Details

Id:  AVR:Reserved e2d.003
Description:  Access violation while reading reserved but unallocated memory at 0x1BF37D8
Location:  microsoftedgecp.exe!edgehtml.dll!CBaseScriptable::PrivateQueryInterface
Security impact:  Denial of Service

Stack

Disassembly

77672bf5 cc int 3
77672bf6 cc int 3
77672bf7 cc int 3
77672bf8 cc int 3
77672bf9 cc int 3
77672bfa cc int 3
77672bfb cc int 3
77672bfc cc int 3
77672bfd cc int 3
77672bfe cc int 3
77672bff cc int 3
ntdll!LdrpValidateUserCallTarget:
77672c00 8b15a0c16d77 mov edx,dword ptr [ntdll!LdrSystemDllInitBlock+0x60 (776dc1a0)]
77672c06 8bc1 mov eax,ecx
77672c08 c1e808 shr eax,8
ntdll!LdrpValidateUserCallTargetBitMapCheck:
77672c0b 8b1482 mov edx,dword ptr [edx+eax*4] ⇐ instruction pointer
77672c0e 8bc1 mov eax,ecx
77672c10 c1e803 shr eax,3
77672c13 f6c10f test cl,0Fh
77672c16 7506 jne ntdll!LdrpValidateUserCallTargetBitMapRet+0x1 (77672c1e)
77672c18 0fa3c2 bt edx,eax
77672c1b 730a jae ntdll!LdrpValidateUserCallTargetBitMapRet+0xa (77672c27)
ntdll!LdrpValidateUserCallTargetBitMapRet:
77672c1d c3 ret
77672c1e 83c801 or eax,1
77672c21 0fa3c2 bt edx,eax
77672c24 7301 jae ntdll!LdrpValidateUserCallTargetBitMapRet+0xa (77672c27)
77672c26 c3 ret
77672c27 51 push ecx
77672c28 8d642480 lea esp,[esp-80h]
77672c2c 0f110424 movups xmmword ptr [esp],xmm0
77672c30 0f114c2410 movups xmmword ptr [esp+10h],xmm1
77672c35 0f11542420 movups xmmword ptr [esp+20h],xmm2

Registers

eax=00478df6 ebx=107aca74 ecx=478df633 edx=00a10000 esi=478df633 edi=107ac990
eip=77672c0b esp=107ac988 ebp=107ac998 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
fpcw=027F: rn 53 puozdi fpsw=4000: top=0 cc=1000 -------- fptw=FFFF
fopcode=0000 fpip=0000:652333d5 fpdp=0000:107ad634
st0= 0.000000000000000000000e+0000 st1=-1.078999817530109144610e-0043
st2= 0.000000000000000000000e+0000 st3= 1.000000000000000000000e+0000
st4= 1.000000000000000000000e+0000 st5=-1.078999817530109144610e-0043
st6= 1.000000000000000000000e+0000 st7= 1.000000000000000000000e+0004
mm0=0000000000000000 mm1=9a00000000000000
mm2=0000000000000000 mm3=8000000000000000
mm4=8000000000000000 mm5=9a00000000000000
mm6=8000000000000000 mm7=9c40000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
ntdll!LdrpValidateUserCallTargetBitMapCheck:
77672c0b 8b1482 mov edx,dword ptr [edx+eax*4] ds:0023:01bf37d8=????????

Referenced memory

Memory around address 0x1BF37D8:

01bf37d8 ???????? ⇐ referenced

Binary information

edgehtml.dll

Loaded symbol image file: C:\WINDOWS\SYSTEM32\edgehtml.dll
Image path: C:\WINDOWS\SYSTEM32\edgehtml.dll
Image name: edgehtml.dll
Timestamp: Sat Apr 23 06:20:39 2016 (571AF817)
CheckSum: 011D509E
ImageSize: 011EB000
File version: 11.0.10586.306
Product version: 11.0.10586.306
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Internet Explorer
InternalName: EDGEHTML
OriginalFilename: EDGEHTML.DLL
ProductVersion: 11.00.10586.306
FileVersion: 11.00.10586.306 (th2_release_sec.160422-1850)
FileDescription: Microsoft (R) HTML Viewer
LegalCopyright: © Microsoft Corporation. All rights reserved.

microsoftedgecp.exe

Image path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
Image name: microsoftedgecp.exe
Timestamp: Tue Nov 24 07:49:28 2015 (56540878)
CheckSum: 00053B24
ImageSize: 0004E000
File version: 11.0.10586.20
Product version: 11.0.10586.20
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft Edge
InternalName: MicrosoftEdgeCP
OriginalFilename: MicrosoftEdgeCP.exe
ProductVersion: 11.00.10586.20
FileVersion: 11.00.10586.20 (th2_release_sec.151123-1940)
FileDescription: Microsoft Edge Content Process
LegalCopyright: © Microsoft Corporation. All rights reserved.

Debugger IO


Microsoft (R) Windows Debugger Version 6.3.9600.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*http://msdl.microsoft.com/download/symbols
Deferred cache*\\J3\Symbols
Deferred cache*\\server\Symbols
Deferred srv*http://chromium-browser-symsrv.commondatastorage.googleapis.com
Deferred srv*http://symbols.mozilla.org/firefox
Symbol search path is: srv*http://msdl.microsoft.com/download/symbols;cache*\\J3\Symbols;cache*\\server\Symbols;srv*http://chromium-browser-symsrv.commondatastorage.googleapis.com;srv*http://symbols.mozilla.org/firefox
Executable search path is:
ModLoad: 01090000 010a4000 C:\Windows\System32\RuntimeBroker.exe
ModLoad: 775d0000 7774b000 C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 6cc80000 6cce1000 C:\WINDOWS\system32\verifier.dll
ModLoad: 75160000 751f6000 C:\WINDOWS\system32\KERNEL32.DLL
ModLoad: 74460000 745df000 C:\WINDOWS\system32\KERNELBASE.dll
ModLoad: 75a40000 75afe000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 770e0000 771a2000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 772b0000 7746d000 C:\WINDOWS\system32\combase.dll
ModLoad: 747d0000 74828000 C:\WINDOWS\system32\bcryptPrimitives.dll
ModLoad: 74350000 74394000 C:\WINDOWS\system32\powrprof.dll
ModLoad: 74340000 7434c000 C:\WINDOWS\system32\kernel.appcore.dll
ModLoad: 76f10000 76ffb000 C:\WINDOWS\system32\ole32.dll
ModLoad: 75210000 75254000 C:\WINDOWS\system32\sechost.dll
ModLoad: 77470000 775c5000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 75720000 75858000 C:\WINDOWS\system32\USER32.dll
ModLoad: 74e60000 74e8f000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 74dd0000 74e54000 C:\WINDOWS\system32\clbcatq.dll
ModLoad: 6eb60000 6ece7000 C:\Windows\System32\Windows.UI.Immersive.dll
ModLoad: 759b0000 75a3d000 C:\WINDOWS\system32\shcore.dll
ModLoad: 72100000 7231c000 C:\Windows\System32\ActXPrxy.dll
ModLoad: 6efc0000 6f088000 C:\Windows\System32\WinTypes.dll
ModLoad: 73280000 7334d000 C:\Windows\System32\twinapi.appcore.dll
ModLoad: 742a0000 742bd000 C:\Windows\System32\bcrypt.dll
ModLoad: 6cae0000 6cb01000 C:\Windows\System32\Windows.ApplicationModel.Core.dll
ModLoad: 743b0000 743bf000 C:\WINDOWS\system32\profapi.dll
ModLoad: 73a00000 73a28000 C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 73c10000 73c29000 C:\Windows\System32\USERENV.dll
ModLoad: 69b00000 69b12000 C:\WINDOWS\SYSTEM32\profext.dll
ModLoad: 74050000 74074000 C:\WINDOWS\system32\SspiCli.dll
ModLoad: 678a0000 678b5000 C:\WINDOWS\SYSTEM32\capauthz.dll
ModLoad: 72fc0000 73052000 C:\WINDOWS\system32\apphelp.dll
(cf4.c04): Break instruction exception - code 80000003 (first chance)
eax=0023a000 ebx=00000000 ecx=77691d90 edx=40040110 esi=77691d90 edi=77691d90
eip=77661250 esp=00a9fa50 ebp=00a9fa7c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
77661250 cc int 3

