
Crash Debugging Win32 Application

I'm spending a lot of time doing crash debugging of Win32 apps. One thing I'm very curious to know is how to find whether an address belongs to the stack, the heap, or the program's code section. Is there any WinDbg/OllyDbg plugin available for this purpose? Or do I have to do it manually from the memory map? Ex:

0:000> r
eax=00930264 ebx=008e0000 ecx=41414592 edx=00930000 esi=41414141 edi=008e0441
eip=00407289 esp=0012fae0 ebp=0012faf4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
00407289 8b1437          mov     edx,dword ptr [edi+esi] ds:0023:41cf4582=????????
0:000> u eip
00407289 8b1437          mov     edx,dword ptr [edi+esi]
0040728c 8b4c3704        mov     ecx,dword ptr [edi+esi+4]
00407290 57              push    edi
00407291 e89ae8ffff      call    MyApp+0x5b30 (00405b30)
00407296 897d14          mov     dword ptr [ebp+14h],edi
00407299 5f              pop     edi
0040729a 85c0            test    eax,eax
0040729c 741e            je      MyApp+0x72bc (004072bc)

In this case I want to know which register is pointing to which section (code/stack/heap) so that I can proceed further to the root cause.

Thanks in Advance.


0:000> ?@esi+@edi
Evaluate expression: 36278408 = 02299088
0:000> !address 02299088
 ProcessParametrs 00311020 in range 00310000 00410000
 Environment 02294848 in range 02290000 02390000
    02290000 : 02290000 - 00100000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   00310000
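The answer above resolves one address at a time with `!address`. The following is an added example, not code from the question, the answer, or WinDbg itself: a small Python script that parses the `r` output from the question and classifies every register against a memory map, then computes the faulting effective address `[edi+esi]` the same way the CPU did. The region bounds in `MEMORY_MAP` are assumptions constructed for the example (in a real session you would take module ranges from `lm`, the stack bounds from `!teb`, and heap segments from `!address` or `!heap -s`); the only values taken from the post are the register dump itself. The `fill_byte` heuristic is also an addition: it flags a register whose four bytes are the same printable character, which is what a value like 0x41414141 looks like when input data has overwritten a pointer.

```python
import re

# Register dump copied from the WinDbg `r` output in the question.
REGISTER_DUMP = """\
eax=00930264 ebx=008e0000 ecx=41414592 edx=00930000 esi=41414141 edi=008e0441
eip=00407289 esp=0012fae0 ebp=0012faf4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
"""

# Constructed memory map (assumptions, not taken from the post). In WinDbg the
# module range comes from `lm`, StackBase/StackLimit from `!teb`, and heap
# segments from `!address` / `!heap -s`. The image base is chosen so that
# MyApp+0x5b30 == 00405b30, as in the disassembly.
MEMORY_MAP = [
    ("image MyApp", 0x00400000, 0x00410000),
    ("stack (thread 0)", 0x00030000, 0x00130000),
    ("heap", 0x008E0000, 0x00980000),
]

# Matches 32-bit registers only: `iopl=0` and the 16-bit segment registers
# (cs=001b ...) are not 8 hex digits and are skipped.
REG_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-fA-F]{8})\b")


def parse_registers(dump):
    """Return {name: value} for every 32-bit register in a WinDbg `r` dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def classify(addr, memory_map=MEMORY_MAP):
    """Name the region containing addr, or 'unmapped' if no region covers it."""
    for name, start, end in memory_map:
        if start <= addr < end:
            return name
    return "unmapped"


def effective_address(regs, base, index, disp=0):
    """Compute base+index+disp with 32-bit wraparound, as the CPU does for [base+index+disp]."""
    return (regs[base] + regs[index] + disp) & 0xFFFFFFFF


def fill_byte(addr):
    """Return the byte if all four bytes of addr are the same printable ASCII
    character (e.g. 0x41414141 -> 0x41), otherwise None. Such a value usually
    means the register was overwritten by input data rather than a real pointer."""
    b = addr.to_bytes(4, "little")
    if len(set(b)) == 1 and 0x20 <= b[0] < 0x7F:
        return b[0]
    return None


def report(dump, memory_map=MEMORY_MAP):
    """Map every general-purpose register in the dump to its region name."""
    return {
        name: classify(value, memory_map)
        for name, value in parse_registers(dump).items()
        if name != "efl"  # flags register is not an address
    }


if __name__ == "__main__":
    regs = parse_registers(REGISTER_DUMP)
    for name, region in report(REGISTER_DUMP).items():
        note = ""
        fb = fill_byte(regs[name])
        if fb is not None:
            note = f"  <- repeated byte {fb:#04x} ({chr(fb)!r})"
        print(f"{name}={regs[name]:08x}  {region}{note}")
    # The faulting instruction was `mov edx,dword ptr [edi+esi]`.
    fault = effective_address(regs, "edi", "esi")
    print(f"[edi+esi] = {fault:08x} -> {classify(fault)}")
```

Run as-is, the script reports eip in the image, esp/ebp on the stack, eax/ebx/edx/edi in the heap, and esi (plus the `[edi+esi]` operand, 41cf4582) as unmapped, which matches the `????????` WinDbg printed for that operand. The same classification step is what `!address` does for one address; keeping your own copy of the map from `lm` and `!teb` lets you run it over all registers at once.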