00007ffa`19fc7391 0f85e6010000 jne iertutil!LCIEGetTypedComponentFromThread+0x2ad (00007ffa`19fc757d)
00007ffa`19fc7397 4c8b354ac13100 mov r14,qword ptr [iertutil!g_pIsoScope (00007ffa`1a2e34e8)]
00007ffa`19fc739e 498b06 mov rax,qword ptr [r14]
00007ffa`19fc73a1 4c8bb848020000 mov r15,qword ptr [rax+248h]
00007ffa`19fc73a8 488d05019dffff lea rax,[iertutil!CIsoScope::GetTlsIndex (00007ffa`19fc10b0)]
00007ffa`19fc73af 4c3bf8 cmp r15,rax
00007ffa`19fc73b2 0f85e4000000 jne iertutil!LCIEGetTypedComponentFromThread+0x1cc (00007ffa`19fc749c)
00007ffa`19fc73b8 8bd6 mov edx,esi
00007ffa`19fc73ba 498bce mov rcx,r14
00007ffa`19fc73bd e8ee9cffff call iertutil!CIsoScope::GetTlsIndex (00007ffa`19fc10b0)
00007ffa`19fc73c2 8bc8 mov ecx,eax
00007ffa`19fc73c4 ff1556100800 call qword ptr [iertutil!_imp_TlsGetValue (00007ffa`1a048420)]
00007ffa`19fc73ca 448b7ddb mov r15d,dword ptr [rbp-25h]
00007ffa`19fc73ce 4885c0 test rax,rax
00007ffa`19fc73d1 0f84a6010000 je iertutil!LCIEGetTypedComponentFromThread+0x2ad (00007ffa`19fc757d)
iertutil!LCIEGetTypedComponentFromThread+0x107:
00007ffa`19fc73d7 0fb74802 movzx ecx,word ptr [rax+2] ⇐ instruction pointer
00007ffa`19fc73db 413bcf cmp ecx,r15d
00007ffa`19fc73de 0f8599010000 jne iertutil!LCIEGetTypedComponentFromThread+0x2ad (00007ffa`19fc757d)
00007ffa`19fc73e4 8b4804 mov ecx,dword ptr [rax+4]
00007ffa`19fc73e7 488b7de7 mov rdi,qword ptr [rbp-19h]
00007ffa`19fc73eb 894dd7 mov dword ptr [rbp-29h],ecx
00007ffa`19fc73ee 488945df mov qword ptr [rbp-21h],rax
00007ffa`19fc73f2 85c9 test ecx,ecx
00007ffa`19fc73f4 0f84cb000000 je iertutil!LCIEGetTypedComponentFromThread+0x1f5 (00007ffa`19fc74c5)
00007ffa`19fc73fa 488b3de7c03100 mov rdi,qword ptr [iertutil!g_pIsoScope (00007ffa`1a2e34e8)]
00007ffa`19fc7401 83c8ff or eax,0FFFFFFFFh
00007ffa`19fc7404 f00fc105f4c23100 lock xadd dword ptr [iertutil!g_cIsoScopeRef (00007ffa`1a2e3700)],eax
00007ffa`19fc740c ffc8 dec eax
00007ffa`19fc740e f7d8 neg eax
00007ffa`19fc7410 481bc0 sbb rax,rax
00007ffa`19fc7413 482105cec03100 and qword ptr [iertutil!g_pIsoScope (00007ffa`1a2e34e8)],rax
00007ffa`19fc741a 488b07 mov rax,qword ptr [rdi]
00007ffa`19fc741d 488b7048 mov rsi,qword ptr [rax+48h]
Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" http://J3:28876/
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*http://msdl.microsoft.com/download/symbols
Deferred cache*C:\Symbols
Deferred cache*\\server\Symbols
Deferred srv*http://symbols.mozilla.org/firefox
Deferred srv*http://chromium-browser-symsrv.commondatastorage.googleapis.com
Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;cache*C:\Symbols;cache*\\server\Symbols;srv*http://symbols.mozilla.org/firefox;srv*http://chromium-browser-symsrv.commondatastorage.googleapis.com
Executable search path is:
ModLoad: 00007ff7`eb770000 00007ff7`eb83a000 iexplore.exe
ModLoad: 00007ffa`22c60000 00007ffa`22e21000 ntdll.dll
ModLoad: 00007ffa`12d80000 00007ffa`12ded000 C:\WINDOWS\system32\verifier.dll
Page heap: pid 0x166C: page heap enabled with flags 0x3.
