Details

Id:  AVR:Arbitrary b89.c4b
Description:  Access violation while reading memory at 0x7DF5FFC60000. The registers show rcx (the indirect-call target being validated by ntdll!LdrpValidateUserCallTarget) is 0 and rdx holds the bitmap base loaded from LdrSystemDllInitBlock+0x60, so with rax = rcx >> 9 = 0 the faulting read [rdx+rax*8] is the Control Flow Guard bitmap entry for a null call target; the triage question is therefore where MSHTML!CAnimatablePropertyListElement::GetCurrentValues obtained a null function pointer.
Location:  iexplore.exe!mshtml.dll!CAnimatablePropertyListElement::GetCurrentValues
Security impact:  Potentially exploitable security issue

Stack

Disassembly

ntdll!LdrpICallHandler:
00007fff`1fdf3b60 33d2            xor     edx,edx
00007fff`1fdf3b62 b90a000000      mov     ecx,0Ah
00007fff`1fdf3b67 cd29            int     29h
00007fff`1fdf3b69 90              nop
00007fff`1fdf3b6a cc              int     3
00007fff`1fdf3b6b cc              int     3
00007fff`1fdf3b6c cc              int     3
00007fff`1fdf3b6d cc              int     3
00007fff`1fdf3b6e cc              int     3
00007fff`1fdf3b6f cc              int     3
ntdll!LdrpValidateUserCallTarget:
00007fff`1fdf3b70 488b1579370d00  mov     rdx,qword ptr [ntdll!LdrSystemDllInitBlock+0x60 (00007fff`1fec72f0)]
00007fff`1fdf3b77 488bc1          mov     rax,rcx
00007fff`1fdf3b7a 48c1e809        shr     rax,9
ntdll!LdrpValidateUserCallTarget+0xe:
00007fff`1fdf3b7e 488b14c2        mov     rdx,qword ptr [rdx+rax*8]              ⇐ instruction pointer
00007fff`1fdf3b82 488bc1          mov     rax,rcx
00007fff`1fdf3b85 48c1e803        shr     rax,3
00007fff`1fdf3b89 f6c10f          test    cl,0Fh
00007fff`1fdf3b8c 7507            jne     ntdll!LdrpValidateUserCallTarget+0x25 (00007fff`1fdf3b95)
00007fff`1fdf3b8e 480fa3c2        bt      rdx,rax
00007fff`1fdf3b92 730c            jae     ntdll!LdrpValidateUserCallTarget+0x30 (00007fff`1fdf3ba0)
00007fff`1fdf3b94 c3              ret
00007fff`1fdf3b95 4883c801        or      rax,1
00007fff`1fdf3b99 480fa3c2        bt      rdx,rax
00007fff`1fdf3b9d 7301            jae     ntdll!LdrpValidateUserCallTarget+0x30 (00007fff`1fdf3ba0)
00007fff`1fdf3b9f c3              ret
00007fff`1fdf3ba0 488bc1          mov     rax,rcx
00007fff`1fdf3ba3 4d33d2          xor     r10,r10
00007fff`1fdf3ba6 e935ffffff      jmp     ntdll!LdrpHandleInvalidUserCallTarget (00007fff`1fdf3ae0)
00007fff`1fdf3bab cc              int     3
00007fff`1fdf3bac cc              int     3
00007fff`1fdf3bad cc              int     3

Registers

rax=0000000000000000 rbx=00007ffefdf97730 rcx=0000000000000000
rdx=00007df5ffc60000 rsi=0000000000000000 rdi=0000000000000000
rip=00007fff1fdf3b7e rsp=000000437d7ab818 rbp=0000000000000000
 r8=000000437d7ab8f8  r9=000000437d7ab8f0 r10=0000000000000009
r11=000000437d7ab8f4 r12=0000000080011462 r13=000000437148fe70
r14=0000003b074a4fe0 r15=000000437d7ab8f0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fpcw=027F    fpsw=0000    fptw=0000
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000  st5= 0.000000000000000000000e+0000
st6= 0.000000000000000000000e+0000  st7= 0.000000000000000000000e+0000
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=0000000000000000
mm4=0000000000000000  mm5=0000000000000000
mm6=0000000000000000  mm7=0000000000000000
xmm0=0 0 8.26766e-044 2.01327e+008
xmm1=8.26766e-044 9.34857e+009 8.26766e-044 9.34883e+009
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
xmm8=0 0 0 0
xmm9=0 0 0 0
xmm10=0 0 1.875 0
xmm11=0 0 0 0
xmm12=0 0 0 0
xmm13=0 0 0 0
xmm14=0 0 0 0
xmm15=0 0 0 0
dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000
dr3=0000000000000000 dr6=0000000000000000 dr7=0000000000000000
ntdll!LdrpValidateUserCallTarget+0xe:
00007fff`1fdf3b7e 488b14c2        mov     rdx,qword ptr [rdx+rax*8] ds:00007df5`ffc60000=????????????????

