前段时间发现了KWSUpd.exe异常出错,并生成了dump文件,但一直没时间去分析,今天花了点时间分析了一下,但不知道应该怎么写esp文件,现把分析内容发出来,看谁能写个esp文件?
并附上KWSUpd.exe的dump文件。
FAULTING_IP:
kislivx+82ef9
10082ef9 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 10082ef9 (kislivx+0x00082ef9)
ExceptionCode: c0000409 (Stack buffer overflow)
ExceptionFlags: 00000001
NumberParameters: 0
PROCESS_NAME: KWSUpd.exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: kislivx
FAULTING_MODULE: 7c920000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 4bb161b4
ERROR_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
FAULTING_THREAD: 000008d8
BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN
DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN
LAST_CONTROL_TRANSFER: from 7c802532 to 7c92eb94
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00c090f8 7c802532 00000120 0001d4c0 00000000 ntdll+0xeb94
00c0910c 6977044d 00000120 0001d4c0 00c0b1bc kernel32+0x2532
00c09174 697679d0 00c0d1bc 00c0b1bc 000000ae faultrep!ReportEREvent+0x1ae2
00c0d5d0 697682f1 100874c0 00c0e41c 00000001 faultrep!ReportFaultDWM+0x1863
00c0e640 7c8635d1 100874c0 00000001 00000000 faultrep!ReportFault+0x573
00c0ece0 10069f07 100874c0 ce06caff 31f93500 kernel32+0x635d1
00c0f014 10082ef9 7c9237bf 00c0f104 00c0f5a0 kislivx+0x69f07
00c0f03c 7c92378b 00c0f104 00c0f5a0 00c0f120 kislivx+0x82ef9
00c0f0ec 7c92eafa 00000000 00c0f120 00c0f104 ntdll+0x378b
00c0f480 00000000 00000000 00000000 00000000 ntdll+0xeafa
FOLLOWUP_IP:
kislivx+82ef9
10082ef9 ?? ???
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: kislivx+82ef9
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: kislivx.dll
STACK_COMMAND: ~1s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_c0000409_kislivx.dll!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/00082ef9.htm?Retriage=1
Followup: MachineOwner
---------
0:001> lmvm kislivx
start end module name
10000000 100b3000 kislivx T (no symbols)
Loaded symbol image file: kislivx.dll
Image path: C:\Program Files\Maxthon2\Modules\MxKWS\kislivx.dll
Image name: kislivx.dll
Timestamp: Tue Mar 30 10:28:04 2010 (4BB161B4)
CheckSum: 000C0855
ImageSize: 000B3000
File version: 2010.3.30.568
Product version: 9.0.9939.568
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:001> lmvm ntdll
start end module name
7c920000 7c9b6000 ntdll T (no symbols)
Loaded symbol image file: ntdll.dll
Image path: C:\WINDOWS\system32\ntdll.dll
Image name: ntdll.dll
Timestamp: Mon Feb 09 18:18:57 2009 (49900311)
CheckSum: 000965E9
ImageSize: 00096000
File version: 5.1.2600.2180
Product version: 5.1.2600.2180
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
上传的附件: