Does the VS disassembly window show the whole EXE?

StackOverflow https://stackoverflow.com/questions/493534

  •  20-08-2019
  •  | 
  •  

Question

A client is running my company's program and it is halting before it gets anywhere. They sent this information from the Windows Event Log:

faulting module program.exe, version 1.2.3.4, fault address 0x00054321.

We don't have much else to go on so as a last ditch effort I've been trying to see if I can find where that position is in a disassembler. I run the program through Visual Studio, pause it, look at the Disassembly window and try scrolling to that address but all I get there is this:

00054321  ???              
00054322  ???              
00054323  ???              
00054324  ???              
00054325  ???              
00054326  ???              
00054327  ???              
00054328  ???              
00054329  ???              
0005432A  ???

Would this be because Visual Studio only disassembles part of the EXE near the pause position or something? It's hard for me to look through how much is actually disassembled because the scrollbar doesn't work fully. (I can't grab and move the scroll position; I have to scroll by line or by page.)

Thanks for any insight you may have!

Was it helpful?

Solution

The fault address could also be caused from a stack corruption problem, ie. the return address could be compromised and jumped back to the wrong address @ 0x54321. Also, depending on the tecnology used (Java, .NET) the code could change it's position between runs.

Visual studio makes a disassembly of the whole process space. ???? means that the position is not accessible.

You'd better need a stack-frame to see what's happening, from a core dump.

OTHER TIPS

WinDbg may be your friend here, there you can load your executable and the symbols (.pdb), if you can get a (mini)dump as QbProg says that would definitely ease the search. But I have had experiences when it was easier doing this in WinDbg.

What are you expecting to see in the disassembly window? This approach is not going to work. If you are able to rebuild the exact same build configuration of that your client is running then you can enable the /MAP option in the project's link options. This will create a file that maps symbols to addresses and will allow you to see which function was executing when the crash occurred. You may have to do a bit of calculation to offset the raw mapped address against the address the module was loaded at on the client's PC.

As Fredrik says, WinDbg may be able to help too, especially if you can get a crash dump from your client's PC.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top