Referenced memory

Memory around address 0x7DF5FFC60000:

00007df5`ffc5ff80  ????????`????????
00007df5`ffc5ff88  ????????`????????
00007df5`ffc5ff90  ????????`????????
00007df5`ffc5ff98  ????????`????????
00007df5`ffc5ffa0  ????????`????????
00007df5`ffc5ffa8  ????????`????????
00007df5`ffc5ffb0  ????????`????????
00007df5`ffc5ffb8  ????????`????????
00007df5`ffc5ffc0  ????????`????????
00007df5`ffc5ffc8  ????????`????????
00007df5`ffc5ffd0  ????????`????????
00007df5`ffc5ffd8  ????????`????????
00007df5`ffc5ffe0  ????????`????????
00007df5`ffc5ffe8  ????????`????????
00007df5`ffc5fff0  ????????`????????
00007df5`ffc5fff8  ????????`????????
00007df5`ffc60000  ????????`????????
00007df5`ffc60008  ????????`????????
00007df5`ffc60010  ????????`????????
00007df5`ffc60018  ????????`????????
00007df5`ffc60020  ????????`????????
00007df5`ffc60028  ????????`????????
00007df5`ffc60030  ????????`????????
00007df5`ffc60038  ????????`????????
00007df5`ffc60040  ????????`????????
00007df5`ffc60048  ????????`????????
00007df5`ffc60050  ????????`????????
00007df5`ffc60058  ????????`????????
00007df5`ffc60060  ????????`????????
00007df5`ffc60068  ????????`????????
00007df5`ffc60070  ????????`????????
00007df5`ffc60078  ????????`????????

Binary information

MSHTML.dll

    Loaded symbol image file: C:\Windows\SYSTEM32\MSHTML.dll
    Image path: C:\Windows\SYSTEM32\MSHTML.dll
    Image name: MSHTML.dll
    Timestamp:        Tue Feb 23 12:55:08 2016 (56CC489C)
    CheckSum:         0177F5B8
    ImageSize:        0178A000
    File version:     11.0.10240.16724
    Product version:  11.0.10240.16724
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Internet Explorer
    InternalName:     MSHTML
    OriginalFilename: MSHTML.DLL
    ProductVersion:   11.00.10240.16724
    FileVersion:      11.00.10240.16724 (th1_st1.160222-1812)
    FileDescription:  Microsoft (R) HTML Viewer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

iexplore.exe

    Image path: iexplore.exe
    Image name: iexplore.exe
    Timestamp:        Wed Nov 25 05:27:51 2015 (565538C7)
    CheckSum:         000CEA03
    ImageSize:        000CA000
    File version:     11.0.10240.16603
    Product version:  11.0.10240.16603
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Internet Explorer
    InternalName:     iexplore
    OriginalFilename: IEXPLORE.EXE
    ProductVersion:   11.00.10240.16603
    FileVersion:      11.00.10240.16603 (th1_st1.151124-1750)
    FileDescription:  Internet Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

Debugger IO


Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" http://E5-W1001164-0:30000/Ping-3747.5358898

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       cache*\\server\Symbols
Deferred                                       srv*http://msdl.microsoft.com/download/symbols
Symbol search path is: cache*\\server\Symbols;srv*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 00007ff6`2b6a0000 00007ff6`2b76a000   iexplore.exe
ModLoad: 00007fff`1fd70000 00007fff`1ff32000   ntdll.dll
ModLoad: 00007fff`076f0000 00007fff`0775d000   C:\Windows\system32\verifier.dll
Page heap: pid 0x250: page heap enabled with flags 0x3.
ModLoad: 00007fff`1de90000 00007fff`1df3d000   C:\Windows\system32\KERNEL32.DLL
ModLoad: 00007fff`1d260000 00007fff`1d43d000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 00007fff`1ade0000 00007fff`1ae58000   C:\Windows\system32\apphelp.dll
ModLoad: 00007fff`1fc20000 00007fff`1fd6e000   C:\Windows\system32\USER32.dll
ModLoad: 00007fff`1dbe0000 00007fff`1dd66000   C:\Windows\system32\GDI32.dll
ModLoad: 00007fff`1d750000 00007fff`1d7ed000   C:\Windows\system32\msvcrt.dll
ModLoad: 00007fff`1d0f0000 00007fff`1d1a3000   C:\Windows\system32\shcore.dll
ModLoad: 00007fff`1d800000 00007fff`1da7c000   C:\Windows\system32\combase.dll
ModLoad: 00007fff`1da90000 00007fff`1dbb6000   C:\Windows\system32\RPCRT4.dll
ModLoad: 00007fff`1e370000 00007fff`1e416000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 00007fff`1e110000 00007fff`1e16b000   C:\Windows\system32\sechost.dll
ModLoad: 00007fff`17970000 00007fff`17ce6000   C:\Windows\SYSTEM32\iertutil.dll
(250.d5c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007fff`1fe2e510 cc              int     3

