
Access violation - code c0000005 (!!! second chance !!!) + winlogon

Discussion in 'Legacy Windows' started by fulgenfj, 2005/10/19.

  1. 2005/10/19
    fulgenfj

    fulgenfj Inactive Thread Starter

    Joined:
    2005/10/19
    Messages:
    3
    Likes Received:
    0
    Well. I'm using my own GINA to validate users in W2000 SP4 through a smart card. That's why I wrote it.

    But I'm experiencing some winlogon crashes on my system. These are:

    1.-
    SAS window: Winlogon.exe: The instruction at "0x784ad989" referenced memory at "0x04550306". The memory could not be "written".

    2.-
    Dialog: Winlogon.exe: The instruction at "0x784ab333" referenced memory at "0x0054004e". The memory could not be "written".

    I have debugged both with WinDbg; the first through a winlogon.dmp and the second through user.dmp and drwtsn32.log.

    I'm writing the results at the end of this post.
    But I do think it is something about the ntdll.dll library.

    I have found this link to solve this issue; but I do have SP4 installed right now, and I'm not sure about it because I've found this information.

    So what should I do to solve this issue: should I update to SP4 or not, or should I debug my own GINA according to this link?

    Thanks a lot for your replies, and
    these are the results:

    1.-
    Microsoft (R) Windows Debugger Version 6.5.0003.7

    Copyright (c) Microsoft Corporation. All rights reserved.



    Loading Dump File [D:\WINLOGON168.dmp]

    User Dump File: Only application data is available



    Windows 2000 Version 2195 UP Free x86 compatible
    Product: WinNt

    Debug session time: Sun Oct 16 14:14:33.015 2005 (GMT+2)

    System Uptime: 0 days 0:38:18.687

    Process Uptime: not available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

    Executable search path is:

    .................................................................................

    (c0.a8): Access violation - code c0000005 (!!! second chance !!!)

    eax=0f301131 ebx=00070000 ecx=04550306 edx=00137e18 esi=00137df8 edi=00137e18

    eip=784ad989 esp=0006fc4c ebp=0006fc58 iopl=0 nv up ei pl nz ac po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010216

    ntdll!RtlpCoalesceFreeBlocks+0x2fb:

    784ad989 8901 mov [ecx],eax ds:0023:04550306=????????

    0:000> .reload



    2.-

    Microsoft (R) Windows Debugger Version 6.5.0003.7
    Copyright (c) Microsoft Corporation. All rights reserved.
    Loading Dump File [D:\user.dmp]
    User Dump File: Only application data is available
    Windows 2000 Version 2195 UP Free x86 compatible
    Product: WinNt
    Debug session time: Mon Oct 17 19:28:32.500 2005 (GMT+2)
    System Uptime: 0 days 1:16:28.167
    Process Uptime: not available
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    .
    (c0.a8): Access violation - code C0000005 (!!! second chance !!!)
    eax=004e0049 ebx=00000396 ecx=0054004e edx=00072178 esi=00070000 edi=000704c8
    eip=784ab333 esp=0006f7e8 ebp=0006f9b4 iopl=0 nv up ei ng nz na po cy
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000287
    ntdll!RtlAllocateHeap+0x649:
    784ab333 8901 mov [ecx],eax ds:0023:0054004e=????????
    0:000> .reload


    Drwtsn32.log (written in Spanish)


    Excepción de aplicación ocurrida:

    Aplicación: winlogon.exe (pid=192)

    Fecha y hora: 17/10/2005 a las 19:28:32.000

    Número de excepción: c0000005 (infracción de acceso)



    *----> Información del sistema <----*

    Nombre de equipo: FPKRL1J

    Nombre de usuario: SYSTEM

    Número de procesadores: 1

    Tipo de procesador: x86 Family 15 Model 4 Stepping 1

    Versión de Windows 2000 : 5.0

    Versión actual: 2195

    Service Pack: 4

    Tipo actual: Uniprocessor Free

    Organización registrada: UC

    Propietario registrado: BUC



    *----> Lista de tareas <----*

    0 Idle.exe

    8 System.exe

    144 smss.exe

    172 csrss.exe

    192 WINLOGON.exe

    220 SERVICES.exe

    232 LSASS.exe

    352 scardsvr.exe

    420 svchost.exe

    448 spoolsv.exe

    484 client32.exe

    520 svchost.exe

    608 Srvany.exe

    628 inflocal.exe

    636 MDM.exe

    708 regsvc.exe

    744 rtmservice.exe

    756 mstask.exe

    808 stisvc.exe

    868 userdump.exe

    888 winmgmt.exe

    900 svchost.exe

    120 drwtsn32.exe

    0 _Total.exe










    Muestra de estado para identificador de subproceso 0xa8


    eax=004e0049 ebx=00000396 ecx=0054004e edx=00072178 esi=00070000 edi=000704c8

    eip=784ab333 esp=0006f7e8 ebp=0006f9b4 iopl=0 nv up ei ng nz na po cy

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000287





    función: RtlAllocateHeap

    784ab30f 884705 mov [edi+0x5],al ds:00b3a3ae=??

    784ab312 ff75d0 push dword ptr [ebp+0xd0] ss:00b3989a=????????

    784ab315 8b75a4 mov esi,[ebp+0xa4] ss:00b3989a=????????

    784ab318 56 push esi

    784ab319 e8d120fdff call RtlIsValidIndexHandle+0x182f (7847d3ef)

    784ab31e 8b4dd0 mov ecx,[ebp+0xd0] ss:00b3989a=????????

    784ab321 8b4108 mov eax,[ecx+0x8] ds:01009f34=8ad2335c

    784ab324 8985d4feffff mov [ebp+0xfffffed4],eax ss:0006f888=004e0049

    784ab32a 8b490c mov ecx,[ecx+0xc] ds:01009f34=8ad2335c

    784ab32d 898dd0feffff mov [ebp+0xfffffed0],ecx ss:0006f884=0054004e

    ERROR -> 784ab333 8901 mov [ecx],eax ds:0054004e=????????
    784ab335 894804 mov [eax+0x4],ecx ds:00fa9f2f=????????

    784ab338 3bc1 cmp eax,ecx

    784ab33a 7531 jnz 784b3e6d

    784ab33c 8b45d0 mov eax,[ebp+0xd0] ss:00b3989a=????????

    784ab33f 668b00 mov ax,[eax] ds:004e0049=????

    784ab342 663d8000 cmp ax,0x80

    784ab346 7325 jnb RtlAddRange+0x1e9 (784ac26d)

    784ab348 0fb7c8 movzx ecx,ax

    784ab34b 8bc1 mov eax,ecx

    784ab34d c1e803 shr eax,0x3

    784ab350 8985c8feffff mov [ebp+0xfffffec8],eax ss:0006f87c=0006f8ec
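How the two faulting register sets quoted in this post can be triaged, as an added example that is not part of the original thread: it parses the register dump, the symbol line and the faulting `mov [reg],reg`, then checks whether the pointer being written through is 8-byte aligned and whether both values decode as printable UTF-16LE characters. The helper names, the 8-byte alignment rule and the function-name hints are assumptions of this example.

```python
import re
import struct

# Lines copied from the two crash reports quoted in the post.
SAS_CRASH = """\
eax=0f301131 ebx=00070000 ecx=04550306 edx=00137e18 esi=00137df8 edi=00137e18
eip=784ad989 esp=0006fc4c ebp=0006fc58 iopl=0 nv up ei pl nz ac po nc
ntdll!RtlpCoalesceFreeBlocks+0x2fb:
784ad989 8901 mov [ecx],eax ds:0023:04550306=????????
"""
DIALOG_CRASH = """\
eax=004e0049 ebx=00000396 ecx=0054004e edx=00072178 esi=00070000 edi=000704c8
eip=784ab333 esp=0006f7e8 ebp=0006f9b4 iopl=0 nv up ei ng nz na po cy
ntdll!RtlAllocateHeap+0x649:
784ab333 8901 mov [ecx],eax ds:0023:0054004e=????????
"""

REG_RE = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|ip|sp|bp))=([0-9a-fA-F]{8})\b")
SYM_RE = re.compile(r"^\s*(\w+)!(\w+)\+0x[0-9a-fA-F]+:?\s*$", re.M)
WRITE_RE = re.compile(r"\bmov\s+\[(e[a-z]{2})\],\s*(e[a-z]{2})\b")

HEAP_ALIGN = 8                      # assumption: 8-byte heap granularity on x86
HEAP_HINTS = ("Heap", "FreeBlock")  # assumption: name hints for heap-manager code


def parse_registers(report):
    """Map register name -> value for every 'reg=xxxxxxxx' pair in the text."""
    return {name: int(value, 16) for name, value in REG_RE.findall(report)}


def as_wide_text(dword):
    """Return two characters if the DWORD is two printable ASCII UTF-16LE units."""
    units = struct.unpack("<2H", struct.pack("<I", dword))
    if all(0x20 <= unit <= 0x7E for unit in units):
        return "".join(chr(unit) for unit in units)
    return None


def triage(report):
    """Collect corruption indicators from one crash excerpt."""
    regs = parse_registers(report)
    sym = SYM_RE.search(report)
    write = WRITE_RE.search(report)
    if sym is None or write is None:
        raise ValueError("need a module!function+off line and a 'mov [reg],reg' line")
    dest = regs[write.group(1)]   # pointer the faulting instruction writes through
    src = regs[write.group(2)]    # value it tries to store there
    dest_text, src_text = as_wide_text(dest), as_wide_text(src)
    return {
        "function": sym.group(1) + "!" + sym.group(2),
        "in_heap_code": sym.group(1).lower() == "ntdll"
        and any(hint in sym.group(2) for hint in HEAP_HINTS),
        "dest_misaligned": dest % HEAP_ALIGN != 0,
        "dest_text": dest_text,
        "src_text": src_text,
        # The Dr. Watson disassembly in the post loads eax from [ecx+0x8] and
        # ecx from [ecx+0xc], so in memory the stored value precedes the pointer.
        "fragment": src_text + dest_text if src_text and dest_text else None,
    }


def verdict(result):
    """Turn the indicators into a one-line reading of the fault."""
    if not result["in_heap_code"]:
        return "fault is outside the heap manager"
    if result["fragment"]:
        return "heap list links hold UTF-16 text"
    if result["dest_misaligned"]:
        return "heap list link is misaligned"
    return "no corruption indicator in the registers"


if __name__ == "__main__":
    for label, report in (("SAS window", SAS_CRASH), ("Dialog", DIALOG_CRASH)):
        result = triage(report)
        print(label, result["function"], verdict(result), result["fragment"])
```

Both faults sit in heap-manager code while writing through a pointer that is not 8-byte aligned, and in the dialog crash the two list links read as wide-character text, which is what a block header looks like after a neighbouring buffer has been overrun by a Unicode string.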
     
  2. 2005/10/19
    fulgenfj

    drwtsn32.log about the post

    That's the second part (written in Spanish)


    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0006F9B4 77E2C774 00070000 00000000 00000108 77E6D1E0 ntdll!RtlAllocateHeap

    0006F9E8 77E34F0B 003F3B80 00000081 00000000 0006FAB0 user32!GetDesktopWindow

    0006FA0C 77E4158F 00040062 00000081 00000000 0006FAB0 user32!EditWndProc

    0006FA2C 77E3C19D 77E34EB8 00040062 00000081 00000000 user32!GetTopWindow

    0006FA48 77E322C5 003F3B80 00000081 00000000 0006FAB0 user32!DefWindowProcW

    0006FA78 78471BAF 0006FA88 00000060 00000060 00000000 user32!LockWindowUpdate

    0006FBBC 77E340BB 10000000 00000006 00000000 003F1EA0 ntdll!KiUserCallbackDispatcher

    0006FBEC 77E3410F 10000000 1003DF18 00000000 01002230 user32!DestroyWindow

    0006FC0C 77E291C6 10000000 1003DF18 00000000 01002230 user32!DialogBoxIndirectParamAorW

    0006FC30 0100404E 10000000 0000009C 00000000 01002230 user32!DialogBoxParamW

    0006FC6C 0100400E 00075EB8 10000000 0000009C 00000000 winlogon!<nosymbols>

    0006FCA4 10014DB5 00075EB8 10000000 0000009C 00000000 winlogon!<nosymbols>

    0006FCEC 77E4158F 00180050 00000111 00000408 001D0110 !<nosymbols>

    0006FD0C 77E3279C 01002230 00180050 00000111 00000408 user32!GetTopWindow

    0006FD48 77E32BC8 00180050 00000111 00000408 001D0110 user32!SetWindowLongW

    0006FD78 77E3B811 003F1798 00000111 00000408 001D0110 user32!IsDialogMessageW

    0006FD98 77E24A58 00180050 00000111 00000408 001D0110 user32!SendMessageW

    0006FDC8 77E32E67 00180050 003F1D68 00000000 00000000 user32!EnumDesktopWindows

    0006FE04 77E340CE 00180050 00000000 00000001 00000000 user32!IsDialogMessageW

    0006FE28 77E3410F 10000000 1003BCE8 00000000 01002230 user32!DestroyWindow

    0006FE48 77E291C6 10000000 1003BCE8 00000000 01002230 user32!DialogBoxIndirectParamAorW

    0006FE6C 0100404E 10000000 00000067 00000000 01002230 user32!DialogBoxParamW

    0006FEA8 0100400E 00075EB8 10000000 00000067 00000000 winlogon!<nosymbols>

    0006FEE0 100013F0 00075EB8 10000000 00000067 00000000 winlogon!<nosymbols>

    0006FF20 01007E8C 00075EB8 00000005 0007360C 00000001 !<nosymbols>

    0006FF58 0100AF70 00071FC8 00000000 0007360C 0000000A winlogon!<nosymbols>

    0006FFF4 00000000 7FFDF000 000000C8 00000100 EEFFEEFF winlogon!<nosymbols>



    *----> Muestra de pilas sin procesar <----*




    Muestra de estado para identificador de subproceso 0xd0



    eax=000000c0 ebx=0006fe60 ecx=00000101 edx=00000000 esi=00000000 edi=00000000

    eip=784683a3 esp=0078ffa0 ebp=0078ffb4 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246





    función: NtDelayExecution

    78468398 b832000000 mov eax,0x32

    7846839d 8d542404 lea edx,[esp+0x4] ss:01259e87=????????

    784683a1 cd2e int 2e

    784683a3 c20800 ret 0x8

    784683a6 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0078FFB4 7945B388 0006FE60 00000000 00000000 0006FE60 ntdll!NtDelayExecution

    0078FFEC 00000000 78482348 0006FE60 00000000 00000000 kernel32!lstrcmpiW



    *----> Muestra de pilas sin procesar <----*




    Muestra de estado para identificador de subproceso 0xd4



    eax=00000000 ebx=00007530 ecx=0013efc4 edx=00000000 esi=0007b208 edi=00007530

    eip=78468af7 esp=007dfebc ebp=007dfee4 iopl=0 nv up ei ng nz ac po cy

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000297





    función: NtRemoveIoCompletion

    78468aec b8a8000000 mov eax,0xa8

    78468af1 8d542404 lea edx,[esp+0x4] ss:012a9da3=????????

    78468af5 cd2e int 2e

    78468af7 c21400 ret 0x14

    78468afa 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    007DFEE4 7713FA03 0000009C 007DFF1C 007DFF0C 007DFF14 ntdll!NtRemoveIoCompletion

    007DFF20 7713F964 00007530 007DFF60 007DFF5C 007DFF70 rpcrt4!PerformRpcInitialization

    007DFF74 77133DD7 7713E003 0007B208 0006FA82 78466775 rpcrt4!PerformRpcInitialization

    007DFFA8 7713AF16 0007BB18 007DFFEC 7945B388 000799D0 rpcrt4!RpcBindingSetOption

    007DFFB4 7945B388 000799D0 0006FA82 78466775 000799D0 rpcrt4!RpcMgmtSetCancelTimeout

    007DFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0xe0



    eax=000000c0 ebx=0000003f ecx=00147684 edx=00000000 esi=0081ebfc edi=00000001

    eip=78468f03 esp=0081ebe4 ebp=0081ffb4 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246





    función: NtWaitForMultipleObjects

    78468ef8 b8e9000000 mov eax,0xe9

    78468efd 8d542404 lea edx,[esp+0x4] ss:012e8acb=????????

    78468f01 cd2e int 2e

    78468f03 c21400 ret 0x14

    78468f06 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0081FFB4 7945B388 0006FE08 00000000 00000000 0006FE08 ntdll!NtWaitForMultipleObjects

    0081FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    *----> Muestra de pilas sin procesar <----*




    Muestra de estado para identificador de subproceso 0x110



    eax=00000219 ebx=0000014c ecx=00410c38 edx=00000000 esi=00dbff98 edi=77e41ebb

    eip=77e41eb3 esp=00dbff34 ebp=00dbff4c iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    función: DispatchMessageW

    77e41e99 e8349dffff call GetFocus+0x50 (77e3bbd2)

    77e41e9e e93effffff jmp GetWindowLongW+0x681 (77e41de1)

    77e41ea3 90 nop

    77e41ea4 90 nop

    77e41ea5 90 nop

    77e41ea6 90 nop

    77e41ea7 90 nop

    77e41ea8 b89a110000 mov eax,0x119a

    77e41ead 8d542404 lea edx,[esp+0x4] ss:01889e1b=????????

    77e41eb1 cd2e int 2e

    77e41eb3 c21000 ret 0x10

    77e41eb6 90 nop

    77e41eb7 90 nop

    77e41eb8 90 nop

    77e41eb9 90 nop

    77e41eba 90 nop



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    00DBFF4C 77551435 00DBFF98 00000000 00000000 00000000 user32!DispatchMessageW

    00DBFFB4 7945B388 00000000 00000000 00000000 00000000 winmm!<nosymbols>

    00DBFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x1dc



    eax=00000000 ebx=00000103 ecx=00000000 edx=00000000 esi=003c3788 edi=0000015c

    eip=78468a87 esp=00dffd54 ebp=00dffdc4 iopl=0 nv up ei pl nz na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206





    función: NtReadFile

    78468a7c b8a1000000 mov eax,0xa1

    78468a81 8d542404 lea edx,[esp+0x4] ss:018c9c3b=????????

    78468a85 cd2e int 2e

    78468a87 c22400 ret 0x24

    78468a8a 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    00DFFDC4 7693B45D 0000015C 00DFFE20 00000008 00DFFDFC ntdll!NtReadFile

    00DFFE04 7693B587 00DFFE20 00000008 003C3718 00000000 winscard!<nosymbols>

    00DFFE2C 769368D8 003C3770 00000000 7693143C 003C3718 winscard!<nosymbols>

    00DFFEBC 769359F6 000840B8 00084040 00000002 FFFFFFFF winscard!<nosymbols>

    00DFFEF4 76934E05 003C8B88 00084040 00000002 FFFFFFFF winscard!<nosymbols>

    00DFFF40 0101C1A8 003C36C0 FFFFFFFF 00084040 00000002 winscard!SCardGetStatusChangeW

    00DFFFB4 7945B388 00081D60 0006FAEC 00000200 00081D60 winlogon!<nosymbols>

    00DFFFEC 00000000 0101C00B 00081D60 00000000 000000C1 kernel32!lstrcmpiW



    *----> Muestra de pilas sin procesar <----*




    Muestra de estado para identificador de subproceso 0x1ec



    eax=00000102 ebx=80020000 ecx=80020000 edx=00000000 esi=0007c2d8 edi=0007c318

    eip=78468b37 esp=00e8fe28 ebp=00e8ff74 iopl=0 nv up ei pl nz na pe nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202





    función: ZwReplyWaitReceivePortEx

    78468b2c b8ac000000 mov eax,0xac

    78468b31 8d542404 lea edx,[esp+0x4] ss:01959d0f=????????

    78468b35 cd2e int 2e

    78468b37 c21400 ret 0x14

    78468b3a 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    00E8FF74 7713E0C0 7713E003 0007C2D8 7713F701 00070000 ntdll!ZwReplyWaitReceivePortEx

    00E8FFA8 7713AF16 00089A38 00E8FFEC 7945B388 00089D78 rpcrt4!UuidCreate

    00E8FFB4 7945B388 00089D78 7713F701 00070000 00089D78 rpcrt4!RpcMgmtSetCancelTimeout

    00E8FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x1f4



    eax=00000001 ebx=00000004 ecx=00000101 edx=00000000 esi=78468ef8 edi=00000004

    eip=78468f03 esp=0157fd24 ebp=0157fd70 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    función: NtWaitForMultipleObjects

    78468ef8 b8e9000000 mov eax,0xe9

    78468efd 8d542404 lea edx,[esp+0x4] ss:02049c0b=????????

    78468f01 cd2e int 2e

    78468f03 c21400 ret 0x14

    78468f06 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0157FD70 7947A10E 0157FD48 00000001 00000000 00000000 ntdll!NtWaitForMultipleObjects

    0157FFB4 7945B388 00000005 000B000A 790480D0 000B53F8 kernel32!WaitForMultipleObjects

    0157FFEC 00000000 778321FE 000B53F8 00000000 00000000 kernel32!lstrcmpiW



    *----> Muestra de pilas sin procesar <----*




    Muestra de estado para identificador de subproceso 0x2dc



    eax=78df6a2c ebx=00000003 ecx=00168548 edx=00000000 esi=78468ef8 edi=00000003

    eip=78468f03 esp=01e0ff20 ebp=01e0ff6c iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    third part comes now....
     


  4. 2005/10/19
    fulgenfj

    Third part about drwtsn32.log

    Here it comes (written in Spanish):

    función: NtWaitForMultipleObjects

    78468ef8 b8e9000000 mov eax,0xe9

    78468efd 8d542404 lea edx,[esp+0x4] ss:028d9e07=????????

    78468f01 cd2e int 2e

    78468f03 c21400 ret 0x14

    78468f06 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    01E0FF6C 7947A10E 01E0FF44 00000001 00000000 00000000 ntdll!NtWaitForMultipleObjects

    00000000 00000000 00000000 00000000 00000000 00000000 kernel32!WaitForMultipleObjects



    *----> Muestra de pilas sin procesar <----*




    Muestra de estado para identificador de subproceso 0x3a8



    eax=78df9fdb ebx=00000003 ecx=78df1513 edx=00000000 esi=78468ef8 edi=00000003

    eip=78468f03 esp=01f9fefc ebp=01f9ff48 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    función: NtWaitForMultipleObjects

    78468ef8 b8e9000000 mov eax,0xe9

    78468efd 8d542404 lea edx,[esp+0x4] ss:02a69de3=????????

    78468f01 cd2e int 2e

    78468f03 c21400 ret 0x14

    78468f06 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    01F9FF48 7947A10E 01F9FF20 00000001 00000000 00000000 ntdll!NtWaitForMultipleObjects

    01F9FFB4 7945B388 01E16830 01F5FA5C 78DF1513 01E16830 kernel32!WaitForMultipleObjects

    01F9FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x34c



    eax=000005f0 ebx=00000004 ecx=01010101 edx=00000000 esi=78468ef8 edi=00000004

    eip=78468f03 esp=01fdfe7c ebp=01fdfec8 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    función: NtWaitForMultipleObjects

    78468ef8 b8e9000000 mov eax,0xe9

    78468efd 8d542404 lea edx,[esp+0x4] ss:02aa9d63=????????

    78468f01 cd2e int 2e

    78468f03 c21400 ret 0x14

    78468f06 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    01FDFEC8 7947A10E 01FDFEA0 00000001 00000000 01FDFEC0 ntdll!NtWaitForMultipleObjects

    01FDFF38 770A6CA8 0049ECCE 0049ECCE 00000000 0049ECCE kernel32!WaitForMultipleObjects

    01FDFFB4 7945B388 001068C0 00000000 00000000 001068C0 cscdll!MprServiceProc

    01FDFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x3b4



    eax=01e94000 ebx=0009eea4 ecx=0201fc8c edx=00000000 esi=00000000 edi=00096e74

    eip=78468f03 esp=0201ff6c ebp=0201ffb4 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    función: NtWaitForMultipleObjects

    78468ef8 b8e9000000 mov eax,0xe9

    78468efd 8d542404 lea edx,[esp+0x4] ss:02ae9e53=????????

    78468f01 cd2e int 2e

    78468f03 c21400 ret 0x14

    78468f06 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0201FFB4 7945B388 00000000 00000000 0000005A 00000000 ntdll!NtWaitForMultipleObjects

    0201FFEC 00000000 7695423E 00000000 00000000 000000C8 kernel32!lstrcmpiW



    *----> Muestra de pilas sin procesar <----*




    Muestra de estado para identificador de subproceso 0x3c0



    eax=00000000 ebx=0209ff80 ecx=00000000 edx=00000000 esi=78468f08 edi=00000634

    eip=78468f13 esp=0209ff64 ebp=0209ff88 iopl=0 nv up ei ng nz ac po cy

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000297





    función: ZwWaitForSingleObject

    78468f08 b8ea000000 mov eax,0xea

    78468f0d 8d542404 lea edx,[esp+0x4] ss:02b69e4b=????????

    78468f11 cd2e int 2e

    78468f13 c20c00 ret 0xc

    78468f16 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0209FF88 7945B3DB 00000634 0000EA60 00000000 770A2FCF ntdll!ZwWaitForSingleObject

    004558DE 00000000 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject



    Muestra de estado para identificador de subproceso 0x3c4



    eax=01e3e208 ebx=0009ee98 ecx=125e8983 edx=00000000 esi=01e94028 edi=00000029

    eip=78468f03 esp=020dff6c ebp=020dffb4 iopl=0 nv up ei pl nz na pe nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202





    función: NtWaitForMultipleObjects

    78468ef8 b8e9000000 mov eax,0xe9

    78468efd 8d542404 lea edx,[esp+0x4] ss:02ba9e53=????????

    78468f01 cd2e int 2e

    78468f03 c21400 ret 0x14

    78468f06 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    020DFFB4 7945B388 0009EE98 00000000 00000000 0009EE98 ntdll!NtWaitForMultipleObjects

    020DFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x3c8



    eax=00d00008 ebx=000000b4 ecx=00000007 edx=00000000 esi=0211ff98 edi=77e2793f

    eip=77e41eb3 esp=0211ff58 ebp=0211ff78 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    función: DispatchMessageW

    77e41e99 e8349dffff call GetFocus+0x50 (77e3bbd2)

    77e41e9e e93effffff jmp GetWindowLongW+0x681 (77e41de1)

    77e41ea3 90 nop

    77e41ea4 90 nop

    77e41ea5 90 nop

    77e41ea6 90 nop

    77e41ea7 90 nop

    77e41ea8 b89a110000 mov eax,0x119a

    77e41ead 8d542404 lea edx,[esp+0x4] ss:02be9e3f=????????

    77e41eb1 cd2e int 2e

    77e41eb3 c21000 ret 0x10

    77e41eb6 90 nop

    77e41eb7 90 nop

    77e41eb8 90 nop

    77e41eb9 90 nop

    77e41eba 90 nop



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0211FF78 77555C36 0211FF98 00000000 00000000 00000000 user32!DispatchMessageW

    0211FFB4 7945B388 000000B4 77575428 0006F048 000000B4 winmm!midiOutGetNumDevs

    0211FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x3bc



    eax=77542bda ebx=00000002 ecx=0016d280 edx=00000000 esi=78468ef8 edi=00000002

    eip=78468f03 esp=023eff24 ebp=023eff70 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    función: NtWaitForMultipleObjects

    78468ef8 b8e9000000 mov eax,0xe9

    78468efd 8d542404 lea edx,[esp+0x4] ss:02eb9e0b=????????

    78468f01 cd2e int 2e

    78468f03 c21400 ret 0x14

    78468f06 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    023EFF70 7947A10E 023EFF48 00000001 00000000 00000000 ntdll!NtWaitForMultipleObjects

    023EFFB4 7945B388 00000000 00000019 00000000 00000000 kernel32!WaitForMultipleObjects

    023EFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x3f4



    eax=00000000 ebx=00000102 ecx=7cf52e10 edx=00000000 esi=78468398 edi=02e9ff74

    eip=784683a3 esp=02e9ff60 ebp=02e9ff7c iopl=0 nv up ei pl nz na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206





    función: NtDelayExecution

    78468398 b832000000 mov eax,0x32

    7846839d 8d542404 lea edx,[esp+0x4] ss:03969e47=????????

    784683a1 cd2e int 2e

    784683a3 c20800 ret 0x8

    784683a6 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    02E9FF7C 7947A25A 0000EA60 00000000 7CEB5D45 0000EA60 ntdll!NtDelayExecution

    00007530 00000000 00000000 00000000 00000000 00000000 kernel32!Sleep



    Muestra de estado para identificador de subproceso 0x538



    eax=74f86311 ebx=01e18c60 ecx=00070748 edx=00000000 esi=74f9a3a0 edi=00000000

    eip=78468af7 esp=02f2ff84 ebp=02f2ffb4 iopl=0 nv up ei pl nz na pe nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202





    función: NtRemoveIoCompletion

    78468aec b8a8000000 mov eax,0xa8

    78468af1 8d542404 lea edx,[esp+0x4] ss:039f9e6b=????????

    78468af5 cd2e int 2e

    78468af7 c21400 ret 0x14

    78468afa 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    02F2FFB4 7945B388 74F89048 78463148 FFFFFFFF 01E18C60 ntdll!NtRemoveIoCompletion

    02F2FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x12c



    eax=00000000 ebx=00013880 ecx=00167b10 edx=00000000 esi=00000000 edi=00000000

    eip=78468af7 esp=0324ff24 ebp=0324ffb4 iopl=0 nv up ei ng nz na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286





    función: NtRemoveIoCompletion

    78468aec b8a8000000 mov eax,0xa8

    78468af1 8d542404 lea edx,[esp+0x4] ss:03d19e0b=????????

    78468af5 cd2e int 2e

    78468af7 c21400 ret 0x14

    78468afa 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0324FFB4 7945B388 031FFEF4 00000002 00000001 031FFEF4 ntdll!NtRemoveIoCompletion

    0324FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x234



    eax=00000102 ebx=00007530 ecx=00000102 edx=00000000 esi=0007b208 edi=00007530

    eip=78468af7 esp=0334febc ebp=0334fee4 iopl=0 nv up ei ng nz ac po cy

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000297





    función: NtRemoveIoCompletion

    78468aec b8a8000000 mov eax,0xa8

    78468af1 8d542404 lea edx,[esp+0x4] ss:03e19da3=????????

    78468af5 cd2e int 2e

    78468af7 c21400 ret 0x14

    78468afa 8bff mov edi,edi



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0334FEE4 7713FA03 000000A0 0334FF1C 0334FF0C 0334FF14 ntdll!NtRemoveIoCompletion

    0334FF20 7713F964 00007530 0334FF60 0334FF5C 0334FF70 rpcrt4!PerformRpcInitialization

    0334FF74 77133DD7 7713E003 0007B208 782D7591 007DFCA4 rpcrt4!PerformRpcInitialization

    0334FFA8 7713AF16 00167E70 0334FFEC 7945B388 00083330 rpcrt4!RpcBindingSetOption

    0334FFB4 7945B388 00083330 782D7591 007DFCA4 00083330 rpcrt4!RpcMgmtSetCancelTimeout

    0334FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



    Muestra de estado para identificador de subproceso 0x41c



    eax=01ebbc68 ebx=00075eb8 ecx=0012c540 edx=00000000 esi=0338ff98 edi=77e41ebb

    eip=77e41eb3 esp=0338fe60 ebp=0338fe78 iopl=0 nv up ei pl zr na po nc

    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





    función: DispatchMessageW

    77e41e99 e8349dffff call GetFocus+0x50 (77e3bbd2)

    77e41e9e e93effffff jmp GetWindowLongW+0x681 (77e41de1)

    77e41ea3 90 nop

    77e41ea4 90 nop

    77e41ea5 90 nop

    77e41ea6 90 nop

    77e41ea7 90 nop

    77e41ea8 b89a110000 mov eax,0x119a

    77e41ead 8d542404 lea edx,[esp+0x4] ss:03e59d47=????????

    77e41eb1 cd2e int 2e

    77e41eb3 c21000 ret 0x10

    77e41eb6 90 nop

    77e41eb7 90 nop

    77e41eb8 90 nop

    77e41eb9 90 nop

    77e41eba 90 nop



    *----> Seguimiento regresivo de pila <----*



    FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

    0338FE78 010021C7 0338FF98 00000000 00000000 00000000 user32!DispatchMessageW

    0338FFB4 7945B388 00075EB8 100170E4 10033638 00075EB8 winlogon!<nosymbols>

    0338FFEC 00000000 010020F3 00075EB8 00000000 000A00D5 kernel32!lstrcmpiW



    *----> Muestra de pilas sin procesar <----*

     
  5. 2005/10/26
    cpc2004

    Hi,

    It crashes at routine RtlAllocateHeap. Probably it is faulty RAM. Run memtest to stress test the RAM.

    cpc2004
     
