Random Access Violation on dhcpcsvc6.DLL
Posted: Thu Aug 08, 2013 1:13 pm
by detinho
Hi.
We're having some random access violations when running our application on Windows 2008 Server (fully updated). According to my understanding of the madExcept logs, the errors are occurring in madExcept's own code.
Here are three logs of the errors:
https://dl.dropboxusercontent.com/u/221 ... ordhcp.zip.
All three logs have this call stack, with some small variations:
date/time : 2013-08-08, 08:49:44, 130ms
computer name : SERVER201
wts client name : DARKA-F2427F8A7
user name : cd07
registered owner : Usuário do Windows
operating system : Windows 2008 R2 x64 Service Pack 1 build 7601
system language : Portuguese
system up time : 13 hours 54 minutes
program up time : 1 minute 20 seconds
processors : 16x Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
physical memory : 12771/32755 MB (free/total)
free disk space : (C:) 369,49 GB
display mode : 1024x768, 16 bit
process id : $6524
allocated memory : 84,20 MB
executable : autcom.exe
exec. date/time : 2013-08-07 15:41
version : 27.18.365.85
compiled with : Delphi 2006/07
madExcept version : 4.0.7
callstack crc : $776e705e, $08562d73, $08562d73
exception number : 2
exception class : EAccessViolation
exception message : Access violation at address 73601C89 in module 'dhcpcsvc.DLL'. Write of address 73601C89.
thread $6a0c:
73601c89 +15c dhcpcsvc.DLL DhcpIsEnabled
741c6a84 +037 IPHLPAPI.DLL GetAdaptersAddresses
00462ac5 +00d autcom.exe madExcept CallThreadProcSafe
0046321b +037 autcom.exe madExcept UserWorkItemExceptFrame
76d633a8 +010 kernel32.dll BaseThreadInitThunk
Main ($6544):
00000000 +ffbd19c4 autcom.exe madStackTrace +0 StackAddrToStr
>> stack will be calculated soon
Does this have a quick workaround (either with some madExcept configuration or altering my code) or is it some bug/incompatibility?
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Thu Aug 08, 2013 2:30 pm
by madshi
It's weird that you don't get a proper callstack for the main thread. That could be a bug in madExcept, but this is probably of no consequence for this specific problem.
The crash occurs when a thread is calling "IPHLPAPI.GetAdaptersAddresses()". The crash is occurring somewhere inside of the IPHelper dll. This is a system dll. Does your code call "GetAdaptersAddresses()" somewhere? Or maybe some of the third party components you're using? madExcept itself does not call this function.
The "madExcept.CallThreadProcSafe" and "madExcept.UserWorkItemExceptFrame" items in the callstack have to be there. That's how madExcept is able to automatically catch exceptions in secondary threads for you. These callstack items do not in any way indicate that madExcept is causing the crashes.
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Thu Aug 08, 2013 6:56 pm
by detinho
I searched through all the project and its components and none of them uses GetAdaptersAddresses.
The reason there is no call stack for the main thread is that we unchecked the "call stack of all running threads" option.
To see a full log, please download again from
https://dl.dropboxusercontent.com/u/221 ... ordhcp.zip that now has some logs from yesterday.
Thanks!
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Thu Aug 08, 2013 7:15 pm
by madshi
Well, I can't say from the bug report who's calling GetAdaptersAddresses and why. But somebody does, inside of your process. It could be an indirect call. Meaning some of your code (or 3rd party code, or some Delphi RTL/VCL unit) calls some other win32 API and that internally calls GetAdaptersAddresses. Maybe it's somehow related to that Soap Http stuff? GetAdaptersAddresses has something to do with network, IP etc... I don't know, just guessing around here...
I wish I could tell you more, but there isn't really any more information in the crash report for this specific problem...
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Wed Nov 20, 2013 3:06 pm
by Chris08
Hi,
We got the same AV but with the MainThread-Callstack. It seems that the application is shutting down. Maybe this helps to track down the problem.
We assume that the problem has something to do with W2008 Server; maybe one should set the tsaware-flag?
http://stackoverflow.com/questions/1437 ... minal-serv
date/time : 2013-10-28, 09:40:24, 696ms
computer name : <>
wts client name : <>
user name : <>
registered owner : Windows-Benutzer
operating system : Windows 2008 R2 x64 Service Pack 1 build 7601
system language : German
system up time : 20 days 21 hours
program up time : 3 seconds
processors : 4x Intel(R) Xeon(R) CPU E5405 @ 2.00GHz
physical memory : 1653/4095 MB (free/total)
free disk space : (C:) 95,34 GB (I:) 113,11 GB
display mode : 1424x923, 16 bit
process id : $2ef8
allocated memory : 27,46 MB
largest free block : 1,35 GB
command line : "I:\<Path>\webupgrade.exe" UPDATEAVAILABLE C:\Users\adminsd\AppData\Local\<Path>\DBT73ED.LOG
executable : webupgrade.exe
exec. date/time : 2013-10-22 12:09
version : 0.9.0.123
compiled with : Delphi 2010
madExcept version : 4.0.8.1
callstack crc : $776e705e, $63a771a1, $af67e584
exception number : 1
exception class : EAccessViolation
exception message : Access violation at address 740F1C89 in module 'dhcpcsvc.DLL'. Write of address 740F1C89.
thread $3698:
740f1c89 +15c dhcpcsvc.DLL DhcpIsEnabled
74126a84 +037 IPHLPAPI.DLL GetAdaptersAddresses
0047afa5 +00d webupgrade.exe madExcept CallThreadProcSafe
0047b6ff +037 webupgrade.exe madExcept UserWorkItemExceptFrame
74bc3368 +010 kernel32.dll BaseThreadInitThunk
main thread ($2904):
76f6f8ca +0e ntdll.dll NtWaitForSingleObject
752f1497 +92 KERNELBASE.dll WaitForSingleObjectEx
74bc118f +3e kernel32.dll WaitForSingleObjectEx
74bc1143 +0d kernel32.dll WaitForSingleObject
00471269 +69 webupgrade.exe madExcept CloseHandleExceptionThread
0047f1af +53 webupgrade.exe madExcept Close
0047f33a +2e webupgrade.exe madExcept Finalization
00407056 +3e webupgrade.exe System 12622 FinalizeUnits
0047a368 +54 webupgrade.exe madExcept InterceptFinalizeUnits
0047a377 +07 webupgrade.exe madExcept InterceptHalt0FinalizeUnits
74bc3368 +10 kernel32.dll BaseThreadInitThunk
thread $b9c:
76f71f3f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
74bc3368 +10 kernel32.dll BaseThreadInitThunk
thread $a04:
76f70156 +0e ntdll.dll NtWaitForMultipleObjects
74bc3368 +10 kernel32.dll BaseThreadInitThunk
thread $30f8:
76f71f3f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
74bc3368 +10 kernel32.dll BaseThreadInitThunk
thread $33ec: <priority:2>
74e57c18 +45 USER32.dll GetMessageA
0047afa5 +0d webupgrade.exe madExcept CallThreadProcSafe
0047b00f +37 webupgrade.exe madExcept ThreadExceptFrame
74bc3368 +10 kernel32.dll BaseThreadInitThunk
>> created by main thread ($2904) at:
745a6c8b +00 winmm.dll
thread $eb4:
76f71f3f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
74bc3368 +10 kernel32.dll BaseThreadInitThunk
thread $2684:
76f71f3f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
74bc3368 +10 kernel32.dll BaseThreadInitThunk
thread $12dc:
76f6f8ca +0e ntdll.dll NtWaitForSingleObject
752f1497 +92 KERNELBASE.dll WaitForSingleObjectEx
74bc118f +3e kernel32.dll WaitForSingleObjectEx
74bc1143 +0d kernel32.dll WaitForSingleObject
0047afa5 +0d webupgrade.exe madExcept CallThreadProcSafe
0047b00f +37 webupgrade.exe madExcept ThreadExceptFrame
74bc3368 +10 kernel32.dll BaseThreadInitThunk
>> created by main thread ($2904) at:
75df1102 +00 WININET.dll
thread $2ba8:
76f70156 +00e ntdll.dll NtWaitForMultipleObjects
752f15e3 +0fa KERNELBASE.dll WaitForMultipleObjectsEx
74bc19f7 +089 kernel32.dll WaitForMultipleObjectsEx
75cb4d21 +065 WS2_32.dll WSALookupServiceNextW
75cb4a94 +20b WS2_32.dll GetAddrInfoW
0047afa5 +00d webupgrade.exe madExcept CallThreadProcSafe
0047b6ff +037 webupgrade.exe madExcept UserWorkItemExceptFrame
74bc3368 +010 kernel32.dll BaseThreadInitThunk
thread $2a48:
76f71f3f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
74bc3368 +10 kernel32.dll BaseThreadInitThunk
thread $494:
76f6fd8a +0e ntdll.dll NtDelayExecution
752f3bc2 +5f KERNELBASE.dll SleepEx
752f4493 +0a KERNELBASE.dll Sleep
0047afa5 +0d webupgrade.exe madExcept CallThreadProcSafe
0047b00f +37 webupgrade.exe madExcept ThreadExceptFrame
74bc3368 +10 kernel32.dll BaseThreadInitThunk
>> created by thread $30f8 at:
74d0da8e +00 ole32.dll
thread $3634: <priority:1>
76f6f952 +0e ntdll.dll NtRemoveIoCompletion
0047afa5 +0d webupgrade.exe madExcept CallThreadProcSafe
0047b00f +37 webupgrade.exe madExcept ThreadExceptFrame
74bc3368 +10 kernel32.dll BaseThreadInitThunk
>> created by main thread ($2904) at:
731aa33f +00 mswsock.dll
disassembling:
[...]
740f1c62 mov [ebp-$270], esi
740f1c68 mov [ebp-$26c], esi
740f1c6e mov [ebp-$268], ecx
740f1c74 mov dword ptr [ebp-$264], $238
740f1c7e mov [ebp-$284], esi
740f1c84 call -$172 ($740f1b17) ; NsiGetAllParametersEx (NSI.dll)
740f1c84
740f1c89 > mov edi, eax
740f1c8b cmp edi, esi
740f1c8d jnz loc_740f1ccf
740f1c8d
740f1c8f lea eax, [ebp-$250]
740f1c95 push eax
740f1c96 lea eax, [ebp-$24]
740f1c99 push eax
[...]
Thanks for your help!
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Wed Nov 20, 2013 3:22 pm
by madshi
Looks like the dhcpcsvc6.DLL might already be unloaded at the moment when "IpHlpApi.GetAdaptersAddresses()" internally tries to call "dhcpcsvc6.DhcpIsEnabled()". Or maybe not. Can't say because the bug report is incomplete (no module list). It's also possible that the dll is still loaded, but in the process of being unloaded or something.
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Wed Nov 20, 2013 5:07 pm
by Chris08
Yes, unfortunately, no module list.
I just added the disasm-part.
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Wed Nov 20, 2013 5:19 pm
by madshi
That is extremely weird. Taking the disasm into account, the bugreport suggests that the 0x740f1xxx code page of dhcpcsvc6.dll was changed to "non executable" while a thread was still running through that code. Not sure how this can happen. I would say the most likely situation is that some other thread is trying to unload that dll while the crashing thread is still executing code in the dll. Or maybe some other thread has changed the page access rights of the dll for some reason (could be a bug in the code or something).
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Fri Jan 17, 2014 12:50 pm
by rowwt
Hi,
I get the same error. It is happening on a Citrix terminal server environment. We are using MapiSendMail to open the default mail client. The customer has Outlook. Outlook pops up with all the data we provide in the code. But randomly, the application is crashing behind Outlook's new mail window. madExcept is also failing to send us the report, so I have paid a visit to the customer and took some screenshots of the error and of the call stack. I've attached the files.
Do you have any clue why this is happening? We get this error only on Citrix and we are not able to reproduce it on our test/devel computers.
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Fri Jan 17, 2014 1:12 pm
by madshi
According to the bug report the crash occurs in a thread created by "mso.dll" which is a part of Microsoft Office. I suppose this could be the dll handling the MAPI transport from your process to MS Outlook. This is just a guess on my part, though. If I'm guessing correctly, the bug could be in "mso.dll". It might make sense to switch to a better mail sending method. E.g. SMTP or HTTP upload. You could also try updating MS Office with the latest service packs in the hope that this might fix the problem.
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Fri Jan 17, 2014 9:32 pm
by zunzster
We see this issue quite regularly as we use MAPI and lots of our users run our application on TS.
Office (and Outlook in particular) is not DEP safe on Windows 2008 R2.
http://support.microsoft.com/kb/2028367
If you're wondering why this doesn't occur on non-server versions of Windows (e.g. XP, Vista, Win7, etc.), it's because *only* 'system' processes run with DEP enabled by default in desktop versions, whereas DEP is enabled on *all* processes by default in server versions.
TS (and Citrix) are the classic case where a server version of Windows ends up hosting desktop applications and thus where you see this annoying issue.
Now in the above KB, Microsoft recommends exempting Outlook.exe from DEP to work around the issue.
However, when talking via MAPI to Outlook, the problematic non DEP-safe code will be running in *your* address space, thus you will need to exempt *your* process's exe from DEP checking or suffer these spurious AVs.
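Added triage example (not part of any post in this thread and not madExcept code): it applies madshi's reading of the disassembly and the DEP explanation above to a madExcept report, flagging a fault whose inaccessible address is the faulting instruction itself and checking whether any application code is on the crashing thread's stack. The function names and the `demo.exe` control report are assumptions made for the example.

```python
import re

# Trimmed excerpt of the webupgrade.exe report posted earlier in this thread.
REPORT_WRITE = """\
exception message : Access violation at address 740F1C89 in module 'dhcpcsvc.DLL'. Write of address 740F1C89.
thread $3698:
740f1c89 +15c dhcpcsvc.DLL DhcpIsEnabled
74126a84 +037 IPHLPAPI.DLL GetAdaptersAddresses
0047afa5 +00d webupgrade.exe madExcept CallThreadProcSafe
0047b6ff +037 webupgrade.exe madExcept UserWorkItemExceptFrame
74bc3368 +010 kernel32.dll BaseThreadInitThunk
main thread ($2904):
76f6f8ca +0e ntdll.dll NtWaitForSingleObject
"""

# Constructed control sample: an ordinary nil-pointer read in application code.
REPORT_NIL = """\
exception message : Access violation at address 004A1B2C in module 'demo.exe'. Read of address 00000000.
main thread ($1234):
004a1b2c +01c demo.exe MainUnit 42 +3 TMainForm.ButtonClick
76d73368 +010 kernel32.dll BaseThreadInitThunk
"""

MSG_RE = re.compile(
    r"Access violation at address ([0-9A-Fa-f]+) in module '([^']+)'\.\s+"
    r"(Read|Write|Execution) of address ([0-9A-Fa-f]+)")
THREAD_RE = re.compile(r"^(?:main thread|Main|thread)\b.*\$[0-9a-fA-F]+")
FRAME_RE = re.compile(r"^([0-9a-fA-F]{8,16})\s+\+[0-9a-fA-F]+\s+(\S+)\s*(.*)$")


def crashing_frames(text):
    """Return (module, unit, symbol) per frame of the first thread block."""
    frames, seen_header = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if THREAD_RE.match(line):
            if seen_header:
                break              # second header: crashing thread is complete
            seen_header = True
            continue
        m = FRAME_RE.match(line) if seen_header else None
        if m:
            rest = m.group(3).split()
            unit = rest[0] if len(rest) > 1 else ""
            frames.append((m.group(2), unit, rest[-1] if rest else ""))
    return frames


def triage(text):
    m = MSG_RE.search(text)
    if not m:
        return None
    fault, module, op, target = m.groups()
    frames = crashing_frames(text)
    # Inaccessible address == faulting instruction: the instruction itself
    # could not be executed. The 2017 report in this thread shows the same
    # pattern worded as "Execution of address".
    execute_fault = op == "Execution" or int(fault, 16) == int(target, 16)
    app_code = [f for f in frames
                if f[0].lower().endswith(".exe") and f[1] != "madExcept"]
    return {
        "module": module,
        "kind": "execute-fault" if execute_fault else op.lower() + "-fault",
        "api_chain": [f[2] for f in frames if not f[0].lower().endswith(".exe")],
        "app_code_on_stack": bool(app_code),
    }


if __name__ == "__main__":
    for sample in (REPORT_WRITE, REPORT_NIL):
        print(triage(sample))
```

An `execute-fault` with `app_code_on_stack` false matches the reports in this thread: the crashing thread runs only system DLL code under the madExcept thread wrapper.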
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Fri Jan 17, 2014 11:53 pm
by madshi
Thanks for chiming in, that's good to know!
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Mon Jan 20, 2014 10:31 am
by rowwt
Very good news indeed. I hope this will solve our issue. Thank you.
While searching on the internet about the issues on terminal server environments, I also found that it is possible to make your application TS-aware by adding this flag: {$SetPEOptFlags IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE}
I had no time to test this. Do you know anything about it? Will DEP consider the application safe if it was built with this flag?
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Mon Jan 20, 2014 8:08 pm
by zunzster
My understanding is that flag is about *your* application and whether it needs the TS app compatibility DLL loaded.
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
As far as I know, it has no effect on DEP or on other people's code, in this case, Outlook's DLLs.
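Added example (not from any poster in this thread): a header check showing that the TS-aware flag discussed above and the PE flag that marks an image as DEP-compatible (`IMAGE_DLLCHARACTERISTICS_NX_COMPAT`) are separate bits of `DllCharacteristics`, so setting one says nothing about the other. The helper names are assumptions, and `fake_pe32` builds a constructed header blob rather than a real executable.

```python
import struct

NX_COMPAT = 0x0100              # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
TERMINAL_SERVER_AWARE = 0x8000  # IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE


def dll_characteristics(image: bytes) -> int:
    """Read OptionalHeader.DllCharacteristics from a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 4 + 20                  # skip signature and COFF file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def describe(image: bytes) -> dict:
    """Report the two flags independently of each other."""
    flags = dll_characteristics(image)
    return {"ts_aware": bool(flags & TERMINAL_SERVER_AWARE),
            "nx_compat": bool(flags & NX_COMPAT)}


def fake_pe32(flags: int) -> bytes:
    """Constructed minimal PE32 header blob for the demo (not loadable)."""
    buf = bytearray(0x80 + 4 + 20 + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, 0x10B)     # PE32 magic
    struct.pack_into("<H", buf, 0x80 + 24 + 70, flags)
    return bytes(buf)


if __name__ == "__main__":
    # Image built with only the TS-aware flag set.
    print(describe(fake_pe32(TERMINAL_SERVER_AWARE)))
    # Image with both flags set.
    print(describe(fake_pe32(TERMINAL_SERVER_AWARE | NX_COMPAT)))
```

To inspect a real binary, pass `open(path, "rb").read(4096)` to `describe`.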
Re: Random Access Violation on dhcpcsvc6.DLL
Posted: Tue Apr 11, 2017 9:45 am
by tprami
We had a similar error, not yet sure what is causing it...
date/time : 2017-04-11, 00:44:04, 18ms
computer name : SERVERXXX
wts client name : SERVER
user name : XXXXXX
operating system : Windows 2008 R2 x64 Service Pack 1 build 7601
system language : Swedish
system up time : 1 day 2 hours
program up time : 390 milliseconds
processors : 16x Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
physical memory : 7557/16374 MB (free/total)
free disk space : (C:) 67,87 GB
display mode : 1680x1050, 16 bit
process id : $2ec8
allocated memory : 44,47 MB
largest free block : 1017,37 MB
executable : KirjanpitoClient.exe
exec. date/time : 2017-03-21 14:34
version : 2017.1.1.1020
bde version : 5.1.1.1
compiled with : Delphi 10.1 Berlin
madExcept version : 4.0.16
contact name : XXXXXX XXXXXX
contact email : XXXXXX@XXXXXX.XXX
callstack crc : $fbec8fbf, $4532391e, $9a5413bd
exception number : 1
exception class : EAccessViolation
exception message : Access violation at address 72F71CA0 in module 'dhcpcsvc.DLL'. Execution of address 72F71CA0.
thread $3968:
72f71ca0 +173 dhcpcsvc.DLL DhcpIsEnabled
74a26a84 +037 IPHLPAPI.DLL GetAdaptersAddresses
00859575 +00d KirjanpitoClient.exe madExcept 17281 +6 CallThreadProcSafe
00859ce2 +032 KirjanpitoClient.exe madExcept 17576 +9 UserWorkItemExceptFrame
76d73368 +010 kernel32.dll BaseThreadInitThunk
main thread ($1ed0):
77e50117 +02b ntdll.dll KiUserCallbackDispatcher
77e6ecdf +063 ntdll.dll bsearch
004cfc45 +1b5 KirjanpitoClient.exe System.Classes TReader.ReadProperty
004cf4dd +015 KirjanpitoClient.exe System.Classes TReader.ReadDataInner
004cf4bf +067 KirjanpitoClient.exe System.Classes TReader.ReadData
004dce9d +001 KirjanpitoClient.exe System.Classes TComponent.ReadState
0066b923 +02f KirjanpitoClient.exe Vcl.Controls TControl.ReadState
004cf313 +11f KirjanpitoClient.exe System.Classes TReader.ReadComponent
004cf551 +089 KirjanpitoClient.exe System.Classes TReader.ReadDataInner
004cf4bf +067 KirjanpitoClient.exe System.Classes TReader.ReadData
004dce9d +001 KirjanpitoClient.exe System.Classes TComponent.ReadState
0066b923 +02f KirjanpitoClient.exe Vcl.Controls TControl.ReadState
006701c5 +025 KirjanpitoClient.exe Vcl.Controls TWinControl.ReadState
004cf313 +11f KirjanpitoClient.exe System.Classes TReader.ReadComponent
0067558c +0d0 KirjanpitoClient.exe Vcl.Controls TWinControl.SetBounds
004cf313 +11f KirjanpitoClient.exe System.Classes TReader.ReadComponent
004cf551 +089 KirjanpitoClient.exe System.Classes TReader.ReadDataInner
004cf490 +038 KirjanpitoClient.exe System.Classes TReader.ReadData
004dce9d +001 KirjanpitoClient.exe System.Classes TComponent.ReadState
0066b923 +02f KirjanpitoClient.exe Vcl.Controls TControl.ReadState
006701c5 +025 KirjanpitoClient.exe Vcl.Controls TWinControl.ReadState
004d0441 +1f5 KirjanpitoClient.exe System.Classes TReader.ReadRootComponent
004ca06e +032 KirjanpitoClient.exe System.Classes TStream.ReadComponent
004c1803 +057 KirjanpitoClient.exe System.Classes InternalReadComponentRes
004c2f13 +05f KirjanpitoClient.exe System.Classes InitComponent
004c2fa1 +061 KirjanpitoClient.exe System.Classes InitInheritedComponent
006387a4 +064 KirjanpitoClient.exe Vcl.Forms TCustomFrame.Create
017717f7 +04b KirjanpitoClient.exe MNForm.Main 462 +8 TMNMainForm.FormCreate
00638f8d +031 KirjanpitoClient.exe Vcl.Forms TCustomForm.DoCreate
00638afd +13d KirjanpitoClient.exe Vcl.Forms TCustomForm.Create
00643d62 +076 KirjanpitoClient.exe Vcl.Forms TApplication.CreateForm
017a15ae +0fe KirjanpitoClient.exe KirjanpitoClient 397 +30 initialization
76d73368 +010 kernel32.dll BaseThreadInitThunk
thread $49b4:
77e60166 +0e ntdll.dll NtWaitForMultipleObjects
76d73368 +10 kernel32.dll BaseThreadInitThunk
thread $3aa0 (TSTUpdateThread):
77e5f8da +00e ntdll.dll NtWaitForSingleObject
76f715c8 +092 KERNELBASE.dll WaitForSingleObjectEx
76d7118f +03e kernel32.dll WaitForSingleObjectEx
76d71143 +00d kernel32.dll WaitForSingleObject
7706cd75 +0f5 wininet.dll HttpSendRequestW
007dabc6 +546 KirjanpitoClient.exe Soap.SOAPHTTPTrans THTTPReqResp.Send
007db745 +135 KirjanpitoClient.exe Soap.SOAPHTTPTrans THTTPReqResp.Execute
007d64c6 +21a KirjanpitoClient.exe Soap.Rio TRIO.DoDispatch
007d6e4a +19a KirjanpitoClient.exe Soap.Rio TRIO.Generic
007d6921 +025 KirjanpitoClient.exe Soap.Rio TRIO.QueryInterface$15$ActRec.$0$Body
00475ea3 +03b KirjanpitoClient.exe System.Rtti TVirtualInterface.RawCallback
00475b67 +027 KirjanpitoClient.exe System.Rtti TVirtualInterface.Create$547$ActRec.$0$Body
0047594a +076 KirjanpitoClient.exe System.Rtti TMethodImplementation.Intercept
004754d7 +00b KirjanpitoClient.exe System.Rtti RawIntercept
008b50c6 +17e KirjanpitoClient.exe STUpdateAgent 189 +33 TSTUpdateThread.Execute
0085968f +02b KirjanpitoClient.exe madExcept 17348 +3 HookedTThreadExecute
004db0c1 +049 KirjanpitoClient.exe System.Classes ThreadProc
0040c260 +028 KirjanpitoClient.exe System 16 +0 ThreadWrapper
00859575 +00d KirjanpitoClient.exe madExcept 17281 +6 CallThreadProcSafe
008595da +032 KirjanpitoClient.exe madExcept 17331 +9 ThreadExceptFrame
76d73368 +010 kernel32.dll BaseThreadInitThunk
>> created by main thread ($1ed0) at:
008b4ee0 +034 KirjanpitoClient.exe STUpdateAgent 128 +6 TSTUpdateThread.Create
thread $4700:
77e61f4f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
76d73368 +10 kernel32.dll BaseThreadInitThunk
thread $4948:
77e5fd9a +0e ntdll.dll NtDelayExecution
76f73d36 +5f KERNELBASE.dll SleepEx
76f74607 +0a KERNELBASE.dll Sleep
00859575 +0d KirjanpitoClient.exe madExcept 17281 +6 CallThreadProcSafe
008595da +32 KirjanpitoClient.exe madExcept 17331 +9 ThreadExceptFrame
76d73368 +10 kernel32.dll BaseThreadInitThunk
>> created by main thread ($1ed0) at:
758eda5e +00 ole32.dll
thread $6a88 (TEventSendThread):
77e5f8da +00e ntdll.dll NtWaitForSingleObject
76916944 +04f WS2_32.dll connect
0096e67d +229 KirjanpitoClient.exe CRVioTcp 273 +55 TCRVioTcp.InternalConnect
0096ea1e +246 KirjanpitoClient.exe CRVioTcp 371 +55 TCRVioTcp.TryConnect
009718b0 +098 KirjanpitoClient.exe DBMonitorMessages 486 +16 TSocketMessagePacker.Open
009728d8 +050 KirjanpitoClient.exe DBMonitorClient 261 +9 TDBMonitor.IsMonitorActive
00972d33 +07f KirjanpitoClient.exe DBMonitorClient 415 +15 TEventSendThread.Execute
0085968f +02b KirjanpitoClient.exe madExcept 17348 +3 HookedTThreadExecute
004db0c1 +049 KirjanpitoClient.exe System.Classes ThreadProc
0040c260 +028 KirjanpitoClient.exe System 16 +0 ThreadWrapper
00859575 +00d KirjanpitoClient.exe madExcept 17281 +6 CallThreadProcSafe
008595da +032 KirjanpitoClient.exe madExcept 17331 +9 ThreadExceptFrame
76d73368 +010 kernel32.dll BaseThreadInitThunk
>> created by main thread ($1ed0) at:
00972bdb +01b KirjanpitoClient.exe DBMonitorClient 368 +1 TEventSendThread.Create
thread $4c80:
77e61f4f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
76d73368 +10 kernel32.dll BaseThreadInitThunk
thread $338c:
77e61f4f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
76d73368 +10 kernel32.dll BaseThreadInitThunk
thread $6080:
77e5f8da +0e ntdll.dll NtWaitForSingleObject
76f715c8 +92 KERNELBASE.dll WaitForSingleObjectEx
76d7118f +3e kernel32.dll WaitForSingleObjectEx
76d71143 +0d kernel32.dll WaitForSingleObject
00859575 +0d KirjanpitoClient.exe madExcept 17281 +6 CallThreadProcSafe
008595da +32 KirjanpitoClient.exe madExcept 17331 +9 ThreadExceptFrame
76d73368 +10 kernel32.dll BaseThreadInitThunk
>> created by thread $3aa0 (TSTUpdateThread) at:
77124ce7 +00 wininet.dll
thread $621c:
77e61f4f +0b ntdll.dll NtWaitForWorkViaWorkerFactory
76d73368 +10 kernel32.dll BaseThreadInitThunk
cpu registers:
eax = 00000000
ebx = 76d722b1
ecx = 00000000
edx = 77e9c30e
esi = 00000000
edi = 00000000
eip = 72f71ca0
esp = 0471f5ec
ebp = 0471f894
stack dump:
0471f5ec 04 95 67 02 30 94 67 02 - 30 94 67 02 00 00 00 00 ..g.0.g.0.g.....
0471f5fc 00 00 00 00 00 00 00 00 - a4 1d f7 72 01 00 00 00 ...........r....
0471f60c 01 00 00 00 00 00 00 00 - 34 f6 71 04 08 00 00 00 ........4.q.....
0471f61c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0471f62c 58 f6 71 04 38 02 00 00 - 00 00 00 09 00 00 06 00 X.q.8...........
0471f63c 04 00 00 00 00 00 00 00 - 4c 00 4e 00 28 d6 72 06 ........L.N.(.r.
0471f64c 08 f9 71 04 bc 04 00 00 - 00 00 00 00 0c 00 00 00 ..q.............
0471f65c 6a 00 48 00 50 00 20 00 - 4e 00 43 00 33 00 38 00 j.H.P. .N.C.3.8.
0471f66c 32 00 69 00 20 00 44 00 - 50 00 20 00 4d 00 75 00 2.i. .D.P. .M.u.
0471f67c 6c 00 74 00 69 00 66 00 - 75 00 6e 00 63 00 74 00 l.t.i.f.u.n.c.t.
0471f68c 69 00 6f 00 6e 00 20 00 - 47 00 69 00 67 00 61 00 i.o.n. .G.i.g.a.
0471f69c 62 00 69 00 74 00 20 00 - 53 00 65 00 72 00 76 00 b.i.t. .S.e.r.v.
0471f6ac 65 00 72 00 20 00 41 00 - 64 00 61 00 70 00 74 00 e.r. .A.d.a.p.t.
0471f6bc 65 00 72 00 20 00 23 00 - 34 00 36 00 00 00 00 00 e.r. .#.4.6.....
0471f6cc 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0471f6dc 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0471f6ec 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0471f6fc 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0471f70c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
0471f71c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................
disassembling:
00859568 public madExcept.CallThreadProcSafe: ; function entry point
00859568 17275 push ebp
00859569 mov ebp, esp
0085956b 17276 push ebx
0085956c 17277 mov ebx, esp
0085956e 17278 mov eax, [ebp+$c]
00859571 17279 push eax
00859572 17280 mov eax, [ebp+8]
00859575 17281 > call eax
00859575
00859577 17283 cmp ebx, esp
00859579 17284 jz loc_8595a2
00859579
0085957b 17287 ja loc_859599
0085957b
0085957d 17291 push eax
0085957e 17292 mov eax, ebx
00859580 17293 mov ebx, esp
00859582 17294 add ebx, 4
[...]