Create process 592 breakpoint.
0:000> g
shell\lib\connectedidhelpers_lightweight.cpp(118)\SettingSyncCore.dll!00007FFF12C2DE50: (caller: 00007FFF12C05D4D) ReturnHr[PreRelease](1) tid(d5c) 800708CA This network connection does not exist.
shell\lib\connectedidhelpers_lightweight.cpp(118)\SettingSyncCore.dll!00007FFF12C2DE50: (caller: 00007FFF12C05D4D) ReturnHr[PreRelease](2) tid(81c) 800708CA This network connection does not exist.
shell\lib\connectedidhelpers_lightweight.cpp(118)\SettingSyncCore.dll!00007FFF12C2DE50: (caller: 00007FFF12C05D4D) ReturnHr[PreRelease](3) tid(9fc) 800708CA This network connection does not exist.
shell\lib\connectedidhelpers_lightweight.cpp(118)\SettingSyncCore.dll!00007FFF12C2DE50: (caller: 00007FFF12C05D4D) ReturnHr[PreRelease](4) tid(ac) 800708CA This network connection does not exist.
shell\lib\connectedidhelpers_lightweight.cpp(118)\SettingSyncCore.dll!00007FFF12C2DE50: (caller: 00007FFF12C05D4D) ReturnHr[PreRelease](5) tid(544) 800708CA This network connection does not exist.
shell\lib\connectedidhelpers_lightweight.cpp(118)\SettingSyncCore.dll!00007FFF12C2DE50: (caller: 00007FFF12C05D4D) ReturnHr[PreRelease](6) tid(730) 800708CA This network connection does not exist.
(250.340): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

0:046> .lastevent
Last event: 250.340: Access violation - code c0000005 (first chance)
  debugger time: Tue Mar 15 09:48:35.758 2016 (UTC + 1:00)

0:046> |.
.  0 id: 250 create name: iexplore.exe

0:046> .symopt- 0x80000000
Symbol options are 0x90F17:
  0x00000001 - SYMOPT_CASE_INSENSITIVE
  0x00000002 - SYMOPT_UNDNAME
  0x00000004 - SYMOPT_DEFERRED_LOADS
  0x00000010 - SYMOPT_LOAD_LINES
  0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
  0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
  0x00000400 - SYMOPT_EXACT_SYMBOLS
  0x00000800 - SYMOPT_ALLOW_ABSOLUTE_SYMBOLS
  0x00010000 - SYMOPT_AUTO_PUBLICS
  0x00080000 - SYMOPT_NO_PROMPTS

0:046> .exr -1
ExceptionAddress: 00007fff1fdf3b7e (ntdll!LdrpValidateUserCallTarget+0x000000000000000e)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00007df5ffc60000
Attempt to read from address 00007df5ffc60000

0:046> .symopt+ 0x80000000
Symbol options are 0x80090F17:
  0x00000001 - SYMOPT_CASE_INSENSITIVE
  0x00000002 - SYMOPT_UNDNAME
  0x00000004 - SYMOPT_DEFERRED_LOADS
  0x00000010 - SYMOPT_LOAD_LINES
  0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
  0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
  0x00000400 - SYMOPT_EXACT_SYMBOLS
  0x00000800 - SYMOPT_ALLOW_ABSOLUTE_SYMBOLS
  0x00010000 - SYMOPT_AUTO_PUBLICS
  0x00080000 - SYMOPT_NO_PROMPTS
  0x80000000 - SYMOPT_DEBUG

