• Advertisement
Sign in to follow this  

Invalid UNWIND_INFO data?

This topic is 1791 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts


I'm trying to read the unwind data of some dlls (in this case: ntdll.dll).
I noticed that in some cases I read the data jsut fine, but in other cases I see "garbage".
I used dumpbin to look at the unwind data in the dll and I noticed that when I read "garbage" - dumbin can't read it either.

This is what I see with dumpbin:

  00006EF4 000442AF 000442C3 0014265D
  00006F00 000442C3 000442CD 00142669
  00006F0C 000442CD 000442D9 001444D5
  00006F18 000442D9 000442FD 00147E95
  00006F24 000442FD 00044376 00144679
  00006F30 00044376 000443D0 001448A1
  00006F3C 000443D0 0004442C 001254B0
    Unwind version: 1
    Unwind flags: None
    Size of prologue: 0x0A
    Count of codes: 4
    Unwind codes:
      0A: ALLOC_LARGE, size=0x1A8
      03: PUSH_NONVOL, register=rdi
      02: PUSH_NONVOL, register=rsi

I also noticed that when I resolve an IP to a "garbaged" runtime function,SymFunctionTableAccess64 does something that couldn't find any documnetation of.
So my questions are:
1. Is this really a garbaged unwind info? If not, how can I read its content?
2. What does SymFunctionTableAccess64 do when it handles such "garbage"? Where can I find some documentation for it?

thanks! smile.png

Edited by Idov

Share this post

Link to post
Share on other sites
Sign in to follow this  

  • Advertisement