Apr 10 2012

kf is a useful command for finding out how much stack memory each frame takes. See below…
I have three functions which look like this…

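#include <stdio.h>
#pragma auto_inline(off)   // keep each function as a separate frame
void TestStack2() {}
void TestStack1()
{
       char bytes[0x190] = {9};   // 0x190-byte local buffer
       printf("hello: %s", bytes);
       TestStack2();              // call inferred from the stack trace below
}
void TestStack()
{
       char bytes[0x90] = {9};    // 0x90-byte local buffer
       printf("hello: %s", bytes);
       TestStack1();              // call inferred from the stack trace below
}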

// Check out the frame sizes…
  Memory  ChildEBP RetAddr 
          0024f000 00291578 TestMFC1!TestStack2+0x5
      19c 0024f19c 002915d8 TestMFC1!TestStack1+0x18
       9c 0024f238 002916ea TestMFC1!TestStack+0x18
       28 0024f260 7856f282 TestMFC1!CTestMFC1Dlg::OnInitDialog+0xca
        8 0024f268 752c62fa mfc100!AfxDlgProc+0x31
       2c 0024f294 752ef9df USER32!InternalCallWinProc+0x23
       7c 0024f310 752ef784 USER32!UserCallDlgProcCheckWow+0xd7

Alternatively, we can take the difference between the child EBP and the current ESP to get the frame size.
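As an added example (not part of the original post), this Python sketch recomputes the Memory column from the ChildEBP values in the listing above by subtracting adjacent frames, and flags frames above a size threshold. The function names and the 0x100 threshold are assumptions made for illustration; the innermost frame gets no size because it needs the current ESP, which the listing does not show.

```python
import re

# kf listing copied from the post above (Memory column kept for comparison).
KF_OUTPUT = """\
  Memory  ChildEBP RetAddr
          0024f000 00291578 TestMFC1!TestStack2+0x5
      19c 0024f19c 002915d8 TestMFC1!TestStack1+0x18
       9c 0024f238 002916ea TestMFC1!TestStack+0x18
       28 0024f260 7856f282 TestMFC1!CTestMFC1Dlg::OnInitDialog+0xca
        8 0024f268 752c62fa mfc100!AfxDlgProc+0x31
       2c 0024f294 752ef9df USER32!InternalCallWinProc+0x23
       7c 0024f310 752ef784 USER32!UserCallDlgProcCheckWow+0xd7
"""

# Optional Memory column, then ChildEBP, RetAddr and the symbol (32-bit layout).
FRAME_RE = re.compile(
    r"^\s*(?:([0-9a-f]+)\s+)?([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S.*)$", re.I)

def parse_frames(text):
    """Return (reported_memory_or_None, child_ebp, symbol), innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:  # the header line and blank lines do not match
            mem, ebp, _ret, sym = m.groups()
            frames.append((int(mem, 16) if mem else None, int(ebp, 16), sym.strip()))
    return frames

def frame_sizes(frames):
    """Size of a frame = its ChildEBP minus the ChildEBP of the frame it called."""
    return [(caller[2], caller[1] - callee[1])
            for callee, caller in zip(frames, frames[1:])]

def large_frames(sizes, threshold=0x100):  # threshold is an arbitrary example value
    """Frames whose stack usage is at or above the threshold."""
    return [(sym, size) for sym, size in sizes if size >= threshold]

if __name__ == "__main__":
    frames = parse_frames(KF_OUTPUT)
    sizes = frame_sizes(frames)
    for (sym, size), frame in zip(sizes, frames[1:]):
        print(f"computed={size:>4x}  kf={frame[0]:>4x}  {sym}")
    print("large frames:", large_frames(sizes))
```

The same subtraction works on plain k output, which has the ChildEBP column but no Memory column.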

Sep 13 2011

Found a nice article which describes how to take native/managed crash dumps automatically using CDB as soon as a crash takes place. We know that for CLR 2.0 we’ve got to configure crash handler settings at two places in the registry for a native and managed application.

For native

  1. HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
  2. HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto

For managed

  1. HKLM\Software\Microsoft\.NETFramework\DbgManagedDebugger
  2. HKLM\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting

This article from MSDN explains in detail how to configure the registry entries to take automatic crash dumps using CDB…