Create process 3316 breakpoint.
0:007> g
*** wait with pending attach

Executable search path is:
ModLoad: 00d30000 00d38000 C:\WINDOWS\system32\browser_broker.exe
ModLoad: 775d0000 7774b000 C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 6cc80000 6cce1000 C:\WINDOWS\system32\verifier.dll
ModLoad: 75160000 751f6000 C:\WINDOWS\system32\KERNEL32.DLL
ModLoad: 74460000 745df000 C:\WINDOWS\system32\KERNELBASE.dll
ModLoad: 75a40000 75afe000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 772b0000 7746d000 C:\WINDOWS\system32\combase.dll
ModLoad: 770e0000 771a2000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 747d0000 74828000 C:\WINDOWS\system32\bcryptPrimitives.dll
ModLoad: 75210000 75254000 C:\WINDOWS\system32\sechost.dll
ModLoad: 75720000 75858000 C:\WINDOWS\system32\user32.dll
ModLoad: 77470000 775c5000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 74e60000 74e8f000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 74340000 7434c000 C:\WINDOWS\system32\kernel.appcore.dll
ModLoad: 73070000 730e9000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 6cb40000 6cb57000 C:\WINDOWS\SYSTEM32\browserbroker.dll
ModLoad: 759b0000 75a3d000 C:\WINDOWS\system32\shcore.dll
ModLoad: 750c0000 75152000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 74650000 747c9000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 743a0000 743ae000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 6ecf0000 6efbb000 C:\WINDOWS\SYSTEM32\iertutil.dll
ModLoad: 748d0000 74dca000 C:\WINDOWS\system32\windows.storage.dll
ModLoad: 74420000 74457000 C:\WINDOWS\system32\cfgmgr32.dll
ModLoad: 77060000 770db000 C:\WINDOWS\system32\advapi32.dll
ModLoad: 75670000 756b5000 C:\WINDOWS\system32\shlwapi.dll
ModLoad: 74350000 74394000 C:\WINDOWS\system32\powrprof.dll
ModLoad: 743b0000 743bf000 C:\WINDOWS\system32\profapi.dll
ModLoad: 6bf70000 6c0ec000 C:\WINDOWS\SYSTEM32\urlmon.dll
ModLoad: 715f0000 71606000 C:\WINDOWS\SYSTEM32\MPR.dll
ModLoad: 6a650000 6a878000 C:\WINDOWS\SYSTEM32\WININET.dll
ModLoad: 716f0000 7171d000 C:\WINDOWS\SYSTEM32\XmlLite.dll
ModLoad: 73ac0000 73ac8000 C:\WINDOWS\SYSTEM32\DPAPI.DLL
ModLoad: 74dd0000 74e54000 C:\WINDOWS\system32\clbcatq.dll
ModLoad: 61d00000 61d4f000 C:\Windows\System32\ieproxy.dll
ModLoad: 76f10000 76ffb000 C:\WINDOWS\system32\ole32.dll
ModLoad: 73280000 7334d000 C:\Windows\System32\twinapi.appcore.dll
ModLoad: 742a0000 742bd000 C:\Windows\System32\bcrypt.dll
ModLoad: 74050000 74074000 C:\WINDOWS\SYSTEM32\SspiCli.dll
ModLoad: 75b00000 76efe000 C:\WINDOWS\system32\SHELL32.dll
(10bc.e40): Break instruction exception - code 80000003 (first chance)

Create process 4284 breakpoint.
1:007> g
*** wait with pending attach

Executable search path is:
ModLoad: 01040000 0151d000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
ModLoad: 775d0000 7774b000 C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 6cc80000 6cce1000 C:\WINDOWS\system32\verifier.dll
ModLoad: 75160000 751f6000 C:\WINDOWS\system32\KERNEL32.DLL
ModLoad: 74460000 745df000 C:\WINDOWS\system32\KERNELBASE.dll
ModLoad: 72fc0000 73052000 C:\WINDOWS\system32\apphelp.dll
ModLoad: 77060000 770db000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 75a40000 75afe000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 75210000 75254000 C:\WINDOWS\system32\sechost.dll
ModLoad: 770e0000 771a2000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 76f10000 76ffb000 C:\WINDOWS\system32\ole32.dll
ModLoad: 772b0000 7746d000 C:\WINDOWS\system32\combase.dll
ModLoad: 747d0000 74828000 C:\WINDOWS\system32\bcryptPrimitives.dll
ModLoad: 77470000 775c5000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 75720000 75858000 C:\WINDOWS\system32\USER32.dll
ModLoad: 6fe50000 6fe99000 C:\WINDOWS\SYSTEM32\wincorlib.DLL
ModLoad: 750c0000 75152000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 74e60000 74e8f000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 74340000 7434c000 C:\WINDOWS\system32\kernel.appcore.dll
ModLoad: 6f090000 6fd00000 C:\Windows\System32\Windows.UI.Xaml.dll
ModLoad: 6efc0000 6f088000 C:\WINDOWS\SYSTEM32\wintypes.dll
ModLoad: 72bf0000 72c77000 C:\WINDOWS\SYSTEM32\CoreMessaging.dll
ModLoad: 72320000 72372000 C:\WINDOWS\SYSTEM32\Bcp47Langs.dll
ModLoad: 6ecf0000 6efbb000 C:\WINDOWS\SYSTEM32\iertutil.dll
ModLoad: 759b0000 75a3d000 C:\WINDOWS\system32\shcore.dll
ModLoad: 748d0000 74dca000 C:\WINDOWS\system32\windows.storage.dll
ModLoad: 74420000 74457000 C:\WINDOWS\system32\cfgmgr32.dll
ModLoad: 75670000 756b5000 C:\WINDOWS\system32\shlwapi.dll
ModLoad: 74350000 74394000 C:\WINDOWS\system32\powrprof.dll
ModLoad: 743b0000 743bf000 C:\WINDOWS\system32\profapi.dll
ModLoad: 73280000 7334d000 C:\Windows\System32\twinapi.appcore.dll
ModLoad: 742a0000 742bd000 C:\WINDOWS\SYSTEM32\bcrypt.dll
ModLoad: 6e510000 6e525000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EShims.dll
ModLoad: 73c10000 73c29000 C:\WINDOWS\SYSTEM32\USERENV.dll
ModLoad: 715f0000 71606000 C:\WINDOWS\SYSTEM32\MPR.dll
ModLoad: 615f0000 61a2c000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll
ModLoad: 75b00000 76efe000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 743c0000 7441e000 C:\WINDOWS\system32\firewallapi.dll
ModLoad: 734a0000 734cd000 C:\WINDOWS\SYSTEM32\fwbase.dll
ModLoad: 72100000 7231c000 C:\Windows\System32\ActXPrxy.dll
ModLoad: 73070000 730e9000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 72b10000 72b2d000 C:\WINDOWS\SYSTEM32\dwmapi.dll
ModLoad: 72860000 728e2000 C:\WINDOWS\SYSTEM32\dxgi.dll
ModLoad: 6b5a0000 6b5c9000 C:\Windows\System32\Windows.ApplicationModel.dll
ModLoad: 6c710000 6ca93000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eView.dll
ModLoad: 6bf70000 6c0ec000 C:\WINDOWS\SYSTEM32\urlmon.dll
ModLoad: 6fd80000 6fe50000 C:\Windows\System32\MrmCoreR.dll
ModLoad: 6fd00000 6fd7b000 C:\Windows\System32\Windows.UI.dll
ModLoad: 6a930000 6aaf6000 C:\WINDOWS\system32\CoreUIComponents.dll
ModLoad: 75890000 759af000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 728f0000 72b0a000 C:\WINDOWS\SYSTEM32\d3d11.dll
ModLoad: 71bb0000 71dc8000 C:\WINDOWS\SYSTEM32\d3d10warp.dll
ModLoad: 71720000 71bae000 C:\WINDOWS\SYSTEM32\d2d1.dll
ModLoad: 72c80000 72d34000 C:\Windows\System32\dcomp.dll
ModLoad: 69b00000 69b12000 C:\WINDOWS\SYSTEM32\profext.dll
ModLoad: 73a00000 73a28000 C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 6a650000 6a878000 C:\WINDOWS\SYSTEM32\WININET.dll
ModLoad: 74050000 74074000 C:\WINDOWS\SYSTEM32\SspiCli.dll
ModLoad: 66850000 6685b000 C:\WINDOWS\SYSTEM32\tokenbinding.dll
ModLoad: 75000000 7505f000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 6bba0000 6bbb2000 C:\WINDOWS\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 71620000 7164f000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 70e40000 70edb000 C:\WINDOWS\SYSTEM32\winhttp.dll
ModLoad: 73d50000 73da0000 C:\WINDOWS\system32\mswsock.dll
ModLoad: 70210000 70218000 C:\WINDOWS\SYSTEM32\WINNSI.DLL
ModLoad: 75200000 75207000 C:\WINDOWS\system32\NSI.dll
ModLoad: 696a0000 696e1000 C:\WINDOWS\system32\DataExchange.dll
ModLoad: 73ed0000 73eda000 C:\WINDOWS\SYSTEM32\CRYPTBASE.dll
ModLoad: 6b100000 6b10f000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 69b60000 69b6c000 C:\WINDOWS\system32\execmodelproxy.dll
ModLoad: 64350000 644cb000 C:\WINDOWS\SYSTEM32\ieapfltr.dll
ModLoad: 73de0000 73df3000 C:\WINDOWS\SYSTEM32\CRYPTSP.dll
ModLoad: 6ddc0000 6de0a000 C:\WINDOWS\SYSTEM32\policymanager.dll
ModLoad: 6dd50000 6ddb5000 C:\WINDOWS\SYSTEM32\msvcp110_win.dll
ModLoad: 716f0000 7171d000 C:\WINDOWS\SYSTEM32\XmlLite.dll
ModLoad: 6e7c0000 6e8f2000 C:\Windows\System32\Windows.Globalization.dll
ModLoad: 6b7d0000 6b804000 C:\WINDOWS\System32\netprofm.dll
ModLoad: 6b6a0000 6b6a9000 C:\WINDOWS\System32\npmproxy.dll
ModLoad: 71610000 71620000 C:\WINDOWS\SYSTEM32\wkscli.dll
ModLoad: 70ba0000 70bc8000 C:\WINDOWS\SYSTEM32\netjoin.dll
ModLoad: 73f00000 73f1e000 C:\WINDOWS\SYSTEM32\JoinUtil.dll
ModLoad: 756c0000 7571a000 C:\WINDOWS\system32\coml2.dll
ModLoad: 73940000 7394a000 C:\WINDOWS\SYSTEM32\netutils.dll
ModLoad: 6cb10000 6cb39000 C:\WINDOWS\SYSTEM32\MDMRegistration.DLL
ModLoad: 74650000 747c9000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 743a0000 743ae000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 6da50000 6da63000 C:\WINDOWS\SYSTEM32\DMCmnUtils.dll
ModLoad: 730f0000 73112000 C:\WINDOWS\SYSTEM32\DEVOBJ.dll
ModLoad: 73f70000 73f90000 C:\WINDOWS\SYSTEM32\ncrypt.dll
ModLoad: 73f40000 73f6c000 C:\WINDOWS\SYSTEM32\NTASN1.dll
ModLoad: 731f0000 73274000 C:\WINDOWS\SYSTEM32\DNSAPI.dll
ModLoad: 72770000 72790000 C:\WINDOWS\SYSTEM32\SLC.dll
ModLoad: 72750000 7276d000 C:\WINDOWS\SYSTEM32\sppc.dll
ModLoad: 69fb0000 69fe4000 C:\Windows\System32\execmodelclient.dll
ModLoad: 725a0000 726eb000 C:\WINDOWS\SYSTEM32\PROPSYS.dll
ModLoad: 733d0000 733ef000 C:\Windows\System32\rmclient.dll
ModLoad: 6e900000 6eaf1000 C:\WINDOWS\SYSTEM32\dwrite.dll
ModLoad: 666a0000 666ec000 C:\Windows\System32\Windows.Graphics.dll
ModLoad: 701c0000 701c8000 C:\Windows\System32\rasadhlp.dll
ModLoad: 70060000 700a7000 C:\WINDOWS\System32\fwpuclnt.dll
ModLoad: 6cae0000 6cb01000 C:\Windows\System32\Windows.ApplicationModel.Core.dll
ModLoad: 660a0000 66333000 C:\WINDOWS\SYSTEM32\msftedit.dll
ModLoad: 72060000 72083000 C:\WINDOWS\SYSTEM32\globinputhost.dll
ModLoad: 67920000 6796d000 C:\WINDOWS\SYSTEM32\NInput.dll
ModLoad: 66350000 66362000 C:\Windows\System32\Windows.Globalization.Fontgroups.dll
ModLoad: 66340000 66349000 C:\WINDOWS\SYSTEM32\fontgroupsoverride.dll
ModLoad: 6cac0000 6cae0000 C:\Windows\System32\Windows.System.Profile.RetailInfo.dll
ModLoad: 69a50000 69ae3000 C:\WINDOWS\system32\twinapi.dll
ModLoad: 6e750000 6e7c0000 C:\WINDOWS\system32\directmanipulation.dll
ModLoad: 6de80000 6de91000 C:\Windows\System32\threadpoolwinrt.dll
(664.394): Break instruction exception - code 80000003 (first chance)

Create process 1636 breakpoint.
2:053> g
*** wait with pending attach

Executable search path is:
ModLoad: 009c0000 00a0e000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
ModLoad: 775d0000 7774b000 C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 6cc80000 6cce1000 C:\WINDOWS\system32\verifier.dll
ModLoad: 75160000 751f6000 C:\WINDOWS\system32\KERNEL32.DLL
ModLoad: 74460000 745df000 C:\WINDOWS\system32\KERNELBASE.dll
ModLoad: 72fc0000 73052000 C:\WINDOWS\system32\apphelp.dll
ModLoad: 77060000 770db000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 75a40000 75afe000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 75210000 75254000 C:\WINDOWS\system32\sechost.dll
ModLoad: 770e0000 771a2000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 759b0000 75a3d000 C:\WINDOWS\system32\shcore.dll
ModLoad: 772b0000 7746d000 C:\WINDOWS\system32\combase.dll
ModLoad: 747d0000 74828000 C:\WINDOWS\system32\bcryptPrimitives.dll
ModLoad: 74600000 74642000 C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 743a0000 743ae000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 74650000 747c9000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 6ecf0000 6efbb000 C:\WINDOWS\SYSTEM32\iertutil.dll
ModLoad: 748d0000 74dca000 C:\WINDOWS\system32\windows.storage.dll
ModLoad: 74420000 74457000 C:\WINDOWS\system32\cfgmgr32.dll
ModLoad: 75670000 756b5000 C:\WINDOWS\system32\shlwapi.dll
ModLoad: 77470000 775c5000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 75720000 75858000 C:\WINDOWS\system32\USER32.dll
ModLoad: 74340000 7434c000 C:\WINDOWS\system32\kernel.appcore.dll
ModLoad: 74350000 74394000 C:\WINDOWS\system32\powrprof.dll
ModLoad: 743b0000 743bf000 C:\WINDOWS\system32\profapi.dll
ModLoad: 74e60000 74e8f000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 615f0000 61a2c000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EMODEL.dll
ModLoad: 75b00000 76efe000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 750c0000 75152000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 743c0000 7441e000 C:\WINDOWS\system32\firewallapi.dll
ModLoad: 73c10000 73c29000 C:\WINDOWS\SYSTEM32\USERENV.dll
ModLoad: 734a0000 734cd000 C:\WINDOWS\SYSTEM32\fwbase.dll
ModLoad: 6e510000 6e525000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EShims.dll
ModLoad: 715f0000 71606000 C:\WINDOWS\SYSTEM32\MPR.dll
ModLoad: 76f10000 76ffb000 C:\WINDOWS\system32\ole32.dll
ModLoad: 73070000 730e9000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 69b00000 69b12000 C:\WINDOWS\SYSTEM32\profext.dll
ModLoad: 73a00000 73a28000 C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 73280000 7334d000 C:\WINDOWS\SYSTEM32\twinapi.appcore.dll
ModLoad: 742a0000 742bd000 C:\WINDOWS\SYSTEM32\bcrypt.dll
ModLoad: 64bb0000 65d9b000 C:\WINDOWS\SYSTEM32\edgehtml.dll
ModLoad: 73de0000 73df3000 C:\WINDOWS\SYSTEM32\cryptsp.dll
ModLoad: 64540000 64bb0000 C:\WINDOWS\SYSTEM32\chakra.dll
ModLoad: 64500000 64533000 C:\WINDOWS\SYSTEM32\MLANG.dll
ModLoad: 73ed0000 73eda000 C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
ModLoad: 6efc0000 6f088000 C:\Windows\System32\WinTypes.dll
ModLoad: 6a650000 6a878000 C:\WINDOWS\SYSTEM32\WININET.dll
ModLoad: 74050000 74074000 C:\WINDOWS\SYSTEM32\SspiCli.dll
ModLoad: 66850000 6685b000 C:\WINDOWS\SYSTEM32\tokenbinding.dll
ModLoad: 75000000 7505f000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 6bba0000 6bbb2000 C:\WINDOWS\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 71620000 7164f000 C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 70e40000 70edb000 C:\WINDOWS\SYSTEM32\winhttp.dll
ModLoad: 73d50000 73da0000 C:\WINDOWS\system32\mswsock.dll
ModLoad: 70210000 70218000 C:\WINDOWS\SYSTEM32\WINNSI.DLL
ModLoad: 75200000 75207000 C:\WINDOWS\system32\NSI.dll
ModLoad: 6bf70000 6c0ec000 C:\WINDOWS\SYSTEM32\urlmon.dll
ModLoad: 72b10000 72b2d000 C:\WINDOWS\SYSTEM32\dwmapi.dll
ModLoad: 75890000 759af000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 64350000 644cb000 C:\WINDOWS\SYSTEM32\ieapfltr.dll
ModLoad: 6ddc0000 6de0a000 C:\WINDOWS\SYSTEM32\policymanager.dll
ModLoad: 6dd50000 6ddb5000 C:\WINDOWS\SYSTEM32\msvcp110_win.dll
(304.e88): Break instruction exception - code 80000003 (first chance)

Create process 772 breakpoint.
3:062> g
*** wait with pending attach

Executable search path is:
ModLoad: 01390000 0139b000 C:\WINDOWS\system32\ApplicationFrameHost.exe
ModLoad: 775d0000 7774b000 C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 6cc80000 6cce1000 C:\WINDOWS\system32\verifier.dll
ModLoad: 75160000 751f6000 C:\WINDOWS\system32\KERNEL32.DLL
ModLoad: 74460000 745df000 C:\WINDOWS\system32\KERNELBASE.dll
ModLoad: 75a40000 75afe000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 772b0000 7746d000 C:\WINDOWS\system32\combase.dll
ModLoad: 770e0000 771a2000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 747d0000 74828000 C:\WINDOWS\system32\bcryptPrimitives.dll
ModLoad: 74340000 7434c000 C:\WINDOWS\system32\kernel.appcore.dll
ModLoad: 74dd0000 74e54000 C:\WINDOWS\system32\clbcatq.dll
ModLoad: 67c30000 67d31000 C:\WINDOWS\System32\ApplicationFrame.dll
ModLoad: 759b0000 75a3d000 C:\WINDOWS\system32\SHCORE.dll
ModLoad: 75670000 756b5000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77470000 775c5000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 75720000 75858000 C:\WINDOWS\system32\USER32.dll
ModLoad: 750c0000 75152000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 725a0000 726eb000 C:\WINDOWS\System32\PROPSYS.dll
ModLoad: 75210000 75254000 C:\WINDOWS\system32\sechost.dll
ModLoad: 73280000 7334d000 C:\WINDOWS\System32\twinapi.appcore.dll
ModLoad: 73070000 730e9000 C:\WINDOWS\System32\UxTheme.dll
ModLoad: 730f0000 73112000 C:\WINDOWS\System32\DEVOBJ.dll
ModLoad: 74420000 74457000 C:\WINDOWS\system32\cfgmgr32.dll
ModLoad: 69a50000 69ae3000 C:\WINDOWS\System32\TWINAPI.dll
ModLoad: 71720000 71bae000 C:\WINDOWS\System32\d2d1.dll
ModLoad: 728f0000 72b0a000 C:\WINDOWS\System32\d3d11.dll
ModLoad: 72c80000 72d34000 C:\WINDOWS\System32\dcomp.dll
ModLoad: 72b10000 72b2d000 C:\WINDOWS\System32\dwmapi.dll
ModLoad: 742a0000 742bd000 C:\WINDOWS\System32\bcrypt.dll
ModLoad: 72860000 728e2000 C:\WINDOWS\System32\dxgi.dll
ModLoad: 74e60000 74e8f000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 72100000 7231c000 C:\Windows\System32\ActXPrxy.dll
ModLoad: 75890000 759af000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 71bb0000 71dc8000 C:\WINDOWS\system32\D3D10Warp.dll
ModLoad: 6cb60000 6cc7c000 C:\WINDOWS\system32\UIAutomationCore.DLL
ModLoad: 73c10000 73c29000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 743b0000 743bf000 C:\WINDOWS\system32\profapi.dll
ModLoad: 75b00000 76efe000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 748d0000 74dca000 C:\WINDOWS\system32\windows.storage.dll
ModLoad: 77060000 770db000 C:\WINDOWS\system32\advapi32.dll
ModLoad: 74350000 74394000 C:\WINDOWS\system32\powrprof.dll
ModLoad: 72320000 72372000 C:\WINDOWS\system32\Bcp47Langs.dll
ModLoad: 72410000 72583000 C:\WINDOWS\system32\windowscodecs.dll
ModLoad: 6fd80000 6fe50000 C:\WINDOWS\SYSTEM32\mrmcorer.dll
ModLoad: 6ecf0000 6efbb000 C:\WINDOWS\SYSTEM32\iertutil.dll
ModLoad: 6fd00000 6fd7b000 C:\Windows\System32\Windows.UI.dll
(d98.13a8): Break instruction exception - code 80000003 (first chance)

Create process 3480 breakpoint.
4:076> g
(664.1144): Windows Runtime Originate Error - code 40080201 (first chance)
(664.1144): Windows Runtime Originate Error - code 40080201 (first chance)
(664.1144): Windows Runtime Originate Error - code 40080201 (first chance)
(664.1144): Windows Runtime Originate Error - code 40080201 (first chance)
(664.1144): Windows Runtime Originate Error - code 40080201 (first chance)
(304.80c): Unknown exception - code 00000005 (first chance)
inetcore\apfilter\src\util\unmanaged\core\src\useraccountstore.cpp(48)\ieapfltr.dll!64399176: (caller: 64398D8F) Exception(1) tid(80c) 80040154 Class not registered
(664.1144): Windows Runtime Originate Error - code 40080201 (first chance)
(664.1144): Windows Runtime Originate Error - code 40080201 (first chance)
(304.80c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

3:091> .lastevent
Last event: 304.80c: Access violation - code c0000005 (first chance)
debugger time: Mon May 16 16:13:15.166 2016 (UTC + 2:00)

3:091> |.
. 3 id: 304 attach name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe

3:091> .exr -1
ExceptionAddress: 77672c0b (ntdll!LdrpValidateUserCallTargetBitMapCheck)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 01bf37d8
Attempt to read from address 01bf37d8

3:091> lm on
start end module name
009c0000 00a0e000 microsoftedgecp microsoftedgecp.exe
615f0000 61a2c000 EMODEL EMODEL.dll
61d00000 61d4f000 ieproxy ieproxy.dll
64350000 644cb000 ieapfltr ieapfltr.dll
644d0000 644de000 msimtf msimtf.dll
644e0000 644fc000 srpapi srpapi.dll
64500000 64533000 MLANG MLANG.dll
64540000 64bb0000 chakra chakra.dll
64bb0000 65d9b000 edgehtml edgehtml.dll
66850000 6685b000 tokenbinding tokenbinding.dll
67920000 6796d000 ninput ninput.dll
696a0000 696e1000 dataexchange dataexchange.dll
69a50000 69ae3000 twinapi twinapi.dll
69b00000 69b12000 profext profext.dll
6a650000 6a878000 WININET WININET.dll
6bba0000 6bbb2000 ondemandconnroutehelper ondemandconnroutehelper.dll
6bf70000 6c0ec000 urlmon urlmon.dll
6cc80000 6cce1000 verifier verifier.dll
6dd50000 6ddb5000 msvcp110_win msvcp110_win.dll
6ddc0000 6de0a000 policymanager policymanager.dll
6e1c0000 6e1e0000 IDStore IDStore.dll
6e510000 6e525000 EShims EShims.dll
6e670000 6e678000 dispex dispex.dll
6e750000 6e7c0000 directmanipulation directmanipulation.dll
6e7c0000 6e8f2000 windows_globalization windows.globalization.dll
6e900000 6eaf1000 DWrite DWrite.dll
6ecf0000 6efbb000 iertutil iertutil.dll
6efc0000 6f088000 WinTypes WinTypes.dll
6fd00000 6fd7b000 Windows_UI Windows.UI.dll
6fd80000 6fe50000 MrmCoreR MrmCoreR.dll
70060000 700a7000 fwpuclnt fwpuclnt.dll
701c0000 701c8000 rasadhlp rasadhlp.dll
70210000 70218000 WINNSI WINNSI.DLL
70e40000 70edb000 winhttp winhttp.dll
715f0000 71606000 MPR MPR.dll
71620000 7164f000 IPHLPAPI IPHLPAPI.DLL
71720000 71bae000 d2d1 d2d1.dll
71bb0000 71dc8000 d3d10warp d3d10warp.dll
72100000 7231c000 ActXPrxy ActXPrxy.dll
72320000 72372000 Bcp47Langs Bcp47Langs.dll
725a0000 726eb000 PROPSYS PROPSYS.dll
726f0000 72703000 SAMLIB SAMLIB.dll
72860000 728e2000 dxgi dxgi.dll
728f0000 72b0a000 d3d11 d3d11.dll
72b10000 72b2d000 dwmapi dwmapi.dll
72c80000 72d34000 dcomp dcomp.dll
72fc0000 73052000 apphelp apphelp.dll
73070000 730e9000 uxtheme uxtheme.dll
731f0000 73274000 DNSAPI DNSAPI.dll
73280000 7334d000 twinapi_appcore twinapi.appcore.dll
733d0000 733ef000 rmclient rmclient.dll
734a0000 734cd000 fwbase fwbase.dll
73970000 7397a000 tbs tbs.dll
73a00000 73a28000 ntmarta ntmarta.dll
73a90000 73abf000 rsaenh rsaenh.dll
73c10000 73c29000 USERENV USERENV.dll
73d50000 73da0000 mswsock mswsock.dll
73de0000 73df3000 cryptsp cryptsp.dll
73ed0000 73eda000 CRYPTBASE CRYPTBASE.DLL
74050000 74074000 SspiCli SspiCli.dll
74210000 74291000 sxs sxs.dll
742a0000 742bd000 bcrypt bcrypt.dll
74340000 7434c000 kernel_appcore kernel.appcore.dll
74350000 74394000 powrprof powrprof.dll
743a0000 743ae000 MSASN1 MSASN1.dll
743b0000 743bf000 profapi profapi.dll
743c0000 7441e000 firewallapi firewallapi.dll
74420000 74457000 cfgmgr32 cfgmgr32.dll
74460000 745df000 KERNELBASE KERNELBASE.dll
74600000 74642000 WINTRUST WINTRUST.dll
74650000 747c9000 CRYPT32 CRYPT32.dll
747d0000 74828000 bcryptPrimitives bcryptPrimitives.dll
748d0000 74dca000 windows_storage windows.storage.dll
74e60000 74e8f000 IMM32 IMM32.DLL
75000000 7505f000 WS2_32 WS2_32.dll
750c0000 75152000 OLEAUT32 OLEAUT32.dll
75160000 751f6000 KERNEL32 KERNEL32.DLL
75200000 75207000 NSI NSI.dll
75210000 75254000 sechost sechost.dll
75670000 756b5000 shlwapi shlwapi.dll
75720000 75858000 USER32 USER32.dll
75890000 759af000 MSCTF MSCTF.dll
759b0000 75a3d000 shcore shcore.dll
75a40000 75afe000 msvcrt msvcrt.dll
75b00000 76efe000 SHELL32 SHELL32.dll
76f10000 76ffb000 ole32 ole32.dll
77060000 770db000 ADVAPI32 ADVAPI32.dll
770e0000 771a2000 RPCRT4 RPCRT4.dll
772b0000 7746d000 combase combase.dll
77470000 775c5000 GDI32 GDI32.dll
775d0000 7774b000 ntdll ntdll.dll

3:091> kn 0x64
# ChildEBP RetAddr
00 107ac984 6556b067 ntdll!LdrpValidateUserCallTargetBitMapCheck
01 107ac998 65a05a88 edgehtml!CBaseScriptable::PrivateQueryInterface+0xc7
02 107ac9b8 65253d90 edgehtml!Credentials::PrivateQueryInterface+0x18
03 107ac9dc 646afa19 edgehtml!CBaseTypeOperations::QueryObjectInterface+0xc0
04 107aca04 6472d3cb chakra!Js::CustomExternalObject::QueryObjectInterface+0x39
05 107aca2c 7733c72f chakra!JavascriptDispatch::QueryInterface+0x1cb
06 (Inline) -------- combase!ObtainStdIDFromUnk+0x19 [d:\th\com\combase\dcomrem\stdid.cxx @ 2133]
07 (Inline) -------- combase!StdMarshalObject+0xb2 [d:\th\com\combase\dcomrem\marshal.cxx @ 9570]
08 107acb34 7733c053 combase!CDestObjectWrapper::MarshalInterface+0x5ef [d:\th\com\combase\dcomrem\coapi.cxx @ 718]
09 107acba4 772bb878 combase!CoMarshalInterface+0x613 [d:\th\com\combase\dcomrem\coapi.cxx @ 1001]
0a 107acc24 750e4285 combase!WdtpInterfacePointer_UserMarshal+0x68 [d:\th\com\combase\proxy\proxy\transmit.cxx @ 882]
0b 107acc58 770f0301 OLEAUT32!VARIANT_UserMarshal+0x125
0c 107acca4 770f01db RPCRT4!NdrpUserMarshalMarshall+0xae
0d 107accd0 770e479a RPCRT4!NdrUserMarshalMarshall+0x8b
0e 107ad118 772bc39e RPCRT4!NdrStubCall2+0x8ea
0f 107ad164 77316906 combase!CStdStubBuffer_Invoke+0xde [d:\th\com\combase\ndr\ndrole\stub.cxx @ 1446]
10 (Inline) -------- combase!InvokeStubWithExceptionPolicyAndTracing::__l7::<lambda_adf5d6ba83bff890864fd80ca2bbf1eb>::operator()+0x1c [d:\th\com\combase\dcomrem\channelb.cxx @ 1805]
11 107ad1b8 77318ae7 combase!ObjectMethodExceptionHandlingAction<<lambda_adf5d6ba83bff890864fd80ca2bbf1eb> >+0x76 [d:\th\com\combase\dcomrem\excepn.hxx @ 91]
12 (Inline) -------- combase!InvokeStubWithExceptionPolicyAndTracing+0x8e [d:\th\com\combase\dcomrem\channelb.cxx @ 1808]
13 107ad2dc 7731dd91 combase!DefaultStubInvoke+0x207 [d:\th\com\combase\dcomrem\channelb.cxx @ 1880]
14 (Inline) -------- combase!SyncStubCall::Invoke+0x22 [d:\th\com\combase\dcomrem\channelb.cxx @ 1934]
15 (Inline) -------- combase!SyncServerCall::StubInvoke+0x22 [d:\th\com\combase\dcomrem\servercall.hpp @ 736]
16 (Inline) -------- combase!StubInvoke+0x1d7 [d:\th\com\combase\dcomrem\channelb.cxx @ 2154]
17 107ad41c 773218b0 combase!ServerCall::ContextInvoke+0x381 [d:\th\com\combase\dcomrem\ctxchnl.cxx @ 1568]
18 (Inline) -------- combase!CServerChannel::ContextInvoke+0x8b [d:\th\com\combase\dcomrem\ctxchnl.cxx @ 1458]
19 (Inline) -------- combase!DefaultInvokeInApartment+0xc5 [d:\th\com\combase\dcomrem\callctrl.cxx @ 3438]
1a (Inline) -------- combase!ClassicSTAInvokeInApartment+0x186 [d:\th\com\combase\dcomrem\callctrl.cxx @ 3202]
1b 107ad514 7731ae45 combase!AppInvoke+0x410 [d:\th\com\combase\dcomrem\channelb.cxx @ 1606]
1c 107ad8cc 773227c6 combase!ComInvokeWithLockAndIPID+0x625 [d:\th\com\combase\dcomrem\channelb.cxx @ 2686]
1d (Inline) -------- combase!ComInvoke+0x1f1 [d:\th\com\combase\dcomrem\channelb.cxx @ 2223]
1e (Inline) -------- combase!ThreadDispatch+0x25a [d:\th\com\combase\dcomrem\chancont.cxx @ 414]
1f 107ad9a0 75755d93 combase!ThreadWndProc+0x426 [d:\th\com\combase\dcomrem\chancont.cxx @ 722]
20 107ad9cc 75739f3a USER32!_InternalCallWinProc+0x2b
21 107ada64 75739a80 USER32!UserCallWinProcCheckWow+0x1aa
22 107adac4 757398d0 USER32!DispatchMessageWorker+0x1a0
23 107adad0 6168a62d USER32!DispatchMessageW+0x10
24 107afc74 61689e13 EMODEL!CTabWindow::_TabWindowThreadProc+0x54d
25 107afd44 6eef1e7c EMODEL!LCIETab_ThreadProc+0x2f3
26 107afd5c 751795f4 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
27 107afd70 775f241a KERNEL32!BaseThreadInitThunk+0x24
28 107afdb8 775f23e9 ntdll!__RtlUserThreadStart+0x2b
29 107afdc8 00000000 ntdll!_RtlUserThreadStart+0x1b

3:091> .exr -1
ExceptionAddress: 77672c0b (ntdll!LdrpValidateUserCallTargetBitMapCheck)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 01bf37d8
Attempt to read from address 01bf37d8

3:091> !heap -p -a 0x1BF37D8
ReadMemory error for address 63273bbf
Use `!address 63273bbf' to check validity of the address.
ReadMemory error for address 63d33bbf
Use `!address 63d33bbf' to check validity of the address.
ReadMemory error for address 66523bbf
Use `!address 66523bbf' to check validity of the address.
ReadMemory error for address 74fc3bd6
Use `!address 74fc3bd6' to check validity of the address.
ReadMemory error for address 694f3bbf
Use `!address 694f3bbf' to check validity of the address.


3:091> !vprot 0x1BF37D8
BaseAddress: 01bf3000
AllocationBase: 00a10000
AllocationProtect: 00000001 PAGE_NOACCESS
RegionSize: 0032f000
State: 00002000 MEM_RESERVE
Type: 00040000 MEM_MAPPED

