1

A client sent us a crash dump containing the hex address of the assembly instruction in our DLL. How can I relate this to the C++ code in Visual Studio?

Our program is packaged in a DLL which is then loaded by the host application on a remote server. We have the source code of our DLL, but not of the host application. What's the best way to debug a crash caused by the DLL?

crash : #214 0001BD54 EIP: 6BAA7271 ESP: 240DF640 
              6BAA7271:000000 [6BAA7271] unknown (ourcompany.dll)
              6BA9FA31:000000 [6BA9FA31] unknown (ourcompany.dll)
              6BA994D9:000000 [6BA994D9] unknown (ourcompany.dll)
              6BA9F5F2:000000 [6BA9F5F2] unknown (ourcompany.dll)
              6BAADB36:000000 [6BAADB36] unknown (ourcompany.dll)
              6BAADBB4:000000 [6BAADBB4] unknown (ourcompany.dll)
              76EC3378:000012 [76EC338A] AcquireSRWLockExclusive
(kernel32.dll)
              775D9F0F:000063 [775D9F72] RtlInsertElementGenericTableAvl
(ntdll.dll)
              775D9F0F:000036 [775D9F45] RtlInsertElementGenericTableAvl
(ntdll.dll)

   crash -->  6BAA7271 80780F00          cmp        byte [eax+0xf], 0x0
              6BAA7275 74EB              jz         0x6baa7262

              6BAA7277 8B8310040000      mov        eax, [ebx+0x410]
              6BAA727D 89BD24FDFFFF      mov        [ebp+0xfffffd24], edi
              6BAA7283 3BF8              cmp        edi, eax
              6BAA7285 740E              jz         0x6baa7295

              6BAA7287 663B770C          cmp        si, [edi+0xc]

            : #215 000167B0 EIP: 752178D7 ESP: 37F3FC00 
              7521787B:00005C [752178D7] DlgDirSelectComboBoxExW
(user32.dll)
              62AD0013:000000 [62AD0013] unknown (***.dll)
              76EC3378:000012 [76EC338A] AcquireSRWLockExclusive
(kernel32.dll)
              775D9F0F:000063 [775D9F72] RtlInsertElementGenericTableAvl
(ntdll.dll)
              775D9F0F:000036 [775D9F45] RtlInsertElementGenericTableAvl
(ntdll.dll)
4
  • Did you generate a map when the dll was built? Commented Nov 3, 2014 at 23:34
  • @rrirower Did you mean a .pdb file? Yes we have it. Commented Nov 3, 2014 at 23:47
  • No. A .map file can be used to reconcile program addresses. It's an option when you build. Commented Nov 4, 2014 at 0:12
  • Some projects use the Windows API that generates "mini dumps" on a crash. The debuggers can use a mini dump and your DLL & PDB files to show you where the crash happened. Commented Nov 4, 2014 at 1:56

1 Answer

2

Start debugging with the exact same binaries as your client. Then in the Modules window check the base address of your dll, then add the offset from the crash dump to it. In the Disassembly window (Debug -> Windows -> Disassembly), enter your calculated crash address in the Address: edit box in hex format 0xXXXXXXXX. This should show you the source code line you are interested in.

The problem is how to calculate the crash offset. Your crash log should have a modules section containing your dll's load address; this should suffice to calculate the crash offset. It should be 0x6BAA7271 - [dll base offset].

I don't work with DLLs, but this should work.

Also, it's easier to debug such issues if you have tagged the given release of your product in your source code control. Then you check out the branch for that tag, which allows you to generate PDBs and experiment with the program.


3 Comments

The base address of a DLL is sometimes ignored by Windows. If some other DLL uses the same base address, one has to be moved. Also, ASLR will change the DLL base addresses.
Thanks, this really helps. To add more info, the host exe application should be debugged by doing Debug -> Attach to Process. Also, the Windows calculator program has a hex mode which really helps when calculating the relative address / offset.
Also, a good crash dump should have a list of DLL modules and their load addresses. Something like this: : 705F0000 00047000 ourcompany.dll. (I believe this is the load address and length). This information is critical to calculate the relative address on the stack trace.
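
The offset calculation described in the answer and comments, as an added example that is not part of the original posts: it turns the frames from the question's log into offsets relative to the DLL's load address, then rebases them onto whatever base the DLL gets in a local debug session, which is what makes the result independent of relocation and ASLR. The module line `6BA90000 00047000` and the local base `0x10000000` are constructed values, since the question's log does not include a module list.

```python
import re

# Frame line as in the question's log: "6BAA7271:000000 [6BAA7271] unknown (ourcompany.dll)"
FRAME_RE = re.compile(r"^\s*[0-9A-F]{8}:[0-9A-F]{6}\s+\[([0-9A-F]{8})\]\s+\S+\s*\((\S+?)\)", re.I)
# Module line as in the last comment: ": 705F0000 00047000 ourcompany.dll" (load address, length)
MODULE_RE = re.compile(r"^\s*:?\s*([0-9A-F]{8})\s+([0-9A-F]{8})\s+(\S+)\s*$", re.I)

def parse_modules(lines):
    """Return {module name: (load_base, size)} from module-list lines."""
    mods = {}
    for line in lines:
        m = MODULE_RE.match(line)
        if m:
            mods[m.group(3).lower()] = (int(m.group(1), 16), int(m.group(2), 16))
    return mods

def frame_rvas(lines, modules, name):
    """Offset (address - load base) of every stack frame that lies in module `name`."""
    base, size = modules[name.lower()]
    rvas = []
    for line in lines:
        m = FRAME_RE.match(line)
        if not m or m.group(2).lower() != name.lower():
            continue  # frame in another module, or a wrapped/unrelated line
        addr = int(m.group(1), 16)
        if not base <= addr < base + size:
            # The module list belongs to a different run than the stack trace.
            raise ValueError(f"{addr:08X} is outside {name}; module list does not match this crash")
        rvas.append(addr - base)
    return rvas

def rebase(rva, local_base):
    """Address to enter in the Disassembly window when the DLL is loaded at local_base."""
    return local_base + rva

# Constructed module list; the base is an assumption, not a value from the question.
MODULES = [": 6BA90000 00047000 ourcompany.dll"]
# Frames copied from crash #214 in the question.
FRAMES = """
  6BAA7271:000000 [6BAA7271] unknown (ourcompany.dll)
  6BA9FA31:000000 [6BA9FA31] unknown (ourcompany.dll)
  76EC3378:000012 [76EC338A] AcquireSRWLockExclusive
""".splitlines()
LOCAL_BASE = 0x10000000  # assumed: base shown in the local Modules window

if __name__ == "__main__":
    for rva in frame_rvas(FRAMES, parse_modules(MODULES), "ourcompany.dll"):
        print(f"offset 0x{rva:05X} -> local address 0x{rebase(rva, LOCAL_BASE):08X}")
```

The offsets only resolve to the right source lines when the local DLL and PDB are the exact build the client ran.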