0:046> lm on
start             end                 module name
00007ff6`2b6a0000 00007ff6`2b76a000   iexplore iexplore.exe
00007ffe`fcd10000 00007ffe`fe49a000   MSHTML   MSHTML.dll  
00007fff`04f20000 00007fff`05b1a000   IEFRAME  IEFRAME.dll 
00007fff`05db0000 00007fff`0624b000   jscript9 jscript9.dll
00007fff`065c0000 00007fff`067f7000   msxml3   msxml3.dll  
00007fff`075a0000 00007fff`076ec000   uiautomationcore uiautomationcore.dll
00007fff`076f0000 00007fff`0775d000   verifier verifier.dll
00007fff`0a720000 00007fff`0a7c8000   ieproxy  ieproxy.dll 
00007fff`0ad90000 00007fff`0adc8000   msls31   msls31.dll  
00007fff`0add0000 00007fff`0ae64000   IEUI     IEUI.dll    
00007fff`0ae70000 00007fff`0aeb5000   sqmapi   sqmapi.dll  
00007fff`0aec0000 00007fff`0af2e000   IEShims  IEShims.dll 
00007fff`123c0000 00007fff`12850000   explorerframe explorerframe.dll
00007fff`12850000 00007fff`12898000   vaultcli vaultcli.dll
00007fff`128a0000 00007fff`128e6000   dataexchange dataexchange.dll
00007fff`128f0000 00007fff`12959000   oleacc   oleacc.dll  
00007fff`12960000 00007fff`12bd4000   comctl32 comctl32.dll
00007fff`12be0000 00007fff`12cc1000   SettingSyncCore SettingSyncCore.dll
00007fff`13250000 00007fff`13316000   TokenBroker TokenBroker.dll
00007fff`13360000 00007fff`1339f000   netprofm netprofm.dll
00007fff`13690000 00007fff`1369e000   npmproxy npmproxy.dll
00007fff`137e0000 00007fff`13c4a000   ActXPrxy ActXPrxy.dll
00007fff`13c50000 00007fff`13c61000   settingsyncpolicy settingsyncpolicy.dll
00007fff`13ff0000 00007fff`142b1000   WININET  WININET.dll 
00007fff`14520000 00007fff`14547000   IDStore  IDStore.dll 
00007fff`14550000 00007fff`14557000   MSIMG32  MSIMG32.dll 
00007fff`14890000 00007fff`148a5000   ondemandconnroutehelper ondemandconnroutehelper.dll
00007fff`14940000 00007fff`14950000   msimtf   msimtf.dll  
00007fff`14950000 00007fff`1498d000   MLANG    MLANG.dll   
00007fff`14af0000 00007fff`14afc000   dispex   dispex.dll  
00007fff`14d60000 00007fff`14de9000   directmanipulation directmanipulation.dll
00007fff`15010000 00007fff`15269000   DWrite   DWrite.dll  
00007fff`152a0000 00007fff`15436000   urlmon   urlmon.dll  
00007fff`15b30000 00007fff`15bc2000   msvcp110_win msvcp110_win.dll
00007fff`15bd0000 00007fff`15c09000   policymanager policymanager.dll
00007fff`15da0000 00007fff`15daa000   rasadhlp rasadhlp.dll
00007fff`165d0000 00007fff`16638000   fwpuclnt fwpuclnt.dll
00007fff`16a70000 00007fff`16fb5000   d2d1     d2d1.dll    
00007fff`172d0000 00007fff`1731b000   UIAnimation UIAnimation.dll
00007fff`177b0000 00007fff`17962000   windowscodecs windowscodecs.dll
00007fff`17970000 00007fff`17ce6000   iertutil iertutil.dll
00007fff`17cf0000 00007fff`17e21000   wintypes wintypes.dll
00007fff`18e90000 00007fff`190fe000   d3d10warp d3d10warp.dll
00007fff`199a0000 00007fff`19a76000   winhttp  winhttp.dll 
00007fff`19a80000 00007fff`19a8c000   Secur32  Secur32.dll 
00007fff`19aa0000 00007fff`19b3c000   dxgi     dxgi.dll    
00007fff`19b40000 00007fff`19b76000   XmlLite  XmlLite.dll 
00007fff`19b80000 00007fff`19e23000   d3d11    d3d11.dll   
00007fff`19e30000 00007fff`19e52000   dwmapi   dwmapi.dll  
00007fff`1a0b0000 00007fff`1a252000   ieapfltr ieapfltr.dll
00007fff`1a290000 00007fff`1a413000   PROPSYS  PROPSYS.dll 
