Analyzing a dump file using WinDbg


I've been asked to explore a dump file (no source files given) using WinDbg and to extract some information from it:

  • determine what the issue is (hang/crash)
  • what module causes the hang
  • what the root cause of the hang/crash is
  • enumerate all company modules injected into the process
  • enumerate all the hooks done in the process by company modules

The only file I have is this dmp file. I am working on Windows 10 64-bit.

I have been working on it for a while already:

  1. First of all, I used .sympath and .reload to verify Microsoft symbols are being loaded.
  2. Then I used !analyze -v to create an analysis of the file.
  3. In this analysis I found the following:

    a. There was a Break instruction exception 80000003 on thread 7030

    b. The exception was on a PowerPoint process of Microsoft Office 2010.

    c. The exception was on CpupSyscallStub method

    d. The module is wow64cpu.

    e. Because it is a 0x80000003 exception, it is an indication of a manually generated application dump.

    f. I used the ~ command to see the list of threads in the process. All of them were unfrozen.

    g. However, I used !runaway and saw that thread 7030 was up for more than 7 minutes, much more than other threads in the process.

    h. So maybe it is a hang situation. I am not sure, since I guess also that the first thread in the list is the main thread, and naturally it may have more process time.

    i. The root cause is probably “One or more arguments are invalid” as set in the value of the EXCEPTION_CODE key.

    j. Using ~# should have given me the thread that caused the exception:

      .  0  Id: 5cf8.7030 Suspend: 0 Teb: 00000000`00c5b000 Unfrozen Start:
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for POWERPNT.EXE -    POWERPNT+0x10c8 (00000000`2d7710c8)
      Priority: 0  Priority class: 32  Affinity: f

    k. But calling .ecxr printed “Minidump doesn't have an exception context”, so I am confused…

  4. To find injections:

    a. I used .hideinjectedcode off hoping now !analyze -v will give me injection information. But I got the same analysis logs…

    b. Using lm -v gave me a list of all modules in the process. So the injected modules are likely to be all the 14 DLLs which have the attribute “CompanyName: ”, and maybe also the 2 “OpenSSL Project” DLLs, of which the injecting company might be a partner.

    But I am not sure of that...

  5. And to find out hook functions I tried to view all injecting company DLLs' import tables to find hook functions. After 6-7 DLLs I didn't find such. So I gave up this method…

Here you can find an !analyze command output.

As you can see, I invested much time on this drill, but reached no clear conclusions. Your assistance will be most valuable.

Thanks!!!

windows
dump
windbg
hook
asked on Super User Dec 12, 2017 by dushkin • edited Dec 12, 2017 by dushkin
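An added example (not part of the original question or answer) covering steps 3g and 4b above: once the output of `!runaway` and `lm -v` is saved to text (for instance with `.logopen`), a small parser can flag the CPU-time outlier thread as a hang candidate and enumerate loaded modules by their `CompanyName` field. The sample output embedded below is constructed to resemble WinDbg's layout; the vendor name, module names and paths in it are placeholders, not data from the dump the question describes.

```python
"""Triage helpers for saved WinDbg text output (added example, not from the post).

Assumptions: the '!runaway' and 'lm -v' outputs were saved to text (e.g. via
.logopen) and have WinDbg's usual layout.  Both samples below are constructed;
'Example Vendor Ltd.' and 'injhelper.dll' are placeholders.
"""
import re
from statistics import median

# Constructed sample of '!runaway' (user-mode time) output.
RUNAWAY_SAMPLE = """\
 User Mode Time
  Thread       Time
   0:7030      0 days 0:07:12.343
   1:4a1c      0 days 0:00:00.781
   2:23f8      0 days 0:00:00.015
   3:1b9c      0 days 0:00:02.109
   4:60e4      0 days 0:00:00.000
"""

# Constructed sample of 'lm -v' output with three module blocks.
LM_V_SAMPLE = """\
start             end                 module name
00000000`2d770000 00000000`2dd00000   POWERPNT   (export symbols)       POWERPNT.EXE
    Image path: C:\\Program Files (x86)\\Microsoft Office\\Office14\\POWERPNT.EXE
    Image name: POWERPNT.EXE
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft Office 2010
00000000`6f000000 00000000`6f0a0000   injhelper  (deferred)
    Image path: C:\\Program Files\\ExampleVendor\\injhelper.dll
    Image name: injhelper.dll
    CompanyName:      Example Vendor Ltd.
    ProductName:      Example Agent
00000000`70000000 00000000`70200000   libeay32   (deferred)
    Image path: C:\\Program Files\\ExampleVendor\\libeay32.dll
    Image name: libeay32.dll
    CompanyName:      The OpenSSL Project, http://www.openssl.org/
    ProductName:      The OpenSSL Toolkit
"""

# '   0:7030      0 days 0:07:12.343'  -> index, thread id, d, h, m, s, ms
RUNAWAY_RE = re.compile(
    r"^\s*(\d+):([0-9a-f]+)\s+(\d+) days (\d+):(\d+):(\d+)\.(\d+)", re.I)
# Module header: two 17-char addresses ('00000000`2d770000') then the module name.
MODULE_HDR_RE = re.compile(r"^[0-9a-f`]{17}\s+[0-9a-f`]{17}\s+(\S+)", re.I)
# Indented 'Field: value' lines that belong to the preceding module header.
FIELD_RE = re.compile(r"^\s{4}([A-Za-z ]+?):\s+(.*)$")


def parse_runaway(text):
    """Return {thread_id_hex: user_seconds} from '!runaway' output."""
    times = {}
    for line in text.splitlines():
        m = RUNAWAY_RE.match(line)
        if not m:
            continue
        _, tid, days, h, mi, s, ms = m.groups()
        secs = (int(days) * 86400 + int(h) * 3600 + int(mi) * 60
                + int(s) + int(ms) / 1000)
        times[tid.lower()] = secs
    return times


def cpu_outliers(times, factor=10.0):
    """Threads whose user time exceeds factor * median of all threads.

    Comparing against the median (not against zero) addresses the caveat in
    the question: a main thread legitimately has more time than idle workers,
    so only a thread far above the typical value is flagged as a hang candidate.
    """
    if len(times) < 2:
        return []
    med = max(median(times.values()), 0.001)  # avoid a zero threshold
    return sorted(t for t, secs in times.items() if secs > factor * med)


def parse_lm_v(text):
    """Return a list of {'module': name, '<Field>': value, ...} from 'lm -v'."""
    modules = []
    for line in text.splitlines():
        hdr = MODULE_HDR_RE.match(line)
        if hdr:
            modules.append({"module": hdr.group(1)})
            continue
        fld = FIELD_RE.match(line)
        if fld and modules:
            modules[-1][fld.group(1).strip()] = fld.group(2).strip()
    return modules


def modules_by_company(modules, needle):
    """Module names whose CompanyName contains needle (case-insensitive)."""
    needle = needle.lower()
    return [m["module"] for m in modules
            if needle in m.get("CompanyName", "").lower()]


if __name__ == "__main__":
    print("hang candidates:", cpu_outliers(parse_runaway(RUNAWAY_SAMPLE)))
    mods = parse_lm_v(LM_V_SAMPLE)
    print("vendor modules:", modules_by_company(mods, "example vendor"))
    print("openssl modules:", modules_by_company(mods, "openssl"))
```

On the constructed sample this flags thread 7030 as the only CPU-time outlier and lists `injhelper` for the placeholder vendor and `libeay32` for the OpenSSL match, which mirrors the two candidate groups the question describes. The `CompanyName` match is only a first filter: a module belonging to a vendor is not by itself proof of injection or hooking, so the result is a list to verify against the load addresses and image paths, not a conclusion.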

1 Answer


First try running CMD and then -
SC for service control command
SYSTEMINFO - List system configuration

See what is in output and is there something for your crash

answered on Super User Dec 12, 2017 by Stef

User contributions licensed under CC BY-SA 3.0