ModLoad: 00007ffa`22370000 00007ffa`2241d000 C:\WINDOWS\system32\KERNEL32.DLL
ModLoad: 00007ffa`1f3a0000 00007ffa`1f588000 C:\WINDOWS\system32\KERNELBASE.dll
ModLoad: 00007ffa`1da70000 00007ffa`1dae9000 C:\WINDOWS\system32\apphelp.dll
ModLoad: 00007ffa`220e0000 00007ffa`22236000 C:\WINDOWS\system32\USER32.dll
ModLoad: 00007ffa`21e80000 00007ffa`22006000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 00007ffa`22a10000 00007ffa`22aad000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 00007ffa`1fea0000 00007ffa`1ff55000 C:\WINDOWS\system32\shcore.dll
ModLoad: 00007ffa`20540000 00007ffa`207bd000 C:\WINDOWS\system32\combase.dll
ModLoad: 00007ffa`200d0000 00007ffa`201ec000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 00007ffa`1fdb0000 00007ffa`1fe1a000 C:\WINDOWS\system32\bcryptPrimitives.dll
ModLoad: 00007ffa`22960000 00007ffa`22a07000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 00007ffa`22240000 00007ffa`2229b000 C:\WINDOWS\system32\sechost.dll
ModLoad: 00007ffa`19fa0000 00007ffa`1a324000 C:\WINDOWS\SYSTEM32\iertutil.dll
ModLoad: 00007ffa`1f760000 00007ffa`1fda4000 C:\WINDOWS\system32\windows.storage.dll
ModLoad: 00007ffa`20010000 00007ffa`20053000 C:\WINDOWS\system32\cfgmgr32.dll
ModLoad: 00007ffa`204e0000 00007ffa`20532000 C:\WINDOWS\system32\shlwapi.dll
ModLoad: 00007ffa`1f2b0000 00007ffa`1f2bf000 C:\WINDOWS\system32\kernel.appcore.dll
ModLoad: 00007ffa`1f2c0000 00007ffa`1f30b000 C:\WINDOWS\system32\powrprof.dll
ModLoad: 00007ffa`1f290000 00007ffa`1f2a4000 C:\WINDOWS\system32\profapi.dll
(166c.13ac): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffa`22d2aa60 cc int 3
Create process 5740 breakpoint.
0:000> g
(166c.14ec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
0:022> .lastevent
Last event: 166c.14ec: Access violation - code c0000005 (first chance)
debugger time: Tue Jul 5 12:55:26.777 2016 (UTC + 2:00)
0:022> lm on
start end module name
00000207`ef670000 00000207`ef69c000 WINMMBASE_207ef670000 WINMMBASE.dll
00007ff7`eb770000 00007ff7`eb83a000 iexplore iexplore.exe
00007ff9`fe610000 00007ff9`ffd9e000 MSHTML MSHTML.dll
00007ffa`01270000 00007ffa`01724000 jscript9 jscript9.dll
00007ffa`04b20000 00007ffa`04bcd000 ieproxy ieproxy.dll
00007ffa`05630000 00007ffa`056c4000 IEUI IEUI.dll
00007ffa`07840000 00007ffa`0799c000 uiautomationcore uiautomationcore.dll
00007ffa`09170000 00007ffa`09e41000 IEFRAME IEFRAME.dll
00007ffa`0a3c0000 00007ffa`0a572000 ieapfltr ieapfltr.dll
00007ffa`0a580000 00007ffa`0a590000 msimtf msimtf.dll
00007ffa`0a590000 00007ffa`0a5b1000 srpapi srpapi.dll
00007ffa`0a5c0000 00007ffa`0a5fe000 MLANG MLANG.dll
00007ffa`0ca40000 00007ffa`0ca4e000 tokenbinding tokenbinding.dll
00007ffa`0f790000 00007ffa`0f7fd000 IEShims IEShims.dll
00007ffa`0f940000 00007ffa`0f98b000 vaultcli vaultcli.dll
00007ffa`104a0000 00007ffa`104f0000 edputil edputil.dll
00007ffa`104f0000 00007ffa`10990000 explorerframe explorerframe.dll
00007ffa`10990000 00007ffa`109da000 dataexchange dataexchange.dll
00007ffa`109e0000 00007ffa`10a4a000 oleacc oleacc.dll
00007ffa`11240000 00007ffa`1130e000 TokenBroker TokenBroker.dll
00007ffa`11310000 00007ffa`11406000 SettingSyncCore SettingSyncCore.dll
00007ffa`115d0000 00007ffa`115e5000 settingsyncpolicy settingsyncpolicy.dll
00007ffa`117a0000 00007ffa`117ac000 DAVHLPR DAVHLPR.DLL
00007ffa`11e20000 00007ffa`120c9000 WININET WININET.dll
00007ffa`12d80000 00007ffa`12ded000 verifier verifier.dll
00007ffa`134a0000 00007ffa`13657000 urlmon urlmon.dll
00007ffa`13810000 00007ffa`1386c000 ninput ninput.dll
00007ffa`15060000 00007ffa`152d4000 comctl32 comctl32.dll