00007fff`1a420000 00007fff`1a433000   wtsapi32 wtsapi32.dll
00007fff`1a440000 00007fff`1a45c000   SAMLIB   SAMLIB.dll  
00007fff`1a470000 00007fff`1a47b000   WINNSI   WINNSI.DLL  
00007fff`1a520000 00007fff`1a558000   IPHLPAPI IPHLPAPI.DLL
00007fff`1a740000 00007fff`1a79c000   ninput   ninput.dll  
00007fff`1a8a0000 00007fff`1a971000   dcomp    dcomp.dll   
00007fff`1ac70000 00007fff`1ac95000   sppc     sppc.dll    
00007fff`1aca0000 00007fff`1accc000   winmmbase winmmbase.dll
00007fff`1acd0000 00007fff`1acf6000   SLC      SLC.dll     
00007fff`1ad00000 00007fff`1ad23000   WINMM    WINMM.dll   
00007fff`1ade0000 00007fff`1ae58000   apphelp  apphelp.dll 
00007fff`1b070000 00007fff`1b106000   uxtheme  uxtheme.dll 
00007fff`1b130000 00007fff`1b157000   DEVOBJ   DEVOBJ.dll  
00007fff`1b160000 00007fff`1b24e000   twinapi_appcore twinapi.appcore.dll
00007fff`1bbc0000 00007fff`1bbca000   DPAPI    DPAPI.dll   
00007fff`1bc60000 00007fff`1bc93000   rsaenh   rsaenh.dll  
00007fff`1bd90000 00007fff`1bdaf000   USERENV  USERENV.dll 
00007fff`1bdb0000 00007fff`1be58000   DNSAPI   DNSAPI.dll  
00007fff`1bfb0000 00007fff`1c00d000   mswsock  mswsock.dll 
00007fff`1c010000 00007fff`1c027000   cryptsp  cryptsp.dll 
00007fff`1c160000 00007fff`1c16b000   CRYPTBASE CRYPTBASE.dll
00007fff`1c360000 00007fff`1c38c000   SspiCli  SspiCli.dll 
00007fff`1c5c0000 00007fff`1c62b000   bcryptPrimitives bcryptPrimitives.dll
00007fff`1c630000 00007fff`1c6c8000   sxs      sxs.dll     
00007fff`1c6d0000 00007fff`1c6f8000   bcrypt   bcrypt.dll  
00007fff`1c7a0000 00007fff`1c7ea000   powrprof powrprof.dll
00007fff`1c7f0000 00007fff`1c7ff000   kernel_appcore kernel.appcore.dll
00007fff`1c800000 00007fff`1c813000   profapi  profapi.dll 
00007fff`1c820000 00007fff`1c831000   MSASN1   MSASN1.dll  
00007fff`1c840000 00007fff`1ca01000   CRYPT32  CRYPT32.dll 
00007fff`1cac0000 00007fff`1d0e8000   windows_storage windows.storage.dll
00007fff`1d0f0000 00007fff`1d1a3000   shcore   shcore.dll  
00007fff`1d210000 00007fff`1d254000   CFGMGR32 CFGMGR32.dll
00007fff`1d260000 00007fff`1d43d000   KERNELBASE KERNELBASE.dll
00007fff`1d440000 00007fff`1d59c000   MSCTF    MSCTF.dll   
00007fff`1d600000 00007fff`1d741000   ole32    ole32.dll   
00007fff`1d750000 00007fff`1d7ed000   msvcrt   msvcrt.dll  
00007fff`1d7f0000 00007fff`1d7f8000   NSI      NSI.dll     
00007fff`1d800000 00007fff`1da7c000   combase  combase.dll 
00007fff`1da90000 00007fff`1dbb6000   RPCRT4   RPCRT4.dll  
00007fff`1dbe0000 00007fff`1dd66000   GDI32    GDI32.dll   
00007fff`1dd70000 00007fff`1de2e000   OLEAUT32 OLEAUT32.dll
00007fff`1de90000 00007fff`1df3d000   KERNEL32 KERNEL32.DLL
00007fff`1e110000 00007fff`1e16b000   sechost  sechost.dll 
00007fff`1e170000 00007fff`1e215000   clbcatq  clbcatq.dll 
00007fff`1e220000 00007fff`1e2f7000   comdlg32 comdlg32.dll
00007fff`1e300000 00007fff`1e369000   WS2_32   WS2_32.dll  
00007fff`1e370000 00007fff`1e416000   ADVAPI32 ADVAPI32.dll
00007fff`1e420000 00007fff`1e456000   IMM32    IMM32.DLL   
00007fff`1e460000 00007fff`1f982000   SHELL32  SHELL32.dll 
00007fff`1fb40000 00007fff`1fb91000   SHLWAPI  SHLWAPI.dll 
00007fff`1fba0000 00007fff`1fc0f000   coml2    coml2.dll   
00007fff`1fc20000 00007fff`1fd6e000   USER32   USER32.dll  
00007fff`1fd70000 00007fff`1ff32000   ntdll    ntdll.dll   

