Walking the Stack frame.

0 Likes

Problem:

Softice is not very helpful when debugging exceptions thrown by the NT kernel.  For instance, if I get a KeBugCheckEx PAGE_FAULT_IN_NONPAGED_AREA fault, the stack is all messed up and I cannot find the stack frames of the routines that caused the problems. Do you folks have any additional tips (or better, some automated tools in softice) to help?

Resolution:

Unfortunately, the STACK command does not give all the information with most kernel mode exceptions because we are trapping KeBugCheckEx.  Once this routine is hit, stack frames are not available.  The best thing to do at this point is to take advantage of the WHAT command.  Dump the stack, right click on different values, and choose WHAT.  The WHAT engine will be able to tell you module.section offset for code and data.  It will also be able to tell you about important system values.  You can even automate this will the following macro.

macro stk="WHAT *(%1);stk (%1 4)"

This is a recursive macro that will walk the stack on run each 32 bit value through the WHAT engine.  There is no termination state for the recursion, so you can stop the macro by hitting ESC.  Call the macro as follows.

stk esp

Old KB# 11744
Comment List
Anonymous
Related Discussions
Recommended