WinDbg: Ep.4 – Debugging a Windows Crash

Q7: Identify the invalid reference to a memory address that causes the crash. instead of instructions, what characters are shown at this location?

It seems I have issues understanding the question. From WinDbg:

1: kd> !analyze -v
[...]
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff828b0e60658f, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8047dcebb37, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)

Arg1 has nothing (dc <addr> -> ????????????????)
Arg3 has asm (da <addr> -> ".....D.eH.sD..f....."), (u <addr> -> movzx ebx,word ptr [rsi]). The TRAP_FRAME says both ebx and rsi are 0.

In short, I have no idea what reference I should identify. Can anyone give me a hint?

help & support

Forum Discussion

WinDbg: Ep.4 – Debugging a Windows Crash

Related Content

WinDbg: Ep.3 – Debugging Malware

WinDbg: Ep.5 – Kernel Internals

New CTI Lab: CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege) – Defensive

New CTI Lab: CVE-2024-38112 and CVE-2024-43461 (Windows MSHTML Platform Spoofing): Defensive

This Week in The Human Connection

Recent Discussions

SuperSonic: Ep.6 – TEMPLE

Events & Breaches: Magecart Skimmer

Zeek - Demonstrate Your Skills

CVE-2022-29799/CVE-2022-29800 (Nimbuspwn) – Defensive

Foundational Static Analysis: Analyzing Structures