Forum Discussion

netcat
2 months ago

WinDbg: Ep.4 – Debugging a Windows Crash

Hi

Q7: Identify the invalid reference to a memory address that causes the crash. Instead of instructions, what characters are shown at this location?

It seems I have issues understanding the question. From WinDbg:

1: kd> !analyze -v
[...]
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff828b0e60658f, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8047dcebb37, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)

Arg1 has nothing (dc <addr> -> ????????????????)
Arg3 has asm (da <addr> ->  ".....D.eH.sD..f....."), (u <addr> -> movzx   ebx,word ptr [rsi]). The TRAP_FRAME says both ebx and rsi are 0.

In short, I have no idea what reference I should identify. Can anyone give me a hint?

  • Solved, just enter the symbol that WinDbg displays when it can't access the memory location or can't disassemble the data. And if you have no idea what symbol is used, you may try to disassemble the memory referenced.

    I can't understand why the question contains the wording "instead of instructions", as nobody would disassemble data that is getting unpacked; it just directed me that there should be instructions but I shall, for whatever reason, enter the character representation instead. These vague questions are really a pain. And yes, I know, it's hard to write clear and concise texts and questions.
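
As an added example (not part of the thread and not from the lab), a Python helper that parses the bug check block quoted in the question and reads off the four arguments using the meanings WinDbg prints next to them. The function names are hypothetical, and 48-bit x64 addressing is assumed for the canonical-address check.

```python
import re

# Constructed sample: the bug check block as quoted in the question above.
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Arguments:
Arg1: ffff828b0e60658f, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8047dcebb37, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)
"""

HEADER = re.compile(r"^(?P<name>[A-Z0-9_]+) \((?P<code>[0-9a-fA-F]+)\)\s*$", re.M)
ARG = re.compile(r"^Arg(?P<n>[1-4]):\s*(?P<val>[0-9a-fA-F`]+)", re.M)

def is_canonical(addr):
    """True if bits 63..47 are all equal (assumption: 48-bit x64 addressing)."""
    return (addr >> 47) in (0, 0x1FFFF)

def parse_bugcheck(text):
    """Return the bug check name, code and Arg1..Arg4 as integers."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("no bug check header found")
    # WinDbg may print 64-bit values with a backtick separator; strip it.
    args = {int(m["n"]): int(m["val"].replace("`", ""), 16)
            for m in ARG.finditer(text)}
    if sorted(args) != [1, 2, 3, 4]:
        raise ValueError("expected Arg1..Arg4")
    return {"name": head["name"], "code": int(head["code"], 16), "args": args}

def triage_page_fault(text):
    """Summarise a bug check 0x50 from the argument meanings in the output."""
    bc = parse_bugcheck(text)
    if bc["code"] != 0x50:
        raise ValueError("not PAGE_FAULT_IN_NONPAGED_AREA")
    a = bc["args"]
    return {
        "referenced": a[1],                      # Arg1: memory referenced
        "operation": {0: "read", 1: "write"}.get(a[2], "other"),
        "instruction": a[3] or None,             # Arg3: zero means unknown
        "referenced_canonical": is_canonical(a[1]),
        "referenced_kernel_half": (a[1] >> 63) == 1,
    }

if __name__ == "__main__":
    print(triage_page_fault(SAMPLE))
```
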
