From: Tim Roberts on
"MB" <bla(a)bla.bla> wrote:
>
>Our application, which runs as a service, has given the following
>Application Error just once, randomly, while shutting down the service on a
>customer machine:
>
>The instruction at "0x7c82caa2" referenced memory at "0xffffffff". The
>memory could not be "read".
>
>Is there anything that can be gleaned from that address?

The addresses just under the 2GB mark are occupied by the system DLLs. If
you are running Windows XP, this is kernel32.dll (which starts at
7C800000).

I can't tell what routine it is, but it calls NtSetInformationJobObject so
it must be modifying some process state.
--
Tim Roberts, timr(a)probo.com
Providenza & Boekelheide, Inc.
From: MB on
This is interesting. Thank you.

The operating system was 2003 Server.

MB.


From: Remy Lebeau on

"Tim Roberts" <timr(a)probo.com> wrote in message
news:1n8qj3psp8bj07eeu8677j7u2srsp3kh15(a)4ax.com...

> The addresses just under the 2GB mark are occupied by the
> system DLLs. If you are running Windows XP, this is kernel32.dll
> (which starts at 7C800000).

Is there a list somewhere that specifies which OS DLLs run at which
addresses?


Gambit


From: Tim Roberts on
"Remy Lebeau" <no.spam(a)no.spam.com> wrote:
>
>"Tim Roberts" <timr(a)probo.com> wrote in message
>news:1n8qj3psp8bj07eeu8677j7u2srsp3kh15(a)4ax.com...
>
>> The addresses just under the 2GB mark are occupied by the
>> system DLLs. If you are running Windows XP, this is kernel32.dll
>> (which starts at 7C800000).
>
>Is there a list somewhere that specifies which OS DLLs run at which
>addresses?

No, but you can find out by asking. That's what I did. (Actually, that's
not quite true; I loaded a dummy program into OllyDbg. OllyDbg includes a
window that shows the base address of all of the currently loaded modules,
in numerical order.)


C:\Dev>link /dump /headers \WINDOWS\system32\kernel32.dll
Microsoft (R) COFF/PE Dumper Version 8.00.50727.42
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file \WINDOWS\system32\kernel32.dll

PE signature found

File Type: DLL

FILE HEADER VALUES
14C machine (x86)
4 number of sections
46239BD5 time date stamp Mon Apr 16 08:52:53 2007
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
210E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
DLL

OPTIONAL HEADER VALUES
10B magic # (PE32)
7.10 linker version
82200 size of code
70000 size of initialized data
0 size of uninitialized data
B5AE entry point (7C80B5AE)
1000 base of code
7F000 base of data
7C800000 image base (7C800000 to 7C8F4FFF) <<<<<<
1000 section alignment
200 file alignment
...
--
Tim Roberts, timr(a)probo.com
Providenza & Boekelheide, Inc.