How to Dump when a Function Fails

So here are the steps you can use in the debugger to get it to create a process dump when a given function fails.  Please note that this is only for a native function and not a managed (.NET) function.

First, find the ret instruction for the function you're interested in... 

0:000> uf ole32!CoCreateInstanceEx
ole32!CoCreateInstanceEx:
  140 775002ce 8bff             mov     edi,edi
  140 775002d0 55               push    ebp
  140 775002d1 8bec             mov     ebp,esp
  148 775002d3 6a00             push    0x0
  148 775002d5 ff751c           push    dword ptr [ebp+0x1c]
  148 775002d8 ff7518           push    dword ptr [ebp+0x18]
  148 775002db ff7514           push    dword ptr [ebp+0x14]
  148 775002de ff7510           push    dword ptr [ebp+0x10]
  148 775002e1 ff750c           push    dword ptr [ebp+0xc]
  148 775002e4 ff7508           push    dword ptr [ebp+0x8]
  148 775002e7 e809000000     call ole32!CComActivator::DoCreateInstance (775002f5)
  149 775002ec 5d               pop     ebp
  149 775002ed c21800           ret     0x18        <---------- HERE

Then set the breakpoint... 

0:000> bu 775002ed ".if((@eax & 0`ffffffff) == (800401f3))
      {.dump /ma /u C:\InvalidClassString.dmp;g}.else{g}"

Note: In this case I'm checking for a specific HRESULT, and note the bit-masking crud (see the "sign extension of registers" topic on the debugger.chm for more info).

kick it on DotNetKicks.com

Published 06 June 08 11:52 by Tom
Filed under: ,

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# DotNetKicks.com said on June 6, 2008 11:53 AM:

You've been kicked (a good thing) - Trackback from DotNetKicks.com

# Sudeep Gopalakrishnan said on June 9, 2008 5:14 PM:

This is great! I have been looking for something like this.. However doesn't this method work when we know the address of the function's return statement ahead? How do I get a dump file everytime a particular function is called when we do not know the address of that function?

thanks in advance for any clues.

# Tom said on June 15, 2008 9:21 PM:

Sudeepg,

The easiest way really depends on what you are looking for.  If you are looking for a generic way with managed code, there really isn't an easy way ahead of time.  Unless you use Visual Studio.  Otherwise, you can run it once and find the address of the function and then use that to set your breakpoint.  The sos that ships with the debugger has a !bp function that works, but only for 1.x versions of .NET

Leave a Comment

(required) 
(optional)
(required) 

  
Enter Code Here: Required

Search

This Blog

All my posts are provided "AS IS" with no warranties, and confer no rights. All the expressions expressed herein are entirely my own and not necessarily those of Microsoft. In addition, thoughts and opinions often change. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.



Your country's flag: IP Address Lookup





See who links to this blog

Add to Technorati Favorites

site statistics

Technology Blogs - BlogCatalog Blog Directory

Technology
Top Blogs

BlogRankers.com

BRDTracker



Syndication

Page view tracker