Decode sys calls? - c++

How do you find out what number each sys call is? Like on SP3 ZwCreateFile is
ZwCreateFile:
mov eax, 0x25
mov edx, 0x7ffe0300
call [edx]
retn 0x2c
How do you find out that ZwCreateFile is 0x25?

Windows System Call Table (NT/2000/XP/2003/Vista) says that NtCreateFile (the same function as ZwCreateFile, see MSDN and many others) is
Windows NT:    SP3 0x17, SP4 0x17, SP5 0x17, SP6 0x17
Windows 2000:  SP0 0x20, SP1 0x20, SP2 0x20, SP3 0x20, SP4 0x20
Windows XP:    SP0 0x25, SP1 0x25, SP2 0x25
W2K3:          SP0 0x27, SP1 0x27
Vista:         SP0 0x3b
You can easily discover these for yourself by dumping the syscall table nt!KiServiceTable using kd or WinDbg.
Information from the Sysinternals forums.

Have your compiler generate a map file. The map file contains function names and their locations (offsets, addresses or both). Search the map file for an address and you should come up with a name for that address.
In your example, ZwCreateFile is not 0x25. The processor dereferences the {pointer} value in edx and uses that value as the address for ZwCreateFile. The address of ZwCreateFile cannot be obtained from the assembly language you posted. The address of ZwCreateFile is stored in location 0x7ffe0300, which must have been initialized before this assembly language fragment.
Again, consult your map file.
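Decoding the stub from the question byte by byte shows which operand is the number that the system call table above lists for NtCreateFile, and the same pattern check flags a stub whose first bytes have been overwritten. This is an added example, not code from any of the posts; the byte arrays are constructed from the four instructions in the question, and the names decode_stub, STUB_SAMPLE and STUB_PATCHED are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What one 32-bit ntdll stub of the form shown in the question contains. */
struct stub_info {
    uint32_t service_index; /* immediate loaded into EAX: index into the service table */
    uint32_t dispatch_ptr;  /* immediate loaded into EDX: where the stub calls through */
    uint16_t arg_bytes;     /* operand of retn: bytes of arguments removed from the stack */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *out if code matches
 *   mov eax, imm32 / mov edx, imm32 / call [edx] / retn [imm16]
 * and -1 otherwise (truncated buffer, or bytes that are not this pattern). */
int decode_stub(const uint8_t *code, size_t len, struct stub_info *out)
{
    if (len < 13)
        return -1;
    if (code[0] != 0xB8 || code[5] != 0xBA)        /* mov eax / mov edx */
        return -1;
    if (code[10] != 0xFF || code[11] != 0x12)      /* call dword ptr [edx] */
        return -1;

    out->service_index = le32(code + 1);
    out->dispatch_ptr = le32(code + 6);

    if (code[12] == 0xC3) {                        /* retn with no operand */
        out->arg_bytes = 0;
        return 0;
    }
    if (code[12] == 0xC2 && len >= 15) {           /* retn imm16 */
        out->arg_bytes = (uint16_t)(code[13] | (code[14] << 8));
        return 0;
    }
    return -1;
}

/* Constructed: the four instructions from the question, assembled by hand. */
static const uint8_t STUB_SAMPLE[] = {
    0xB8, 0x25, 0x00, 0x00, 0x00,   /* mov eax, 0x25       */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 0x7ffe0300 */
    0xFF, 0x12,                     /* call [edx]          */
    0xC2, 0x2C, 0x00                /* retn 0x2c           */
};

/* Constructed: same stub with its first five bytes replaced by a jmp rel32. */
static const uint8_t STUB_PATCHED[] = {
    0xE9, 0x10, 0x20, 0x30, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x2C, 0x00
};

int main(void)
{
    struct stub_info si;

    if (decode_stub(STUB_SAMPLE, sizeof STUB_SAMPLE, &si) == 0)
        printf("service 0x%x, dispatch via 0x%08x, %u argument bytes\n",
               (unsigned)si.service_index, (unsigned)si.dispatch_ptr,
               (unsigned)si.arg_bytes);
    if (decode_stub(STUB_PATCHED, sizeof STUB_PATCHED, &si) != 0)
        printf("patched stub does not match the expected pattern\n");
    return 0;
}
```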

Related

Loading a custom kernel causes VM to constantly reboot

I am working on a custom 32-bit OS, and I have coded a bare bones bootloader. I am trying to make it load a simple kernel that puts a char onto the screen, however, instead of getting the char I get a triple fault (maybe?)
I've tried increasing the number of sectors read, the number of 'db 0's in my extended program, tampering with the compilation script...
Nothing, however, my OS also prints the letter 'H' if it succeeds in reading the disk, and sometimes when I increase the number of sectors to something exponential, the VM doesn't restart, but the disk isn't read successfully.
Github: https://github.com/Nutty000/Broken-OS
"BROKEN-OS", you say?
Your GitHub ldr.asm file has many errors.
The Boot Sector and BPB Structure uses all the wrong data sizes! No wonder your VM gets all confused.
                                                should be
                                                ---------
OEMIdentifier           db "POSv0.10"
BytesPerSector          dd 512                  DW
SectorsPerCluster       db 1
ReservedSectors         db 32                   DW
NumberOfFATs            db 2
NUmberOfRootDirEntries  db 224                  DW
NumberOfSectors         dd 2880                 DW
MediaDescriptorType     db 0xf0
SectorsPerFAT           db 9                    DW
SectorsPerTrack         db 18                   DW
NumberOfSides           db 2                    DW
HiddenSectors           db 0                    DD
LargeSectorCount        db 0                    DD
DriveNumber             db 0x00
                        db 0
Signature               db 0x29
VolumeID                db 0x00, 0x00, 0x00, 0x00
VolumeLabel             db "POSBOOTDSK "
SystemIdentifier        db "FAT12 "
jmp short mbrcodestart
This short jump is encoded with 2 bytes, but the above mentioned structure must begin at offset 3 in your bootsector. You need to pad with a nop instruction, or force a near (non-short) jmp.
jmp short mbrcodestart
nop
The fact of storing a capital "H" as the first byte of your [ExtendedSpace] that you later jump to was a bad idea, but luckily for you that will not pose a problem as that particular encoding 72 happens to correspond to a valid one-byte instruction dec ax.
There's also:
not setting up the segment registers yourself
not setting up a stack in a safe place where the additional sectors can't overwrite it
ignoring the BH and BL parameters of the BIOS.Teletype call
not inspecting the carry flag that you get from the int 13h call
reading many sectors at once instead of the more reliable method of using a loop of reading individual sectors. (Some real-world BIOSes are somewhat broken; using only the simplest functionality will let your bootloader work even on such machines. See also Michael Petch's general tips for bootloaders.)
...
All of this happens even before diving into protected mode. First make sure the real mode part works fine before attempting to go further.
There are many good answers on this forum that deal with these issues:
Bootloader doesn't jump to kernel code
My OS is showing weird characters
Your current ldr.asm for reference:
[org 0x7c00]
jmp short mbrcodestart
OEMIdentifier db "POSv0.10"
BytesPerSector dd 512
SectorsPerCluster db 1
ReservedSectors db 32
NumberOfFATs db 2
NUmberOfRootDirEntries db 224
NumberOfSectors dd 2880
MediaDescriptorType db 0xf0 ;3.5 Inch Double-Sided HD Floppy disk(1.44MB or 2.88MB) should work with single-sided ones as well, maybe even 5.25 inch diskettes
SectorsPerFAT db 9
SectorsPerTrack db 18
NumberOfSides db 2
HiddenSectors db 0
LargeSectorCount db 0
;EBPB
DriveNumber db 0x00 ;Floppy Disk
db 0 ;Reserved
Signature db 0x29
VolumeID db 0x00, 0x00, 0x00, 0x00
VolumeLabel db "POSBOOTDSK "
SystemIdentifier db "FAT12 "
mbrcodestart:
mov bx, POSBL_WelcomeString
call print16
call read16
mov ah, 0x0e
mov al, [ExtendedSpace]
int 0x10
jmp ExtendedSpace
POSBL_WelcomeString:
db "PlanetOS BootLoader (POSBL) v0.1 (limited compatability)",0
print16:
mov ah, 0x0e
loop:
mov al, [bx]
cmp al, byte 0
je exit
int 0x10
inc bx
jmp loop
exit:
ret
ExtendedSpace equ 0x7e00
read16:
mov ah, 0x02
mov al, 20
mov bx, ExtendedSpace
mov ch, 0x00
mov cl, 0x02
mov dh, 0x00
mov dl, 0x00
int 0x13
ret
times 510-($-$$) db 0
dw 0xaa55
The first instruction executed after jmp ExtendedSpace is db 'H' i.e. not code
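A host-side check of the layout problems listed in the answer, as an added example that is not part of the thread or of the Broken-OS repository: it lays the same fields out twice in a 512-byte buffer, once with the data sizes from the quoted ldr.asm and once with the corrected sizes plus the nop, then reads them back at the fixed offsets a FAT12 boot sector uses. The function names, the flag names and the jump displacement 0x3C are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Problems check_boot_sector() can report (names made up for this example). */
enum {
    BPB_BAD_JUMP     = 1 << 0, /* not "EB xx 90" (jmp short + nop) or "E9 xx xx" */
    BPB_BAD_SECTSIZE = 1 << 1, /* word at offset 11 is not 512/1024/2048/4096 */
    BPB_BAD_CLUSTER  = 1 << 2, /* byte at offset 13 is 0 or not a power of two */
    BPB_BAD_FATS     = 1 << 3, /* byte at offset 16 is 0 */
    BPB_BAD_EBPB_SIG = 1 << 4, /* byte at offset 38 is not 0x29 */
    BPB_BAD_BOOT_SIG = 1 << 5  /* bytes 510..511 are not 55 AA */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Read the fields at their fixed offsets, the way a FAT driver would. */
unsigned check_boot_sector(const uint8_t *s)
{
    unsigned bad = 0;
    uint16_t bps = le16(s + 11);
    uint8_t spc = s[13];

    if (!((s[0] == 0xEB && s[2] == 0x90) || s[0] == 0xE9))
        bad |= BPB_BAD_JUMP;
    if (bps != 512 && bps != 1024 && bps != 2048 && bps != 4096)
        bad |= BPB_BAD_SECTSIZE;
    if (spc == 0 || (spc & (spc - 1)) != 0)
        bad |= BPB_BAD_CLUSTER;
    if (s[16] == 0)
        bad |= BPB_BAD_FATS;
    if (s[38] != 0x29)
        bad |= BPB_BAD_EBPB_SIG;
    if (s[510] != 0x55 || s[511] != 0xAA)
        bad |= BPB_BAD_BOOT_SIG;
    return bad;
}

/* Append v as an n-byte little-endian value, like NASM db/dw/dd. */
static size_t put(uint8_t *s, size_t p, uint32_t v, int n)
{
    for (int i = 0; i < n; i++)
        s[p++] = (uint8_t)(v >> (8 * i));
    return p;
}

/* fixed == 0: sizes as in the quoted ldr.asm; fixed != 0: corrected sizes. */
void build_sector(uint8_t *s, int fixed)
{
    size_t p = 0;

    memset(s, 0, 512);
    s[p++] = 0xEB;                        /* jmp short mbrcodestart */
    s[p++] = 0x3C;                        /* constructed displacement */
    if (fixed)
        s[p++] = 0x90;                    /* nop pads the jump to 3 bytes */
    memcpy(s + p, "POSv0.10", 8);         /* OEMIdentifier */
    p += 8;
    p = put(s, p, 512, fixed ? 2 : 4);    /* BytesPerSector */
    p = put(s, p, 1, 1);                  /* SectorsPerCluster */
    p = put(s, p, 32, fixed ? 2 : 1);     /* ReservedSectors */
    p = put(s, p, 2, 1);                  /* NumberOfFATs */
    p = put(s, p, 224, fixed ? 2 : 1);    /* NUmberOfRootDirEntries */
    p = put(s, p, 2880, fixed ? 2 : 4);   /* NumberOfSectors */
    p = put(s, p, 0xF0, 1);               /* MediaDescriptorType */
    p = put(s, p, 9, fixed ? 2 : 1);      /* SectorsPerFAT */
    p = put(s, p, 18, fixed ? 2 : 1);     /* SectorsPerTrack */
    p = put(s, p, 2, fixed ? 2 : 1);      /* NumberOfSides */
    p = put(s, p, 0, fixed ? 4 : 1);      /* HiddenSectors */
    p = put(s, p, 0, fixed ? 4 : 1);      /* LargeSectorCount */
    p = put(s, p, 0x00, 1);               /* DriveNumber */
    p = put(s, p, 0, 1);                  /* reserved */
    put(s, p, 0x29, 1);                   /* Signature */
    s[510] = 0x55;                        /* dw 0xaa55 */
    s[511] = 0xAA;
}

int main(void)
{
    uint8_t sec[512];

    for (int fixed = 0; fixed <= 1; fixed++) {
        build_sector(sec, fixed);
        printf("%s layout: flags 0x%02x, BytesPerSector reads as %u\n",
               fixed ? "corrected" : "ldr.asm", check_boot_sector(sec),
               (unsigned)le16(sec + 11));
    }
    return 0;
}
```

With the ldr.asm sizes only NumberOfFATs still lands on its expected offset (16), and that is a coincidence of the shifted layout.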

How to correctly use On Error Goto for different HRESULT values

I am trying to read a file. The call is from VB to CPP dll.
Here is my sample code snippet
VB CALL
Private Sub ReadFile(...)
    On Error GoTo Problem
    Dim errorString As String
    Sample.ReadFile basepath, filename, register, errorString
    GoTo Completed
Problem:
    WriteToLogFile basepath + filename + errorString ' error string contains the formatted HRESULT message from the C++ DLL
Completed:
End Sub
My CPP function:
HRESULT ReadFile(...)
{
    hr = actualread(...);
    if (FAILED(hr))
    {
        return E_FAIL; // reported to VB as "Unspecified error"
    }
    return hr;
}
If I change E_FAIL to ERROR_FILE_NOT_FOUND VB is not logging the error message.
The E_FAIL message description is Unspecified error. Which does not help the user much.
It logs E_POINTER,E_HANDLE etc anything that starts with E_ not with ERROR_
COM specifies which values in a HRESULT are treated as errors, and which aren't. To quote from Structure of COM Error Codes:
The high-order bit in the HRESULT or SCODE indicates whether the return value represents success or failure. If set to 0, SEVERITY_SUCCESS, the value indicates success. If set to 1, SEVERITY_ERROR, it indicates failure.
The E_ constants are designed to be used this way, and have appropriate values to ensure they get treated as errors. The ERROR_ constants are not, they are meant for a different convention for reporting errors.
As WhozCraig pointed out in the comments, there is a HRESULT_FROM_WIN32 function you can use to convert a Win32 error code to a HRESULT.
Decoding Errors
-2147220978 style numbers are 32 bit signed integers, convert to hex with calculator.
Windows errors (smallish numbers) and COM HResults (typically, but with exceptions, start with an 8 as in 0x80040154) are defined in WinError.h, except 8007nnnn where you look up the Windows error number that it contains.
As a general rule Windows errors are less than 65,535 (0xFFFF). Errors starting 0x80000001 are Component Object Model (COM) HResults. Errors starting 0xC0000001 are NTStatus results. Errors starting 0xD0000001 are also NTStatus values returned in a HResult.
WinError - Returned from Windows API Calls
HResult - Returned from COM calls
NTStatus - Returned from kernel and some API calls also return when encountering a kernel error.
NTStatus errors (typically but not always start with an C as in 0xC0000022) are defined in NTStatus.h.
.h files are the best source because they include the symbolic name of the error, which can give clues such as the source of the error. FormatMessage doesn't give the symbolic name, only the description.
You get these files by downloading the Platform SDK (it's gigabytes)
http://www.microsoft.com/en-us/download/details.aspx?id=8279
If you just want the two files I have them on my skydrive so I can reference them anywhere I go.
https://skydrive.live.com/redir?resid=E2F0CE17A268A4FA!121
Note internet errors (12,000 - 12,999) are windows errors but are specified in wininet.h also available above.
There are errors defined in other .h files. But 99% are in the three above.
Structure of HResults and NTStatus Codes
The most significant bit in HResults, and the two most significant bits in NTStatus are set on error. Hence Hresults start 8 on error and NTStatus starts C on Error. The next 14 or 15 bits are reserved and some specify the facility - what area the error is in. This is the third and fourth number when reading hex. EG 0xnn07nnnn - An HResult facility code 7 is a normal Windows' error (returned from a COM program - hence it's returned as a HResult). Facility codes are defined in Winerror.h for HResults and NTStatus.h for NTStatus codes. They are different.
To Decode 0x8003nnnn Errors
HResults with facility code 3 means the HResult contains OLE Structured Storage errors (0x0 to 0xff). These are the same as Dos error codes. These don't seem to be in Windows' header files and the list of codes is at the end of this post.
To Decode 0x8004nnnn Errors
HResults with facility code 4 means the HResult contains OLE errors (0x0 to 0x1ff) while the rest of the range (0x200 onwards) is component specific errors so 20e from one component will have a different meaning to 20e from another component.
This is why the source of the error is extra important for errors above 0x80040200.
To Decode 0x8007nnnn Errors
HResults with facility code 7 means the HResult contains a Windows' error code. You have to look up the Windows' error code not the HResult.
To decode 0x80070002: the 0x means it's a hexadecimal number, the 8 means error, the first 7 means it's a Windows error, and the rest of the number, 2, is the actual Windows error.
To look up the error we need it in decimal format. Start Calculator (Start - All Programs - Accessories - Calculator) and choose View menu - Scientific, then View menu - Hex. Enter 2. Then View menu - Decimal. It will say 2.
Start a Command Prompt (Start - All Programs - Accessories - Command Prompt) and type
net helpmsg 2
and it will say
The system cannot find the file specified.
or look it up in winerror.h
//
// MessageId: ERROR_FILE_NOT_FOUND
//
// MessageText:
//
// The system cannot find the file specified.
//
#define ERROR_FILE_NOT_FOUND 2L
To Decode 0x8019nnnn Errors
HResults with facility 0x19 are HTTP errors. Codes under 16,384 (0x4000) are the same as HTTP errors, eg HTTP status 404: The requested URL does not exist on the server is 0x80190194 (0x194 = 404). Codes 16,384 and higher are BITS specific.
To Decode 0xDnnnnnnn Errors
HResults starting 0xD are an HResult with a NTStatus value in it. Just change the lead D to a C and treat as an NTStatus (Hresult = NTStatus OR 0x10000000).
Dos Error Codes (for 0x8003nnnn errors)
Code Message
01 Invalid function number
02 File not found
03 Path not found
04 Too many open files (no handles left)
05 Access denied
06 Invalid handle
07 Memory control blocks destroyed
08 Insufficient memory
09 Invalid memory block address
0A Invalid environment
0B Invalid format
0C Invalid access mode (open mode is invalid)
0D Invalid data
0E Reserved
0F Invalid drive specified
10 Attempt to remove current directory
11 Not same device
12 No more files
13 Attempt to write on a write-protected diskette
14 Unknown unit
15 Drive not ready
16 Unknown command
17 CRC error
18 Bad request structure length
19 Seek error
1A Unknown media type
1B Sector not found
1C Printer out of paper
1D Write fault
1E Read fault
1F General failure
20 Sharing violation
21 Lock violation
22 Invalid disk change
23 FCB unavailable
24 Sharing buffer overflow
25 Reserved
26 Unable to complete file operation (DOS 4.x)
27-31 Reserved
32 Network request not supported
33 Remote computer not listening
34 Duplicate name on network
35 Network name not found
36 Network busy
37 Network device no longer exists
38 NetBIOS command limit exceeded
39 Network adapter error
3A Incorrect network response
3B Unexpected network error
3C Incompatible remote adapter
3D Print queue full
3E No space for print file
3F Print file deleted
40 Network name deleted
41 Access denied
42 Network device type incorrect
43 Network name not found
44 Network name limit exceeded
45 NetBIOS session limit exceeded
46 Temporarily paused
47 Network request not accepted
48 Print or disk redirection is paused
49-4F Reserved
50 File already exists
51 Reserved
52 Cannot make directory entry
53 Fail on INT 24
54 Too many redirections
55 Duplicate redirection
56 Invalid password
57 Invalid parameter
58 Network device fault
59 Function not supported by network (DOS 4.x)
5A Required system component not installed (DOS 4.x)
Facility Codes
NTStatus Facilities                 HResults Facilities
Common status values     0x0        Null                      0x0
Debugger                 0x1        Rpc                       0x1
Rpc_runtime              0x2        Dispatch                  0x2
Rpc_stubs                0x3        Storage                   0x3
Io_error_code            0x4        Itf                       0x4
Various drivers          0x5-0xf    Win32                     0x7
Ntwin32                  0x7        Windows                   0x8
Ntsspi                   0x9        Sspi                      0x9
Terminal_server          0xa        Security                  0x9
Facility_mui_error_code  0xb        Control                   0xa
Usb_error_code           0x10       Cert                      0xb
Hid_error_code           0x11       Internet                  0xc
Firewire_error_code      0x12       Mediaserver               0xd
Cluster_error_code       0x13       Msmq                      0xe
Acpi_error_code          0x14       Setupapi                  0xf
Sxs_error_code           0x15       Scard                     0x10
Transaction              0x19       Complus                   0x11
Commonlog                0x1a       Aaf                       0x12
Video                    0x1b       Urt                       0x13
Filter_manager           0x1c       Acs                       0x14
Monitor                  0x1d       Dplay                     0x15
Graphics_kernel          0x1e       Umi                       0x16
Driver_framework         0x20       Sxs                       0x17
Fve_error_code           0x21       Windows_ce                0x18
Fwp_error_code           0x22       Http                      0x19
Ndis_error_code          0x23       Usermode_commonlog        0x1a
Hypervisor               0x35       Usermode_filter_manager   0x1f
Ipsec                    0x36       Backgroundcopy            0x20
Maximum_value            0x37       Configuration             0x21
                                    State_management          0x22
                                    Metadirectory             0x23
                                    Windowsupdate             0x24
                                    Directoryservice          0x25
                                    Graphics                  0x26
                                    Shell                     0x27
                                    Tpm_services              0x28
                                    Tpm_software              0x29
                                    Pla                       0x30
                                    Fve                       0x31
                                    Fwp                       0x32
                                    Winrm                     0x33
                                    Ndis                      0x34
                                    Usermode_hypervisor       0x35
                                    Cmi                       0x36
                                    Windows_defender          0x50
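The decoding rules from the two answers above (severity bit, facility, 0x8007nnnn wrapping a Windows error, 0xDnnnnnnn wrapping an NTStatus, and the Win32-to-HRESULT conversion) collected into one portable decoder. This is an added example, not code from either answer; the names decode, hr_failed and hr_from_win32 are made up here, and classifying a bare number by its leading hex digit is the heuristic from the post, not something the value itself guarantees.

```c
#include <stdint.h>
#include <stdio.h>

enum code_kind {
    KIND_WIN32,         /* plain Windows error, 0xFFFF or below */
    KIND_HRESULT,       /* failing HRESULT, any facility except 7 */
    KIND_HRESULT_WIN32, /* 0x8007nnnn: HRESULT carrying a Windows error */
    KIND_HRESULT_NT,    /* 0xDnnnnnnn: HRESULT carrying an NTStatus */
    KIND_NTSTATUS,      /* 0xCnnnnnnn */
    KIND_OTHER          /* anything the rules in the post do not cover */
};

struct decoded {
    enum code_kind kind;
    uint32_t facility;  /* facility field of the HRESULT or NTStatus */
    uint32_t code;      /* low 16 bits */
    uint32_t inner;     /* wrapped Windows error or NTStatus, else 0 */
};

/* Same test as the FAILED() macro: the high-order bit marks failure. */
int hr_failed(uint32_t hr)
{
    return (hr & 0x80000000u) != 0;
}

/* Portable equivalent of HRESULT_FROM_WIN32: zero and values that already
 * have the failure bit pass through, anything else gets facility 7. */
uint32_t hr_from_win32(uint32_t err)
{
    if (err == 0 || hr_failed(err))
        return err;
    return 0x80000000u | (7u << 16) | (err & 0xFFFFu);
}

struct decoded decode(uint32_t v)
{
    struct decoded d = { KIND_OTHER, (v >> 16) & 0x7FFu, v & 0xFFFFu, 0 };
    uint32_t lead = v >> 28;                 /* first hex digit */

    if (v <= 0xFFFFu) {
        d.kind = KIND_WIN32;
        d.facility = 0;
    } else if (lead == 0xC) {
        d.kind = KIND_NTSTATUS;
        d.facility = (v >> 16) & 0xFFFu;     /* NTStatus facility is 12 bits */
    } else if (lead == 0xD) {
        d.kind = KIND_HRESULT_NT;
        d.inner = v & ~0x10000000u;          /* lead D becomes lead C */
        d.facility = (d.inner >> 16) & 0xFFFu;
    } else if (hr_failed(v)) {
        if (d.facility == 7) {
            d.kind = KIND_HRESULT_WIN32;
            d.inner = d.code;                /* look this up, not the HRESULT */
        } else {
            d.kind = KIND_HRESULT;
        }
    }
    return d;
}

int main(void)
{
    /* Constructed inputs taken from values quoted in the posts. */
    uint32_t samples[] = { (uint32_t)(-2147220978), 0x80070002u, 0x80190194u,
                           0xD0000022u, 0xC0000005u, 2u };

    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct decoded d = decode(samples[i]);
        printf("0x%08x kind=%d facility=0x%x code=0x%x inner=0x%x\n",
               (unsigned)samples[i], (int)d.kind, (unsigned)d.facility,
               (unsigned)d.code, (unsigned)d.inner);
    }
    /* Returning ERROR_FILE_NOT_FOUND (2) directly leaves the failure bit clear. */
    printf("failed(2)=%d failed(hr_from_win32(2))=%d\n",
           hr_failed(2u), hr_failed(hr_from_win32(2u)));
    return 0;
}
```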

CreateProcess to execute batch file

In a Windows Application I created I am attempting to run a batch file that points to a .vbs. It runs the vbs script but it does not modify the registry as needed. However, if I run the batch file manually it functions properly. Does anyone have any insight as to what could be the issue? I thought it was permissions but why would it matter if I manually click on the batch file or if my program opens it? Regardless, I have modified the batch file to try to run as admin but nothing online seems to work.
It says nowhere that CreateProcess can run batch files. As batch files aren't programs CreateProcess can't do anything with it. CMD.exe executes batch files.
YOU WOULD HAVE KNOWN THIS BY TESTING THE RETURN VALUE and by reading the Docs
From Help
Return Value
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
Also from Help
To run a batch file, you must start the command interpreter; set lpApplicationName to cmd.exe and set lpCommandLine to the name of the batch file.
This is What You are Doing Wrong
1. You have a bizarre program design.
Any program can prompt for user input and write to the registry. You are writing a program that will have at least four different ways of writing the registry (.NET, WSH, WMI, API). Then you run a batch that has two ways of writing the registry (WMI and reg.exe). Then a vbs file with two ways (WMI, WSH).
2. You do not test for errors.
You must test for errors. The only person with access to the error is YOU. Errors say what happened. You must fix the error or crash. And there is no point asking without the error number, error source, what it was trying to do, and the parameters.
Errors are to be expected. Users do delete or move files for example.
3. You must read the documentation
It has to be open while you program. It explains what you need to tell it for it to behave in certain ways. Just typing random commands (as many here do - they are invalid of course) OR typing random parameters (as you are) doesn't work. If you don't read them you don't know what they mean.
4. Playing helpless
When you get told the answer, you go and look everything up in the documentation, and then google it.
You do not reply with a pathetic "it didn't work". You post the error number, error source, what it was trying to do, and the parameters.

ATmega8 doesn't support JMP instruction

Now I'm writing a bootloader which starts in the middle of memory, but after it finishes I need to go to the main app. I thought to try jmp 0x00, however my chip doesn't support jmp. How should I start the main app?
I would use RJMP:
Relative jump to an address within PC - 2K +1 and PC + 2K (words). In the assembler, labels are used instead of relative operands.
For example:
entry:
rjmp reset
.org 512
reset:
rjmp foo
.org 3072
foo:
rjmp entry
By the way, there are several other jump instructions (RJMP, IJMP, RCALL, ICALL, CALL, RET, RETI etc.) See this relevant discussion.
Well take a look into RET instruction. It returns to previous location, so you can try:
push 0x00
push 0x00
ret
This should work because while entering into any function you push your current location, and RET makes you go back.
As far as I remember ATmega8 has a 16-bit address line, but if I'm not right you may need more push 0x00
why not simply use IJMP?
set Z to 0x00 and use IJMP. may be faster than 2xpush and ret
EOR R30, R30 ; clear ZL
EOR R31, R31 ; clear ZH
IJMP ; set PC to Z
should be 4 cycles and 3 instruction words (6 Bytes program memory)

C++ exception "The thread tried to read from or write to a virtual address for which it does not have the appropriate access."

In an effort to track down some hard to reproduce crashes I've configured the UnhandledExceptionFilter to create mini-dump files as described here: Debugging Custom Filters For Unhandled Exceptions and Effective Minidumps
The dumps are being successfully captured but I'm not having much luck interpreting the stack information. In the hope that someone else will have experienced something similar I'll provide as many details as I can below. Sorry if this question ends up being a little verbose as a result.
Visual Studio provides the following dump summary:
Dump Summary
------------
Dump File: MiniDump.dmp
Last Write Time: 15/08/2012 22:07:22
Process Name: Server.exe : C:\Project\Server.exe
Process Architecture: x86
Exception Code: 0xC0000005
Exception Information: The thread tried to read from or write to a virtual address for which it does not have the appropriate access.
Heap Information: Not Present
System Information
------------------
OS Version: 6.1.7601
CLR Version(s):
Modules
-------
Module Name Module Path Module Version
----------- ----------- --------------
Server.exe C:\Project\Server.exe 1.0.0.1
ntdll.dll C:\Windows\SysWOW64\ntdll.dll 6.1.7601.17725
kernel32.dll C:\Windows\SysWOW64\kernel32.dll 6.1.7601.17651
KERNELBASE.dll C:\Windows\SysWOW64\KERNELBASE.dll 6.1.7601.17651
mysqlpp_d.dll C:\Projects\Ken11\bin\debug\mysqlpp_d.dll 0.0.0.0
wsock32.dll C:\Windows\System32\wsock32.dll 6.1.7600.16385
ws2_32.dll C:\Windows\SysWOW64\ws2_32.dll 6.1.7601.17514
msvcrt.dll C:\Windows\SysWOW64\msvcrt.dll 7.0.7601.17744
libmySQL.dll C:\Projects\Ken11\bin\debug\libmySQL.dll 0.0.0.0
user32.dll C:\Windows\SysWOW64\user32.dll 6.1.7601.17514
advapi32.dll C:\Windows\SysWOW64\advapi32.dll 6.1.7601.17514
msvcp90d.dll C:\Projects\Ken11\bin\debug\Microsoft.VC90.DebugCRT\msvcp90d.dll 9.0.21022.8
msvcr90d.dll C:\Projects\Ken11\bin\debug\Microsoft.VC90.DebugCRT\msvcr90d.dll 9.0.21022.8
mfc90d.dll C:\Projects\Ken11\bin\debug\Microsoft.VC90.DebugMFC\mfc90d.dll 9.0.21022.8
dbghelp.dll C:\Windows\System32\dbghelp.dll 6.1.7601.17514
mswsock.dll C:\Windows\System32\mswsock.dll 6.1.7601.17514
wininet.dll C:\Windows\SysWOW64\wininet.dll 8.0.7601.17785
rasman.dll C:\Windows\System32\rasman.dll 6.1.7600.16385
devobj.dll C:\Windows\SysWOW64\devobj.dll 6.1.7601.17621
Looking at the stack of the thread where the exception occurred we get the following extremely short call stack:
msvcr90d.dll!6d69f824()
[Frames below may be incorrect and/or missing, no symbols loaded for msvcr90d.dll]
--> Server.exe!CServer::LoadPageList() Line 269 + 0x28 bytes C++
cccccccc()
All the correct threads in the application have nice clean stacks showing calls all the way back to __RtlUserThreadStart E.g:
mswsock.dll!_WSPRecv#36() + 0x34ff bytes
ws2_32.dll!_WSARecv#28() + 0x71 bytes
wsock32.dll!_recv#16() + 0x33 bytes
>libmySQL.dll!008aaa2f()
[Frames below may be incorrect and/or missing, no symbols loaded for libmySQL.dll]
libmySQL.dll!008aac0d()
libmySQL.dll!008a34d7()
libmySQL.dll!008a30d2()
libmySQL.dll!0084be35()
libmySQL.dll!00851572()
libmySQL.dll!00851c2b()
Server.exe!CServer::logStatusToDB(AsynchStatus_T * pStatus=0x04f18170) Line 1717 C++
Server.exe!CServer::checkStatus(AsynchStatus_T * pStatus=0x04f18170) Line 2145 C++
Server.exe!CThread::ControllingFunction(void * lpParameter=0x03fffe08) Line 1280 + 0xf bytes C++
kernel32.dll!#BaseThreadInitThunk#12() + 0x12 bytes
ntdll.dll!___RtlUserThreadStart#8() + 0x27 bytes
ntdll.dll!__RtlUserThreadStart#8() + 0x1b bytes
How could the lower portion of the crashed thread's stack get replaced by 0xCCCCCCCC?
For completeness here is the disassembly of the frame Server.exe!CServer::LoadPageList() Line 269 + 0x28 bytes
00453217 mov byte ptr [ebp-4],0
0045321B mov esi,esp
0045321D lea ecx,[ebp-104h]
00453223 call dword ptr [__imp_ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > (6DA994h)]
00453229 cmp esi,esp
0045322B call _RTC_CheckEsp (690D20h)
00453230 mov dword ptr [ebp-4],0FFFFFFFFh
00453237 mov esi,esp
00453239 lea ecx,[ebp-20h]
0045323C call dword ptr [__imp_ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >::~CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > (6DA994h)]
00453242 cmp esi,esp
00453244 call _RTC_CheckEsp (690D20h)
00453249 push edx
0045324A mov ecx,ebp
0045324C push eax
0045324D lea edx,[ (45327Ch)]
00453253 call _RTC_CheckStackVars (690D50h)
00453258 pop eax <<<=== exception refers to this line
00453259 pop edx
0045325A mov ecx,dword ptr [ebp-0Ch]
0045325D mov dword ptr fs:[0],ecx
00453264 pop ecx
00453265 pop edi
Update
Completely forgot to include the function source (thanks Joachim):
void CServer::LoadPageList()
{
    CString header;
    header.Format("Accept: text/plain, */*; q=0.01\r\n");
    _pSession->setHttpHeader (header);
    _pSession->ReadPage (_T("/Pages"), true);
    SaveTimeStampedFile ("Pages.txt");
}
The strange thing is that all of the operations in the function LoadPageList complete successfully, the crash seems to happen after the string's destructor is called just before returning from this stack frame.