dump analyze


(以下是 32 位 x86 调用约定下整数/结构体返回值的传递方式,对应本文后面 `ret` 时 EAX 中的值;浮点返回值经 ST(0) 传递,不在此列)
(1)如果返回值不超过4字节,函数将把返回值放入EAX,通过EAX返回
(2)如果返回值等于8字节,函数将把返回值放入EDX:EAX,通过EAX和EDX返回,EDX存储高位4字节,EAX存储低位4字节
(3)如果返回值大于8字节,调用方会先分配存放返回值的缓冲区并把其地址作为隐藏参数传入,函数填充完毕后把该地址放在EAX中返回

0:000> !analyze -v


FAULTING_IP:
+0
00000000 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  00001588

DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

PROCESS_NAME:  EnforcerGUI.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
(注:上面的 HRESULT 一行只是 !analyze 把同一个 0x80000003 按 HRESULT 表查出的文字,与本次异常无关,应以 NTSTATUS 那行为准。ExceptionAddress 为 00000000、FAULTING_IP 为 "+0 ???",而下方 STACK_TEXT 中被选中的线程只是在线程池里等待工作项(ZwWaitForWorkViaWorkerFactory),这更像是手工触发/外部注入断点生成的 dump,而不是真正的崩溃;因此这里的 FAILURE_BUCKET_ID 没有定位价值,应先用 ~*kb 或 !uniqstack 枚举所有线程,再挑选真正需要分析的线程。)

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT

BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT

LAST_CONTROL_TRANSFER:  from 77d244e4 to 77d2f62c

STACK_TEXT:  
045bfa98 77d244e4 00000418 00596380 00000010 ntdll!ZwWaitForWorkViaWorkerFactory+0xc
045bfc34 779d86e3 00594060 045bfc84 77d5be99 ntdll!TppWorkerThread+0x1e3
045bfc40 77d5be99 00594060 943f99ac 00000000 kernel32!BaseThreadInitThunk+0xe
045bfc84 77d5be6c 77d25087 00594060 ffffffff ntdll!__RtlUserThreadStart+0x72
045bfc9c 00000000 77d25087 00594060 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s; .ecxr ; kb

FOLLOWUP_IP:
ntdll!ZwWaitForWorkViaWorkerFactory+c
77d2f62c c21000          ret     10h

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ntdll!ZwWaitForWorkViaWorkerFactory+c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntdll

IMAGE_NAME:  ntdll.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  53645e25

FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_ntdll.dll!ZwWaitForWorkViaWorkerFactory

BUCKET_ID:  APPLICATION_FAULT_STATUS_BREAKPOINT_ntdll!ZwWaitForWorkViaWorkerFactory+c

Followup: MachineOwner
---------

0:000> u 77d244e4 // u:从指定地址开始向后反汇编;这里的地址取自 STACK_TEXT/LAST_CONTROL_TRANSFER 中 TppWorkerThread 的返回地址,即 ZwWaitForWorkViaWorkerFactory 返回后继续执行的位置(首条指令把 EAX 中的 NTSTATUS 存入局部变量)
ntdll!TppWorkerThread+0x1e3:
77d244e4 8945c4          mov     dword ptr [ebp-3Ch],eax
77d244e7 8975fc          mov     dword ptr [ebp-4],esi
77d244ea b9c003fe7f      mov     ecx,offset SharedUserData+0x3c0 (7ffe03c0)
77d244ef 85c0            test    eax,eax
77d244f1 0f85883cfeff    jne     ntdll!TppWorkerThread+0x244 (77d0817f)
77d244f7 2bc3            sub     eax,ebx
77d244f9 0f859f0effff    jne     ntdll!TppWorkerThread+0x24b (77d1539e)
77d244ff 8b01            mov     eax,dword ptr [ecx]
0:000> ub 77d2f62c // ub:反汇编到指定地址为止,向低地址方向回溯;由此可看到 eip 之前的系统调用桩:mov eax,1AAh 装入系统调用号,再经 call dword ptr fs:[0C0h] 进入内核(在 WOW64 进程中 fs:[0C0h] 通常指向 32 位到 64 位的转换代码),返回后才到 eip 处的 ret 10h
ntdll!ZwWaitForKeyedEvent+0xc:
77d2f60c c21000          ret     10h
77d2f60f 90              nop
ntdll!NtWaitForWnfNotifications:
77d2f610 b8a9010000      mov     eax,1A9h
77d2f615 64ff15c0000000  call    dword ptr fs:[0C0h]
77d2f61c c20800          ret     8
77d2f61f 90              nop
ntdll!ZwWaitForWorkViaWorkerFactory:
77d2f620 b8aa010000      mov     eax,1AAh
77d2f625 64ff15c0000000  call    dword ptr fs:[0C0h]