3:091> .if ($vvalid(@$scopeip - 138, 138)) { u @$scopeip - 138 @$scopeip - 1; };
ntdll!SbpTraceSbImpl+0x101:
77672ad3 044d add al,4Dh
77672ad5 0200 add al,byte ptr [eax]
77672ad7 0000 add byte ptr [eax],al
77672ad9 895c2464 mov dword ptr [esp+64h],ebx
77672add 6689442410 mov word ptr [esp+10h],ax
77672ae2 8d4c2410 lea ecx,[esp+10h]
77672ae6 0fb7c0 movzx eax,ax
77672ae9 89442468 mov dword ptr [esp+68h],eax
77672aed 8d442420 lea eax,[esp+20h]
77672af1 50 push eax
77672af2 6a05 push 5
77672af4 68f0665d77 push offset ntdll!AeSbImplEvent (775d66f0)
77672af9 ff742428 push dword ptr [esp+28h]
77672afd 894c2460 mov dword ptr [esp+60h],ecx
77672b01 ff742428 push dword ptr [esp+28h]
77672b05 899c2480000000 mov dword ptr [esp+80h],ebx
77672b0c e89f42fbff call ntdll!EtwEventWrite (77626db0)
77672b11 8b8c24a4000000 mov ecx,dword ptr [esp+0A4h]
77672b18 5f pop edi
77672b19 5e pop esi
77672b1a 5b pop ebx
77672b1b 33cc xor ecx,esp
77672b1d e84ee5feff call ntdll!__security_check_cookie (77661070)
77672b22 8be5 mov esp,ebp
77672b24 5d pop ebp
77672b25 c3 ret
77672b26 cc int 3
77672b27 cc int 3
77672b28 cc int 3
77672b29 cc int 3
77672b2a cc int 3
77672b2b cc int 3
ntdll!_SEH_prolog4:
77672b2c 6820726677 push offset ntdll!_except_handler4 (77667220)
77672b31 64ff3500000000 push dword ptr fs:[0]
77672b38 8b442410 mov eax,dword ptr [esp+10h]
77672b3c 896c2410 mov dword ptr [esp+10h],ebp
77672b40 8d6c2410 lea ebp,[esp+10h]
77672b44 2be0 sub esp,eax
77672b46 53 push ebx
77672b47 56 push esi
77672b48 57 push edi
77672b49 a1e4e16d77 mov eax,dword ptr [ntdll!__security_cookie (776de1e4)]
77672b4e 3145fc xor dword ptr [ebp-4],eax
77672b51 33c5 xor eax,ebp
77672b53 50 push eax
77672b54 8965e8 mov dword ptr [ebp-18h],esp
77672b57 ff75f8 push dword ptr [ebp-8]
77672b5a 8b45fc mov eax,dword ptr [ebp-4]
77672b5d c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
77672b64 8945f8 mov dword ptr [ebp-8],eax
77672b67 8d45f0 lea eax,[ebp-10h]
77672b6a 64a300000000 mov dword ptr fs:[00000000h],eax
77672b70 c3 ret
ntdll!_SEH_epilog4:
77672b71 8b4df0 mov ecx,dword ptr [ebp-10h]
77672b74 64890d00000000 mov dword ptr fs:[0],ecx
77672b7b 59 pop ecx
77672b7c 5f pop edi
77672b7d 5f pop edi
77672b7e 5e pop esi
77672b7f 5b pop ebx
77672b80 8be5 mov esp,ebp
77672b82 5d pop ebp
77672b83 51 push ecx
77672b84 c3 ret
77672b85 cc int 3
77672b86 cc int 3
77672b87 cc int 3
77672b88 cc int 3
77672b89 cc int 3
77672b8a cc int 3
77672b8b cc int 3
ntdll!_SEH_prolog4_GS:
77672b8c 6820726677 push offset ntdll!_except_handler4 (77667220)
77672b91 64ff3500000000 push dword ptr fs:[0]
77672b98 8b442410 mov eax,dword ptr [esp+10h]
77672b9c 896c2410 mov dword ptr [esp+10h],ebp
77672ba0 8d6c2410 lea ebp,[esp+10h]
77672ba4 2be0 sub esp,eax
77672ba6 53 push ebx
77672ba7 56 push esi
77672ba8 57 push edi
77672ba9 a1e4e16d77 mov eax,dword ptr [ntdll!__security_cookie (776de1e4)]
77672bae 3145fc xor dword ptr [ebp-4],eax
77672bb1 33c5 xor eax,ebp
77672bb3 8945e4 mov dword ptr [ebp-1Ch],eax
77672bb6 50 push eax
77672bb7 8965e8 mov dword ptr [ebp-18h],esp
77672bba ff75f8 push dword ptr [ebp-8]
77672bbd 8b45fc mov eax,dword ptr [ebp-4]
77672bc0 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
77672bc7 8945f8 mov dword ptr [ebp-8],eax
77672bca 8d45f0 lea eax,[ebp-10h]
77672bcd 64a300000000 mov dword ptr fs:[00000000h],eax
77672bd3 c3 ret
ntdll!_SEH_epilog4_GS:
77672bd4 8b4de4 mov ecx,dword ptr [ebp-1Ch]
77672bd7 33cd xor ecx,ebp
77672bd9 e892e4feff call ntdll!__security_check_cookie (77661070)
77672bde e98effffff jmp ntdll!_SEH_epilog4 (77672b71)
77672be3 cc int 3
77672be4 cc int 3
77672be5 cc int 3
77672be6 cc int 3
77672be7 cc int 3
77672be8 cc int 3
77672be9 cc int 3
77672bea cc int 3
77672beb cc int 3
77672bec cc int 3
77672bed cc int 3
77672bee cc int 3
77672bef cc int 3
77672bf0 cc int 3
77672bf1 cc int 3
77672bf2 cc int 3
77672bf3 cc int 3
77672bf4 cc int 3
77672bf5 cc int 3
77672bf6 cc int 3
77672bf7 cc int 3
77672bf8 cc int 3
77672bf9 cc int 3
77672bfa cc int 3
77672bfb cc int 3
77672bfc cc int 3
77672bfd cc int 3
77672bfe cc int 3
77672bff cc int 3
ntdll!LdrpValidateUserCallTarget:
77672c00 8b15a0c16d77 mov edx,dword ptr [ntdll!LdrSystemDllInitBlock+0x60 (776dc1a0)]
77672c06 8bc1 mov eax,ecx
77672c08 c1e808 shr eax,8

