb6041dc630dc63"
},
"deploymentId" : 240000357
},
{
"rolloutId" : "607844aa04477260f58a8077",
"factorPackIds" : {
"SIRI_MORPHUN_ASSETS" : "6103050cbfe6dc472e1c982a"
},
"deploymentId" : 240000066
},
{
"rolloutId" : "5ffde50ce2aacd000d47a95f",
"factorPackIds" : {
},
"deploymentId" : 240000090
},
{
"rolloutId" : "602ad4dac86151000cf27e46",
"factorPackIds" : {
"SIRI_DICTATION_ASSETS" : "6193d03f2171a2330e561dfc"
},
"deploymentId" : 240000290
},
{
"rolloutId" : "60da5e84ab0ca017dace9abf",
"factorPackIds" : {
},
"deploymentId" : 240000008
}
],
"experiments" : [
]
}
}
Model: iMac15,1, BootROM 432.40.8.0.1, 4 processors, Quad-Core Intel Core i7, 4 GHz, 32 GB, SMC 2.23f11
Graphics: AMD Radeon R9 M295X, AMD Radeon R9 M295X, PCIe, 4 GB
Display: iMac, Retina 5K (5120 x 2880), Main, MirrorOff, Online
Memory Module: BANK 0/DIMM0, 8 GB, DDR3, 1600 MHz, 0x0000, 0x000000000000000000000000000000000000
Memory Module: BANK 1/DIMM0, 8 GB, DDR3, 1600 MHz, 0x80AD, 0x484D54343147533641465238412D50422020
Memory Module: BANK 0/DIMM1, 8 GB, DDR3, 1600 MHz, 0x0000, 0x000000000000000000000000000000000000
Memory Module: BANK 1/DIMM1, 8 GB, DDR3, 1600 MHz, 0x80AD, 0x484D54343147533641465238412D50422020
AirPort: spairport_wireless_card_type_wifi (0x14E4, 0x142), Broadcom BCM43xx 1.0 (7.77.111.1 AirPortDriverBrcmNIC-1710.3)
AirPort:
Bluetooth: Version (null), 0 services, 0 devices, 0 incoming serial ports
Network Service: Wi-Fi, AirPort, en1
Serial ATA Device: APPLE SSD SD0128F, 121.33 GB
Serial ATA Device: Samsung SSD 850 EVO 500GB, 500.11 GB
USB Device: USB30Bus
USB Device: My Passport 25AA
USB Device: BRCM20702 Hub
USB Device: Bluetooth USB Host Controller
USB Device: FaceTime HD Camera (Built-in)
USB Device: USB2.0 Hub
USB Device: Gaming Mouse G402
USB Device: QuickFire Rapid keyboard
Thunderbolt Bus: iMac, Apple Inc., 26.1

Setting Breakpoint via bp kernelbase!RegOpenKeyExW Doesn't Work in WinDbg

Using WinDbg Preview or WinDbg from the Windows 10 SDK, when launching a 32-bit process on Windows 10 1909 (build 18363.815), setting a breakpoint on kernelbase!RegOpenKeyExW by name doesn't work.
Example:
Launch C:\windows\syswow64\notepad.exe under WinDbg
.symfix C:\symbols
.reload
bp ntdll!NtOpenKeyEx
g
k
# ChildEBP RetAddr
00 0308f314 74bb5030 ntdll!NtOpenKeyEx
01 0308f3c4 74bb4b87 KERNELBASE!LocalBaseRegOpenKey+0x110
02 0308f42c 74bb4a3c KERNELBASE!RegOpenKeyExInternalW+0x137
03 0308f450 761c34b9 KERNELBASE!RegOpenKeyExW+0x1c
04 0308f488 761c34b9 combase!ComVerifierSettings::ReadBooleanFromOleKey+0x35 [onecore\com\combase\verifier\verify.cxx @ 1046]
05 0308f4a4 761c345c combase!ComVerifierSettings::ComVerifierSettings+0x2f [onecore\com\combase\verifier\verify.cxx @ 768]
06 0308f4a8 76115745 combase!`dynamic initializer for 'ComVerifierSettings::s_singleton''+0x5 [onecore\com\combase\verifier\verify.cxx @ 626]
07 0308f4c0 756a6cd7 ucrtbase!_initterm+0x37
08 0308f500 761e1801 combase!dllmain_crt_process_attach+0x8c [vccrt\vcstartup\src\startup\dll_dllmain.cpp @ 64]
09 0308f510 761e175d combase!dllmain_crt_dispatch+0x3d [vccrt\vcstartup\src\startup\dll_dllmain.cpp @ 138]
0a 0308f550 761e1a6e combase!dllmain_dispatch+0x59 [vccrt\vcstartup\src\startup\dll_dllmain.cpp @ 195]
0b 0308f564 77071de6 combase!_DllMainCRTStartup+0x1e [vccrt\vcstartup\src\startup\dll_dllmain.cpp @ 253]
0c 0308f584 77035608 ntdll!LdrxCallInitRoutine+0x16
0d 0308f5d0 77043f8f ntdll!LdrpCallInitRoutine+0x51
0e 0308f658 77044836 ntdll!LdrpInitializeNode+0x133
0f 0308f67c 7704484d ntdll!LdrpInitializeGraphRecurse+0x5d
10 0308f6a4 770a9542 ntdll!LdrpInitializeGraphRecurse+0x74
11 0308f6b4 770a9382 ntdll!LdrpInitializeGraph+0x13
12 0308f914 77051dd1 ntdll!LdrpInitializeProcess+0x1cc2
13 0308f96c 77051cc1 ntdll!_LdrpInitialize+0xba
14 0308f978 00000000 ntdll!LdrInitializeThunk+0x11
.restart
bc *
bp KERNELBASE!RegOpenKeyExW
g
No breakpoint hit
.restart
bc *
x kernelbase!RegOpenKeyExW*
74bc64b0 KERNELBASE!RegOpenKeyExW (void)
74bb4a20 KERNELBASE!RegOpenKeyExW (_RegOpenKeyExW@20)
uf 74bc64b0
KERNELBASE!EventAccessControl:
74bc64b0 6a7f push 7Fh
74bc64b2 58 pop eax
74bc64b3 c21400 ret 14h
uf 74bb4a20
KERNELBASE!RegOpenKeyExW:
74bb4a20 8bff mov edi,edi
74bb4a22 55 push ebp
74bb4a23 8bec mov ebp,esp
74bb4a25 51 push ecx
74bb4a26 6a00 push 0
74bb4a28 ff7518 push dword ptr [ebp+18h]
74bb4a2b ff7514 push dword ptr [ebp+14h]
74bb4a2e ff7510 push dword ptr [ebp+10h]
74bb4a31 ff750c push dword ptr [ebp+0Ch]
74bb4a34 ff7508 push dword ptr [ebp+8]
74bb4a37 e814000000 call KERNELBASE!RegOpenKeyExInternalW (74bb4a50)
74bb4a3c 59 pop ecx
74bb4a3d 5d pop ebp
74bb4a3e c21400 ret 14h
bp 74bb4a20
g
Breakpoint hit. Why do I have to use this address rather than the name? Why the duplicate names?
Breakpoint 0 hit
eax=0308f478 ebx=00000000 ecx=760de820 edx=00000000 esi=760de820 edi=760c8d98
eip=74bb4a20 esp=0308f454 ebp=0308f488 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
KERNELBASE!RegOpenKeyExW:
74bb4a20 8bff mov edi,edi
Checking the import table of the process, the address referenced is 74bb4a20.
0:000> lmvm notepad
Browse full module list
start end module name
00fe0000 0100b000 notepad (deferred)
Image path: notepad.exe
Image name: notepad.exe
Browse all global symbols functions data
Image was built with /Brepro flag.
Timestamp: 93B4E8FA (This is a reproducible build file hash, not a timestamp)
CheckSum: 00032822
ImageSize: 0002B000
File version: 10.0.18362.693
Product version: 10.0.18362.693
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: Notepad
OriginalFilename: NOTEPAD.EXE
ProductVersion: 10.0.18362.693
FileVersion: 10.0.18362.693 (WinBuild.160101.0800)
FileDescription: Notepad
LegalCopyright: © Microsoft Corporation. All rights reserved.
0:000> !dh 00fe0000
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
6 number of sections
93B4E8FA time date stamp
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
102 characteristics
Executable
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
14.15 linker version
1FC00 size of code
7400 size of initialized data
0 size of uninitialized data
1F8D0 address of entry point
1000 base of code
----- new -----
00fe0000 image base
1000 section alignment
200 file alignment
2 subsystem (Windows GUI)
10.00 operating system version
10.00 image version
10.00 subsystem version
2B000 size of image
400 size of headers
32822 checksum
00040000 size of stack reserve
00011000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
C140 DLL characteristics
Dynamic base
NX compatible
Guard
Terminal server aware
0 [ 0] address [size] of Export Directory
234B8 [ 370] address [size] of Import Directory
27000 [ BE0] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
28000 [ 21A8] address [size] of Base Relocation Directory
4A80 [ 54] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
13D4 [ 18] address [size] of Thread Storage Directory
1330 [ A4] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
23000 [ 4B4] address [size] of Import Address Table Directory
207A4 [ E0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
.text name
1FB50 virtual size
1000 virtual address
1FC00 size of raw data
400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
(no align specified)
Execute Read
Debug Directories(3)
Type Size Address Pointer
cv 24 5078 4478 Format: RSDS, guid, 1, notepad.pdb
( 13) 3a4 509c 449c
( 16) 24 5440 4840
SECTION HEADER #2
.data name
1DB0 virtual size
21000 virtual address
800 size of raw data
20000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
(no align specified)
Read Write
SECTION HEADER #3
.idata name
2472 virtual size
23000 virtual address
2600 size of raw data
20800 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
(no align specified)
Read Only
SECTION HEADER #4
.didat name
78 virtual size
26000 virtual address
200 size of raw data
22E00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
(no align specified)
Read Write
SECTION HEADER #5
.rsrc name
BE0 virtual size
27000 virtual address
C00 size of raw data
23000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
(no align specified)
Read Only
SECTION HEADER #6
.reloc name
21A8 virtual size
28000 virtual address
2200 size of raw data
23C00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only
0:000> dps 00fe0000+23000 00fe0000+23000+4B4
01003000 639b5690 COMCTL32!CreateStatusWindowW
01003004 63a48240 COMCTL32!TaskDialogIndirect
01003008 00000000
0100300c 76f04680 GDI32!SelectObject
01003010 76f07930 GDI32!GetTextFaceW
01003014 76f077a0 GDI32!EnumFontsW
01003018 76f079b0 GDI32!TextOutW
0100301c 76f06a80 GDI32!GetTextExtentPoint32WStub
01003020 76f05790 GDI32!SetMapModeStub
01003024 76f060e0 GDI32!SetViewportExtExStub
01003028 76f060a0 GDI32!SetWindowExtExStub
0100302c 76f05540 GDI32!LPtoDPStub
01003030 76f03660 GDI32!DeleteObject
01003034 76f07950 GDI32!GetTextMetricsW
01003038 76f06370 GDI32!EndPage
0100303c 76f0b990 GDI32!AbortDoc
01003040 76f068c0 GDI32!EndDoc
01003044 76f03290 GDI32!DeleteDC
01003048 76f0b000 GDI32!SetAbortProc
0100304c 76f06840 GDI32!StartDocW
01003050 76f06340 GDI32!StartPage
01003054 76f06c60 GDI32!CreateDCW
01003058 76f04940 GDI32!CreateFontIndirectW
0100305c 76f047f0 GDI32!SetBkMode
01003060 76f041e0 GDI32!GetDeviceCaps
01003064 00000000
01003068 75450180 USER32!SetThreadDpiAwarenessContext
0100306c 7543e3f0 USER32!PostMessageW
01003070 75474170 USER32!DialogBoxParamW
01003074 7543ea10 USER32!GetFocus
01003078 75491370 USER32!MessageBoxW
0100307c 75432fe0 USER32!GetMenu
01003080 75446e40 USER32!CheckMenuItem
01003084 75447a10 USER32!GetSubMenu
01003088 75445f90 USER32!EnableMenuItem
0100308c 75455bd0 USER32!NtUserShowWindow
01003090 7543e8b0 USER32!GetDC
01003094 7543e290 USER32!ReleaseDC
01003098 754544dc USER32!SetCursorStub
0100309c 75451760 USER32!GetDpiForWindow
010030a0 75455840 USER32!NtUserSetActiveWindow
010030a4 7543f580 USER32!LoadStringW
010030a8 770882e0 ntdll!NtdllDefWindowProc_W
010030ac 7543b6f0 USER32!IsIconic
010030b0 75455980 USER32!NtUserSetFocus
010030b4 754543c0 USER32!PostQuitMessage
010030b8 75454ae0 USER32!NtUserDestroyWindow
010030bc 7549f1b0 USER32!MessageBeep
010030c0 75455470 USER32!NtUserMoveWindow
010030c4 75431cb0 USER32!GetDlgCtrlID
010030c8 75455b70 USER32!NtUserSetWindowPos
010030cc 754556c0 USER32!NtUserRedrawWindow
010030d0 7543f040 USER32!GetKeyboardLayout
010030d4 75453dc0 USER32!CharNextWStub
010030d8 7543fd40 USER32!SetWinEventHook
010030dc 7543e730 USER32!GetMessageW
010030e0 7544b790 USER32!TranslateAcceleratorW
010030e4 75437fe0 USER32!IsDialogMessageW
010030e8 754383c0 USER32!TranslateMessage
010030ec 75433eb0 USER32!DispatchMessageW
010030f0 75455c80 USER32!NtUserUnhookWinEvent
010030f4 75430620 USER32!SetWindowTextW
010030f8 7544fbd0 USER32!OpenClipboard
010030fc 7544f420 USER32!IsClipboardFormatAvailableStub
01003100 75450e80 USER32!CloseClipboardStub
01003104 75451380 USER32!SetDlgItemTextW
01003108 75450cf0 USER32!GetDlgItemTextW
0100310c 75450630 USER32!EndDialog
01003110 75440720 USER32!SendDlgItemMessageW
01003114 75441400 USER32!SetScrollPos
01003118 75455300 USER32!NtUserInvalidateRect
0100311c 75432f60 USER32!UpdateWindow
01003120 754551a0 USER32!NtUserGetWindowPlacement
01003124 75455b60 USER32!NtUserSetWindowPlacement
01003128 7543fca0 USER32!CharUpperWStub
0100312c 754550b0 USER32!NtUserGetSystemMenu
01003130 75453020 USER32!LoadAcceleratorsW
01003134 75438800 USER32!SetWindowLongW
01003138 7542f6c0 USER32!CreateWindowExW
0100313c 754306f0 USER32!MonitorFromWindow
01003140 7543f5b0 USER32!RegisterWindowMessageW
01003144 754313a0 USER32!LoadCursorW
01003148 7542e4c0 USER32!RegisterClassExW
0100314c 75430680 USER32!GetWindowTextLengthW
01003150 75433470 USER32!GetWindowLongW
01003154 75439da0 USER32!PeekMessageW
01003158 754312c0 USER32!GetWindowTextW
0100315c 7543fc80 USER32!EnableWindow
01003160 75451400 USER32!CreateDialogParamW
01003164 754531f0 USER32!DrawTextExW
01003168 75433b50 USER32!GetClientRect
0100316c 754342e0 USER32!SendMessageW
01003170 75454e10 USER32!NtUserGetForegroundWindow
01003174 7542e440 USER32!LoadIconW
01003178 75453220 USER32!LoadImageW
0100317c 00000000
01003180 7604ded0 advapi32!IsTextUnicode
01003184 00000000
01003188 76177de0 combase!CoCreateFreeThreadedMarshaler [onecore\com\combase\dcomrem\ipmrshl.cxx # 201]
0100318c 761a79d0 combase!CoWaitForMultipleHandles [onecore\com\combase\dcomrem\sync.cxx # 87]
01003190 761534c0 combase!PropVariantClear [onecore\com\combase\util\propvar.cxx # 278]
01003194 76182860 combase!CoTaskMemAlloc [onecore\com\combase\class\memapi.cxx # 428]
01003198 761440a0 combase!CoCreateGuid [onecore\com\combase\class\cocrguid.cxx # 49]
0100319c 761829e0 combase!CoTaskMemFree [onecore\com\combase\class\memapi.cxx # 444]
010031a0 76159910 combase!CoCreateInstance [onecore\com\combase\objact\actapi.cxx # 109]
010031a4 76195f60 combase!CoInitializeEx [onecore\com\combase\class\compobj.cxx # 3792]
010031a8 76195fb0 combase!CoUninitialize [onecore\com\combase\class\compobj.cxx # 3851]
010031ac 00000000
010031b0 74bcb460 KERNELBASE!GetTimeFormatW
010031b4 74bcf0d0 KERNELBASE!GetDateFormatW
010031b8 00000000
010031bc 74bc4bb0 KERNELBASE!IsDebuggerPresent
010031c0 74c0e2d0 KERNELBASE!wil::details::DebugBreak
010031c4 74c524b0 KERNELBASE!OutputDebugStringW
010031c8 00000000
010031cc 74c4d510 KERNELBASE!DelayLoadFailureHook
010031d0 00000000
010031d4 74bc1630 KERNELBASE!ResolveDelayLoadedAPI
010031d8 00000000
010031dc 74bc43a0 KERNELBASE!RaiseException
010031e0 74ba27a0 KERNELBASE!GetLastError
010031e4 77060240 ntdll!RtlSetLastWin32Error
010031e8 74bc0640 KERNELBASE!SetUnhandledExceptionFilter
010031ec 74c5b8f0 KERNELBASE!UnhandledExceptionFilter
010031f0 00000000
010031f4 74bbf770 KERNELBASE!FindClose
010031f8 74bc48d0 KERNELBASE!SetEndOfFile
010031fc 74b9ffb0 KERNELBASE!DeleteFileW
01003200 74bbc2d0 KERNELBASE!GetFullPathNameW
01003204 74ba1540 KERNELBASE!WriteFile
01003208 74b9f9e0 KERNELBASE!FindFirstFileW
0100320c 74bc0c50 KERNELBASE!GetFileAttributesExW
01003210 74b9f860 KERNELBASE!GetFileAttributesW
01003214 74ba20b0 KERNELBASE!CreateFileW
01003218 74ba1ee0 KERNELBASE!ReadFile
0100321c 74bc1750 KERNELBASE!GetFileInformationByHandle
01003220 00000000
01003224 74ba26f0 KERNELBASE!CloseHandle
01003228 00000000
0100322c 74b9b0b0 KERNELBASE!GetProcessHeap
01003230 7703ae50 ntdll!RtlAllocateHeap
01003234 7703dc70 ntdll!RtlFreeHeap
01003238 74bc4d20 KERNELBASE!HeapSetInformation
0100323c 00000000
01003240 74ba5210 KERNELBASE!LocalFree
01003244 74bbf030 KERNELBASE!GlobalAlloc
01003248 74ba5340 KERNELBASE!LocalAlloc
0100324c 74bb7c50 KERNELBASE!LocalUnlock
01003250 74b9b760 KERNELBASE!LocalReAlloc
01003254 74bb7aa0 KERNELBASE!LocalLock
01003258 74bbf820 KERNELBASE!GlobalFree
0100325c 00000000
01003260 757b4050 KERNEL32!GlobalLock
01003264 757b7b00 KERNEL32!LocalSize
01003268 757b4740 KERNEL32!GlobalUnlock
0100326c 00000000
01003270 74be0d80 KERNELBASE!MulDiv
01003274 00000000
01003278 74ba0420 KERNELBASE!GetModuleHandleW
0100327c 74ba1700 KERNELBASE!LoadLibraryExW
01003280 74b9ea60 KERNELBASE!GetProcAddress
01003284 74ba0320 KERNELBASE!FreeLibrary
01003288 74bbe8b0 KERNELBASE!GetModuleFileNameW
0100328c 74bbe7c0 KERNELBASE!GetModuleFileNameA
01003290 74b9f3b0 KERNELBASE!GetModuleHandleExW
01003294 00000000
01003298 74ba9a60 KERNELBASE!GetACP
0100329c 74b9b450 KERNELBASE!FormatMessageW
010032a0 74ba36e0 KERNELBASE!GetLocaleInfoW
010032a4 74c109a0 KERNELBASE!FindNLSString
010032a8 00000000
010032ac 74bbde70 KERNELBASE!GetUserDefaultUILanguage
010032b0 00000000
010032b4 74bbf740 KERNELBASE!UnmapViewOfFile
010032b8 74bbe6f0 KERNELBASE!MapViewOfFile
010032bc 74ba0910 KERNELBASE!CreateFileMappingW
010032c0 00000000
010032c4 74bc5000 KERNELBASE!GetCommandLineW
010032c8 00000000
010032cc 757b1a60 KERNEL32!GetCurrentThreadId
010032d0 757c3bf0 KERNEL32!GetCurrentProcess
010032d4 74bbf520 KERNELBASE!OpenProcessToken
010032d8 757c3c00 KERNEL32!GetCurrentProcessId
010032dc 757b9aa0 KERNEL32!GetStartupInfoWStub
010032e0 757bf420 KERNEL32!TerminateProcessStub
010032e4 00000000
010032e8 74bc0940 KERNELBASE!GetProcessMitigationPolicy
010032ec 00000000
010032f0 77060550 ntdll!RtlQueryPerformanceCounter
010032f4 00000000
010032f8 74bb4a20 KERNELBASE!RegOpenKeyExW
010032fc 74bb5800 KERNELBASE!RegCloseKey
01003300 74bb4460 KERNELBASE!RegQueryValueExW
01003304 74bd4530 KERNELBASE!RegSetValueExW
01003308 00000000
0100330c 7604efe0 advapi32!RegCreateKeyW
01003310 00000000
01003314 74b9f2c0 KERNELBASE!PathFileExistsW
01003318 74bd25a0 KERNELBASE!PathIsFileSpecW
0100331c 74bbebd0 KERNELBASE!PathFindExtensionW
01003320 00000000
01003324 74bb1de0 KERNELBASE!WideCharToMultiByte
01003328 74bd1490 KERNELBASE!FoldStringW
0100332c 74bb0390 KERNELBASE!CompareStringOrdinal
01003330 74ba6350 KERNELBASE!MultiByteToWideChar
01003334 00000000
01003338 757b7740 KERNEL32!lstrcmpiWStub
0100333c 00000000
01003340 770360b0 ntdll!RtlEnterCriticalSection
01003344 7705c380 ntdll!RtlDeleteCriticalSection
01003348 74ba0cb0 KERNELBASE!CreateMutexExW
0100334c 74bbeba0 KERNELBASE!SetEvent
01003350 77058680 ntdll!RtlLeaveCriticalSection
01003354 77053b40 ntdll!RtlReleaseSRWLockShared
01003358 74bbeac0 KERNELBASE!InitializeCriticalSectionEx
0100335c 74b9d850 KERNELBASE!OpenSemaphoreW
01003360 74bc1720 KERNELBASE!ReleaseSemaphore
01003364 74baef90 KERNELBASE!WaitForSingleObject
01003368 770384a0 ntdll!RtlAcquireSRWLockExclusive
0100336c 74baef10 KERNELBASE!ReleaseMutex
01003370 74b9f320 KERNELBASE!CreateSemaphoreExW
01003374 7703ec20 ntdll!RtlReleaseSRWLockExclusive
01003378 74baefb0 KERNELBASE!WaitForSingleObjectEx
0100337c 74bbe9c0 KERNELBASE!CreateEventExW
01003380 77053c10 ntdll!RtlAcquireSRWLockShared
01003384 00000000
01003388 74bbf590 KERNELBASE!Sleep
0100338c 77068e00 ntdll!RtlWakeAllConditionVariable
01003390 74bc3f70 KERNELBASE!SleepConditionVariableSRW
01003394 00000000
01003398 74bbe020 KERNELBASE!GetLocalTime
0100339c 74bbc6a0 KERNELBASE!GetSystemTimeAsFileTime
010033a0 74bb1a20 KERNELBASE!GetTickCount
010033a4 00000000
010033a8 77053ee0 ntdll!TpSetTimer
010033ac 77052580 ntdll!TpWaitForTimer
010033b0 770524f0 ntdll!TpReleaseTimer
010033b4 74bc3350 KERNELBASE!CreateThreadpoolTimer
010033b8 00000000
010033bc 761d39b0 combase!SetRestrictedErrorInfo [onecore\com\combase\winrt\error\restrictederror.cpp # 125]
010033c0 00000000
010033c4 761ddef0 combase!RoGetMatchingRestrictedErrorInfo [onecore\com\combase\winrt\error\restrictederror.cpp # 205]
010033c8 00000000
010033cc 7615ec90 combase!RoGetActivationFactory [onecore\com\combase\winrtbase\winrtbase.cpp # 1062]
010033d0 761d1b80 combase!RoInitialize [onecore\com\combase\winrtbase\winrtbase.cpp # 329]
010033d4 761db3e0 combase!RoUninitialize [onecore\com\combase\winrtbase\winrtbase.cpp # 454]
010033d8 00000000
010033dc 761626a0 combase!WindowsCreateStringReference [onecore\com\combase\winrt\string\string.cpp # 70]
010033e0 761bcf30 combase!WindowsDeleteString [onecore\com\combase\winrt\string\string.cpp # 146]
010033e4 7619c530 combase!WindowsGetStringRawBuffer [onecore\com\combase\winrt\string\string.cpp # 226]
010033e8 7614b690 combase!WindowsCreateString [onecore\com\combase\winrt\string\string.cpp # 30]
010033ec 00000000
010033f0 77044d10 ntdll!EtwEventUnregister
010033f4 77065d70 ntdll!EtwEventWriteTransfer
010033f8 7705e180 ntdll!EtwEventSetInformation
010033fc 7705f800 ntdll!EtwEventRegister
01003400 00000000
01003404 74ba10d0 KERNELBASE!GetTokenInformation
01003408 00000000
0100340c 756095b0 shcore!SHStrDupW
01003410 00000000
01003414 755ffea0 shcore!PathIsNetworkPathW
01003418 00000000
0100341c 75618a90 shcore!GetDpiForMonitor
01003420 00000000
01003424 74a46dd0 msvcrt!__dllonexit
01003428 74a373a0 msvcrt!free
0100342c 74a216c0 msvcrt!iswdigit
01003430 74aa5ba0 msvcrt!_acmdln
01003434 74a566f0 msvcrt!exit
01003438 74a88540 msvcrt!__setusermatherr
0100343c 74a56fe0 msvcrt!_unlock
01003440 74a25c50 msvcrt!__getmainargs
01003444 74a56e30 msvcrt!_lock
01003448 74a46eb0 msvcrt!_onexit
0100344c 74a561b0 msvcrt!_amsg_exit
01003450 74a7ab30 msvcrt!wcsnlen
01003454 74a3eb40 msvcrt!_ismbblead
01003458 74a47600 msvcrt!__set_app_type
0100345c 74a56230 msvcrt!_cexit
01003460 74a25d60 msvcrt!__p__commode
01003464 74a56110 msvcrt!_exit
01003468 74a44c40 msvcrt!_XcptFilter
0100346c 74a564c0 msvcrt!_initterm
01003470 74a77f60 msvcrt!_wcsicmp
01003474 74a23db0 msvcrt!_wtol
01003478 74a79910 msvcrt!memmove_s
0100347c 74a48bc0 msvcrt!_purecall
01003480 74a79500 msvcrt!memcpy_s
01003484 74a66ef0 msvcrt!_vsnwprintf
01003488 74a2b000 msvcrt!__CxxFrameHandler
0100348c 74a89fc0 msvcrt!_controlfp
01003490 74a2a670 msvcrt!terminate
01003494 74a48370 msvcrt!_except_handler4_common
01003498 74a25db0 msvcrt!__p__fmode
0100349c 74a37580 msvcrt!malloc
010034a0 74a34d70 msvcrt!_callnewh
010034a4 74a79130 msvcrt!memcmp
010034a8 74a79190 msvcrt!memcpy
010034ac 74a79970 msvcrt!memset
010034b0 00000000
010034b4 77088cb0 ntdll!LdrpValidateUserCallTarget
Reloading symbols made no difference:
0:007> .reload /f kernelbase.dll
SYMSRV: BYINDEX: 0x49
C:\symbols*https://msdl.microsoft.com/download/symbols
wkernelbase.pdb
017FA9C5278235B7E6BFBA74A9A5AAD91
SYMSRV: PATH: C:\symbols\wkernelbase.pdb\017FA9C5278235B7E6BFBA74A9A5AAD91\wkernelbase.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: KERNELBASE - public symbols
C:\symbols\wkernelbase.pdb\017FA9C5278235B7E6BFBA74A9A5AAD91\wkernelbase.pdb
I can set a breakpoint via bm using a wildcard, but in the past I have never had to do this:
0:000> bm kernelbase!RegOpenKeyExW*
1: 74bc64b0 #!"KERNELBASE!RegOpenKeyExW"
2: 74bb4a20 #!"KERNELBASE!RegOpenKeyExW"
Wondering if there is any specific change causing this, or if it is a problem with symbols, etc.?
Well, one is a CLR type private symbol. I don't know how it crept in, but IIRC there are a few more symbols like this.
Use .symopt+4000 to load only public symbols;
then your breakpoint will be set correctly.
0:000> .symopt
Symbol options are 0x30337:
0x00000001 - SYMOPT_CASE_INSENSITIVE
0x00000002 - SYMOPT_UNDNAME
0x00000004 - SYMOPT_DEFERRED_LOADS
0x00000010 - SYMOPT_LOAD_LINES
0x00000020 - SYMOPT_OMAP_FIND_NEAREST
0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
0x00010000 - SYMOPT_AUTO_PUBLICS
0x00020000 - SYMOPT_NO_IMAGE_SEARCH
0:000> x /v /f /t kernelbase!RegOpenKeyExW*
prv func 00007fff`582a3120 6 <CLR type> KERNELBASE!RegOpenKeyExW (void)
pub func 00007fff`58248c60 0 <NoType> KERNELBASE!RegOpenKeyExW (<no parameter info>)
0:000> .symopt+4000
Symbol options are 0x34337:
0x00000001 - SYMOPT_CASE_INSENSITIVE
0x00000002 - SYMOPT_UNDNAME
0x00000004 - SYMOPT_DEFERRED_LOADS
0x00000010 - SYMOPT_LOAD_LINES
0x00000020 - SYMOPT_OMAP_FIND_NEAREST
0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
0x00004000 - SYMOPT_PUBLICS_ONLY
0x00010000 - SYMOPT_AUTO_PUBLICS
0x00020000 - SYMOPT_NO_IMAGE_SEARCH
0:000> x /v /f /t kernelbase!RegOpenKeyExW*
pub func 00007fff`58248c60 0 <NoType> KERNELBASE!RegOpenKeyExW (<no parameter info>)
0:000> bp KERNELBASE!RegOpenKeyExW
0:000> bl
0 e Disable Clear 00007fff`58248c60 0001 (0001) 0:**** KERNELBASE!RegOpenKeyExW
0:000> g
ModLoad: 00007fff`59140000 00007fff`5916e000 C:\WINDOWS\System32\IMM32.DLL
Breakpoint 0 hit
KERNELBASE!RegOpenKeyExW:
00007fff`58248c60 4883ec38 sub rsp,38h
0:000> uf .
KERNELBASE!RegOpenKeyExW:
00007fff`58248c60 4883ec38 sub rsp,38h
00007fff`58248c64 488b442460 mov rax,qword ptr [rsp+60h]
00007fff`58248c69 488364242800 and qword ptr [rsp+28h],0
00007fff`58248c6f 4889442420 mov qword ptr [rsp+20h],rax
00007fff`58248c74 e817000000 call KERNELBASE!RegOpenKeyExInternalW (00007fff`58248c90)
00007fff`58248c79 4883c438 add rsp,38h
00007fff`58248c7d c3 ret
As stated, there are quite a few symbols that all point to this address:
windbg -c ".logopen d:\syms.txt;x /v /t kernelbase!*;.logclose;q" windbg
D:\>wc -l syms.txt
41405 syms.txt
D:\>grep -i RegOpenKeyExW syms.txt
prv func 00007fff`582a3120 6 <CLR type> KERNELBASE!RegOpenKeyExW (void)
pub func 00007fff`58248c60 0 <NoType> KERNELBASE!RegOpenKeyExW (<no parameter info>)
D:\>grep -i 00007fff`582a3120 syms.txt | wc -l
1935
D:\>grep -i prv.*00007fff`582a3120 syms.txt | wc -l
1935
D:\>grep -i pub.*00007fff`582a3120 syms.txt | wc -l
0
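The grep/wc pipeline in this answer can be done offline on a saved symbol log. The following is an added Python example (not from the answer, not part of WinDbg) that parses `x /v /t` lines, reports which public and private entries a name resolves to, and lists addresses that several distinct names collapse onto, with the prv/pub breakdown the answer obtained with grep. The two RegOpenKeyExW lines are the ones quoted above; the other symbol names in the sample are constructed for the example and are not real KERNELBASE exports.

```python
import re
from collections import defaultdict

# Constructed sample of `x /v /t kernelbase!*` output. The two RegOpenKeyExW
# lines are quoted from the answer; the ExampleAlias*/ExampleUnique names are
# made up for this example and do not exist in KERNELBASE.
X_OUTPUT = """\
prv func 00007fff`582a3120 6 <CLR type> KERNELBASE!RegOpenKeyExW (void)
pub func 00007fff`58248c60 0 <NoType> KERNELBASE!RegOpenKeyExW (<no parameter info>)
prv func 00007fff`582a3120 6 <CLR type> KERNELBASE!ExampleAliasOne (void)
prv func 00007fff`582a3120 6 <CLR type> KERNELBASE!ExampleAliasTwo (void)
pub func 00007fff`58250000 0 <NoType> KERNELBASE!ExampleUnique (<no parameter info>)
"""

# scope kind address size <type> name (rest)
LINE_RE = re.compile(
    r"^(?P<scope>prv|pub)\s+(?P<kind>\w+)\s+(?P<addr>[0-9a-fA-F`]+)\s+"
    r"(?P<size>\d+)\s+<(?P<type>[^>]*)>\s+(?P<name>\S+)\s*(?P<rest>.*)$"
)


def parse_x_output(text):
    """Parse `x /v /t` output lines into dicts; addresses become integers."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines and anything unparseable
        e = m.groupdict()
        e["addr"] = int(e["addr"].replace("`", ""), 16)  # drop WinDbg's 64-bit separator
        e["size"] = int(e["size"])
        entries.append(e)
    return entries


def resolve(entries, name):
    """Split the entries for one symbol name into publics and privates,
    which is what `x` shows with and without SYMOPT_PUBLICS_ONLY."""
    matches = [e for e in entries if e["name"].lower() == name.lower()]
    return {
        "public": [e for e in matches if e["scope"] == "pub"],
        "private": [e for e in matches if e["scope"] == "prv"],
    }


def shared_addresses(entries, min_names=2):
    """Addresses that several distinct names point to, with prv/pub counts
    (the equivalent of the `grep ... | wc -l` counts in the answer)."""
    by_addr = defaultdict(list)
    for e in entries:
        by_addr[e["addr"]].append(e)
    report = {}
    for addr, es in by_addr.items():
        names = {e["name"] for e in es}
        if len(names) >= min_names:
            report[addr] = {
                "names": sorted(names),
                "prv": sum(1 for e in es if e["scope"] == "prv"),
                "pub": sum(1 for e in es if e["scope"] == "pub"),
            }
    return report


def breakpoint_candidate(entries, name):
    """Address a plain `bp name` should land on: prefer the public symbol
    when a private CLR-type alias shadows it, as the answer's workaround does."""
    r = resolve(entries, name)
    if r["public"]:
        return r["public"][0]["addr"]
    if r["private"]:
        return r["private"][0]["addr"]
    return None


if __name__ == "__main__":
    entries = parse_x_output(X_OUTPUT)
    for addr, info in shared_addresses(entries).items():
        print(f"{addr:016x}: {info['prv']} prv / {info['pub']} pub -> {info['names']}")
    print(f"bp target: {breakpoint_candidate(entries, 'kernelbase!RegOpenKeyExW'):016x}")
```

Run it against a real `.logopen` capture by reading the file into `parse_x_output`; the same `shared_addresses` report then shows every name that the CLR-type entry at one address has swallowed.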

Interpreting Section object in kernel dump

I'm trying to track down issues with a 3thParty application. The path currently being investigated is to look into a Section object that gets created in each process: rpsPdf10.mutex.
If the name of the object is any indication of its intended usage, I'm not sure why they chose a Section object and use it as a Mutex, but that's likely largely irrelevant.
Using LiveKd I've issued the following commands trying to get detailed info on the Section object:
0: kd> !process 0 0 3thParty.exe
...
PROCESS fffffa800ea80060
SessionId: 0 Cid: 0a00 Peb: fffdf000 ParentCid: 014c
DirBase: 99349000 ObjectTable: fffff8a004448bf0 HandleCount: 338.
Image: 3thParty.exe
...
0: kd> !handle 0 7 fffffa800ea80060
...
08 fffff8a012e26710 Section rpsPdf10.mutex
...
0: kd> !object fffff8a012e26710
Object: fffff8a012e26710 Type: (fffffa800cd7cea0) Section
ObjectHeader: fffff8a012e266e0 (new version)
HandleCount: 38 PointerCount: 39
Directory Object: fffff8a00a980080 Name: rpsPdf10.mutex
0: kd> dt nt!_FILE_OBJECT fffff8a012e26710
+0x000 Type : 0n256
+0x002 Size : 0n0
+0x008 DeviceObject : 0x000000000008dfb0 _DEVICE_OBJECT
+0x010 Vpb : 0xfffffa80c0000001 _VPB
+0x018 FsContext : (null)
+0x020 FsContext2 : 0xfffffa8000000034 Void
+0x028 SectionObjectPointer : 0xfffff8a0102d7820 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : 0x0000000000001000 Void
+0x038 FinalStatus : 0n73728
+0x040 RelatedFileObject : 0x63536153030a040c _FILE_OBJECT
+0x048 LockOperation : 0x74 't'
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0x65 'e'
+0x04b WriteAccess : 0 ''
+0x04c DeleteAccess : 0x73 's'
+0x04d SharedRead : 0 ''
+0x04e SharedWrite : 0x74 't'
The string 't' 'e' 's' 't' in the output definitely sticks out, so
either I'm following a wrong path -> thanks to Blabb, this is certain. It's not a file object, but the question remains how to find out more information about the Section object. It's still curious and/or a rather unfortunate coincidence that the section and control area pointers I derived from the file object info do seem correct?!
or there's something wrong with the Section object
or ... ?
tl;dr:
Following the _SECTION_OBJECT_POINTERS of the _FILE_OBJECT structure above, I arrive at a
NumberOfMappedViews of 0x26 (= HandleCount: 38)
NumberOfUserReferences of 0x27 (= PointerCount: 39)
so for the moment I assume the path I've followed is correct.
0: kd> dt nt!_SECTION_OBJECT_POINTERS 0xfffff8a0102d7820
+0x000 DataSectionObject : 0xfffffa800fbed900 Void
+0x008 SharedCacheMap : 0x0008000000000001 Void
+0x010 ImageSectionObject : 0x0000000000000001 Void
0: kd> dt nt!_CONTROL_AREA 0xfffffa800fbed900
+0x000 Segment : 0xfffff8a0102d7820 _SEGMENT
+0x008 DereferenceList : _LIST_ENTRY [ 0x0000000000000000 - 0x0000000000000000 ]
+0x018 NumberOfSectionReferences : 1
+0x020 NumberOfPfnReferences : 0
+0x028 NumberOfMappedViews : 0x26
+0x030 NumberOfUserReferences : 0x27
Edit
The object header looks like this:
0: kd> dt nt!_OBJECT_HEADER fffff8a012e266e0
+0x000 PointerCount : 0n39
+0x008 HandleCount : 0n38
+0x008 NextToFree : 0x00000000`00000026 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : 0x21 '!'
+0x019 TraceFlags : 0 ''
+0x01a InfoMask : 0xa ''
+0x01b Flags : 0 ''
+0x020 ObjectCreateInfo : 0xfffffa80`0e505140 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : 0xfffffa80`0e505140 Void
+0x028 SecurityDescriptor : 0xfffff8a0`1ba076a8 Void
+0x030 Body : _QUAD
Edit 2
Following @blabb's answer, adjusting for architecture:
0: kd> ? @$proc
Evaluate expression: -6047068061600 = fffffa80`0ea80060
0: kd> dx (char *)@$proc->ImageFileName
(char *)@$proc->ImageFileName : 0xfffffa800ea80340 : [Type: char *] : "3thParty.exe"
0: kd> !handle 0 0 @$proc section
...
0474: Object: fffff8a012e26710 GrantedAccess: 000f0007
...
0: kd> !object fffff8a012e26710
Object: fffff8a012e26710 Type: (fffffa800cd7cea0) Section
ObjectHeader: fffff8a012e266e0 (new version)
HandleCount: 38 PointerCount: 39
Directory Object: fffff8a00a980080 Name: rpsPdf10.mutex
0: kd> ?? (unsigned long) (#FIELD_OFFSET(nt!_OBJECT_HEADER, Body))
unsigned long 0x30
0: kd> dt nt!_object_header 0xfffff8a012e26710-0x30
+0x000 PointerCount : 0n39
+0x008 HandleCount : 0n38
+0x008 NextToFree : 0x00000000`00000026 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : 0x21 '!'
+0x019 TraceFlags : 0 ''
+0x01a InfoMask : 0xa ''
+0x01b Flags : 0 ''
+0x020 ObjectCreateInfo : 0xfffffa80`0e505140 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : 0xfffffa80`0e505140 Void
+0x028 SecurityDescriptor : 0xfffff8a0`1ba076a8 Void
+0x030 Body : _QUAD
0: kd> x nt!ObTypeIndexTable
fffff800`01a70c00 nt!ObTypeIndexTable = <no type information>
0: kd> dt -r1 nt!_SECTION_OBJECT 0xfffff8a012e26710
+0x000 StartingVa : 0x00000022`00000100 Void
+0x008 EndingVa : 0x00000000`0008dfb0 Void
+0x010 Parent : 0xfffffa80`c0000001 Void
+0x018 LeftChild : (null)
+0x020 RightChild : 0xfffffa80`00000034 Void
+0x028 Segment : 0xfffff8a0`102d7820 _SEGMENT_OBJECT
+0x000 BaseAddress : 0xfffffa80`0fbed900 Void
+0x008 TotalNumberOfPtes : 1
+0x010 SizeOfSegment : _LARGE_INTEGER 0x1
+0x018 NonExtendedPtes : 0x1000
+0x01c ImageCommitment : 0
+0x020 ControlArea : (null)
+0x028 Subsection : (null)
+0x030 MmSectionFlags : 0xfffffa80`10987b10 _MMSECTION_FLAGS
+0x038 MmSubSectionFlags : 0x00000000`03400000 _MMSUBSECTION_FLAGS
0: kd> dc 0xfffff8a012e26710-0x30-0x50
fffff8a0`12e26690 030c0408 f4636553 0e1a02e0 fffffa80 ....Sec.........
fffff8a0`12e266a0 00000048 000000b8 0000001c fffffa80 H...............
fffff8a0`12e266b0 0e505140 fffffa80 00000000 00000000 @QP.............
fffff8a0`12e266c0 0a980080 fffff8a0 001c001c 00000000 ................
fffff8a0`12e266d0 10eb8770 fffff8a0 00000000 00000008 p...............
fffff8a0`12e266e0 00000027 00000000 00000026 00000000 '.......&.......
fffff8a0`12e266f0 00000000 00000000 000a0021 fffff8a0 ........!.......
fffff8a0`12e26700 0e505140 fffffa80 1ba076a8 fffff8a0 @QP......v......
0: kd> !pool 0xfffff8a012e26710-0x30-0x50 2
Pool page fffff8a012e26690 region is Paged pool
*fffff8a012e26690 size: c0 previous size: 80 (Allocated) *Sect (Protected)
Pooltag Sect : Section objects
This is a 32-bit machine running Windows 7.
The commands used are architecture-agnostic, but the pointer arithmetic is arch-dependent.
Current process:
kd> ? @$proc
Evaluate expression: -2061895528 = 8519f898
Process name from EPROCESS->ImageFileName:
kd> dx (char *)@$proc->ImageFileName
(char *)@$proc->ImageFileName : 0xffffffff8519fa04 : "windbg.exe" [Type: char *]
Let's search for some Section handles in this process.
The TypeName is case-sensitive:
kd> !handle 0 3 @$proc Section
Searching for handles of type Section
PROCESS 8519f898 SessionId: 1 Cid: 0138 Peb: 7ffd8000 ParentCid: 0d04
DirBase: 7e257560 ObjectTable: b91a3520 HandleCount: 254.
Image: windbg.exe
Handle table at b91a3520 with 254 entries in use
00c0: Object: 9a10bc58 GrantedAccess: 00000004 Entry: 9945b180
Object: 9a10bc58 Type: (84eb6040) Section
ObjectHeader: 9a10bc40 (new version)
HandleCount: 6 PointerCount: 6
The !handle 0 3 flag dumps object-specific information, which can be re-verified using !object {object address}:
kd> !object 9a10bc58
Object: 9a10bc58 Type: (84eb6040) Section
ObjectHeader: 9a10bc40 (new version)
HandleCount: 6 PointerCount: 6
Each object has an object header; in 32-bit it is 18 bytes prior to the object address, that is sizeof(nt!_OBJECT_HEADER) - sizeof(obheader->Body). Body is embedded in the HEADER as the last member and is variable sized.
kd> ?? (unsigned long ) (#FIELD_OFFSET(nt!_OBJECT_HEADER , Body))
unsigned long 0x18
_OBJECT_HEADER is as follows (though the sizes haven't changed, there are differences between the new version header and the old version header):
kd> dt nt!_object_header 9a10bc58-0x18
+0x000 PointerCount : 0n6
+0x004 HandleCount : 0n6
+0x004 NextToFree : 0x00000006 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : 0x21 '!'
+0x00d TraceFlags : 0 ''
+0x00e InfoMask : 0x8 ''
+0x00f Flags : 0 ''
+0x010 ObjectCreateInfo : 0x82f7aa00 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x82f7aa00 Void
+0x014 SecurityDescriptor : (null)
+0x018 Body : _QUAD
The old version header had _OBJECT_TYPE directly in the header;
the new version is an index into an array.
Here the type index is 0x21.
The array of types is at:
kd> x nt!ObTypeIndexTable
82f88580 nt!ObTypeIndexTable = <no type information>
you can write a script like this to dump all the types
// Print one line to the debugger output window.
function log(instr)
{
    host.diagnostics.debugLog(instr + "\n");
}

// Run a classic debugger command and return its output as an iterable of lines.
function exec(cmdstr)
{
    return host.namespace.Debugger.Utility.Control.ExecuteCommand(cmdstr);
}

function dumptypeindex()
{
    // "x nt!ObTypeIndexTable" prints "<address> nt!ObTypeIndexTable = ...";
    // take the address token. It is 8 hex digits on this 32-bit target; a
    // 64-bit target prints 17 characters with a backtick, so widen the substr there.
    var titab = exec("x nt!ObTypeIndexTable").First().substr(0, 8);
    // View the table as an array of _OBJECT_TYPE pointers.
    var obtype = host.createPointerObject(host.parseInt64(titab, 16), "nt", "_OBJECT_TYPE **");
    // Indices 0 and 1 are unused; walk until the first null entry.
    var i = 2;
    while (!obtype[i].isNull)
    {
        // Name is a UNICODE_STRING and is not guaranteed to be NUL-terminated,
        // so pass its length in characters instead of reading to a terminator.
        var name = obtype[i].Name;
        log("index = " + i + "\t" + host.memory.readWideString(name.Buffer, name.Length / 2));
        i++;
    }
}
executing this script would yield the types as follows
kd> .scriptload c:\wdscr\dumptypeindex.js
JavaScript script successfully loaded from 'c:\dumptypeindex.js'
kd> dx @$scriptContents.dumptypeindex()
index = 2 Type
index = 3 Directory
index = 4 SymbolicLink
index = 5 Token
index = 6 Job
index = 7 Process
index = 8 Thread
index = 9 UserApcReserve
index = 10 IoCompletionReserve
index = 11 DebugObject
index = 12 Event
index = 13 EventPair
index = 14 Mutant
index = 15 Callback
index = 16 Semaphore
index = 17 Timer
index = 18 Profile
index = 19 KeyedEvent
index = 20 WindowStation
index = 21 Desktop
index = 22 TpWorkerFactory
index = 23 Adapter
index = 24 Controller
index = 25 Device
index = 26 Driver
index = 27 IoCompletion
index = 28 File
index = 29 TmTm
index = 30 TmTxȂ؃扏楄
index = 31 TmRm
index = 32 TmEn
index = 33 Section
index = 34 Session
index = 35 Key
index = 36 ALPC Port
index = 37 PowerRequest
index = 38 WmiGuid
index = 39 EtwRegistration
index = 40 EtwConsumer
index = 41 FilterConnectionPort
index = 42 FilterCommunicationPort
index = 43 PcwObject
notice 0x21 = 0n33 = Section
given that we have a Section
we can dump the Section Object
kd> dt -r1 nt!_SECTION_OBJECT 9a10bc58
+0x000 StartingVa : 0x90f87b44 Void
+0x004 EndingVa : 0x82efb58a Void
+0x008 Parent : 0xc0802000 Void
+0x00c LeftChild : (null)
+0x010 RightChild : 0xc0c0a280 Void
+0x014 Segment : 0x995ed8d8 _SEGMENT_OBJECT
+0x000 BaseAddress : 0x86b65740 Void
+0x004 TotalNumberOfPtes : 0xdf
+0x008 SizeOfSegment : _LARGE_INTEGER 0x000000df`00080000
+0x010 NonExtendedPtes : 0xdf000
+0x014 ImageCommitment : 0
+0x018 ControlArea : (null)
+0x01c Subsection : (null)
+0x020 MmSectionFlags : 0x869f52a8 _MMSECTION_FLAGS
+0x024 MmSubSectionFlags : 0x02ea0000 _MMSUBSECTION_FLAGS
An object is preceded by an object header, which is preceded by the pool header:
kd> dc 9a10bc58-0x18-0x18
9a10bc28 060b0204 f4636553 00000720 00000070 ....Sec. ...p...
9a10bc38 00000000 00000000 00000006 00000006 ................
9a10bc48 00000000 00080021 82f7aa00 00000000 ....!...........
9a10bc58 90f87b44 82efb58a c0802000 00000000 D{....... ......
9a10bc68 c0c0a280 995ed8d8 000df000 00000000 ......^.........
9a10bc78 00012000 00000004 0670020b 6666744e . ........p.Ntff
9a10bc88 00f00702 00000a48 0000c0fe 00020000 ....H...........
9a10bc98 00000000 00000002 00000000 00000000 ................
Notice the Sec tag; Sect is used by Section objects:
kd> !pool 9a10bc58-0x18-0x18 2
Pool page 9a10bc28 region is Paged pool
*9a10bc28 size: 58 previous size: 20 (Allocated) *Sect (Protected)
Pooltag Sect : Section objects
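To make the pool header / optional header / object header arithmetic in this answer concrete, here is an added Python decoder (example code, not from the answer and not part of WinDbg) that takes the `dc 9a10bc58-0x18-0x18` listing above as constructed input and recovers the same fields that `!pool` and `dt nt!_OBJECT_HEADER` print: block size, previous size, tag with the protected bit, PointerCount, HandleCount, TypeIndex, InfoMask, and the quota optional header that sits between the pool header and the object header. The optional-header sizes and their ordering (creator, name, handle, quota, process info walking down from _OBJECT_HEADER) and the x86 _POOL_HEADER bit layout are assumptions taken from the public symbols for 32-bit Windows 7; the PoolType reading (non-zero = allocated, low bit = paged) is likewise an assumption and not something the answer states.

```python
import re
import struct

# Sample input: the `dc 9a10bc58-0x18-0x18` listing from the answer above,
# embedded here so the decoder runs offline.
DC_DUMP = """\
9a10bc28 060b0204 f4636553 00000720 00000070 ....Sec. ...p...
9a10bc38 00000000 00000000 00000006 00000006 ................
9a10bc48 00000000 00080021 82f7aa00 00000000 ....!...........
9a10bc58 90f87b44 82efb58a c0802000 00000000 D{....... ......
"""

# Assumed x86 Windows 7 optional header sizes, keyed by InfoMask bit, in the
# order they sit in memory walking down from _OBJECT_HEADER (creator info
# nearest the header, process info furthest away).
OPTIONAL_HEADERS = [
    (0x01, "CreatorInfo", 0x10),
    (0x02, "NameInfo",    0x10),
    (0x04, "HandleInfo",  0x08),
    (0x08, "QuotaInfo",   0x10),
    (0x10, "ProcessInfo", 0x08),
]
POOL_HEADER_SIZE = 8       # x86 _POOL_HEADER (assumed)
OBJECT_HEADER_BODY = 0x18  # #FIELD_OFFSET(nt!_OBJECT_HEADER, Body) on x86, from the answer


def parse_dc(text):
    """Turn `dc` output into (base address, little-endian byte blob)."""
    base, blob = None, bytearray()
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]{8})((?:\s+[0-9a-f]{8}){1,4})", line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        base = addr if base is None else base
        for word in m.group(2).split():
            blob += struct.pack("<I", int(word, 16))  # dc prints DWORDs, memory is little-endian
    return base, bytes(blob)


def optional_header_offsets(info_mask):
    """Distance (bytes below _OBJECT_HEADER) of each optional header present."""
    offsets, running = {}, 0
    for bit, name, size in OPTIONAL_HEADERS:
        if info_mask & bit:
            running += size
            offsets[name] = running
    return offsets


def decode_object_region(dump_text, object_addr):
    """Decode pool header, optional headers and _OBJECT_HEADER for a 32-bit object."""
    base, blob = parse_dc(dump_text)

    def dword(addr):
        return struct.unpack_from("<I", blob, addr - base)[0]

    hdr = object_addr - OBJECT_HEADER_BODY
    flags_word = dword(hdr + 0x0c)  # TypeIndex, TraceFlags, InfoMask, Flags packed as bytes
    header = {
        "PointerCount": dword(hdr + 0x0),
        "HandleCount": dword(hdr + 0x4),
        "TypeIndex": flags_word & 0xff,
        "TraceFlags": (flags_word >> 8) & 0xff,
        "InfoMask": (flags_word >> 16) & 0xff,
        "Flags": (flags_word >> 24) & 0xff,
        "QuotaBlockCharged": dword(hdr + 0x10),
        "SecurityDescriptor": dword(hdr + 0x14),
    }
    offsets = optional_header_offsets(header["InfoMask"])
    optional = {}
    if "QuotaInfo" in offsets:  # _OBJECT_HEADER_QUOTA_INFO, x86: four ULONG-sized fields
        q = hdr - offsets["QuotaInfo"]
        optional["QuotaInfo"] = {
            "PagedPoolCharge": dword(q),
            "NonPagedPoolCharge": dword(q + 4),
            "SecurityDescriptorCharge": dword(q + 8),
            "ExclusiveProcess": dword(q + 12),
        }
    # The pool header sits just below the furthest optional header.
    pool_addr = hdr - max(offsets.values(), default=0) - POOL_HEADER_SIZE
    w = dword(pool_addr)  # PreviousSize:9 | PoolIndex:7 | BlockSize:9 | PoolType:7
    tag = struct.pack("<I", dword(pool_addr + 4))
    pool = {
        "Address": pool_addr,
        "PreviousSize": (w & 0x1ff) * 8,         # sizes are in 8-byte units on x86
        "PoolIndex": (w >> 9) & 0x7f,
        "BlockSize": ((w >> 16) & 0x1ff) * 8,
        "PoolType": w >> 25,
        "Allocated": (w >> 25) != 0,
        "Paged": bool((w >> 25) & 1),
        "Tag": bytes(b & 0x7f for b in tag).decode("ascii"),
        "Protected": bool(tag[3] & 0x80),         # top bit of the last tag byte
    }
    return {"ObjectHeader": hdr, "Header": header, "Optional": optional, "Pool": pool}


if __name__ == "__main__":
    info = decode_object_region(DC_DUMP, 0x9a10bc58)
    p = info["Pool"]
    print(f"*{p['Address']:08x} size: {p['BlockSize']:x} previous size: {p['PreviousSize']:x} "
          f"{'Allocated' if p['Allocated'] else 'Free'} *{p['Tag']}{' (Protected)' if p['Protected'] else ''}")
    print(info["Header"], info["Optional"])
```

The same walk on the 64-bit dump earlier in the thread needs the x64 sizes instead (0x30 header body offset, 0x10 pool header, 0x20 name and quota headers), which is exactly why the question's author ended up at `-0x30-0x50` there and the answer at `-0x18-0x18` here.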

Dump All VAD of a process in Windows

I want to get a memory dump of a specific process.
I've found that each Windows process contains a VadRoot in its EPROCESS.
I used windbg to get some information about this structure:
kd> dt nt!_MMVAD fffffa801b7011d0
+0x000 u1 : <unnamed-tag>
+0x008 LeftChild : (null)
+0x010 RightChild : (null)
+0x018 StartingVpn : 0x7fefe440
+0x020 EndingVpn : 0x7fefe4b0
+0x028 u : <unnamed-tag>
+0x030 PushLock : _EX_PUSH_LOCK
+0x038 u5 : <unnamed-tag>
+0x040 u2 : <unnamed-tag>
+0x048 Subsection : 0xfffffa80`19f62640 _SUBSECTION
+0x048 MappedSubsection : 0xfffffa80`19f62640 _MSUBSECTION
+0x050 FirstPrototypePte : 0xfffff8a0`00b3ac28 _MMPTE
+0x058 LastContiguousPte : 0xffffffff`fffffffc _MMPTE
+0x060 ViewLinks : _LIST_ENTRY [ 0xfffffa80`1b7a38c0 - 0xfffffa80`1aa6d6a0 ]
+0x070 VadsProcess : 0xfffffa80`1b7e8941 _EPROCESS
It's Win7 64-bit.
I guess StartingVpn: 0x7fefe440 contains the memory contents of this block.
But is that a virtual address or a physical address? I don't know
what it stands for...
Thanks.
Locate the process:
lkd> !process 0 0 explorer.exe
PROCESS 8a1908d0 ...... Image: explorer.exe
Set the process context:
lkd> .process /p /r 8a1908d0
View the required module:
lkd> lm m explorer
start end module name
01000000 010ff000 Explorer (deferred)
Get the VAD for a virtual address in the current process context:
lkd> !vad explorer 1
VAD # 8a120ed0
Start VPN 1000 End VPN 10fe Control Area 8a81ab80
FirstProtoPte e23e9048 LastPte fffffffc Commit Charge 3 (3.)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ImageMap ViewShare EXECUTE_WRITECOPY
ReadOnly
ControlArea # 8a81ab80
Segment e23e9008 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 4d Mapped Views 1
User Ref 2 WaitForDel 0 Flush Count 0
File Object 8ab28240 ModWriteCount 0 System Views 0
Flags (90000a0) Image File HadUserReference Accessed
\WINDOWS\explorer.exe
Segment # e23e9008
ControlArea 8a81ab80 BasedAddress 01000000
Total Ptes ff
WriteUserRef 0 SizeOfSegment ff000
Committed 0 PTE Template 8a81ac3000000420
Based Addr 1000000 Image Base 0
Image Commit 2 Image Info e23e9840
ProtoPtes e23e9048
Reload command: .reload explorer.exe=01000000,ff000
Dump all the VADs for the current process context:
lkd> !vad 8a120ed0 0
VAD level start end commit
8a03b1d8 ( 3) e50 e51 0 Mapped READONLY Pagefile-backed section
8a6fe240 ( 4) e60 e6f 0 Mapped READWRITE Pagefile-backed section
................................
89c86600 ( 5) ff0 ff0 1 Private READWRITE
8a120ed0 ( 0) 1000 10fe 3 Mapped Exe EXECUTE_WRITECOPY \WINDOWS\explorer.exe
.................................
8a87bb18 ( 7) 26d0 2733 0 Mapped READWRITE \Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
8a74b420 ( 0) 3e1c0 3ec52 10 Mapped Exe EXECUTE_WRITECOPY \WINDOWS\system32\ieframe.dll
8abfa398 ( 1) 7ffde 7ffde 1 Private READWRITE
Total VADs: 1231, average level: 5, maximum depth: 4294967295
VAD is short for virtual address descriptor and VPN is short for virtual page number. So it's a virtual address, not a physical address.
It needs to be translated to a physical address using PTEs (page table entry).
Given a user mode address I found with a user mode debugging session:
0:032> !address
[...]
+ 7ff`fffdc000 7ff`fffde000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~1; 13ec.10fc]
0:032> dd 7ff`fffde000 L8
000007ff`fffde000 00000000 00000000 00240000 00000000
000007ff`fffde010 0022b000 00000000 00000000 00000000
I can do this in a kernel debugging session using LiveKd (SysInternals):
0: kd> !process 0 0 explorer.exe
PROCESS fffffa8012ce5b10
SessionId: 1 Cid: 13ec Peb: 7fffffd6000 ParentCid: 13c0
DirBase: 3029e8000 ObjectTable: fffff8a006139d60 HandleCount: 1078.
Image: explorer.exe
0: kd> .process /p /r fffffa8012ce5b10
Implicit process is now fffffa80`12ce5b10
Loading User Symbols
[...]
0: kd> !vtop 0 7fffffde000
Amd64VtoP: Virt 000007ff`fffde000, pagedir 00000003`029e8000
Amd64VtoP: PML4E 00000003`029e8078
Amd64VtoP: PDPE 00000003`00ebcff8
Amd64VtoP: PDE 00000003`0203dff8
Amd64VtoP: PTE 00000003`01ebeef0
Amd64VtoP: Mapped phys 00000002`ff44f000
Virtual address 7fffffde000 translates to physical address 2ff44f000.
0: kd> dd /p 2ff44f000 L8
00000002`ff44f000 00000000 00000000 00240000 00000000
00000002`ff44f010 0022b000 00000000 00000000 00000000
Note how the content of the virtual address (dd) is identical to the physical address (dd /p).
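Putting the two answers together, here is an added Python model (example code, not part of either answer and not WinDbg's own implementation) of what `!vtop` does: it walks the four x64 page-table levels for the virtual address above, reproducing the PML4E/PDPE/PDE/PTE addresses in the trace, and it also converts the VAD VPN bounds from the question into the virtual range they describe. The page-table entry values are not shown on the page, so the `PHYS_MEM` dictionary is constructed: each entry is assumed to be the next level's physical base from the `!vtop` trace with the Present bit set. The large-page (PS bit) branch goes beyond the page's example and is included because a walk that ignores it silently reports the wrong physical address for 2 MiB and 1 GiB mappings.

```python
PRESENT = 1 << 0
PAGE_SIZE_BIT = 1 << 7            # PS bit in a PDPE/PDE: the entry maps a 1 GiB / 2 MiB page
ADDR_MASK = 0x000ffffffffff000   # physical frame bits of a 64-bit paging entry

# Constructed physical memory holding only the four entries on the path for
# VA 0x7fffffde000, with the directory base (DirBase 3029e8000) from the answer.
PAGEDIR = 0x3029e8000
PHYS_MEM = {
    0x3029e8078: 0x300ebc000 | PRESENT,  # PML4E -> PDPT base (assumed value)
    0x300ebcff8: 0x30203d000 | PRESENT,  # PDPE  -> PD base   (assumed value)
    0x30203dff8: 0x301ebe000 | PRESENT,  # PDE   -> PT base   (assumed value)
    0x301ebeef0: 0x2ff44f000 | PRESENT,  # PTE   -> 4 KiB page (assumed value)
}


def read_phys_qword(phys_mem, paddr):
    """Unmapped physical memory reads as 0, i.e. a not-present entry."""
    return phys_mem.get(paddr, 0)


def amd64_vtop(va, pagedir, phys_mem):
    """Four-level x64 page walk. Returns (physical address, trace); the
    physical address is None when some level is not present."""
    trace = {"Virt": va, "pagedir": pagedir}
    levels = [("PML4E", 39), ("PDPE", 30), ("PDE", 21), ("PTE", 12)]
    table = pagedir
    for name, shift in levels:
        entry_addr = table + ((va >> shift) & 0x1ff) * 8  # 512 entries of 8 bytes per table
        trace[name] = entry_addr
        entry = read_phys_qword(phys_mem, entry_addr)
        if not entry & PRESENT:
            trace["fault"] = name
            return None, trace
        if name in ("PDPE", "PDE") and entry & PAGE_SIZE_BIT:
            # Large page: the remaining VA bits below this level are the page offset.
            page_mask = (1 << shift) - 1
            phys = (entry & ADDR_MASK & ~page_mask) | (va & page_mask)
            trace["Mapped phys"] = phys
            return phys, trace
        table = entry & ADDR_MASK
    phys = table | (va & 0xfff)
    trace["Mapped phys"] = phys
    return phys, trace


def vad_range(start_vpn, end_vpn):
    """A VAD stores virtual page numbers; shift by the 4 KiB page size to get
    the inclusive virtual address range the node describes."""
    return start_vpn << 12, ((end_vpn + 1) << 12) - 1


if __name__ == "__main__":
    phys, trace = amd64_vtop(0x7fffffde000, PAGEDIR, PHYS_MEM)
    for level in ("PML4E", "PDPE", "PDE", "PTE"):
        print(f"Amd64VtoP: {level} {trace[level]:016x}")
    print(f"Amd64VtoP: Mapped phys {phys:016x}")
    lo, hi = vad_range(0x7fefe440, 0x7fefe4b0)   # the node from the question
    print(f"VAD covers {lo:x}-{hi:x}")
```

The VPN arithmetic answers the question directly: StartingVpn 0x7fefe440 describes virtual page 0x7fefe440, i.e. virtual address 0x7fefe440000, and only the page walk turns that into a physical frame.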

Resources