0:046> kn 0x64
 # Child-SP          RetAddr           Call Site
00 00000043`7d7ab818 00007ffe`fdb4aed2 ntdll!LdrpValidateUserCallTarget+0xe
01 00000043`7d7ab820 00007ffe`fdb4aa7f MSHTML!CAnimatablePropertyListElement::GetCurrentValues+0x72
02 00000043`7d7ab8b0 00007ffe`fdb49f99 MSHTML!CreateKeyframeFromBlock+0x303
03 00000043`7d7ab970 00007ffe`fdb4994a MSHTML!BuildAnimation+0x33d
04 00000043`7d7abae0 00007ffe`fd7b3017 MSHTML!AnimationStartHandler+0x12a
05 00000043`7d7abc10 00007ffe`fd2d75f9 MSHTML!CAnimations::LoopAnimations+0x247
06 00000043`7d7abd20 00007ffe`fcee9138 MSHTML!ProcessTransitionsAndAnimations+0x4d7e39
07 00000043`7d7abec0 00007ffe`fce854a9 MSHTML!CElement::ComputeFormatsVirtual+0xae8
08 00000043`7d7ac410 00007ffe`fce85271 MSHTML!CElement::ComputeFormats+0x1b9
09 00000043`7d7ac540 00007ffe`fce840d6 MSHTML!CTreeNode::ComputeFormats+0x81
0a 00000043`7d7ac580 00007ffe`fce827d4 MSHTML!CTreeNode::ComputeFormatsHelper+0x46
0b 00000043`7d7ad330 00007ffe`fce9f5e0 MSHTML!CTreeNode::EnsureNestedFormats+0xa4
0c 00000043`7d7ad370 00007ffe`fce06618 MSHTML!CElement::UpdateFormatsForLayout+0x100
0d 00000043`7d7ad400 00007ffe`fcde2652 MSHTML!CView::ExecuteInvalidationTasks+0x248
0e 00000043`7d7ad4f0 00007ffe`fce5c808 MSHTML!CView::EnsureView+0x412
0f 00000043`7d7ad5c0 00007ffe`fcd263b7 MSHTML!CPaintController::EnsureView+0x58
10 00000043`7d7ad5f0 00007ffe`fce5c249 MSHTML!CPaintBeat::OnBeat+0x357
11 00000043`7d7ad660 00007ffe`fcdc6933 MSHTML!CPaintBeat::OnVSyncMethodCall+0x99
12 00000043`7d7ad690 00007ffe`fcdc91e6 MSHTML!GlobalWndOnPaintPriorityMethodCall+0x3b3
13 00000043`7d7ad780 00007fff`1fc300dc MSHTML!GlobalWndProc+0x166
14 00000043`7d7ad800 00007fff`1fc2fe52 USER32!UserCallWinProcCheckWow+0x1fc
15 00000043`7d7ad8f0 00007fff`1fc3d3fe USER32!DispatchClientMessage+0xa2
16 00000043`7d7ad950 00007fff`1fe05714 USER32!_fnDWORD+0x3e
17 00000043`7d7ad9b0 00007fff`1fc4ffba ntdll!KiUserCallbackDispatcherContinue
18 00000043`7d7ada38 00007fff`1fc2fca7 USER32!NtUserDispatchMessage+0xa
19 00000043`7d7ada40 00007fff`04f4ff7d USER32!DispatchMessageWorker+0x247
1a 00000043`7d7adac0 00007fff`04f28d9e IEFRAME!CTabWindow::_TabWindowThreadProc+0x4cd
1b 00000043`7d7afd10 00007fff`179a7faf IEFRAME!LCIETab_ThreadProc+0x3ce
1c 00000043`7d7afe40 00007fff`1dea2d92 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
1d 00000043`7d7afe70 00007fff`1fd79f64 KERNEL32!BaseThreadInitThunk+0x22
1e 00000043`7d7afea0 00000000`00000000 ntdll!RtlUserThreadStart+0x34