00007ffa`154c0000 00007ffa`15515000 policymanager policymanager.dll
00007ffa`159f0000 00007ffa`15a2a000 msls31 msls31.dll
00007ffa`15ea0000 00007ffa`15f32000 msvcp110_win msvcp110_win.dll
00007ffa`16860000 00007ffa`16888000 IDStore IDStore.dll
00007ffa`169d0000 00007ffa`169da000 rasadhlp rasadhlp.dll
00007ffa`16b80000 00007ffa`16c0b000 directmanipulation directmanipulation.dll
00007ffa`17080000 00007ffa`17095000 ondemandconnroutehelper ondemandconnroutehelper.dll
00007ffa`170e0000 00007ffa`17625000 d2d1 d2d1.dll
00007ffa`17730000 00007ffa`178e1000 windowscodecs windowscodecs.dll
00007ffa`179e0000 00007ffa`17a47000 fwpuclnt fwpuclnt.dll
00007ffa`18060000 00007ffa`182c0000 DWrite DWrite.dll
00007ffa`18340000 00007ffa`1834b000 WINNSI WINNSI.DLL
00007ffa`183f0000 00007ffa`18426000 XmlLite XmlLite.dll
00007ffa`18650000 00007ffa`192d8000 atidxx64 atidxx64.dll
00007ffa`193b0000 00007ffa`193d8000 atiuxp64 atiuxp64.dll
00007ffa`193e0000 00007ffa`193ea000 VERSION VERSION.dll
00007ffa`193f0000 00007ffa`1955f000 aticfx64 aticfx64.dll
00007ffa`19640000 00007ffa`19656000 WKSCLI WKSCLI.DLL
00007ffa`19fa0000 00007ffa`1a324000 iertutil iertutil.dll
00007ffa`1a330000 00007ffa`1a466000 wintypes wintypes.dll
00007ffa`1b7d0000 00007ffa`1b898000 winhttp winhttp.dll
00007ffa`1b8a0000 00007ffa`1b8ac000 Secur32 Secur32.dll
00007ffa`1be40000 00007ffa`1be78000 IPHLPAPI IPHLPAPI.DLL
00007ffa`1c0d0000 00007ffa`1c172000 dxgi dxgi.dll
00007ffa`1c180000 00007ffa`1c428000 d3d11 d3d11.dll
00007ffa`1c4a0000 00007ffa`1c4c2000 dwmapi dwmapi.dll
00007ffa`1c660000 00007ffa`1c667000 MSIMG32 MSIMG32.dll
00007ffa`1c990000 00007ffa`1ce23000 ActXPrxy ActXPrxy.dll
00007ffa`1d0f0000 00007ffa`1d276000 PROPSYS PROPSYS.dll
00007ffa`1d380000 00007ffa`1d393000 wtsapi32 wtsapi32.dll
00007ffa`1d4d0000 00007ffa`1d4ec000 SAMLIB SAMLIB.dll
00007ffa`1d6e0000 00007ffa`1d7c3000 dcomp dcomp.dll
00007ffa`1d980000 00007ffa`1d9a3000 WINMM WINMM.dll
00007ffa`1da70000 00007ffa`1dae9000 apphelp apphelp.dll
00007ffa`1db90000 00007ffa`1dc26000 uxtheme uxtheme.dll
00007ffa`1dcf0000 00007ffa`1dd9a000 DNSAPI DNSAPI.dll
00007ffa`1dda0000 00007ffa`1dea0000 twinapi_appcore twinapi.appcore.dll
00007ffa`1e000000 00007ffa`1e032000 fwbase fwbase.dll
00007ffa`1e6f0000 00007ffa`1e6fc000 NETUTILS NETUTILS.DLL
00007ffa`1e730000 00007ffa`1e73d000 tbs tbs.dll
00007ffa`1e8f0000 00007ffa`1e924000 rsaenh rsaenh.dll
00007ffa`1e930000 00007ffa`1e93a000 DPAPI DPAPI.dll
00007ffa`1ea40000 00007ffa`1ea5f000 USERENV USERENV.dll
00007ffa`1ebb0000 00007ffa`1ec0c000 mswsock mswsock.dll
00007ffa`1ec60000 00007ffa`1ec77000 CRYPTSP CRYPTSP.dll
00007ffa`1ed80000 00007ffa`1ed8b000 CRYPTBASE CRYPTBASE.dll
00007ffa`1ee80000 00007ffa`1eea9000 bcrypt bcrypt.dll
00007ffa`1ef90000 00007ffa`1efbd000 SspiCli SspiCli.dll
00007ffa`1f140000 00007ffa`1f1d9000 sxs sxs.dll
00007ffa`1f280000 00007ffa`1f290000 MSASN1 MSASN1.dll
00007ffa`1f290000 00007ffa`1f2a4000 profapi profapi.dll
00007ffa`1f2b0000 00007ffa`1f2bf000 kernel_appcore kernel.appcore.dll
00007ffa`1f2c0000 00007ffa`1f30b000 powrprof powrprof.dll
00007ffa`1f310000 00007ffa`1f396000 FirewallAPI FirewallAPI.dll
00007ffa`1f3a0000 00007ffa`1f588000 KERNELBASE KERNELBASE.dll
00007ffa`1f590000 00007ffa`1f758000 CRYPT32 CRYPT32.dll
00007ffa`1f760000 00007ffa`1fda4000 windows_storage windows.storage.dll
00007ffa`1fdb0000 00007ffa`1fe1a000 bcryptPrimitives bcryptPrimitives.dll
00007ffa`1fe80000 00007ffa`1fe97000 NETAPI32 NETAPI32.dll
00007ffa`1fea0000 00007ffa`1ff55000 shcore shcore.dll
00007ffa`20010000 00007ffa`20053000 cfgmgr32 cfgmgr32.dll
00007ffa`20060000 00007ffa`200cb000 WS2_32 WS2_32.dll
00007ffa`200d0000 00007ffa`201ec000 RPCRT4 RPCRT4.dll
