Dumping NT_TIB

When a thread has crashed without leaving any clue at all (e.g. all registers are set to invalid values), you can try to get a stack trace by manually pointing esp/ebp at a probable value inside the stack. To do that, you need the valid stack range, which you can get with the following WinDbg command. Check the StackBase and StackLimit fields of the NT_TIB structure.

0:005> dt -r ntdll!_NT_TIB poi(fs:18h)
   +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
      +0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD
         +0x000 Next : 0x01c3ff2c _EXCEPTION_REGISTRATION_RECORD
         +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
      +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
   +0x004 StackBase : 0x01c40000
   +0x008 StackLimit : 0x01c2c000
   +0x00c SubSystemTib : (null)
   +0x010 FiberData : 0x00001e00
   +0x010 Version : 0x1e00
   +0x014 ArbitraryUserPointer : (null)
   +0x018 Self : 0x7ffd9000 _NT_TIB
      +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
         +0x000 Next : 0x01c3fecc _EXCEPTION_REGISTRATION_RECORD
         +0x004 Handler : 0x7e44048f _EXCEPTION_DISPOSITION user32!_except_handler3+0
      +0x004 StackBase : 0x01c40000
      +0x008 StackLimit : 0x01c2c000
      +0x00c SubSystemTib : (null)
      +0x010 FiberData : 0x00001e00
      +0x010 Version : 0x1e00
      +0x014 ArbitraryUserPointer : (null)
      +0x018 Self : 0x7ffd9000 _NT_TIB
         +0x000 ExceptionList : 0x01c3ac88 _EXCEPTION_REGISTRATION_RECORD
         +0x004 StackBase : 0x01c40000
         +0x008 StackLimit : 0x01c2c000
         +0x00c SubSystemTib : (null)
         +0x010 FiberData : 0x00001e00
         +0x010 Version : 0x1e00
         +0x014 ArbitraryUserPointer : (null)
         +0x018 Self : 0x7ffd9000 _NT_TIB
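Once StackBase and StackLimit are known, picking a "probable value" for ebp means finding a stack slot that starts a chain of saved frame pointers, all inside that range. The script below is an added example, not code from the original post: it scans a raw stack dump for such chains. The StackBase/StackLimit values are the ones shown above; the memory contents, return addresses and function names are constructed for illustration.

```python
import struct

# StackBase / StackLimit as shown in the dt output on this page.
STACK_BASE, STACK_LIMIT = 0x01C40000, 0x01C2C000

def walk_chain(mem, start, ebp, limit=STACK_LIMIT, base=STACK_BASE):
    """Follow x86 saved-EBP links; return [(frame_addr, return_addr), ...]."""
    frames = []
    end = start + len(mem)
    while limit <= ebp < base and ebp % 4 == 0 and start <= ebp <= end - 8:
        saved_ebp, ret = struct.unpack_from("<II", mem, ebp - start)
        # A plausible return address is nonzero and lies outside the stack.
        if ret == 0 or limit <= ret < base:
            break
        frames.append((ebp, ret))
        if saved_ebp <= ebp:      # links must move toward StackBase
            break
        ebp = saved_ebp
    return frames

def find_chains(mem, start, min_frames=3):
    """Try every dword slot as a frame pointer; keep chains of min_frames or more."""
    chains, seen = [], set()
    for addr in range(start, start + len(mem) - 7, 4):
        if addr in seen:          # already part of a longer chain
            continue
        chain = walk_chain(mem, start, addr)
        if len(chain) >= min_frames:
            chains.append(chain)
            seen.update(frame for frame, _ in chain)
    return chains

def build_sample():
    """Constructed dump of the top 0x100 bytes of the stack (not real data)."""
    start = STACK_BASE - 0x100
    mem = bytearray(0x100)
    slots = {
        0x01C3FF10: (0x01C3FF40, 0x00401000),  # decoy: link leads to zeros
        0x01C3FF20: (0x01C3FF60, 0x00401234),
        0x01C3FF60: (0x01C3FFB0, 0x00401890),
        0x01C3FFB0: (0x01C3FFF0, 0x00402000),
        0x01C3FFF0: (0x00000000, 0x00403000),  # outermost frame
    }
    for addr, pair in slots.items():
        struct.pack_into("<II", mem, addr - start, *pair)
    return start, bytes(mem)

if __name__ == "__main__":
    start, mem = build_sample()
    for chain in find_chains(mem, start):
        print(" -> ".join(f"{f:08x} (ret {r:08x})" for f, r in chain))
```

The first frame address of each reported chain is a candidate ebp; the decoy slot is rejected because its link does not lead to a second valid frame.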