0:046> ~s
00007fff`1fdf3b7e 488b14c2        mov     rdx,qword ptr [rdx+rax*8] ds:00007df5`ffc60000=????????????????

0:046> !heap -p -a 0x7DF5FFC60000
 

0:046> .if ($vvalid(@$scopeip - 40, 40)) { u @$scopeip - 40 @$scopeip - 1; };
ntdll!LdrpHandleInvalidUserCallTarget+0x5e:
00007fff`1fdf3b3e 0f286c2470      movaps  xmm5,xmmword ptr [rsp+70h]
00007fff`1fdf3b43 0f28642460      movaps  xmm4,xmmword ptr [rsp+60h]
00007fff`1fdf3b48 4881c480000000  add     rsp,80h
00007fff`1fdf3b4f 58              pop     rax
00007fff`1fdf3b50 5a              pop     rdx
00007fff`1fdf3b51 59              pop     rcx
00007fff`1fdf3b52 4158            pop     r8
00007fff`1fdf3b54 4159            pop     r9
00007fff`1fdf3b56 c3              ret
00007fff`1fdf3b57 cc              int     3
00007fff`1fdf3b58 cc              int     3
00007fff`1fdf3b59 cc              int     3
00007fff`1fdf3b5a cc              int     3
00007fff`1fdf3b5b cc              int     3
00007fff`1fdf3b5c cc              int     3
00007fff`1fdf3b5d 0f1f00          nop     dword ptr [rax]
ntdll!LdrpICallHandler:
00007fff`1fdf3b60 33d2            xor     edx,edx
00007fff`1fdf3b62 b90a000000      mov     ecx,0Ah
00007fff`1fdf3b67 cd29            int     29h
00007fff`1fdf3b69 90              nop
00007fff`1fdf3b6a cc              int     3
00007fff`1fdf3b6b cc              int     3
00007fff`1fdf3b6c cc              int     3
00007fff`1fdf3b6d cc              int     3
00007fff`1fdf3b6e cc              int     3
00007fff`1fdf3b6f cc              int     3
ntdll!LdrpValidateUserCallTarget:
00007fff`1fdf3b70 488b1579370d00  mov     rdx,qword ptr [ntdll!LdrSystemDllInitBlock+0x60 (00007fff`1fec72f0)]
00007fff`1fdf3b77 488bc1          mov     rax,rcx
00007fff`1fdf3b7a 48c1e809        shr     rax,9

0:046> .if ($vvalid(@$scopeip, 40)) { u @$scopeip @$scopeip + 39; };
ntdll!LdrpValidateUserCallTarget+0xe:
00007fff`1fdf3b7e 488b14c2        mov     rdx,qword ptr [rdx+rax*8]
00007fff`1fdf3b82 488bc1          mov     rax,rcx
00007fff`1fdf3b85 48c1e803        shr     rax,3
00007fff`1fdf3b89 f6c10f          test    cl,0Fh
00007fff`1fdf3b8c 7507            jne     ntdll!LdrpValidateUserCallTarget+0x25 (00007fff`1fdf3b95)
00007fff`1fdf3b8e 480fa3c2        bt      rdx,rax
00007fff`1fdf3b92 730c            jae     ntdll!LdrpValidateUserCallTarget+0x30 (00007fff`1fdf3ba0)
00007fff`1fdf3b94 c3              ret
00007fff`1fdf3b95 4883c801        or      rax,1
00007fff`1fdf3b99 480fa3c2        bt      rdx,rax
00007fff`1fdf3b9d 7301            jae     ntdll!LdrpValidateUserCallTarget+0x30 (00007fff`1fdf3ba0)
00007fff`1fdf3b9f c3              ret
00007fff`1fdf3ba0 488bc1          mov     rax,rcx
00007fff`1fdf3ba3 4d33d2          xor     r10,r10
00007fff`1fdf3ba6 e935ffffff      jmp     ntdll!LdrpHandleInvalidUserCallTarget (00007fff`1fdf3ae0)
00007fff`1fdf3bab cc              int     3
00007fff`1fdf3bac cc              int     3
00007fff`1fdf3bad cc              int     3
00007fff`1fdf3bae cc              int     3
00007fff`1fdf3baf cc              int     3
00007fff`1fdf3bb0 cc              int     3
00007fff`1fdf3bb1 666666666666660f1f840000000000 nop word ptr [rax+rax]

0:046> rM 0x7D
rax=0000000000000000 rbx=00007ffefdf97730 rcx=0000000000000000
rdx=00007df5ffc60000 rsi=0000000000000000 rdi=0000000000000000
rip=00007fff1fdf3b7e rsp=000000437d7ab818 rbp=0000000000000000
 r8=000000437d7ab8f8  r9=000000437d7ab8f0 r10=0000000000000009
r11=000000437d7ab8f4 r12=0000000080011462 r13=000000437148fe70
r14=0000003b074a4fe0 r15=000000437d7ab8f0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fpcw=027F    fpsw=0000    fptw=0000
st0= 0.000000000000000000000e+0000  st1= 0.000000000000000000000e+0000
st2= 0.000000000000000000000e+0000  st3= 0.000000000000000000000e+0000
st4= 0.000000000000000000000e+0000  st5= 0.000000000000000000000e+0000
st6= 0.000000000000000000000e+0000  st7= 0.000000000000000000000e+0000
mm0=0000000000000000  mm1=0000000000000000
mm2=0000000000000000  mm3=0000000000000000
mm4=0000000000000000  mm5=0000000000000000
mm6=0000000000000000  mm7=0000000000000000
xmm0=0 0 8.26766e-044 2.01327e+008
xmm1=8.26766e-044 9.34857e+009 8.26766e-044 9.34883e+009
xmm2=0 0 0 0
xmm3=0 0 0 0
xmm4=0 0 0 0
xmm5=0 0 0 0
xmm6=0 0 0 0
xmm7=0 0 0 0
xmm8=0 0 0 0
xmm9=0 0 0 0
xmm10=0 0 1.875 0
xmm11=0 0 0 0
xmm12=0 0 0 0
xmm13=0 0 0 0
xmm14=0 0 0 0
xmm15=0 0 0 0
dr0=0000000000000000 dr1=0000000000000000 dr2=0000000000000000
dr3=0000000000000000 dr6=0000000000000000 dr7=0000000000000000
ntdll!LdrpValidateUserCallTarget+0xe:
00007fff`1fdf3b7e 488b14c2        mov     rdx,qword ptr [rdx+rax*8] ds:00007df5`ffc60000=????????????????