00007ffa`201f0000 00007ffa`2025f000 coml2 coml2.dll
00007ffa`20260000 00007ffa`203ba000 MSCTF MSCTF.dll
00007ffa`203c0000 00007ffa`204cb000 comdlg32 comdlg32.dll
00007ffa`204e0000 00007ffa`20532000 shlwapi shlwapi.dll
00007ffa`20540000 00007ffa`207bd000 combase combase.dll
00007ffa`207c0000 00007ffa`20903000 ole32 ole32.dll
00007ffa`20920000 00007ffa`21e7c000 SHELL32 SHELL32.dll
00007ffa`21e80000 00007ffa`22006000 GDI32 GDI32.dll
00007ffa`22070000 00007ffa`220ab000 IMM32 IMM32.DLL
00007ffa`220d0000 00007ffa`220d8000 NSI NSI.dll
00007ffa`220e0000 00007ffa`22236000 USER32 USER32.dll
00007ffa`22240000 00007ffa`2229b000 sechost sechost.dll
00007ffa`222a0000 00007ffa`22361000 OLEAUT32 OLEAUT32.dll
00007ffa`22370000 00007ffa`2241d000 KERNEL32 KERNEL32.DLL
00007ffa`22480000 00007ffa`22527000 clbcatq clbcatq.dll
00007ffa`22960000 00007ffa`22a07000 ADVAPI32 ADVAPI32.dll
00007ffa`22a10000 00007ffa`22aad000 msvcrt msvcrt.dll
00007ffa`22c60000 00007ffa`22e21000 ntdll ntdll.dll
0:022> kn 0x14
# Child-SP RetAddr Call Site
00 000000ae`e6c4ad60 00007ff9`fe7bcf20 iertutil!LCIEGetTypedComponentFromThread+0x107
01 000000ae`e6c4ae30 00007ff9`fe701e15 MSHTML!COmWindowProxy::EstablishIsoDependencies+0x24
02 000000ae`e6c4ae60 00007ff9`fe7ea86a MSHTML!COmWindowProxy::SecureObject+0x285
03 000000ae`e6c4af00 00007ff9`fe6ff287 MSHTML!COmWindowProxy::GetSecureWindowProxy+0x2a
04 000000ae`e6c4af40 00007ff9`fe66aa55 MSHTML!CMarkup::Passivate+0x5e7
05 000000ae`e6c4af90 00007ff9`fe6fcef9 MSHTML!CBase::PrivateRelease+0x235
06 000000ae`e6c4afc0 00007ff9`fe709e30 MSHTML!COmWindowProxy::PrivateRelease+0x99
*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\combase.dll
07 000000ae`e6c4aff0 00007ffa`20614624 MSHTML!CWindow::Release+0x40
08 000000ae`e6c4b020 00007ffa`20596fe6 combase+0xd4624
09 000000ae`e6c4b050 00007ffa`205944b6 combase+0x56fe6
0a 000000ae`e6c4b0a0 00007ffa`20595d1a combase+0x544b6
0b 000000ae`e6c4b2a0 00007ffa`2015d533 combase+0x55d1a
0c 000000ae`e6c4b440 00007ffa`201a9ef1 RPCRT4!Invoke+0x73
0d 000000ae`e6c4b4a0 00007ffa`20146096 RPCRT4!Ndr64StubWorker+0xba1
0e 000000ae`e6c4bb70 00007ffa`205438fb RPCRT4!NdrStubCall3+0xf6
0f 000000ae`e6c4bbe0 00007ffa`205ceafc combase+0x38fb
10 000000ae`e6c4bc20 00007ffa`205ce675 combase+0x8eafc
11 000000ae`e6c4bc90 00007ffa`205c2374 combase+0x8e675
12 000000ae`e6c4beb0 00007ffa`205c072f combase+0x82374
13 000000ae`e6c4c180 00007ffa`205bfa2d combase+0x8072f
0:022> .exr -1
ExceptionAddress: 00007ffa19fc73d7 (iertutil!LCIEGetTypedComponentFromThread+0x0000000000000107)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000001ffe25a6ed2
Attempt to read from address 000001ffe25a6ed2
0:022> |.
. 0 id: 166c create name: iexplore.exe
0:022> !heap -p -a 0x1FFE25A6ED2
address 000001ffe25a6ed2 found in
_DPH_HEAP_ROOT @ 1ffe1731000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
1ffe175e888: 1ffe25a6000 2000
00007ffa22cf2947 ntdll!RtlDebugFreeHeap+0x0000000000000047
00007ffa22c824cb ntdll!RtlpFreeHeap+0x000000000000009b
00007ffa22c80ad9 ntdll!RtlFreeHeap+0x0000000000000319
00007ffa22a29b9c msvcrt!free+0x000000000000001c
00007ffa19fbd3d8 iertutil!CIsoMalloc::_UninitializeEntry+0x0000000000000018
00007ffa19fbfe96 iertutil!CIsoSList::_DecrementEntryRefcount+0x00000000000000d6
00007ffa19fbd2be iertutil!CIsoMalloc::RemoveArtifact+0x000000000000003e
00007ffa19fc57a2 iertutil!CIsoScope::RemoveArtifact+0x0000000000000082
00007ffa19fe7664 iertutil!IsoRemoveArtifact+0x0000000000000034
00007ffa0919059d IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000000000007cd
00007ffa091e5147 IEFRAME!LCIETab_ThreadProc+0x0000000000000357
