rax goes to zero when cycling through a linked list, but the list is valid.
From: matt_sykes on 10 Sep 2010 08:19

Here is the exception:

    fffff880`06159500 483b5020        cmp     rdx,qword ptr [rax+20h] ds:002b:00000000`00000020=????????????????

This is the line that cycles through the linked list in a while loop:

    fffff880`06159506 488b00          mov     rax,qword ptr [rax]

This is the list:

    kd> dl fffffa801ac24f70 100 1
    fffffa80`1ac24f70  fffffa80`1aa8f010   <--- this is the start address
    fffffa80`1aa8f010  fffffa80`1aff6350
    fffffa80`1aff6350  fffffa80`1acec740
    fffffa80`1acec740  fffffa80`1b372cf0
    fffffa80`1b372cf0  fffffa80`1b546190
    fffffa80`1b546190  fffffa80`1b55baf0
    fffffa80`1b55baf0  fffffa80`1b551660
    fffffa80`1b551660  fffffa80`1ac24f70

The list is obtained from rcx (first param) + 0xa0:

    add     rcx,0A0h

and the value put into rax:

    mov     rax,qword ptr [rcx]

    kd> dt trusted!_TRACKED_PROCESS FFFFFA801AC24ED0
       +0x000 List                   : _LIST_ENTRY [ 0xfffffa80`18df0a50 - 0xfffffa80`1adea5c0 ]
       +0x010 Flags                  : 1
       +0x018 ParentId               : 0x00000000`00000450
       +0x020 ProcessId              : 0x00000000`00000a7c
       +0x028 ProcessImageNameLength : 0x9a
       +0x030 ProcessImageName       : 0xfffff8a0`02203c30  -> 0x5c
       +0x038 FileLock               : _ERESOURCE
       +0x0a0 Files                  : _LIST_ENTRY [ 0xfffffa80`1aa8f010 - 0xfffffa80`1b551660 ]   <---

0xfffffa80`1aa8f010 is a valid address in the linked list at offset 0xa0 from rcx (the first param). I don't see how rax can end up zero; it seems utterly impossible.
Here is the assembly for the loop and function initialisation:

    fffff880`061594e0 4533d2          xor     r10d,r10d
    fffff880`061594e3 4885c9          test    rcx,rcx
    fffff880`061594e6 41b90d0000c0    mov     r9d,0C000000Dh
    fffff880`061594ec 7428            je      Trusted!TrustLookupFileObject+0x36 (fffff880`06159516)
    fffff880`061594ee 4881c1a0000000  add     rcx,0A0h
    fffff880`061594f5 41b90f0000c0    mov     r9d,0C000000Fh
    fffff880`061594fb 488b01          mov     rax,qword ptr [rcx]
    fffff880`061594fe eb09            jmp     Trusted!TrustLookupFileObject+0x29 (fffff880`06159509)
    fffff880`06159500 483b5020        cmp     rdx,qword ptr [rax+20h]
    fffff880`06159504 740a            je      Trusted!TrustLookupFileObject+0x30 (fffff880`06159510)
    fffff880`06159506 488b00          mov     rax,qword ptr [rax]
    fffff880`06159509 483bc8          cmp     rcx,rax
    fffff880`0615950c 75f2            jne     Trusted!TrustLookupFileObject+0x20 (fffff880`06159500)
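An added illustration, not the poster's code: the loop above rendered in user-mode C, with a `race` hook standing in for another thread so the walker can hold a pointer to an entry that is then unlinked and zeroed (an assumed cause, shown here because it leaves rax == NULL at `cmp rdx,[rax+20h]` while `dl` on the head still prints an intact ring). The record layouts, field names and STATUS_LIST_TORN are assumptions; the two real status codes come from the r9d loads in the listing, and the checked variant shows what a link-validating walk returns instead of bugchecking.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* User-mode stand-in for the kernel LIST_ENTRY so this builds anywhere. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Status values taken from the two mov r9d loads in the listing. */
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_NO_SUCH_FILE      0xC000000Fu
#define STATUS_SUCCESS           0x00000000u
#define STATUS_LIST_TORN         0xC0DE0001u  /* constructed placeholder, not a real NTSTATUS */
/* Assumed layouts: the entry sits at +0 of each file record and the field
 * compared at [rax+20h] at +0x20; of the process only Files at +0xa0 matters. */
typedef struct { LIST_ENTRY Link; uint64_t Pad[2]; void *FileObject; } TRACKED_FILE;
typedef struct { char Pad[0xa0]; LIST_ENTRY Files; } TRACKED_PROCESS;

void list_insert_tail(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
/* Unlink e cleanly (the neighbours stay consistent, so `dl` on the head still
 * shows an intact ring) and then zero it, as a freed entry would be. */
void unlink_and_zero(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
    memset(e, 0, sizeof *e);
}

/* The loop at +0x20..+0x2c in C. checked == 0 follows every Flink blindly as the
 * listing does; checked != 0 validates each link first. `race` models another
 * thread and runs after each entry has been examined, before Flink is read. */
uint32_t lookup(TRACKED_PROCESS *p, void *fo, int checked,
                void (*race)(LIST_ENTRY *), TRACKED_FILE **out) {
    if (!p) return STATUS_INVALID_PARAMETER;             /* r9d = 0C000000Dh */
    for (LIST_ENTRY *e = p->Files.Flink; e != &p->Files; e = e->Flink) {
        if (checked && (!e || !e->Flink || e->Flink->Blink != e))
            return STATUS_LIST_TORN;                     /* report, do not fault */
        if (((TRACKED_FILE *)e)->FileObject == fo) {     /* cmp rdx,[rax+20h]: the NULL deref */
            *out = (TRACKED_FILE *)e; return STATUS_SUCCESS;
        }
        if (race) race(e);     /* e may be gone by the time e->Flink is read */
    }
    return STATUS_NO_SUCH_FILE;                          /* r9d = 0C000000Fh */
}

/* Constructed scenario: three entries, a lookup for entry `want` (-1 = miss),
 * optionally with each visited entry unlinked and zeroed behind the walker. */
uint32_t scenario(int checked, int with_race, int want) {
    TRACKED_PROCESS proc; TRACKED_FILE f[3], *hit = NULL;
    proc.Files.Flink = proc.Files.Blink = &proc.Files;
    for (int i = 0; i < 3; i++) { f[i].FileObject = &f[i]; list_insert_tail(&proc.Files, &f[i].Link); }
    return lookup(&proc, want < 0 ? (void *)&proc : (void *)&f[want], checked,
                  with_race ? unlink_and_zero : NULL, &hit);
}
```

Running `scenario(0, 1, -1)` reproduces the fault itself (a NULL read at offset 0x20), which is why the checked form is the one worth comparing against.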