0:000> !teb // 查看当前线程 TEB 的具体内容;下面 dps 所用的地址范围就取自这里的 StackLimit..StackBase(本线程的整个用户栈)
TEB at 7e93c000
    ExceptionList:        045bfc24
    StackBase:            045c0000
    StackLimit:           045be000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7e93c000
    EnvironmentPointer:   00000000
    ClientId:             00001f00 . 00001588
    RpcHandle:            00000000
    Tls Storage:          00591e80
    PEB Address:          7ea67000
    LastErrorValue:       0
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0
0:000> r
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000002 edi=00594060
eip=77d2f62c esp=045bfa9c ebp=045bfc34 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!ZwWaitForWorkViaWorkerFactory+0xc:
77d2f62c c21000          ret     10h


0:000> dps 045be000 045c0000 // dps:按指针大小逐项转储该范围并解析符号;范围即上面 !teb 给出的整个线程栈。注意低于当前 esp(045bfa9c)的内容(如 crypt32/mswsock/gpapi 的 DllMain、_CRT_INIT 等)是以前调用残留的旧数据,并非当前活动栈帧;当前活动帧只有 STACK_TEXT 中列出的那几帧,做栈回溯时不要把这些残留地址当成真实调用链
045be000  00000000

045bef4c  00000000
045bef50  772d10b8 ole32!DllMain+0x44
045bef54  00000000

045befd8  045beff4
045befdc  77d4f317 ntdll!bsearch+0x61
045befe0  045bf03c


045bf790  75de1501 crypt32!DllMain+0xad
045bf794  75de0000 crypt32!__xc_a <PERF> (crypt32+0x0)
045bf798  77b1109e msctf!DllMain+0x3c
045bf79c  77ba10d8 msctf!g_dwThreadDllMain
045bf7a0  00000000

045bf7b4  045bf818
045bf7b8  74e76aca mswsock!_except_handler4
045bf7bc  e63189b2
045bf7c0  fffffffe
045bf7c4  045bf828
045bf7c8  74e51151 mswsock!__DllMainCRTStartup+0x84
045bf7cc  00000002
045bf7d0  74e51183 mswsock!__DllMainCRTStartup+0xaa
045bf7d4  968f611a

045bf7e0  004f2d90
045bf7e4  74ed1170 gpapi!_CRT_INIT+0x2d5
045bf7e8  74ed0000 gpapi!__xc_a <PERF> (gpapi+0x0)
045bf7ec  00000002
045bf7f0  74ed11c8 gpapi!_CRT_INIT+0x445
045bf7f4  9708ef99

045bf810  045bf7d4
045bf814  75660000 advapi32!_sz_CRYPTSP_dll <PERF> (advapi32+0x0)
045bf818  045bf898
045bf81c  74e76aca mswsock!_except_handler4
045bf820  e6318892
045bf824  fffffffe
045bf828  045bf840
045bf82c  74e510bf mswsock!_DllMainCRTStartup+0x1a
045bf830  74e50000 mswsock!__xc_a <PERF> (mswsock+0x0)
045bf834  00000002

045bf844  00000000
045bf848  77d523c2 ntdll!RtlDeactivateActivationContextUnsafeFast+0x263
045bf84c  00000002


045bf9e0  045bfc24
045bf9e4  77d05191 ntdll!_except_handler4

045bfc94  ffffffff
045bfc98  77dd1e8b ntdll!FinalExceptionHandler
045bfc9c  00000000
045bfca0  00000000
045bfca4  77d25087 ntdll!TppWorkerThread

045c0000  3bf27462