00007ffa19fe726f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x000000000000001f
00007ffa22388102 KERNEL32!BaseThreadInitThunk+0x0000000000000022
00007ffa22cbc5b4 ntdll!RtlUserThreadStart+0x0000000000000034
0:022> .if ($vvalid(@$scopeip - 138, 138)) { u @$scopeip - 138 @$scopeip - 1; };
iertutil!CIESubscriptionManager::DeclareEvent+0x21f:
00007ffa`19fc729f 20488b and byte ptr [rax-75h],cl
00007ffa`19fc72a2 cdff int 0FFh
00007ffa`19fc72a4 d7 xlat byte ptr [rbx]
00007ffa`19fc72a5 e966feffff jmp iertutil!CIESubscriptionManager::DeclareEvent+0x90 (00007ffa`19fc7110)
00007ffa`19fc72aa 498b06 mov rax,qword ptr [r14]
00007ffa`19fc72ad 488b5820 mov rbx,qword ptr [rax+20h]
00007ffa`19fc72b1 488bcb mov rcx,rbx
00007ffa`19fc72b4 ff1596180800 call qword ptr [iertutil!_guard_check_icall_fptr (00007ffa`1a048b50)]
00007ffa`19fc72ba 8b942480000000 mov edx,dword ptr [rsp+80h]
00007ffa`19fc72c1 498bce mov rcx,r14
00007ffa`19fc72c4 ffd3 call rbx
00007ffa`19fc72c6 ebac jmp iertutil!CIESubscriptionManager::DeclareEvent+0x1f4 (00007ffa`19fc7274)
00007ffa`19fc72c8 cc int 3
00007ffa`19fc72c9 cc int 3
00007ffa`19fc72ca cc int 3
00007ffa`19fc72cb cc int 3
00007ffa`19fc72cc cc int 3
00007ffa`19fc72cd cc int 3
00007ffa`19fc72ce cc int 3
00007ffa`19fc72cf cc int 3
iertutil!LCIEGetTypedComponentFromThread:
00007ffa`19fc72d0 48895c2408 mov qword ptr [rsp+8],rbx
00007ffa`19fc72d5 55 push rbp
00007ffa`19fc72d6 56 push rsi
00007ffa`19fc72d7 57 push rdi
00007ffa`19fc72d8 4154 push r12
00007ffa`19fc72da 4155 push r13
00007ffa`19fc72dc 4156 push r14
00007ffa`19fc72de 4157 push r15
00007ffa`19fc72e0 488d6c24d9 lea rbp,[rsp-27h]
00007ffa`19fc72e5 4881ec90000000 sub rsp,90h
00007ffa`19fc72ec 488b051d7d3100 mov rax,qword ptr [iertutil!_security_cookie (00007ffa`1a2df010)]
00007ffa`19fc72f3 4833c4 xor rax,rsp
00007ffa`19fc72f6 48894517 mov qword ptr [rbp+17h],rax
00007ffa`19fc72fa 8365d700 and dword ptr [rbp-29h],0
00007ffa`19fc72fe 4d8be1 mov r12,r9
00007ffa`19fc7301 488365df00 and qword ptr [rbp-21h],0
00007ffa`19fc7306 4d8be8 mov r13,r8
00007ffa`19fc7309 448bf2 mov r14d,edx
00007ffa`19fc730c 8955ef mov dword ptr [rbp-11h],edx
00007ffa`19fc730f 448bf9 mov r15d,ecx
00007ffa`19fc7312 894ddb mov dword ptr [rbp-25h],ecx
00007ffa`19fc7315 bb05400080 mov ebx,80004005h
00007ffa`19fc731a 448b0ddfc33100 mov r9d,dword ptr [iertutil!g_cIsoScopeRef (00007ffa`1a2e3700)]
00007ffa`19fc7321 4585c9 test r9d,r9d
00007ffa`19fc7324 0f8492010000 je iertutil!LCIEGetTypedComponentFromThread+0x1ec (00007ffa`19fc74bc)
00007ffa`19fc732a 418d4901 lea ecx,[r9+1]
00007ffa`19fc732e 418bc1 mov eax,r9d
00007ffa`19fc7331 f00fb10dc7c33100 lock cmpxchg dword ptr [iertutil!g_cIsoScopeRef (00007ffa`1a2e3700)],ecx
00007ffa`19fc7339 443bc8 cmp r9d,eax
00007ffa`19fc733c 75dc jne iertutil!LCIEGetTypedComponentFromThread+0x4a (00007ffa`19fc731a)
00007ffa`19fc733e 488b1da3c13100 mov rbx,qword ptr [iertutil!g_pIsoScope (00007ffa`1a2e34e8)]
00007ffa`19fc7345 488b03 mov rax,qword ptr [rbx]
00007ffa`19fc7348 488b7840 mov rdi,qword ptr [rax+40h]
00007ffa`19fc734c 488d05cdf4ffff lea rax,[iertutil!CIsoScope::ReferenceScope (00007ffa`19fc6820)]
00007ffa`19fc7353 483bf8 cmp rdi,rax
00007ffa`19fc7356 0f8519010000 jne iertutil!LCIEGetTypedComponentFromThread+0x1a5 (00007ffa`19fc7475)
00007ffa`19fc735c 33d2 xor edx,edx
00007ffa`19fc735e 488bcb mov rcx,rbx
00007ffa`19fc7361 e8baf4ffff call iertutil!CIsoScope::ReferenceScope (00007ffa`19fc6820)
00007ffa`19fc7366 8bd8 mov ebx,eax
00007ffa`19fc7368 85c0 test eax,eax
00007ffa`19fc736a 0f8804800300 js iertutil!LCIEGetTypedComponentFromThread+0x380a4 (00007ffa`19fff374)