3:091> .if ($vvalid(@$scopeip, 138)) { u @$scopeip @$scopeip + 137; };
ntdll!LdrpValidateUserCallTargetBitMapCheck:
77672c0b 8b1482 mov edx,dword ptr [edx+eax*4]
77672c0e 8bc1 mov eax,ecx
77672c10 c1e803 shr eax,3
77672c13 f6c10f test cl,0Fh
77672c16 7506 jne ntdll!LdrpValidateUserCallTargetBitMapRet+0x1 (77672c1e)
77672c18 0fa3c2 bt edx,eax
77672c1b 730a jae ntdll!LdrpValidateUserCallTargetBitMapRet+0xa (77672c27)
ntdll!LdrpValidateUserCallTargetBitMapRet:
77672c1d c3 ret
77672c1e 83c801 or eax,1
77672c21 0fa3c2 bt edx,eax
77672c24 7301 jae ntdll!LdrpValidateUserCallTargetBitMapRet+0xa (77672c27)
77672c26 c3 ret
77672c27 51 push ecx
77672c28 8d642480 lea esp,[esp-80h]
77672c2c 0f110424 movups xmmword ptr [esp],xmm0
77672c30 0f114c2410 movups xmmword ptr [esp+10h],xmm1
77672c35 0f11542420 movups xmmword ptr [esp+20h],xmm2
77672c3a 0f115c2430 movups xmmword ptr [esp+30h],xmm3
77672c3f 0f11642440 movups xmmword ptr [esp+40h],xmm4
77672c44 0f116c2450 movups xmmword ptr [esp+50h],xmm5
77672c49 0f11742460 movups xmmword ptr [esp+60h],xmm6
77672c4e 0f117c2470 movups xmmword ptr [esp+70h],xmm7
77672c53 e8272dfeff call ntdll!RtlpHandleInvalidUserCallTarget (7765597f)
77672c58 0f100424 movups xmm0,xmmword ptr [esp]
77672c5c 0f104c2410 movups xmm1,xmmword ptr [esp+10h]
77672c61 0f10542420 movups xmm2,xmmword ptr [esp+20h]
77672c66 0f105c2430 movups xmm3,xmmword ptr [esp+30h]
77672c6b 0f10642440 movups xmm4,xmmword ptr [esp+40h]
77672c70 0f106c2450 movups xmm5,xmmword ptr [esp+50h]
77672c75 0f10742460 movups xmm6,xmmword ptr [esp+60h]
77672c7a 0f107c2470 movups xmm7,xmmword ptr [esp+70h]
77672c7f 8da42480000000 lea esp,[esp+80h]
77672c86 59 pop ecx
77672c87 c3 ret
77672c88 cc int 3
77672c89 cc int 3
77672c8a cc int 3
77672c8b cc int 3
77672c8c cc int 3
77672c8d cc int 3
77672c8e cc int 3
77672c8f cc int 3
ntdll!NtdllScrollBarWndProc_A:
77672c90 ff2500c06d77 jmp dword ptr [ntdll!NtUserPfn (776dc000)]
77672c96 8da42400000000 lea esp,[esp]
77672c9d 8d4900 lea ecx,[ecx]
ntdll!NtdllScrollBarWndProc_W:
77672ca0 ff255cc06d77 jmp dword ptr [ntdll!NtUserPfn+0x5c (776dc05c)]
77672ca6 8da42400000000 lea esp,[esp]
77672cad 8d4900 lea ecx,[ecx]
ntdll!NtdllTitleWndProc_A:
77672cb0 ff2504c06d77 jmp dword ptr [ntdll!NtUserPfn+0x4 (776dc004)]
77672cb6 8da42400000000 lea esp,[esp]
77672cbd 8d4900 lea ecx,[ecx]
ntdll!NtdllTitleWndProc_W:
77672cc0 ff2560c06d77 jmp dword ptr [ntdll!NtUserPfn+0x60 (776dc060)]
77672cc6 8da42400000000 lea esp,[esp]
77672ccd 8d4900 lea ecx,[ecx]
ntdll!NtdllMenuWndProc_A:
77672cd0 ff2508c06d77 jmp dword ptr [ntdll!NtUserPfn+0x8 (776dc008)]
77672cd6 8da42400000000 lea esp,[esp]
77672cdd 8d4900 lea ecx,[ecx]
ntdll!NtdllMenuWndProc_W:
77672ce0 ff2564c06d77 jmp dword ptr [ntdll!NtUserPfn+0x64 (776dc064)]
77672ce6 8da42400000000 lea esp,[esp]
77672ced 8d4900 lea ecx,[ecx]
ntdll!NtdllDesktopWndProc_A:
77672cf0 ff250cc06d77 jmp dword ptr [ntdll!NtUserPfn+0xc (776dc00c)]
77672cf6 8da42400000000 lea esp,[esp]
77672cfd 8d4900 lea ecx,[ecx]
ntdll!NtdllDesktopWndProc_W:
77672d00 ff2568c06d77 jmp dword ptr [ntdll!NtUserPfn+0x68 (776dc068)]
77672d06 8da42400000000 lea esp,[esp]
77672d0d 8d4900 lea ecx,[ecx]
ntdll!NtdllDefWindowProc_A:
77672d10 ff2510c06d77 jmp dword ptr [ntdll!NtUserPfn+0x10 (776dc010)]
77672d16 8da42400000000 lea esp,[esp]
77672d1d 8d4900 lea ecx,[ecx]
ntdll!NtdllDefWindowProc_W:
77672d20 ff256cc06d77 jmp dword ptr [ntdll!NtUserPfn+0x6c (776dc06c)]
77672d26 8da42400000000 lea esp,[esp]
77672d2d 8d4900 lea ecx,[ecx]
ntdll!NtdllMessageWindowProc_A:
77672d30 ff2514c06d77 jmp dword ptr [ntdll!NtUserPfn+0x14 (776dc014)]
77672d36 8da42400000000 lea esp,[esp]
77672d3d 8d4900 lea ecx,[ecx]
ntdll!NtdllMessageWindowProc_W:
77672d40 ff2570c06d77 jmp dword ptr [ntdll!NtUserPfn+0x70 (776dc070)]

3:091> rM 0x7D
eax=00478df6 ebx=107aca74 ecx=478df633 edx=00a10000 esi=478df633 edi=107ac990
eip=77672c0b esp=107ac988 ebp=107ac998 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
fpcw=027F: rn 53 puozdi fpsw=4000: top=0 cc=1000 -------- fptw=FFFF
fopcode=0000 fpip=0000:652333d5 fpdp=0000:107ad634
st0= 0.000000000000000000000e+0000 st1=-1.078999817530109144610e-0043
st2= 0.000000000000000000000e+0000 st3= 1.000000000000000000000e+0000
st4= 1.000000000000000000000e+0000 st5=-1.078999817530109144610e-0043
st6= 1.000000000000000000000e+0000 st7= 1.000000000000000000000e+0004
mm0=0000000000000000 mm1=9a00000000000000
mm2=0000000000000000 mm3=8000000000000000
mm4=8000000000000000 mm5=9a00000000000000
mm6=8000000000000000 mm7=9c40000000000000
xmm0=0 0 0 0
xmm1=0 0 0 0
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=00000000 dr7=00000000
ntdll!LdrpValidateUserCallTargetBitMapCheck:
77672c0b 8b1482 mov edx,dword ptr [edx+eax*4] ds:0023:01bf37d8=????????

3:091> dpp @$ea - 10*$ptrsize L10;
01bf3798 ????????
01bf379c ????????
01bf37a0 ????????
01bf37a4 ????????
01bf37a8 ????????
01bf37ac ????????
01bf37b0 ????????
01bf37b4 ????????
01bf37b8 ????????
01bf37bc ????????
01bf37c0 ????????
01bf37c4 ????????
01bf37c8 ????????
01bf37cc ????????
01bf37d0 ????????
01bf37d4 ????????

3:091> dpp @$ea L10;
01bf37d8 ????????
01bf37dc ????????
01bf37e0 ????????
01bf37e4 ????????
01bf37e8 ????????
01bf37ec ????????
01bf37f0 ????????
01bf37f4 ????????
01bf37f8 ????????
01bf37fc ????????
01bf3800 ????????
01bf3804 ????????
01bf3808 ????????
01bf380c ????????
01bf3810 ????????
01bf3814 ????????

3:091> dpp @$ea2 - 10*$ptrsize L10;
Bad register error at '@$ea2 - 10*$ptrsize '

3:091> lm M *microsoftedgecp.exe
start end module name
009c0000 00a0e000 microsoftedgecp (deferred)

3:091> lmv m *edgehtml
start end module name
64bb0000 65d9b000 edgehtml (pdb symbols) \\j3\symbols\edgehtml.pdb\EB51CD87F5FF4258B32C8451ECC8CB031\edgehtml.pdb
Loaded symbol image file: C:\WINDOWS\SYSTEM32\edgehtml.dll
Image path: C:\WINDOWS\SYSTEM32\edgehtml.dll
Image name: edgehtml.dll
Timestamp: Sat Apr 23 06:20:39 2016 (571AF817)
CheckSum: 011D509E
ImageSize: 011EB000
File version: 11.0.10586.306
Product version: 11.0.10586.306
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Internet Explorer
InternalName: EDGEHTML
OriginalFilename: EDGEHTML.DLL
ProductVersion: 11.00.10586.306
FileVersion: 11.00.10586.306 (th2_release_sec.160422-1850)
FileDescription: Microsoft (R) HTML Viewer
LegalCopyright: © Microsoft Corporation. All rights reserved.

3:091> lmv m *microsoftedgecp
start end module name
009c0000 00a0e000 microsoftedgecp (deferred)
Image path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
Image name: microsoftedgecp.exe
Timestamp: Tue Nov 24 07:49:28 2015 (56540878)
CheckSum: 00053B24
ImageSize: 0004E000
File version: 11.0.10586.20
Product version: 11.0.10586.20
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft Edge
InternalName: MicrosoftEdgeCP
OriginalFilename: MicrosoftEdgeCP.exe
ProductVersion: 11.00.10586.20
FileVersion: 11.00.10586.20 (th2_release_sec.151123-1940)
FileDescription: Microsoft Edge Content Process
LegalCopyright: © Microsoft Corporation. All rights reserved.

3:091>