0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
DUMP_CLASS: 2
DUMP_QUALIFIER: 400
CONTEXT: 000000000027f270 – (.cxr 0x27f270)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000002085390 rsi=000000000266f208 rdi=0000000002085390
rip=000007fefdf9930f rsp=000000000027f830 rbp=000007fefe116aa0
r8=0000000000000001 r9=0000000000354de0 r10=0000000000000000
r11=0000000000000001 r12=00000000ffffffff r13=0000000000354de0
r14=0000000000000000 r15=000007fefe1453d8
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ole32!CStdMarshal::ReleaseAllIPIDEntries+0xbf:
000007fefdf9930f 48894168 mov qword ptr [rcx+68h],rax ds:0000000000000068=???
Resetting default scope
FAULTING_IP:
ntdll!KiUserExceptionDispatch+2e
00000000`77cebcb8 84c0 test al,al
EXCEPTION_RECORD: 000000000027f760 – (.exr 0x27f760)
ExceptionAddress: 000007fefdf9930f (ole32!CStdMarshal::ReleaseAllIPIDEntries+0x00000000000000bf)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000068
Attempt to write to address 0000000000000068
PROCESS_NAME: POWERPNT.EXE
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000000000180fe8
WRITE_ADDRESS: 0000000000180fe8
FOLLOWUP_IP:
000007fe`e673604b 488bcb mov rcx,rbx
WATSON_BKT_PROCSTAMP: 58a903b6
WATSON_BKT_PROCVER: 16.0.7766.2060
PROCESS_VER_PRODUCT: Microsoft Office 2016
WATSON_BKT_MODULE: ucrtbase.dll
WATSON_BKT_MODSTAMP: 55a5b718
WATSON_BKT_MODOFFSET: 63d8e
WATSON_BKT_MODVER: 10.0.10240.16390
MODULE_VER_PRODUCT: Microsoft? Windows? Operating System
BUILD_VERSION_STRING: 6.1.7601.23677 (win7sp1_ldr.170209-0600)
MODLIST_WITH_TSCHKSUM_HASH: 80169872d5b4d94271d10e570ab2fe62e068f0c7
MODLIST_SHA1_HASH: 3c73cd96d04143c3d0f2657f603060a3bb78ea27
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_FLAGS: c07
DUMP_TYPE: 0
APP: powerpnt.exe
ANALYSIS_SESSION_HOST: VAIBHAV-T320
ANALYSIS_SESSION_TIME: 03-21-2017 15:43:17.0304
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
RECURRING_STACK: From frames 0x8 to 0x8
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
INVALID_STACK_ACCESS
Tid [0x0]
Frame [0x00]
STACK_OVERFLOW
Tid [0x0]
Frame [0x00]
INVALID_POINTER_WRITE
Tid [0x2894]
Frame [0x00]: ucrtbase!seh_filter_exe
IN_CALL
Tid [0x2894]
Frame [0x00]: ucrtbase!seh_filter_exe
Failure Bucketing
BUGCHECK_STR: INVALID_STACK_ACCESS_STACK_OVERFLOW_INVALID_POINTER_WRITE_IN_CALL
DEFAULT_BUCKET_ID: INVALID_STACK_ACCESS_IN_CALL
LAST_CONTROL_TRANSFER: from 000007fefdf99218 to 000007fefdf9930f
STACK_TEXT:
000000000027f830 000007fefdf99218 : 0000000000000000 000000000266f208 0000000000354de0 0000000000000001 : ole32!CStdMarshal::ReleaseAllIPIDEntries+0xbf
000000000027f880 000007fefdf990ec : 0000000000000000 0000000000000001 0000000000354de0 0000000000000001 : ole32!CStdMarshal::~CStdMarshal+0x18
000000000027f8b0 000007fefdf993d4 : 000000000266f200 0000000000000001 0000000000351d20 0000000077cd0a7a : ole32!CStdIdentity::scalar deleting destructor'+0x14 000000000027f8e0 000007fee673604b : 0000000080000000 00000000020786c0 0000000000346260 0000000000354de0 : ole32!CStdIdentity::CInternalUnk::Release+0xdc 000000000027f910 000007fee675dac4 : 000007fee676e320 000000006b9f1192 0000000000000000 000007fe`e0397457 : MyHook!MyClass::Release+0x2b
THREAD_SHA1_HASH_MOD_FUNC: 0a2e5f795616c25ca1f1e993b730829aa071d7dc
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 5bcb3ffd0edb7f13d6668f00ce00d6d4c955a07a
THREAD_SHA1_HASH_MOD: 9c998a442875458641df1816ef345d19856d0a66
FAULT_INSTR_CODE: ffcb8b48
FAULTING_SOURCE_LINE: <>
FAULTING_SOURCE_FILE: <>
FAULTING_SOURCE_LINE_NUMBER: 52
FAULTING_SOURCE_CODE:
48: InterlockedDecrement(&m_cRef);
49:
50: if (m_cRef == 0)
51: {
52: delete this;
53: return 0;
54: }
55:
56: return m_cRef;
57: }
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: MyHook!MyClass::Release+2b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: MyHook
IMAGE_NAME: MyHook.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 58d07552
STACK_COMMAND: .cxr 0x27f270 ; kb
FAILURE_BUCKET_ID: INVALID_STACK_ACCESS_IN_CALL_c0000005_MyHook!MyClass::Release
BUCKET_ID: X64_INVALID_STACK_ACCESS_STACK_OVERFLOW_INVALID_POINTER_WRITE_IN_CALL_MyHook!MyClass::Release+2b
PRIMARY_PROBLEM_CLASS: X64_INVALID_STACK_ACCESS_STACK_OVERFLOW_INVALID_POINTER_WRITE_IN_CALL_MyHook!MyClass::Release+2b
BUCKET_ID_OFFSET: 2b
BUCKET_ID_MODULE_STR: MyHook64
BUCKET_ID_MODTIMEDATESTAMP: 58d07552
BUCKET_ID_MODCHECKSUM: 725c0
BUCKET_ID_MODVER_STR: 15.0.0.38013
BUCKET_ID_PREFIX_STR: X64_INVALID_STACK_ACCESS_STACK_OVERFLOW_INVALID_POINTER_WRITE_IN_CALL_
FAILURE_PROBLEM_CLASS: INVALID_STACK_ACCESS_IN_CALL
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: MyHook.dll
FAILURE_FUNCTION_NAME: MyClass::Release
BUCKET_ID_FUNCTION_STR: MyClass::Release
FAILURE_SYMBOL_NAME: MyHook.dll!MyClass::Release
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/POWERPNT.EXE/16.0.7766.2060/58a903b6/ucrtbase.dll/10.0.10240.16390/55a5b718/c0000005/00063d8e.htm?Retriage=1
TARGET_TIME: 2017-03-21T09:53:10.000Z
OSBUILD: 7601
OSSERVICEPACK: 23677
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-02-09 22:04:46
BUILDDATESTAMP_STR: 170209-0600
BUILDLAB_STR: win7sp1_ldr
BUILDOSVER_STR: 6.1.7601.23677
ANALYSIS_SESSION_ELAPSED_TIME: 17109
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_stack_access_in_call_c0000005_MyHook.dll!MyClass::release
FAILURE_ID_HASH: {0e43dbf7-729d-913d-963a-e07a9a01ab05}
Followup: MachineOwner