00007ffa`19fc7370 488b3d71c13100 mov rdi,qword ptr [iertutil!g_pIsoScope (00007ffa`1a2e34e8)]
00007ffa`19fc7377 48897de7 mov qword ptr [rbp-19h],rdi
00007ffa`19fc737b 85db test ebx,ebx
00007ffa`19fc737d 0f88c9000000 js iertutil!LCIEGetTypedComponentFromThread+0x17c (00007ffa`19fc744c)
00007ffa`19fc7383 ff157f100800 call qword ptr [iertutil!_imp_GetCurrentThreadId (00007ffa`1a048408)]
00007ffa`19fc7389 be01000000 mov esi,1
00007ffa`19fc738e 443bf0 cmp r14d,eax
00007ffa`19fc7391 0f85e6010000 jne iertutil!LCIEGetTypedComponentFromThread+0x2ad (00007ffa`19fc757d)
00007ffa`19fc7397 4c8b354ac13100 mov r14,qword ptr [iertutil!g_pIsoScope (00007ffa`1a2e34e8)]
00007ffa`19fc739e 498b06 mov rax,qword ptr [r14]
00007ffa`19fc73a1 4c8bb848020000 mov r15,qword ptr [rax+248h]
00007ffa`19fc73a8 488d05019dffff lea rax,[iertutil!CIsoScope::GetTlsIndex (00007ffa`19fc10b0)]
00007ffa`19fc73af 4c3bf8 cmp r15,rax
00007ffa`19fc73b2 0f85e4000000 jne iertutil!LCIEGetTypedComponentFromThread+0x1cc (00007ffa`19fc749c)
00007ffa`19fc73b8 8bd6 mov edx,esi
00007ffa`19fc73ba 498bce mov rcx,r14
00007ffa`19fc73bd e8ee9cffff call iertutil!CIsoScope::GetTlsIndex (00007ffa`19fc10b0)
00007ffa`19fc73c2 8bc8 mov ecx,eax
00007ffa`19fc73c4 ff1556100800 call qword ptr [iertutil!_imp_TlsGetValue (00007ffa`1a048420)]
00007ffa`19fc73ca 448b7ddb mov r15d,dword ptr [rbp-25h]
00007ffa`19fc73ce 4885c0 test rax,rax
00007ffa`19fc73d1 0f84a6010000 je iertutil!LCIEGetTypedComponentFromThread+0x2ad (00007ffa`19fc757d)
0:022> .if ($vvalid(@$scopeip, 138)) { u @$scopeip @$scopeip + 137; };
iertutil!LCIEGetTypedComponentFromThread+0x107:
00007ffa`19fc73d7 0fb74802 movzx ecx,word ptr [rax+2]
00007ffa`19fc73db 413bcf cmp ecx,r15d
00007ffa`19fc73de 0f8599010000 jne iertutil!LCIEGetTypedComponentFromThread+0x2ad (00007ffa`19fc757d)
00007ffa`19fc73e4 8b4804 mov ecx,dword ptr [rax+4]
00007ffa`19fc73e7 488b7de7 mov rdi,qword ptr [rbp-19h]
00007ffa`19fc73eb 894dd7 mov dword ptr [rbp-29h],ecx
00007ffa`19fc73ee 488945df mov qword ptr [rbp-21h],rax
00007ffa`19fc73f2 85c9 test ecx,ecx
00007ffa`19fc73f4 0f84cb000000 je iertutil!LCIEGetTypedComponentFromThread+0x1f5 (00007ffa`19fc74c5)
00007ffa`19fc73fa 488b3de7c03100 mov rdi,qword ptr [iertutil!g_pIsoScope (00007ffa`1a2e34e8)]
00007ffa`19fc7401 83c8ff or eax,0FFFFFFFFh
00007ffa`19fc7404 f00fc105f4c23100 lock xadd dword ptr [iertutil!g_cIsoScopeRef (00007ffa`1a2e3700)],eax
00007ffa`19fc740c ffc8 dec eax
00007ffa`19fc740e f7d8 neg eax
00007ffa`19fc7410 481bc0 sbb rax,rax
00007ffa`19fc7413 482105cec03100 and qword ptr [iertutil!g_pIsoScope (00007ffa`1a2e34e8)],rax
00007ffa`19fc741a 488b07 mov rax,qword ptr [rdi]
00007ffa`19fc741d 488b7048 mov rsi,qword ptr [rax+48h]
00007ffa`19fc7421 488d05d8f2ffff lea rax,[iertutil!CIsoScope::ReleaseScope (00007ffa`19fc6700)]
00007ffa`19fc7428 483bf0 cmp rsi,rax
00007ffa`19fc742b 755d jne iertutil!LCIEGetTypedComponentFromThread+0x1ba (00007ffa`19fc748a)
00007ffa`19fc742d 33d2 xor edx,edx
00007ffa`19fc742f 488bcf mov rcx,rdi
00007ffa`19fc7432 e8c9f2ffff call iertutil!CIsoScope::ReleaseScope (00007ffa`19fc6700)
00007ffa`19fc7437 85db test ebx,ebx
00007ffa`19fc7439 7811 js iertutil!LCIEGetTypedComponentFromThread+0x17c (00007ffa`19fc744c)
00007ffa`19fc743b 4d85ed test r13,r13
00007ffa`19fc743e 7407 je iertutil!LCIEGetTypedComponentFromThread+0x177 (00007ffa`19fc7447)
00007ffa`19fc7440 8b45d7 mov eax,dword ptr [rbp-29h]
00007ffa`19fc7443 41894500 mov dword ptr [r13],eax
00007ffa`19fc7447 4d85e4 test r12,r12
00007ffa`19fc744a 7566 jne iertutil!LCIEGetTypedComponentFromThread+0x1e2 (00007ffa`19fc74b2)
00007ffa`19fc744c 8bc3 mov eax,ebx
