How to Dump when a Function Fails

Here are the steps to make the debugger create a process dump when a given function fails.  Note that this works only for native functions, not managed (.NET) functions.

First, find the ret instruction for the function you’re interested in…

0:000> uf ole32!CoCreateInstanceEx
  140 775002ce 8bff             mov     edi,edi
  140 775002d0 55               push    ebp
  140 775002d1 8bec             mov     ebp,esp
  148 775002d3 6a00             push    0x0
  148 775002d5 ff751c           push    dword ptr [ebp+0x1c]
  148 775002d8 ff7518           push    dword ptr [ebp+0x18]
  148 775002db ff7514           push    dword ptr [ebp+0x14]
  148 775002de ff7510           push    dword ptr [ebp+0x10]
  148 775002e1 ff750c           push    dword ptr [ebp+0xc]
  148 775002e4 ff7508           push    dword ptr [ebp+0x8]
  148 775002e7 e809000000       call    ole32!CComActivator::DoCreateInstance (775002f5)
  149 775002ec 5d               pop     ebp
  149 775002ed c21800           ret     0x18        <---------- HERE

Then set the breakpoint…

0:000> bu 775002ed ".if((@eax & 0`ffffffff) == (800401f3)) {.dump /ma /u C:\InvalidClassString.dmp;g}.else{g}"

Note: In this case I’m checking for a specific HRESULT. The bit-masking is there because of register sign extension (see the "sign extension of registers" topic in debugger.chm for more info).
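The following Python sketch is an added illustration, not code from the original post. It models why the mask matters, assuming the expression evaluator sign-extends a 32-bit register to 64 bits while the typed constant stays as written, and it formats the same breakpoint for other HRESULTs. All function names are hypothetical.

```python
# Added illustration; the sign-extension behaviour modelled here is an assumption
# based on the "sign extension of registers" topic the post refers to.
MASK32 = 0xFFFFFFFF


def sign_extend_32_to_64(value):
    """Promote a 32-bit register value to 64 bits, copying bit 31 upward."""
    value &= MASK32
    return (value | 0xFFFFFFFF00000000) if value & 0x80000000 else value


def condition_matches(eax, hresult, masked=True):
    """Evaluate the breakpoint test against a sign-extended @eax.

    masked=True mirrors (@eax & 0`ffffffff) == (hresult);
    masked=False is the same test with the mask left out.
    """
    reg = sign_extend_32_to_64(eax)
    if masked:
        reg &= MASK32
    return reg == hresult


def decode_hresult(hr):
    """Split an HRESULT into its severity bit, facility and code fields."""
    return {
        "failed": bool((hr >> 31) & 1),
        "facility": (hr >> 16) & 0x7FF,
        "code": hr & 0xFFFF,
    }


def build_breakpoint(ret_address, hresult, dump_path):
    """Format the post's conditional-dump breakpoint for a given ret address."""
    return ('bu {:08x} ".if((@eax & 0`ffffffff) == ({:08x})) '
            '{{.dump /ma /u {};g}}.else{{g}}"').format(ret_address, hresult, dump_path)


if __name__ == "__main__":
    hr = 0x800401F3  # the HRESULT checked in the post
    print(decode_hresult(hr))
    print("with mask:   ", condition_matches(hr, hr, masked=True))
    print("without mask:", condition_matches(hr, hr, masked=False))
    print(build_breakpoint(0x775002ED, hr, r"C:\InvalidClassString.dmp"))
```

Every failure HRESULT has bit 31 set, so under this model an unmasked comparison against a failure code never matches, while success codes such as 0 compare equal either way.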

Comments (3)

  2. sudeepg says:

    This is great! I have been looking for something like this... However doesn’t this method work when we know the address of the function’s return statement ahead? How do I get a dump file every time a particular function is called when we do not know the address of that function?

    Thanks in advance for any clues.

  3. Sudeepg,

    The easiest way really depends on what you are looking for.  If you are looking for a generic way with managed code, there really isn’t an easy way ahead of time, unless you use Visual Studio.  Otherwise, you can run it once and find the address of the function and then use that to set your breakpoint.  The sos that ships with the debugger has a !bp function that works, but only for 1.x versions of .NET.