DEP Description and Terminologies
To avoid redundancy, please read the following MSDN article on DEP if this is new to you:
How to identify DEP problem using WinDbg
When an application runs into a DEP problem, the OS raises an Access Violation (AV) exception. Since an AV can have many different causes, follow these steps to confirm that the DEP setting is the root cause of the problem.
Start windbg and attach to the application
Press F6 in WinDbg, select the process, and click Attach. Then press F5 to let the application run until it hits the Access Violation exception.
Use !analyze command
When a DEP-induced exception occurs, WinDbg breaks in with output such as the following:
The stored exception information can be accessed via .ecxr.
(5b8.1cbc): Access violation - code c0000005 (first/second chance not available)
eax=002bbe64 ebx=000e05a2 ecx=00000000 edx=00000081 esi=007997d0 edi=007997c8
eip=007997d0 esp=002bbcc0 ebp=002bbce0 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212
007997d0 c7442404c8977900 mov dword ptr [esp+4],7997C8h ss:002b:002bbcc4=000e05a2
Execute the following debug command:
0:000> !analyze -v
007997d0 c7442404c8977900 mov dword ptr [esp+4],7997C8h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 007997d0
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 007997d0
Attempt to execute non-executable address 007997d0
The !analyze output shows the details of the exception record. Parameter[0] is 8, which means the access violation was an attempt to execute a non-executable address; Parameter[1] is that address, 007997d0, which matches the faulting eip.
Additional method to verify DEP related AV
At this point you can be fairly sure of the cause. If you want further evidence, continue:
0:000> !address @eip
Usage: Heap
Allocation Base: 00790000
Base Address: 00790000
End Address: 007a0000
Region Size: 00010000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
The “Protect” value of the region containing EIP is PAGE_READWRITE, so that memory has no execute permission; note also that its Usage is Heap, not an image section.
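As an added example (not part of the original article), a small Python triage helper that applies these same checks to captured WinDbg output: it parses the exception record from `!analyze -v` and the region from `!address`, and reports whether the AV is a DEP execute fault. The function names and the embedded sample text are constructed here; the sample text repeats the debugger output shown above.

```python
import re

# Page-protection bits from winnt.h; any of them set means the page is executable.
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE{,_READ,_READWRITE,_WRITECOPY}
STATUS_ACCESS_VIOLATION = 0xC0000005
AV_EXECUTE = 8  # ExceptionInformation[0]: 0 = read, 1 = write, 8 = instruction fetch (DEP)

def _hexfield(text, name):
    """Hex value printed after 'name:' in debugger output, or None if absent."""
    m = re.search(re.escape(name) + r":\s*([0-9a-f]+)", text, re.I)
    return int(m.group(1), 16) if m else None

def parse_analyze(text):
    """Exception record fields as printed by `!analyze -v`."""
    params = re.findall(r"Parameter\[\d+\]:\s*([0-9a-f]+)", text, re.I)
    return {"code": _hexfield(text, "ExceptionCode"),
            "address": _hexfield(text, "ExceptionAddress"),
            "params": [int(v, 16) for v in params]}

def parse_address(text):
    """Region bounds and protection as printed by `!address <addr>`."""
    return {"base": _hexfield(text, "Base Address"),
            "end": _hexfield(text, "End Address"),
            "protect": _hexfield(text, "Protect")}

def classify_av(analyze_text, address_text, eip):
    """Apply the article's checks in order; return (is_dep_execute_fault, reasons)."""
    rec, region = parse_analyze(analyze_text), parse_address(address_text)
    if rec["code"] != STATUS_ACCESS_VIOLATION:
        return False, ["ExceptionCode is not c0000005: not an access violation"]
    if len(rec["params"]) < 2 or rec["params"][0] != AV_EXECUTE:
        return False, ["Parameter[0] is not 8: a read/write AV, not a DEP execute fault"]
    reasons = ["Parameter[0] == 8 (attempt to execute a non-executable address)"]
    if rec["params"][1] == rec["address"] == eip:
        reasons.append("Parameter[1] == ExceptionAddress == eip (faulting instruction fetch)")
    if None not in region.values() and region["base"] <= eip < region["end"]:
        if region["protect"] & PAGE_EXECUTE_MASK:
            return False, reasons + ["region holding eip is executable: DEP is not the cause"]
        reasons.append("Protect on the region holding eip has no PAGE_EXECUTE_* bit")
    return True, reasons

# Constructed sample input, copied from the debugger output shown in this article.
ANALYZE_SAMPLE = """ExceptionAddress: 007997d0
ExceptionCode: c0000005 (Access violation)
Parameter[0]: 00000008
Parameter[1]: 007997d0"""
ADDRESS_SAMPLE = """Usage: Heap
Base Address: 00790000
End Address: 007a0000
Protect: 00000004 PAGE_READWRITE"""
```

Calling `classify_av(ANALYZE_SAMPLE, ADDRESS_SAMPLE, 0x007997D0)` on the article's own output returns `True` with all three reasons; changing Parameter[0] to 1 (a write fault) or giving the region an executable Protect value makes it return `False`.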
Review the source code.
To find the source code location, obtain the call stack with this debug command:
0:000> kb200
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
002bbcbc 59a9b152 000e05a2 00000081 00000000 0x7997d0
002bbce0 751d6238 000e05a2 00000081 00000000 myDLL!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<1442840576,0> >::StartWindowProc+0x62 [f:\myDLL\atl\include\atlwin.h @ 2097]
002bbd0c 751d7298 59a9b0f0 000e05a2 00000081 user32!InternalCallWinProc+0x23 [d:\w7rtm\windows\core\ntuser\client\i386\callproc.asm @ 106]
002bbd84 751d7177 00000000 59a9b0f0 000e05a2 user32!UserCallWinProcCheckWow+0xd8 [d:\w7rtm\windows\core\ntuser\client\clmsg.c @ 154]
002bbde0 751d942c 012e48b0 00000000 00000081 user32!DispatchClientMessage+0xe0 [d:\w7rtm\windows\core\ntuser\client\client.c @ 3202]
002bbe20 772b00e6 002bbe38 00000000 002bc3b0 user32!__fnINLPCREATESTRUCT+0x91 [d:\w7rtm\windows\core\ntuser\inc\ntcb.h @ 1412]
002bbe34 00000000 00000000 00000000 c0f00000 ntdll!KiUserCallbackDispatcher+0x2e [d:\win7_gdr\minkernel\ntos\rtl\i386\userdisp.asm @ 405]
The following excerpt from atlwin.h shows the offending code at line 2097, which tries to execute through a function pointer held in a stack-allocated local variable:
template <class TBase, class TWinTraits>
LRESULT CALLBACK CWindowImplBaseT< TBase, TWinTraits >::StartWindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)