00007ffa`19fc744e 488b4d17 mov rcx,qword ptr [rbp+17h]
00007ffa`19fc7452 4833cc xor rcx,rsp
00007ffa`19fc7455 e846a80200 call iertutil!_security_check_cookie (00007ffa`19ff1ca0)
00007ffa`19fc745a 488b9c24d0000000 mov rbx,qword ptr [rsp+0D0h]
00007ffa`19fc7462 4881c490000000 add rsp,90h
00007ffa`19fc7469 415f pop r15
00007ffa`19fc746b 415e pop r14
00007ffa`19fc746d 415d pop r13
00007ffa`19fc746f 415c pop r12
00007ffa`19fc7471 5f pop rdi
00007ffa`19fc7472 5e pop rsi
00007ffa`19fc7473 5d pop rbp
00007ffa`19fc7474 c3 ret
00007ffa`19fc7475 488bcf mov rcx,rdi
00007ffa`19fc7478 ff15d2160800 call qword ptr [iertutil!_guard_check_icall_fptr (00007ffa`1a048b50)]
00007ffa`19fc747e 33d2 xor edx,edx
00007ffa`19fc7480 488bcb mov rcx,rbx
00007ffa`19fc7483 ffd7 call rdi
00007ffa`19fc7485 e9dcfeffff jmp iertutil!LCIEGetTypedComponentFromThread+0x96 (00007ffa`19fc7366)
00007ffa`19fc748a 488bce mov rcx,rsi
00007ffa`19fc748d ff15bd160800 call qword ptr [iertutil!_guard_check_icall_fptr (00007ffa`1a048b50)]
00007ffa`19fc7493 33d2 xor edx,edx
00007ffa`19fc7495 488bcf mov rcx,rdi
00007ffa`19fc7498 ffd6 call rsi
00007ffa`19fc749a eb9b jmp iertutil!LCIEGetTypedComponentFromThread+0x167 (00007ffa`19fc7437)
00007ffa`19fc749c 498bcf mov rcx,r15
00007ffa`19fc749f ff15ab160800 call qword ptr [iertutil!_guard_check_icall_fptr (00007ffa`1a048b50)]
00007ffa`19fc74a5 8bd6 mov edx,esi
00007ffa`19fc74a7 498bce mov rcx,r14
00007ffa`19fc74aa 41ffd7 call r15
00007ffa`19fc74ad e910ffffff jmp iertutil!LCIEGetTypedComponentFromThread+0xf2 (00007ffa`19fc73c2)
00007ffa`19fc74b2 488b45df mov rax,qword ptr [rbp-21h]
00007ffa`19fc74b6 49890424 mov qword ptr [r12],rax
00007ffa`19fc74ba eb90 jmp iertutil!LCIEGetTypedComponentFromThread+0x17c (00007ffa`19fc744c)
00007ffa`19fc74bc 488b7de7 mov rdi,qword ptr [rbp-19h]
00007ffa`19fc74c0 e9b6feffff jmp iertutil!LCIEGetTypedComponentFromThread+0xab (00007ffa`19fc737b)
00007ffa`19fc74c5 448b75ef mov r14d,dword ptr [rbp-11h]
00007ffa`19fc74c9 488b07 mov rax,qword ptr [rdi]
00007ffa`19fc74cc 488b5828 mov rbx,qword ptr [rax+28h]
00007ffa`19fc74d0 488d05c9dfffff lea rax,[iertutil!CIsoScope::GetNextArtifact (00007ffa`19fc54a0)]
00007ffa`19fc74d7 483bd8 cmp rbx,rax
00007ffa`19fc74da 7570 jne iertutil!LCIEGetTypedComponentFromThread+0x27c (00007ffa`19fc754c)
00007ffa`19fc74dc 488364243000 and qword ptr [rsp+30h],0
00007ffa`19fc74e2 488d45df lea rax,[rbp-21h]
00007ffa`19fc74e6 4889442428 mov qword ptr [rsp+28h],rax
00007ffa`19fc74eb 4c8d4df7 lea r9,[rbp-9]
00007ffa`19fc74ef 488d45d7 lea rax,[rbp-29h]
00007ffa`19fc74f3 41b014 mov r8b,14h
00007ffa`19fc74f6 8bd6 mov edx,esi
00007ffa`19fc74f8 4889442420 mov qword ptr [rsp+20h],rax
00007ffa`19fc74fd 488bcf mov rcx,rdi
00007ffa`19fc7500 e89bdfffff call iertutil!CIsoScope::GetNextArtifact (00007ffa`19fc54a0)
00007ffa`19fc7505 be02000000 mov esi,2
00007ffa`19fc750a 85c0 test eax,eax
00007ffa`19fc750c 7577 jne iertutil!LCIEGetTypedComponentFromThread+0x2b5 (00007ffa`19fc7585)
00007ffa`19fc750e 488b4ddf mov rcx,qword ptr [rbp-21h]
0:022> rM 0x7D
rax=000001ffe25a6ed0 rbx=0000000000000000 rcx=0000000000000031
rdx=0000000000000001 rsi=0000000000000001 rdi=000001ffe3e2ab90
rip=00007ffa19fc73d7 rsp=000000aee6c4ad60 rbp=000000aee6c4adc9
r8=000001ffe3e2ab90 r9=0000000000000000 r10=0000000000000000
r11=000000008000000a r12=0000000000000000 r13=000000aee6c4ae70
r14=000001ffe3e2ab90 r15=0000000000000203
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
fpcw=027F fpsw=0000 fptw=0000
st0= 0.000000000000000000000e+0000 st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000 st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000 st5= 0.000000000000000000000e+0000