0:046> dpp @$ea - 10*$ptrsize L10;
00007df5`ffc5ff80  ????????`????????
00007df5`ffc5ff88  ????????`????????
00007df5`ffc5ff90  ????????`????????
00007df5`ffc5ff98  ????????`????????
00007df5`ffc5ffa0  ????????`????????
00007df5`ffc5ffa8  ????????`????????
00007df5`ffc5ffb0  ????????`????????
00007df5`ffc5ffb8  ????????`????????
00007df5`ffc5ffc0  ????????`????????
00007df5`ffc5ffc8  ????????`????????
00007df5`ffc5ffd0  ????????`????????
00007df5`ffc5ffd8  ????????`????????
00007df5`ffc5ffe0  ????????`????????
00007df5`ffc5ffe8  ????????`????????
00007df5`ffc5fff0  ????????`????????
00007df5`ffc5fff8  ????????`????????

0:046> dpp @$ea L10;
00007df5`ffc60000  ????????`????????
00007df5`ffc60008  ????????`????????
00007df5`ffc60010  ????????`????????
00007df5`ffc60018  ????????`????????
00007df5`ffc60020  ????????`????????
00007df5`ffc60028  ????????`????????
00007df5`ffc60030  ????????`????????
00007df5`ffc60038  ????????`????????
00007df5`ffc60040  ????????`????????
00007df5`ffc60048  ????????`????????
00007df5`ffc60050  ????????`????????
00007df5`ffc60058  ????????`????????
00007df5`ffc60060  ????????`????????
00007df5`ffc60068  ????????`????????
00007df5`ffc60070  ????????`????????
00007df5`ffc60078  ????????`????????

0:046> dpp @$ea2 - 10*$ptrsize L10;
Bad register error at '@$ea2 - 10*$ptrsize '

0:046> lm M *iexplore.exe
start             end                 module name
00007ff6`2b6a0000 00007ff6`2b76a000   iexplore   (deferred)             

0:046> lmv m *MSHTML
start             end                 module name
00007ffe`fcd10000 00007ffe`fe49a000   MSHTML     (pdb symbols)          \\server\symbols\mshtml.pdb\EFF7478C66044900ACEECF78C1E4F0851\mshtml.pdb
    Loaded symbol image file: C:\Windows\SYSTEM32\MSHTML.dll
    Image path: C:\Windows\SYSTEM32\MSHTML.dll
    Image name: MSHTML.dll
    Timestamp:        Tue Feb 23 12:55:08 2016 (56CC489C)
    CheckSum:         0177F5B8
    ImageSize:        0178A000
    File version:     11.0.10240.16724
    Product version:  11.0.10240.16724
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Internet Explorer
    InternalName:     MSHTML
    OriginalFilename: MSHTML.DLL
    ProductVersion:   11.00.10240.16724
    FileVersion:      11.00.10240.16724 (th1_st1.160222-1812)
    FileDescription:  Microsoft (R) HTML Viewer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

0:046> lmv m *iexplore
start             end                 module name
00007ff6`2b6a0000 00007ff6`2b76a000   iexplore   (deferred)             
    Image path: iexplore.exe
    Image name: iexplore.exe
    Timestamp:        Wed Nov 25 05:27:51 2015 (565538C7)
    CheckSum:         000CEA03
    ImageSize:        000CA000
    File version:     11.0.10240.16603
    Product version:  11.0.10240.16603
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Internet Explorer
    InternalName:     iexplore
    OriginalFilename: IEXPLORE.EXE
    ProductVersion:   11.00.10240.16603
    FileVersion:      11.00.10240.16603 (th1_st1.151124-1750)
    FileDescription:  Internet Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

0:046>