st6= 0.000000000000000000000e+0000 st7= 0.000000000000000000000e+0000
mm0=0000000000000000 mm1=0000000000000000
mm2=0000000000000000 mm3=0000000000000000
mm4=0000000000000000 mm5=0000000000000000
mm6=0000000000000000 mm7=0000000000000000
xmm0=3.02498e-041 3146.47 3.27243e-028 -4.75651e+012
xmm1=4.59093e-041 5.43423e-018 4.59093e-041 5.61475e-018
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
xmm8=0 0 0 0
xmm9=0 0 0 0
xmm10=0 0 0 0
xmm11=0 0 0 0
xmm12=0 0 0 0
xmm13=0 0 0 0
xmm14=0 0 0 0
xmm15=0 0 0 0
dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000
dr3=0000000000000000 dr6=0000000000000000 dr7=0000000000000000
iertutil!LCIEGetTypedComponentFromThread+0x107:
00007ffa`19fc73d7 0fb74802 movzx ecx,word ptr [rax+2] ds:000001ff`e25a6ed2=????
0:022> dpp @$ea - 10*$ptrsize L10;
000001ff`e25a6e52 ????????`????????
000001ff`e25a6e5a ????????`????????
000001ff`e25a6e62 ????????`????????
000001ff`e25a6e6a ????????`????????
000001ff`e25a6e72 ????????`????????
000001ff`e25a6e7a ????????`????????
000001ff`e25a6e82 ????????`????????
000001ff`e25a6e8a ????????`????????
000001ff`e25a6e92 ????????`????????
000001ff`e25a6e9a ????????`????????
000001ff`e25a6ea2 ????????`????????
000001ff`e25a6eaa ????????`????????
000001ff`e25a6eb2 ????????`????????
000001ff`e25a6eba ????????`????????
000001ff`e25a6ec2 ????????`????????
000001ff`e25a6eca ????????`????????
0:022> dpp @$ea L10;
000001ff`e25a6ed2 ????????`????????
000001ff`e25a6eda ????????`????????
000001ff`e25a6ee2 ????????`????????
000001ff`e25a6eea ????????`????????
000001ff`e25a6ef2 ????????`????????
000001ff`e25a6efa ????????`????????
000001ff`e25a6f02 ????????`????????
000001ff`e25a6f0a ????????`????????
000001ff`e25a6f12 ????????`????????
000001ff`e25a6f1a ????????`????????
000001ff`e25a6f22 ????????`????????
000001ff`e25a6f2a ????????`????????
000001ff`e25a6f32 ????????`????????
000001ff`e25a6f3a ????????`????????
000001ff`e25a6f42 ????????`????????
000001ff`e25a6f4a ????????`????????
0:022> dpp @$ea2 - 10*$ptrsize L10;
Bad register error at '@$ea2 - 10*$ptrsize '
0:022> lm M *iexplore.exe
start end module name
00007ff7`eb770000 00007ff7`eb83a000 iexplore (deferred)
0:022> lmv m *iertutil
start end module name
00007ffa`19fa0000 00007ffa`1a324000 iertutil (pdb symbols) c:\symbols\iertutil.pdb\F27AB10F46A94B09820179789A2997051\iertutil.pdb
Loaded symbol image file: C:\WINDOWS\SYSTEM32\iertutil.dll
Image path: C:\WINDOWS\SYSTEM32\iertutil.dll
Image name: iertutil.dll
Timestamp: Sat May 28 05:55:20 2016 (574916A8)
CheckSum: 0038187B
ImageSize: 00384000
File version: 11.0.10586.420
Product version: 11.0.10586.420
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Internet Explorer
InternalName: IeRtUtil.dll
OriginalFilename: IeRtUtil.dll
ProductVersion: 11.00.10586.420
FileVersion: 11.00.10586.420 (th2_release_sec.160527-1834)
FileDescription: Run time utility for Internet Explorer
LegalCopyright: © Microsoft Corporation. All rights reserved.
0:022> lmv m *iexplore
start end module name
00007ff7`eb770000 00007ff7`eb83a000 iexplore (deferred)
Image path: iexplore.exe
Image name: iexplore.exe
Timestamp: Sat May 28 06:18:29 2016 (57491C15)
CheckSum: 000D6FBD
ImageSize: 000CA000
File version: 11.0.10586.420
Product version: 11.0.10586.420
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Internet Explorer
InternalName: iexplore
OriginalFilename: IEXPLORE.EXE
ProductVersion: 11.00.10586.420
FileVersion: 11.00.10586.420 (th2_release_sec.160527-1834)
FileDescription: Internet Explorer
LegalCopyright: © Microsoft Corporation. All rights reserved.
0:022>